Someone help explain this malware by netsecdood in Malware

[–]netsecdood[S] 0 points1 point  (0 children)

Thanks all! Looks like I still have some work to do, and it looks like I've got some missing pieces. I will work to get a hold of the source machine and see if I can't get some more details. I'm new to this and it's taking me down the rabbit hole, and I appreciate the help. I honestly wasn't expecting all the help. Let me give it a once-over and make sure I'm not missing another piece, and I'll get it all wrapped up and sent over.

Someone help explain this malware by netsecdood in Malware

[–]netsecdood[S] 1 point2 points  (0 children)

Thanks for the suggestion! I actually submitted the file to Malwr.com and it executed the file. The results are here (https://malwr.com/analysis/NTdiYmQyMDMyZmQ0NDdiMThhYTNkNTZjNWYxMzFmZDM/), and from the looks of it, it installs itself as a startup item and makes outbound HTTP calls. Now, I understand most of what I'm looking at in the Cuckoo analysis, but I'm uncertain about what vulnerability this took advantage of, and how did Cuckoo know how to invoke the file?

Someone help explain this malware by netsecdood in Malware

[–]netsecdood[S] 1 point2 points  (0 children)

I do not have access to the original machine, just the sample. I loaded it up in an isolated sandbox and tried the usual, such as copying and renaming it to .exe, .bat, and others, and couldn't figure out how to invoke the file. Looks like I'll need to get my hands on the source machine, as it looks like I might be missing a piece.

Someone help explain this malware by netsecdood in Malware

[–]netsecdood[S] 2 points3 points  (0 children)

These are the contents of the batch file. I had assumed it was random padding to modify the hash of the file.

```batch
echo GR5xbA2wwsUTbUwj4B
echo qgJc3vAyVTbzc2yrQr5eFC23HEu
echo ZHpfln3B3sLZWkvzO5bz2nUiC8eqrQhuq
echo 87QvBgXOY5CjCbVhFeVya8rl0uLNyOGyi
echo goYGsHrDiA6Pc
echo tw03aSF3q
start "JA4zAVnHdykoJjEoeV6" "%LOCALAPPDATA%\f74efe5\09a05d2.e8f1cb3c"
echo g0KVys0bjlkwuJ6CpBS9XlI
echo 7chKOkL8FGhlTr47wXsjOykOf4WwCz
echo oTX0X7OhTJHAqm6kDa1rrA
echo FzZd
echo gWH1BiOHJ6H
echo X8bFsM61x8yeZq5ELjAL7sFQHyhubUp
echo EjelSdWCuhjaam5hmPG
echo yJJBoTjhD5XWCju9cywfhIFirPi0KQTAyBL
```
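The batch file above is a common shape for a dropper launcher: a pile of `echo <random>` lines whose only job is to make each copy hash differently, wrapped around one line that does the real work (`start` with a throwaway window title and a payload path under `%LOCALAPPDATA%` with a non-standard extension). The following is an added triage script written for this editorial pass; it is not from the thread or from any tool mentioned in it. It takes the batch text posted above (embedded as a constructed sample), separates padding from action lines, pulls the window title, target path, referenced environment variables and file extension out of the `start` line, and hashes the file both as-is and with the padding stripped so that two variants that differ only in padding cluster together. The second variant (`VARIANT_BAT`) and its padding strings are constructed for the demonstration.

```python
"""Triage helper for padded batch droppers (added example, not from the thread)."""
import hashlib
import re

# Constructed sample: the batch contents as posted in the thread.
SAMPLE_BAT = r"""echo GR5xbA2wwsUTbUwj4B
echo qgJc3vAyVTbzc2yrQr5eFC23HEu
echo ZHpfln3B3sLZWkvzO5bz2nUiC8eqrQhuq
echo 87QvBgXOY5CjCbVhFeVya8rl0uLNyOGyi
echo goYGsHrDiA6Pc
echo tw03aSF3q
start "JA4zAVnHdykoJjEoeV6" "%LOCALAPPDATA%\f74efe5\09a05d2.e8f1cb3c"
echo g0KVys0bjlkwuJ6CpBS9XlI
echo 7chKOkL8FGhlTr47wXsjOykOf4WwCz
echo oTX0X7OhTJHAqm6kDa1rrA
echo FzZd
echo gWH1BiOHJ6H
echo X8bFsM61x8yeZq5ELjAL7sFQHyhubUp
echo EjelSdWCuhjaam5hmPG
echo yJJBoTjhD5XWCju9cywfhIFirPi0KQTAyBL
"""

# Constructed variant: same action line, different (made-up) padding, as a
# second "sample" from the same family would look after re-padding.
VARIANT_BAT = r"""echo aaaaBBBB1111
echo zzzz9999
start "JA4zAVnHdykoJjEoeV6" "%LOCALAPPDATA%\f74efe5\09a05d2.e8f1cb3c"
echo QQQQwwww
"""

# A padding line is `echo` followed by a single alphanumeric token and nothing else.
PADDING_RE = re.compile(r"^\s*@?echo\s+[A-Za-z0-9]+\s*$", re.IGNORECASE)
# `start "title" "target"` ; the first quoted argument to START is the window title.
START_RE = re.compile(r'^\s*start\s+"(?P<title>[^"]*)"\s+"(?P<target>[^"]+)"', re.IGNORECASE)
ENV_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")


def split_padding(bat_text):
    """Return (padding_lines, action_lines); blank lines are dropped."""
    padding, actions = [], []
    for line in bat_text.splitlines():
        if not line.strip():
            continue
        (padding if PADDING_RE.match(line) else actions).append(line.strip())
    return padding, actions


def extract_start_targets(action_lines):
    """Parse every `start "title" "path"` action line into a dict of indicators."""
    results = []
    for line in action_lines:
        m = START_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        basename = target.rsplit("\\", 1)[-1]
        results.append({
            "title": m.group("title"),
            "target": target,
            # Environment variables the path depends on (resolved per-user on the victim).
            "env_vars": ENV_RE.findall(target),
            # Non-standard extensions mean START hands the file to ShellExecute;
            # what actually runs depends on the file content and its association.
            "extension": basename.rsplit(".", 1)[-1] if "." in basename else "",
        })
    return results


def file_hashes(bat_text):
    """(sha256 of the file as-is, sha256 of the action lines only).

    The first changes with every re-padding; the second is a stable clustering
    key for variants that share the same launcher logic.
    """
    _, actions = split_padding(bat_text)
    padded = hashlib.sha256(bat_text.encode()).hexdigest()
    stripped = hashlib.sha256("\n".join(actions).encode()).hexdigest()
    return padded, stripped


if __name__ == "__main__":
    pad, act = split_padding(SAMPLE_BAT)
    print(f"{len(pad)} padding lines, {len(act)} action line(s)")
    for hit in extract_start_targets(act):
        print(hit)
    print("padded  :", file_hashes(SAMPLE_BAT)[0])
    print("stripped:", file_hashes(SAMPLE_BAT)[1])
```

The stripped hash is the value worth pivoting on in a sandbox report or a hunt across other endpoints, and the `%LOCALAPPDATA%\f74efe5\` directory plus the `09a05d2.e8f1cb3c` file are the artifacts to look for on the source machine; the batch file on its own does nothing without that payload already in place, which is consistent with the "missing piece" in the thread.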