Malware Analysis Report (AR20-133M)

MIFR-10077745-1.v2

 

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

This report contains information obtained from automated analysis and is not intended to be a complete description of the submitted sample. Results may be limited due to the complexity of the samples, or due to the ability of the samples to defend against automated analysis techniques. If additional information is required, please contact the Cybersecurity and Infrastructure Security Agency (CISA) using the information provided at the end of this report.

One malicious Microsoft Word Document was submitted for analysis. The document is designed to drop files that inject malicious code into Windows processes.

For a downloadable copy of IOCs, see MIFR-10077745-1.v2.stix.

Files (3)

1676884af2f090307aa9d0c9997f01d7dfc2f0667019bec47e88229b2f8ee65f (purchaseorderno.89764125.doc)

c64657539a0e3a0ff8817705abc1afb081d4b86a42d4d358d7774207a8810beb (~WRD8811.tmp)

edd53e51acdf19ae2f287d20c858d6f9ac63415b034d0ed9ba8eaf49bb140782 (~WRD8911.tmp)

Domains (1)

indogulf.hopto.org

IPs (1)

104.255.68.92

Findings

1676884af2f090307aa9d0c9997f01d7dfc2f0667019bec47e88229b2f8ee65f

Tags

CVE-2015-1641, dropper, trojan

Details
Name: purchaseorderno.89764125.doc
Size: 1021803 bytes
Type: data
MD5: f86ec79467abbcf6c040ef8cddbac660
SHA1: 8729edd552627df4be4dec19d2f9618fe70dbb47
SHA256: 1676884af2f090307aa9d0c9997f01d7dfc2f0667019bec47e88229b2f8ee65f
SHA512: 4c92975bdb3384b764f7bceb25f00e15947b11727d88ae595f328c02ed1ead53691ee3c2cbc6e3b4cddfcc9bc69b1385e000670d80eb5168f950efa72e413ca6
ssdeep: 12288:Xbzbzb1Dz3BE9UY8xC538Uq8wJ1d6e9N8OM7svY7yEpb1TpU5G4RU:X//xDY7538l7J1wg8OMJBpvUG4RU
Entropy: 7.074611
Antivirus
Ahnlab: RTF/Exploit
Antiy: Trojan/Generic.ASExplot.7A
BitDefender: Trojan.GenericKD.3825160
ClamAV: Rtf.Dropper.Agent-1699578
ESET: Win32/Exploit.Agent.NOW trojan
Emsisoft: Trojan.GenericKD.3825160 (B)
Ikarus: Trojan.Win32.Exploit
McAfee: Generic Dropper.ahb
Microsoft Security Essentials: Exploit:Win32/CVE-2015-1641
NANOAV: Exploit.Rtf.RTF.ekbjwo
NetGate: Exploit.Win32.Agent
Quick Heal: Exp.RTF.Heur.Gen.A
Sophos: Troj/RTFDrp-AE
Symantec: Bloodhound.RTF.3
TACHYON: Suspicious/RTF.GDO.Gen
TrendMicro: TROJ_AR.2539E986
TrendMicro House Call: TROJ_AR.2539E986
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
1676884af2... Dropped c64657539a0e3a0ff8817705abc1afb081d4b86a42d4d358d7774207a8810beb
1676884af2... Dropped edd53e51acdf19ae2f287d20c858d6f9ac63415b034d0ed9ba8eaf49bb140782
Description

This file is a Microsoft Word Document designed to drop two malicious executable files. These executable files are .NET PE files and share the same MD5 hash value. Upon execution, the Word document drops and executes the following files at run time:

-- Begin Drop Files--

%AppData%\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD8811.tmp
%AppData%\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD8812.tmp

-- End Drop Files--

c64657539a0e3a0ff8817705abc1afb081d4b86a42d4d358d7774207a8810beb

Tags

CVE-2015-1641, trojan

Details
Name: ~WRD8811.tmp
Name: ~WRD8812.tmp
Size: 607744 bytes
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 7c5d7ec22dafa11e5981fce7de75ae4d
SHA1: 35a1aa16695d1eb81ee7a96ebd85331a0fbec607
SHA256: c64657539a0e3a0ff8817705abc1afb081d4b86a42d4d358d7774207a8810beb
SHA512: 3c568850f0f051f9d5ec6a360a1c35d171963f5c11d7afc769623bb80f8429628333d7e23ad297e56e2fd0a3f7f5c5e8ab946e21880a5ccc63b99ba83a8cd7b0
ssdeep: 12288:XkzuU5OFic3B7quDB+XQf9UAEWJ5d2lzS7FUCVzxnkclFZp:0aU5OFJlaQfRXzeCjkg
Entropy: 7.768194
Antivirus
Ahnlab: Trojan/Win32.Limitail
Antiy: Trojan/Win32.Inject
Avira: HEUR/AGEN.1101621
BitDefender: Gen:Variant.Zusy.220725
Cyren: W32/Trojan.SW.gen!Eldorado
ESET: a variant of MSIL/Kryptik.GLC trojan
Emsisoft: Gen:Variant.Zusy.220725 (B)
Ikarus: Trojan.MSIL.Crypt
K7: Trojan ( 004f26a41 )
McAfee: Fareit-FEW!7C5D7EC22DAF
NANOAV: Trojan.Win32.Kryptik.eldmai
Sophos: Troj/MSIL-HIE
Symantec: Heur.AdvML.B
TrendMicro: TROJ_FR.EF301573
TrendMicro House Call: TROJ_FR.EF301573
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Packers/Compilers/Cryptors
Microsoft Visual C# v7.0 / Basic .NET
Relationships
c64657539a... Dropped edd53e51acdf19ae2f287d20c858d6f9ac63415b034d0ed9ba8eaf49bb140782
c64657539a... Dropped_By 1676884af2f090307aa9d0c9997f01d7dfc2f0667019bec47e88229b2f8ee65f
c64657539a... Resolved_To indogulf.hopto.org
Description

This file is a .NET executable, and its original file name has been identified as "ubndetnj.exe", which is displayed in the file's properties. Upon execution, the malware checks whether it is being run in a virtual environment. If it detects a virtual environment, it drops a copy of itself into the following directory:

-- Begin Drop Files--

%AppData%\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD8811.tmp
%AppData%\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD8812.tmp


-- End Drop Files--

The file ubndetnj.exe drops and loads a DLL file into the same directory as the previous dropper files.

If the malware does not detect that it is running in a virtual environment, it creates a copy of itself in the following directories:

--Begin Directory--

%ProgramData%\Client
%All Users%\Client
%APPDATA%\Roaming
%TEMP%4492

--End Directory--

The malware was copied into the victim's profile.

Persistence was established by the malware in a 32-bit Windows environment through the creation of the following registry keys:

--Begin Registry Key--

HKEY: HKU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Value Name: Client Monitor

Value Data: C:\ProgramData\Client\client.exe" -a /a

HKEY: HKU\Software\Microsoft\Windows NT\CurrentVersion\Winlog
Value Name: =shell

Value Data: explorer.exe,"C:\Users\markie\AppData\Roaming\clientmonitor.exe"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A8C524F2-14F2-4516-A9B1-8A03ECD6699A}\DynamicInfo: 03 00 00 00 0C BE 4D 9E 83 4B D2 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Client Monitor\Id: "{A8C524F2-14F2-4516-A9B1-8A03ECD6699A}"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Client Monitor\Index: 0x00000002
HKU\S-1-5-21-2627192596-1068805455-678978931-1000\Software\yD/qT8z5WeCyU6IM+GEC+A==: "tIQiMmreK4JTiAmI6pS+nXANOkkx26ewEImrJin28xg="
HKU\S-1-5-21-2627192596-1068805455-678978931-1000\Software\FObKsonc89Gou4fOabcF9A==: "cQU0xUd8mLddaatQ/cs+kVFSaSZRYtMuyJm2SpPLfaM="
HKU\S-1-5-21-2627192596-1068805455-678978931-1000\Software\PTH: "C:\ProgramData\Client\client.exe"
HKU\S-1-5-21-2627192596-1068805455-678978931-1000\Software\MTX: "85281209e3b0af40c74dbf5e62dfc366bef39d6e17e41ec056953a40e4c9fc01"
HKU\S-1-5-21-2627192596-1068805455-678978931-1000\Software\PRC: "3648"

--End Registry Key--

The malware employed the following mutex objects:

--Begin Mutex--

\Sessions\1\BaseNamedObjects\FireFX2836
\Sessions\1\BaseNamedObjects\FireFX1536
\Sessions\1\BaseNamedObjects\FireFX3148

--End Mutex--

The malware will then make a DNS query to the following domain:

--Begin Domain--

indogulf[.]hopto[.]org

--End Domain--

At the time of analysis the domain resolved to the following IP:

--Begin IP--

104[.]255.68.92

--End IP--

indogulf.hopto.org

Tags

command-and-control

URLs
  • indogulf.hopto.org
Whois

Domain Name: HOPTO.ORG
Domain ID: D20065021-LROR
WHOIS Server:
Referral URL: http://www.srsplus.com
Updated Date: 2015-12-21T17:43:40Z
Creation Date: 2000-02-17T19:56:50Z
Registry Expiry Date: 2021-02-17T19:56:50Z
Sponsoring Registrar: TLDS L.L.C. d/b/a SRSPlus
Sponsoring Registrar IANA ID: 320
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant ID: cm8dnqb78dtu7b9c
Registrant Name: Domain Operations No-IP.com
Registrant Organization: Vitalwerks Internet Solutions, LLC
Registrant Street: 425 Maestro Dr.
Registrant Street: Second Floor
Registrant City: Reno
Registrant State/Province: NV
Registrant Postal Code: 89511
Registrant Country: US
Registrant Phone: +1.17758531883
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: domains@no-ip.com
Admin ID: cm8dnqb78dtu7b9c
Admin Name: Domain Operations No-IP.com
Admin Organization: Vitalwerks Internet Solutions, LLC
Admin Street: 425 Maestro Dr.
Admin Street: Second Floor
Admin City: Reno
Admin State/Province: NV
Admin Postal Code: 89511
Admin Country: US
Admin Phone: +1.17758531883
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: domains@no-ip.com
Tech ID: cm8dnqb78dtu7b9c
Tech Name: Domain Operations No-IP.com
Tech Organization: Vitalwerks Internet Solutions, LLC
Tech Street: 425 Maestro Dr.
Tech Street: Second Floor
Tech City: Reno
Tech State/Province: NV
Tech Postal Code: 89511
Tech Country: US
Tech Phone: +1.17758531883
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: domains@no-ip.com
Name Server: NF1.NO-IP.COM
Name Server: NF2.NO-IP.COM
Name Server: NF3.NO-IP.COM
Name Server: NF4.NO-IP.COM
Name Server: NF5.NO-IP.COM
DNSSEC: unsigned

Relationships
indogulf.hopto.org Resolved_To c64657539a0e3a0ff8817705abc1afb081d4b86a42d4d358d7774207a8810beb
indogulf.hopto.org Resolved_To 104.255.68.92
Description

The malware made a DNS query to this domain.

edd53e51acdf19ae2f287d20c858d6f9ac63415b034d0ed9ba8eaf49bb140782

Tags

CVE-2015-1641, trojan, virus

Details
Name: ~WRD8911.tmp
Size: 6144 bytes
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: 55d5959618d96e4e36e6580717f52da1
SHA1: 60d4aafb1e8940bbd3c0dab75216055f168e0a7a
SHA256: edd53e51acdf19ae2f287d20c858d6f9ac63415b034d0ed9ba8eaf49bb140782
SHA512: 4ee7973a654c805af940c8a85f8193a8d41adda0c5458066a6ed08e6e47bc538257c79d9c97611cd86c78c88a0325127f1d56969f4fec2b5276815492d875d38
ssdeep: 96:Qr5bRPmb7FENmEVnCZsV+k5t8Wz3JbCMKFcP0b4jmK94Ctyc:g18W8Xs3JbCMf0kqeyc
Entropy: 5.352524
Antivirus
Antiy: Trojan/Win32.TSGeneric
Avira: TR/Agent.tssn
ESET: Win32/Agent.YAI trojan
Filseclab: Trojan.Inject.aaokk.nzvg
Ikarus: Trojan.Win32.Agent
K7: Trojan ( 0055e3dd1 )
NANOAV: Virus.Win32.Gen.ccmw
Quick Heal: Trojan.Dynamer
Sophos: Troj/Inject-BZQ
TACHYON: Trojan/W32.Inject.6144.AH
TrendMicro: TROJ_KRYPTIK.NPW
TrendMicro House Call: TROJ_KRYPTIK.NPW
VirusBlokAda: Trojan.Inject
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
edd53e51ac... Dropped_By 1676884af2f090307aa9d0c9997f01d7dfc2f0667019bec47e88229b2f8ee65f
edd53e51ac... Dropped_By c64657539a0e3a0ff8817705abc1afb081d4b86a42d4d358d7774207a8810beb
Description

This file is a DLL designed to start new instances of the following Windows processes. The code injected into these processes is used for process enumeration:

--Begin Processes--

svchost.exe
dwm.exe
taskhost.exe
slui.exe

--End Processes--

104.255.68.92

Relationships
104.255.68.92 Resolved_To indogulf.hopto.org
Description

The domain indogulf.hopto.org resolved to this IP.

Relationship Summary

1676884af2... Dropped c64657539a0e3a0ff8817705abc1afb081d4b86a42d4d358d7774207a8810beb
1676884af2... Dropped edd53e51acdf19ae2f287d20c858d6f9ac63415b034d0ed9ba8eaf49bb140782
c64657539a... Dropped edd53e51acdf19ae2f287d20c858d6f9ac63415b034d0ed9ba8eaf49bb140782
c64657539a... Dropped_By 1676884af2f090307aa9d0c9997f01d7dfc2f0667019bec47e88229b2f8ee65f
c64657539a... Resolved_To indogulf.hopto.org
indogulf.hopto.org Resolved_To c64657539a0e3a0ff8817705abc1afb081d4b86a42d4d358d7774207a8810beb
indogulf.hopto.org Resolved_To 104.255.68.92
edd53e51ac... Dropped_By 1676884af2f090307aa9d0c9997f01d7dfc2f0667019bec47e88229b2f8ee65f
edd53e51ac... Dropped_By c64657539a0e3a0ff8817705abc1afb081d4b86a42d4d358d7774207a8810beb
104.255.68.92 Resolved_To indogulf.hopto.org

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to CISA at 1-888-282-0870 or soc@us-cert.gov.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.us-cert.gov.

Revisions

May 12, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.
