MAR-10135536-F Malware Characterization //node() | //@* This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this bulletin or otherwise. This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp. US-CERT 2018-02-05T19:36:31.860610+00:00 bmachine F694.F694.F694.F694.F694.F694.F694.F694.F694.F694 6.4.17 3DAE0DC356C2B217A452B477C4B1DB06 336073 PE32 executable (DLL) (console) Intel 80386, for MS Windows MD5 3dae0dc356c2b217a452b477c4b1db06 SHA1 4efb9c09d7bffb2f64fc6fe2519ea85378756195 SHA256 8acfe8ba294ebb81402f37aa094cca8f914792b9171bc62e758a3bbefafb6e02 SHA512 e52b8878bd8c3bdd28d696470cba8a18dcc5a6d234169e26a2fbd9862b10ec1d40196fac981bc3c5a67e661cd60c10036321388e5e5c1f60a7e9937dd71fadb1 SSDEEP 3072:jUdidTaC07zIQt9xSx1pYxHvQY06emquSYttxlxep0xnC:jyi1XCzcbpYdvQ2e9g3kp01C Microsoft Visual C++ 6.0 Microsoft Visual C++ 6.0 DLL (Debug) 6.65226708818 5 2016-01-29T09:21:46Z 4096 MD5 e14dca360e273ca75c52a4446cd39897 0.672591739631 .text 49152 6.41338619924 MD5 076cdf2a2c0b721f0259de10578505a1 .rdata 8192 3.293891672 MD5 4a6af2b49d08dd42374deda5564c24ef .data 110592 6.78785911234 MD5 c797dda9277ee1d5469683527955d77a .reloc 8192 3.46819043887 MD5 fbefbe53b3d0ca62b2134f249d249774 e9 dtn 9J;P GZU{Rd 5Cv ?DA amZ www.apple.com ssl.apple.com0 _0]0[ 0L0# https://d.symcb.com/cps0% https://d.symcb.com/rpa0 j0+ $0"0 http://sr.symcb.com/sr.crl0W K0I0 http://sr.symcd.com0& http://sr.symcb.com/sr.crt0 US1 VeriSign, Inc.1 VeriSign Trust Network1;09 2Terms of use at https://www.verisign.com/rpa (c)101/0- &VeriSign Class 3 Secure Server CA - G30 140609000000Z 150609235959Z0 CN1 beijing1 beijing1907 0BeiJing Baidu Netcom Science Technology Co., Ltd1%0# service operation department1 *.baidu.com0 G`A 6http://mscrl.microsoft.com/pki/mscorp/crl/msitwww2.crl 4http://crl.microsoft.com/pki/mscorp/crl/msitwww2.crl0p d0b0< 0http://www.microsoft.com/pki/mscorp/msitwww2.crt0" http://ocsp.msocsp.com0 G0E0C 0604 (http://www.microsoft.com/pki/mscorp/cps www.bing.com bing.com *.platform.bing.com *.bing.com ieonline.microsoft.com *.windowssearch.com cn.ieonline.microsoft.com *.origin.bing.com *.mm.bing.net *.api.bing.com ecn.dev.virtualearth.net *.cn.bing.net *.cn.bing.com *.ssl.bing.com *.appex.bing.com *.platform.cn.bing.com ssl-api.bing.com ssl-api.bing.net *.api.bing.net *.bingapis.com www.bingsandbox.com bingsandbox.com0 --End SSL CERT Strings--]]> 746CFECFD348B0751CE36C8F504D2C76 180224 PE32 executable (DLL) (console) Intel 80386, for MS Windows MD5 746cfecfd348b0751ce36c8f504d2c76 SHA1 4d51a6f714fac3013142a3ff28f294e4ccd6eb6d SHA256 2cc3b5f2dfc189bf96de419540905893e52b4b126b62bc34ae373c93e257f1d5 SHA512 f1c586abd9f053d631681bd92f52aa77695996899be0d124803a86d130becfdab9be8166d533bdd5bd20acc0bedb55da3b9126ee85b14f7d28c427f0afe16ba4 SSDEEP 1536:jHl+dvKd59GTnl+Dj0v7/OoMrQtKYUwnZ7hUOrYUwnZ7hUOLpnYUwnZ7hUONv:jUdidTaC07zIQt9xSx1pYxHv Microsoft Visual C++ 6.0 Microsoft Visual C++ 6.0 DLL (Debug) 6.61189736378 5 2016-01-29T09:21:46Z 4096 MD5 e14dca360e273ca75c52a4446cd39897 0.672591739631 .text 49152 6.41338619924 MD5 076cdf2a2c0b721f0259de10578505a1 .rdata 8192 3.293891672 MD5 4a6af2b49d08dd42374deda5564c24ef .data 110592 6.78785911234 MD5 c797dda9277ee1d5469683527955d77a .reloc 8192 3.46819043887 MD5 fbefbe53b3d0ca62b2134f249d249774 9CE9A0B3876AACBF0E8023C97FD0A21D 21812 ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV) MD5 9ce9a0b3876aacbf0e8023c97fd0a21d SHA1 f4fac6fea1a947e3bf9ea499450ccf0c370ef5dd SHA256 0ff83f3b509c0ec7070d33dceb43cef4c529338487cd7e4c6efccf2a8fd7142d SHA512 29defe1742629a4b28cf6eab7b450db8258c6375fdee697210e73533ed5d9f23ae41458cb66b2a00dd9ada0b51a1f4604a2d5924e421d98b9d4b3e2449164032 SSDEEP 384:M1lJPX/pAibVDSBV55oXy8KQvKvCT1bo0Z:MpvhA4SCKQS41bh 6.13535106368 MD5 3dae0dc356c2b217a452b477c4b1db06 SHA1 4efb9c09d7bffb2f64fc6fe2519ea85378756195 MD5 746cfecfd348b0751ce36c8f504d2c76 SHA1 4d51a6f714fac3013142a3ff28f294e4ccd6eb6d MD5 9ce9a0b3876aacbf0e8023c97fd0a21d SHA1 f4fac6fea1a947e3bf9ea499450ccf0c370ef5dd ProxyDll.dll - MD5 Malware Artifacts US-CERT 2018-01-10T14:54:12.822115+00:00 ProxyDll.dll - SHA1 Malware Artifacts US-CERT 2018-01-10T14:54:12.822887+00:00 ELF ARM File - MD5 Malware Artifacts US-CERT 2018-01-10T14:57:47.267592+00:00 ELF ARM File - SHA1 Malware Artifacts US-CERT 2018-01-10T14:57:47.268430+00:00 ProxyDll - MD5 Malware Artifacts US-CERT 2018-01-16T22:46:15.083895+00:00 ProxyDll - SHA1 Malware Artifacts US-CERT 2018-01-16T22:46:15.084806+00:00 MAEC Characterization of 3dae0dc356c2b217a452b477c4b1db06 McAfee BackDoor-FCIV!3DAE0DC356C2 K7 Trojan ( 004be70e1 ) Symantec Heur.AdvML.B BitDefender Gen:Variant.Graftor.185553 Microsoft Security Essentials Backdoor:Win32/Escad.A!dha Emsisoft Gen:Variant.Graftor.185553 (B) Avira TR/Agent.cjav Ahnlab Backdoor/Win32.Akdoor ESET a variant of Win32/NukeSped.M trojan NANOAV Trojan.Win32.Agent.ebiijz Vir.IT eXplorer Backdoor.Win32.Generic.AIVO AVG BackDoor.Generic19.AIVO MAEC Characterization of 746cfecfd348b0751ce36c8f504d2c76 McAfee BackDoor-FCIV!746CFECFD348 K7 Trojan ( 004be70e1 ) Symantec Heur.AdvML.C BitDefender Gen:Variant.Graftor.185553 Microsoft Security Essentials Backdoor:Win32/Escad.A!dha Emsisoft Gen:Variant.Graftor.185553 (B) Avira BDS/Escad.180224 Ahnlab Backdoor/Win32.Akdoor ESET a variant of Win32/NukeSped.M trojan Vir.IT eXplorer Backdoor.Win32.Generic.AIVO Ikarus Trojan.Win32.Agent AVG BackDoor.Generic19.AIVO MAEC Characterization of 9ce9a0b3876aacbf0e8023c97fd0a21d Symantec Backdoor.Trojan Sophos Andr/Spy-ANK Ahnlab Linux/Backdoor.21812 ESET a variant of Android/NukeSped.A trojan Ikarus Backdoor.AndroidOS.BlockBuster 10135536-F Malicious Code Malicious Artifact Detected Malicious Artifact Detected Malicious Artifact Detected Malicious Artifact Detected Malicious Artifact Detected Malicious Artifact Detected Malicious Artifact Detected Malicious Artifact Detected Malicious Artifact Detected