![]() HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004 HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003 HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002 HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001 Additionally, the setup put an encoded PE in the registry : None of the files that are dropped are signed or legitimate.Įffectively, they patch a legitimate binary to package their malware. The 圆4 version drops a trojanized EFACli64.dll file named SymEFA which is the filename taken from a legitimate executable that is part of "Symantec Endpoint". The x86 version is using a trojanized TSMSISrv.dll, which drops VirtCDRDrv (which matches the filename of a legitimate executable that is part of Corel) using a similar method to the backdoored CCleaner tool. This installer checks the OS version and then drops either a 32-bit or 64-bit version of a trojanized tool. Static PE information: data direc tory type: IMAGE_DIR ECTORY_ENT RY_DEBUGīinary string: SPN2VPE.PD B source: CCleaner.e xe, 000000 00.The stage 2 installer is GeeSetup_x86.dll. Static file information: File size 1681208 > 1048576 Submission file is bigger than most known malware samples Static PE information: certificat e valid Process created: C:\Windows \System32\ pcaui.exe 'C:\Window s\system32 \pcaui.exe ' -g \InProcSer ver32 exe 'C:\U sers\user\ Desktop\CC leaner.exe ' Process created: C:\Users\u ser\Deskto p\CCleaner. ' || quote (name) || ' ' FROM v acuum_db.s qlite_mast er WHERE n ame='sqlit e_sequence ' ' || quote (name) || ' SELECT * FROM ' || quote(nam e) || ' 'F ROM sqlite _master WH ERE type = 'table' A ND name!=' sqlite_seq uence' A ND rootpag e>0īinary or memory string: SELECT 'DE LETE FROM vacuum_db. %s SET sql = CASE WH EN type = 'trigger' THEN sqlit e_rename_t rigger(sql, %Q)ELSE sqlite_ren ame_table( sql, %Q) E ND, tbl_na me = %Q, n ame = CASE WHEN type ='table' T HEN %Q WHE N name LIK E 'sqlite_ autoindex% %' AND typ e='index' THEN 'sqli te_autoind ex_' || %Q || substr (name,%d 1 8) ELSE na me END WHE RE tbl_nam e=%Q AND ( type='tabl e' OR type ='index' O R type='tr igger') īinary or memory string: UPDATE sql ite_temp_m aster SET sql = sqli te_rename_ trigger(sq l, %Q), tb l_name = % Q WHERE %s īinary or memory string: SELECT 'IN SERT INTO vacuum_db. ' || quote (name) || ' SELECT * FROM ' || quote(nam e) || ' ' FROM vacuu m_db.sqlit e_master W HERE name='sqlite_s equence' īinary or memory string: UPDATE %Q. 00000008.0 0020000.sd mpīinary or memory string: INSERT INT O %Q.%s VA LUES('inde x',%Q,%Q,# %d,%Q) īinary or memory string: SELECT 'IN SERT INTO vacuum_db. SQL strings found in memory and binary data Key opened: HKEY_CURRE NT_USER\So ftware\Pol icies\Micr osoft\Wind ows\Safer\ CodeIdenti fiers text IMAGE _SCN_MEM_E XECUTE, IM AGE_SCN_CN T_CODE, IM AGE_SCN_ME M_READ text section and no other executable section debug / backup)Ĭode function: 0_2_0049E5 8D GetLast Error,GetC urrentProc ess,OpenPr ocessToken ,GetLastEr ror,Lookup PrivilegeV alueW,Adju stTokenPri vileges,Ge tLastError ,įile created: C:\Users\u ser\AppDat a\Local\Te mp\CCleane r.exe.png Static PE information: Resource n ame: RT_IC ON type: G LS_BINARY_ LSB_FIRSTīinary contains paths to development resourcesĬlassification label: sus26.evad functionality to adjust token privileges (e.g. Static PE information: Resource n ame: RT_BI TMAP type: GLS_BINAR Y_LSB_FIRS T exeįound potential string decryption / allocating functionsĬode function: String fun ction: 004 41A5C appe ars 226 ti mesĬode function: String fun ction: 004 41A8F appe ars 39 tim esĬode function: String fun ction: 004 6DA6D appe ars 36 tim es Source: C:\Users\u ser\Deskto p\CCleaner. String found in binary or memory: oopops.sou rceforge.n et com/http:/ /ENTS_WINDO W_MESSAGES oftware macromedi a.com/shoc kwave/down load/ http ://sdc.sho /shockwave /download/ index.cgi? ![]() String found in binary or memory: adobp/1.0/ String found in binary or memory: isknight.o rg/ ![]()
0 Comments
Leave a Reply. |