Malware Analysis Report




NSHC 2014. 02. 20
Malware Analysis Report [ Xtreme RAT ]

A server program of Xtreme RAT, a type of RAT (Remote Administration Tool), has recently been distributed. A system infected with the server program becomes a client of the attacker, who controls the system remotely. The attacker can steal information from the infected system, such as keyboard input, MSN e-mail, and clipboard data. On a system suspected to be infected, countermeasures matching the malware's behaviour and treatment with anti-virus software are required.

Information Service about a new vulnerability
Version 1.0 External
2014 Red Alert. All Rights Reserved.

Index
1. Malware Stub ... 3
2. Technical Details ... 6
3. Red Alert's Opinion ... 12
4. Removal Recommendations ... 12
5. Reference ... 14

facebook.com/nshc.redalert 2014 Red Alert. All Rights Reserved. 1

Confidentiality Agreements

This report was written by the Red Alert team. It may be used freely for research purposes, but Red Alert accepts no legal responsibility for its use. This report is a living document and will be updated from time to time. Please refer to the Red Alert SNS page to download updates (https://www.facebook.com/nshc.redalert). Analysis reports are updated on Facebook; other materials, articles and samples are offered as a premium service on the ISAC page (https://isac.nshc.net).

1. Malware Stub

Table 1. File Info-1
  Malware Name   pdfviewer.exe
  File Size      133,624 bytes
  MD5            50f7368f4b81d4c2891d7a890e8d5b44
  Compiled Date  2012.01.18 12:35:52
  Etc            N/A

Table 2. File Info-2
  Malware Name   dmw.exe
  File Size      59,823 bytes
  MD5            c674a56b67332c033d1a041f32f0daac
  Compiled Date  1992.06.19 22:22:17
  Etc            N/A

Download source of pdfviewer.exe (masked):
- dl.**********rcontent.com/s/pn*********5zhh/pdfviewer.exe

Table 3. Analysis Environment
  Index    Description
  OS       Windows XP SP3 KR
  Browser  Windows Internet Explorer 8

The malware runs by injecting its module into svchost.exe and explorer.exe. dmw.exe is registered as a Windows auto-start entry so that the malware persists on the system.

Figure 1. Drop Flow

The server that the malware connects to is shown below.

Figure 2. IP Info-1
Figure 3. IP Info-2

The malware's data and the keylogging output are stored in a specific folder.

Figure 4. Malware Output Data

Users can also see more than one explorer.exe running, because the malware injects its module into explorer.exe.

Figure 5. Injected Process

While the infected explorer.exe is running, windows whose object names identify Xtreme RAT are created.

Figure 6. Malware's Object

2. Technical Details

The XtremeKeylogger window created by the infected explorer.exe is registered as a clipboard viewer.

Figure 7. Set Clipboard Viewer

The XtremeKeylogger window procedure contains a routine that handles the WM_DRAWCLIPBOARD message. WM_DRAWCLIPBOARD is sent whenever new data is placed on the clipboard, so a window registered as a clipboard viewer can inspect the clipboard contents.

Figure 8. Branches 'WM_DRAWCLIPBOARD'

In the WM_DRAWCLIPBOARD handling routine, the clipboard's Unicode text is stored in a buffer.

Figure 9. Get Clipboard Data

The stored data is recorded in a separate file, as follows:
- %APPDATA%\Microsoft\Windows\((Mutex)).dat
- %APPDATA%\Microsoft\Windows\gzAdbdgue.dat

Figure 10. Logging Data

The file's data begins with the signature bytes 0xAA, 0xFE. The Unicode characters are stored with single-byte encryption (XOR 0x55), excluding CRLF (Carriage Return Line Feed: 0x0D, 0x0A) and 0x00.

Figure 11. XOR Encode Routine

The decoded data, excluding the Unicode text, is as follows:

Figure 12. Decoding Data
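As an added example (not code from the original report or from Xtreme RAT), the following Python script reproduces the data file layout described above and decodes it: a 0xAA 0xFE signature followed by UTF-16LE text in which every byte except CR, LF and NUL is XORed with 0x55. The encoder that builds the sample stands in for the routine in Figure 11, and the assumption that the exclusion is tested on the plaintext byte is this example's own; a caveat that follows from that rule is returned by ambiguous_chars().

```python
"""Decode the Xtreme RAT keylog / clipboard data file described above.

Layout taken from the report:
  bytes 0..1 : signature 0xAA 0xFE
  bytes 2..  : UTF-16LE text, each byte XORed with 0x55, except that
               CR (0x0D), LF (0x0A) and NUL (0x00) are written unchanged.

Assumption of this example (not stated in the report): the exclusion is tested
on the plaintext byte, so decoding applies the same test to the stored byte.
"""
import sys

SIGNATURE = b"\xaa\xfe"
XOR_KEY = 0x55
PASSTHROUGH = {0x0D, 0x0A, 0x00}


def xor_selective(data: bytes) -> bytes:
    """Apply the selective XOR; XOR is its own inverse, so this both
    encodes and decodes."""
    return bytes(b if b in PASSTHROUGH else b ^ XOR_KEY for b in data)


def build_sample_log(text: str) -> bytes:
    """Construct a log body the way the routine in Figure 11 would write it.
    Used only to make sample input; a real file would be read from
    %APPDATA%\\Microsoft\\Windows\\<mutex>.dat."""
    return SIGNATURE + xor_selective(text.encode("utf-16-le"))


def is_xtreme_log(data: bytes) -> bool:
    """Cheap triage check: does the file start with the 0xAA 0xFE signature?"""
    return data.startswith(SIGNATURE)


def decode_log(data: bytes) -> str:
    """Validate the signature and return the decoded Unicode text."""
    if not is_xtreme_log(data):
        raise ValueError("signature 0xAA 0xFE not found; not an Xtreme RAT log")
    body = xor_selective(data[len(SIGNATURE):])
    # A log still being written when the process died may end on half a
    # UTF-16 code unit; drop the dangling byte instead of failing.
    if len(body) % 2:
        body = body[:-1]
    return body.decode("utf-16-le", errors="replace")


def ambiguous_chars() -> str:
    """Consequence of the pass-through rule under the assumption above: a
    plaintext byte that XORs to 0x00, 0x0A or 0x0D is stored identically to a
    literal NUL/LF/CR, so those characters cannot be recovered with certainty.
    Returned so an analyst knows which decoded characters may be unreliable."""
    return "".join(chr(v ^ XOR_KEY) for v in sorted(PASSTHROUGH))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            raw = fh.read()
    else:
        # Constructed sample: a window caption line followed by typed text.
        raw = build_sample_log("notepad - sample.txt\r\nhello world\r\n")
    print(decode_log(raw))
    print("characters that may be unreliable:", ambiguous_chars())
```

Run it with the path of a recovered .dat file as the only argument, or with no argument to decode the constructed sample. Because the high byte of every ASCII character is a NUL that passes through unchanged, the XORed bytes of a captured log show up in a hex view as one encoded byte followed by 0x00, which is the pattern Figure 11 and Figure 12 contrast.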

It attempts to install a system-wide hook using the SetWindowsHookExW function from the XtremeKeylogger window created by the infected explorer.exe.

Figure 13. Set Keyboard Hook

The routine that processes keyboard input messages is in LowLevelKeyboardProc, which runs through the global hook.
- WM_SYSKEYDOWN : system key input
- WM_KEYDOWN : keyboard key input

Figure 14. Branches Key Down Messages

Input is separated by window using the foreground window.

Figure 15. Get Foreground Wnd Caption

The time information is also recorded in DATE_SHORTDATE format along with the window caption.

Figure 16. Local Time Format

The contents are saved in the keylogging data file with single-byte encryption (XOR 0x55), in the same way as the clipboard hooker. The decoded data, excluding the Unicode type, is as follows.

Figure 17. Key Logging Data

The keylogging data file is sent together with the clipboard data to an FTP server.

Figure 18. Logging File Transfer

It also attempts to install a system-wide hook using SetWindowsHookExW from the XtremeKeylogger window created by the infected explorer.exe.

Figure 19. Set Mouse Hook

The routine that processes mouse input messages is in LowLevelMouseProc.
- WM_LBUTTONDOWN : left mouse button click
- WM_RBUTTONDOWN : right mouse button click
- WM_MBUTTONDOWN : mouse wheel (middle button) click
- WM_LBUTTONDBLCLK : left mouse button double-click
- WM_RBUTTONDBLCLK : right mouse button double-click

Figure 20. Branches Mouse Click Messages

Input is again separated by window using the foreground window.

Figure 21. Get Foreground Wnd Caption

Using the BitBlt function, it captures the screen contents into memory.

Figure 22. Screen Capture

The captured screen is stored as a .jpg file.

Figure 23. Saved Capture

3. Red Alert's Opinion

The RAT (Remote Administration Tool) can capture the screen, log keystrokes, steal clipboard data, act as a proxy server, and manipulate processes, windows and the registry. Cases of RATs being used to steal personal information are increasing. Be aware of the damage a RAT can cause.

4. Removal Recommendations

In the Folder Options of Windows Explorer, clear the "Hide protected operating system files (Recommended)" check box and select "Show hidden files and folders". Then delete the following files:
- %APPDATA%\Microsoft\Windows\((Mutex)).cfg
- %APPDATA%\Microsoft\Windows\((Mutex)).dat
- %APPDATA%\Microsoft\Windows\gzAdbdgue.cfg
- %APPDATA%\Microsoft\Windows\gzAdbdgue.dat
- %APPDATA%\Microsoft\Windows\gzAdbdgue.xtr
- %APPDATA%\System\dmw.exe

Figure 24. Folder Option

Delete the registry entries related to the malware.
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Value Name : HKLM
  Value Data : %APPDATA%\System\dmw.exe
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Value Name : HKCU
  Value Data : %APPDATA%\System\dmw.exe
- HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{54F31X8D-X7YK-MYWP-XFCM-1M6UNSJ65AWU}
  Value Name : StubPath
  Value Data : %APPDATA%\System\dmw.exe restart
- HKCU\Software\gzAdbdgue
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
  Value Name : Load
- HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
  Value Name : Load

Perform a thorough examination of the system with reference to Reference [1] (VirusTotal) and remove the malware with anti-virus software.
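As an added defender-side example (not part of the original report), the following Python script checks a snapshot of autostart registry values and a listing of files under %APPDATA% against the indicators in sections 1 and 4. The snapshot layout (dictionaries keyed by registry location and by file path) and the sample entries are this example's own constructions; because ((Mutex)) is a per-sample name, the log and configuration files are matched by folder and extension rather than by name, and the .dat candidates are additionally tested for the 0xAA 0xFE signature from section 2.

```python
"""Triage a host snapshot against the Xtreme RAT indicators in sections 1 and
4 of this report. Example code added to the report: the snapshot layout and the
sample entries are constructed; on a Windows host the dictionaries would be
filled from `reg query` output and a directory listing of %APPDATA%."""
import ntpath

LOG_SIGNATURE = b"\xaa\xfe"           # section 2: first bytes of the .dat logs
LOG_EXTS = {".cfg", ".dat", ".xtr"}   # section 4: files named after the mutex
LOG_DIR_TAIL = r"\microsoft\windows"  # ... located in %APPDATA%\Microsoft\Windows
DROPPER_TAIL = r"\system\dmw.exe"     # sections 1/4: %APPDATA%\System\dmw.exe
LOAD_KEY_TAIL = r"\microsoft\windows nt\currentversion\windows"
MUTEX_KEY = r"hkcu\software\gzadbdgue"


def _norm(s: str) -> str:
    """Case-insensitive, unquoted comparison form for paths and values."""
    return s.strip().strip('"').lower()


def check_registry(values: dict, keys) -> list:
    """values: {(key_path, value_name): value_data}; keys: key paths present.
    Returns (location, reason) pairs for entries matching the report."""
    hits = []
    for (key, name), data in values.items():
        k, n, d = _norm(key), _norm(name), _norm(data)
        location = key + "\\" + name
        if DROPPER_TAIL in d:
            # The Run values, the Load value and the Active Setup StubPath all
            # point at the dropped dmw.exe, so match on the path, not the key.
            hits.append((location, "autostart data references %APPDATA%\\System\\dmw.exe"))
        elif k.endswith(LOAD_KEY_TAIL) and n == "load" and d:
            # This example's own rule: Load is unused on an ordinary system,
            # so any non-empty data deserves a look even if the path differs.
            hits.append((location, "non-empty Load value"))
    for key in keys:
        if _norm(key) == MUTEX_KEY:
            hits.append((key, "configuration key named after the malware mutex"))
    return hits


def check_files(files: dict) -> list:
    """files: {path: first_bytes}. Returns (path, reason) pairs for paths
    matching the report's file indicators."""
    hits = []
    for path, head in files.items():
        p = _norm(path)
        if p.endswith(DROPPER_TAIL):
            hits.append((path, "dropped executable"))
        elif ntpath.dirname(p).endswith(LOG_DIR_TAIL) and ntpath.splitext(p)[1] in LOG_EXTS:
            reason = "candidate log/config file"
            if head.startswith(LOG_SIGNATURE):
                reason += " with 0xAA 0xFE signature"
            hits.append((path, reason))
    return hits


if __name__ == "__main__":
    # Constructed snapshot of a Windows XP host (paths and values are samples).
    appdata = r"C:\Documents and Settings\user\Application Data"
    sample_values = {
        (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "HKCU"): r"%APPDATA%\System\dmw.exe",
        (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe"): r"C:\WINDOWS\system32\ctfmon.exe",
        (r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows", "Load"): appdata + r"\System\dmw.exe",
    }
    sample_files = {
        appdata + r"\Microsoft\Windows\gzAdbdgue.dat": b"\xaa\xfe\x3d\x55",
        appdata + r"\Microsoft\Windows\Recent\notes.lnk": b"L\x00",
        appdata + r"\System\dmw.exe": b"MZ",
    }
    findings = check_registry(sample_values, [r"HKCU\Software\gzAdbdgue"]) + check_files(sample_files)
    for location, reason in findings:
        print(f"{reason}: {location}")
```

The registry matcher keys on the dropped path rather than on the specific key names because the same dmw.exe path appears in Run, Load and StubPath; matching on data also tolerates the differences between the expanded and unexpanded forms of %APPDATA% that appear in exported registry text.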

5. Reference
[1] Virus Total
    https://www.virustotal.com/en/file/e6b8a3a8b4df58ad8c656cafada78a2462023acb5c76fda5f7d4cc62604a6a20/analysis/
[2] Xtreme RAT
    https://sites.google.com/site/xxtremerat/