About contagio exchange

CONTAGIO EXCHANGE Contagio exchange was created to absorb malware samples shared by readers of Contagio. This is meant to be a community driven malware collection.
Edit Aug 2013 - The community is busy and Mila too so this was not a very active site (my fault probably) so I will be just dumping malware strings here - it often helps in malware identification and googling is the best way.
With just strings, not exactly a fun blog to read but might become s useful resource over time.
I will not be posting samples here, just md5. You can find the corresponding samples on contagio or ping me if you can't find
M
P.S. Robot pictures delivered by Robohash.com (generated from file hashes)

Sunday, April 29, 2012

018 Crime "Microsoft Update" phish -> Blackhole exploit kit with Zeus payload - web - April 2012

File: KB971033.exe
Size: 201216
MD5:  EC750B75E83749C715D7834E130FCE8E

File: hnszs0.exe
Size: 184832
MD5:  9DB4174373601F74FCE0ECBC77A9577D

Sample credit Bryan Nolen

Download (pass infected)


LIST OF FILES INCLUDED
│   investigation_notes.txt

├───dropped_files
│   ├───exe
│   │       hnszs0.exe
│   │       KB971033.exe
│   │
│   ├───java
│   │       jar_cache.zip
│   │
│   ├───pdf
│   │       ap1.pdf
│   │       ap2.pdf
│   │
│   └───swf
│           score.swf

├───email
│       MSUPDATE.eml

├───extracted_files
│       pid_1412_Explorer_Dumped.EXE

├───html
│       exploit.html
│       landing.html

└───pcap
        dump.pcap



Quick analysis made by Bryan Nolen

Landing page (hxxp://volozhin.gov.by/pub/KB971033/?clien-e=3D1093821896211 and saved as html/landing.html) contains a hidden IFRAME that leads to the exploit page. This landing page also contains a META REFRESH that leads to another suspect binary (hxxp://volozhin.gov.by/pub/KB971033/KB971033.exe saved as dropped_files/exe/KB971033.exe) - detection on this second binary is low ( https://www.virustotal.com/file/0e14f5e6cdab9218135d3a7eed11f0457c9934210859f6075d63bc609469d43b/analysis/1335596875/ )

Exploit page (hxxp://fewfewfewfew.ibiz.cc/main.php?page=95fc4549d83b0486 and saved as html/exploit.html) utilises a trio of exploits designed to attack java, adobe acrobat, or flash.

Analysis of the javascript was perfomed with the assistance of URLQUERY report link (http://urlquery.net/report.php?id=47909).

The attack payloads are saved as
  • dropped_files/pdf/ap1.pdf 
  • dropped_files/pdf/ap2.pdf 
  • dropped_files/swf/score.swf 
  • dropped_files/java/jar_cache.zip

The "final" malicious payload is saved as (dropped_files/exe/hnszs0.exe) and its detection is VERY poor ( https://www.virustotal.com/file/c48df0394939fccb9a3ac0853d0ae696d04e7c5230d3a6468ebce257a0be4ccc/analysis/1335598639/ )

A copy of explorer.exe extracted from the memory image after infection is included, based on observations this is the process it migrated into after infection. It is saved in (extracted_files/pid_1412_Explorer_Dumped.EXE)

PCAP is supplied in the pcap folder. The hosts identified in this malware are:

Landing Page:    volozhin.gov.by         212.98.162.62
Exploit Page:    fewfewfewfew.ibiz.cc         83.69.233.156
C2:        google-analytics-sv1.com     91.230.147.222
(alt C2):    localdomain01.com         91.230.147.145

Note: the Alternate C2 was seen in earlier investigations of this malware and changed to the C2 address above when this round of investigation was performed.

Full memory dumps from my sandbox VM avaliable on request.

I have a strong suspicion this is a Zeus varient.


-Bryan Nolen <bryan _at_ arc .dot. net .dot. au>
@bryannolen

SITE TYPE
LEGITIMATE, COMPROMISED   
212.98.162.62
volozhin.gov.by
    Belarus    AS12406 Business network j.v.    Business Network JV
                       
BLACKHOLE    
83.69.233.156
fewfewfewfew.ibiz.cc 
   Russian Federation    AS28762 AWAX Telecom Ltd    AWAX Telecom Ltd.

PAYLOAD - ZEUS   
C2
91.230.147.222
google-analytics-sv1.com
Russian Federation    AS57189 PE Spiridonova Vera Ana    OOO Aldevir Invest
 
C2
91.230.147.145
localdomain01.com Russian Federation    AS57189 PE Spiridonova Vera Ana    OOO Aldevir Invest