It's been a few years since I used this blog. Going forward, I thought I should write some semi-recurring posts about random things that I spend about an hour on (mostly because that's about the time I have for random things).
I learn rather easily, but I "forget" just as easily, at least if I don't use the knowledge on a more day-to-day basis.
During the working day, "reversing" mostly stops at C2 info and a few characteristics, as that's what's needed and because there are tons of other things to look at.... Hopefully, given a few "hours", I will at least refresh some knowledge...
I picked a random sample to look at for my first post.
- Sample Name: vbc.exe
- SHA1: 5a4a29b0980ea0b5b42da76d878102bf7a00807e
Let's start off by running the sample in a controlled environment, tracking all changes made to the filesystem and the traffic generated. We can quickly see that the sample tries to reach out to the following domain:
http://secure01-redirect.net/ (http://secure01-redirect.net/ga13/fre.php)
This domain is also later visible during debugging.
During execution the original sample is deleted and moved to a hidden folder under the user's %APPDATA% directory (which already expands to ...\AppData\Roaming), named <random six-character directory name>; more on that later.
Looking at the API imports, we could have guessed that something like this would happen:
MoveFileA and DeleteFileW
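As an added example (not from the post, and not the tracing tool the author used), here is a small Python check that spots the relocation behaviour described above in a filesystem trace. The trace is a constructed, Procmon-style CSV (the column layout, process names, PID and paths are all assumptions made up for this example): the process writes or moves a file into a six-character directory directly under AppData\Roaming, sets the hidden attribute on that directory and deletes its own image.

```python
"""Flag a process that relocates itself into a hidden six-character directory
under AppData\\Roaming and deletes its original file.  Added example, not code
from the original post; the trace format is a Procmon-like CSV (assumption)."""
import csv
import io
import re

# A file inside a directory with a random six-character name that sits directly
# under AppData\Roaming (the post's %APPDATA%\<six chars>\<sample> location).
RELOCATED = re.compile(r"\\AppData\\Roaming\\[A-Za-z0-9]{6}\\[^\\]+$", re.IGNORECASE)

# Constructed trace (not captured from the real sample).  Columns and operation
# names mimic Procmon; the directory name K2J9RX and PIDs are made up.
SAMPLE_TRACE = """Process Name,PID,Operation,Path,Detail
vbc.exe,4120,CreateFile,C:\\Users\\lab\\Desktop\\vbc.exe,"Desired Access: Read"
vbc.exe,4120,CreateFile,C:\\Users\\lab\\AppData\\Roaming\\K2J9RX,"Desired Access: Write, Options: Directory"
vbc.exe,4120,SetBasicInformationFile,C:\\Users\\lab\\AppData\\Roaming\\K2J9RX,"FileAttributes: HD"
vbc.exe,4120,SetRenameInformationFile,C:\\Users\\lab\\Desktop\\vbc.exe,"ReplaceIfExists: False, FileName: C:\\Users\\lab\\AppData\\Roaming\\K2J9RX\\K2J9RX.exe"
vbc.exe,4120,SetDispositionInformationFile,C:\\Users\\lab\\Desktop\\vbc.exe,"Delete: True"
explorer.exe,1234,CreateFile,C:\\Users\\lab\\AppData\\Roaming\\Microsoft\\Windows\\Recent,"Desired Access: Read"
"""


def find_self_relocation(trace_text):
    """Return one finding per PID that (1) writes or moves a file into a
    six-character directory under AppData\\Roaming and (2) deletes its own image.
    Whether the target directory was also hidden is reported as dir_hidden."""
    per_pid = {}
    for row in csv.DictReader(io.StringIO(trace_text)):
        per_pid.setdefault(row["PID"], []).append(row)

    findings = []
    for pid, events in per_pid.items():
        proc = events[0]["Process Name"]
        target = hidden_dir = deleted = None
        for ev in events:
            # For a rename the destination lives in the Detail column.
            parts = ev["Detail"].split("FileName: ", 1)
            dest = parts[1] if ev["Operation"] == "SetRenameInformationFile" and len(parts) == 2 else ev["Path"]
            if ev["Operation"] in ("CreateFile", "WriteFile", "SetRenameInformationFile") and RELOCATED.search(dest):
                target = dest
            if ev["Operation"] == "SetBasicInformationFile" and "FileAttributes: H" in ev["Detail"]:
                hidden_dir = ev["Path"]
            if (ev["Operation"] == "SetDispositionInformationFile" and "Delete: True" in ev["Detail"]
                    and ev["Path"].lower().endswith("\\" + proc.lower())):
                deleted = ev["Path"]  # the process is deleting its own image
        if target and deleted:
            hidden = hidden_dir is not None and target.lower().startswith(hidden_dir.lower() + "\\")
            findings.append({"pid": pid, "process": proc, "original": deleted,
                             "relocated": target, "dir_hidden": hidden})
    return findings


if __name__ == "__main__":
    for hit in find_self_relocation(SAMPLE_TRACE):
        print(hit)
```

Against the constructed trace the only finding is PID 4120 (vbc.exe), with dir_hidden set; explorer.exe's activity under AppData\Roaming\Microsoft does not match because the directory name is not six characters. To run it on a real capture, export the Procmon events as CSV and pass the file contents to find_self_relocation.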
The sample was not stripped of its debug information, so we can learn the following from its CodeView (PDB) record:
Age: 19
Timestamp: Sun Sep 26 22:56:51 2021 (for reference, the PE header compile timestamp says Mon Jan 25 04:24:02 2021; the linker normally writes both in the same run, so time stomping may be in play)
PDB path: c:\vobevipusilolo59.pdb
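To make the comparison above repeatable, here is an added example (not code from the post; stdlib only, no pefile dependency) that reads the PE header TimeDateStamp and the CodeView RSDS debug entry (its own timestamp, Age and PDB path) out of a PE file and flags when the two timestamps disagree. Because the real sample is not included here, the script builds a minimal, non-executable PE32 image that carries the values listed above; that image, and the one-hour tolerance used for the mismatch check, are assumptions made for the example.

```python
"""Compare the PE header timestamp with the CodeView debug-directory timestamp.
Added example, not from the original post.  Parses PE32/PE32+ with the stdlib."""
import struct
import sys
from datetime import datetime, timezone

IMAGE_DEBUG_TYPE_CODEVIEW = 2
# Values quoted in the post, used to build the constructed test image below.
COMPILE_TS = int(datetime(2021, 1, 25, 4, 24, 2, tzinfo=timezone.utc).timestamp())
DEBUG_TS = int(datetime(2021, 9, 26, 22, 56, 51, tzinfo=timezone.utc).timestamp())
PDB_PATH = r"c:\vobevipusilolo59.pdb"


def _rva_to_offset(rva, sections):
    """Translate an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x not backed by any section" % rva)


def parse_debug_info(data):
    """Return pe_timestamp plus debug_timestamp/age/guid/pdb_path from the RSDS record."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    _, nsec, pe_ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_off = opt + (96 if magic == 0x10B else 112)        # data directory: PE32 vs PE32+
    dbg_rva, dbg_size = struct.unpack_from("<II", data, dir_off + 6 * 8)  # entry 6 = DEBUG
    sections = []
    for i in range(nsec):
        _, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((va, vsize, raw_ptr, raw_size))
    info = {"pe_timestamp": pe_ts, "debug_timestamp": None, "age": None, "guid": None, "pdb_path": None}
    if dbg_rva == 0:
        return info
    dbg_off = _rva_to_offset(dbg_rva, sections)
    for i in range(dbg_size // 28):
        _, dbg_ts, _, _, dtype, _, _, raw_ptr = struct.unpack_from("<IIHHIIII", data, dbg_off + 28 * i)
        if dtype != IMAGE_DEBUG_TYPE_CODEVIEW or data[raw_ptr:raw_ptr + 4] != b"RSDS":
            continue
        end = data.index(b"\0", raw_ptr + 24)
        info.update(debug_timestamp=dbg_ts, guid=data[raw_ptr + 4:raw_ptr + 20].hex(),
                    age=struct.unpack_from("<I", data, raw_ptr + 20)[0],
                    pdb_path=data[raw_ptr + 24:end].decode("latin-1"))
    return info


def timestamp_mismatch(info, tolerance=3600):
    """True when the two timestamps differ by more than `tolerance` seconds (assumed
    one hour).  The linker writes both in one run, so a large gap means one was edited."""
    if info["debug_timestamp"] is None:
        return False
    return abs(info["pe_timestamp"] - info["debug_timestamp"]) > tolerance


def fmt(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%a %b %d %H:%M:%S %Y")


def build_sample_pe(pe_ts, dbg_ts, age, pdb_path):
    """Constructed test input: a minimal PE32 image with one section holding a single
    CodeView debug entry.  It is not the real vbc.exe and does not run."""
    sec_rva, sec_raw = 0x1000, 0x400
    cv = b"RSDS" + bytes(16) + struct.pack("<I", age) + pdb_path.encode() + b"\0"
    entry = struct.pack("<IIHHIIII", 0, dbg_ts, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW,
                        len(cv), sec_rva + 28, sec_raw + 28)
    body = entry + cv
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, pe_ts, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 6 * 8, sec_rva, 28)        # debug directory
    sec_hdr = struct.pack("<8sIIII16s", b".rdata", len(body), sec_rva, 0x200, sec_raw, bytes(16))
    image = bytearray(dos + b"PE\0\0" + coff + bytes(opt) + sec_hdr)
    return bytes(image + bytes(sec_raw - len(image)) + body)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_sample_pe(COMPILE_TS, DEBUG_TS, 19, PDB_PATH)
    i = parse_debug_info(data)
    print("PE header :", fmt(i["pe_timestamp"]))
    if i["debug_timestamp"] is not None:
        print("CodeView  :", fmt(i["debug_timestamp"]), "age", i["age"], i["pdb_path"])
    print("mismatch  :", timestamp_mismatch(i))
```

Run it with a file path to inspect a real binary, or with no arguments to see the constructed image reproduce the post's values and report the mismatch. Note that the absence of a mismatch proves nothing: a careful attacker stomps both timestamps, so treat agreement as "no evidence" rather than "clean".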
This sample applies a variety of anti-debugging measures, visible as imports like:
RaiseException, GetTickCount, IsDebuggerPresent, UnhandledExceptionFilter, etc.
The value from which the "moved" sample and its directory get their names (most likely derived from the infected host):
"37FAB5D71BC2B23EAF4E28C0"
Although it was already visible in the traffic captured from the infection earlier, it's also rather easy to find the same User-Agent string during debugging:
And given the UA, this points to the sample being LOKI.
Besides the above, here is the long list of software that is targeted; it probably corresponds to all possible variants of certain software types found on download.com =)
Browsers:
- Comodo IceDragon
- Maple Studio Chrome Plus
- Google Chrome
- Nichrome
- RockMelt
- Spark
- Chromium
- Titan Browser
- Torch
- YandexBrowser
- Epic Privacy Browser
- CocCoc Browser
- Vivaldi
- Chromodo
- Superbird
- Coowon
- Mustang Browser
- 360Browser
- Citrio
- Chrome SxS
- Orbitum
- Iridium
- Opera Next
- Sleipnir
- Firefox
- SeaMonkey
- Flock
- K-Meleon
- BlackHawk
- Cyberfox
- Pale Moon
- Lunascape
Mail clients:
- Thunderbird
- PostBox
- FossaMail
- Foxmail
- IncrediMail
- Outlook
FTP/SCP/SSH Clients:
- 32-Bit-FTP
- ALFTP
- BitKinex
- BlazeFtp
- ClassicFTP
- Cyberduck
- EasyFTP
- ExpanDrive
- Far
- FileZilla
- FlashFXP
- Fling
- FreshFTP
- FTPBox
- FTPGetter
- FTPInfo
- FTP Navigator
- FTP Now
- FTPShell
- DeluxeFTP
- GoFTP
- AbleFTP
- JaSFtp
- LinasFTP
- MyFTP
- NetDrive
- NETFile
- NexusFile
- NovaFTP
- Notepad++
- Odin Secure FTP Expert
- KiTTY
- PuTTY
- SecureFX
- SftpNetDrive
- sherrod FTP
- SmartFTP
- Staff-FTP
- Syncovery
- Total Commander
- UltraFXP
- WinFtp Client
- WS_FTP
- Xftp
That was about all I was able to get out of the sample during my "hour"; obviously LOKI does a lot more.
/Mikael