0xDEADBEEF, posted July 11, 2018:
sha256: ed3d2b851d8427973ef3bff301e4cc09d9422fb38a2bd4ab85b339d87ee177d6
ESET only detected it as generic PUA.
itman, posted July 11, 2018:
Is this bugger always bundled in another software installer, or can it be downloaded stand-alone?
itman, posted July 11, 2018 (edited July 12, 2018):
Also, this thing was floating around in the Chinese "wild" for over a year? Per VT:
Quote: History. Relevant dates related to the file being studied.
Creation Time: 2017-02-28 06:00:26
First Submission: 2018-06-23 02:31:28
Peter Randziak (ESET Moderator), posted July 12, 2018:
Hello guys, I do not have access to that sample personally. Do you happen to know what it does, i.e. what kind of rootkit-like behavior does it perform?
Regards, P.R.
itman, posted July 12, 2018 (edited July 12, 2018):
Microsoft IDs it as Trojan:Win32/Tiggre!rfn. This malware is indeed classified as a PUA per this article: https://www.pcrisk.com/removal-guides/12616-trojan-win32tiggrerfn-virus . Also, I see no reason why a PUA could not exhibit rootkit behavior, e.g. s5Mark. So we might be in a "chicken or the egg" scenario here. One thing that is common in this type of malware is that it is usually bundled in free crapware and needs to be installed to be functional.
0xDEADBEEF (author), posted July 12, 2018:
Quoting Peter Randziak: "Hello guys, I do not have access to that sample personally. Do you happen to know what it does, i.e. what kind of rootkit-like behavior does it perform? Regards, P.R."
Hi, I've sent you a message with the link to the sample, thanks.
0xDEADBEEF (author), posted July 12, 2018:
Quoting itman: "Is this bugger always bundled in another software installer, or can it be downloaded stand-alone?"
I am not sure; it seems to be legitimate software/PUA, but some apparently flag it as a rootkit?
Daedalus, posted July 12, 2018:
If you have the file, you can use the following website to see what it does: https://www.hybrid-analysis.com/
itman, posted July 12, 2018:
Quoting 0xDEADBEEF: "I am not sure; it seems to be legitimate software/PUA, but some apparently flag it as a rootkit."
In the recent incident I posted here: https://forum.eset.com/topic/15967-does-eset-detect-s5mark-as-uapua-or-malware/ , the attack involved an installer with s5Mark adware along with a malicious kernel-mode device driver that was validly signed with a stolen certificate. Hence the "rootkit" connotation in these incidents.
0xDEADBEEF (author), posted July 13, 2018:
Quoting Daedalus: "If you have the file, you can use the following website to see what it does: https://www.hybrid-analysis.com/"
Cool, I have the analysis reports here:
https://www.hybrid-analysis.com/sample/ed3d2b851d8427973ef3bff301e4cc09d9422fb38a2bd4ab85b339d87ee177d6/5b47ac647ca3e10e8b151f68
https://www.hybrid-analysis.com/sample/1b6c9775414e8206bada248c461f2ac62af17e68bafef8391c1716879ab3e83f/5b47b0c07ca3e145ff6dff53
Now ESET detects it as a dropper, btw.
itman, posted July 13, 2018 (edited July 13, 2018):
Quoting 0xDEADBEEF: "Cool, I have the analysis reports here: https://www.hybrid-analysis.com/sample/ed3d2b851d8427973ef3bff301e4cc09d9422fb38a2bd4ab85b339d87ee177d6/5b47ac647ca3e10e8b151f68 and https://www.hybrid-analysis.com/sample/1b6c9775414e8206bada248c461f2ac62af17e68bafef8391c1716879ab3e83f/5b47b0c07ca3e145ff6dff53"
I am posting below screenshots of MITRE's process activity indicators from the above analyses. Orange = suspicious and red = malicious. MITRE maintains a web site that is updated with various malware techniques. Hybrid-Analysis uses CrowdStrike's Falcon AI engine running in the Cuckoo sandbox, I believe. I also assume it factors existing VirusTotal AV detections in rendering its final process malicious status:
1.exe - Malicious
2.exe - Malicious
Clearly, 2.exe is the more malicious of the pair. Also, do note both malware samples' use of RDP if it's available.
-EDIT- 2.exe spawns 1.exe as a child process, indicating most of 2.exe's malicious behavior is attributable to this relationship.
Finally, note the following analysis extract. Perhaps this is where the "rootkit" connection came from. I see no driver creation activities from either malware sample.
Quote: Opens the Kernel Security Device Driver (KsecDD) of Windows
details:
"<Input Sample>" opened "\Device\KsecDD"
"MorphVOXPro4_Install-1.exe" opened "\Device\KsecDD"
"1.exe" opened "\Device\KsecDD"
"setup.exe" opened "\Device\KsecDD"
"mscorsvw.exe" opened "\Device\KsecDD"
"VSSVC.exe" opened "\Device\KsecDD"
source: API Call
0xDEADBEEF (author), posted July 13, 2018:
Quoting itman: "Hybrid-Analysis uses CrowdStrike's Falcon AI engine running in the Cuckoo sandbox, I believe."
They are using their own in-house kernel logging sandbox... The current version of Cuckoo is too easy for sandbox evasion.
Is MITRE ATT&CK a sandbox service? The visualization seems pretty nice, and more behaviors of these two samples get unrolled.
itman, posted July 13, 2018:
Quoting 0xDEADBEEF: "Is MITRE ATT&CK a sandbox service?"
No. I was referring to this web site: https://attack.mitre.org/wiki/Main_Page
0xDEADBEEF (author), posted July 13, 2018:
Quoting itman: "No. I was referring to this web site: https://attack.mitre.org/wiki/Main_Page"
Ah, ok.
itman, posted July 13, 2018 (edited July 13, 2018):
It is also questionable whether this attack would have succeeded on Win 10 1607+. It is going after lsass.exe to escalate itself to System level, which it would need in order to access the kernel-mode KsecDD driver. Lsass.exe, starting with Win10 1607, runs as Protected Process Light. This should have prevented the malware from gaining access to lsass.exe, unless the malware employed a PPL bypass, which do exist. One would need to do a thorough code examination for that. If so employed, this would indeed make this a very interesting malware sample.
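A defender-side check that follows from the point above, added here as an example and not code from anyone in the thread: it audits whether LSA protection (the RunAsPPL setting that makes lsass.exe run as PPL) is configured on a host, and whether Microsoft's LSA audit mode has logged anything that would have been blocked from loading into a protected lsass.exe. It assumes the registry locations and CodeIntegrity event IDs documented by Microsoft for LSA protection; run it in an elevated PowerShell session.

```powershell
# Added example, not code from the thread: audit LSA Protected Process Light (PPL) status.
function Test-LsaProtection {
    [CmdletBinding()]
    param()

    # Documented switch for LSA protection: RunAsPPL = 1 makes lsass.exe start as PPL.
    $lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $runAsPpl = (Get-ItemProperty -Path $lsaKey -Name 'RunAsPPL' -ErrorAction SilentlyContinue).RunAsPPL

    # Documented audit mode: AuditLevel = 8 under IFEO\LSASS.exe makes Windows log plug-ins and
    # drivers that would be refused by a protected lsass.exe as CodeIntegrity events 3065 / 3066.
    $ifeoKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'
    $auditLevel = (Get-ItemProperty -Path $ifeoKey -Name 'AuditLevel' -ErrorAction SilentlyContinue).AuditLevel
    $auditEvents = @(Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
            Id      = 3065, 3066
        } -ErrorAction SilentlyContinue)

    $protected = ($runAsPpl -eq 1)
    if ($protected) {
        $advice = 'RunAsPPL=1 is set; lsass.exe runs as PPL (takes effect after a reboot).'
    } else {
        $advice = "RunAsPPL is not 1 under $lsaKey; lsass.exe is not forced to run as PPL. " +
                  'Enable audit mode first, review events 3065/3066, then set RunAsPPL=1.'
    }
    $shownPpl   = if ($null -eq $runAsPpl)   { 'not set' } else { $runAsPpl }
    $shownAudit = if ($null -eq $auditLevel) { 'not set' } else { $auditLevel }

    [PSCustomObject]@{
        OsBuild            = [System.Environment]::OSVersion.Version.Build
        RunAsPPL           = $shownPpl
        LsaProtected       = $protected
        AuditLevel         = $shownAudit
        LsaAuditEventCount = $auditEvents.Count
        # Modules that tripped the audit, so they can be fixed or removed before enforcing PPL.
        LsaAuditMessages   = @($auditEvents | Select-Object -First 5 -ExpandProperty Message)
        Recommendation     = $advice
    }
}

Test-LsaProtection | Format-List
```

A non-zero LsaAuditEventCount means something on the host tried to load into lsass.exe that PPL would reject, which is worth reviewing before enforcement so that enabling protection does not break legitimate authentication packages.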