0xDEADBEEF

Rootkit?

sha256: ed3d2b851d8427973ef3bff301e4cc09d9422fb38a2bd4ab85b339d87ee177d6


ESET only detected it as generic PUA

Is this bugger always bundled in another software installer, or can it be downloaded stand-alone?

Also, this thing was floating around in the Chinese "wild" for over a year? Per VT:

Quote

History

Relevant dates related to the file being studied.
Creation Time 2017-02-28 06:00:26
First Submission 2018-06-23 02:31:28
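The two dates quoted above come from the VirusTotal file object. As an added example (not code from this thread), the PowerShell function below pulls the same fields for a hash through the VirusTotal v3 API, together with the ESET and Microsoft verdicts so the naming disagreement discussed later in the thread can be seen side by side. It assumes an API key in the `VT_API_KEY` environment variable (or passed as `-ApiKey`); the hash is the one posted at the top of the thread. One caveat worth keeping in mind when reading "floating around for over a year" off these numbers: `creation_date` is the PE header compile timestamp, which the author of the file controls, whereas `first_submission_date` is something VirusTotal observed itself.

```powershell
# Added example, not code from the thread: fetch the "History" fields and per-engine
# verdicts for a file hash from the VirusTotal v3 API.
# Assumptions: an API key in $env:VT_API_KEY (or -ApiKey); the hash is the one from the thread.
function Get-VtFileSummary {
    param(
        [Parameter(Mandatory)] [string] $Sha256,
        [string]   $ApiKey  = $env:VT_API_KEY,
        [string[]] $Engines = @('ESET-NOD32', 'Microsoft')   # engines to compare side by side
    )
    if (-not $ApiKey) { throw 'No API key: set VT_API_KEY or pass -ApiKey.' }

    $resp = Invoke-RestMethod -Method Get `
        -Uri "https://www.virustotal.com/api/v3/files/$Sha256" `
        -Headers @{ 'x-apikey' = $ApiKey }
    $attr = $resp.data.attributes

    # VT returns timestamps as Unix epoch seconds; absent fields come back as $null
    function ConvertFrom-Epoch([object] $Seconds) {
        if ($null -ne $Seconds) { [DateTimeOffset]::FromUnixTimeSeconds([long]$Seconds).UtcDateTime }
    }

    $created   = ConvertFrom-Epoch $attr.creation_date          # PE header timestamp: written by the compiler, trivially forgeable
    $firstSeen = ConvertFrom-Epoch $attr.first_submission_date  # first upload to VT: the only date VT observed itself
    $gapDays   = $null
    if ($created -and $firstSeen) { $gapDays = [int]($firstSeen - $created).TotalDays }

    $verdicts = foreach ($engine in $Engines) {
        $r = $attr.last_analysis_results.$engine   # property named after the engine, e.g. 'ESET-NOD32'
        $category = 'not in report'
        $result   = $null
        if ($r) { $category = $r.category; $result = $r.result }   # result = the engine's own detection name
        [pscustomobject]@{ Engine = $engine; Category = $category; Result = $result }
    }

    [pscustomobject]@{
        Sha256          = $Sha256
        CreationTime    = $created
        FirstSubmission = $firstSeen
        GapDays         = $gapDays
        Malicious       = $attr.last_analysis_stats.malicious
        Undetected      = $attr.last_analysis_stats.undetected
        Verdicts        = $verdicts
    }
}

$report = Get-VtFileSummary -Sha256 'ed3d2b851d8427973ef3bff301e4cc09d9422fb38a2bd4ab85b339d87ee177d6'
$report | Select-Object Sha256, CreationTime, FirstSubmission, GapDays, Malicious, Undetected | Format-List
$report.Verdicts | Format-Table -AutoSize
```

`GapDays` is the distance between the compile timestamp and the first upload; treat it as an upper bound on time in the wild, not a measurement, for the reason given above.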

Hello guys,

I do not have access to that sample personally. Do you happen to know what it does, i.e. what kind of rootkit-like behavior does it perform?

Regards, P.R.


Microsoft IDs it as Trojan:Win32/Tiggre!rfn. This malware is indeed classified as a PUA per this article: https://www.pcrisk.com/removal-guides/12616-trojan-win32tiggrerfn-virus

Also, I see no reason why a PUA could not exhibit rootkit behavior, e.g. s5Mark. So we might be in a "chicken or the egg" scenario here. One thing that is common in this type of malware is that it is usually bundled in free crapware and needs to be installed to be functional.

6 hours ago, Peter Randziak said:

Hello guys,

I do not have access to that sample personally. Do you happen to know what it does, i.e. what kind of rootkit-like behavior does it perform?

Regards, P.R.

Hi I've sent you a message with the link to the sample, thanks

18 hours ago, itman said:

Is this bugger always bundled in another software installer, or can it be downloaded stand-alone?

I am not sure; it seems to be legitimate software/PUA, but some apparently flag it as a rootkit 🙄

5 hours ago, 0xDEADBEEF said:

I am not sure; it seems to be legitimate software/PUA, but some apparently flag it as a rootkit

In the recent incident I posted here: https://forum.eset.com/topic/15967-does-eset-detect-s5mark-as-uapua-or-malware/ , the attack involved an installer with s5Mark adware along with a malicious kernel mode device driver that was validly signed with a stolen certificate. Hence the "rootkit" connotation in these incidents.

23 hours ago, Daedalus said:

If you have the file, you can use the following website to see what it does:

https://www.hybrid-analysis.com/

Cool, I have the analysis report attached here:

https://www.hybrid-analysis.com/sample/ed3d2b851d8427973ef3bff301e4cc09d9422fb38a2bd4ab85b339d87ee177d6/5b47ac647ca3e10e8b151f68

https://www.hybrid-analysis.com/sample/1b6c9775414e8206bada248c461f2ac62af17e68bafef8391c1716879ab3e83f/5b47b0c07ca3e145ff6dff53

Now ESET detects it as a dropper, btw.

5 hours ago, 0xDEADBEEF said:

I am posting below screenshots of MITRE's process activity indicators from the above analyses. Orange = suspicious and red = malicious. Mitre.org maintains a web site that is updated with various malware techniques. Hybrid-Analysis uses CrowdStrike's Falcon AI engine running in the Cuckoo sandbox, I believe. I also assume it factors existing VirusTotal AV detections in rendering its final process malicious status:

1.exe -Malicious

[screenshot: MITRE ATT&CK process activity indicators for 1.exe]

2.exe - Malicious

[screenshot: MITRE ATT&CK process activity indicators for 2.exe]

Clearly, 2.exe is the more malicious of the pair. Also, do note both malware samples' use of RDP if it's available. -EDIT- 2.exe spawns 1.exe as a child process, indicating most of 2.exe's malicious activity is attributable to this relationship.

Finally, note the following analysis extract. Perhaps this is where the "rootkit" connection came from. I see no driver creation activities from either malware sample. 

Quote

Opens the Kernel Security Device Driver (KsecDD) of Windows 

details
"<Input Sample>" opened "\Device\KsecDD"
"MorphVOXPro4_Install-1.exe" opened "\Device\KsecDD"
"1.exe" opened "\Device\KsecDD"
"setup.exe" opened "\Device\KsecDD"
"mscorsvw.exe" opened "\Device\KsecDD"
"VSSVC.exe" opened "\Device\KsecDD"
source
API Call

1 hour ago, itman said:

Hybrid-Analysis uses CrowdStrike's Falcon AI engine running in the Cuckoo sandbox, I believe

They are using their own in-house kernel logging sandbox... The current version of Cuckoo is too easy for sandbox evasion.

Is MITRE ATT&CK a sandbox service? The visualization seems pretty nice, and more behaviors of these two samples get unrolled.


It is also questionable if this attack would have succeeded on Win 10 1607+. It is going after lsass.exe to escalate itself to System level, which it would need to access the kernel-mode KsecDD driver. Lsass.exe, starting with Win10 1607, runs as Protected Process Light. This should have prevented the malware from gaining access to lsass.exe, unless the malware employed a PPL bypass, which do exist. One would need to do a thorough code examination for that. If so employed, this would indeed make this a very interesting malware sample.
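Whether lsass.exe is actually running as a protected process on a given machine is something you can check rather than infer from the build number. The script below is an added example and not code from this thread: it reads the RunAsPPL value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, which is what turns LSA protection on, looks for the Microsoft-Windows-Wininit event 12 ("LSASS.exe was started as a protected process with level: 4") or the audit-only event 13 in the System log, and then tries to open lsass with PROCESS_VM_READ, the access a credential-dumping tool needs and the one a PPL refuses to a non-protected caller. The namespace and type names used for the P/Invoke wrapper are arbitrary choices for this example. Run it from an elevated prompt.

```powershell
# Added example, not code from the thread: check whether LSA protection (lsass.exe as
# Protected Process Light) is in effect on the local host. Run from an elevated prompt.
function Test-LsaProtection {
    # 1. Configuration: RunAsPPL under the Lsa key. $null or 0 = not configured,
    #    1 = enabled (UEFI-locked once the firmware variable is written),
    #    2 = enabled without the UEFI lock, on builds that accept that value.
    $lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $runAsPpl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL

    # 2. Evidence from the last boot: Wininit event 12 = lsass started protected (level 4);
    #    event 13 = audit mode only, nothing is actually blocked.
    $evt = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Wininit'
        Id           = 12, 13
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    # 3. Live probe: open lsass with PROCESS_VM_READ (0x0010). Against a PPL this fails with
    #    ERROR_ACCESS_DENIED (5) even for an administrator; only limited query rights are granted.
    #    'LsaProbe.Kernel32' is an arbitrary name for the P/Invoke wrapper used by this example.
    if (-not ('LsaProbe.Kernel32' -as [type])) {
        Add-Type -Namespace 'LsaProbe' -Name 'Kernel32' -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@
    }
    $k32      = [LsaProbe.Kernel32]
    $lsassPid = (Get-Process -Name lsass).Id
    $handle   = $k32::OpenProcess(0x0010, $false, $lsassPid)
    $err      = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($handle -ne [IntPtr]::Zero) { [void]$k32::CloseHandle($handle) }

    $eventText = 'no Wininit event 12/13 found'
    if ($evt) { $eventText = "$($evt.Id): $($evt.Message.Trim())" }
    $probeText = "failed, Win32 error $err"
    if ($handle -ne [IntPtr]::Zero) { $probeText = 'succeeded' }

    [pscustomobject]@{
        RunAsPPL         = $runAsPpl
        LastWininitEvent = $eventText
        OpenLsassVmRead  = $probeText
        # Only the configuration plus the boot-time event prove protection; the probe can also
        # fail simply because the caller lacks rights on lsass, so it is reported, not trusted alone.
        Protected        = ($runAsPpl -in 1, 2) -and ($evt -and $evt.Id -eq 12)
    }
}

Test-LsaProtection | Format-List
```

`OpenLsassVmRead` reading "succeeded" from an elevated shell means any process with the same token could read lsass memory regardless of what the registry says; "failed, Win32 error 5" alongside event 12 is the state the post above is describing.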

