bartblaze

Vulnerability issue - Poodle - PLEASE READ.xls

Nov 7th, 2014
====================================================================================================
Reference:
https://twitter.com/alex_lanstein/status/530430510968102912

Vulnerability issue - Poodle - PLEASE READ.xls (the lure document, MD5):
a3342b92ec4b56d2759df54aec5661f7

Extracted malicious VBA macro (MD5):
f323d9a64ebecaca1604741b9a475591

Downloads (MD5 of the dropped executable, acrord32.exe, detailed under Meta-data below):
78ff589aa5e8e174ce66db4bf8c19d84

Has an invalid certificate (note that the validity window below had not yet expired on the date of this analysis; the subject fields are obviously bogus):
LesTrast Import Softwares Ltd.1
Validity
Not Before: Nov 5 00:45:57 2014 GMT
Not After : Nov 4 00:45:57 2016 GMT
Subject: C=GA, ST=Estate Real, L=Concan, O=LesTrast Import Softwares Ltd., OU=Lestrust

Connects to (all three are dynamic-DNS hostnames):
http://sapard.ddns.net/
http://leopard.gotdns.ch/
http://prefetch.duia.pw/

Meta-data
================================================================================
File: acrord32.exe
Size: 200000 bytes
Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 78ff589aa5e8e174ce66db4bf8c19d84
SHA1: 4b4b15558b7fbb7302a8c217a5ee1e1691fcd37a
ssdeep: 3072:UQzvt+Y5JoK7GmCMY7pdkNxiurjHdKheR2wgSeupRhVsTwtzd68tvoRYuBRqRV8p:UQzvt+TdwTdSeFxRZtB6uuH/HMj2j
Date: 0x545424AB [Sat Nov 1 00:09:15 2014 UTC] (PE compile timestamp; the certificate's Not Before date is four days later, which is consistent with it)
EP: 0x40414b in .text (section 0 of 5)
CRC: Claimed: 0x3642d, Actual: 0x3642d (PE checksum matches, so no sign of the file being patched after the checksum was written)
Packers: Armadillo v1.71 (PEiD signature; this particular signature also fires on ordinary unpacked MSVC builds, so treat it as unconfirmed)

Tries to hide as (version-info resource):
OriginalFilename: bsplay.exe
ProductName: BSPlayer Pro v2.66

Malware payload:
infostealer

Interesting strings (grouped by what they reveal):

Command shell:
ComSpec
WINDIR
%s\system32\cmd.exe

Mozilla products (Firefox, Thunderbird, SeaMonkey): locates the install through the registry, loads the victim's own NSS/SQLite libraries and decrypts the saved logins in signons.sqlite with PK11SDR_Decrypt:
mozcrt19.dll
sqlite3.dll
nspr4.dll
plc4.dll
plds4.dll
nssutil3.dll
softokn3.dll
nss3.dll
Path=
SOFTWARE\Mozilla\%s\
CurrentVersion
SOFTWARE\Mozilla\%s\%s\Main
Install Directory
mozutils.dll
mozglue.dll
mozsqlite3.dll
%s\nss3.dll
Mozilla Firefox
APPDATA
%s\Mozilla\Firefox\profiles.ini
%s\Mozilla\Firefox\%s
Mozilla Thunderbird
%s\Thunderbird\profiles.ini
%s\Thunderbird\%s
SeaMonkey
%s\Mozilla\SeaMonkey\profiles.ini
%s\Mozilla\SeaMonkey\%s
%s\signons.sqlite
NSS_Init
PK11_GetInternalKeySlot
PK11_Authenticate
NSSBase64_DecodeBuffer
PK11SDR_Decrypt
PK11_FreeSlot
NSS_Shutdown
sqlite3_open
sqlite3_close
sqlite3_prepare_v2
sqlite3_step
sqlite3_column_text
select * from moz_logins

Opera saved passwords (wand.dat):
%s\Opera\Opera\wand.dat
%s\Opera\Opera\profile\wand.dat

Pidgin accounts (accounts.xml stores passwords in clear text):
%s\.purple\accounts.xml
<protocol>
<name>
<password>

Windows Credential Manager, including Windows Live credentials:
advapi32.dll
CredEnumerateA
CredFree
WindowsLive:name=*

Outlook account settings from the default MAPI profile (9375CFF0413111d3B88A00104B2A6676 is the well-known subkey holding account details):
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Email
POP3 User
POP3 Server
POP3 Password
IMAP User
IMAP Server
IMAP Password
HTTP User
HTTP Server
HTTP Password
SMTP User
SMTP Server
SMTP Password
%c%c%S

Internet Explorer autocomplete/password store (IntelliForms Storage2), plus the browsing history needed to recover the URLs that key the stored entries:
abe2869f-9b47-4cd9-a358-c22904dba7f7
Software\Microsoft\Internet Explorer\IntelliForms\Storage2
index.dat
History
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Chrome/Chromium saved logins:
%s\Google\Chrome\User Data\Default\Login Data
%s\Chromium\User Data\Default\Login Data

Host fingerprinting (architecture via GetNativeSystemInfo, workstation/domain controller/server via ProductType, memory size via GlobalMemoryStatusEx):
localhost
USERNAME
Unknown
kernel32.dll
GetNativeSystemInfo
SYSTEM\CurrentControlSet\Control\ProductOptions
ProductType
WINNT
LANMANNT
SERVERNT
GlobalMemoryStatusEx
WINDIR
PATH

Persistence (Run key and an Active Setup Installed Components entry; %Rand% suggests a randomised component name):
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
SOFTWARE\Microsoft\Active Setup\Installed Components
%s.Identifier
%Rand%
SOFTWARE\Microsoft\Active Setup\Installed Components\%s


EOF
====================================================================================================
@bartblaze
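The string list alone is enough to triage what the sample goes after without running it. The script below, added as an example and not part of the paste, does that mechanically: it pulls printable ASCII and UTF-16LE strings out of a blob the way `strings` would, maps them onto the credential-store, fingerprinting and persistence markers seen above, and only calls the result an infostealer when several distinct credential stores are targeted. The grouping and labels are this example's own, not the analyst's; `build_sample_blob()` is a constructed input assembled from the strings above, not the real acrord32.exe.

```python
import re

# Capability markers, grouped by what the code is reaching for. The substrings
# come from the string dump above; the grouping and labels are this example's
# own assumptions, not the analyst's or the malware's.
CAPABILITIES = {
    "mozilla-nss-logins": ("signons.sqlite", "select * from moz_logins",
                           "PK11SDR_Decrypt", "profiles.ini"),
    "opera-wand": ("wand.dat",),
    "pidgin-accounts": (".purple\\accounts.xml", "<password>"),
    "windows-credential-manager": ("CredEnumerateA", "WindowsLive:name=*"),
    "outlook-profile": ("9375CFF0413111d3B88A00104B2A6676",
                        "POP3 Password", "SMTP Password"),
    "ie-intelliforms": ("IntelliForms\\Storage2",
                        "abe2869f-9b47-4cd9-a358-c22904dba7f7"),
    "chrome-login-data": ("User Data\\Default\\Login Data",),
    "host-fingerprint": ("GetNativeSystemInfo", "ProductOptions",
                         "GlobalMemoryStatusEx"),
    "persistence": ("CurrentVersion\\Run",
                    "Active Setup\\Installed Components"),
}
# The groups that are credential stores (as opposed to recon or persistence).
CREDENTIAL_STORES = frozenset([
    "mozilla-nss-logins", "opera-wand", "pidgin-accounts",
    "windows-credential-manager", "outlook-profile", "ie-intelliforms",
    "chrome-login-data",
])


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """A minimal `strings`: printable ASCII runs plus UTF-16LE runs, since
    Windows binaries keep many paths and registry keys as wide strings."""
    narrow = re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    wide = re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob)
    return ([m.group().decode("ascii") for m in narrow]
            + [m.group().decode("utf-16le") for m in wide])


def match_capabilities(strings) -> dict:
    """Map capability label -> the markers actually present in the strings."""
    hits = {}
    for label, markers in CAPABILITIES.items():
        found = [m for m in markers if any(m in s for s in strings)]
        if found:
            hits[label] = found
    return hits


def classify(blob: bytes, min_stores: int = 3) -> dict:
    """Call it an infostealer only when several distinct credential stores are
    targeted; a single hit (a support tool reading profiles.ini, say) is not
    enough on its own."""
    hits = match_capabilities(extract_strings(blob))
    stores = sorted(k for k in hits if k in CREDENTIAL_STORES)
    verdict = "infostealer" if len(stores) >= min_stores else "undetermined"
    return {"verdict": verdict, "credential_stores": stores, "hits": hits}


def build_sample_blob() -> bytes:
    """Constructed test input (not the real sample): strings from the dump
    above separated by NULs and junk bytes, with the Chrome path stored as
    UTF-16LE to exercise the wide-string path."""
    narrow = [
        "%s\\system32\\cmd.exe", "nss3.dll", "%s\\Mozilla\\Firefox\\profiles.ini",
        "%s\\signons.sqlite", "PK11SDR_Decrypt", "select * from moz_logins",
        "%s\\Opera\\Opera\\wand.dat", "%s\\.purple\\accounts.xml", "<password>",
        "CredEnumerateA", "WindowsLive:name=*",
        "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem"
        "\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676",
        "SMTP Password", "abe2869f-9b47-4cd9-a358-c22904dba7f7",
        "Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2",
        "GetNativeSystemInfo", "SYSTEM\\CurrentControlSet\\Control\\ProductOptions",
        "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\",
        "SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\%s",
    ]
    junk = b"\x00\x8b\xec\x83\xc4\x00"        # non-printable filler between strings
    blob = b"MZ\x90\x00" + junk.join(s.encode("ascii") for s in narrow) + junk
    blob += "%s\\Google\\Chrome\\User Data\\Default\\Login Data".encode("utf-16le") + junk
    return blob


if __name__ == "__main__":
    result = classify(build_sample_blob())
    print(result["verdict"], result["credential_stores"])
    for label, markers in result["hits"].items():
        print("  %-28s <- %s" % (label, ", ".join(markers)))
```

Feed it a file with `classify(open(path, "rb").read())`. The threshold matters: browser password managers and legitimate migration tools touch one store and will light up a single group, so treat a lone hit as a lead, not a verdict, and raise `min_stores` if the rule is deployed at scale.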