Blogpost: http://bartblaze.blogspot.com/2013/11/malware-spreading-via-skype.html

The malware spreads via Skype: it simply sends the file to all your contacts, nothing more, nothing less (no message inviting you to check out "photos", no call, ...).

### Analysis ###

Known MD5s:
293cc1f379c4fc81a7584c40f7c82410
66def80d6f87f6f79156557172f9f295

Callback to IPs:
88.150.177.162

Callback to domains:
Random & partial DGA(1) - Pattern:
http://%random%.aingo.cc

Persistence:
Creates key in:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Injects into:
explorer.exe

Sets proxy:
Yes

Type of malware: Caphaw - Banking malware

Technical details ~~

Meta-data
================================================================================
File:    /home/remnux/samples/invoice_171658.pdf.exe_
Size:    360448 bytes
Type:    PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5:     293cc1f379c4fc81a7584c40f7c82410
SHA1:    7bb5b71513e01c2095d37f42c64982a3edb523b5
ssdeep:  3072:fkrImDVQFgEHQPqviUBSnk92oKMcs3JVJXnGcYHmZ52ZgMed1pJ8t/Jpm3dDlnx/:MkpCEwCvi2b92NMxBnUmyZ9o1z8tL
Date:    0x52739069 [Fri Nov 1 11:28:41 2013 UTC]
EP:      0x401270 .text 0/4
CRC:     Claimed: 0x5eb47, Actual: 0x5eb47

Resource entries
================================================================================
Name             RVA      Size    Lang          Sublang          Type
--------------------------------------------------------------------------------
RT_CURSOR        0x532b0  0x134   LANG_RUSSIAN  SUBLANG_RUSSIAN  data
RT_BITMAP        0x536c0  0x1eec  LANG_RUSSIAN  SUBLANG_RUSSIAN  data
RT_BITMAP        0x555b0  0x4e8   LANG_RUSSIAN  SUBLANG_RUSSIAN  data
RT_ICON          0x55a98  0x128   LANG_RUSSIAN  SUBLANG_RUSSIAN  GLS_BINARY_LSB_FIRST
RT_ICON          0x55bc0  0xea8   LANG_RUSSIAN  SUBLANG_RUSSIAN  data
RT_ICON          0x56a68  0x568   LANG_RUSSIAN  SUBLANG_RUSSIAN  GLS_BINARY_LSB_FIRST
RT_ICON          0x56fd0  0x10a8  LANG_RUSSIAN  SUBLANG_RUSSIAN  data
RT_ICON          0x58078  0x468   LANG_RUSSIAN  SUBLANG_RUSSIAN  GLS_BINARY_LSB_FIRST
RT_GROUP_CURSOR  0x533e8  0x14    LANG_RUSSIAN  SUBLANG_RUSSIAN  Lotus 1-2-3
RT_GROUP_ICON    0x584e0  0x4c    LANG_RUSSIAN  SUBLANG_RUSSIAN  MS Windows icon resource - 5 icons, 16x16, 16-colors
RT_VERSION       0x53400  0x2c0   LANG_RUSSIAN  SUBLANG_RUSSIAN  data

Sections
================================================================================
Name    VirtAddr  VirtSize  RawSize  Entropy
--------------------------------------------------------------------------------
.text   0x1000    0xee6     0x1000   5.764246
.rdata  0x2000    0x49ce2   0x4a000  5.440947
.data   0x4c000   0x619c    0x6000   0.012147 [SUSPICIOUS]
.rsrc   0x53000   0x5530    0x6000   3.693765

Version info
================================================================================
LegalCopyright:   gex Copright ls soft
InternalName:     jex MUWEfess dlle
FileVersion:      13, 13, 201, 1241
ProductName:      jox Weaex Apps
ProductVersion:   13, 13, 21, 153
FileDescription:  jex dllx
OriginalFilename: lexlse.exe
Translation:      0x0419 0x04b0

~~
### Prevention ###

* Check your Skype settings. Only allow contacts to send you messages/files & contact you
* Don't download and run unknown files, especially PE(2) files

### Disinfection ###

* Run a full scan with your installed antivirus product
* Look for suspicious Run keys and delete the associated file(s)
* Run a full scan with another antivirus and/or antimalware product
* Change your Skype password
* Change your proxy back to the original one(3) (usually none)
* Change ALL your other passwords
* Call your bank to ensure there was no unauthorized withdrawal or transaction
* When in doubt, seek advice on a professional malware removal forum(4)
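As an added example (not the author's code), a PowerShell triage script that covers the Run-key and proxy steps above by listing every value under the user's Run key and reading the per-user WinINet proxy values; it assumes the default HKCU locations, and its "Suspect" heuristic is an assumption of the script, not an indicator from the analysis.

```powershell
# Added example, not from the original paste: inventory the HKCU Run key
# (the persistence location named in the analysis) and the per-user proxy
# setting the sample changes, so a responder can review and undo both.
# "Suspect" is a heuristic assumed here; review every entry before deleting.

$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-RunEntries {
    # One object per Run value: name, resolved executable, signature status.
    $key = Get-Item -Path $runKey -ErrorAction SilentlyContinue
    if (-not $key) { return }
    foreach ($name in $key.GetValueNames()) {
        $cmd = [string]$key.GetValue($name)
        # Executable part: a quoted path, else the first whitespace token
        # (unquoted paths containing spaces are not handled here).
        if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($cmd -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $exists = Test-Path -LiteralPath $exe -PathType Leaf
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'Missing' }
        [pscustomobject]@{
            Name    = $name
            Path    = $exe
            Signed  = $sig
            Suspect = ($sig -ne 'Valid') -and ($exe -match '(?i)\\(AppData|Temp|Downloads)\\')
            Command = $cmd
        }
    }
}

function Get-UserProxy {
    # ProxyEnable/ProxyServer/AutoConfigURL back the "Internet Options" proxy
    # dialog for the current user; the malware's proxy change shows up here.
    $p = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProxyEnable   = [int]$p.ProxyEnable
        ProxyServer   = [string]$p.ProxyServer
        AutoConfigURL = [string]$p.AutoConfigURL
    }
}

Get-RunEntries | Format-Table -AutoSize
$proxy = Get-UserProxy
if ($proxy.ProxyEnable -eq 1 -or $proxy.AutoConfigURL) {
    Write-Warning "Per-user proxy is set: '$($proxy.ProxyServer)' PAC='$($proxy.AutoConfigURL)'"
    # After confirming you did not set it yourself, restore "no proxy" with:
    #   Set-ItemProperty -Path $inetKey -Name ProxyEnable -Value 0
    #   Remove-ItemProperty -Path $inetKey -Name ProxyServer, AutoConfigURL -ErrorAction SilentlyContinue
}
```

Run it in the affected user's session (not an elevated one, which would read a different HKCU hive) and compare the listed paths against the sample's known MD5s before deleting anything.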
### Conclusion ###

* Follow the above prevention tips
* Use common sense & do not click on or run anything you encounter
* When in doubt, check the file on VirusTotal, for example

# Links #

(1) http://en.wikipedia.org/wiki/Domain_generation_algorithm
(2) http://en.wikipedia.org/wiki/Portable_Executable
(3) http://www.wikihow.com/Change-Proxy-Settings
(4) http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs

@bartblaze