bartblaze

Malware spreading via Skype

Nov 1st, 2013
Blogpost: http://bartblaze.blogspot.com/2013/11/malware-spreading-via-skype.html

The malware spreads via Skype: once running, it simply sends its own file to all of your contacts, nothing more, nothing less (no message inviting you to check out "photos", no call, ...).


### Analysis ###

Known MD5s:
293cc1f379c4fc81a7584c40f7c82410
66def80d6f87f6f79156557172f9f295

Callback to IPs:
88.150.177.162

Callback to domains:
Random & partial DGA(1); pattern:
http://%random%.aingo.cc
(the subdomain label is generated, the parent domain aingo.cc is fixed)

Persistence:
Creates key in:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Injects into:
explorer.exe
Sets proxy:
Yes


Type of malware: Caphaw (also known as Shylock), banking malware

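The indicators above (the two MD5s, the SHA1 from the technical details, the callback IP and the aingo.cc DGA zone) turned into a small triage script, as an added example that is not part of the original post. It hashes files against the known sample digests and runs a constructed proxy log (not from the page; the timestamps, clients and benign destinations are made up, using documentation IP ranges) through the domain and IP checks. One assumption is labelled in the code: the generated %random% label is treated as an ordinary DNS label, so any host under aingo.cc counts as a hit.

```python
import hashlib
import ipaddress
import re
from typing import Dict, Iterable, List
from urllib.parse import urlparse

# Indicators copied from the analysis above.
KNOWN_MD5 = {
    "293cc1f379c4fc81a7584c40f7c82410",
    "66def80d6f87f6f79156557172f9f295",
}
KNOWN_SHA1 = {"7bb5b71513e01c2095d37f42c64982a3edb523b5"}
CALLBACK_IPS = {ipaddress.ip_address("88.150.177.162")}

# http://%random%.aingo.cc : the label is generated, the parent domain is fixed,
# so the whole aingo.cc zone is treated as an indicator. Assumption (not stated
# on the page): the generated label is a normal DNS label (letters, digits, '-').
DGA_HOST = re.compile(r"^(?:[a-z0-9-]+\.)+aingo\.cc$", re.IGNORECASE)


def hash_bytes(data: bytes) -> Dict[str, str]:
    """MD5 and SHA1 of an in-memory blob, lower-case hex."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def hash_file(path: str) -> Dict[str, str]:
    """Same as hash_bytes() but streamed, so large files are not read into memory at once."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def matches_known_sample(hashes: Dict[str, str]) -> bool:
    """True if either digest matches one of the published sample hashes."""
    return (hashes.get("md5", "").lower() in KNOWN_MD5
            or hashes.get("sha1", "").lower() in KNOWN_SHA1)


def host_is_dga_callback(host: str) -> bool:
    """True for any host under aingo.cc (e.g. q8v3kd1z.aingo.cc), trailing dot tolerated."""
    return bool(DGA_HOST.match(host.strip().rstrip(".")))


def is_callback_ip(text: str) -> bool:
    try:
        return ipaddress.ip_address(text) in CALLBACK_IPS
    except ValueError:          # not an IP literal (a hostname, or garbage)
        return False


# Constructed proxy log (not from the page): "<timestamp> <client> <url> <destination ip>".
# 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges used as benign filler.
SAMPLE_PROXY_LOG = """\
2013-11-01T12:01:07Z 10.0.0.15 http://q8v3kd1z.aingo.cc/ping 88.150.177.162
2013-11-01T12:01:09Z 10.0.0.15 http://www.example.com/index.html 192.0.2.10
2013-11-01T12:02:40Z 10.0.0.22 http://88.150.177.162/gate 88.150.177.162
2013-11-01T12:03:11Z 10.0.0.15 https://login.example.net/ 203.0.113.7
""".splitlines()

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<url>\S+)\s+(?P<dst>\S+)$")


def scan_proxy_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one record per log line that touches the DGA zone or the callback IP."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        host = urlparse(m["url"]).hostname or ""
        reasons = []
        if host_is_dga_callback(host):
            reasons.append("dga-domain")
        if is_callback_ip(host) or is_callback_ip(m["dst"]):
            reasons.append("callback-ip")
        if reasons:
            hits.append({"ts": m["ts"], "client": m["client"], "host": host,
                         "dst": m["dst"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```

Run against a real proxy log, each hit names the internal client that needs the disinfection steps below; matching on the destination IP as well as the URL host catches the case where the malware talks to 88.150.177.162 directly without a DGA name.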

Technical details ~~

pescanner output (REMnux):

Meta-data
================================================================================
File:   /home/remnux/samples/invoice_171658.pdf.exe_
Size:   360448 bytes
Type:   PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5:    293cc1f379c4fc81a7584c40f7c82410
SHA1:   7bb5b71513e01c2095d37f42c64982a3edb523b5
ssdeep: 3072:fkrImDVQFgEHQPqviUBSnk92oKMcs3JVJXnGcYHmZ52ZgMed1pJ8t/Jpm3dDlnx/:MkpCEwCvi2b92NMxBnUmyZ9o1z8tL
Date:   0x52739069 [Fri Nov 1 11:28:41 2013 UTC] (compile timestamp; the same day as this post)
EP:     0x401270 .text 0/4 (entry point in the first of the four sections)
CRC:    Claimed: 0x5eb47, Actual: 0x5eb47

Resource entries
================================================================================
Name             RVA      Size    Lang          Sublang          Type
--------------------------------------------------------------------------------
RT_CURSOR        0x532b0  0x134   LANG_RUSSIAN  SUBLANG_RUSSIAN  data
RT_BITMAP        0x536c0  0x1eec  LANG_RUSSIAN  SUBLANG_RUSSIAN  data
RT_BITMAP        0x555b0  0x4e8   LANG_RUSSIAN  SUBLANG_RUSSIAN  data
RT_ICON          0x55a98  0x128   LANG_RUSSIAN  SUBLANG_RUSSIAN  GLS_BINARY_LSB_FIRST
RT_ICON          0x55bc0  0xea8   LANG_RUSSIAN  SUBLANG_RUSSIAN  data
RT_ICON          0x56a68  0x568   LANG_RUSSIAN  SUBLANG_RUSSIAN  GLS_BINARY_LSB_FIRST
RT_ICON          0x56fd0  0x10a8  LANG_RUSSIAN  SUBLANG_RUSSIAN  data
RT_ICON          0x58078  0x468   LANG_RUSSIAN  SUBLANG_RUSSIAN  GLS_BINARY_LSB_FIRST
RT_GROUP_CURSOR  0x533e8  0x14    LANG_RUSSIAN  SUBLANG_RUSSIAN  Lotus 1-2-3
RT_GROUP_ICON    0x584e0  0x4c    LANG_RUSSIAN  SUBLANG_RUSSIAN  MS Windows icon resource - 5 icons, 16x16, 16-colors
RT_VERSION       0x53400  0x2c0   LANG_RUSSIAN  SUBLANG_RUSSIAN  data

All resources are tagged LANG_RUSSIAN. The Type column is libmagic's guess at the raw resource bytes, so "Lotus 1-2-3" and "GLS_BINARY_LSB_FIRST" are misidentified cursor and icon data, not real file formats.

Sections
================================================================================
Name    VirtAddr  VirtSize  RawSize  Entropy
--------------------------------------------------------------------------------
.text   0x1000    0xee6     0x1000   5.764246
.rdata  0x2000    0x49ce2   0x4a000  5.440947
.data   0x4c000   0x619c    0x6000   0.012147 [SUSPICIOUS]
.rsrc   0x53000   0x5530    0x6000   3.693765

The .data section is flagged because its entropy is close to 0: nearly all of its 0x6000 raw bytes are the same value (zero), i.e. the section is almost entirely empty. Note also that .rdata (0x4a000 bytes) holds most of the 0x58000-byte file.

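The Sections table above is the output of a per-section entropy scan. As an added example, not code from the page or from pescanner, the script below walks a PE's section table, computes the Shannon entropy of each section's raw bytes and flags the extremes the way the table does. The 1.0 / 7.0 thresholds are an assumption modelled on pescanner's [SUSPICIOUS] marks; the sample sections and the minimal PE they are wrapped in are constructed so the script runs without the real sample (pass a file path to scan a real executable instead). It generalises the page's one case: a near-empty .data like the one above, a code-like section in the middle range, and a uniform-byte section at 8.0, which is what a packed or encrypted section looks like.

```python
import math
import struct
import sys
from collections import Counter
from typing import List, Tuple

# pescanner flags a section when its entropy is below 1.0 or above 7.0 bits per
# byte; the exact thresholds are an assumption here, tune them as you see fit.
LOW_ENTROPY, HIGH_ENTROPY = 1.0, 7.0

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(entropy: float) -> str:
    if entropy < LOW_ENTROPY:
        return "[SUSPICIOUS] near-constant bytes (mostly zero / uninitialised data)"
    if entropy > HIGH_ENTROPY:
        return "[SUSPICIOUS] packed, compressed or encrypted content"
    return ""


def pe_sections(blob: bytes) -> List[Tuple[str, int, int, bytes]]:
    """Walk the PE section table and return (name, VirtAddr, VirtSize, raw bytes) per section."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (num_sections,) = struct.unpack_from("<H", blob, e_lfanew + 6)
    (opt_hdr_size,) = struct.unpack_from("<H", blob, e_lfanew + 20)
    table = e_lfanew + 24 + opt_hdr_size          # 4 (signature) + 20 (COFF header)
    out = []
    for i in range(num_sections):
        name, vsize, vaddr, rsize, rptr = SECTION_HDR.unpack_from(blob, table + i * SECTION_HDR.size)[:5]
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, blob[rptr:rptr + rsize]))
    return out


def section_report(blob: bytes) -> List[Tuple[str, int, int, int, float, str]]:
    """Rows shaped like the table above: Name, VirtAddr, VirtSize, RawSize, Entropy, flag."""
    rows = []
    for name, vaddr, vsize, raw in pe_sections(blob):
        ent = shannon_entropy(raw)
        rows.append((name, vaddr, vsize, len(raw), round(ent, 6), classify(ent)))
    return rows


def build_minimal_pe(sections: List[Tuple[str, bytes]]) -> bytes:
    """Constructed fixture: an MZ/PE skeleton carrying only the fields pe_sections() reads."""
    e_lfanew, opt_size = 0x40, 224                 # 224 = PE32 optional header size
    headers_end = e_lfanew + 24 + opt_size + SECTION_HDR.size * len(sections)
    raw_ptr = (headers_end + 0x1FF) & ~0x1FF       # first section on a 512-byte boundary
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    table, body, ptr, vaddr = b"", b"", raw_ptr, 0x1000
    for name, raw in sections:
        table += SECTION_HDR.pack(name.encode().ljust(8, b"\0"), len(raw), vaddr, len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        padded = raw.ljust((len(raw) + 0x1FF) & ~0x1FF, b"\0")
        body, ptr, vaddr = body + padded, ptr + len(padded), vaddr + ((len(raw) + 0xFFF) & ~0xFFF)
    return (dos + coff + b"\0" * opt_size + table).ljust(raw_ptr, b"\0") + body


def sample_sections() -> List[Tuple[str, bytes]]:
    """Constructed stand-ins for the kinds of section the table above contrasts."""
    code = ("push ebp; mov ebp, esp; " * 200).encode()   # code-like text, mid entropy
    data = bytearray(0x6000)                               # 0x6000 bytes, almost all zero
    for i in range(16):
        data[i * 0x600] = i + 1                            # a handful of initialised globals
    packed = bytes(range(256)) * 24                        # uniform bytes: entropy exactly 8.0
    return [(".text", code), (".data", bytes(data)), (".packed", packed)]


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe(sample_sections())
    print("%-8s %-9s %-9s %-9s %-9s" % ("Name", "VirtAddr", "VirtSize", "RawSize", "Entropy"))
    for name, vaddr, vsize, rsize, ent, flag in section_report(blob):
        print("%-8s 0x%-7x 0x%-7x 0x%-7x %-9.6f %s" % (name, vaddr, vsize, rsize, ent, flag))
```

The constructed .data (16 non-zero bytes in 0x6000) lands around 0.01, the same order as the 0.012147 in the table; a section at or above 7.0 is the opposite signal and usually means the real code is unpacked at run time, which is why both ends of the scale are flagged.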
Version info
================================================================================
LegalCopyright:   gex Copright ls soft
InternalName:     jex MUWEfess dlle
FileVersion:      13, 13, 201, 1241
ProductName:      jox Weaex Apps
ProductVersion:   13, 13, 21, 153
FileDescription:  jex dllx
OriginalFilename: lexlse.exe
Translation:      0x0419 0x04b0 (language 0x0419 = Russian, code page 0x04b0 = Unicode)

The version strings are random-looking filler rather than a real product name; together with the Russian resource language on a file posing as an English "invoice" PDF, that alone is a warning sign.

~~


### Prevention ###

* Check your Skype privacy settings: only allow people on your contact list to send you messages and files or to contact you
* Don't download and run unknown files, especially PE(2) files (the sample here was named invoice_171658.pdf.exe, a double extension meant to pass as a PDF)


### Disinfection ###

* Run a full scan with your installed antivirus product
* Look for suspicious Run keys (this sample uses HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run) and delete the associated file(s)
* Run a full scan with another antivirus and/or antimalware product
* Change your Skype password
* Reset your proxy settings to the original ones(3) (usually none), since the malware changes them
* Change ALL your other passwords
* Call your bank to ensure there was no unauthorized withdrawal or transaction

* When in doubt, seek advice on a professional malware removal forum(4)

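The "look for suspicious Run keys" step above, worked through as an added example that is not part of the original post: the script parses an export of the Run key named under Persistence (the format `reg export` writes) and flags each entry whose executable lives where a user-level process such as this malware can write. The registry export, the value names and the paths are constructed for illustration; the trusted and user-writable directory lists are assumptions for a default install on C:; a REVIEW verdict means "verify this file" (some legitimate updaters also run from AppData), not "this is malware".

```python
import re
from typing import Dict, List, Tuple

# Constructed example of what
#   reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg
# produces (reg.exe writes UTF-16LE with a BOM; open such a file with
# encoding="utf-16"). The value names and paths below are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Skype"="\"C:\\Program Files (x86)\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\Wdnlkd\\updater.exe"
"ctfmon"="%TEMP%\\ctfmon.exe /s"
'''

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Where a Run entry normally points on a default install (assumption: OS on C:).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Directories any user-level process (i.e. the malware) can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\", "\\programdata\\",
                 "%appdata%", "%localappdata%", "%temp%")


def unescape(s: str) -> str:
    """Undo .reg string escaping (backslash-backslash and backslash-quote)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each exported key to its (value name, string data) pairs; non-string data is skipped."""
    keys: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        k = KEY_LINE.match(line)
        if k:
            current = k.group(1)
            keys.setdefault(current, [])
            continue
        v = VALUE_LINE.match(line)
        if v and current is not None and v.group(2).startswith('"') and v.group(2).endswith('"'):
            keys[current].append((unescape(v.group(1)), unescape(v.group(2)[1:-1])))
    return keys


def image_path(command: str) -> str:
    """Pull the executable out of a Run command line (quoted, or up to the first .exe/.dll/...)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.(?:exe|com|scr|bat|cmd|dll|vbs|js))(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]


def assess(path: str) -> str:
    p = path.lower()
    if p.startswith(TRUSTED_PREFIXES):
        return "ok: OS or program directory"
    if any(marker in p for marker in USER_WRITABLE):
        return "REVIEW: runs from a user-writable location"
    return "REVIEW: unusual location"


def audit_run_keys(reg_text: str) -> List[Dict[str, str]]:
    """One finding per value under any ...\\CurrentVersion\\Run key in the export."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().endswith("\\currentversion\\run"):
            continue
        for name, command in values:
            path = image_path(command)
            findings.append({"key": key, "name": name, "path": path, "verdict": assess(path)})
    return findings


if __name__ == "__main__":
    for f in audit_run_keys(SAMPLE_REG):
        print("%-8s %-55s %s" % (f["name"], f["path"], f["verdict"]))
```

Export the same key from HKEY_LOCAL_MACHINE as well and feed both files through audit_run_keys(); for each REVIEW hit, hash the file and compare it against the MD5s in the Analysis section before deleting it.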

### Conclusion ###

* Follow the prevention tips above
* Use common sense and do not blindly click on or run anything you encounter
* When in doubt, check the file on VirusTotal, for example


# Links #

(1) http://en.wikipedia.org/wiki/Domain_generation_algorithm
(2) http://en.wikipedia.org/wiki/Portable_Executable
(3) http://www.wikihow.com/Change-Proxy-Settings
(4) http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs


@bartblaze