It has been a while since I came across a new campaign of the Citadel crimeware. Just as we have seen in earlier posts, it relies on social engineering to catch the unwary.
Download of the executable file.
Icon of the threat, which looks like a video player.
Analysis on VirusTotal (V.T.).
It is wrapped in a Visual Basic crypter.
Here, in the dump, a string that mentions the well-known researcher Brian Krebs.
Strings.
0040A1E0 ASCII "GET ",0
0040A1E8 ASCII "POST ",0
0040A1F0 ASCII "FAIL",0
0040A1F8 ASCII ".swf",0
0040A200 ASCII ".flv",0
0040A208 ASCII "facebook.com",0
0040A21C ASCII "%BOTID%",0
0040A224 ASCII "%BOTNET%",0
0040A230 ASCII "%BC-*-*-*-*%",0
0040A240 ASCII "%VIDEO%",0
0040A248 ASCII "Cookie: %s
00401C50 ASCII "api",0
00401C54 ASCII "cmd",0
00401C58 ASCII "C1F20D2340B51905"
00401C68 ASCII "6A7D89B7DF4B0FFF"
00401C78 ASCII 0
00401C7C UNICODE ".exe",0
00401C88 ASCII "update.exe",0
00401C9C ASCII "config.bin",0
004026A0 UNICODE "ll",0
004026A8 ASCII "cookie_module",0
004026B8 ASCII "cit_ffcookie.mod"
004026C8 ASCII "ule",0
004026CC ASCII "video_module",0
004026DC ASCII "cit_video.module"
00403D80 DD Dumped9.00409F98 UNICODE "Microsoft"
00403D84 DD Dumped9.00409F70 UNICODE "Microsoft"
00403D88 DD Dumped9.00409F44 UNICODE "Microsoft"
00403D8C DD Dumped9.00409F24 UNICODE "ESET"
00403D90 DD Dumped9.00409F04 UNICODE "ESET"
00403D94 DD Dumped9.00409EE8 UNICODE "AVG"
00403D98 DD Dumped9.00409ECC UNICODE "AVG"
00403D9C DD Dumped9.00409EB0 UNICODE "AVG"
00403DA0 DD Dumped9.00409E8C UNICODE "AntiVir"
00403DA4 DD Dumped9.00409E68 UNICODE "avast!"
00403DA8 DD Dumped9.00409E3C UNICODE "Kaspersky"
00403DAC DD Dumped9.00409E14 UNICODE "Kaspersky"
00403DB0 DD Dumped9.00409DEC UNICODE "Norton"
00403DB4 DD Dumped9.00409DC4 UNICODE "Symantec"
00403DB8 DD Dumped9.00409DA0 UNICODE "Symantec"
00403DBC DD Dumped9.00409D74 UNICODE "Symantec"
00403DC0 DD Dumped9.00409D50 UNICODE "Symantec"
00403DC4 DD Dumped9.00409D20 UNICODE "McAfee"
00403DC8 DD Dumped9.00409CF0 UNICODE "McAfee"
00403DCC DD Dumped9.00409CE0 UNICODE "McAfee"
00403DD0 DD Dumped9.00409CB8 UNICODE "SafenSoft"
00407C64 UNICODE "ComSpec",0
00407C74 ASCII "Mozilla/4.0 (com"
00407C84 ASCII "patible; MSIE 7."
00407C94 ASCII "0; Windows NT 5."
00407CA4 ASCII "1; SV1)",0
00407CAC ASCII "POST",0
00407CB4 ASCII "GET",0
00407CB8 ASCII "Connection: clos"
00407CC8 ASCII "e\n",0
00407CCC ASCII "urlmon.dll",0
00407CD8 ASCII "ObtainUserAgentS"
00407CE8 ASCII "tring",0
00407D08 UNICODE "S:(ML;;N"
00407D18 UNICODE "RNWNX;;;"
00407D28 UNICODE "LW)",0
00407D30 UNICODE "SeSecuri"
00407D40 UNICODE "tyPrivil"
00407D50 UNICODE "ege",0
00407D58 UNICODE "S:(ML;CI"
00407D68 UNICODE "OI;NRNWN"
00407D78 UNICODE "X;;;LW)",0
00407DEC ASCII "wxz",0
00407DF0 ASCII "aeiouy",0
00407DF8 UNICODE "Global\",0
00407E08 UNICODE "Local\",0
00409C50 ASCII "GAEZ",0
00409C74 ASCII "71:> &2",0
00409CB8 UNICODE "SafenSof"
00409CC8 UNICODE "t",0
00409CCC UNICODE "SysWatch"
00409CDC UNICODE 0
00409CE0 UNICODE "McAfee",0
00409CF0 UNICODE "McAfee",0
00409CFE UNICODE "Security"
00409D0E UNICODE " Center",0
00409D20 UNICODE "McAfee",0
00409D2E UNICODE "Security"
00409D3E UNICODE "Center",0
00409D50 UNICODE "Symantec"
00409D60 UNICODE 0
00409D62 UNICODE "Client",0
00409D74 UNICODE "Symantec"
00409D84 UNICODE 0
00409D86 UNICODE "Protecti"
00409D96 UNICODE "on",0
00409DA0 UNICODE "Symantec"
00409DB0 UNICODE 0
00409DB2 UNICODE "Shared",0
00409DC4 UNICODE "Symantec"
00409DD4 UNICODE 0
00409DD6 UNICODE "Security"
00409DE6 UNICODE 0
00409DEC UNICODE "Norton",0
00409DFA UNICODE "Protecti"
00409E0A UNICODE "on",0
00409E14 UNICODE "Kaspersk"
00409E24 UNICODE "y",0
00409E28 UNICODE "Security"
00409E38 UNICODE 0
00409E3C UNICODE "Kaspersk"
00409E4C UNICODE "y",0
00409E50 UNICODE "Anti-Vir"
00409E60 UNICODE "us",0
00409E68 UNICODE "avast!",0
00409E76 UNICODE "Antiviru"
00409E86 UNICODE "s",0
00409E8C UNICODE "AntiVir",0
00409E9C UNICODE "Desktop",0
00409EB8 UNICODE "Monitor",0
00409ED4 UNICODE "Service",0
00409EF0 UNICODE "Security"
00409F00 UNICODE 0
00409F04 UNICODE "ESET",0
00409F0E UNICODE "Security"
00409F1E UNICODE 0
00409F24 UNICODE "ESET",0
00409F2E UNICODE "Antiviru"
00409F3E UNICODE "s",0
00409F44 UNICODE "Microsof"
00409F54 UNICODE "t",0
00409F58 UNICODE "Inspecti"
00409F68 UNICODE "on",0
00409F70 UNICODE "Microsof"
00409F80 UNICODE "t",0
00409F84 UNICODE "Malware",0
00409F98 UNICODE "Microsof"
00409FA8 UNICODE "t",0
00409FAC UNICODE "Security"
00409FBC UNICODE 0
00409FC0 ASCII "GetProcAddress",0
00409FD0 ASCII "LoadLibraryA",0
00409FE0 ASCII "NtCreateThread",0
00409FF0 ASCII "NtCreateUserProc"
0040A000 ASCII "ess",0
0040A004 ASCII "NtQueryInformati"
0040A014 ASCII "onProcess",0
0040A020 ASCII "RtlUserThreadSta"
0040A030 ASCII "rt",0
0040A034 ASCII "LdrLoadDll",0
0040A040 ASCII "LdrGetDllHandle",0
0040A050 ASCII ".reloc",0
0040A060 UNICODE ".dat",0
0040A06C ASCII "RFB 003.003\n",0
0040A07C ASCII "RFB ",0
0040A08C UNICODE ".txt",0
0040A10C ASCII "https://",0
0040A118 ASCII "User-Agent",0
0040A124 ASCII "Cookie",0
0040A12C ASCII "Accept-Language",0
0040A13C ASCII "Accept-Encoding",0
0040A14C ASCII "HTTP/1.",0
0040A154 ASCII "Transfer-Encodin"
0040A164 ASCII "g",0
0040A168 ASCII "chunked",0
0040A170 ASCII "Connection",0
0040A17C ASCII "close",0
0040A184 ASCII "Proxy-Connection"
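The listing above is how the debugger shows referenced strings: 16-byte rows, so anything longer (the User-Agent, `ObtainUserAgentString`, the `cit_*.module` names) arrives as fragments that continue on the next row when that row's address is exactly 0x10 higher. As an added example that is not part of the original post, the Python below reassembles such a listing and sorts the results into indicator buckets. The sample rows are a constructed excerpt in the same format, and the category regexes are my own choice, not anything Citadel or the debugger defines.

```python
"""Reassemble and triage an OllyDbg-style referenced-strings listing.

Added example, not code from the original post. The debugger prints strings
in 16-byte rows, so a long string appears as several fragments: a row that
ends without the ,0 terminator continues on the next row when that row's
address is exactly 0x10 higher and has the same encoding. SAMPLE_DUMP is a
constructed excerpt in the format of the listing above; the indicator
categories at the bottom are this example's own choice.
"""
import re
from typing import Dict, List, Tuple

# address, ASCII|UNICODE, quoted text, optional ",0" terminator
ROW_RE = re.compile(r'^([0-9A-Fa-f]{8})\s+(ASCII|UNICODE)\s+"(.*)"(,0)?\s*$')

SAMPLE_DUMP = """\
00407C74 ASCII "Mozilla/4.0 (com"
00407C84 ASCII "patible; MSIE 7."
00407C94 ASCII "0; Windows NT 5."
00407CA4 ASCII "1; SV1)",0
00407CAC ASCII "POST",0
00407CD8 ASCII "ObtainUserAgentS"
00407CE8 ASCII "tring",0
004026B8 ASCII "cit_ffcookie.mod"
004026C8 ASCII "ule",0
004026DC ASCII "cit_video.module"
00409E14 UNICODE "Kaspersk"
00409E24 UNICODE "y",0
00409E28 UNICODE "Security"
00409E38 UNICODE 0
0040A1FC ASCII "%BOTID%",0
0040A248 ASCII "Cookie: %s
"""


def reassemble(dump: str) -> List[Tuple[int, str, str]]:
    """Return (start_address, encoding, text) for every string in the listing,
    joining fragments that the debugger split across consecutive rows."""
    strings: List[Tuple[int, str, str]] = []
    pending = None  # dict(addr, kind, text, next) for an unterminated fragment

    def flush() -> None:
        nonlocal pending
        if pending is not None:
            strings.append((pending["addr"], pending["kind"], pending["text"]))
            pending = None

    for line in dump.splitlines():
        m = ROW_RE.match(line)
        if not m:
            # 'UNICODE 0' (empty string), pointer rows, or a row cut by a raw newline
            flush()
            continue
        row_addr = int(m.group(1), 16)
        kind, text, terminated = m.group(2), m.group(3), m.group(4) is not None
        if pending and pending["kind"] == kind and row_addr == pending["next"]:
            pending["text"] += text  # continuation of the previous row
        else:
            flush()
            pending = {"addr": row_addr, "kind": kind, "text": text}
        if terminated:
            flush()
        else:
            pending["next"] = row_addr + 0x10  # where the next fragment must start
    flush()
    return strings


# Indicator buckets chosen for this example; first match wins.
CATEGORIES = {
    "citadel_module": re.compile(r"^cit_\w+\.module$"),
    "c2_template": re.compile(r"%[A-Z]+%|^Cookie: |^(GET|POST) ?$"),
    "security_product": re.compile(
        r"Kaspersky|Symantec|Norton|McAfee|ESET|avast!|AntiVir|AVG|SafenSoft"),
    "http_client": re.compile(r"^Mozilla/|^Connection|^User-Agent|ObtainUserAgentString"),
}


def triage(strings: List[Tuple[int, str, str]]) -> Dict[str, List[str]]:
    """Bucket reassembled strings into indicator categories."""
    buckets: Dict[str, List[str]] = {name: [] for name in CATEGORIES}
    for _addr, _kind, text in strings:
        for name, pattern in CATEGORIES.items():
            if pattern.search(text):
                buckets[name].append(text)
                break
    return buckets


if __name__ == "__main__":
    found = reassemble(SAMPLE_DUMP)
    for addr, kind, text in found:
        print(f"{addr:08X} {kind:7} {text}")
    for name, hits in triage(found).items():
        print(f"{name}: {hits}")
```

The security-product bucket is the interesting one for a defender: a list of AV vendor names sitting next to `%BOTID%` and module names tells you the sample checks what protection is installed before it does anything else, which is exactly why the dynamic analysis below has to be done on an isolated box.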
Dynamic analysis (DumpIt + Volatility)
Volatility
pslist
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x81bc97c0 System                    4      0     56      661 ------      0
0x81952b10 smss.exe                528      4      3       19 ------      0 2014-08-22 20:45:49 UTC+0000
0x81954b60 csrss.exe               592    528     11      378      0      0 2014-08-22 20:45:50 UTC+0000
0x819abb60 winlogon.exe            616    528     19      261      0      0 2014-08-22 20:45:50 UTC+0000
0x81a5aad0 services.exe            668    616     16      247      0      0 2014-08-22 20:45:50 UTC+0000
0x81a4a748 lsass.exe               680    616     25      349      0      0 2014-08-22 20:45:50 UTC+0000
0x81a0f020 svchost.exe             880    668     18      212      0      0 2014-08-22 20:45:51 UTC+0000
0x81904da0 svchost.exe             956    668      9      220      0      0 2014-08-22 20:45:51 UTC+0000
0x81a04c30 svchost.exe            1048    668     76     1312      0      0 2014-08-22 20:45:51 UTC+0000
0x81a1b428 svchost.exe            1108    668      7       81      0      0 2014-08-22 20:45:51 UTC+0000
0x8191f020 svchost.exe            1136    668     15      201      0      0 2014-08-22 20:45:52 UTC+0000
0x818e4230 explorer.exe           1508   1472     31      648      0      0 2014-08-22 20:45:53 UTC+0000
0x818fc318 spoolsv.exe            1612    668     14      116      0      0 2014-08-22 20:45:54 UTC+0000
0x819c9da0 smsniff.exe             360   1508      3       79      0      0 2014-08-22 20:46:03 UTC+0000
0x819aebe0 wuauclt.exe             452   1048      8      143      0      0 2014-08-22 20:46:06 UTC+0000
0x819c5980 alg.exe                1240    668      6      101      0      0 2014-08-22 20:46:07 UTC+0000
0x819c4c10 udpi.exe                796    720      0 --------      0      0 2014-08-22 20:47:21 UTC+0000   2014-08-22 20:47:26 UTC+0000
0x81947020 DumpIt.exe             1428   1508      2       57      0      0 2014-08-22 20:48:37 UTC+0000
Active connections for PID 1508, which corresponds to explorer.exe.
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01d8ed80 10.0.2.15:1041            23.228.250.83:80          1508
0x01d8f418 10.0.2.15:1037            23.228.250.83:80          1508
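explorer.exe holding two TCP sessions to an external web server is the tell here: the shell process does not open sockets of its own, so something is running inside it. The Python below, an added example and not code from the original post, joins the `pslist` and `connections` tables so this kind of owner/socket mismatch is flagged automatically. The two tables are constructed from the output shown above, with one svchost.exe DNS connection added for contrast; the list of processes that should never own sockets is my baseline and needs tuning per environment.

```python
"""Cross-reference Volatility 'pslist' and 'connections' output.

Added example, not code from the original post. It maps every socket back to
its owning process and flags those owned by processes that have no business
opening network connections themselves (explorer.exe above), noting whether
the peer is outside private address space. The two tables are constructed
from the output shown above, plus one benign svchost.exe row for contrast.
"""
import ipaddress
import re
from typing import Dict, List

PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x81bc97c0 System                    4      0     56      661 ------      0
0x81a04c30 svchost.exe            1048    668     76     1312      0      0 2014-08-22 20:45:51 UTC+0000
0x818e4230 explorer.exe           1508   1472     31      648      0      0 2014-08-22 20:45:53 UTC+0000
0x819c9da0 smsniff.exe             360   1508      3       79      0      0 2014-08-22 20:46:03 UTC+0000
"""

CONNECTIONS = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01d8ed80 10.0.2.15:1041            23.228.250.83:80          1508
0x01d8f418 10.0.2.15:1037            23.228.250.83:80          1508
0x01d8fa20 10.0.2.15:1050            10.0.2.3:53               1048
"""

# Processes that should not own sockets on a workstation (this example's baseline).
NO_SOCKETS_EXPECTED = {"explorer.exe", "winlogon.exe", "csrss.exe", "smss.exe"}

PS_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)")
CONN_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_pslist(text: str) -> Dict[int, str]:
    """PID -> image name, skipping the header and separator rows."""
    procs: Dict[int, str] = {}
    for line in text.splitlines():
        m = PS_RE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs


def parse_connections(text: str) -> List[Dict[str, object]]:
    """One dict per established TCP connection: local, remote, pid."""
    conns: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns.append({"local": m.group(1), "remote": m.group(2), "pid": int(m.group(3))})
    return conns


def is_external(endpoint: str) -> bool:
    """True when the address part of 'ip:port' is neither private nor loopback."""
    ip = ipaddress.ip_address(endpoint.rsplit(":", 1)[0])
    return not (ip.is_private or ip.is_loopback)


def suspicious_connections(pslist_text: str, conn_text: str) -> List[Dict[str, object]]:
    """Flag sockets whose owner is missing from pslist or should not own sockets."""
    procs = parse_pslist(pslist_text)
    findings: List[Dict[str, object]] = []
    for conn in parse_connections(conn_text):
        name = procs.get(conn["pid"])
        reasons = []
        if name is None:
            reasons.append("owning PID not in pslist (exited or hidden)")
        elif name in NO_SOCKETS_EXPECTED:
            reasons.append(f"{name} is not expected to own sockets")
        if reasons:
            findings.append({**conn, "process": name,
                             "external": is_external(conn["remote"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_connections(PSLIST, CONNECTIONS):
        print(f"pid {f['pid']} ({f['process']}) -> {f['remote']} external={f['external']}: {f['reasons']}")
```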
The Windows Firewall is disabled (EnableFirewall = 0 in the StandardProfile key).
C:\Python27\Scripts>vol.py -f memory.dmp printkey -K "ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
Volatility Foundation Volatility Framework 2.4
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\system
Key name: StandardProfile (S)
Last updated: 2011-07-15 21:12:13 UTC+0000
Subkeys:
(S) AuthorizedApplications
Values:
REG_DWORD EnableFirewall : (S) 0
REG_DWORD DoNotAllowExceptions : (S) 0
REG_DWORD DisableNotifications : (S) 0
REG_DWORD DisableUnicastResponsesToMulticastBroadcast : (S) 0
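Reading `EnableFirewall : (S) 0` by eye works for one dump; across many it is better to parse the `printkey` output and compare it with a baseline. The Python below is an added example, not code from the original post: it parses the value lines exactly as printed above (the text is copied from that run) and reports every deviation from the expected DWORDs. The baseline itself (`EnableFirewall` must be 1, notifications must stay on) is mine, not something the page states.

```python
"""Audit the Windows Firewall profile key from Volatility 'printkey' output.

Added example, not code from the original post. It parses the
'REG_TYPE Name : (S|V) value' lines that printkey prints and compares them
with the values a protected profile should carry. PRINTKEY_OUTPUT is copied
from the run above; EXPECTED is this example's own baseline.
"""
import re
from typing import Dict, List, NamedTuple, Optional


class RegValue(NamedTuple):
    reg_type: str
    volatile: bool
    raw: str


PRINTKEY_OUTPUT = """\
Volatility Foundation Volatility Framework 2.4
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\system
Key name: StandardProfile (S)
Last updated: 2011-07-15 21:12:13 UTC+0000
Subkeys:
(S) AuthorizedApplications
Values:
REG_DWORD EnableFirewall : (S) 0
REG_DWORD DoNotAllowExceptions : (S) 0
REG_DWORD DisableNotifications : (S) 0
REG_DWORD DisableUnicastResponsesToMulticastBroadcast : (S) 0
"""

KEY_RE = re.compile(r"^Key name:\s+(\S+)\s+\((S|V)\)")
VALUE_RE = re.compile(r"^(REG_\w+)\s+(\S+)\s*:\s*\((S|V)\)\s*(.*)$")

# Value name -> DWORD expected when the profile is actually protecting the host.
EXPECTED = {"EnableFirewall": 1, "DisableNotifications": 0}


def parse_printkey(text: str) -> Dict[str, RegValue]:
    """Collect the values section into name -> RegValue."""
    values: Dict[str, RegValue] = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            values[m.group(2)] = RegValue(m.group(1), m.group(3) == "V", m.group(4).strip())
    return values


def key_name(text: str) -> Optional[str]:
    """The key printkey was asked for, e.g. StandardProfile or DomainProfile."""
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            return m.group(1)
    return None


def audit_firewall_profile(text: str) -> List[str]:
    """Return one finding per expected value that is missing or deviates."""
    profile = key_name(text) or "<unknown key>"
    values = parse_printkey(text)
    findings: List[str] = []
    for name, want in EXPECTED.items():
        val = values.get(name)
        if val is None:
            findings.append(f"{profile}: {name} not set")
        elif val.reg_type != "REG_DWORD" or int(val.raw) != want:
            findings.append(f"{profile}: {name}={val.raw}, expected {want}")
    return findings


if __name__ == "__main__":
    for finding in audit_firewall_profile(PRINTKEY_OUTPUT):
        print(finding)
```

Run the same check against the `DomainProfile` sibling key on domain-joined hosts; the profile that applies depends on which network the machine decided it was on, so auditing only one of the two can miss the change.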
Searching for strings in the memory dump of the infected PC.
The trojan enumerates the PC's configuration and sends the result to the attacker.
1180 Console 0 3.876 KB
tasklist.exe 1772 Console 0 5.268 KB
==========[ C:\Documents and Settings\Administrador ]>ipconfig /all
Configuración IP de Windows
Nombre del host . . . . . . . . . : Equipo01
Sufijo DNS principal . . . . . . :
Tipo de nodo . . . . . . . . . . : desconocido
Enrutamiento habilitado. . . . . .: No
Proxy WINS habilitado. . . . . : No
Adaptador Ethernet Conexión de área local :
Sufijo de conexión específica DNS :
Descripción. . . . . . . . . . . : Adaptador Ethernet PCI AMD PCNET Family
Dirección física. . . . . . . . . : 08-00-27-80-70-30
DHCP habilitado. . . . . . . . . : No
Autoconfiguración habilitada. . . : Sí
Dirección IP. . . . . . . . . . . : 10.0.2.15
Máscara de subred . . . . . . . . : 255.255.255.0
Puerta de enlace predeterminada : 10.0.2.2
Servidor DHCP . . . . . . . . . . : 10.0.2.2
Servidores DNS . . . . . . . . . .: 10.0.2.3
Concesión obtenida . . . . . . . : viernes, 22 de agosto de 2014 17:45:52
Concesión expira . . . . . . . . .: sábado, 23 de agosto de 2014 17:45:52
==========[ C:\Documents and Settings\Administrador ]>netsh firewall set opmode disable
Aceptar
==========[ C:\Documents and Settings\Administrador ]>
==========[ C:\Documents and Settings\Administrador ]>exit
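The transcript above is a compact recon chain: `hostname`, `tasklist`, `ipconfig /all` and then `netsh firewall set opmode disable`, all from one shell within seconds. That sequence is easy to catch from process-creation telemetry. The Python below is an added example, not code from the original post: it groups Sysmon-style process-creation events by parent process and scores the commands that appear within a short window, weighting firewall tampering heavily so it alerts on its own. The events are constructed to mirror the transcript (plus one lone, benign `ipconfig /all`); the field names, the extra discovery commands (`systeminfo`, `whoami`) and the thresholds are mine.

```python
"""Detect the host-reconnaissance chain seen in the infected PC's memory.

Added example, not code from the original post. The shell transcript above
shows hostname, tasklist, ipconfig /all and netsh firewall set opmode
disable run in quick succession under one command shell. This detector
groups constructed process-creation events (Sysmon-style fields: time,
parent PID, image, command line) by parent and scores the commands that
appear within a short window. Event sample, thresholds and the extra
discovery commands are this example's own.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Discovery commands worth one point each; the transcript shows the first three.
RECON_COMMANDS = {"hostname", "tasklist", "ipconfig /all", "systeminfo", "whoami"}
# Firewall tampering scores enough to alert by itself (legacy and advfirewall syntax).
FIREWALL_DISABLE = re.compile(
    r"netsh\s+(firewall\s+set\s+opmode\s+(mode=)?disable|advfirewall\s+set\s+\w+\s+state\s+off)",
    re.IGNORECASE)

# Constructed events modelled on the transcript; the last one is a lone admin command.
EVENTS = [
    {"time": "2014-08-22T20:47:10", "ppid": 1508, "parent": "explorer.exe", "pid": 720, "image": "cmd.exe", "cmdline": "cmd.exe"},
    {"time": "2014-08-22T20:47:12", "ppid": 720, "parent": "cmd.exe", "pid": 760, "image": "hostname.exe", "cmdline": "hostname"},
    {"time": "2014-08-22T20:47:15", "ppid": 720, "parent": "cmd.exe", "pid": 772, "image": "tasklist.exe", "cmdline": "tasklist"},
    {"time": "2014-08-22T20:47:18", "ppid": 720, "parent": "cmd.exe", "pid": 788, "image": "ipconfig.exe", "cmdline": "ipconfig  /all"},
    {"time": "2014-08-22T20:47:24", "ppid": 720, "parent": "cmd.exe", "pid": 804, "image": "netsh.exe", "cmdline": "netsh firewall set opmode disable"},
    {"time": "2014-08-22T20:55:00", "ppid": 1800, "parent": "cmd.exe", "pid": 1820, "image": "ipconfig.exe", "cmdline": "ipconfig /all"},
]


def normalize(cmdline: str) -> str:
    """Lower-case and collapse whitespace so 'ipconfig  /all' matches."""
    return " ".join(cmdline.lower().split())


def score_command(cmdline: str) -> int:
    cmd = normalize(cmdline)
    if FIREWALL_DISABLE.search(cmd):
        return 3
    return 1 if cmd in RECON_COMMANDS else 0


def detect_recon_chains(events: List[Dict], window_seconds: int = 120,
                        threshold: int = 3) -> List[Dict]:
    """One alert per parent whose children, inside the window, score >= threshold."""
    by_parent: Dict[int, List[Dict]] = defaultdict(list)
    for e in events:
        by_parent[e["ppid"]].append(e)
    window = timedelta(seconds=window_seconds)
    alerts: List[Dict] = []
    for ppid, children in by_parent.items():
        children.sort(key=lambda e: e["time"])
        for i, first in enumerate(children):
            start = datetime.fromisoformat(first["time"])
            score, matched = 0, []
            for e in children[i:]:
                if datetime.fromisoformat(e["time"]) - start > window:
                    break
                s = score_command(e["cmdline"])
                if s:
                    score += s
                    matched.append(normalize(e["cmdline"]))
            if score >= threshold:
                alerts.append({"ppid": ppid, "parent": first["parent"],
                               "first_seen": first["time"], "score": score, "commands": matched})
                break  # one alert per parent is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_recon_chains(EVENTS):
        print(alert)
```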
C:\WINDOWS\Explorer.EXE
Microsoft Corporation | Sistema operativo Microsoft Windows | 6.00.2900.5512
Equipo01\Administrador
Command and control
http://nrgg1731.ru/cphouse/file.php|file=soft.exe#N
http://nrgg1731.ru/cphouse/gate.php2N
http://nrgg1731.ru/cphouse/file.php$N
http://poroto6a.ru/cphouse/file.
=con
.dll
hostname
tasklist
ipconfig /all
netsh firewall set opmode disable
#*wellsfargo.com/*
@*payment.com/*
!http://*.com/*.jpg
*facebook.com/*
*antivirus*=209.85.22
http://poroto666bbb.ru/cphouse/file.php|file=config.dll
http://nrgg1731.ru/cphouse/file.php|file=config.dll
Peru-Panama
Sample: https://dl.dropboxusercontent.com/u/80008916/Citadel-22-08-14.zip
That's all for now. @Dkavalanche 2014