Malware Analysis with a real-time IOC feed (EoT) and private sources

Introduction

The Lutech Cyber Threat Intelligence team, with the help of Lutech EyeOnThreat™ and its own private infrastructure, identified an attack from a Chinese IP address and analysed the attacker's TTPs (tactics, techniques and procedures), providing a detailed, private IoC list in real time, freely and easily available to any customer of the platform.

Analysis

On September 7th 2017 at about 11:41 AM, the Lutech honeynet infrastructure started to detect a malicious attack from a Chinese IP: 221.229.197.116.

Lutech EyeOnThreat™ immediately gathered this information from the honeynet infrastructure and categorized the IP address as a malicious attacker, before anyone else on the internet. As shown in the following screenshot, EmergingThreatsPro listed the IP in its public feed on September 8th 2017.

Going deeper into the analysis: first, the attacker found our fake MySQL service exposed and started to brute-force the administrative account with some kind of default credential list.

As soon as he found the default credentials (yes, root with a blank password; it was not that difficult) he tried to upload some malicious code to the system, with the main goal of executing commands from the database on the "actual" server and getting root access.

First, he dropped a file from an HTTP web server, located at: http://117.27.239.203:1038/5.exe

The IP address 117.27.239.203 also resolves to www.515bt.com.

The MD5 of the file 5.exe is f671d23d45ca06e64d8e4c801254a19c; at the moment of the attack it was detected by just 6/64 of the AV engines out there.

Looking at the detection in more detail, among the major AV vendors only ESET-NOD32 detected the file, as "a variant of Win32/Kryptik.FDQG".

In any case, no AV was installed on the system. Once the file was dropped, the attacker executed the malware, which first ran some sort of botkill routine intended to deal with previously run instances of itself (dropping any UDFs they had left behind):

Drop FUNCTION IF EXISTS shell
Drop FUNCTION IF EXISTS downloader
Drop FUNCTION IF EXISTS cmdshell
Drop FUNCTION IF EXISTS sys_eval
Drop FUNCTION IF EXISTS lib_mysqludf_sys_info

and then tried (more than once, actually) to execute his own code directly from the shell:

select cmdshell("C:\\5.exe "C:\\5.exe"")
create function downloader returns string soname "lib_mysqludf_sys.dll"
CREATE FUNCTION cmdshelv RETURNS string SONAME 'udf.dll'
CREATE FUNCTION cmdshell RETURNS string SONAME 'xijin1.dll'
CREATE FUNCTION downloader RETURNS string SONAME 'xijin.dll'
CREATE FUNCTION cmdshell RETURNS string SONAME 'xijin.dll'
CREATE FUNCTION downloader RETURNS string SONAME 'xsa.dll'
CREATE FUNCTION cmdshell RETURNS string SONAME 'xsa.dll'
create function downloader returns string soname "udf32.dll"
CREATE FUNCTION cmdshell RETURNS string SONAME 'udf33.dll'
create function downloader returns string soname "lib_mysqludf_sys.dll"
CREATE FUNCTION downloader RETURNS string SONAME 'xsa.dll'
CREATE FUNCTION cmdshell RETURNS string SONAME 'xsa.dll'
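
From the defender's side, an added example that is not part of the original post: a small Python scanner for a MySQL general log that flags the DROP FUNCTION / CREATE FUNCTION ... SONAME / UDF-call sequence shown above and ties each statement to the client IP that opened the connection. The log format and the sample lines are constructed for the example.

```python
import re
from collections import namedtuple
# Constructed general-log excerpt (format assumed); the statements mirror the honeypot's UDF sequence.
SAMPLE_LOG = r"""
2017-09-07T11:41:02 12 Connect root@221.229.197.116 on  using TCP/IP
2017-09-07T11:41:03 12 Query Drop FUNCTION IF EXISTS cmdshell
2017-09-07T11:41:05 12 Query CREATE FUNCTION cmdshell RETURNS string SONAME 'xijin1.dll'
2017-09-07T11:41:05 12 Query create function downloader returns string soname "lib_mysqludf_sys.dll"
2017-09-07T11:41:06 12 Query select cmdshell("C:\\5.exe")
2017-09-07T11:42:10 13 Query SELECT name, dl FROM mysql.func
"""
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(Connect|Query)\s+(.*)$")
CONNECT_RE = re.compile(r"^(\w+)@([\d.]+)")
CREATE_RE = re.compile(r"create\s+function\s+(\w+)\s+returns\s+\w+\s+soname\s+['\"]([^'\"]+)['\"]", re.I)
DROP_RE = re.compile(r"drop\s+function\s+(?:if\s+exists\s+)?(\w+)", re.I)
# UDF names the attacker used; a call to any of them is OS command execution.
CALL_RE = re.compile(r"\b(cmdshell|shell|sys_eval|downloader)\s*\(", re.I)
Finding = namedtuple("Finding", "line conn source kind detail")

def scan_general_log(text):
    """Flag UDF drop/create/call statements and tie each to the client IP."""
    findings, sources = [], {}
    for n, raw in enumerate(text.strip().splitlines(), 1):
        m = LINE_RE.match(raw)
        if not m:
            continue
        _, conn, cmd, arg = m.groups()
        if cmd == "Connect":  # remember which client owns this connection id
            who = CONNECT_RE.match(arg)
            sources[conn] = who.group(2) if who else "?"
            continue
        src = sources.get(conn, "?")
        if (c := CREATE_RE.search(arg)):
            findings.append(Finding(n, conn, src, "udf_create", f"{c.group(1)} <- {c.group(2)}"))
        elif (d := DROP_RE.search(arg)):
            findings.append(Finding(n, conn, src, "udf_drop", d.group(1)))
        elif CALL_RE.search(arg):
            findings.append(Finding(n, conn, src, "udf_call", arg.strip()))
    return findings

def summarize(findings):
    """Per client IP: libraries loaded via SONAME and whether a UDF was called."""
    out = {}
    for f in findings:
        s = out.setdefault(f.source, {"libs": set(), "called": False})
        if f.kind == "udf_create":
            s["libs"].add(f.detail.split(" <- ")[1])
        elif f.kind == "udf_call":
            s["called"] = True
    return out
```

A client that both loads a library via SONAME and then calls one of these functions is the pattern worth alerting on; the benign query from connection 13 produces no finding.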

Of course, given the nature of the honeypot, he failed to execute malicious code on the server, but he left some interesting footprints of his activities on the internet.

24 hours after the first detection, the file named "5.exe" had been uploaded to the VirusTotal service more than once, and the malware is now detected as Generic Malware by 25/64 AV engines and identified as "a Network Worm spreading via a buffer overflow exploit, bruteforcing of weak network services passwords, shares, or the like."

Going deeper into the analysis, it is also interesting to see that the attacker used an HFS web server to host his malicious content.

Thanks to our fully automated and integrated infrastructure, Lutech EyeOnThreat™ is to date the only system on the internet that has categorized this host in real time as a "Malware Distribution Site".

And that’s what it is.

As shown in the following screenshot, the attacker is serving many other malware samples:

As we can see from the dates and the hit counts, the web server has been up for just 2 days and the attacker has tried to spread different versions of the malware, many times, across the internet.

Moreover, the Lutech infrastructure has been able to gather this information and analyse all these files, giving us a better idea of the attacker's overall TTPs.

From our analysis, the files named "3.exe", "4.exe", "5.exe", "6.exe" and "123.exe" are basically copies of the file "1.exe" that we analysed earlier in this report. The file named "2.exe" seems to be a variant of the malware, probably encrypted in a different way.
It has a different MD5 but, once executed in a controlled environment, its behaviour is similar to the other one. This file is currently detected by 11/64 AV engines.

Moving on, we noticed some files named "360", "36000", "linux-syn25000" and "linux-udp25000" which, once analysed, turned out to be backdoors for Linux-based systems. These files are detected by most AV engines.

Once analysed in a controlled environment (thanks to Detux), the malware named "360" tries to contact its command & control, which, again, seems to be located on the host with IP 117.27.239.203, on port 36000. The malware also tries to contact a domain named "linux.dj6cc.com".

The malware named "linux-syn25000", instead, tries to contact its command & control, which, again, seems to be located on the host with IP 117.27.239.203, on port 25000. This malware also tries to contact a domain named "bennaio.date", which is known for hosting malicious content.

The web server also serves other kinds of malware with similar behaviour: a dropper named "server.exe" (16/34), another Linux-based trojan, and some other material such as a scanner and a list of IP addresses, probably used to search for more vulnerable hosts.

IOC List

The following table lists the IOCs that we collected from various private and public sources.

Authors

Lutech Cyber Threat Intelligence Team, Luca Dinardo