Friday, August 17, 2012

Shamoon or DistTrack.A samples


Image from Kaspersky lab
Here are a couple of Shamoon samples. Such destructive malware is rare because it does not really make much sense to destroy computers when you can steal data or use them.  

Download


Download all the files listed below

Additional file Aug 20, 2012 (many thanks to anonymous)
41f13811fa2d4c41b8002bfb2554a286

File info

d214c717a357fe3a455610b197c390aa 
trksvr.exe
12288:Xfz3ZXNPcwmGWdCCg98gJWGG2EbzXHlk3qBUb7UbXfzZdE5Ng98gJWb2Ebzm3q
PE info
UninitializedDataSize     : 0
InitializedDataSize       : 913408
ImageVersion              : 0.0
ProductName               : Microsoft   Windows   Operating System
FileVersionNumber         : 5.2.3790.0
LanguageCode              : English (U.S.)
FileFlagsMask             : 0x003f
FileDescription           : Distributed Link Tracking Server
CharacterSet              : Unicode
LinkerVersion             : 10.0
FileOS                    : Windows NT 32-bit
MIMEType                  : application/octet-stream
Subsystem                 : Windows command line
FileVersion               : 5.2.3790.0 (srv03_rtm.030324-2048)
TimeStamp                 : 2012:08:10 00:46:22+02:00
FileType                  : Win32 EXE
PEType                    : PE32
InternalName              : Distributed Link Tracking Server
ProductVersion            : 5.2.3790.0
SubsystemVersion          : 5.1
OSVersion                 : 5.1
OriginalFilename          : trksvr
LegalCopyright            :    Microsoft Corporation. All rights reserved.
MachineType               : Intel 386 or later, and compatibles
CompanyName               : Microsoft Corporation
CodeSize                  : 84480
FileSubtype               : 0
ProductVersionNumber      : 5.2.3790.0
EntryPoint                : 0x892b
ObjectFileType            : Executable application

PE Signature
============
Publisher                 : Microsoft Corporation
Product                   : Microsoft_ Windows_ Operating System
Internal name             : Distributed Link Tracking Server
Copyright                 : (c) Microsoft Corporation. All rights reserved.
Original name             : trksvr
File version              : 5.2.3790.0 (srv03_rtm.030324-2048)
Description               : Distributed Link Tracking Server


https://www.securelist.com/en/blog?SSL=1#



ASCI strings
File: D214C717A357FE3A455610B197C390AA
MD5:  d214c717a357fe3a455610b197c390aa
Size: 989184


Wow64DisableWow64FsRedirection
Wow64RevertWow64FsRedirection
string too long
invalid string position
Schedule
JobAdd
vector<T> too long
ios_base::eofbit set


ios_base::failbit set
ios_base::badbit set
bad locale name
bad cast
c:\windows\temp\out17626867.txt
kijjjjnsnjbnncbknbkjadc
kjsdjbhjsdbhfcbsjkhdf  jhg jkhg hjk hjk 
slkdfjkhsbdfjbsdf
klsjdfjhsdkufskjdfh
generic
iostream
system
iostream stream error
Unknown exception
bad allocation
CorExitProcess
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
LC_TIME
LC_NUMERIC
LC_MONETARY
LC_CTYPE
LC_COLLATE
LC_ALL
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
Visual C++ CRT: Not enough memory to complete call to strerror.
bad exception
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
July
June
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
united-states
united-kingdom
trinidad & tobago
south-korea
south-africa
south korea
south africa
slovak
puerto-rico
pr-china
pr china
new-zealand
hong-kong
holland
great britain
england
czech
china
britain
america
swiss
swedish-finland
spanish-venezuela
spanish-uruguay
spanish-puerto rico
spanish-peru
spanish-paraguay
spanish-panama
spanish-nicaragua
spanish-modern
spanish-mexican
spanish-honduras
spanish-guatemala
spanish-el salvador
spanish-ecuador
spanish-dominican republic
spanish-costa rica
spanish-colombia
spanish-chile
spanish-bolivia
spanish-argentina
portuguese-brazilian
norwegian-nynorsk
norwegian-bokmal
norwegian
italian-swiss
irish-english
german-swiss
german-luxembourg
german-lichtenstein
german-austrian
french-swiss
french-luxembourg
french-canadian
french-belgian
english-usa
english-us
english-uk
english-trinidad y tobago
english-south africa
english-nz
english-jamaica
english-ire
english-caribbean
english-can
english-belize
english-aus
english-american
dutch-belgian
chinese-traditional
chinese-singapore
chinese-simplified
chinese-hongkong
chinese
canadian
belgian
australian
american-english
american english
american
Norwegian-Nynorsk
Illegal byte sequence
Directory not empty
Function not implemented
No locks available
Filename too long
Resource deadlock avoided
Result too large
Domain error
Broken pipe
Too many links
Read-only file system
Invalid seek
No space left on device
File too large
Inappropriate I/O control operation
Too many open files
Too many open files in system
Invalid argument
Is a directory
Not a directory
No such device
Improper link
File exists
Resource device
Unknown error
Bad address
Permission denied
Not enough space
Resource temporarily unavailable
No child processes
Bad file descriptor
Exec format error
Arg list too long
No such device or address
Input/output error
Interrupted function call
No such process
No such file or directory
Operation not permitted
No error
UTF-8
UTF-16LE
UNICODE
 Complete Object Locator'
 Class Hierarchy Descriptor'
 Base Class Array'
 Base Class Descriptor at (
 Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
 delete[]
 new[]
`local vftable constructor closure'
`local vftable'
`RTTI
`udt re
turning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
 delete
 new
__unaligned
__restrict
__ptr64
__eabi
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
GetProcessWindowStation
GetUserObjectInformationW
GetLastActivePopup
GetActiveWindow
MessageBoxW
NetScheduleJobDel
NetApiBufferFree
NetApiBufferAllocate
NetRemoteTOD
NETAPI32.dll
WS2_32.dll
GetTickCount
CloseHandle
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
OpenProcess
GetCurrentProcess
VirtualFree
VirtualAlloc
LocalFree
Sleep
LocalAlloc
GetLastError
MoveFileExW
DeleteFileW
GetProcAddress
GetModuleHandleW
WriteFile
CreateFileW
SizeofResource
LockResource
LoadResource
FindResourceW
GetCommandLineW
GetFileTime
GetWindowsDirectoryW
SetFileTime
CreateThread
CreateProcessW
CopyFileW
MoveFileW
ReadFile
GetSystemTime
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
WaitForSingleObject
InitializeCriticalSection
KERNEL32.dll
LoadImageW
USER32.dll
StartServiceW
RegCloseKey
RegDeleteValueW
RegOpenKeyExW
Chan
geServiceConfig2W
CreateServiceW
CloseServiceHandle
ChangeServiceConfigW
QueryServiceConfigW
OpenServiceW
OpenSCManagerW
RegQueryValueExW
StartServiceCtrlDispatcherW
SetServiceStatus
RegisterServiceCtrlHandlerW
ADVAPI32.dll
CommandLineToArgvW
SHELL32.dll
InterlockedIncrement
InterlockedDecrement
EncodePointer
DecodePointer
RaiseException
RtlUnwind
HeapFree
ExitProcess
HeapSetInformation
WideCharToMultiByte
LCMapStringW
MultiByteToWideChar
GetCPInfo
HeapAlloc
IsProcessorFeaturePresent
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
SetLastError
GetCurrentThreadId
HeapCreate
SetHandleCount
GetStdHandle
InitializeCriticalSectionAndSpinCount
GetFileType
GetStartupInfoW
GetConsoleCP
GetConsoleMode
FlushFileBuffers
SetFilePointer
LoadLibraryW
GetLocaleInfoW
GetModuleFileNameW
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
GetACP
GetOEMCP
IsValidCodePage
GetStringTypeW
HeapReAlloc
HeapSize
GetUserDefaultLCID
GetLocaleInfoA
EnumSystemLocalesA
IsValidLocale
WriteConsoleW
SetStdHandle
CreateFileA
SetEndOfFile
GetProcessHeap
.?AVbad_alloc@std@@
.?AVexception@std@@
.?AVruntime_error@std@@
.?AVfacet@locale@std@@
.?AVcodecvt_base@std@@
.?AUctype_base@std@@
.?AVios_base@std@@
.?AV?$_Iosb@H@std@@
.?AV?$basic_ostream@DU?$char_traits@D@std@@@std@@
.?AV?$basic_ios@DU?$char_traits@D@std@@@std@@
.?AV?$basic_istream@DU?$char_traits@D@std@@@std@@
.?AV?$basic_iostream@DU?$char_traits@D@std@@@std@@
.?AV?$ctype@D@std@@
.?AVsystem_error@std@@
.?AVfailure@ios_base@std@@
.?AV?$basic_streambuf@DU?$char_traits@D@std@@@std@@
.?AV?$codecvt@DDH@std@@
.?AVbad_cast@std@@
.?AV?$basic_filebuf@DU?$char_traits@D@std@@@std@@
.?AV?$basic_fstream@DU?$char_traits@D@std@@@std@@
.?AVlogic_error@std@@
.?AVlength_error@std@@
.?AVout_of_range@std@@
.?AV_Locimp@locale@std@@
.?AVerror_category@std@@
.?AV_Generic_error_category@std@@
.?AV_Iostream_error_category@std@@
.?AV_System_error_category@std@@
Copyright (c) 1992-2004 by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.
.?AVtype_info@@
.?AVbad_exception@std@@
                         
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
                         
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
KG=]
>]H:
uD^5
_D`j
^+'o
^#WkW+K
_aFNZ-
kS3~
K^#s
K^aCN
^#WkW+K
_aFNZ-

Unicode Strings:
---------------------------------------------------------------------------
jjjjj
@LanmanWorkstation
WOW64
SYSTEM\CurrentControlSet\Services\TrkSvr
Distributed Link Tracking Server
Enables the Distributed Link Tracking Client service within the same domain to provide more reliable and efficient maintenance of links within the domain. If this service is disabled, any services that explicitly depend on it will fail to start.
RpcSs
C:\Windows\system32\svchost.exe -k netsvcs
TrkSvr
.exe
kernel32.dll
amd64
AMD64
PROCESSOR_ARCHITECTURE
SYSTEM\CurrentControlSet\Control\Session Manager\Environment
ntrksvr.exe
trksrv.exe
netinit
\system32\kernel32.dll
netapi32.dll
%SystemRoot%\System32\
\system32\
\system32\csrss.exe
E$\WINDOWS
D$\WINDOWS
C$\WINDOWS
ADMIN$
\inf\netft429.pnf
PKCS7
\System32\cmd.exe /c "ping -n 30 127.0.0.1 >nul && sc config TrkSvr binpath= system32\trksrv.exe && ping -n 10 127.0.0.1 >nul && sc start TrkSvr "
X509
myimage12767
PKCS12
wow32
mscoree.dll
         (((((                  H
         h((((                  H
                                 H
AKERNEL32.DLL
runtime error
TLOSS error
SING error
DOMAIN error
R6033
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.

R6002
- floating point support not loaded
AMicrosoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program:
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
July
June
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
Eccs
UTF-8
UTF-16LE
UNICODE
WUSER32.DLL
CONOUT$
caclsrv
certutl
clean
ctrl
dfrag
dnslookup
dvdquery
event
findfile
gpget
ipsecure
iissrv
msinit
ntfrsutil
ntdsutl
power
rdsadmin
regsys
sigver
routeman
rrasrv
sacses
sfmsc
smbinit
wcscript
ntnw
netx
fsutl
extract
\system32\
test123
test456
test789
testdomain.com
123123
456456
789789
PKCS12
PKCS7
X509
VS_VERSION_INFO
StringFileInfo
040904b0
CompanyName
Microsoft Corporation
FileDescription
Distributed Link Tracking Server
FileVersion
5.2.3790.0 (srv03_rtm.030324-2048)
InternalName
Distributed Link Tracking Server
LegalCopyright
 Microsoft Corporation. All rights reserved.
OriginalFilename
trksvr
ProductName
Microsoft
 Windows
 Operating System
ProductVersion
5.2.3790.0
VarFileInfo
Translation


Automatic scans

 https://www.virustotal.com/file/f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72/analysis/
SHA256:     f9d94c5de86aa170384f1e2e71d95ec373536899cb7985633d3ecfdb67af0f72
SHA1:     502920a97e01c2d022ac401601a311818f336542
MD5:     d214c717a357fe3a455610b197c390aa
File size:     966.0 KB ( 989184 bytes )
File name:     str.exe
File type:     Win32 EXE
Tags:     peexe
Detection ratio:     22 / 42
Analysis date:     2012-08-16 13:57:43 UTC ( 16 hours, 25 minutes ago )

AntiVir     TR/Crypt.FKM.Gen     20120816
Avast     Win32:Malware-gen     20120816
AVG     unknown virus Win32/DH{A2cI}     20120815
BitDefender     Gen:Trojan.Heur.8u0@ILmUdSm     20120816
Commtouch     W32/Dropper.gen8!Maximus     20120816
Comodo     UnclassifiedMalware     20120816
Emsisoft     Trojan.Win32.Spy!IK     20120816
F-Prot     W32/Dropper.gen8!Maximus     20120815
F-Secure     Gen:Trojan.Heur.8u0@ILmUdSm     20120816
GData     Gen:Trojan.Heur.8u0@ILmUdSm     20120816
Ikarus     Trojan.Win32.Spy     20120816
Jiangmin     Trojan/Generic.aninx     20120816
K7AntiVirus     Trojan     20120815
Kaspersky     HEUR:Trojan.Win32.Generic     20120816
McAfee     W32/DistTrack     20120816
McAfee-GW-Edition     W32/DistTrack     20120816
Norman     W32/Troj_Generic.DKYIW     20120816
Sophos     Troj/Mdrop-ELD     20120816
Symantec     W32.DistTrack     20120816
TrendMicro     TROJ_DISTTRACK.A     20120816
TrendMicro-HouseCall     TROJ_DISTTRACK.A     20120816
VIPRE     Trojan.Win32.Generic!BT     20120816



https://www.virustotal.com/file/4f02a9fcd2deb3936ede8ff009bd08662bdb1f365c0f4a78b3757a98c2f40400/analysis/
 SHA256:     4f02a9fcd2deb3936ede8ff009bd08662bdb1f365c0f4a78b3757a98c2f40400
SHA1:     7c0dc6a8f4d2d762a07a523f19b7acd2258f7ecc
MD5:     b14299fd4d1cbfb4cc7486d978398214
File size:     966.0 KB ( 989184 bytes )
File name:     str.exe
File type:     Win32 EXE
Tags:     peexe
Detection ratio:     21 / 42
Analysis date:     2012-08-16 13:39:56 UTC ( 16 hours, 44 minutes ago )
AntiVir     TR/Crypt.FKM.Gen     20120816
Avast     Win32:Malware-gen     20120816
AVG     unknown virus Win32/DH{A2cI}     20120815
BitDefender     Gen:Trojan.Heur.8u0@ILmUdSm     20120816
Commtouch     W32/Dropper.gen8!Maximus     20120816
Comodo     UnclassifiedMalware     20120816
Emsisoft     Trojan.Win32.Spy!IK     20120816
F-Prot     W32/Dropper.gen8!Maximus     20120815
F-Secure     Gen:Trojan.Heur.8u0@ILmUdSm     20120816
GData     Gen:Trojan.Heur.8u0@ILmUdSm     20120816
Ikarus     Trojan.Win32.Spy     20120816
K7AntiVirus     Trojan     20120815
Kaspersky     HEUR:Trojan.Win32.Generic     20120816
McAfee     W32/DistTrack     20120816
McAfee-GW-Edition     W32/DistTrack     20120816
Norman     W32/Troj_Generic.DLKSV     20120816
Sophos     Troj/Mdrop-ELD     20120816
SUPERAntiSpyware     -     20120816
Symantec     W32.DistTrack     20120816
TrendMicro     TROJ_DISTTRACK.A     20120816
TrendMicro-HouseCall     TROJ_DISTTRACK.A     20120816
VIPRE     Trojan.Win32.Generic!BT     20120816

VirusBuster     -

5 comments:

  1. Decrypted resources from the sample:

    $ pedump trksvr.exe.dr -R

    === RESOURCES ===

    FILE_OFFSET CP LANG SIZE TYPE NAME
    0x1cb60 0 0 194048 PKCS12 #112
    0x4c160 0 0 133120 PKCS7 #113
    0x6cd20 0 0 532992 X509 #116
    0x6c960 0 0 960 VERSION #1

    http://box.jisko.net/d/5d1e9ddc <- "infected"

    ReplyDelete
  2. And it continues!

    One of the extracted files from the resources is a copy of the original sample for 64 bits systems. It has more encrypted resources:

    $ pedump -R trksvr.exe.dr_X509_116_0_decrypted

    === RESOURCES ===

    FILE_OFFSET CP LANG SIZE TYPE NAME
    0x23910 0 0 227840 PKCS12 #112
    0x5b310 0 0 155136 PKCS7 #113
    0x81110 0 0 960 VERSION #1

    shamoon_resources2$ file *
    PKCS12_112_0.txt: data
    PKCS12_112_0.txt_decrypted: PE32+ executable (console) x86-64, for MS Windows
    PKCS7_113_0.txt: \0 "Z\216*"
    PKCS7_113_0.txt_decrypted: PE32+ executable (console) x86-64, for MS Windows

    Attached!

    http://box.jisko.net/d/496d8628 <- "infected"

    ReplyDelete
  3. If you run the executable on any computer, will it automatically wipe the disk? Or will it only run on computers that were targeted?

    ReplyDelete
  4. Here are a couple of Shamoon samples. Such destructive malware is rare because it does not really make much sense to destroy computers when you can steal data or use them. Unless you want to instill fear or show off. The ArabianGolf string...

    ReplyDelete
  5. excellent photos!!!! really country influence, adore your clothing consequently fashionable and wonderful!!!

    ReplyDelete