I have been away and busy with all kinds of stuff (some malware related and some not :) but I am back.
I played a little recently with Cuckoo sandbox, an awesome free sandbox developed by Claudio Guarnieri (Linkedin). The sandbox has been out for several months, is constantly being improved and has gained a lot of fans. You can read the Cuckoo guide here and also follow active discussions on the Malwr forum. I think the sandbox works very well and is very flexible: it can be developed and extended to analyze any (many) kinds of exploits. You can find descriptions of the sandbox online, but I want to post the results of the sandbox analysis, something I didn't have a chance to see until I installed it. I will post unfiltered results and results with some minimal processing (conversion of pcaps to text, filtering out search results, etc.). This tool is still in development and you will not get polished reports like you see on Threatexpert, but the results are exportable into a database of your choice, searchable, and "tweakable". If you already tried it a while ago, try it again; I heard the later versions are much better than the earlier ones.
Cuckoo creates a dump pcap file you can download from there. You can of course run conversion to text as part of your post-processing routine like you see below.
Common Vulnerability & Exposures CVE#
CVE-2011-0611
General File Information
File: 1104statment.pdf
Size: 91010
MD5: 86730A9BC3AB99503322EDA6115C1096
Original Message and Headers
Received: (qmail 3627 invoked from network); 3 Nov 2011 02:53:35 -0000
Received: from msr8.hinet.net (HELO msr8.hinet.net) (168.95.4.108)
xxxxxxxxxxxxxx
Received: from deepin-f12c1fc0 (60-249-181-163.HINET-IP.hinet.net [60.249.181.163])
by msr8.hinet.net (8.14.2/8.14.2) with SMTP id pA32pCaW016745
xxxxxxxxxxxxx
Date: Thu, 3 Nov 2011 10:51:17 +0800
From: "cy.hsiao" <cy.hsiao@msa.hinet.net>
xxxxx
Reply-To: "jun.lun" <jun.lun@msa.hinet.net>
Subject: 1104statment
X-Priority: 1
X-GUID: 2AE71A5A-DDDA-497A-B8B7-1850D647AC9D
X-Mailer: Foxmail 7.0.1.84[cn]
MIME-Version: 1.0
Message-ID: <201111031040202773896@msa.hinet.net>
Content-Type: multipart/mixed;
boundary="----=_001_NextPart150125300633_=----"
60.249.181.163
60.249.0.0 - 60.249.255.255
Taiwan
CHTD, Chunghwa Telecom Co.,Ltd.
Data-Bldg.6F, No.21, Sec.21, Hsin-Yi Rd.
Taipei Taiwan 100
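The header triage done by hand above (walk the Received chain down to the originating IP, then note that From and Reply-To differ) can be scripted. The following is an added Python example, not a script from the post and not part of Cuckoo. The sample headers are the ones shown above, with the redacted "xxxxx" lines kept in place and the folded continuation of the last Received header re-indented with a space as it would be in the raw message (an assumption; extraction flattened it). It stops at the originating IP; the whois lookup stays a manual or separate step.

```python
import re

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Constructed sample: the headers from the post, redactions included.
SAMPLE_HEADERS = """\
Received: (qmail 3627 invoked from network); 3 Nov 2011 02:53:35 -0000
Received: from msr8.hinet.net (HELO msr8.hinet.net) (168.95.4.108)
xxxxxxxxxxxxxx
Received: from deepin-f12c1fc0 (60-249-181-163.HINET-IP.hinet.net [60.249.181.163])
 by msr8.hinet.net (8.14.2/8.14.2) with SMTP id pA32pCaW016745
xxxxxxxxxxxxx
Date: Thu, 3 Nov 2011 10:51:17 +0800
From: "cy.hsiao" <cy.hsiao@msa.hinet.net>
xxxxx
Reply-To: "jun.lun" <jun.lun@msa.hinet.net>
Subject: 1104statment
X-Priority: 1
X-Mailer: Foxmail 7.0.1.84[cn]
"""


def parse_headers(text):
    """Return [(name, value)] in message order, unfolding continuation lines.

    Lines with no 'Name:' prefix (the redacted xxxxx lines here) are skipped.
    email.message_from_string is deliberately not used: it treats such a line
    as the end of the header block and would lose everything after it.
    """
    headers = []
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and headers:      # folded continuation
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif re.match(r"^[\w-]+:", line):
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def _first_ip(value):
    # A bracketed IP is what the receiving MTA actually saw on the socket;
    # a parenthesised one (qmail style) is the next best thing.
    for pat in (r"\[(" + IPV4 + r")\]", r"\((" + IPV4 + r")\)"):
        m = re.search(pat, value)
        if m:
            return m.group(1)
    return None


def received_chain(headers):
    """(helo_name, ip) per Received header, top (last hop) to bottom (first hop)."""
    chain = []
    for name, value in headers:
        if name.lower() != "received":
            continue
        helo = re.match(r"from (\S+)", value)        # "from <HELO name> (...)"
        chain.append((helo.group(1) if helo else None, _first_ip(value)))
    return chain


def _addr(value):
    m = re.search(r"<([^>]+)>", value)
    return (m.group(1) if m else value).strip().lower()


def triage_headers(text):
    """Originating hop, sender/reply-to mismatch and mailer, from raw headers."""
    headers = parse_headers(text)
    h = {name.lower(): value for name, value in headers}
    chain = received_chain(headers)
    # Bottom-most Received header that carries an IP is the first hop we can see.
    origin = next(((helo, ip) for helo, ip in reversed(chain) if ip), (None, None))
    sender = _addr(h.get("from", ""))
    reply_to = _addr(h["reply-to"]) if "reply-to" in h else None
    return {
        "origin_ip": origin[1],
        "origin_helo": origin[0],
        "from": sender,
        "reply_to": reply_to,
        "reply_to_mismatch": reply_to is not None and reply_to != sender,
        "mailer": h.get("x-mailer"),
        "hops": chain,
    }


if __name__ == "__main__":
    for key, val in triage_headers(SAMPLE_HEADERS).items():
        print(f"{key:18} {val}")
```

On the sample this yields origin 60.249.181.163 announced with the HELO name deepin-f12c1fc0 (a bare hostname rather than the reverse DNS name, which is itself a small tell), a From/Reply-To mismatch, and the Foxmail client string; the origin IP is what you feed into the whois lookup shown above.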
Automated Scans
86730a9bc3ab99503322eda6115c1096
http://www.virustotal.com/file-scan/report.html?id=8a2b54f64d1866ac8c46c99651cadba1597bc5671cf9b4a966c1d23898b19ce6-1320344807
Submission date:2011-11-03 18:26:47 (UTC)
Result: 10 /42 (23.8%)
Avast 6.0.1289.0 2011.11.03 SWF:Dropper [Heur]
BitDefender 7.2 2011.11.03 Script.SWF.C08
F-Secure 9.0.16440.0 2011.11.03 Script.SWF.C08
GData 22 2011.11.03 Script.SWF.C08
Microsoft 1.7801 2011.11.03 Exploit:Win32/Pdfjsc.XD
Norman 6.07.13 2011.11.03 Exploit/2011-0611.A
nProtect 2011-11-03.01 2011.11.03 Script.SWF.C08
Sophos 4.71.0 2011.11.03 Troj/SWFExp-AK
Symantec 20111.2.0.82 2011.11.03 Trojan.Pidief
VirusBuster 14.1.44.0 2011.11.03 SWF.CVE-2011-0609.C
MD5 : 86730a9bc3ab99503322eda6115c1096
Created files
Trojan Taidoor
Cuckoo sandbox does a great job on binaries (and can capture deleted files too), but the document analysis results require a bit more filtering because of the many legitimate Adobe and Office files that get generated during the analysis. It also does not calculate hashes.
Dropped files (results of a filtering script):
[2011-11-29 00:13:25] [INFO] Dropped file "C:\APT_1104statment.pdf"
[2011-11-29 00:13:28] [INFO] Dropped file "C:\Documents and Settings\Angie\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
[2011-11-29 00:13:28] [INFO] Dropped file "C:\WINDOWS\system32\d3d9caps.dat"
[2011-11-29 00:13:28] [INFO] Dropped file "C:\WINDOWS\system32\d3d8caps.dat"
[2011-11-29 00:13:28] [INFO] Dropped file "iso88591"
[2011-11-29 00:13:28] [INFO] Dropped file "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
[2011-11-29 00:13:28] [INFO] Dropped file "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
[2011-11-29 00:13:29] [INFO] Dropped file "C:\WINDOWS\system32\OLEACCRC.DLL"
[2011-11-29 00:13:29] [INFO] Dropped file "C:\WINDOWS\system32\oleacc.dll"
Here is an unfiltered log (you would get all these files in the "Files" analysis folder as well)
This is a zipped folder with the entire unfiltered analysis (use the password scheme or email me if you need it)
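The filtering step mentioned above, written out as an added Python example (not the post's own script and not part of Cuckoo). It parses the `Dropped file` log lines, removes the Adobe/Office/Windows noise through a small pattern list, and adds the hashing Cuckoo did not do at the time. The sample log is the filtered list shown above, with the two records that the page's extraction glued onto one line kept that way so the parser has to cope with it. The noise patterns, and the assumption that the "Files" analysis folder holds each dropped file under its basename, are mine and should be tuned to your own guest image.

```python
import fnmatch
import hashlib
import re
import sys
from pathlib import Path

# One "Dropped file" record. finditer (not match) is used so that two records
# that ended up on the same line are both recovered.
DROP_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] Dropped file "(?P<path>[^"]*)"'
)

# Files Adobe Reader, Office and Windows itself write during a run, i.e. noise
# rather than malware artefacts. Globs are matched case-insensitively against
# the whole path. ASSUMPTION: derived from the noise in the log above; extend
# it for your own sandbox image.
NOISE_PATTERNS = [
    r"c:\windows\system32\d3d?caps.dat",            # Direct3D capability caches
    r"c:\windows\system32\oleacc*.dll",              # Active Accessibility DLLs
    r"*\application data\microsoft\wallpaper1.bmp",  # wallpaper cache
    "iso88591",                                      # charset file, no path at all
]

# Constructed sample: the filtered log entries from the post.
SAMPLE_LOG = r"""
[2011-11-29 00:13:25] [INFO] Dropped file "C:\APT_1104statment.pdf"
[2011-11-29 00:13:28] [INFO] Dropped file "C:\Documents and Settings\Angie\Local Settings\Application Data\Microsoft\Wallpaper1.bmp" [2011-11-29 00:13:28] [INFO] Dropped file "C:\WINDOWS\system32\d3d9caps.dat"
[2011-11-29 00:13:28] [INFO] Dropped file "C:\WINDOWS\system32\d3d8caps.dat"
[2011-11-29 00:13:28] [INFO] Dropped file "iso88591"
[2011-11-29 00:13:28] [INFO] Dropped file "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
[2011-11-29 00:13:28] [INFO] Dropped file "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
[2011-11-29 00:13:29] [INFO] Dropped file "C:\WINDOWS\system32\OLEACCRC.DLL"
[2011-11-29 00:13:29] [INFO] Dropped file "C:\WINDOWS\system32\oleacc.dll"
"""


def parse_dropped(lines):
    """Yield (timestamp, path) for every Dropped-file record in the log."""
    for line in lines:
        for m in DROP_RE.finditer(line):
            yield m.group("ts"), m.group("path")


def is_noise(path):
    low = path.lower()
    return any(fnmatch.fnmatchcase(low, pat.lower()) for pat in NOISE_PATTERNS)


def filter_dropped(lines):
    """Dropped files worth a second look, in log order, noise removed."""
    return [(ts, p) for ts, p in parse_dropped(lines) if not is_noise(p)]


def hash_bytes(data):
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def hash_file(path, chunk=1 << 16):
    """Stream the file once and return md5/sha1/sha256 (all three for VT lookups)."""
    hashes = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashes.values():
                h.update(block)
    return {n: h.hexdigest() for n, h in hashes.items()}


def hash_dropped(files_dir, entries):
    """ASSUMPTION: the analysis 'Files' folder keeps each dropped file under its basename."""
    out = {}
    for _, path in entries:
        local = Path(files_dir) / path.replace("\\", "/").rsplit("/", 1)[-1]
        out[path] = hash_file(local) if local.is_file() else None
    return out


if __name__ == "__main__":
    # usage: filter_dropped.py [analysis.log] [Files-folder]
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    kept = filter_dropped(lines)
    for ts, path in kept:
        print(f"{ts}  {path}")
    if len(sys.argv) > 2:
        for path, digests in hash_dropped(sys.argv[2], kept).items():
            print(path, digests["sha256"] if digests else "(not found in Files folder)")
```

Run against the sample, only the submitted PDF, `RTHDCPL.exe` and `1.pdf` survive the filter, which is the list the post arrived at; pointing the second argument at the analysis "Files" folder adds the digests you would paste into VirusTotal.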
www.virustotal.com/file-scan/report.html?id=e4875a7fe94b53f0088b0aedd88a2601b4bee99ed8d8196b547adfdb5cafe638-1322293498
2011112
Submission date:2011-11-26 07:44:58 (UTC)
Result:33 /43 (76.7%)
Antivirus Version Last Update Result
AhnLab-V3 2011.11.25.00 2011.11.25 Backdoor/Win32.CSon
AntiVir 7.11.18.78 2011.11.25 TR/Hijacker.Gen
Antiy-AVL 2.0.3.7 2011.11.26 Backdoor/Win32.Agent.gen
Avast 6.0.1289.0 2011.11.25 Win32:Malware-gen
AVG 10.0.0.1190 2011.11.25 BackDoor.Generic14.AJZQ
BitDefender 7.2 2011.11.26 Gen:Trojan.Heur.TP.bq1@byoLvWnb
CAT-QuickHeal 12.00 2011.11.25 Backdoor.Agent.bwtk
Comodo 10789 2011.11.26 UnclassifiedMalware
DrWeb 5.0.2.03300 2011.11.26 Trojan.Taidoor
Emsisoft 5.1.0.11 2011.11.26 Backdoor.Win32.Simbot!IK
eSafe 7.0.17.0 2011.11.24 Win32.TRHijacker
F-Secure 9.0.16440.0 2011.11.26 Gen:Trojan.Heur.TP.bq1@byoLvWnb
Fortinet 4.3.370.0 2011.11.26 W32/Injector.JQA!tr
GData 22 2011.11.26 Gen:Trojan.Heur.TP.bq1@byoLvWnb
Ikarus T3.1.1.109.0 2011.11.26 Backdoor.Win32.Simbot
Jiangmin 13.0.900 2011.11.25 Backdoor/Agent.diki
K7AntiVirus 9.119.5542 2011.11.25 Backdoor
Kaspersky 9.0.0.837 2011.11.26 Backdoor.Win32.Agent.bwtk
McAfee 5.400.0.1158 2011.11.26 Generic BackDoor!dtm
McAfee-GW-Edition 2010.1D 2011.11.25 Generic BackDoor!dtm
Microsoft 1.7801 2011.11.26 Backdoor:Win32/Simbot.gen
NOD32 6660 2011.11.26 a variant of Win32/Injector.JQA
Norman 6.07.13 2011.11.25 W32/Suspicious_Gen2.RUNSA
Panda 10.0.3.5 2011.11.25 Generic Backdoor
PCTools 8.0.0.5 2011.11.26 Backdoor.Trojan
Sophos 4.71.0 2011.11.26 Mal/Simbot-A
Symantec 20111.2.0.82 2011.11.26 Backdoor.Trojan
TheHacker 6.7.0.1.347 2011.11.24 Trojan/Injector.jqa
TrendMicro 9.500.0.1008 2011.11.26 TROJ_GEN.R47C7K4
TrendMicro-HouseCall 9.500.0.1008 2011.11.26 TROJ_GEN.R47C7K4
VBA32 3.12.16.4 2011.11.25 TrojanDownloader.Rubinurd.f
VIPRE 11151 2011.11.26 Trojan.Win32.Generic!BT
VirusBuster 14.1.85.0 2011.11.25 Backdoor.Agent!kZFb0jr2OQ4
Additional information
MD5 : a3a71678576164e93e882392e609a917
It also generates many screenshots to capture the malware behavior (you can turn off this feature) - see one screenshot below
Traffic
74 50.331130 10.0.2.15 -> 110.142.12.95 TCP 1044 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
76 62.360903 10.0.2.15 -> 110.142.12.95 TCP 1046 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
77 65.352406 10.0.2.15 -> 110.142.12.95 TCP 1046 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
78 71.361654 10.0.2.15 -> 110.142.12.95 TCP 1046 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
81 83.379329 10.0.2.15 -> 108.77.146.124 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
83 86.382691 10.0.2.15 -> 108.77.146.124 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
85 92.391543 10.0.2.15 -> 108.77.146.124 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
89 104.309538 10.0.2.15 -> 108.77.146.124 TCP 1048 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
91 107.313022 10.0.2.15 -> 108.77.146.124 TCP 1048 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
94 113.321174 10.0.2.15 -> 108.77.146.124 TCP 1048 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
100 127.342043 10.0.2.15 -> 110.142.12.95 TCP 1049 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
102 130.345727 10.0.2.15 -> 110.142.12.95 TCP 1049 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
108 136.354881 10.0.2.15 -> 110.142.12.95 TCP 1049 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
hirudo.lnk.telstra.net
Host reachable, 259 ms. average
110.142.0.0 - 110.143.255.255
Telstra
Level 12, 242 Exhibition St
Melbourne
VIC 3000
Australia
108.77.146.124
108-77-146-124.lightspeed.tulsok.sbcglobal.net
Host unreachable
108.64.0.0 - 108.95.255.255
AT&T Internet Services
2701 N. Central Expwy # 2205.15
Richardson
TX
75080
United States
Examples of other captures (I will post these files separately)
42 23.708044 10.0.2.15 -> 68.87.73.246 DNS Standard query A sh.antivirusbar.org
43 24.209549 68.87.73.246 -> 10.0.2.15 DNS Standard query response A 58.68.224.24
44 24.213107 10.0.2.15 -> 58.68.224.24 TCP 1045 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
48 24.732612 58.68.224.24 -> 10.0.2.15 TCP 80 > 1045 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
49 24.733912 10.0.2.15 -> 58.68.224.24 TCP 1045 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
50 24.735034 10.0.2.15 -> 58.68.224.24 TCP [TCP segment of a reassembled PDU]
51 24.735034 58.68.224.24 -> 10.0.2.15 TCP 80 > 1045 [ACK] Seq=1 Ack=236 Win=65535 Len=0
52 24.736365 10.0.2.15 -> 58.68.224.24 HTTP POST /phqghumeaylnlfdxfircvscxggbwkfn.htm HTTP/1.1
53 24.736428 58.68.224.24 -> 10.0.2.15 TCP 80 > 1045 [ACK] Seq=1 Ack=1516 Win=65535 Len=0
74 40.881943 10.0.2.15 -> 68.87.73.246 DNS Standard query A checkip.dyndns.org
75 41.032372 68.87.73.246 -> 10.0.2.15 DNS Standard query response CNAME checkip.dyndns.com A 216.146.39.70 A 91.198.22.70 A 216.146.38.70
76 41.033219 10.0.2.15 -> 216.146.39.70 TCP 1045 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
77 41.269469 216.146.39.70 -> 10.0.2.15 TCP 80 > 1045 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
78 41.270321 10.0.2.15 -> 216.146.39.70 TCP 1045 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
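The pcap-to-text post-processing mentioned earlier, taken one step further as an added Python example (not the post's own script and not part of Cuckoo). It reads the one-line-per-frame text that `tshark -r dump.pcap` prints, and summarizes what a triage analyst wants from a sandbox run: DNS names and the addresses they resolved to, which servers the sample tried to connect to and whether a handshake ever completed, and any HTTP request lines. The sample input is constructed from lines of the two captures above (the Taidoor run, where every SYN went unanswered, and the second capture, which did connect and POST), concatenated, so frame numbers repeat.

```python
import re
import sys

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "<frame> <time> <src> -> <dst> <proto> <info>" as printed by tshark's default summary.
FRAME_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<info>.*)$"
)
TCP_RE = re.compile(r"^(?P<sport>\d+) > (?P<dport>\d+) \[(?P<flags>[^\]]+)\]")

# Constructed sample: lines from both captures in the post, concatenated.
SAMPLE_TSHARK = """\
74 50.331130 10.0.2.15 -> 110.142.12.95 TCP 1044 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
76 62.360903 10.0.2.15 -> 110.142.12.95 TCP 1046 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
77 65.352406 10.0.2.15 -> 110.142.12.95 TCP 1046 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
78 71.361654 10.0.2.15 -> 110.142.12.95 TCP 1046 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
81 83.379329 10.0.2.15 -> 108.77.146.124 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
42 23.708044 10.0.2.15 -> 68.87.73.246 DNS Standard query A sh.antivirusbar.org
43 24.209549 68.87.73.246 -> 10.0.2.15 DNS Standard query response A 58.68.224.24
44 24.213107 10.0.2.15 -> 58.68.224.24 TCP 1045 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
48 24.732612 58.68.224.24 -> 10.0.2.15 TCP 80 > 1045 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
49 24.733912 10.0.2.15 -> 58.68.224.24 TCP 1045 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
50 24.735034 10.0.2.15 -> 58.68.224.24 TCP [TCP segment of a reassembled PDU]
52 24.736365 10.0.2.15 -> 58.68.224.24 HTTP POST /phqghumeaylnlfdxfircvscxggbwkfn.htm HTTP/1.1
74 40.881943 10.0.2.15 -> 68.87.73.246 DNS Standard query A checkip.dyndns.org
75 41.032372 68.87.73.246 -> 10.0.2.15 DNS Standard query response CNAME checkip.dyndns.com A 216.146.39.70 A 91.198.22.70 A 216.146.38.70
76 41.033219 10.0.2.15 -> 216.146.39.70 TCP 1045 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
77 41.269469 216.146.39.70 -> 10.0.2.15 TCP 80 > 1045 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
"""


def parse_frames(lines):
    for line in lines:
        m = FRAME_RE.match(line)
        if m:
            yield m.groupdict()


def triage_traffic(lines):
    """DNS answers, per-server connection attempts, and HTTP request lines."""
    dns, pending, conns, http = {}, {}, {}, []
    for f in parse_frames(lines):
        src, dst, proto, info = f["src"], f["dst"], f["proto"], f["info"]
        if proto == "DNS":
            if info.startswith("Standard query response"):
                # This tshark summary does not repeat the name in the answer, so
                # pair it with the outstanding query from the same client/resolver.
                name = pending.pop((dst, src), "<unmatched>")
                dns[name] = {"a": re.findall(r"\bA (" + IPV4 + ")", info),
                             "cname": re.findall(r"\bCNAME (\S+)", info)}
            else:
                q = re.match(r"Standard query \w+ (\S+)", info)
                if q:
                    pending[(src, dst)] = q.group(1)
        elif proto == "TCP":
            t = TCP_RE.match(info)
            if not t:               # e.g. "[TCP segment of a reassembled PDU]"
                continue
            flags = set(t.group("flags").split(", "))
            if flags == {"SYN"}:    # client attempt, keyed by server host:port
                key = (dst, int(t.group("dport")))
                conns.setdefault(key, {"syn": 0, "established": False})["syn"] += 1
            elif flags == {"SYN", "ACK"}:   # server answered: handshake completed
                key = (src, int(t.group("sport")))
                conns.setdefault(key, {"syn": 0, "established": False})["established"] = True
        elif proto == "HTTP":
            http.append((dst, info))
    return {"dns": dns, "connections": conns, "http": http}


def unanswered(report):
    """Servers the sample kept trying but never completed a handshake with,
    ranked by persistence: on a run like the Taidoor one above, that is the
    C2 list even though no payload was ever exchanged."""
    dead = [(host, port, c["syn"]) for (host, port), c in report["connections"].items()
            if not c["established"]]
    return sorted(dead, key=lambda x: (-x[2], x[0], x[1]))


if __name__ == "__main__":
    # Convert the capture first, e.g.:  tshark -r dump.pcap > dump.txt
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_TSHARK.splitlines()
    report = triage_traffic(lines)
    for name, ans in report["dns"].items():
        print(f"DNS  {name} -> {', '.join(ans['a']) or '(no A record)'}")
    for (host, port), c in report["connections"].items():
        print(f"TCP  {host}:{port}  syn={c['syn']}  established={c['established']}")
    for host, line in report["http"]:
        print(f"HTTP {host}  {line}")
    print("never answered:", unanswered(report))
```

The "never answered" list is the point of the exercise for a run like the first one: the sample retried 110.142.12.95 and 108.77.146.124 on 80 and 443 without ever getting a SYN/ACK, so those hosts (and their whois records above) are the indicators to watch for, even though the capture contains no C2 payload.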
Nice to see you again
Wow, this is a great article.
Thank you for posting!