
Sunday, July 29, 2012

Flamer /SkyWiper Samples

August 13, 2012 - added an article by CERT Polska


If you didn't get enough of Flamer /SkyWiper yet, here are the samples donated by a reader. They are also available on various forums and VirusTotal. Whether they are new or old, part of the "Olympic Games" or not, they are a fine example of a targeted attack. Enjoy!


Reading

Update (Aug 13): More human than human – Flame’s code injection techniques (Polish CERT)

Download


Download all the files listed below (email me if you need the password). I fixed the password; re-download if you need to.

Download additional June 2, 2012 files



File information

For the function of each file, see http://code.google.com/p/malware-lu/wiki/en_malware_flamer

  1. advnetcfg.ocx     MD5: BB5441AF1E1741FCA600E9C433CB1550   VirusTotal
  2. advnetcfg2.ocx    MD5: 8ED3846D189C51C6A0D69BDC4E66C1A5   VirusTotal
  3. boot32drv.sys     MD5: C81D037B723ADC43E3EE17B1EEE9D6CC   VirusTotal
  4. ccalc32.sys       MD5: 5AD73D2E4E33BB84155EE4B35FBEFC2B   VirusTotal
  5. msglu32.ocx       MD5: D53B39FB50841FF163F6E9CFD8B52C2E   VirusTotal
  6. mssecmgr.ocx      MD5: BDC9E04388BDA8527B398A8C34667E18   VirusTotal
  7. nteps32.ocx       MD5: C9E00C9D94D1A790D5923B050B0BD741   VirusTotal
  8. soapr32.ocx       MD5: 96E04ABB00EA5F18BA021C34E486746    VirusTotal
  9. soapr32.ocx       MD5: 296e04abb00ea5f18ba021c34e486746   VirusTotal
  10. name?            MD5: 37c97c908706969b2e3addf70b68dc13   VirusTotal
  11. 00006411.dl      MD5: b604c68cd46f8839979da49bb2818c36   VirusTotal
  12. 00004784.dl      MD5: ec992e35e794947a17804451f2a8857e   VirusTotal
  13. name?            MD5: c09306141c326ce96d39532c9388d764   VirusTotal

  Additional (June 2, 2012)

  1. mssecmgr2.dll     MD5: 0A17040C18A6646D485BDE9CE899789F   VirusTotal
  2. comspol32.ocx     MD5: 20732C97EF66DD97389E219FC0182CB5   VirusTotal
  3. soapr32.ocx       MD5: 296E04ABB00EA5F18BA021C34E486746   VirusTotal
  4. noname.dll        MD5: 581F2EF2E3BA164281B562E435882EB5   VirusTotal
  5. mscrypt.dat       MD5: 5B03ED3894D88ADE1C72BA4A700A193F   VirusTotal
  6. boot32.ocx        MD5: 646FE96ABF038834F8FEAEED8FFBD334   VirusTotal
  7. noname.dll        MD5: 75DE82289AC8C816E27F3215A4613698   VirusTotal
  8. nteps32.ocx       MD5: BB4BF0681A582245BD379E4ACE30274B   VirusTotal
  9. noname.dll        MD5: BDDBC6974EB8279613B833804EDA12F9   VirusTotal
  10. mscrypt.dat      MD5: C4D1CA8DD6ADA3EB1C5EB507516F7C84   VirusTotal
  11. ??               MD5: ee4b589a7b5d56ada10d9a15f81dada9   VirusTotal
  12. advnetcfg.ocx    MD5: F0A654F7C485AE195CCF81A72FE083A2   VirusTotal
  13. ??               MD5: F47BD1AF6F6FBC2559D6AB5069D394EB   VirusTotal
Alphabetical list of all files:


0A17040C18A6646D485BDE9CE899789F mssecmgr2.dll
20732C97EF66DD97389E219FC0182CB5 comspol32.ocx
296E04ABB00EA5F18BA021C34E486746 soapr32.ocx
296e04abb00ea5f18ba021c34e486746 soapr32.ocx
37c97c908706969b2e3addf70b68dc13 name?
581F2EF2E3BA164281B562E435882EB5 noname.dll
5AD73D2E4E33BB84155EE4B35FBEFC2B ccalc32.sys
5B03ED3894D88ADE1C72BA4A700A193F mscrypt.dat
646FE96ABF038834F8FEAEED8FFBD334 boot32.ocx
75DE82289AC8C816E27F3215A4613698 noname.dll
8ED3846D189C51C6A0D69BDC4E66C1A5 advnetcfg2.ocx
96E04ABB00EA5F18BA021C34E486746 soapr32.ocx
b604c68cd46f8839979da49bb2818c36 00006411.dl
BB4BF0681A582245BD379E4ACE30274B nteps32.ocx
BB5441AF1E1741FCA600E9C433CB1550 advnetcfg.ocx
BDC9E04388BDA8527B398A8C34667E18 mssecmgr.ocx
BDDBC6974EB8279613B833804EDA12F9 noname.dll
c09306141c326ce96d39532c9388d764 name?
C4D1CA8DD6ADA3EB1C5EB507516F7C84 mscrypt.dat
C81D037B723ADC43E3EE17B1EEE9D6CC boot32drv.sys
C9E00C9D94D1A790D5923B050B0BD741 nteps32.ocx
D53B39FB50841FF163F6E9CFD8B52C2E msglu32.ocx
ec992e35e794947a17804451f2a8857e 00004784.dl
ee4b589a7b5d56ada10d9a15f81dada9
F0A654F7C485AE195CCF81A72FE083A2 advnetcfg.ocx
F47BD1AF6F6FBC2559D6AB5069D394EB

Automated scans

Main module scan

SHA256:          295b089792d00870db938f2107772e0b58b23e5e8c6c4465c23affe87e2e67ac
SHA1:            a592d49ff32fe130591ecfde006ffa4fb34140d5
MD5:             bdc9e04388bda8527b398a8c34667e18
File size:       5.9 MB (6166528 bytes)
File name:       file-4030286_ocx
File type:       Win32 DLL
Detection ratio: 38 / 42

Antivirus     Result     Update
AhnLab-V3     Win32/Flame.worm.6166528     20120531
AntiVir     TR/Flamer.A     20120531
Antiy-AVL     Trojan/win32.agent.gen     20120531
Avast     Win32:Skywiper-C [Trj]     20120531
AVG     Worm/Pakes.ATG     20120531
BitDefender     Trojan.Flame.A     20120531
CAT-QuickHeal     Trojan.Flamer.A.iw5     20120531
ClamAV     Worm.Flame-2     20120531
Commtouch     W32/Flamer.A     20120531
Comodo     Worm.Win32.Flame.a     20120531
DrWeb     Win32.HLLW.Flame.1     20120531
Emsisoft     Worm.Win32.Flame!IK     20120531
F-Prot     W32/Flamer.A     20120531
F-Secure     Trojan.Flame.A     20120531
Fortinet     W32/Flame.A!worm     20120531
GData     Trojan.Flame.A     20120531
Ikarus     Worm.Win32.Flame     20120531
K7AntiVirus     EmailWorm     20120531
Kaspersky     Worm.Win32.Flame.a     20120531
McAfee     SkyWiper     20120531
McAfee-GW-Edition     SkyWiper     20120531
Microsoft     Worm:Win32/Flame.gen!A     20120531
NOD32     Win32/Flamer.A     20120531
Norman     W32/Flamer.A     20120531
nProtect     Worm/W32.Flame.6166528     20120531
Panda     W32/Flamer.A.worm     20120531
PCTools     Malware.Flamer     20120531
Rising     Trojan.Win32.Generic.12D406C1     20120531
Sophos     W32/Flame-Gen     20120531
Symantec     W32.Flamer     20120531
TheHacker     Trojan/Flamer.a     20120531
TotalDefense     Win32/Flame.C     20120531
TrendMicro     WORM_FLAMER.A     20120531
TrendMicro-HouseCall     WORM_FLAMER.A     20120531
VBA32     BScope.Trojan.MTA.01233     20120531
VIPRE     Worm.Win32.Flame.a     20120531
ViRobot     Worm.Win32.S.Flame.6166528     20120531
VirusBuster     Trojan.Flame.A     20120531


21 comments:

  1. Hi Mila, good to see you back after so long :)
    I've found some samples (6 or so) on the malware.lu site, but not as many as listed here.
    Thanks for sharing!
    Cheers,
    @c_APT_ure

  2. Mila,welcome back!

  3. #8 in the first list is only 31 characters

  4. WHAT IS THE PASSWORD?!

    Replies
    1. It is an IQ test. If you can't figure out how to get the password, you are not ready for Flame.

    2. B*tch please, I'm at university. Downloaded the samples off an Asian site where people don't have such an attitude.

      Common, logical passwords would be: infected, virus, malware, flame, but sht idc anymore anyway.

    3. It's really good to see that some skiddies, without a proper language for kindly asking for something and without the ability to read texts properly, cannot access some files. It's a really good method, Mila; thanks for not sharing sample files with everyone. Keep up your great blog, I really appreciate your work. I've learned so much from your blog.

  5. wow ha,
    It is a personal blog. Today uncommon passwords, tomorrow butterflies and movie reviews. If it makes you angry, take it to your therapist.

  6. Dick head. I will crack ur sht. Dick eater

  7. So, I'm new to this malware analysis thing. Taking a few classes to learn it better. Any recommendations on best way to go about analyzing flame and others on this site? I hear this one is a nasty one, been reading about it a lot online.

    Replies
    1. Hi, try more links http://contagiodump.blogspot.com/2010/06/malware-analysis-and-forensics-tools.html or books
      http://www.amazon.com/Practical-Malware-Analysis-Dissecting-ebook/dp/B007ED2XDS/ref=sr_1_1?s=digital-text&ie=UTF8&qid=1339757848&sr=1-1

    2. I've got that book and would recommend it to you. The labs are a brilliant feature.

      @Mila Good to see you're back.

    3. I've got that book and would recommend it to you. The labs are a brilliant feature.

      @Mila it's good to see you're back posting again.

  8. No problem, thank you all for the feedback!

  9. Sir, I need the password. My ID: netbook@rediffmail.com

  10. Anyone know how to execute the function that infects the USB?
