URLs from PowerShell Downloader:
hxxp://show1[.]website/OerAS.dat (Obfuscated AutoIt script, Base64 encoded as a certificate)
hxxp://show1[.]website/HeyaL.dat (AutoIt Interpreter) – Legitimate
hxxp://show1[.]website/iPYOy.dat (Encrypted KPOT Malware)
Excerpt from the Base64-decoded AutoIt script (‘i8ek7’) showing the obfuscation:
Decode function at the bottom of AutoIt script:
The string is split on ‘*’, and then each encoded character is subtracted from the number after the comma ($integer) before being converted from Unicode (a character code back to a character).
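To make the decode step concrete, here is an added example (not code from the original post) that reverses the scheme described above. It assumes the decode function is called as DecodeStr("<numbers separated by *>", <integer>) and that each character is recovered as ChrW(number - integer); the function name, the call shape and the subtraction direction are assumptions, and the encoded script fragment is constructed for the demonstration. The second helper goes a little beyond the page by rewriting every such call in a script body in place, which is how an analyst would turn the obfuscated script into readable AutoIt.

```python
import re

# Hypothetical name of the AutoIt decode function (not taken from the page).
DECODE_FUNC_NAME = "DecodeStr"


def decode_autoit_string(encoded: str, integer: int) -> str:
    """Split on '*', subtract the key from each number, convert to a character.

    Assumption: the decoded character is ChrW(number - integer).
    """
    chars = []
    for token in encoded.split("*"):
        token = token.strip()
        if not token:          # tolerate a trailing '*' or stray whitespace
            continue
        code = int(token) - integer
        if not 0 <= code <= 0xFFFF:
            raise ValueError(f"token {token!r} decodes outside the ChrW range")
        chars.append(chr(code))
    return "".join(chars)


def encode_autoit_string(plain: str, integer: int) -> str:
    """Inverse of decode_autoit_string; used only to build constructed samples."""
    return "*".join(str(ord(c) + integer) for c in plain)


def deobfuscate_script(script: str, func_name: str = DECODE_FUNC_NAME) -> str:
    """Replace every func_name("n*n*n", key) call with the decoded AutoIt literal."""
    pattern = re.compile(
        re.escape(func_name) + r'\(\s*"(?P<enc>[0-9*\s]*)"\s*,\s*(?P<key>\d+)\s*\)'
    )

    def _replace(m: "re.Match[str]") -> str:
        decoded = decode_autoit_string(m["enc"], int(m["key"]))
        # AutoIt doubles embedded double quotes inside a "..." literal.
        return '"' + decoded.replace('"', '""') + '"'

    return pattern.sub(_replace, script)


# Constructed sample: "dllhost.exe" encoded with key 1337, wrapped in a
# fabricated AutoIt line of the kind the obfuscated script would contain.
SAMPLE_KEY = 1337
SAMPLE_ENCODED = "1437*1445*1445*1441*1448*1452*1453*1383*1438*1457*1438"
SAMPLE_SCRIPT = f'$host = {DECODE_FUNC_NAME}("{SAMPLE_ENCODED}", {SAMPLE_KEY})\n'


if __name__ == "__main__":
    print(decode_autoit_string(SAMPLE_ENCODED, SAMPLE_KEY))
    print(deobfuscate_script(SAMPLE_SCRIPT), end="")
```

If the real script subtracts in the other direction, only the one line computing `code` changes; everything else, including the in-place rewrite, stays the same.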
Decoded sample:
All necessary files placed in the same folder (‘Temp’) on a Windows 7 virtual machine:
Using PowerShell to initiate the infection chain:
Process chain showing ‘dllhost.exe’ process hollowing:
CreateProcess: powershell.exe:2428 > "%UserProfile%\Downloads\Temp\r17mi.com i8ek7 "
- [Child PID: 2452]
CreateProcess: r17mi.com:2452 > "%UserProfile%\Downloads\Temp\r17mi.com i8ek7 "
- [Child PID: 2064]
CreateProcess: r17mi.com:2064 > "%WinDir%\SysWOW64\dllhost.exe"
- [Child PID: 2244]
CreateProcess: dllhost.exe:2244 > "%WinDir%\system32\cmd.exe /c ping 127.0.0.1 && del %WinDir%\SysWOW64\dllhost.exe"
- [Child PID: 536]
CreateProcess: cmd.exe:536 > "ping 127.0.0.1 "
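The process chain above is also a useful detection input. The following added example (not code from the original post) parses log lines in exactly the CreateProcess / Child PID layout shown above, rebuilds the parent-child relationships, and flags two behaviours visible in that chain: a system binary (dllhost.exe) being spawned by a process running from a user-writable path such as Temp, and the "ping 127.0.0.1 && del" self-cleanup pattern. The sample log is the page's own chain; the rule names and the list of user-writable path fragments are assumptions chosen for the demonstration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Sample input: the process chain from the post, verbatim.
SAMPLE_LOG = r"""
CreateProcess: powershell.exe:2428 > "%UserProfile%\Downloads\Temp\r17mi.com i8ek7 "
- [Child PID: 2452]
CreateProcess: r17mi.com:2452 > "%UserProfile%\Downloads\Temp\r17mi.com i8ek7 "
- [Child PID: 2064]
CreateProcess: r17mi.com:2064 > "%WinDir%\SysWOW64\dllhost.exe"
- [Child PID: 2244]
CreateProcess: dllhost.exe:2244 > "%WinDir%\system32\cmd.exe /c ping 127.0.0.1 && del %WinDir%\SysWOW64\dllhost.exe"
- [Child PID: 536]
CreateProcess: cmd.exe:536 > "ping 127.0.0.1 "
"""

CREATE_RE = re.compile(r'^CreateProcess:\s+(?P<pimg>\S+?):(?P<ppid>\d+)\s+>\s+"(?P<cmd>.*)"\s*$')
CHILD_RE = re.compile(r'^-\s*\[Child PID:\s*(?P<pid>\d+)\]')

# Assumed list of path fragments that an unprivileged user can write to.
USER_WRITABLE_FRAGMENTS = ("\\temp\\", "%temp%", "\\appdata\\", "\\downloads\\")
# Hosts seen used for hollowing on this page; extend as your telemetry warrants.
HOLLOW_HOSTS = {"dllhost.exe"}
SELF_DELETE_RE = re.compile(r"ping\s+127\.0\.0\.1\b.*&&\s*del\s", re.IGNORECASE)


def parse_process_log(text: str) -> List[Dict]:
    """Each CreateProcess line opens a record; the following Child PID line closes it."""
    procs: List[Dict] = []
    pending: Optional[Dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = CREATE_RE.match(line)
        if m:
            pending = {"parent_image": m["pimg"], "ppid": int(m["ppid"]),
                       "cmdline": m["cmd"], "pid": None}
            procs.append(pending)
            continue
        m = CHILD_RE.match(line)
        if m and pending is not None:
            pending["pid"] = int(m["pid"])
            pending = None
    return procs


def image_name(cmdline: str) -> str:
    """Lower-cased basename of the first token of a command line."""
    first = cmdline.strip().split(" ")[0]
    return first.rsplit("\\", 1)[-1].lower()


def detect(procs: List[Dict]) -> List[Tuple[str, Optional[int]]]:
    """Return (rule, pid) findings for the two behaviours discussed above."""
    by_pid = {p["pid"]: p for p in procs if p["pid"] is not None}
    findings: List[Tuple[str, Optional[int]]] = []
    for p in procs:
        cmd_lower = p["cmdline"].lower()
        # Rule 1: a hollowing host launched by something living in a user path.
        parent = by_pid.get(p["ppid"])
        if image_name(p["cmdline"]) in HOLLOW_HOSTS and parent is not None:
            if any(f in parent["cmdline"].lower() for f in USER_WRITABLE_FRAGMENTS):
                findings.append(("system-binary-spawned-from-user-path", p["pid"]))
        # Rule 2: delayed self-deletion via ping followed by del.
        if SELF_DELETE_RE.search(cmd_lower):
            findings.append(("ping-then-delete-self-cleanup", p["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(parse_process_log(SAMPLE_LOG)):
        print(f"{rule}: pid {pid}")
```

Rule 1 needs the parent record, which is why the parser keeps the PID chain rather than matching single lines; a single-line rule would miss that the dllhost.exe launch is only interesting because of where its parent runs from.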
“dllhost.exe” process dump via Task Manager:
String analysis via “strings” shows the command and control (C2) servers:
Extracting the executables with “foremost”:
The decrypted KPOT malware has the SHA256 hash “3fd4aa339bdfee23684ff495d884aa842165e61af85fd09411abfd64b9780146” and a VirusTotal score of 34/71.
https://www.virustotal.com/gui/file/3fd4aa339bdfee23684ff495d884aa842165e61af85fd09411abfd64b9780146/detection
Sampled VirusTotal signatures:
String analysis of KPOT malware via “FLOSS”:
Strings indicative of information stealers: