Upload File

summary network info - udurrani · 2018-11-22 · resume and job application.exe. main executable,...

  • Home
  • Documents
  • Summary Network Info - UDURRANI · 2018-11-22 · Resume and Job Application.exe. MAIN EXECUTABLE, FILENAME(S) VIRUSTOTAL. Title: azrult Created Date: 11/22/2018 9:42:08 AM
5
<LogonTrigger> <Enabled>true</Enabled> <UserId>WIN-RN4A1D7IM6L\foo</UserId> </LogonTrigger> <RegistrationTrigger> <Enabled>false</Enabled> </RegistrationTrigger> </Triggers> <Principals> <Principal id="Author"> <UserId>WIN-RN4A1D7IM6L\foo</UserId> <LogonType>InteractiveToken</LogonType> <RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT0S</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec> <Command>C:\Windows\debug\WIA\VKZmJfrhdoVY.exe</Command> </Exec> </Actions> </Task> - Payload is initiated (Runs as snier_gpu by adobe) - Payload schedules a task by feeding an XML file (Task is called Updates) - Creates 2fda folder and drops DLL’s - Scheduled task runs an executable saved in c:\windows\WIA folder - Payload spawns itself as suspended process and hollows the memory - Second stage talks to the C2 server - Data & credential theft - Ransomware activity in some cases Scheduled task info Network Info Summary

Upload: others

Post on 28-Jun-2020

1 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Summary Network Info - UDURRANI · 2018-11-22 · Resume and Job Application.exe. MAIN EXECUTABLE, FILENAME(S) VIRUSTOTAL. Title: azrult Created Date: 11/22/2018 9:42:08 AM

<LogonTrigger> <Enabled>true</Enabled> <UserId>WIN-RN4A1D7IM6L\foo</UserId> </LogonTrigger> <RegistrationTrigger> <Enabled>false</Enabled> </RegistrationTrigger> </Triggers> <Principals> <Principal id="Author"> <UserId>WIN-RN4A1D7IM6L\foo</UserId> <LogonType>InteractiveToken</LogonType> <RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT0S</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec> <Command>C:\Windows\debug\WIA\VKZmJfrhdoVY.exe</Command> </Exec> </Actions> </Task>

- Payload is initiated (Runs as sniffer_gpu by adobe) - Payload schedules a task by feeding an XML file (Task is called Updates) - Creates 2fda folder and drops DLL’s - Scheduled task runs an executable saved in c:\windows\WIA folder - Payload spawns itself as suspended process and hollows the memory - Second stage talks to the C2 server - Data & credential theft - Ransomware activity in some cases

Scheduled task info

Network InfoSummary

Usman Durrani
Usman Durrani
Page 2: Summary Network Info - UDURRANI · 2018-11-22 · Resume and Job Application.exe. MAIN EXECUTABLE, FILENAME(S) VIRUSTOTAL. Title: azrult Created Date: 11/22/2018 9:42:08 AM

Dropped filesPayload Info

Network Info

Page 3: Summary Network Info - UDURRANI · 2018-11-22 · Resume and Job Application.exe. MAIN EXECUTABLE, FILENAME(S) VIRUSTOTAL. Title: azrult Created Date: 11/22/2018 9:42:08 AM

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKZmJfrhdoVY" /XML "C:\Users\foo\AppData\Local\Temp\tmpC486.tmp"

Schtasks eventually calls taskeng.exe

ProcessHollow

CreateProcessW ( "C:\Users\foo\Desktop\PAYLOAD.exe", ""C:\Users\foo\Desktop\PAYLOAD.exe"", NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, ... )

NtUnmapViewOfSection ( GetCurrentProcess(), (PVOID *)PointerToBaseAddress) VirtualAlloc ( Address, 1028096, MEM_COMMIT, PAGE_READWRITE ) WriteProcessMemory()

LoadLibraryExW ( "C:\Windows\SysWOW64\schtasks.exe", NULL, LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE )

IsHostInProxyBypassList ( INTERNET_SCHEME_HTTP, "tain.u8f3e5jq.ru", 16 )htons(80)

send (fd, 0x002a0058, 266, 0 )connect (fd, 0x004dea2c, 16 )

recv ( fd, 0x004de62c, 1024, 0 )

Bytes Sent

Bytes received

FLOW

timeout.exe 3 & del "PAYLOAD.exe"
wait 3 seconds and delete stage 1
Page 4: Summary Network Info - UDURRANI · 2018-11-22 · Resume and Job Application.exe. MAIN EXECUTABLE, FILENAME(S) VIRUSTOTAL. Title: azrult Created Date: 11/22/2018 9:42:08 AM

IOC

u8f3e5jq.rutain.u8f3e5jq.ru

053aed5d184be57c4bb8021973c03730 284B89F3B6ECC8279896F3DD76925416 (RAR)Dfbea762a80d62068c972a1a27f4cf4f (RAR)7814538a31c9d232d85f9511c19f709e (RAR)

Order # 30090 UAE_jpg.exe

Resume and Job Application.exeMAIN EXECUTABLE, FILENAME(S)

http://u8f3e5jq.ru
Page 5: Summary Network Info - UDURRANI · 2018-11-22 · Resume and Job Application.exe. MAIN EXECUTABLE, FILENAME(S) VIRUSTOTAL. Title: azrult Created Date: 11/22/2018 9:42:08 AM

VIRUSTOTAL


Metasploit Framework Executable Encoding

SpecFlow Executable Specifications

Executable UML (xUML)

Malware Analysis as a Hobby - OWASP · 22-11-2012  · • Cuckoo Sandbox • VirusTotal. A days work for a Cuckoo. DEMO: Submit sample for analysis. Sample Reporting Results are

Executable Architectures using Cuckoo Search Optimization ... › IMG › pdf › Executable... · [18]. Executable systems architectures are created using CPN models and their simulations

Anti-Executable Enterprise User Guide · Anti-Executable. Executable Any file that can be launched by the operating system. The executable files managed by Anti-Executable have the

Kermeta Executable Metamodeling Language

Executable Specifications in Action

Unix executable buffer overflow

Executable UML

Executable Music Documents

Executable Semantic Parsing

Chapter 2 - 1 Abstraction Concrete: directly executable/storable Abstract: not directly executable/storable –automatic translation (as good as executable/storable)

DPR301 demo Executable Requirements

Executable Specifications Agile Palooza

MDA with Executable UML

VirusTotal for Investigators - storage.googleapis.com · VirusTotal for Investigators Brandon Levene, Juan Infantes, Jose Martin, Julio Canto VirusTotal This session will demonstrate

Executable papers

Portable Executable Formats

Executable specifiaction

Matthew Executable (Student)

Executable Part

Executable and Translatable UML

idbi executable

Executable UML - Villanova Computer Science · Executable UML •xUML is an executable version of UML –clearly defined model structure –precise semantics for actions ... •MDA

Jelly: Executable XML

Executable Biology Tutorial

Macaroni: Integrate Yara sigs with VirusTotal Intelligence

vtapi3 - VirusTotal in Python

1 Software Development Using Executable UML (xUML) Anoop Mathew 11-22-2002

An Executable Packer

Anti Executable Standard Manual

Guía del usuario de Anti-Executable Standardfaronics.com/assets/assets/AES_Manual_S.pdf · Guía del usuario de Anti-Executable Standard | 5 Prólogo Faronics Anti-Executable es

2.1 Executable Architecture Research at Old Dominion ... · 2.1 Executable Architecture Research at Old Dominion University Executable Architecture Research at Old Dominion University

Executable model en