This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this bulletin or otherwise.

This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.

Description

Ten (10) files were submitted to NCCIC for analysis.

Four (4) files are malicious applications, obfuscated using a file encryption tool called Themida. When executed on a computer running Windows, the malware unpacks a payload that is loaded directly into the memory of the compromised system.

Once installed, this malware modifies the Windows Firewall to allow incoming connections and installs a proxy server application. In addition, the malware has the ability to exfiltrate data, install and run secondary payloads, and provide proxy capabilities on a compromised system.

Two (2) files are command-line utility applications. Three (3) files are applications designed to provide export functions and methods that allow the application to interact with financial systems and perform transactions. One (1) file is a log file.

Two (2) additional samples in the report include unpacked files contained within the following samples:

820ca1903a30516263d630c7c08f2b95f7b65dffceb21129c51c9e21cf9551c6 and 4a740227eeb82c20286d9c112ef95f0c1380d0e90ffb39fc75c8456db4f60756

For a downloadable copy of IOCs, see:

• MAR-1021537.stix

Submitted Files (10)

10ac312c8dd02e417dd24d53c99525c29d74dcbc84730351ad7a4e0a4b1a0eba (Lost_File.so)

3a5ba44f140821849de2d82d5a137c3bb5a736130dddb86b296d94e6b421594c (Lost_File1_so_file)

4a740227eeb82c20286d9c112ef95f0c1380d0e90ffb39fc75c8456db4f60756 (4f67f3e4a7509af1b2b1c6180a03b3...)

820ca1903a30516263d630c7c08f2b95f7b65dffceb21129c51c9e21cf9551c6 (5cfa1c2cb430bec721063e3e2d144f...)

a9bc09a17d55fc790568ac864e3885434a43c33834551e027adb1896a463aafc (8efaabb7b1700686efedadb7949eba...)

ab88f12f0a30b4601dc26dbae57646efb77d5c6382fb25522c529437e5428629 (d0a8e0b685c2ea775a74389973fc92...)

ca9ab48d293cc84092e8db8f0ca99cb155b30c61d32a1da7cd3687de454fe86c (2.so)

d465637518024262c063f4a82d799a4e40ff3381014972f24ea18bc23c3b27ee (Injection_API_executable_e)

e03dc5f1447f243cf1f305c58d95000ef4e7dbcc5c4e91154daa5acd83fea9a8 (Injection_API_log_generating_s...)

f3e521996c85c0cdb2bfb3a0fd91eb03e25ba6feef2ba3a1da844f1b17278dd2 (inject_api)

Additional Files (2)

1f2cd2bc23556fb84a51467fedb89cbde7a5883f49e3cfd75a241a6f08a42d6d (Unpacked_dump_4a740227eeb82c20...)

9ddacbcd0700dc4b9babcd09ac1cebe23a0035099cb612e6c85ff4dffd087a26 (Unpacked_dump_820ca1903a305162...)

IPs (1)

75.99.63.27

820ca1903a30516263d630c7c08f2b95f7b65dffceb21129c51c9e21cf9551c6

Tags

backdoortrojan

Details

Antivirus

Yara Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Process List

Description

This application is a Themida-packed 32-bit Windows executable. This application unpacks and executes a service proxy module in memory (5c0a4f9e67ced69eaea17092444b2c1a).

Analysis indicates that this proxy module accepts command-line parameters to perform its functions. The module modifies the Windows Firewall on the victim’s machine to allow for incoming connections and to force the compromised system to function as a proxy server.

The proxy module uses the following command to open a Windows Firewall port on the victim’s machine to allow for incoming connections:

--Begin firewall modification--
"netsh firewall add portopening TCP <port> RPCServer"
--End firewall modification--

The malware listens to an open port for incoming traffic. The traffic may contain instructions to perform any of the following functions:

-Retrieve information about the logon sessions, drives installed, and operating system
-Search for files
-Execute processes
-Terminate processes
-Delete files
-Execute commands
-Download and upload files
-Read files
-Write files
-Compress and decompress files

This malware uses the multi-protocol file transfer library "libcurl 7.49.1" for transferring data with a URL syntax. It supports the following network protocols:

-POP3
-SMTP
-IMAP
-LDAP
-DICT
-FTP
-HTTP
-HTTPS

9ddacbcd0700dc4b9babcd09ac1cebe23a0035099cb612e6c85ff4dffd087a26

Tags

trojan

Details

Antivirus

Yara Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Description

This file is the unpacked version of 820ca1903a30516263d630c7c08f2b95f7b65dffceb21129c51c9e21cf9551c6.

Displayed below are strings of interest for this unpacked proxy module:

--Begin strings of interest--
http
libcurl/7.49.1
%s:%d
%255[^:]:%d:%255s
%255[^:]:%d
<no protocol>
%I64u-
ALL_PROXY
all_proxy
http_proxy
_proxy
NO_PROXY
no_proxy
%s://%s%s%s:%hu%s%s%s
;type=%c
[%*45[0123456789abcdefABCDEF:.]%c
ftp@example.com
anonymous
%s%s%s
User-Agent: %s
Set-Cookie:
RELOAD
FLUSH
SESS
identity
socks
socks4
socks4a
socks5
socks5h
pop3
POP3.
smtp
SMTP.
IMAP
IMAP.
LDAP
LDAP.
DICT
DICT.
FTP.
/?]%[^
%15[^
:]://%[^
/?]%[^
file
%15[^:]:%[^
%s://%s
FALSE
TRUE
#HttpOnly_
expires
max-age
version
domain
path
httponly
secure
%1023[^;
=] =%4999[^;
%s%s%s
%I64d
unknown
# Fatal libcurl error
# Netscape HTTP Cookie File
# https://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.
none
[%s %s %s]
from
Header
Data
host!
0123456789abcdefghijklmnopqrstuvwxyz
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
(nil)
(nil)
.%ld
0123456789
%d.%d.%d.%d
HTTP
%sAuthorization: Basic %s
Proxy-
%s:%s
Basic
Authorization:
Proxy-authorization:
Digest
NTLM
HTTP/
Expect: 100-continue
100-continue
Expect:
Connection
Content-Length
Content-Type:
Host:
If-Modified-Since: %s
If-Unmodified-Since: %s
Last-Modified: %s
%s, %02d %s %4d %02d:%02d:%02d GMT
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Content-Length: %I64d
Content-Length:
%s%s
%s%s=%s
Cookie:
%s HTTP/%s
%s%s%s%s%s%s%s%s%s%s
ftp://%s:%s@%s
Content-Range: bytes %s/%I64d
Content-Range: bytes %s%I64d/%I64d
Content-Range: bytes 0-%I64d/%I64d
Content-Range:
Range: bytes=%s
Range:
Host: %s%s%s:%hu
Host: %s%s%s
Accept: */*
Accept:
;type=
ftp://
Transfer-Encoding: chunked
chunked
Transfer-Encoding:
Accept-Encoding: %s
Accept-Encoding:
Cookie:
Referer: %s
Referer:
User-Agent:
POST
HEAD
Location:
Proxy-authenticate:
WWW-Authenticate:
Last-Modified:
Content-Encoding:
x-gzip
gzip
deflate
Connection:
close
Proxy-Connection:
keep-alive
Server:
RTSP/%d.%d %3d
HTTP %3d
HTTP/%d.%d %d
%hu.%hu.%hu.%hu
HTTP/1.%d %d
CONNECT %s HTTP/%s
%s%s%s
Host: %s
%s%s%s:%hu
CONNECT
%s:%hu
default
machine
password
login
_netrc
HOME
c%c==
%c%c%c=
%c%c%c%c
application/xml
.xml
text/html
.html
text/plain
.txt
.jpeg
image/jpeg
.jpg
image/gif
.gif
; filename="%s"
------------------------%08x%08x
--%s--
--%s--
Content-Type: %s
--%s
Content-Disposition: attachment
Content-Type: multipart/mixed; boundary=%s
Content-Disposition: form-data; name="
--%s
%s; boundary=%s
Content-Type: multipart/form-data
Out of memory
Bad content-encoding found
Write error
Malformed encoding found
Illegal or missing hexadecimal sequence
Too long hexadecimal number
%02x
auth-int
auth
%08x%08x%08x%08x
%s, algorithm="%s"
%s, opaque="%s"
username="%s", realm="%s", nonce="%s", uri="%s", response="%s"
username="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=%08x, qop=%s, response="%s"
%s:%s:%08x:%s:%s:%s
d41d8cd98f00b204e9800998ecf8427e
%s:%s:%s
MD5-sess
algorithm
opaque
realm
true
stale
nonce
NTLMSSP
NTLMSSP%c
%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%s%s
NTLMSSP%c
%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c
%c%c%c%c%c%c%c%c
KGS!@#$%
%c%c%c%c
out of memory
1.2.8
internal error: deflate stream corrupt
requested length does not fit in int
deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler
1.2.8
--End strings of interest--

4a740227eeb82c20286d9c112ef95f0c1380d0e90ffb39fc75c8456db4f60756

Tags

backdoortrojan

Details

Antivirus

Yara Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Process List

Description

This application is a Themida--packed 64-bit Windows executable. This application unpacks and executes a service proxy module in memory (02959903cd988443e5ef519d556b34b0).

Analysis indicates that this proxy module accepts command-line parameters to perform its functions. The module modifies the Windows Firewall on the victim’s machine to allow for incoming connections and forces the compromised system to function as a proxy server.

The proxy module uses the following command to open a Windows Firewall port on the victim’s machine to allow for incoming connections:

--Begin firewall modification--
"netsh firewall add portopening TCP <port> RPCServer"
--End firewall modification--

The malware listens to an open port for incoming traffic. The traffic may contain instructions to perform any of the following functions:

-Retrieve information about the logon sessions, drives installed, and operating system
-Search for files
-Execute processes
-Terminate processes
-Delete files
-Execute commands
-Download and upload files
-Read files
-Write files
-Compress and decompress files

This malware used the multi-protocol file transfer library "libcurl 7.49.1" for transferring data with a URL syntax. It supports the following network protocols:

-POP3
-SMTP
-IMAP
-LDAP
-DICT
-FTP
-HTTP
-HTTPS

1f2cd2bc23556fb84a51467fedb89cbde7a5883f49e3cfd75a241a6f08a42d6d

Tags

trojan

Details

Antivirus

Yara Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Description

This file is the unpacked version of 4a740227eeb82c20286d9c112ef95f0c1380d0e90ffb39fc75c8456db4f60756.

Displayed below are strings of interest for this unpacked proxy module:

--Begin strings of interest--
http
libcurl/7.49.1
%s:%d
%255[^:]:%d:%255s
%255[^:]:%d
<no protocol>
%I64u-
ALL_PROXY
all_proxy
http_proxy
_proxy
NO_PROXY
no_proxy
%s://%s%s%s:%hu%s%s%s
;type=%c
[%*45[0123456789abcdefABCDEF:.]%c
ftp@example.com
anonymous
%s%s%s
User-Agent: %s
Set-Cookie:
RELOAD
FLUSH
SESS
identity
socks
socks4
socks4a
socks5
socks5h
pop3
POP3.
smtp
SMTP.
IMAP
IMAP.
LDAP
LDAP.
DICT
DICT.
FTP.
/?]%[^
%15[^
:]://%[^
/?]%[^
file
%15[^:]:%[^
%s://%s
FALSE
TRUE
#HttpOnly_
expires
max-age
version
domain
path
httponly
secure
%1023[^;
=] =%4999[^;
%s%s%s
%I64d
unknown
# Fatal libcurl error
# Netscape HTTP Cookie File
# https://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.
none
[%s %s %s]
from
Header
Data
host!
0123456789abcdefghijklmnopqrstuvwxyz
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
(nil)
(nil)
.%ld
0123456789
%d.%d.%d.%d
HTTP
%sAuthorization: Basic %s
Proxy-
%s:%s
Basic
Authorization:
Proxy-authorization:
Digest
NTLM
HTTP/
Expect: 100-continue
100-continue
Expect:
Connection
Content-Length
Content-Type:
Host:
If-Modified-Since: %s
If-Unmodified-Since: %s
Last-Modified: %s
%s, %02d %s %4d %02d:%02d:%02d GMT
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Content-Length: %I64d
Content-Length:
%s%s
%s%s=%s
Cookie:
%s HTTP/%s
%s%s%s%s%s%s%s%s%s%s
ftp://%s:%s@%s
Content-Range: bytes %s/%I64d
Content-Range: bytes %s%I64d/%I64d
Content-Range: bytes 0-%I64d/%I64d
Content-Range:
Range: bytes=%s
Range:
Host: %s%s%s:%hu
Host: %s%s%s
Accept: */*
Accept:
;type=
ftp://
Transfer-Encoding: chunked
chunked
Transfer-Encoding:
Accept-Encoding: %s
Accept-Encoding:
Cookie:
Referer: %s
Referer:
User-Agent:
POST
HEAD
Location:
Proxy-authenticate:
WWW-Authenticate:
Last-Modified:
Content-Encoding:
x-gzip
gzip
deflate
Connection:
close
Proxy-Connection:
keep-alive
Server:
RTSP/%d.%d %3d
HTTP %3d
HTTP/%d.%d %d
%hu.%hu.%hu.%hu
HTTP/1.%d %d
CONNECT %s HTTP/%s
%s%s%s
Host: %s
%s%s%s:%hu
CONNECT
%s:%hu
default
machine
password
login
_netrc
HOME
c%c==
%c%c%c=
%c%c%c%c
application/xml
.xml
text/html
.html
text/plain
.txt
.jpeg
image/jpeg
.jpg
image/gif
.gif
; filename="%s"
------------------------%08x%08x
--%s--
--%s--
Content-Type: %s
--%s
Content-Disposition: attachment
Content-Type: multipart/mixed; boundary=%s
Content-Disposition: form-data; name="
--%s
%s; boundary=%s
Content-Type: multipart/form-data
Out of memory
Bad content-encoding found
Write error
Malformed encoding found
Illegal or missing hexadecimal sequence
Too long hexadecimal number
%02x
auth-int
auth
%08x%08x%08x%08x
%s, algorithm="%s"
%s, opaque="%s"
username="%s", realm="%s", nonce="%s", uri="%s", response="%s"
username="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=%08x, qop=%s, response="%s"
%s:%s:%08x:%s:%s:%s
d41d8cd98f00b204e9800998ecf8427e
%s:%s:%s
MD5-sess
algorithm
opaque
realm
true
stale
nonce
NTLMSSP
NTLMSSP%c
%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%s%s
NTLMSSP%c
%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c
%c%c%c%c%c%c%c%c
KGS!@#$%
%c%c%c%c
out of memory
1.2.8
internal error: deflate stream corrupt
requested length does not fit in int
deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler
1.2.8
--End strings of interest--

ab88f12f0a30b4601dc26dbae57646efb77d5c6382fb25522c529437e5428629

Tags

trojan

Details

Antivirus

Yara Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Packers/Compilers/Cryptors

Process List

Relationships

Description

This application is a 32-bit Windows executable. This application executes as a service named "helpsvcs." The application utilizes the Rivest Cipher 4 (RC4) encryption algorithm to encrypt configuration data. It stores a four-byte unique identifier, RC4 key, and the encrypted configuration data in the following registry:

--Begin registry key--
hKey = HKEY_LOCAL_MACHINE
Subkey = "SYSTEM\CurrentControlSet\Services\Security" ValueName = "Data1"
ValueData = "Encrypted configuration data"

hKey = HKEY_LOCAL_MACHINE
Subkey = "SYSTEM\CurrentControlSet\Services\PVS\Security" ValueName = "Data1"
ValueData = "Encrypted configuration data"
--End registry key--

Displayed below is the RC4 key for encrypting and decrypting the configuration data:

--Begin RC4 key--
11 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00

--End RC4 key--

Displayed below is the hard-coded configuration data, which contains command and control (C2) information:

--Begin hard-coded configuration data--
FF 04 00 02 00 00 00 04 FF 08 00 00 4B 63 3F 1B    ===> 75.99.63.27
00 00 00 00 FF 02 00 01 BB 01 FF 04 00 04 00 00    ===> port 443
00 00 FF 04 00 03 3C 00 00 00 FF 04 00 05 00 00
00 00 FF 04 00 08 01 00 00 00 FF 04 00 06 00 00
00 00 FF 00 00 09 00 FF 00 00 0A 00 FF 00 00 0B
00 FF 00 00 0C 00 FF 00 00 0D 00 FF 00 00 0E 00
FF 04 00 07 00 00 00 00 FD
--End hard-coded configuration data--

Displayed below is the data stored in the registry to include the four byte unique identifier, RC4 key, and the encrypted configuration data:

--Begin configuration data--
10 00 20 00    ==> four bytes data (unique identifier)
11 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ===> RC4 key
FF 04 00 02 00 00 00 04 FF 08 00 00 4B 63 3F 1B    ===> configuration
00 00 00 00 FF 02 00 01 BB 01 FF 04 00 04 00 00
00 00 FF 04 00 03 3C 00 00 00 FF 04 00 05 00 00
00 00 FF 04 00 08 01 00 00 00 FF 04 00 06 00 00
00 00 FF 00 00 09 00 FF 00 00 0A 00 FF 00 00 0B
00 FF 00 00 0C 00 FF 00 00 0D 00 FF 00 00 0E 00
FF 04 00 07 00 00 00 00 FD
--End configuration data--

The malware encrypts a payload from the remote operator using the following hard-coded RC4 key:

--Begin hard-coded RC4 key--
53 87 F2 11 30 3D B5 52 AD C8 28 09 E0 52 60 D0 6C C5 68 E2 70 77 3C 8F 12 C0 7B 13 D7 B3 9F 7C
--End hard-coded RC4 key--

The encrypted payload is installed into the following registry key:

--Begin registry key--
hKey = HKEY_LOCAL_MACHINE
Subkey = "SYSTEM\CurrentControlSet\Services\Security" ValueName = "Data0"
ValueData = "Encrypted payload"
--End registry key--

The malware uses the following command to open the Windows Firewall port on the victim’s machine to allow incoming connections:

--Begin firewall modification--
"netsh firewall add portopening TCP 443 "Windows Firewall Remote Management""
--End firewall modification--

The malware binds and listens on port 443 for incoming connections from a remote operator. No outbound connection was observed. Static analysis indicates that the malware is capable of providing remote command and control (C2) capabilities, including the ability to exfiltrate data, install and run secondary payloads, and provide proxy services on a compromised system. The malware utilizes the RC4 encryption algorithm to encrypt and decrypt a portion of its communications data to and from the remote operator.

Listed below are the types of data exfiltrated by the malware:

-    network adapter information
-    computer name
-    username
-    systems Internet Protocol (IP) address
-    hard-coded value (00 00 00 04h)
-    current directory of the malware

-    %Current directory%\malware.exe
-    hard-coded value (01h)
-    hard-coded value "PVS"
-    the victim's operating system information
-    installed drives information
-    the current system time

Displayed below are additional functions the malware performs based on specified commands from the remote operator:

-Retrieve information drives installed
-Search for files
-Execute processes
-Terminate processes
-Delete files
-Execute commands
-Download and upload files
-Read files
-Write files
-Compress and uncompress files
-Change the listening port for Remote Desktop via registry modification

a9bc09a17d55fc790568ac864e3885434a43c33834551e027adb1896a463aafc

Tags

trojan

Details

Antivirus

Yara Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Process List

Description

This application is a malicious 64-bit Windows Dynamic Link Library (DLL), designed to run as a Windows service under Windows "svchost.exe." When executed, it searches and attempts to load and RC4-decrypt a payload from the following registry into memory:

--Begin registry key--
hKey = HKEY_LOCAL_MACHINE
Subkey = "SYSTEM\CurrentControlSet\Services\Security" ValueName = "Data0"

hKey = HKEY_LOCAL_MACHINE
Subkey = "SYSTEM\CurrentControlSet\Services\Security" ValueName = "Data2"
--End registry key--

The binary that installs the encrypted payload in the registry was not available for analysis.

75.99.63.27

Ports

• 443 TCP

Whois

Domain Name: optonline.net
Registry Domain ID: 4531660_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2016-06-08T16:38:21Z
Creation Date: 1996-10-07T04:00:00Z
Registrar Registration Expiration Date: 2018-10-06T04:00:00Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Registrant Organization: Cablevision Systems Corporation
Registrant State/Province: New York
Registrant Country: US
Name Server: AUTHNS1.CV.NET
Name Server: AUTHNS1.CVNET.COM
DNSSEC: signedDelegation
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2018-05-22T21:00:00Z <<<

Relationships

d465637518024262c063f4a82d799a4e40ff3381014972f24ea18bc23c3b27ee

Details

Antivirus

No matches found.

Yara Rules

No matches found.

ssdeep Matches

No matches found.

Process List

Relationships

Description

This file is an Advanced Interactive Executive (AIX) executable intended for a proprietary UNIX operating system developed by IBM. This application injects a library into a currently running process. Figure 1 is a screenshot containing strings of interest. The strings indicate the application is a command-line utility that enables an operator to easily conduct code injection on an IBM AIX platform. Analysis indicates this application logs its usage to a log file (Figure 2).

Screenshots

3a5ba44f140821849de2d82d5a137c3bb5a736130dddb86b296d94e6b421594c

Details

Antivirus

No matches found.

Yara Rules

No matches found.

ssdeep Matches

No matches found.

Process List

Description

This file is an AIX executable, intended for a proprietary UNIX operating system developed by IBM. This file is a library application designed to provide export functions. These functions allow an application to perform transactions on financial systems using the ISO8583 standard. A list of the ISO8583 functions is displayed in Figure 3 and Figure 4.

Screenshots

e03dc5f1447f243cf1f305c58d95000ef4e7dbcc5c4e91154daa5acd83fea9a8

Details

Antivirus

No matches found.

Yara Rules

No matches found.

ssdeep Matches

No matches found.

Process List

Relationships

Description

The file appears to be a log file generated by the usage of the application Inject API executable_e (b3efec620885e6cf5b60f72e66d908a9). The data contained in the log file is displayed in Figure 5, 6, and 7.

Screenshots

f3e521996c85c0cdb2bfb3a0fd91eb03e25ba6feef2ba3a1da844f1b17278dd2

Details

Antivirus

No matches found.

Yara Rules

No matches found.

ssdeep Matches

No matches found.

Process List

Description

This file is an AIX executable, intended for a proprietary UNIX operating system developed by IBM. Figure 8 displays strings of interest. The strings contained within the file indicate it is a command-line utility. The file is designed to update a proprietary data structure on a UNIX system known as "PVPA." The code structure in Figure 9, extracted from this application, attempts to perform a raw read of this data structure from memory.

Screenshots

ca9ab48d293cc84092e8db8f0ca99cb155b30c61d32a1da7cd3687de454fe86c

Details

Antivirus

No matches found.

Yara Rules

No matches found.

ssdeep Matches

No matches found.

Process List

Description

This file is an AIX executable, intended for a proprietary UNIX operating system developed by IBM. The application provides several exported methods permitting the interaction with financial systems that utilize the ISO8583 standard. A list of the ISO8583 functions is displayed in Figure 10 and Figure 11. This file is not considered malicious, but may have been used by actors for malicious purposes.

Screenshots

10ac312c8dd02e417dd24d53c99525c29d74dcbc84730351ad7a4e0a4b1a0eba

Details

Antivirus

No matches found.

Yara Rules

No matches found.

ssdeep Matches

No matches found.

Process List

Description

This file is a UNIX Common Object File Format (COFF) executable, a format for executable, object code, and shared libraries used on UNIX systems. The executable provides several exported methods that enable interactions with financial systems utilizing the ISO8583 standard. This file is not considered malicious but may have been used by actors for malicious purposes.

NCCIC would like to remind users and administrators to consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

• Maintain up-to-date antivirus signatures and engines.
• Keep operating system patches up-to-date.
• Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
• Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
• Enforce a strong password policy and implement regular password changes.
• Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
• Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
• Disable unnecessary services on agency workstations and servers.
• Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
• Monitor users' web browsing habits; restrict access to sites with unfavorable content.
• Exercise caution when using removable media (e.g., USB thumbdrives, external drives, CDs, etc.).
• Scan all software downloaded from the Internet prior to executing.
• Maintain situational awareness of the latest threats and implement appropriate ACLs.

Additional information on malware incident prevention and handling can be found in NIST's Special Publication 800-83, Guide to Malware Incident Prevention & Handling for Desktops and Laptops.

• 1-888-282-0870
• NCCICCustomerService@us-cert.gov (UNCLASS)
• us-cert@dhs.sgov.gov (SIPRNET)
• us-cert@dhs.ic.gov (JWICS)

NCCIC continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.gov/forms/feedback/

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact NCCIC and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the NCCIC at 1-888-282-0870 or soc@us-cert.gov.

Can I submit malware to NCCIC? Malware samples can be submitted via three methods:

• Web: https://malware.us-cert.gov
• E-Mail: submit@malware.us-cert.gov
• FTP: ftp.malware.us-cert.gov (anonymous)

NCCIC encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on US-CERT's homepage at www.us-cert.gov.