2017-04-05 - TERROR EK SENDS ANDROMEDA
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-04-05-Terror-EK-sends-Andromeda-both-pcaps.zip 708.1 kB (708,066 bytes)
- 2017-04-05-Terror-EK-sends-Andromeda-1st-run.pcap (258,216 bytes)
- 2017-04-05-Terror-EK-sends-Andromeda-2nd-run.pcap (572,869 bytes)
- 2017-04-05-Terror-EK-sends-Andromeda-malware-and-artifacts.zip 495.3 kB (495,293 bytes)
- 2017-04-04-Terror-EK-landing-page.txt (5,790 bytes)
- 2017-04-04-Terror-EK-more-HTML-part-1-of-3.txt (20,108 bytes)
- 2017-04-04-Terror-EK-more-HTML-part-2-of-3.txt (3,833 bytes)
- 2017-04-04-Terror-EK-more-HTML-part-3-of-3.txt (1,195 bytes)
- 2017-04-04-Terror-EK-payload-0x7vjvgc.exe (103,421 bytes)
- 2017-04-04-Terror-EK-payload-radEE66C.tmp.exe (103,421 bytes)
- 2017-04-05-Terror-EK-artifact-mxl3sfDs.tmp.txt (1,279 bytes)
- 2017-04-05-Terror-EK-artifact-zs3n.tmp.txt (1,151 bytes)
- 2017-04-05-file-from-compromised-site-leads-to-old-Terror-EK-landing-page-URL-custom.js.txt (560 bytes)
- Dendrite (41,137 bytes)
- KB00292189.exe (284,160 bytes)
- salsify.dll (45,056 bytes)
NOTES:
- Since it was discovered, Terror EK has been re-branded as Blaze EK (or possibly Nebula EK), but I'm calling it by its original name.
- The compromised website (info I cannot share) generated two URLs leading to Terror EK.
- The first URL came from obfuscated script in a file named custom.js. It led directly to an outdated Terror EK landing page that no longer works.
- The second URL led to a gate at uploadrobot[.]download that redirected to an updated Terror EK landing page that worked.
- I could not find the script that caused the second URL for the gate, but it was probably obfuscated like in custom.js.
- I accidentally filtered out traffic for the outdated Terror EK landing page in the 1st run pcap.
- The 2nd run has the outdated Terror EK landing page URL, and it also has follow-up malware not seen during the 1st run.
Shown above: Flow chart for the infection traffic.
TRAFFIC
Shown above: Traffic from the 1st run filtered in Wireshark.
Shown above: Traffic from the 2nd run filtered in Wireshark.
ASSOCIATED TRAFFIC:
- [info redacted] port 80 - [info redacted] - Compromised website
- 185.82.202[.]28 port 80 - uploadrobot[.]download - GET /frame.php [redirect to Terror EK]
- 159.203.15[.]85 port 80 - 159.203.15[.]85 - Terror EK
- 159.203.185[.]4 port 80 - 159.203.185[.]4 - Terror EK (old URL, 404 not found)
- 185.82.202[.]28 port 80 - blazingsupport[.]ws - POST /login/error/gate.php [post-infection traffic, possible Andromeda]
- [DNS = No such name] port 80 - optimizeme[.]in - POST /users/login/gate.php [post-infection traffic, possible Andromeda]
- 185.82.202[.]28 port 80 - uploadrobot[.]download - GET /uploads/d593j.exe [follow-up malware download]
- 204.145.94[.]115 port 80 - ofmyriseits[.]pw - POST /forum/logout.php [callback traffic from hybrid-analysis.com analysis of follow-up malware]
- 204.145.94[.]115 port 80 - ofmyriseits[.]pw - POST /forum/logout.php?page=93 [callback traffic from hybrid-analysis.com analysis of follow-up malware]
- iliksaewek[.]pw - another domain from hybrid-analysis.com analysis of follow-up malware
- itsmebecauseyoua[.]pw - another domain from hybrid-analysis.com analysis of follow-up malware
- newsofmyru[.]pw - another domain from hybrid-analysis.com analysis of follow-up malware
- youaresobuti[.]pw - another domain from hybrid-analysis.com analysis of follow-up malware
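The traffic list above is what you would turn into detection content. Below is an added example (not code from the original post) that matches both the literal indicators from that list and the behaviours behind them: a POST to a gate.php check-in, an EXE fetched from /uploads/, an HTTP Host header that is a bare IP (both Terror EK landing pages here are served by IP), and a known domain that comes back NXDOMAIN the way optimizeme[.]in did. The tab-separated log layout, the client address 10.4.5.101, the benign destination 203.0.113.10, and the "/" landing-page URI are all constructed for the example; the real landing-page URI is not given on this page.

```python
"""IOC and behaviour matcher for the Terror EK -> Andromeda traffic listed above.

Added example; not code from the original post. Indicators are copied from the
ASSOCIATED TRAFFIC list (defanging removed). Log lines are constructed; the
tab-separated layout (ts, src, dst, method, host, uri) for HTTP and
(ts, src, query, rcode) for DNS is an assumption, not an export from the pcaps.
"""
import re
from collections import namedtuple

Hit = namedtuple("Hit", "line reason")

KNOWN_HOSTS = {
    "uploadrobot.download": "Terror EK gate and follow-up malware host",
    "159.203.15.85": "Terror EK landing page",
    "159.203.185.4": "old Terror EK landing page (404)",
    "blazingsupport.ws": "post-infection gate.php (possible Andromeda)",
    "optimizeme.in": "post-infection gate.php (possible Andromeda)",
    "ofmyriseits.pw": "follow-up malware callback",
    "iliksaewek.pw": "follow-up malware domain",
    "itsmebecauseyoua.pw": "follow-up malware domain",
    "newsofmyru.pw": "follow-up malware domain",
    "youaresobuti.pw": "follow-up malware domain",
}

# Behavioural checks that survive a change of C2 host.
GATE_POST = re.compile(r"/gate\.php(\?|$)")                   # Andromeda-style check-in
EXE_FROM_UPLOADS = re.compile(r"/uploads/[^/]+\.exe$", re.I)  # payload fetch seen in 2nd run
BARE_IP = re.compile(r"\d{1,3}(\.\d{1,3}){3}$")               # landing pages served by IP

def parse_http(line):
    ts, src, dst, method, host, uri = line.rstrip("\n").split("\t")
    return {"ts": ts, "src": src, "dst": dst, "method": method.upper(),
            "host": host.lower().rstrip("."), "uri": uri}

def classify_http(rec):
    """Reasons one request is suspicious; an empty list means nothing matched."""
    reasons = []
    if rec["host"] in KNOWN_HOSTS:
        reasons.append("known IOC: " + KNOWN_HOSTS[rec["host"]])
    if rec["method"] == "POST" and GATE_POST.search(rec["uri"]):
        reasons.append("POST to gate.php")
    if rec["method"] == "GET" and EXE_FROM_UPLOADS.search(rec["uri"]):
        reasons.append("EXE download from /uploads/")
    if rec["method"] == "GET" and BARE_IP.match(rec["host"]):
        reasons.append("Host header is a bare IP address")
    return reasons

def scan_http(lines):
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        for reason in classify_http(parse_http(line)):
            hits.append(Hit(line.strip(), reason))
    return hits

def scan_dns(lines):
    """A known domain that fails to resolve (as optimizeme[.]in did) is still a hit:
    the host attempted the callback even though no HTTP request ever left."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, query, rcode = line.rstrip("\n").split("\t")
        q = query.lower().rstrip(".")
        if q in KNOWN_HOSTS:
            reason = "known IOC: " + KNOWN_HOSTS[q]
            if rcode == "NXDOMAIN":
                reason += " (NXDOMAIN: callback attempted, C2 no longer resolves)"
            hits.append(Hit(line.strip(), reason))
    return hits

# Constructed sample logs modelled on the traffic list above (not real pcap output).
# The landing-page URI is not given on this page, so "/" stands in for it.
SAMPLE_HTTP = """\
1491350000.1\t10.4.5.101\t185.82.202.28\tGET\tuploadrobot.download\t/frame.php
1491350001.2\t10.4.5.101\t159.203.15.85\tGET\t159.203.15.85\t/
1491350009.7\t10.4.5.101\t185.82.202.28\tPOST\tblazingsupport.ws\t/login/error/gate.php
1491350015.3\t10.4.5.101\t185.82.202.28\tGET\tuploadrobot.download\t/uploads/d593j.exe
1491350020.0\t10.4.5.101\t204.145.94.115\tPOST\tofmyriseits.pw\t/forum/logout.php?page=93
1491350030.0\t10.4.5.101\t203.0.113.10\tGET\twww.example.com\t/index.html
"""
SAMPLE_DNS = """\
1491350008.0\t10.4.5.101\toptimizeme.in\tNXDOMAIN
1491350029.0\t10.4.5.101\twww.example.com\tNOERROR
"""

if __name__ == "__main__":
    for h in scan_http(SAMPLE_HTTP.splitlines()) + scan_dns(SAMPLE_DNS.splitlines()):
        print(f"{h.reason:60s} {h.line}")
```

The behavioural checks are the part worth keeping after the listed hosts go dark: the gate.php POST and the EXE-from-/uploads/ pattern both recur across campaigns, while the domain list is only good for the handful of days these hosts stay up.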
MALWARE AND ARTIFACTS
ARTIFACTS FROM THE INFECTED WINDOWS HOST:
- C:\Users\[username]\AppData\Local\Temp\zs3n.tmp (2 kB)
- C:\Users\[username]\AppData\Local\Temp\mxl3sfDs.tmp (2 kB)
- C:\Users\[username]\AppData\Local\Temp\Dendrite (41 kB)
- C:\Users\[username]\AppData\Local\Temp\salsify.dll (44 kB)
- C:\Users\[username]\AppData\Local\Temp\nsaECF.tmp\System.dll (11 kB)
- C:\Users\[username]\AppData\Local\Temp\nsvE936.tmp\System.dll (11 kB)
- C:\Users\[username]\AppData\Local\Temp\0x7vjvgc.exe [Terror EK payload]
- C:\Users\[username]\AppData\Local\Temp\radEE66C.tmp.exe [Terror EK payload]
- C:\Users\[username]\AppData\Local\Temp\KB00292189.exe [follow-up malware]
- C:\ProgramData\msihmrfda.exe [Terror EK payload made persistent on the infected host]
- C:\ProgramData\mscnxsbh.exe [Terror EK payload made persistent on the infected host]
WINDOWS REGISTRY ENTRIES CREATED FOR PERSISTENCE:
- Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- Value name: 1923045772 -- Type: REG_SZ -- Data: C:\PROGRA~2\msihmrfda.exe
- Value name: 926712072 -- Type: REG_SZ -- Data: C:\PROGRA~2\mscnxsbh.exe
OTHER EXAMPLES OF THE EK PAYLOAD PERSISTENT ON AN INFECTED HOST:
- C:\ProgramData\mscnxsbh.exe
- C:\ProgramData\msdgjn.exe
- C:\ProgramData\msdowz.exe
- C:\ProgramData\msmuov.exe
- C:\ProgramData\mssuinjng.exe
- C:\ProgramData\msumrbshs.exe
- C:\ProgramData\mswucad.exe
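The registry entries above have three traits that are easy to check for on other hosts: an all-digit value name, an 8.3 short path to the image, and an image name of the form ms + a few lowercase letters + .exe (every name in the list above fits). Below is an added triage example (not code from the original post) that scores Policies\Explorer\Run values on those traits. No single trait is enough on its own (the name pattern also matches msiexec.exe, for instance), so a value is only flagged when at least two line up. The sample values are constructed from this page's listing plus one hypothetical benign entry, ContosoAgent, so the filter has something to pass.

```python
"""Triage of the Policies\\Explorer\\Run persistence values listed above.

Added example, not code from the original post. The entries are constructed
from the registry values on this page plus one hypothetical benign value; on
a live Windows host the same (name, type, data) tuples would come from
winreg.EnumValue on the key below.
"""
import re
from typing import List, Tuple

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"

# Traits of the persistence seen on this page. Each one alone is weak
# (ms[a-z]+.exe also matches msiexec.exe), so a value is flagged only
# when MIN_SIGNALS or more of them line up.
NUMERIC_NAME = re.compile(r"^\d+$")                      # 1923045772, 926712072
SHORT_PATH = re.compile(r"\\[A-Z0-9]{1,6}~\d+\\", re.I)  # 8.3 form such as C:\PROGRA~2\
EK_IMAGE = re.compile(r"^ms[a-z]{4,8}\.exe$", re.I)      # msihmrfda.exe, mscnxsbh.exe, msdgjn.exe ...
MIN_SIGNALS = 2

def reasons_for(name: str, rtype: str, data: str) -> List[str]:
    """Reasons a single Run value resembles the EK payload persistence."""
    image = data.strip('"').rsplit("\\", 1)[-1]
    reasons = []
    if NUMERIC_NAME.match(name):
        reasons.append("value name is an all-digit string")
    if SHORT_PATH.search(data):
        reasons.append("image path uses an 8.3 short name")
    if EK_IMAGE.match(image):
        reasons.append("image name matches ms[a-z]+.exe")
    return reasons

def triage(values: List[Tuple[str, str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Return (name, data, reasons) for every value with MIN_SIGNALS or more signals."""
    flagged = []
    for name, rtype, data in values:
        r = reasons_for(name, rtype, data)
        if len(r) >= MIN_SIGNALS:
            flagged.append((name, data, r))
    return flagged

# Constructed from the page's registry listing; the third entry is hypothetical.
SAMPLE_VALUES = [
    ("1923045772", "REG_SZ", r"C:\PROGRA~2\msihmrfda.exe"),
    ("926712072", "REG_SZ", r"C:\PROGRA~2\mscnxsbh.exe"),
    ("ContosoAgent", "REG_SZ", r"C:\Program Files\Contoso\agent.exe"),
]

if __name__ == "__main__":
    print("Key:", RUN_KEY)
    for name, data, r in triage(SAMPLE_VALUES):
        print(f"  {name} -> {data}")
        for why in r:
            print("     -", why)
```

Policies\Explorer\Run is rarely populated outside of Group Policy, so on most hosts anything in it deserves a look regardless of score; the scoring is there to prioritise when you sweep many machines at once.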
MALWARE FROM THE INFECTED HOST:
- SHA256 hash: 439dcf71d13631af7c0e605216699d379808ad156988fc3bbcd35569e68ff42b
File location: C:\Users\[username]\AppData\Local\Temp\0x7vjvgc.exe
File location: C:\Users\[username]\AppData\Local\Temp\radEE66C.tmp.exe
File location: C:\ProgramData\mscnxsbh.exe
File location: C:\ProgramData\msihmrfda.exe
File description: Terror EK payload - possible Andromeda
- SHA256 hash: 1481fc8e076871833bedd9f39e2c9767a635fb820d4ffe8673b12d67e1094ccd
File location: C:\Users\[username]\AppData\Local\Temp\KB00292189.exe
File description: Follow-up malware from 2nd run infection
hybrid-analysis.com analysis of this follow-up malware: link
IMAGES
Shown above: Some alerts on the 1st run pcap from the Emerging Threats Pro (ETPRO) ruleset using Sguil on Security Onion.
Shown above: Entries in the Windows registry making the EK payload persistent after a reboot.
Shown above: A quick way to see what traffic is generated to a domain that doesn't resolve in DNS. Edit the Windows hosts file at
C:\Windows\System32\drivers\etc\hosts to resolve the domain to an actual IP address (the file needs an elevated editor, and running ipconfig /flushdns afterwards clears any cached "no such name" answer).
Click here to return to the main page.