paulroyal's blog

Scalable, Automated Baremetal Malware Analysis

This week I will be presenting on scalable, automated baremetal malware analysis at Black Hat Europe. My presentation will coincide with the release of NVMTrace, a tool that facilitates automated baremetal sample processing using inexpensive hardware and freely available technologies. More information is available at the following link:

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis

If you are attending Black Hat Europe and malware analysis is a topic of interest to you, please attend my talk. If you are interested but will not be in attendance, please let me know and I will make my whitepaper and slide set available to you.

Kraken Reverts to HTTP

Following a friendly heads up from someone yesterday morning, I re-loaded the
following Kraken samples into my honeypot:

1d51463150db06bc098fef335bc64971
65b958bf6f5eddca3d9455354af08b6f
6ec7d67d5553cbec2a99c7fbe385a729
7ecef2f126e66e7270afa7b803f715bc
8fd8c67103ec073d9303a7fbc702f89a

and began monitoring them. Each sample proceeded to update itself;
the updated binary is around 160KB, given a random name and
placed in the system32 directory, and no longer has an imagefile icon.

The names/MD5 values of samples I got are:

26bd8e696629edba4a1d610d1062b3f1 jtliutnj.exe
36a8c8cce65c9ab46fca127de9dcc5d1 niksojrjbg.exe
b5f65d971d7362512dafdb473ef5888d xfkmrb.exe
5f94989145b4bf69cf81c223b15ec653 yy.exe
5c9274a4483ed540fd433a2cd885e561 zp.exe

As someone mentioned, it does indeed appear that Kraken/Bobax has changed
(perhaps reverted?) its C&C to HTTP. The honeypot session for
1d51463150db06bc098fef335bc64971 goes something like the following:

UTC 15:30 - Honeypot infected with 1d51463150db06bc098fef335bc64971.
UTC 15:45 - niksojrjbg.exe appears in system32 directory.
UTC 15:50 - Last TCP/UDP 447 packets (host 209.160.65.66) observed.
UTC 16:00 - Spam run commences.
UTC 16:10 - First observed HTTP communication with C&C.

The samples do not appear to be using DNS to obtain IPs of the C&C
servers. The C&C IPs I've been able to identify from the samples are
208.101.52.82, 208.101.54.243, and 208.101.42.28. Communication is
performed by the victim making an HTTP POST (poststring attached);
receipt of binary data with a bogus MIME type follows:
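The behaviour observed above (port 447 traffic to one peer, HTTP POSTs to the three C&C IPs, and responses whose body is binary despite a text MIME type) can be turned into simple detection rules. The following is an added example, not the author's honeypot tooling: it scans a constructed, hypothetical connection/HTTP log format (timestamp, record type, protocol, source, destination, port, and for HTTP records the method, response MIME type and a hex prefix of the response body) and raises alerts using only the indicators quoted in the post. The "binary body" heuristic (NUL byte or a high share of non-printable bytes) is an assumption of this example.

```python
import re
import string
from dataclasses import dataclass

# Indicators taken from the post: C&C IPs reached over HTTP, the peer seen on
# port 447 before the switch, and that port itself.
KRAKEN_HTTP_C2_IPS = {"208.101.52.82", "208.101.54.243", "208.101.42.28"}
KRAKEN_PORT447_PEER = "209.160.65.66"
KRAKEN_LEGACY_PORT = 447

# MIME types that promise text; a binary body served under one of these is the
# "bogus MIME type" behaviour described in the post.
TEXT_MIME_PREFIXES = ("text/",)


@dataclass
class Alert:
    time: str
    rule: str
    dst: str


# Constructed log format (hypothetical, not any real sensor's output):
#   <utc> conn <tcp|udp> <src> <dst> <dport>
#   <utc> http tcp <src> <dst> <dport> <method> <resp_mime> <resp_body_hex_prefix>
_CONN_RE = re.compile(r"^(\S+) conn (tcp|udp) (\S+) (\S+) (\d+)$")
_HTTP_RE = re.compile(r"^(\S+) http tcp (\S+) (\S+) (\d+) (\S+) (\S+) ([0-9a-f]*)$")

_TEXT_BYTES = set(bytes(string.printable, "ascii"))


def looks_binary(prefix: bytes, threshold: float = 0.3) -> bool:
    """Heuristic (assumption): a NUL byte, or more than `threshold` of the
    sampled bytes outside printable ASCII, means the body is binary, not text."""
    if not prefix:
        return False
    if b"\x00" in prefix:
        return True
    non_text = sum(1 for b in prefix if b not in _TEXT_BYTES)
    return non_text / len(prefix) > threshold


def scan(log_text: str) -> list[Alert]:
    """Apply the three rules to every log line and return the alerts in order."""
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _CONN_RE.match(line)
        if m:
            ts, _proto, _src, dst, dport = m.groups()
            if int(dport) == KRAKEN_LEGACY_PORT:
                # Any port 447 traffic is worth a look; the known peer is stronger.
                rule = ("kraken-port447-known-peer" if dst == KRAKEN_PORT447_PEER
                        else "port447-traffic")
                alerts.append(Alert(ts, rule, dst))
            continue
        m = _HTTP_RE.match(line)
        if m:
            ts, _src, dst, _dport, method, mime, body_hex = m.groups()
            if method == "POST" and dst in KRAKEN_HTTP_C2_IPS:
                alerts.append(Alert(ts, "kraken-http-c2-post", dst))
            body = bytes.fromhex(body_hex)
            if mime.startswith(TEXT_MIME_PREFIXES) and looks_binary(body):
                alerts.append(Alert(ts, "bogus-mime-binary-body", dst))
    return alerts


# Constructed sample log: 10.0.0.5 plays the honeypot; 198.51.100.7 is benign.
# Body prefixes: an MZ header, "<!DOCTYPE html>\n", and arbitrary binary bytes.
SAMPLE_LOG = """\
15:50 conn udp 10.0.0.5 209.160.65.66 447
16:10 http tcp 10.0.0.5 208.101.52.82 80 POST text/html 4d5a90000300000004000000ffff0000
16:12 http tcp 10.0.0.5 198.51.100.7 80 GET text/html 3c21444f43545950452068746d6c3e0a
16:15 http tcp 10.0.0.5 208.101.42.28 80 POST text/plain 8f1a02c4ee9b0077f10acd5532b7e0cc
16:20 conn tcp 10.0.0.5 198.51.100.7 443
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.time} {a.rule} dst={a.dst}")
```

On the sample log this yields five alerts: the port 447 datagram to the known peer, and for each of the two POSTs to a listed C&C IP both the C&C-contact rule and the bogus-MIME rule. The benign GET whose body really is HTML triggers nothing, which is the point of checking the body rather than trusting the Content-Type header.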