
paulroyal's blog

Scalable, Automated Baremetal Malware Analysis

This week I will be presenting on scalable, automated baremetal malware analysis at Black Hat Europe. My presentation will coincide with the release of NVMTrace, a tool that facilitates automated baremetal sample processing using inexpensive hardware and freely available technologies. More information is available at the following link:

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis

If you are attending Black Hat Europe and malware analysis is a topic of interest to you, please attend my talk. If you are interested but will not be in attendance, please let me know and I will make my whitepaper and slide set available to you.

Kraken Reverts to HTTP

Following a friendly heads up from someone yesterday morning, I re-loaded the
following Kraken samples into my honeypot:


and began monitoring them. Each sample proceeded to update itself;
the updated binary is around 160KB, given a random name and
placed in the system32 directory, and no longer has an imagefile icon.

The names/MD5 values of samples I got are:

26bd8e696629edba4a1d610d1062b3f1 jtliutnj.exe
36a8c8cce65c9ab46fca127de9dcc5d1 niksojrjbg.exe
b5f65d971d7362512dafdb473ef5888d xfkmrb.exe
5f94989145b4bf69cf81c223b15ec653 yy.exe
5c9274a4483ed540fd433a2cd885e561 zp.exe

As someone mentioned, it does indeed appear that Kraken/Bobax has changed
(perhaps reverted?) its C&C to HTTP. The honeypot session for
1d51463150db06bc098fef335bc64971 goes something like the following:

UTC 15:30 - Honeypot infected with 1d51463150db06bc098fef335bc64971.
UTC 15:45 - niksojrjbg.exe appears in system32 directory.
UTC 15:50 - Last TCP/UDP 447 packets (host observed.
UTC 16:00 - Spam run commences.
UTC 16:10 - First observed HTTP communication with C&C.

The samples do not appear to be using DNS to obtain IPs of the C&C
servers. The C&C IPs I've been able to identify from the samples are,, and Communication is
performed by the victim making an HTTP POST (poststring attached);
receipt of binary data with a bogus MIME type follows:
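The "bogus MIME type" observation above is a useful detection hook: a response whose Content-Type header says one thing while the body's leading bytes say another. The following is an added example (not code from this post, and the sample responses are constructed, not captured Kraken traffic) that parses raw HTTP responses, sniffs the body's magic bytes, and flags responses whose declared type contradicts the content. It generalizes slightly beyond the post by recognizing several binary formats, not only PE images.

```python
"""Flag HTTP responses whose declared Content-Type contradicts the body.

Added example, not code from the post. SAMPLE_RESPONSES below are constructed
for illustration only; they are not captured traffic from any sample.
"""
from typing import Dict, List, Optional

# Leading bytes of common binary formats and the type they really indicate.
MAGIC = [
    (b"MZ", "application/x-dosexec"),        # Windows PE executable
    (b"\x7fELF", "application/x-elf"),       # ELF executable
    (b"PK\x03\x04", "application/zip"),      # ZIP archive
    (b"\x1f\x8b", "application/gzip"),       # gzip stream
    (b"%PDF", "application/pdf"),
    (b"\x89PNG", "image/png"),
    (b"GIF8", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
]

# Declared types that honestly say "opaque bytes"; a binary body under these
# is not a contradiction and is not flagged.
GENERIC_BINARY = {"application/octet-stream", "binary/octet-stream"}


def sniff_type(body: bytes) -> Optional[str]:
    """Return the content type implied by the body's leading bytes, if known."""
    for magic, ctype in MAGIC:
        if body.startswith(magic):
            return ctype
    return None


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status line, declared content-type, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator in response")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    declared = ""
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-type":
            # Drop parameters such as "; charset=utf-8" and normalize case.
            declared = value.split(b";", 1)[0].strip().decode("latin-1").lower()
    return status, declared, body


def check_response(raw: bytes) -> Dict[str, object]:
    """Return a verdict for one response: declared type, sniffed type, mismatch flag."""
    status, declared, body = parse_response(raw)
    sniffed = sniff_type(body)
    # A mismatch is a recognized binary body served under a type that is
    # neither the matching one nor a generic octet-stream label.
    mismatch = (
        sniffed is not None
        and declared not in GENERIC_BINARY
        and declared != sniffed
    )
    return {
        "status": status,
        "declared": declared or None,
        "sniffed": sniffed,
        "mismatch": mismatch,
    }


def scan(responses: List[bytes]) -> List[Dict[str, object]]:
    """Run check_response over many responses and keep only the mismatches."""
    return [v for v in (check_response(r) for r in responses) if v["mismatch"]]


# Constructed sample responses (not real traffic).
SAMPLE_RESPONSES = [
    # Claims HTML, delivers a PE image: the pattern described in the post.
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 64\r\n\r\n" + b"MZ\x90\x00" + b"\x00" * 60,
    # Claims HTML and is HTML: benign.
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>ok</body></html>",
    # Honest binary download: generic octet-stream label over a ZIP body.
    b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
    b"PK\x03\x04" + b"\x00" * 20,
]

if __name__ == "__main__":
    for verdict in scan(SAMPLE_RESPONSES):
        print(verdict)
```

Running the block prints one verdict, for the response that labels a PE image as text/html; the honest octet-stream download and the real HTML page are left alone. In a proxy or IDS pipeline the same check runs on the reassembled response body, and the declared-versus-sniffed pair is the field worth logging alongside the POST that triggered it.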
