This week I will be presenting on scalable, automated baremetal malware analysis at Black Hat Europe. My presentation will coincide with the release of NVMTrace, a tool that facilitates automated baremetal sample processing using inexpensive hardware and freely available technologies. More information is available at the following link:
If you are attending Black Hat Europe and malware analysis is a topic of interest to you, please attend my talk. If you are interested but will not be in attendance, please let me know and I will make my whitepaper and slide set available to you.
Following a friendly heads up from someone yesterday morning, I re-loaded the
following Kraken samples into my honeypot:
and began monitoring them. Each sample proceeded to update itself;
the updated binary is around 160KB, given a random name and
placed in the system32 directory, and no longer has an imagefile icon.
The names/MD5 values of samples I got are:
As someone mentioned, it does indeed appear that Kraken/Bobax has changed
(perhaps reverted?) its C&C to HTTP. The honeypot session for
1d51463150db06bc098fef335bc64971 goes something like the following:
UTC 15:30 - Honeypot infected with 1d51463150db06bc098fef335bc64971.
UTC 15:45 - niksojrjbg.exe appears in system32 directory.
UTC 15:50 - Last TCP/UDP 447 packets (host 184.108.40.206) observed.
UTC 16:00 - Spam run commences.
UTC 16:10 - First observed HTTP communication with C&C.
The samples do not appear to be using DNS to obtain IPs of the C&C
servers. The C&C IPs I've been able to identify from the samples are
220.127.116.11, 18.104.22.168, and 22.214.171.124. Communication is
performed by the victim making an HTTP POST (poststring attached);
receipt of binary data with a bogus MIME type follows:
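As an added example (not from the original post), a small Python check that flags the C&C pattern described above in HTTP proxy records: a POST made straight to an IP literal rather than a hostname, answered with binary data labelled with a text-like MIME type. The record layout, the list of text-like types and the sample records are assumptions; the post does not give the poststring or the exact bogus MIME type, so the check keys on the shape of the exchange rather than its content.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed HTTP proxy records (not the post's captures); field names are assumptions.
RECORDS: List[Dict] = [
    {"method": "POST", "host": "203.0.113.7", "content_type": "text/html",
     "body": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"},
    {"method": "POST", "host": "www.example.com", "content_type": "text/html",
     "body": b"<html><body>ok</body></html>"},
    {"method": "POST", "host": "198.51.100.9", "content_type": "text/plain",
     "body": b"status=ok\n"},
    {"method": "GET", "host": "203.0.113.7", "content_type": "text/html",
     "body": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"},
]

# MIME types under which a binary body would be a mismatch (assumed list).
TEXT_TYPES = ("text/", "application/json", "application/x-www-form-urlencoded")


def is_ip_literal(host: str) -> bool:
    """True when the Host value is a bare IPv4/IPv6 address, optionally with a port."""
    if host.startswith("["):              # [v6]:port
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:            # v4:port
        host = host.split(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def looks_binary(body: bytes, sample: int = 64) -> bool:
    """Cheap non-text check: PE 'MZ' magic, or too few printable bytes in the head."""
    head = body[:sample]
    if head.startswith(b"MZ"):
        return True
    printable = sum(1 for b in head if 32 <= b < 127 or b in (9, 10, 13))
    return bool(head) and printable / len(head) < 0.7


def suspicious(rec: Dict) -> Optional[str]:
    """Return a reason string when the record matches the pattern, else None."""
    if rec["method"] != "POST" or not is_ip_literal(rec["host"]):
        return None
    if rec["content_type"].lower().startswith(TEXT_TYPES) and looks_binary(rec["body"]):
        return f"POST to IP literal {rec['host']} answered with binary data labelled {rec['content_type']}"
    return None


def scan(records: List[Dict]) -> List[str]:
    """Run the check over a batch of records and return the reasons for every hit."""
    return [reason for reason in map(suspicious, records) if reason]


if __name__ == "__main__":
    for line in scan(RECORDS):
        print(line)
```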