~Dissecting Malware
// f0wL's Blog about malware analysis and reverse engineering
Osiris, the god of afterlife...and banking malware?!

After coming back from the Chaos Communication Camp two days ago, I thought it would be a good idea to check on the current malware events out there, so come along for the ride.

I came across this sample after this tweet by @James_inthe_box:



Properties of the Executable

A short disclaimer: downloading and running the samples linked below will compromise your computer and data, so be f$cking careful. Also check with your local laws, as owning malware binaries/sources might be illegal depending on where you live.

Get your sample today from:

Osiris available @ https://malshare.com/sample.php?action=detail&hash=9f4d8bd1cba2681f3bcf642f56342ac7 (SHA256: 0325714eeb2af235a0f543ad9e11b5d852a61be78c9ece308c651412d97edd39)

Dropped files in %APPDATA%\Roaming




Dropped files in %APPDATA%\Local\Temp




Binding for System Startup


After running the sample for the first time, it adds itself to system startup and copies itself to %appdata%\Roaming\Microsoft\Windows\Protected\setspn.exe. Comparing the malicious setspn.exe with the Microsoft original (normally found at C:\Windows\System32\setspn.exe) with the help of PEBear makes it obvious that the files are not the same.


To jump straight to the Hybrid-Analysis report for fixed111.exe click here. I picked out a couple of interesting findings for you:

Hybrid-Analysis IR



One thing that stands out is that Osiris uses components of the Nullsoft Scriptable Install System (NSIS). I have not looked into it that far yet, but it seems to be used for a headless install only.

Hybrid-Analysis Mini-Tor

A quite interesting find: this Osiris sample uses a PoC implementation called Mini-Tor to communicate with the Tor network. This is convenient for the malware author, as it keeps the binary small while still allowing data exfiltration over an anonymized protocol.

Click here for the Any.Run analysis.

AnyRun HTTP Requests

As the Twitter discussion about this sample started, multiple theories about the Tor requests were brought up. My explanation for this behaviour is that the malware is exfiltrating data over the Tor network. Because of the URL format of the requested sites, IPAddress/tor/servers/fp/-HASH-, one can assume that the contacted servers are directory servers which hold the server descriptor files for known nodes. This is why I'd classify this behaviour as more or less standard client communication.
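To make the reasoning above reproducible on your own proxy or sandbox logs, here is an added Python example (not from the original post or the sandbox reports) that picks out Tor directory-server descriptor fetches by their path format and groups the requested relay fingerprints per client and directory host. The log lines, IP addresses and fingerprints are constructed for the demo; the regex accepts both the "server" and "servers" spelling of the path.

```python
import re
from collections import defaultdict

# A Tor directory fetch for relay descriptors looks like
#   http://<ip>:<port>/tor/server/fp/<40-hex-fingerprint>[+<fingerprint>...]
# The post writes it as IPAddress/tor/servers/fp/-HASH-, so both spellings match.
# Each 40-hex-char value is a SHA-1 relay fingerprint, several may be joined by '+'.
TOR_DIR_PATH = re.compile(
    r"^/tor/servers?/fp/([0-9A-Fa-f]{40}(?:\+[0-9A-Fa-f]{40})*)/?$")

# Constructed proxy-log lines (not taken from the Any.Run report):
# "<timestamp> <src> <method> <url> <status>"
SAMPLE_LOG = """\
2019-08-25T10:01:02Z 10.0.0.5 GET http://198.51.100.7:9030/tor/server/fp/0123456789ABCDEF0123456789ABCDEF01234567 200
2019-08-25T10:01:03Z 10.0.0.5 GET http://198.51.100.7:9030/tor/servers/fp/89ABCDEF0123456789ABCDEF0123456789ABCDEF+0123456789ABCDEF0123456789ABCDEF01234567 200
2019-08-25T10:01:05Z 10.0.0.5 GET http://203.0.113.9/cms/file/fixed111.exe 200
2019-08-25T10:01:07Z 10.0.0.5 GET http://198.51.100.7:9030/tor/server/fp/not-a-fingerprint 404
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
URL_RE = re.compile(r"^https?://([^/]+)(/.*)?$")


def classify_url(url):
    """Return (host, [fingerprints]) if url is a Tor descriptor fetch, else None."""
    m = URL_RE.match(url)
    if not m:
        return None
    host, path = m.group(1), m.group(2) or "/"
    p = TOR_DIR_PATH.match(path)
    if not p:
        return None
    return host, [fp.upper() for fp in p.group(1).split("+")]


def tor_directory_requests(log_text):
    """Map (client, directory host) -> sorted relay fingerprints it asked for.

    Anything that is not a descriptor fetch (e.g. the payload download) is
    skipped, so what remains in the log is the part worth a closer look.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hit = classify_url(m.group(4))
        if hit:
            host, fps = hit
            seen[(m.group(2), host)].update(fps)
    return {k: sorted(v) for k, v in seen.items()}


if __name__ == "__main__":
    for (src, host), fps in tor_directory_requests(SAMPLE_LOG).items():
        print(f"{src} -> {host}: {len(fps)} relay descriptor(s) requested")
```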


AnyRun Threats


IOCs

Files


URLs

httpx://naot[.]org/cms/file/fixed111.exe
httpx://borel[.]fr/notices/CanadaPost.zip

GermanWiper's big brother? GandCrab's kid? Sodinokibi!

After last week's analysis of GermanWiper I thought it would be about time to have a look at Sodinokibi aka REvil, the new weird kid on the block.

According to Cybereason the Sodinokibi ransomware was written by the same guys who created GandCrab, which is a pretty big deal since GandCrab retired recently. The samples that I'll be looking at today were first dropped in Asia, but it did not take long for them to reach other continents as well. A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be...

Read More
TFW Ransomware is only your side hustle...

and you constantly have to apply for jobs. A partial analysis of the "GermanWiper" Ransomware

Today someone posted about a ransomware attack on the local chat platform Jodel (don't judge please, as you know the sketchy corners of the web get you the best samples :D) which instantly piqued my interest. What I got was this email and the two attached files. The two attached files Applicant Name - Lebenslauf Aktuell.doc.lnk and Applicant Name - Arbeitszeugnisse Aktuell.doc.lnk are made to look like Microsoft Office...

Read More
Picking Locky 🔓

Back in 2016 Locky was (one of) the first to commercialize the "art" of holding data for ransom. I picked this strain because I would like a bit more of a challenge in terms of obfuscation and anti-disassembly techniques, so strap in for this OG ransomware.

Locky (at least the first few versions) is said to have been created by the makers of the Dridex/Cridex banking trojans. For example, the spreading mechanism via macros in Word or Excel documents sent out in carefully crafted spear-phishing emails is exactly the same for both of these strains. A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with...

Read More
Third time's the charm? Analysing WannaCry samples

After over two years since the initial spread of the ransomware and MalwareTech's sentencing last week, I got a bit nostalgic and took a second look at different samples.

Since the first wave of infections in May 2017, WannaCry has basically been the go-to example for the whole ransomware scheme, and that is actually a good thing. The damage that WannaCry and the variants following the original version could have done would have been massive if it hadn't been for MalwareTech, 2sec4u and all the other researchers who helped to contain the spread of ransomware powered by...

Read More
Useful Resources for Reverse Engineering and Malware Analysis

Just another collection of links, videos, books and other materials related to RE and Malware Research

I'll update this list regularly to keep it somewhat relevant, so be sure to bookmark this page if you like the contents so far.

Books

"Reversing: Secrets of Reverse Engineering" by Eldad Eilam
"Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation" by Bruce Dang, Alexandre Gazet and Elias Bachaalany
"The Shellcoder's Handbook: Discovering and Exploiting Security Holes" by Chris Anley, John Heasman, Felix Lindner and Gerardo Richarte
"Hacker Disassembling Uncovered" by...

Read More
printf("Hello World\n");

Hey there, looks like you somehow found your way onto my new site. If you are into malware analysis, reverse engineering and that sort of jazz have a look around and stay awhile!

...

Read More

About me

Hey there! My name is Marius Genheimer aka f0wL and I'm a computer science student from Germany. As you can probably tell, I like to analyse malware (especially ransomware) in my spare time.

https://sandbox.lol

My shot at an automated analysis platform based on the Cuckoo Sandbox. Feel free to drop your samples!

https://phish.fishing

A tracking and logging system for Phishing attacks and Malspam
