Thursday, July 21, 2011

Looking at W32/Sality.AO


W32/Sality.AO information:


MD5            fda71acbd508de0285433d14d376cc6a
SHA-1          15a2478a9f524427c6a983f358f9c00935309c7b
First Received 2011-07-22 14:36:00
Last Received  2011-07-22 14:36:00
Size (bytes)   67072
Weightage      1074
virustotal.com 0 vendors detected, out of 43

As of 1 August, the VirusTotal result is 35/45. Common name: W32/Sality.AO.

Generated files captured by xandora
  • "/WINDOWS/Temp/dyfr0sqmy.exe"
  • "/WINDOWS/Temp/omaj11kq.exe"
  • "/WINDOWS/Temp/qtfcyyp.exe"
  • "/WINDOWS/Temp/svchost.exe"
  • "/WINDOWS/Temp/y5547xsx.exe"
  • "/WINDOWS/Temp/~DFB2BE.tmp"
  • "/WINDOWS/Temp/~DFE385.tmp"
  • "/WINDOWS/system32/31rvuk6.log"
  • "/WINDOWS/system32/drivers/359.exe"
  • "/WINDOWS/system32/drivers/734.exe"
It looks like /Temp and /drivers are still the usual places for hiding suspicious files.

Statistics from network connections

Total of TCP 80 connections: 671
Total of TCP 25 connections: 1018
Total of TCP 25 connections: 1209

The SMTP traffic dump contains an ICQ number and an e-mail address. Given this combination, the file's creator is very likely from Russia.

Most of the e-mail targets .ru domains, such as odin.ru.

Let's check the content of the e-mail.

0x02a0: 4943 513a 2034 3938 3530 2d38 3131 380d ICQ:.49850-8118.
0x02b0: 0a45 6d61 696c 3a20 7661 7a65 7061 6d6f .Email:.vazepamo
0x02c0: 6879 7a65 6740 6d61 696c 2e72 750d 0af3 hyzeg@mail.ru...
0x02d0: c1ca d43a 2068 7474 703a 2f2f 7777 772e ...:.http://www.
0x02e0: 7469 6e79 392e 636f 6d2f 752f 3575 6a76 tiny9.com/u/5ujv
0x02f0: 640d 0a0d 0a2e 0d0a d.......
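The dump above can be turned back into bytes and the contact details pulled out of it mechanically. The following is an added example, not code from the original post or from xandora. The dump text is copied verbatim from the post; the one assumption is the codec for the four non-ASCII bytes (0xf3 0xc1 0xca 0xd4), which decode under KOI8-R to the Russian word 'Сайт' ('site'), which is my reading rather than something the post states. The trailing 0d0a 2e 0d0a is the SMTP end-of-data marker (a line holding a single dot), so the capture really does contain the end of the message.

```python
"""Reassemble the tcpdump -X excerpt from the post and extract the contact details.

Added example: not code from the original post or from xandora. The dump text
is copied from the post; decoding the non-ASCII bytes as KOI8-R is an assumption.
"""
import re

# The six dump lines exactly as they appear in the post (offset, hex groups, ASCII gutter).
SMTP_TAIL_DUMP = """\
0x02a0: 4943 513a 2034 3938 3530 2d38 3131 380d ICQ:.49850-8118.
0x02b0: 0a45 6d61 696c 3a20 7661 7a65 7061 6d6f .Email:.vazepamo
0x02c0: 6879 7a65 6740 6d61 696c 2e72 750d 0af3 hyzeg@mail.ru...
0x02d0: c1ca d43a 2068 7474 703a 2f2f 7777 772e ...:.http://www.
0x02e0: 7469 6e79 392e 636f 6d2f 752f 3575 6a76 tiny9.com/u/5ujv
0x02f0: 640d 0a0d 0a2e 0d0a d.......
"""

OFFSET_RE = re.compile(r"^\s*0x([0-9a-fA-F]+):\s*(.*)$")
HEX_GROUP_RE = re.compile(r"[0-9a-fA-F]{4}|[0-9a-fA-F]{2}")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
SMTP_END_OF_DATA = "\r\n.\r\n"   # SMTP DATA is terminated by a line holding a single dot


def parse_hexdump(dump: str) -> bytes:
    """Rebuild raw bytes from tcpdump -X lines, checking that offsets are contiguous.

    Hex groups are consumed until 16 bytes have been read or a token that is
    not 2 or 4 hex digits appears, which is where the ASCII gutter starts.
    A gutter that happens to look like hex could only confuse a short final
    line; the sample's final gutter starts with 'd.', so it cannot here.
    """
    out = bytearray()
    expected = None
    for line in dump.splitlines():
        m = OFFSET_RE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        if expected is not None and offset != expected:
            raise ValueError(f"gap in dump: got 0x{offset:x}, expected 0x{expected:x}")
        chunk = bytearray()
        for token in m.group(2).split():
            if len(chunk) >= 16 or not HEX_GROUP_RE.fullmatch(token):
                break
            chunk += bytes.fromhex(token)
        out += chunk
        expected = offset + len(chunk)
    return bytes(out)


def extract_contacts(payload: bytes, codec: str = "koi8_r") -> dict:
    """Split 'Label: value' lines out of the captured SMTP DATA tail.

    Returns the labelled fields plus 'urls' (every http(s) URL found) and
    'data_terminated' (True when the SMTP end-of-data marker was present).
    With codec="cp1251" the same bytes decode to a meaningless label, which is
    the quick way to tell which Cyrillic encoding the sender used.
    """
    text = payload.decode(codec, errors="replace")
    body, marker, _ = text.partition(SMTP_END_OF_DATA)
    fields = {}
    for line in body.split("\r\n"):
        label, colon, value = line.partition(":")
        if colon and label.strip():
            fields[label.strip()] = value.strip()
    fields["urls"] = URL_RE.findall(body)
    fields["data_terminated"] = bool(marker)
    return fields


if __name__ == "__main__":
    raw = parse_hexdump(SMTP_TAIL_DUMP)
    print(f"{len(raw)} bytes reassembled")
    for key, value in extract_contacts(raw).items():
        print(f"{key}: {value}")
```

The offset check matters on real captures: tcpdump prints one dump per packet, so a gap between two lines means you have crossed a packet boundary and the text may be missing bytes in between.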

Besides this information, the e-mails also carry attachments.

Most of the malware updates come from 7293163855.com. As of now, this is the result from WOT (Web of Trust).

During sandboxing, xandora recorded access to an external IP on TCP 3128. TCP 3128 is the default port of the Squid proxy, so the port alone is a hint rather than proof; the quickest confirmation is to ask the host to fetch a URL for you, as below.

Connected to host-static-XXX-116-XXX-250.XXXXXXXcom.md.
Escape character is '^]'.
GET http://www.google.com/ HTTP/1.1
HTTP/1.0 200 OK

YES
Connection closed by foreign host.

Very likely W32/Sality.AO carries a list of proxies and routes its HTTP traffic through them.
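The telnet test above (an absolute-URI GET on port 3128, answered with an HTTP status line) is the classic open-proxy check, and it is easy to script so that a whole list of candidate addresses can be triaged the same way. The following is an added example, not code from the post or from xandora. The "proxy" it talks to here is a constructed in-process stand-in (fake_proxy) that answers HTTP/1.0 200 OK and a body of YES, mirroring the transcript; probe_open_proxy() does the same against a real host:port and should only be pointed at hosts you are authorised to test.

```python
"""Reproduce the open-proxy telnet check from the post in code.

Added example: not code from the post or from xandora. fake_proxy() is a
constructed stand-in for the remote host; nothing here touches the network
unless probe_open_proxy() is called explicitly.
"""
import socket
import threading

PROBE_URL = "http://www.google.com/"   # same URL as the telnet session in the post
MAX_REPLY = 65536


def build_probe_request(url: str = PROBE_URL) -> bytes:
    """Request line with an absolute URI: a forward proxy services it, while an
    origin server would normally only have been given the path."""
    host = url.split("/")[2]
    return (f"GET {url} HTTP/1.1\r\nHost: {host}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def classify_response(raw: bytes) -> str:
    """Turn the first line of the reply into a verdict."""
    status_line = raw.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return "not-http"           # silence or a non-HTTP banner: not a proxy
    code = parts[1].decode("ascii", "replace")
    if code == "200":
        return "open-proxy"         # it fetched (or claims to have fetched) the URL
    if code == "407":
        return "auth-required"      # a proxy, but not an open one
    return f"http-{code}"           # e.g. 400/403: speaks HTTP, refused the request


def probe_on_socket(sock: socket.socket, timeout: float = 5.0) -> str:
    """Send the probe on an already-connected socket and classify what comes back."""
    sock.settimeout(timeout)
    sock.sendall(build_probe_request())
    reply = bytearray()
    try:
        while len(reply) < MAX_REPLY:
            data = sock.recv(4096)
            if not data:
                break
            reply += data
    except socket.timeout:
        pass                        # classify whatever arrived before the timeout
    return classify_response(bytes(reply))


def probe_open_proxy(host: str, port: int = 3128, timeout: float = 5.0) -> str:
    """Connect to host:port (3128 is Squid's default) and run the probe."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return probe_on_socket(sock, timeout)


def fake_proxy(reply: bytes = b"HTTP/1.0 200 OK\r\nContent-Length: 3\r\n\r\nYES") -> socket.socket:
    """Constructed stand-in for the remote host: returns the client end of a
    socket pair whose other end reads one request, sends `reply` and closes."""
    client_end, server_end = socket.socketpair()

    def serve():
        with server_end:
            server_end.recv(4096)   # a real proxy would parse and forward this
            server_end.sendall(reply)

    threading.Thread(target=serve, daemon=True).start()
    return client_end


if __name__ == "__main__":
    with fake_proxy() as sock:
        print(probe_on_socket(sock))    # open-proxy
    with fake_proxy(b"HTTP/1.1 407 Proxy Authentication Required\r\n\r\n") as sock:
        print(probe_on_socket(sock))    # auth-required
```

A 200 from the probe only shows that the host relayed the request; to prove the traffic really reached the origin, fetch a URL on a server you control and watch its access log for the proxy's address.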

For the full analysis report, please go to xandora.