250819688dc109a79a4de24eeabbb3de (Dropper) [24 / 55] as of 2014-09-12 07:49:15 UTC
bc183d917bc4dcffa954adb437bdcb96 (Backdoor) [2 / 53] as of 2014-09-09 23:33:47 UTC
This post details a triage of a malware sample retrieved from 2014-09-09 - RIG EK FROM 220.127.116.11 - SDFI.APARTMENTPERCH.COM. The initial sample executed after exploitation is 250819688dc109a79a4de24eeabbb3de.
Creation & Deletion of *.tmp Files:
The startup routine of the Dropper includes the creation and deletion of *.tmp files in the "%TEMP%" folder path. The naming convention of the files is ns[random alphabet][random digit].tmp.
Creation of Staging Folder:
- Creates the folder "%APPDATA%\NVIDIA Corporation\Updates\". The naming convention is made to look legitimate, likely by mimicking an NVIDIA software update folder.
Dropping of Persistent Backdoor:
- Creates the Backdoor "%APPDATA%\NVIDIA Corporation\Updates\nvid_upd.exe" (md5: bc183d917bc4dcffa954adb437bdcb96).
- Creates the registry key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NvUpdSrv" for persistence. The persistence key points to the file path of the earlier created Backdoor.
- Creates a new process from the Backdoor (using CreateProcessA).
- Deletes itself (using DeleteFileA).
- Initiates a TCP handshake with the IP address "18.104.22.168".
- If the TCP handshake is successful, the Backdoor sends an additional ACK, with additional data appended to the network traffic:
Figure: Notice the additional TCP ACK has an additional 178 bytes of data.
Figure: Hex view of the additional bytes appended to the additional TCP ACK.
- After the initial callback is sent, the Backdoor remains dormant until commands are sent to it.
Breakdown of the additional appended data:
- GET /stat?uid=100&downlink=1111&uplink=1111&id=01F7906A&statpass=bpass&version=11140907&features=30&guid=0969e6cd-f722-4f9f-a6e4-35128ffe7946&comment=11140907&p=0&s= HTTP/1.0
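The callback above is a plain HTTP GET with a fixed parameter set, which makes it easy to match in proxy or IDS request logs. The following is an added example (not code from the original post): it parses the request line into its query fields and flags lines that carry the full parameter set seen in the sample; the benign lines in SAMPLE_LINES are constructed for the demonstration.

```python
"""Added example: parse the backdoor's /stat beacon and flag matching
HTTP request lines. Sample traffic below is constructed, except for the
beacon line, which is the one observed in the post."""
from urllib.parse import urlsplit, parse_qs

# Query parameters observed in the sample's initial callback. The detector
# keys on the parameter set, not on the values, since uid/guid/id vary per host.
BEACON_PARAMS = {"uid", "downlink", "uplink", "id", "statpass", "version",
                 "features", "guid", "comment", "p", "s"}


def parse_request_line(request_line):
    """Split an HTTP request line into method, path and query fields.
    Returns None when the line is not a well-formed request line."""
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target, _version = parts
    url = urlsplit(target)
    # keep_blank_values=True so the trailing empty "s=" parameter survives
    query = {k: v[0] for k, v in
             parse_qs(url.query, keep_blank_values=True).items()}
    return {"method": method, "path": url.path, "query": query}


def is_stat_beacon(request_line):
    """True when the line matches the sample's callback shape:
    a GET to /stat carrying every parameter in BEACON_PARAMS."""
    req = parse_request_line(request_line)
    if req is None or req["method"] != "GET" or req["path"] != "/stat":
        return False
    return BEACON_PARAMS.issubset(req["query"])


def find_beacons(lines):
    """Return the parsed beacons found in an iterable of request lines."""
    return [parse_request_line(line) for line in lines if is_stat_beacon(line)]


# Constructed log sample: the observed beacon plus benign requests.
SAMPLE_LINES = [
    "GET /stat?uid=100&downlink=1111&uplink=1111&id=01F7906A&statpass=bpass"
    "&version=11140907&features=30&guid=0969e6cd-f722-4f9f-a6e4-35128ffe7946"
    "&comment=11140907&p=0&s= HTTP/1.0",
    "GET /stat?page=1 HTTP/1.1",
    "GET /index.html HTTP/1.1",
]

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LINES):
        print("beacon: guid=%(guid)s version=%(version)s" % hit["query"])
```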