{ "Event": { "analysis": "2", "date": "2012-08-14", "extends_uuid": "", "info": "OSINT Backdoor.Win32.Shiz from Lavasoft", "publish_timestamp": "1421404886", "published": true, "threat_level_id": "4", "timestamp": "1421401757", "uuid": "54b8caf4-0830-44b3-b460-4662950d210b", "Orgc": { "name": "CthulhuSPRL.be", "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" }, "Tag": [ { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#33FF00", "local": false, "name": "tlp:green", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1421396736", "to_ids": false, "type": "link", "uuid": "54b8cb01-a478-435f-9b65-47b5950d210b", "value": "http://lavasoft.com/mylavasoft/malware-descriptions/blog/backdoorwin32shiz" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1421396750", "to_ids": false, "type": "text", "uuid": "54b8cb0e-1528-417d-b1c9-4053950d210b", "value": "Shiz" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1421396803", "to_ids": true, "type": "sha1", "uuid": "54b8cb43-763c-48c3-81c5-4254950d210b", "value": "e973239500b4fb216182043805453cea9edf8730" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1421396860", "to_ids": false, "type": "filename", "uuid": "54b8cb6f-001c-4864-b4a3-484d950d210b", "value": "%Temp%\\.tmp" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1421396880", "to_ids": false, "type": "filename", "uuid": "54b8cb90-ce44-4091-9163-440d950d210b", "value": "%WinDir\\AppPatch\\.exe" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1421397510", "to_ids": false, "type": "comment", "uuid": 
"54b8ce06-5244-4c6d-ac48-430d950d210b", "value": "The backdoor ends its own execution and deletes its original file if the following processes run on the system:\r\n\r\nHookExplorer.exe\r\nproc_analyzer.exe\r\nsckTool.exe\r\nsniff_hit.exe\r\nsysAnalyzer.exe\r\nidag.exe\r\nollydbg.exe\r\ndumpcap.exe\r\nwireshark.exe\r\navp.exe" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1421397525", "to_ids": false, "type": "comment", "uuid": "54b8ce15-1390-48b5-b329-49c3950d210b", "value": "If the backdoor launches without administrator privileges, it tries to access the administrator account by guessing a password:\r\n\r\nhelp\r\nstone\r\nserver\r\npass\r\nidontknow\r\nadministrator\r\nadmin\r\n666666\r\n111\r\n12345678\r\n1234\r\nsoccer\r\nabc123\r\npassword1\r\nfootball1\r\nfuckyou\r\nmonkey\r\niloveyou1\r\nsuperman1\r\nslipknot1\r\njordan23\r\nprincess1\r\nliverpool1\r\nmonkey1\r\nbaseball1\r\n123abc\r\nqwerty1\r\nblink182\r\nmyspace1\r\npop\r\nuser111\r\n098765\r\nqweryuiopas\r\nqwe\r\nqwer\r\nqwert\r\nqwerty\r\nasdfg\r\nchort\r\nnah\r\nxak\r\nxaep\r\n111111\r\n12345\r\n2013\r\n2007\r\n2207\r\n110\r\n5554\r\n775\r\n354\r\n1982\r\n123\r\npassword\r\n123456" }, { "category": "Network activity", "comment": "Internet connectivity check", "deleted": false, "disable_correlation": false, "timestamp": "1421397547", "to_ids": false, "type": "hostname", "uuid": "54b8ce2b-1cd8-4a4d-88c2-4e5a950d210b", "value": "www.bing.com" }, { "category": "Network activity", "comment": "Internet connectivity check", "deleted": false, "disable_correlation": false, "timestamp": "1421397548", "to_ids": false, "type": "hostname", "uuid": "54b8ce2c-bef0-45dd-b805-4c9f950d210b", "value": "www.microsoft.com" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1421397569", "to_ids": false, "type": "comment", "uuid": "54b8ce41-6378-492b-813b-caa2950d210b", "value": "Installs hooks for following functions:\r\n\r\nDnsapi.dll:\r\nDnsQuery_A\r\nDnsQuery_UTF8\r\nDnsQuery_W\r\nQuery_Main\r\n\r\nuser32.dll:\r\nGetClipboardData\r\nTranslateMessage\r\nGetMessageA\r\nGetMessageW\r\nGetWindowTextA\r\nOpenDesktopA\r\nOpenDesktopW\r\nTrackPopupMenuEx\r\nOpenDesktopW\r\nOpenInputDesktop\r\nSwitchDesktop\r\nGetUpdatedClipboardFormats\r\nCloseClipboard\r\nCountClipboardFormats\r\nEmptyClipboard\r\nGetPriorityClipboardFormat\r\nIsClipboardFormatAvailable\r\nSetClipboardData\r\nFlashWindowEx\r\nFlashWindow\r\nGetCursorPos\r\nSetCursorPos\r\nSetCapture\r\nReleaseCapture\r\nGetCapture\r\nDefWindowProcW\r\nDefWindowProcA\r\nDefDlgProcW\r\nDefDlgProcA\r\nDefFrameProcW\r\nDefWindowProcA\r\nDefMDIChildProcA\r\nCallWindowProcW\r\nCallWindowProcA\r\nPeekMessageW\r\nPeekMessageA\r\n\r\nadvapi32.dll:\r\nCryptEncrypt\r\n\r\nntdll.dll:\r\nNtQuerySystemInformation\r\n\r\nws2_32.dll:\r\nsend\r\nWSASend\r\nWSARecv\r\nrecv\r\ngetaddrinfo\r\ngethostbyname\r\ninet_addr\r\n\r\nkernel32.dll:\r\nCreateFileW\r\nGetFileAttributesW \r\n\r\nCrypt32.dll:\r\nCertVerifyCertificateChainPolicy\r\n\r\nWininet.dll:\r\nHttpSendRequestA\r\nHttpSendRequestW\r\nHttpSendRequestExA\r\nHttpSendRequestExW\r\nInternetQueryDataAvailable\r\nInternetReadFile\r\nInternetReadFileExA\r\nInternetReadFileExW\r\nInternetCloseHandle \r\n\r\nnspr4.dll:\r\nPR_Write\r\nPR_Read\r\nPR_Close\r\nPR_OpenTCPSocket \r\n\r\nsks2xyz.dll:\r\nvb_pfx_import \r\n\r\nFilialRCon.dll:\r\nRCN_R50Buffer\r\n\r\nmespro.dll:\r\nAddPSEPrivateKeyEx\r\nAddSigner" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1421398963", "to_ids": true, "type": "md5", "uuid": "54b8d3b3-f798-4bb8-904b-d90d950d210b", "value": "31e855d428195a27077d535e4b0778cd" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1421398980", "to_ids": true, "type": "md5", "uuid": "54b8d3c4-12d4-42ad-8559-4762950d210b", "value": 
"9d1f4902e2eb83feab79175dd89b1912" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1421399040", "to_ids": true, "type": "domain", "uuid": "54b8d400-56f4-4318-8431-44ac950d210b", "value": "xubifaremin.eu" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1421399040", "to_ids": true, "type": "domain", "uuid": "54b8d400-5fbc-4e33-8b8b-40fc950d210b", "value": "dixemazufel.eu" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1421399040", "to_ids": true, "type": "domain", "uuid": "54b8d400-eba0-49eb-9a1e-49cc950d210b", "value": "lyvejujolec.eu" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1421399040", "to_ids": true, "type": "domain", "uuid": "54b8d400-5a64-4787-80ff-4d33950d210b", "value": "marytymenok.eu" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1421399041", "to_ids": true, "type": "domain", "uuid": "54b8d401-98e4-452d-bfe5-4367950d210b", "value": "vojacikigep.eu" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1421399041", "to_ids": true, "type": "domain", "uuid": "54b8d401-d444-4f3c-b032-4336950d210b", "value": "gadufiwabim.eu" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1421399041", "to_ids": true, "type": "domain", "uuid": "54b8d401-8a64-4961-9851-4947950d210b", "value": "xuxusujenes.eu" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1421399041", "to_ids": true, "type": "domain", "uuid": "54b8d401-2f08-481c-a5e0-49f8950d210b", "value": "fogeliwokih.eu" }, { "category": "Network activity", "comment": "", "deleted": false, 
"disable_correlation": false, "timestamp": "1421399041", "to_ids": true, "type": "domain", "uuid": "54b8d401-9a34-43a7-b364-4128950d210b", "value": "jewuqyjywyv.eu" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1421399041", "to_ids": true, "type": "domain", "uuid": "54b8d401-62c8-41d7-a411-48aa950d210b", "value": "masisokemep.eu" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1421399041", "to_ids": true, "type": "domain", "uuid": "54b8d401-4178-4b8e-bb3f-47f1950d210b", "value": "nofyjikoxex.eu" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1421399041", "to_ids": true, "type": "domain", "uuid": "54b8d401-3c0c-4e5e-ad2a-4aa9950d210b", "value": "qetoqolusex.eu" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1421399041", "to_ids": true, "type": "domain", "uuid": "54b8d401-21c4-40d2-8a72-4b0e950d210b", "value": "jepororyrih.eu" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1421399041", "to_ids": true, "type": "domain", "uuid": "54b8d401-374c-4667-bb9b-45c9950d210b", "value": "rynazuqihoj.eu" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1421399041", "to_ids": true, "type": "domain", "uuid": "54b8d401-a238-48d7-90ad-40aa950d210b", "value": "dikoniwudim.eu" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1421399041", "to_ids": true, "type": "domain", "uuid": "54b8d401-b8d8-4e5e-a9d7-4cac950d210b", "value": "kemocujufys.eu" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1421399042", "to_ids": true, "type": "domain", "uuid": 
"54b8d402-18b0-4bcf-a93e-454b950d210b", "value": "voniqofolyt.eu" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1421399042", "to_ids": true, "type": "domain", "uuid": "54b8d402-9978-43ab-b9c6-464e950d210b", "value": "dimutobihom.eu" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1421399042", "to_ids": true, "type": "domain", "uuid": "54b8d402-d264-45d2-b5d0-4f04950d210b", "value": "makagucyraj.eu" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1421399042", "to_ids": true, "type": "domain", "uuid": "54b8d402-7da0-469c-95a7-4bb6950d210b", "value": "qebahilojam.eu" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1421399042", "to_ids": true, "type": "domain", "uuid": "54b8d402-4ca8-4cb7-a2ba-4385950d210b", "value": "tufecagemyl.eu" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1421399085", "to_ids": false, "type": "comment", "uuid": "54b8d42d-207c-421a-8b10-4611950d210b", "value": "Seem to use a domain generation algorithm" }, { "category": "External analysis", "comment": "Emerging Threats free IDS rules available", "deleted": false, "disable_correlation": false, "timestamp": "1421401757", "to_ids": false, "type": "link", "uuid": "54b8de9d-49a4-4b93-bb52-4662950d210b", "value": "http://doc.emergingthreats.net/bin/view/Main/WebSearch?search=shiz&scope=all&web=Main" } ] } }