{
"Event": {
"analysis": "2",
"date": "2017-01-07",
"extends_uuid": "",
"info": "OSINT - 2016 Updates to Shifu Banking Trojan",
"publish_timestamp": "1483798227",
"published": true,
"threat_level_id": "3",
"timestamp": "1483798214",
"uuid": "5870f2f5-5744-4ded-a6f5-469c950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#6edb00",
"name": "circl:topic=\"finance\""
},
{
"colour": "#00afd6",
"name": "veris:action:social:target=\"Finance\""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797279",
"to_ids": false,
"type": "comment",
"uuid": "5870f31f-01f0-42fa-b746-4d2b950d210f",
"value": "Shifu is a Banking Trojan first discovered in 2015. Shifu is based on the Shiz source code, which incorporated techniques used by Zeus. Attackers use Shifu to steal credentials for online banking websites around the world, starting in Russia but later including the UK, Italy, and others.\r\n\r\nPalo Alto Networks Unit 42 research has found that the Shifu authors have evolved Shifu in 2016. Our research has found that Shifu has incorporated multiple new techniques to infect and evade detection on Microsoft Windows systems. Some of these include:\r\n\r\n Exploitation of CVE-2016-0167, a Microsoft Windows privilege escalation vulnerability, to gain SYSTEM level privileges. Earlier versions of Shifu exploited CVE-2015-0003 to achieve the same goal\r\n Use of a Windows atom to identify if the host is already infected with Shifu, in addition to the mutex used by previous versions\r\n Use of \u201cpush-calc-ret\u201d API obfuscation to hide function calls from malware analysts\r\n Use of alternative Namecoin .bit domains\r\n\r\nWe have also identified new links between Shifu and other tools, which suggest Shifu isn\u2019t simply based on the Shiz Trojan, but is probably the latest evolution of Shiz.\r\n\r\nThe primary goal of this report is to introduce Shifu\u2019s new features to other malware analysts who may encounter this Trojan in the future. The following sections give an overview of the new features, and the appendix at the end includes the technical details on the overall functionality of Shifu."
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797291",
"to_ids": false,
"type": "link",
"uuid": "5870f32b-6864-4da5-87f3-477c950d210f",
"value": "http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/"
},
{
"category": "Payload installation",
"comment": "Exploitation of CVE-2016-0167, a Microsoft Windows privilege escalation vulnerability, to gain SYSTEM level privileges. Earlier versions of Shifu exploited CVE-2015-0003 to achieve the same goal",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797347",
"to_ids": false,
"type": "vulnerability",
"uuid": "5870f363-0640-47d0-9bdd-422d950d210f",
"value": "CVE-2016-0167"
},
{
"category": "Payload installation",
"comment": "Exploitation of CVE-2016-0167, a Microsoft Windows privilege escalation vulnerability, to gain SYSTEM level privileges. Earlier versions of Shifu exploited CVE-2015-0003 to achieve the same goal",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797347",
"to_ids": false,
"type": "vulnerability",
"uuid": "5870f363-d7dc-4588-815e-4bfb950d210f",
"value": "CVE-2015-0003"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797393",
"to_ids": true,
"type": "pdb",
"uuid": "5870f391-9b5c-440e-b68a-4de3950d210f",
"value": "Z:\\coding\\cryptor\\Release\\crypted.pdb"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797395",
"to_ids": true,
"type": "pdb",
"uuid": "5870f393-add0-49e8-921f-47a6950d210f",
"value": "Z:\\coding\\malware\\tests\\Release\\cryptoshit.pdb"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797395",
"to_ids": true,
"type": "pdb",
"uuid": "5870f393-4888-4dc5-8269-4753950d210f",
"value": "Z:\\coding\\malware\\RDP\\output\\Release\\rdp_bot.pdb"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797396",
"to_ids": true,
"type": "pdb",
"uuid": "5870f394-4a04-4eac-b562-4d39950d210f",
"value": "Z:\\coding\\malware\\ScanBot\\Release\\bot.pdb"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797397",
"to_ids": true,
"type": "pdb",
"uuid": "5870f395-b0ac-412c-9c9e-4c02950d210f",
"value": "Z:\\coding\\project\\main\\payload\\payload.x86.pdb"
},
{
"category": "Payload delivery",
"comment": "Initial obfuscated loader",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797421",
"to_ids": true,
"type": "sha256",
"uuid": "5870f3ad-77c8-409b-a83f-42e6950d210f",
"value": "d3f9c4037f8b4d24f2baff1e0940d2bf238032f9343d06478b5034d0981b2cd9"
},
{
"category": "Payload delivery",
"comment": "Initial obfuscated loader",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797422",
"to_ids": true,
"type": "sha256",
"uuid": "5870f3ae-e4bc-42ea-8d87-4010950d210f",
"value": "368b23e6d9ec7843e537e9d6547777088cf36581076599d04846287a9162652b"
},
{
"category": "Payload delivery",
"comment": "Initial obfuscated loader",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797423",
"to_ids": true,
"type": "sha256",
"uuid": "5870f3af-3904-4b3c-b447-41fc950d210f",
"value": "e7e154c65417f5594a8b4602db601ac39156b5758889f708dac7258e415d4a18"
},
{
"category": "Payload delivery",
"comment": "Initial obfuscated loader",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797423",
"to_ids": true,
"type": "sha256",
"uuid": "5870f3af-7a24-489c-9e8a-4cef950d210f",
"value": "f63ec1e5752eb8b9a07104f42392eebf143617708bfdd0fe31cbf00ef12383f9"
},
{
"category": "Payload delivery",
"comment": "Second stage injector",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797446",
"to_ids": true,
"type": "sha256",
"uuid": "5870f3c6-0068-42bb-bec1-4c6c950d210f",
"value": "003965bd25acb7e8c6e16de4f387ff9518db7bcca845502d23b6505d8d3cec01"
},
{
"category": "Payload delivery",
"comment": "Second stage injector",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797447",
"to_ids": true,
"type": "sha256",
"uuid": "5870f3c7-1940-479d-b282-4b0f950d210f",
"value": "1188c5c9f04658bef20162f3001d9b89f69c93bf5343a1f849974daf6284a650"
},
{
"category": "Payload delivery",
"comment": "Exploit injector",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797468",
"to_ids": true,
"type": "sha256",
"uuid": "5870f3dc-fa2c-4b55-b184-439a950d210f",
"value": "e7c1523d93154462ed9e15e84d3af01abe827aa6dd0082bc90fc8b58989e9a9a"
},
{
"category": "Payload delivery",
"comment": "CVE-2016-0167 exploit (x86)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797487",
"to_ids": true,
"type": "sha256",
"uuid": "5870f3ef-7c44-4011-a6cb-4038950d210f",
"value": "5124f4fec24acb2c83f26d1e70d7c525daac6c9fb6e2262ed1c1c52c88636bad"
},
{
"category": "Payload delivery",
"comment": "CVE-2016-0167 exploit (x64)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797504",
"to_ids": true,
"type": "sha256",
"uuid": "5870f400-92d0-4150-b336-4188950d210f",
"value": "f3c2d4090f6f563928e9a9ec86bf0f1c6ee49cdc110b7368db8905781a9a966e"
},
{
"category": "Payload delivery",
"comment": "Main payload",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797527",
"to_ids": true,
"type": "sha256",
"uuid": "5870f417-9e8c-44e7-aa42-4b41950d210f",
"value": "e9bd4375f9b0b95f385191895edf81c8eadfb3964204bbbe48f7700fc746e4dc"
},
{
"category": "Payload delivery",
"comment": "Main payload",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797528",
"to_ids": true,
"type": "sha256",
"uuid": "5870f418-6144-41da-8f8f-4519950d210f",
"value": "5ca2a9de65c998b0d0a0a01b4aa103a9410d76ab86c75d7b968984be53e279b6"
},
{
"category": "Network activity",
"comment": "The main payload of Shifu uses the .bit top-level domain, a decentralized DNS system based on the Namecoin infrastructure. The malware resolves the IP addresses of the domains by contacting the following hardcoded Namecoin DNS servers in turn",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797686",
"to_ids": false,
"type": "ip-dst",
"uuid": "5870f459-8f84-46fb-8337-487d950d210f",
"value": "92.222.80.28"
},
{
"category": "Network activity",
"comment": "The main payload of Shifu uses the .bit top-level domain, a decentralized DNS system based on the Namecoin infrastructure. The malware resolves the IP addresses of the domains by contacting the following hardcoded Namecoin DNS servers in turn",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797696",
"to_ids": false,
"type": "ip-dst",
"uuid": "5870f45a-ced0-4005-8c53-4d40950d210f",
"value": "78.138.97.93"
},
{
"category": "Network activity",
"comment": "The main payload of Shifu uses the .bit top-level domain, a decentralized DNS system based on the Namecoin infrastructure. The malware resolves the IP addresses of the domains by contacting the following hardcoded Namecoin DNS servers in turn",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797707",
"to_ids": false,
"type": "ip-dst",
"uuid": "5870f45b-ab50-4287-a78c-4d5b950d210f",
"value": "77.66.108.93"
},
{
"category": "Network activity",
"comment": "At the time of analysis, only the following Namecoin DNS server answered with the IP address of the actual C&C server.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797670",
"to_ids": false,
"type": "hostname",
"uuid": "5870f4a6-fa74-4521-9406-436e950d210f",
"value": "ns1.dk.dns.d0wn.biz"
},
{
"category": "Network activity",
"comment": "Both domain names, klyatiemoskali.bit and slavaukraine.bit, resolved to the IP address 103.199.16.106 at the time of analysis.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797772",
"to_ids": true,
"type": "ip-dst",
"uuid": "5870f50c-8794-4494-94b6-411f950d210f",
"value": "103.199.16.106"
},
{
"category": "Payload delivery",
"comment": "Both domain names, klyatiemoskali.bit and slavaukraine.bit, resolved to the IP address 103.199.16.106 at the time of analysis.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797790",
"to_ids": true,
"type": "filename",
"uuid": "5870f51e-2684-41fa-bd5c-411d950d210f",
"value": "klyatiemoskali.bit"
},
{
"category": "Payload delivery",
"comment": "Both domain names, klyatiemoskali.bit and slavaukraine.bit, resolved to the IP address 103.199.16.106 at the time of analysis.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797791",
"to_ids": true,
"type": "filename",
"uuid": "5870f51f-3f24-4d5d-bdbf-416b950d210f",
"value": "slavaukraine.bit"
},
{
"category": "Payload delivery",
"comment": "Initial obfuscated loader - Xchecked via VT: d3f9c4037f8b4d24f2baff1e0940d2bf238032f9343d06478b5034d0981b2cd9",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797834",
"to_ids": true,
"type": "sha1",
"uuid": "5870f54a-8dd4-4624-8120-4bad02de0b81",
"value": "472c49709b5bf423b05f9c516be9fcf6750c874b"
},
{
"category": "Payload delivery",
"comment": "Initial obfuscated loader - Xchecked via VT: d3f9c4037f8b4d24f2baff1e0940d2bf238032f9343d06478b5034d0981b2cd9",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797834",
"to_ids": true,
"type": "md5",
"uuid": "5870f54a-d7a4-401c-9416-4dbb02de0b81",
"value": "7e8eba7fb31ceab049fe43d020dc34bf"
},
{
"category": "External analysis",
"comment": "Initial obfuscated loader - Xchecked via VT: d3f9c4037f8b4d24f2baff1e0940d2bf238032f9343d06478b5034d0981b2cd9",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797835",
"to_ids": false,
"type": "link",
"uuid": "5870f54b-3930-47d3-8f15-4ed602de0b81",
"value": "https://www.virustotal.com/file/d3f9c4037f8b4d24f2baff1e0940d2bf238032f9343d06478b5034d0981b2cd9/analysis/1476315072/"
},
{
"category": "Payload delivery",
"comment": "Initial obfuscated loader - Xchecked via VT: 368b23e6d9ec7843e537e9d6547777088cf36581076599d04846287a9162652b",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797836",
"to_ids": true,
"type": "sha1",
"uuid": "5870f54c-9760-4b93-b1eb-43f702de0b81",
"value": "3cd5a202fd64b8512557a80426f82c3359756f21"
},
{
"category": "Payload delivery",
"comment": "Initial obfuscated loader - Xchecked via VT: 368b23e6d9ec7843e537e9d6547777088cf36581076599d04846287a9162652b",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797836",
"to_ids": true,
"type": "md5",
"uuid": "5870f54c-9fc0-4b09-8064-498602de0b81",
"value": "f25528baf3d68444fa7d7fda382e9835"
},
{
"category": "External analysis",
"comment": "Initial obfuscated loader - Xchecked via VT: 368b23e6d9ec7843e537e9d6547777088cf36581076599d04846287a9162652b",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797837",
"to_ids": false,
"type": "link",
"uuid": "5870f54d-98b4-4843-b50f-417502de0b81",
"value": "https://www.virustotal.com/file/368b23e6d9ec7843e537e9d6547777088cf36581076599d04846287a9162652b/analysis/1476120793/"
},
{
"category": "Payload delivery",
"comment": "Initial obfuscated loader - Xchecked via VT: e7e154c65417f5594a8b4602db601ac39156b5758889f708dac7258e415d4a18",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797838",
"to_ids": true,
"type": "sha1",
"uuid": "5870f54e-ddc8-451c-9241-424302de0b81",
"value": "d74fd4cd8d82450c9436b608631f5ae69fe45187"
},
{
"category": "Payload delivery",
"comment": "Initial obfuscated loader - Xchecked via VT: e7e154c65417f5594a8b4602db601ac39156b5758889f708dac7258e415d4a18",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797839",
"to_ids": true,
"type": "md5",
"uuid": "5870f54f-f520-4ce5-87bf-468202de0b81",
"value": "ebf3e72f8b698bbb0d026416d7a75a6a"
},
{
"category": "External analysis",
"comment": "Initial obfuscated loader - Xchecked via VT: e7e154c65417f5594a8b4602db601ac39156b5758889f708dac7258e415d4a18",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797840",
"to_ids": false,
"type": "link",
"uuid": "5870f550-7bb0-4a2d-afa9-4fdc02de0b81",
"value": "https://www.virustotal.com/file/e7e154c65417f5594a8b4602db601ac39156b5758889f708dac7258e415d4a18/analysis/1476121083/"
},
{
"category": "Payload delivery",
"comment": "Initial obfuscated loader - Xchecked via VT: f63ec1e5752eb8b9a07104f42392eebf143617708bfdd0fe31cbf00ef12383f9",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797840",
"to_ids": true,
"type": "sha1",
"uuid": "5870f550-d244-46af-acc6-4d1102de0b81",
"value": "a09aa148ac6fbbbea05d63c923d44c7126f63ff3"
},
{
"category": "Payload delivery",
"comment": "Initial obfuscated loader - Xchecked via VT: f63ec1e5752eb8b9a07104f42392eebf143617708bfdd0fe31cbf00ef12383f9",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797841",
"to_ids": true,
"type": "md5",
"uuid": "5870f551-43f4-4734-9ea4-43c602de0b81",
"value": "e98459c647a6e328c8b65945884ef29a"
},
{
"category": "External analysis",
"comment": "Initial obfuscated loader - Xchecked via VT: f63ec1e5752eb8b9a07104f42392eebf143617708bfdd0fe31cbf00ef12383f9",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483797842",
"to_ids": false,
"type": "link",
"uuid": "5870f552-90a0-4f87-8962-426802de0b81",
"value": "https://www.virustotal.com/file/f63ec1e5752eb8b9a07104f42392eebf143617708bfdd0fe31cbf00ef12383f9/analysis/1476121104/"
}
]
}
}