sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex ... - CrySyS Lab

We also share some samples of the encryptions described above, to make it easier to pinpoint the encryption algorithm:

0000000000: FF F5 FF FF FF FE FE 23 │ FC FF FF FE 6F FE FF E4 ˙ő˙˙˙ţţ#ü˙˙ţoţ˙ä
0000000010: CE 4C 3E 00 00 00 00 00 │ 00 00 FD FB FF FF FF 46 ÎL> ýű˙˙˙F

Figure 23 – Sample for encryption/encoding of boot32drv.sys – simple XOR with 0xFF

0000000000: 75 EA EA EA FA 15 66 EA │ EE 15 66 EA EA EA E0 EA uęęęú§fęî§fęęęŕę
0000000010: EA F7 EF FC 24 EA EA EA │ 0D 0D 0D 0D 91 EA EA EA ę÷ďü$ęęę♪♪♪♪'ęęę

Figure 24 – Sample for encryption/encoding made with encryption E1; 0xEA 0x00
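As an added example (not part of the CrySyS report), the following Python recovers the raw bytes from the two hex-editor rows above, applies the single-byte XOR with 0xFF that Figure 23 documents for boot32drv.sys, and runs the byte-frequency check one would use to pinpoint an unknown byte-oriented encoding from a sample: in a file that is mostly zero padding, the dominant ciphertext byte is the encoding of plaintext 0x00, which for the Figure 24 sample is 0xEA, matching the caption's "0xEA 0x00". No key or algorithm is assumed for E1 itself; it is described elsewhere in the report.

```python
import re
from collections import Counter

# Hex-editor rows copied from Figure 23 (boot32drv.sys, XOR 0xFF) and
# Figure 24 (encryption E1) of the report. The trailing column is the
# editor's Latin-2 rendering of the same bytes and carries no extra data.
FIG23_ROWS = [
    "0000000000: FF F5 FF FF FF FE FE 23 │ FC FF FF FE 6F FE FF E4 ˙ő˙˙˙ţţ#ü˙˙ţoţ˙ä",
    "0000000010: CE 4C 3E 00 00 00 00 00 │ 00 00 FD FB FF FF FF 46 ÎL> ýű˙˙˙F",
]
FIG24_ROWS = [
    "0000000000: 75 EA EA EA FA 15 66 EA │ EE 15 66 EA EA EA E0 EA uęęęú§fęî§fęęęŕę",
    "0000000010: EA F7 EF FC 24 EA EA EA │ 0D 0D 0D 0D 91 EA EA EA ę÷ďü$ęęę♪♪♪♪'ęęę",
]

_ROW_RE = re.compile(r"^([0-9A-Fa-f]+):\s*(.*)$")
_HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")
BYTES_PER_ROW = 16


def parse_hexdump(rows):
    """Recover bytes from rows of the form 'offset: XX XX .. │ XX XX .. <text>'.

    Only the leading run of two-digit hex tokens (at most 16 per row) is
    taken, so characters in the text column that happen to look like hex
    can never be mistaken for data.
    """
    out = bytearray()
    for row in rows:
        m = _ROW_RE.match(row.strip())
        if not m:
            raise ValueError(f"not a hexdump row: {row!r}")
        pairs = []
        for tok in m.group(2).replace("│", " ").split():
            if not _HEX_PAIR.match(tok) or len(pairs) == BYTES_PER_ROW:
                break  # first non-hex token starts the text column
            pairs.append(tok)
        out += bytes.fromhex("".join(pairs))
    return bytes(out)


def xor_decode(data, key):
    """Single-byte XOR; with key 0xFF this undoes the boot32drv.sys encoding."""
    return bytes(b ^ key for b in data)


def byte_histogram(data, top=3):
    """Most frequent byte values as (value, count) pairs."""
    return Counter(data).most_common(top)


def encoding_of_zero(data):
    """Heuristic: in a sample dominated by zero padding, the most frequent
    ciphertext byte is the image of plaintext 0x00. This gives one known
    plaintext/ciphertext pair without assuming which scheme is in use."""
    return byte_histogram(data, 1)[0][0]


if __name__ == "__main__":
    fig23 = parse_hexdump(FIG23_ROWS)
    print("Figure 23 decoded:", xor_decode(fig23, 0xFF).hex(" "))
    fig24 = parse_hexdump(FIG24_ROWS)
    print("Figure 24 byte histogram:", byte_histogram(fig24))
    print("0x00 encodes to 0x%02X in the E1 sample" % encoding_of_zero(fig24))
```

The histogram step is what "pinpointing" an encoding looks like in practice: 15 of the 32 bytes in Figure 24 are 0xEA, so 0xEA is the image of 0x00, and any candidate scheme can be tested against that pair before reverse-engineering the rest.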

4.2. Registry parts

The malware does not modify many registry keys, as most information, data and configuration are stored in files. The affected registry entries are the following:

• For installation and startup, LSA is abused: the REG_MULTI_SZ value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages receives an additional line containing mssecmgr.ocx (the hex below decodes to the UTF-16 strings msv1_0 and mssecmgr.ocx):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,6d,\
00,73,00,73,00,65,00,63,00,6d,00,67,00,72,00,2e,00,6f,00,63,00,78,00,00,00,\
00,00

• For some communication between processes, the registry values wave8 and wave9 are used. Wave8 possibly stores a PID, but this is just a guess. Wave9 is the name for the stored version of the “main module”:

23:34:34,1794024 rundll32.exe 2388 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave9 NAME NOT FOUND Length: 536
23:35:05,5405919 wmiprvse.exe 2472 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave9 NAME NOT FOUND Length: 536
23:35:39,6297465 rundll32.exe 2388 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave9 NAME NOT FOUND Length: 144
23:35:39,6299138 rundll32.exe 2388 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave9 NAME NOT FOUND Length: 144
23:35:39,6300097 rundll32.exe 2388 RegSetValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave9 SUCCESS Type: REG_SZ, Length: 2, Data:
23:35:39,6302820 rundll32.exe 2388 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave9 SUCCESS Type: REG_SZ, Length: 2, Data:
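As an added example (not from the report), the following Python turns the two registry indicators above into checks an analyst can run offline on exported data: it decodes the hex(7) REG_MULTI_SZ from the .reg excerpt into its strings and flags any authentication package other than msv1_0 (an assumed clean baseline for the Windows versions of the period), and it filters Procmon-style registry events for operations on the Drivers32\wave8 and wave9 values. The sample log lines are the report's own except for one constructed, benign query of the default wave value, included to show that the filter ignores it.

```python
import re

# .reg excerpt for the LSA key as printed in the report. hex(7) is
# REG_MULTI_SZ: UTF-16LE strings, NUL-separated, double-NUL terminated,
# spread over backslash-continued lines.
LSA_REG_EXCERPT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,6d,\
00,73,00,73,00,65,00,63,00,6d,00,67,00,72,00,2e,00,6f,00,63,00,78,00,00,00,\
00,00
'''

# Assumed baseline: a clean system lists only msv1_0 in this value.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}

# Procmon-style events. The first three are from the report; the last is a
# constructed benign query of the default 'wave' value (not from the report).
PROCMON_LINES = [
    r"23:35:39,6297465 rundll32.exe 2388 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave9 NAME NOT FOUND Length: 144",
    r"23:35:39,6300097 rundll32.exe 2388 RegSetValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave9 SUCCESS Type: REG_SZ, Length: 2, Data:",
    r"23:35:39,6302820 rundll32.exe 2388 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave9 SUCCESS Type: REG_SZ, Length: 2, Data:",
    r"23:36:01,0000000 explorer.exe 1234 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave SUCCESS Type: REG_SZ, Length: 22, Data: wdmaud.drv",
]


def parse_reg_multi_sz(reg_text, value_name):
    """Return the strings of a hex(7) value from .reg text, joining
    backslash-continued lines and splitting on the UTF-16 NUL separators."""
    lines = [ln.strip() for ln in reg_text.strip().splitlines()]
    prefix = f'"{value_name}"=hex(7):'
    for i, line in enumerate(lines):
        if line.startswith(prefix):
            body = line[len(prefix):]
            while body.endswith("\\"):
                i += 1
                body = body[:-1] + lines[i]
            raw = bytes(int(tok, 16) for tok in body.split(",") if tok)
            return [s for s in raw.decode("utf-16-le").split("\x00") if s]
    raise KeyError(value_name)


def unexpected_auth_packages(packages, allowed=DEFAULT_AUTH_PACKAGES):
    """Every package listed here is loaded into lsass.exe at boot, so anything
    outside the baseline is a persistence indicator (here mssecmgr.ocx)."""
    return [p for p in packages if p.lower() not in allowed]


_EVENT_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<proc>\S+)\s+(?P<pid>\d+)\s+(?P<op>Reg\w+)\s+"
    r"(?P<path>.+?)\s+(?P<result>SUCCESS|NAME NOT FOUND)(?:\s+(?P<detail>.*))?$"
)
_WAVE_RE = re.compile(r"\\Drivers32\\wave[89]$", re.IGNORECASE)


def drivers32_wave_events(lines, ops=("RegSetValue",)):
    """Events of the given operations on Drivers32\\wave8 or \\wave9.
    Returns (process, pid, operation, value name) tuples."""
    hits = []
    for line in lines:
        m = _EVENT_RE.match(line)
        if m and m["op"] in ops and _WAVE_RE.search(m["path"]):
            hits.append((m["proc"], int(m["pid"]), m["op"], m["path"].rsplit("\\", 1)[1]))
    return hits


if __name__ == "__main__":
    pkgs = parse_reg_multi_sz(LSA_REG_EXCERPT, "Authentication Packages")
    print("Authentication Packages:", pkgs)
    print("unexpected packages:", unexpected_auth_packages(pkgs))
    print("Drivers32 wave8/wave9 writes:", drivers32_wave_events(PROCMON_LINES))
```

Only RegSetValue is reported by default because the report's own trace shows the values being queried repeatedly before they exist; widening `ops` to include RegQueryValue is useful when hunting for the reader side of the inter-process exchange.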

Laboratory of Cryptography and System Security (CrySyS)
Budapest University of Technology and Economics
www.crysys.hu 32
