Kaspersky_Lab_crouching_yeti_appendixes_eng_final

More documents

Recommendations

Info

16 Size: 251392 Compiled: Fri, 16 May 2014 08:42:28 UTC SHA-256: 6aca45bb78452cd78386b8fa78dbdf2dda7fba6cc06482251e2a6820849c9e82 Size: 251392 Compiled: Fri, 16 May 2014 08:42:28 UTC Detailed analysis All currently known samples are completely identical in terms of code and differ only in the content of the resource. Code flow: • Decrypt config Config consists of RSA ID (29 bytes) and RSA key (1024 bit) and is stored inside resource TYU 0215 (bzip compressed and xored with “1312312”) 29 39ee448cf196304cfe9c6b1c2e436 344 AATFfxXmUZl/j8JBAwHkk8BcwTIKDcex+0GQp/V9EX4nt64NGsGsTXFhuorwjKCRt6Av3v+hB+gT9mAP9kqY 3TnN1x+MUHaoib1dw8SG9mW5YL+JNu3Kwud/bYGu916U/EGh8PFGruVE2PHXD8EII710gKm00lyi5+Ehjn5C SLLPKwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAQAB • Create lock file in %TEMP%\{rand}.tmp (empty) • Create debug log in %TEMP%\{rand}.tmp.dat Programm was started at %02i:%02i:%02i %02i:%02i:%02i.%04i: ************************************************************************** Start finging of LAN hosts... Finding was fault. Unexpective error Was found %i hosts in LAN: Hosts was’t found. Start finging of OPC Servers... Was found %i OPC Servers. %i) [\] TLP: Green For any inquire please contact intelreports@kaspersky.com
17 CLSID: UserType: VerIndProgID: OPC version support: OPC Servers not found. Programm finished Thread %02i return error code: Start finging of OPC Tags... %i)[%s\%s] Saved in ‘OPCServer%02i.txt’ %i)[%s] (not aviable) Thread %02i was terminated by ThreadManager(2) Thread %02i running... Thread %02i finished. • Look for LAN resources using Windows Networking COM objects: WNetOpenEnumW WNetEnumResource • For each resource found, create a thread which checks if it’s an OPC server & gets detailed OPC information using the following interfaces: IID_IOPCEnumGUID IID_IOPCServerList IID_IOPCServerList2 IID_IOPCServer IID_IOPCBrowse IID_IOPCBrowseServerAddressSpace IID_IOPCItemProperties CATID_OPCDAServer10 CATID_OPCDAServer20 CATID_OPCDAServer30 {55C382C8-21C7-4E88-96C1-BECFB1E3F483} {13486D51-4821-11D2-A494-3CB306C10000} {9DD0B56C-AD9E-43ee-8305-487F3188BF7A} {39C13A4D-011E-11D0-9675-0020AFD8ADB3} {39227004-A18F-4B57-8B0A-5235670F4468} {39C13A4F-011E-11D0-9675-0020AFD8ADB3} {39C13A72-011E-11D0-9675-0020AFD8ADB3} {63D5F430-CFE4-11D1-B2C8-0060083BA1FB} {63D5F432-CFE4-11D1-B2C8-0060083BA1FB} {CC603642-66D7-48F1-B69A-B625E73652D7} and writes collected info to the OPCServer.txt file: %s (Type=%i, Access=%i, ID=’%s’) OPC Server[%s\%s] v%i.%i(b%i) Server state: %i Group count value: %i Server band width: %08x TLP: Green For any inquire please contact intelreports@kaspersky.com
Page 1 and 2: Crouching Yeti — Appendixes Kaspe
Page 3 and 4: 3 I. Appendix 1: Indicators of comp
Page 5 and 6: 5 II. Appendix 2: Havex loader - de
Page 7 and 8: 7 030: 309276719429789193750028F978
Page 9 and 10: 9 Decoded RSA 1024 bit key: 0000000
Page 11 and 12: 11 • Running Processes • Proxy
Page 13 and 14: 13 Control Panel\International\ sCo
Page 15: 15 version 029 3x1 version 030 3x1
Page 19 and 20: 19 Config in stored in resource WRT
Page 21 and 22: 21 compiled: Thu, 02 Feb 2012 09:50
Page 23 and 24: 23 the RSAeuro library. They recomp
Page 25 and 26: 25 N parameter in one sample: The E
Page 27 and 28: 27 Havex sample details by version
Page 29 and 30: 29 Compiled: Mon, 07 Nov 2011 09:40
Page 31 and 32: 31 SHA-256: 8d343be0ea83597f041f9cb
Page 33 and 34: 33 SHA-256: 0f4046be5de15727e8ac786
Page 35 and 36: 35 Compiled: Tue, 10 Jan 2012 14:04
Page 37 and 38: 37 SHA-256: 72ff91b3f36ccf07e3daf67
Page 39 and 40: 39 Compiled: C2 URLs: Mon, 12 Mar 2
Page 41 and 42: 41 Compiled: Fri, 26 Oct 2012 10:12
Page 43 and 44: 43 www.idweb.ru/assets/modules/docm
Page 45 and 46: 45 C2 URLs: www.pc-service-fm.de/mo
Page 47 and 48: 47 III. Appendix 3: The Sysmain bac
Page 49 and 50: 49 antibioticsdrugstore.com/err/log
Page 51 and 52: 51 The path to this file is saved i
Page 53 and 54: 53 • “dll”: load dll sent fro
Page 55 and 56: 55 index.cgi/?loc=258 • Get systi
Page 57 and 58: 57 V. Appendix 5: The ClientX backd
Page 59 and 60: 59 public string[] servers; public
Page 61 and 62: 61 Once it is done filling the prSe
Page 63 and 64: 63 5.5.3 TIM The TIM command is res
Page 65 and 66: 65 VI. Appendix 6: Karagany backdoo
Page 67 and 68:
67 • Xfrost • Killklg List of s
Page 69 and 70:
69 Main Features: * Full Screen Cap
Page 71 and 72:
71 VII. Appendix 7: C&C Analysis Th
Page 73 and 74:
73 VIII. Appendix 8: Victim identif
Page 75 and 76:
75 Victim 24 Areas of activity: rec
Page 77 and 78:
77 Victim 49 Telecommunications and
Page 79 and 80:
79 Victim 75 University in Taiwan.
Page 81 and 82:
81 IX. Appendix 9: Hashes Havex, Sy
Page 83 and 84:
83 c66525285707daff30fce5d79eb1bdf3
Page 85 and 86:
85 ClientX: 66ab3a26ffe5d9fb72083dc
Page 87 and 88:
87 data\sydmain.dll”,AGTwLoad eWo
Page 89 and 90:
89 Path: %TEMP%\qln.dbx Size: 2 Des
Page 91 and 92:
91 SHA-256: e94b97716d354a21dcff365
Page 93 and 94:
93 After the strcat call values sma
Page 95 and 96:
95 And when decoded, the contents o
Page 97 and 98:
97 kool.jar ¦ fcswzHCx.class, 330
Page 99 and 100:
99 The encoding algo was a simple a
Page 101 and 102:
101 The decoded strings here: TLP:
Page 103 and 104:
103 f0.appendChild(document.createE
Page 105 and 106:
105 10.5. Related Targeted Software
Page 107 and 108:
107 the relevant code is called in
Page 109 and 110:
109 Exploit URL roxsuite.com/compon
Page 111 and 112:
111 Compromised Referrer Referrer P
Page 113 and 114:
113 Compromised Referrer Referrer P
Page 115 and 116:
115 XII. Appendix 12: Previous and
show all

Kaspersky_Lab_crouching_yeti_appendixes_eng_final

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?