Kaspersky_Lab_crouching_yeti_appendixes_eng_final

More documents

Recommendations

Info

Contents I. Appendix 1: Indicators of compromise 3 II. Appendix 2: Havex loader – detailed analysis 5 III. Appendix 3: The Sysmain backdoor – detailed analysis 47 IV. Appendix 4: Ddex loader – detailed analysis 54 V. Appendix 5: The ClientX backdoor – detailed analysis 57 VI. Appendix 6: Karagany backdoor – detailed analysis 65 VII. Appendix 7: C&C Analysis 71 VIII. Appendix 8: Victim identification 73 IX. Appendix 9: Hashes 81 X. Appendix 10: Delivery methods – detailed analysis 86 10.1. Hijacked installers of legitimate software 86 10.2. Exploitation 90 10.3. Obvious Metasploit Rips 102 10.4. Changing Lights Out exploit sites’ download flow 104 10.5. Related Targeted Software and CVE Entries 105 XI. Appendix 11: Malicious Domains and Redirectors 108 XII. Appendix 12: Previous and parallel research 115 TLP: Green For any inquire please contact intelreports@kaspersky.com
3 I. Appendix 1: Indicators of compromise Files: %SYSTEM%\TMPprovider0XX.dll %SYSTEM%\svcprocess0XX.dll %SYSTEM%\Phalanx-3d.Agent.dll %SYSTEM%\Phalanx-3d.ServerAgent.dll %COMMON_APPDATA%\TMPprovider0XX.dll %COMMON_APPDATA%\Phalanx-3d.Agent.dll %COMMON_APPDATA%\Phalanx-3d.ServerAgent.dll %APPDATA%\TMPprovider0XX.dll %APPDATA%\Phalanx-3d.Agent.dll %APPDATA%\Phalanx-3d.ServerAgent.dll %APPDATA%\sydmain.dll %TEMP%\TMPprovider0XX.dll %TEMP%\Phalanx-3d.Agent.dll %TEMP%\Phalanx-3d.ServerAgent.dll %TEMP%\srvsce32.dll %TEMP%\~tmpnet.dll %TEMP%\tmp687.dll %TEMP%\*.xmd %TEMP%\*.yls %TEMP%\qln.dbx %TEMP%\Low\ddex.exe %TEMP%\Low\~tmppnet.dll %TEMP%\Low\~ntp.tmp %TEMP%\Low\~task.tmp %TEMP%\Low\~ldXXXX.TMP %TEMP%\bp.exe %TEMP%\~tmp1237.txt C:\ProgramData\ C:\ProgramData\Cap\ C:\ProgramData\Mail\ C:\ProgramData\Mail\MailAg\ C:\ProgramData\Cap\Cap.exe C:\ProgramData\Mail\MailAg\scs.jpg TLP: Green For any inquire please contact intelreports@kaspersky.com
Page 1: Crouching Yeti — Appendixes Kaspe
Page 5 and 6: 5 II. Appendix 2: Havex loader - de
Page 7 and 8: 7 030: 309276719429789193750028F978
Page 9 and 10: 9 Decoded RSA 1024 bit key: 0000000
Page 11 and 12: 11 • Running Processes • Proxy
Page 13 and 14: 13 Control Panel\International\ sCo
Page 15 and 16: 15 version 029 3x1 version 030 3x1
Page 17 and 18: 17 CLSID: UserType: VerIndProgID:
Page 19 and 20: 19 Config in stored in resource WRT
Page 21 and 22: 21 compiled: Thu, 02 Feb 2012 09:50
Page 23 and 24: 23 the RSAeuro library. They recomp
Page 25 and 26: 25 N parameter in one sample: The E
Page 27 and 28: 27 Havex sample details by version
Page 29 and 30: 29 Compiled: Mon, 07 Nov 2011 09:40
Page 31 and 32: 31 SHA-256: 8d343be0ea83597f041f9cb
Page 33 and 34: 33 SHA-256: 0f4046be5de15727e8ac786
Page 35 and 36: 35 Compiled: Tue, 10 Jan 2012 14:04
Page 37 and 38: 37 SHA-256: 72ff91b3f36ccf07e3daf67
Page 39 and 40: 39 Compiled: C2 URLs: Mon, 12 Mar 2
Page 41 and 42: 41 Compiled: Fri, 26 Oct 2012 10:12
Page 43 and 44: 43 www.idweb.ru/assets/modules/docm
Page 45 and 46: 45 C2 URLs: www.pc-service-fm.de/mo
Page 47 and 48: 47 III. Appendix 3: The Sysmain bac
Page 49 and 50: 49 antibioticsdrugstore.com/err/log
Page 51 and 52: 51 The path to this file is saved i
Page 53 and 54:
53 • “dll”: load dll sent fro
Page 55 and 56:
55 index.cgi/?loc=258 • Get systi
Page 57 and 58:
57 V. Appendix 5: The ClientX backd
Page 59 and 60:
59 public string[] servers; public
Page 61 and 62:
61 Once it is done filling the prSe
Page 63 and 64:
63 5.5.3 TIM The TIM command is res
Page 65 and 66:
65 VI. Appendix 6: Karagany backdoo
Page 67 and 68:
67 • Xfrost • Killklg List of s
Page 69 and 70:
69 Main Features: * Full Screen Cap
Page 71 and 72:
71 VII. Appendix 7: C&C Analysis Th
Page 73 and 74:
73 VIII. Appendix 8: Victim identif
Page 75 and 76:
75 Victim 24 Areas of activity: rec
Page 77 and 78:
77 Victim 49 Telecommunications and
Page 79 and 80:
79 Victim 75 University in Taiwan.
Page 81 and 82:
81 IX. Appendix 9: Hashes Havex, Sy
Page 83 and 84:
83 c66525285707daff30fce5d79eb1bdf3
Page 85 and 86:
85 ClientX: 66ab3a26ffe5d9fb72083dc
Page 87 and 88:
87 data\sydmain.dll”,AGTwLoad eWo
Page 89 and 90:
89 Path: %TEMP%\qln.dbx Size: 2 Des
Page 91 and 92:
91 SHA-256: e94b97716d354a21dcff365
Page 93 and 94:
93 After the strcat call values sma
Page 95 and 96:
95 And when decoded, the contents o
Page 97 and 98:
97 kool.jar ¦ fcswzHCx.class, 330
Page 99 and 100:
99 The encoding algo was a simple a
Page 101 and 102:
101 The decoded strings here: TLP:
Page 103 and 104:
103 f0.appendChild(document.createE
Page 105 and 106:
105 10.5. Related Targeted Software
Page 107 and 108:
107 the relevant code is called in
Page 109 and 110:
109 Exploit URL roxsuite.com/compon
Page 111 and 112:
111 Compromised Referrer Referrer P
Page 113 and 114:
113 Compromised Referrer Referrer P
Page 115 and 116:
115 XII. Appendix 12: Previous and
show all

Kaspersky_Lab_crouching_yeti_appendixes_eng_final

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?