Blog

This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE–Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Description

This report contains information obtained from automated analysis and is not intended to be a complete description of the submitted sample. Results may be limited due to the complexity of the samples, or due to the ability of the samples to defend against automated analysis techniques. If additional information is required, please contact the Cybersecurity and Infrastructure Security Agency (CISA) using the information provided at the end of this report.

One malicious Microsoft Word Document was submitted for analysis. The document is designed to drop files that injects malicious code into Windows processes.

For a downloadable copy of IOCs, see MIFR-10077745-1.v2.stix.

Files (3)

1676884af2f090307aa9d0c9997f01d7dfc2f0667019bec47e88229b2f8ee65f (purchaseorderno.89764125.doc)

c64657539a0e3a0ff8817705abc1afb081d4b86a42d4d358d7774207a8810beb (~WRD8811.tmp)

edd53e51acdf19ae2f287d20c858d6f9ac63415b034d0ed9ba8eaf49bb140782 (~WRD8911.tmp)

Domains (1)

indogulf.hopto.org

IPs (1)

104.255.68.92

1676884af2f090307aa9d0c9997f01d7dfc2f0667019bec47e88229b2f8ee65f

Tags

CVE-2015-1641droppertrojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

This file is a Microsoft Word Document designed to drop two malicious executable files. These executable files are .NET PE files and share the same MD5 hash value. Upon execution, the Word document drops and executes the following files at run time:

— Begin Drop Files–

%AppData%LocalMicrosoftWindowsTemporary Internet FilesContent.Word~WRD8811.tmp
%AppData%LocalMicrosoftWindowsTemporary Internet FilesContent.Word~WRD8812.tmp

— End Drop Files–

c64657539a0e3a0ff8817705abc1afb081d4b86a42d4d358d7774207a8810beb

Tags

CVE-2015-1641trojan

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Packers/Compilers/Cryptors

Relationships

Description

This file is a .NET executable file and the original file name has been identified as “ubndetnj.exe”, which is displayed in the file’s properties. Upon execution, the malware checks if it is being run in a virtual environment. If the malware finds that it is being run in a virtual environment, it will drop a copy of itself into the following directory:

— Begin Drop Files–

%AppData%LocalMicrosoftWindowsTemporary Internet FilesContent.Word~WRD8811.tmp
%AppData%LocalMicrosoftWindowsTemporary Internet FilesContent.Word~WRD8812.tmp

— End Drop Files–

The file ubndetnj.exe, drops and loads a DLL file into the same directory as the previous dropper files.

If the malware does not detect that it is running in a virtual environment it will create a copy of itself into the following directories:

–Begin Directory–

%ProgramData%Client
%All Users%Client
%APPDATA%Roaming
%TEMP%4492

–End Directory–

The malware was copied into the victims profile.

Persistence was established by the malware in a 32 bit Windows environment with the creation of the following registry keys:

–Begin Registry Key–

HKEY: HKUSoftwareMicrosoftWindowsCurrentVersionRunOnce
Value Name: Client Monitor

Value Data: C:ProgramDataClientclient.exe” -a /a

HKEY: HKUSoftwareMicrosoftWindows NTCurrentVersionWinlog
Value Name: =shell

Value Data: explorer.exe,”C:UsersmarkieAppDataRoamingclientmonitor.exe”

HKLMSOFTWAREMicrosoftWindows NTCurrentVersionScheduleTaskCacheTasks{A8C524F2-14F2-4516-A9B1-8A03ECD6699A}DynamicInfo: 03 00 00 00 0C BE 4D 9E 83 4B D2 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionScheduleTaskCacheTreeClient MonitorId: “{A8C524F2-14F2-4516-A9B1-8A03ECD6699A}”
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionScheduleTaskCacheTreeClient MonitorIndex: 0x00000002
HKUS-1-5-21-2627192596-1068805455-678978931-1000SoftwareyD/qT8z5WeCyU6IM+GEC+A==: “tIQiMmreK4JTiAmI6pS+nXANOkkx26ewEImrJin28xg=”
HKUS-1-5-21-2627192596-1068805455-678978931-1000SoftwareFObKsonc89Gou4fOabcF9A==: “cQU0xUd8mLddaatQ/cs+kVFSaSZRYtMuyJm2SpPLfaM=”
HKUS-1-5-21-2627192596-1068805455-678978931-1000SoftwarePTH: “C:ProgramDataClientclient.exe”
HKUS-1-5-21-2627192596-1068805455-678978931-1000SoftwareMTX: “85281209e3b0af40c74dbf5e62dfc366bef39d6e17e41ec056953a40e4c9fc01”
HKUS-1-5-21-2627192596-1068805455-678978931-1000SoftwarePRC: “3648”

–End Registry Key–

The malware employed the following mutex objects:

–Begin Mutex–

Sessions1BaseNamedObjectsFireFX2836
Sessions1BaseNamedObjectsFireFX1536
Sessions1BaseNamedObjectsFireFX3148

–End Mutex–

The malware will then make a DNS query to the following domain:

–Begin Domain–

indogulf[.]hopto[.]org

–End Domain–

At the time of analysis the domain resolved to the following IP:

–Begin IP–

104[.]255.68.92

–End IP–

indogulf.hopto.org

Tags

command-and-control

URLs

• indogulf.hopto.org

Whois

Domain Name: HOPTO.ORG
Domain ID: D20065021-LROR
WHOIS Server:
Referral URL: http://www.srsplus.com
Updated Date: 2015-12-21T17:43:40Z
Creation Date: 2000-02-17T19:56:50Z
Registry Expiry Date: 2021-02-17T19:56:50Z
Sponsoring Registrar: TLDS L.L.C. d/b/a SRSPlus
Sponsoring Registrar IANA ID: 320
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant ID: cm8dnqb78dtu7b9c
Registrant Name: Domain Operations No-IP.com
Registrant Organization: Vitalwerks Internet Solutions, LLC
Registrant Street: 425 Maestro Dr.
Registrant Street: Second Floor
Registrant City: Reno
Registrant State/Province: NV
Registrant Postal Code: 89511
Registrant Country: US
Registrant Phone: +1.17758531883
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: domains@no-ip.com
Admin ID: cm8dnqb78dtu7b9c
Admin Name: Domain Operations No-IP.com
Admin Organization: Vitalwerks Internet Solutions, LLC
Admin Street: 425 Maestro Dr.
Admin Street: Second Floor
Admin City: Reno
Admin State/Province: NV
Admin Postal Code: 89511
Admin Country: US
Admin Phone: +1.17758531883
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: domains@no-ip.com
Tech ID: cm8dnqb78dtu7b9c
Tech Name: Domain Operations No-IP.com
Tech Organization: Vitalwerks Internet Solutions, LLC
Tech Street: 425 Maestro Dr.
Tech Street: Second Floor
Tech City: Reno
Tech State/Province: NV
Tech Postal Code: 89511
Tech Country: US
Tech Phone: +1.17758531883
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: domains@no-ip.com
Name Server: NF1.NO-IP.COM
Name Server: NF2.NO-IP.COM
Name Server: NF3.NO-IP.COM
Name Server: NF4.NO-IP.COM
Name Server: NF5.NO-IP.COM
DNSSEC: unsigned

Relationships

Description

The malware made a DNS query to this domain.

edd53e51acdf19ae2f287d20c858d6f9ac63415b034d0ed9ba8eaf49bb140782

Tags

CVE-2015-1641trojanvirus

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships

Description

This file is a DLL file. The file is designed to start new instances of the following Windows processes. The code injected into these processes is used for process enumeration:

–Begin Processes–

svchost.exe
dwm.exe
taskhost.exe
slui.exe

–End Processes–

104.255.68.92

Relationships

Description

The domain indogulf.hopto.org resolved to this IP.

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

• Maintain up-to-date antivirus signatures and engines.
• Keep operating system patches up-to-date.
• Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
• Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
• Enforce a strong password policy and implement regular password changes.
• Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
• Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
• Disable unnecessary services on agency workstations and servers.
• Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
• Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
• Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
• Scan all software downloaded from the Internet prior to executing.
• Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, “Guide to Malware Incident Prevention & Handling for Desktops and Laptops”.

• 1-888-282-0870
• NCCICCustomerService@us-cert.gov (UNCLASS)
• us-cert@dhs.sgov.gov (SIPRNET)
• us-cert@dhs.ic.gov (JWICS)

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.gov/forms/feedback/

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or soc@us-cert.gov.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

• Web: https://malware.us-cert.gov
• E-Mail: submit@malware.us-cert.gov
• FTP: ftp.malware.us-cert.gov (anonymous)

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA’s homepage at www.us-cert.gov.