Two days ago, I came across an exploit kit that dropped a 16 MB file.
I didn't keep the URL; the detection was good.
Yesterday, on a removal forum, I came across two other pieces of malware with a "big size".
HKShip.exe (16 MB). It also sits in the startup directory and creates the random numeric files: http://pjjoint.malekal.com/files.php?read=20130123_z14z15r15h6x6
Malwarebytes Anti-Malware is able to detect those random files but not the HKShip.exe file: http://cjoint.com/13jv/CAwvKEFdeLE.htm
The second file is v8uivv8.exe
A service launches it through a bat file:
set exe="%path%"v8uivv8.exe
Very simple, but probably efficient at bypassing detection.
And also a Run key:
And yes, you are not dreaming: the file is 205 MB in size:
This one is very interesting.
Zipped, the size drops to 205 KB.
It's VB-packed, probably with anti-VM checks (it doesn't run on VMware or VirtualBox).
malwr.com and Anubis also failed.
It creates a mutex and exits: http://malwr.com/analysis/c75a563eeb67bc3f03bfd12dd33d327b/
Here is the detection of a cleaned version (thank you to Horgh): https://www.virustotal.com/file/ef37e496392fa87ad7b6d446dffcdadfe26068f87d0f46db9429936cc3ab8257/analysis/
File name: v8uivv8.exe
Detection ratio: 8 / 45
Analysis date: 2013-01-23 17:39:28 UTC ( 13 heures, 7 minutes ago )
AntiVir TR/Dropper.Gen 20130123
Avast Win32:Downloader-QUA [Trj] 20130123
AVG Downloader.VB.ACPG 20130123
CAT-QuickHeal (Suspicious) – DNAScan 20130123
ESET-NOD32 a variant of Win32/TrojanDownloader.VB.QBA 20130123
Fortinet W32/VBKrypt.C!tr 20130123
GData Win32:Downloader-QUA 20130123
Panda Suspicious file 20130123
It then connects to 220.127.116.11 on port 82.
The traffic with 18.104.22.168 returns some other malicious files to be downloaded:
Looks like Chinese stuff.
Detections are really good:
Why this size trick?
Probably to prevent malicious files from being grabbed automatically by antivirus clients (most antivirus clients send the file or its hash to the lab to add detection).
It's also a pain to send it to vendors because most of them work through an email procedure.
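The observation above that a 205 MB file zips down to 205 KB gives a cheap triage signal for this size trick: an executable that is oversized yet compresses to a tiny fraction of its size is mostly padding. The following Python script is an added example, not part of the original post and not code from any of the tools it mentions; it walks a directory, flags PE files that are both above a size threshold and almost entirely compressible, and hashes them so the result can still be submitted by hash when the file itself is too big for a vendor's email procedure. The thresholds, the file names and the two constructed samples are assumptions made for the example.

```python
import hashlib
import os
import tempfile
import zlib

# Thresholds are assumptions made for this example, not figures from the post.
SIZE_THRESHOLD = 8 * 1024 * 1024   # bytes; anything above this is "oversized" for a plain dropper
RATIO_THRESHOLD = 0.05             # compressed/original below this means the file is mostly padding


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so very large samples never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for buf in iter(lambda: fh.read(chunk), b""):
            h.update(buf)
    return h.hexdigest()


def compression_ratio(path, chunk=1 << 20):
    """Return compressed_size / original_size, computed with zlib in streaming fashion."""
    comp = zlib.compressobj(6)
    original = compressed = 0
    with open(path, "rb") as fh:
        for buf in iter(lambda: fh.read(chunk), b""):
            original += len(buf)
            compressed += len(comp.compress(buf))
    compressed += len(comp.flush())
    return compressed / original if original else 1.0


def looks_like_pe(path):
    """Cheap check: a Windows executable starts with the 'MZ' DOS header magic."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def triage_padded_executables(directory, size_threshold=SIZE_THRESHOLD, ratio_threshold=RATIO_THRESHOLD):
    """Walk a directory and report oversized PE files that are almost entirely compressible."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            size = os.path.getsize(path)
            if size < size_threshold or not looks_like_pe(path):
                continue
            ratio = compression_ratio(path)
            if ratio < ratio_threshold:
                hits.append({"path": path, "size": size, "ratio": round(ratio, 4), "sha256": sha256_of(path)})
    return hits


def make_constructed_samples(directory):
    """Write two constructed fake executables: one padded with zeros, one genuinely large."""
    padded = os.path.join(directory, "padded.exe")
    with open(padded, "wb") as fh:
        fh.write(b"MZ" + os.urandom(200 * 1024))       # ~200 KB of incompressible "real" content
        fh.write(b"\x00" * (16 * 1024 * 1024))         # 16 MB of zero padding
    normal = os.path.join(directory, "normal.exe")
    with open(normal, "wb") as fh:
        fh.write(b"MZ" + os.urandom(9 * 1024 * 1024))  # oversized but incompressible, so not flagged
    return padded, normal


def run_demo():
    """Create the constructed samples in a temp dir and triage them; returns (hits, padded, normal)."""
    workdir = tempfile.mkdtemp(prefix="padded-pe-")
    padded, normal = make_constructed_samples(workdir)
    hits = triage_padded_executables(workdir)
    return hits, padded, normal


if __name__ == "__main__":
    hits, _, _ = run_demo()
    for h in hits:
        print(f"{h['path']}: {h['size']} bytes, ratio {h['ratio']}, sha256 {h['sha256']}")
```

Only the padded sample is reported: 200 KB of random content plus 16 MB of zeros compresses to roughly one percent of its size, while the 9 MB random file stays near a ratio of 1.0 and is left alone. Point the walk at the startup directory or the service binary path from the post instead of the temp dir to use it in practice; the compression ratio is a signal to prioritise samples for analysis, not a verdict, since legitimate installers with large embedded resources can also be oversized.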