Malware with "big size"

Two days ago, I came across an exploit kit that dropped a 16 MB file.
I didn't keep the URL; the detection was good.
Yesterday, on a removal forum, I came across two other malware samples with a "big size".

HKShip.exe (16 MB): it is also placed in the startup directory and creates random numeric files: http://pjjoint.malekal.com/files.php?read=20130123_z14z15r15h6x6
Malwarebytes Anti-Malware is able to detect those random files but not the HKShip.exe file itself: http://cjoint.com/13jv/CAwvKEFdeLE.htm

[Screenshot: dropper_bigfile_HKShip]

The second file is v8uivv8.exe.
A service launches it through a batch file:

@echo off
rem Directory of the dropped executable (mixed / and \ separators, which cmd.exe tolerates; note that this also clobbers %PATH% for this script)
set path=C:\Users/Floriane/AppData/Roaming\
rem Quote the directory, append the file name and run it
set exe="%path%"v8uivv8.exe
%exe%

Very simple, but probably efficient at bypassing detection.

[Screenshot: dropper_bigfile_205mo_file]
And also a Run key: [Screenshot: dropper_bigfile_205mo_file2]
And yes, you are not dreaming, the file is 205 MB:
[Screenshot: dropper_bigfile_205mo_file3]

This one is very interesting.
Zipped, the size drops to 205 KB.
It is VB-packed, probably with some anti-VM tricks (it doesn't run on VMware or VirtualBox).
malwr.com and Anubis also failed on it.
It creates a mutex and exits: http://malwr.com/analysis/c75a563eeb67bc3f03bfd12dd33d327b/

Here is the detection of a cleaned version (thank you to Horgh): https://www.virustotal.com/file/ef37e496392fa87ad7b6d446dffcdadfe26068f87d0f46db9429936cc3ab8257/analysis/

SHA256: ef37e496392fa87ad7b6d446dffcdadfe26068f87d0f46db9429936cc3ab8257
File name: v8uivv8.exe
Detection ratio: 8 / 45
Analysis date: 2013-01-23 17:39:28 UTC ( 13 heures, 7 minutes ago )

AntiVir TR/Dropper.Gen 20130123
Avast Win32:Downloader-QUA [Trj] 20130123
AVG Downloader.VB.ACPG 20130123
CAT-QuickHeal (Suspicious) – DNAScan 20130123
ESET-NOD32 a variant of Win32/TrojanDownloader.VB.QBA 20130123
Fortinet W32/VBKrypt.C!tr 20130123
GData Win32:Downloader-QUA 20130123
Panda Suspicious file 20130123

I was able to run it:
[Screenshot: dropper_bigfile]
First it contacts Yahoo to test connectivity: [Screenshot: dropper_bigfile_Yahoo]

Then it connects to 210.83.80.66 on port 82:

descr: China Unicom CncNet
country: CN
origin: AS9929
mnt-by: MAINT-CNCGROUP-RR
changed: abuse@cnc-noc.net 20060330
source: APNIC
[Screenshot: dropper_bigfile2]

After that it launches the web browser: [Screenshot: dropper_bigfile4]
and again the 205 MB file size: [Screenshot: dropper_bigfile3]
Web connections, so Trojan Clicker stuff: [Screenshot: dropper_bigfile5]

The traffic with 210.83.80.66 returns some other malicious files to be downloaded:

[Screenshot: dropper_bigfile6]

Looks like Chinese stuff.
Detections are really good:

[Screenshot: dropper_bigfile_205mo_file4]

Why this size trick?
Probably to prevent malicious files from being grabbed automatically by antivirus clients (most antivirus clients send the file or its hash to the lab to add detection).
It's also a pain to send it to vendors, because most of them work with an email submission procedure.
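A defender-side check for this size trick, added here as an example and not code from the original post: it flags a file that is huge on disk but compresses to almost nothing, or that ends in a long run of one byte, which is the profile of a padded dropper like the 205 MB v8uivv8.exe that zips down to 205 KB. The thresholds and the constructed sample are assumptions for the example.

```python
import random
import zlib


def compression_ratio(data: bytes) -> float:
    """Compressed size divided by raw size. Padding compresses to almost
    nothing, so a huge file with a tiny ratio is the padded-dropper profile."""
    return len(zlib.compress(data, 6)) / max(len(data), 1)


def trailing_run(data: bytes):
    """Length and value of the run of one repeated byte at the end of the
    file, where padding is usually appended as an overlay."""
    if not data:
        return 0, None
    last = data[-1]
    return len(data) - len(data.rstrip(bytes([last]))), last


def padding_report(data: bytes, ratio_threshold: float = 0.05,
                   run_threshold: int = 1 << 20) -> dict:
    """Flag a file as padding-suspicious if it compresses below
    ratio_threshold or ends with a single-byte run of at least run_threshold
    bytes. Both thresholds are assumptions chosen for this example."""
    ratio = compression_ratio(data)
    run_len, run_byte = trailing_run(data)
    return {
        "size": len(data),
        "ratio": round(ratio, 4),
        "trailing_run": run_len,
        "pad_byte": run_byte,
        "suspicious": ratio < ratio_threshold or run_len >= run_threshold,
    }


def scan_file(path: str) -> dict:
    """Run the check on a file from disk."""
    with open(path, "rb") as fh:
        return padding_report(fh.read())


def build_sample(payload_size: int = 100_000, pad_size: int = 8 << 20,
                 seed: int = 1) -> bytes:
    """Constructed stand-in for a padded dropper: an incompressible
    pseudo-random body followed by pad_size zero bytes (not a real PE)."""
    rng = random.Random(seed)
    body = bytes(rng.getrandbits(8) for _ in range(payload_size))
    return body + b"\x00" * pad_size


if __name__ == "__main__":
    print(padding_report(build_sample()))            # padded: suspicious
    print(padding_report(build_sample(pad_size=0)))  # unpadded: clean
```

Running it on a real sample only needs scan_file(path); a genuine large installer that compresses poorly will pass, while a zero-padded binary trips both tests.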
