[en] Malware with “big size”

Two days ago, I came across an exploit kit that dropped a 16 MB file.
I didn't keep the URL; the detections were good.
Yesterday, on a removal forum, I came across two other malware samples with a "big size".

HKShip.exe (16 MB): it also sits in the startup directory and creates random numeric files: http://pjjoint.malekal.com/files.php?read=20130123_z14z15r15h6x6
Malwarebytes Anti-Malware is able to detect those random files but not the HKShip.exe file itself: http://cjoint.com/13jv/CAwvKEFdeLE.htm

[image: dropper_bigfile_HKShip]

The second file is v8uivv8.exe.
A service launches it through a batch file:

@echo off
set path=C:\Users/Floriane/AppData/Roaming\
set exe="%path%"v8uivv8.exe
%exe%

Very simple, but probably effective at bypassing detection.

[image: dropper_bigfile_205mo_file]
There is also a Run key: [image: dropper_bigfile_205mo_file2]
And yes, you are not dreaming, the file is 205 MB:
[image: dropper_bigfile_205mo_file3]

This one is very interesting.
Zipped, the size drops to 205 KB.
It's VB-packed, probably with anti-VM checks (it doesn't run on VMware or VirtualBox).
malwr.com and Anubis also failed on it.
It creates a mutex and exits: http://malwr.com/analysis/c75a563eeb67bc3f03bfd12dd33d327b/

Here is the detection of a cleaned version (thanks to Horgh): https://www.virustotal.com/file/ef37e496392fa87ad7b6d446dffcdadfe26068f87d0f46db9429936cc3ab8257/analysis/

SHA256: ef37e496392fa87ad7b6d446dffcdadfe26068f87d0f46db9429936cc3ab8257
File name: v8uivv8.exe
Detection ratio: 8 / 45
Analysis date: 2013-01-23 17:39:28 UTC ( 13 heures, 7 minutes ago )

AntiVir TR/Dropper.Gen 20130123
Avast Win32:Downloader-QUA [Trj] 20130123
AVG Downloader.VB.ACPG 20130123
CAT-QuickHeal (Suspicious) - DNAScan 20130123
ESET-NOD32 a variant of Win32/TrojanDownloader.VB.QBA 20130123
Fortinet W32/VBKrypt.C!tr 20130123
GData Win32:Downloader-QUA 20130123
Panda Suspicious file 20130123

I was able to run it:
[image: dropper_bigfile]
First it contacts Yahoo to test connectivity: [image: dropper_bigfile_Yahoo]

Then it connects to 210.83.80.66 on port 82:

descr: China Unicom CncNet
country: CN
origin: AS9929
mnt-by: MAINT-CNCGROUP-RR
changed: [email protected] 20060330
source: APNIC
[image: dropper_bigfile2]

After that it launches the web browser: [image: dropper_bigfile4]
And again the 205 MB file size: [image: dropper_bigfile3]
Web connections, so Trojan Clicker behaviour: [image: dropper_bigfile5]

The traffic with 210.83.80.66 returns some other malicious files to be downloaded:

[image: dropper_bigfile6]

Looks like Chinese stuff.
Detections are really good:

[image: dropper_bigfile_205mo_file4]

Why this size trick?
Probably to prevent malicious files from being grabbed automatically by antivirus clients (most antivirus clients send files or hashes to the lab so detection can be added).
It's also a pain to send such a file to vendors, because most of them work with an email submission procedure.
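The "big size" trick described above has a cheap tell that a defender can check before bothering to upload anything: the 205 MB sample zipped down to 205 KB, and a genuine binary almost never compresses by three orders of magnitude. The script below is an added example written for this post, not the author's tooling or any vendor's. It streams a file through zlib to measure its compression ratio, walks the file backwards to measure how much of it is one repeated byte, and flags large files where either signal is extreme. The size and ratio thresholds and the two constructed sample files are assumptions chosen for illustration; the samples are not real executables.

```python
"""Triage check for artificially inflated executables (added example)."""
import os
import random
import tempfile
import zlib

LARGE_BYTES = 10 * 1024 * 1024  # assumption: only files above 10 MiB are candidates
MIN_RATIO = 50.0                # assumption: raw/compressed ratio treated as suspicious
MIN_TAIL_FRACTION = 0.9         # assumption: share of the file in one trailing byte run
CHUNK = 1024 * 1024             # stream in 1 MiB pieces so 200 MB files fit in memory


def compression_ratio(path: str) -> float:
    """Raw size divided by zlib-compressed size, streamed with constant memory."""
    raw = packed = 0
    comp = zlib.compressobj(level=6)
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            raw += len(chunk)
            packed += len(comp.compress(chunk))
    packed += len(comp.flush())
    return raw / packed if packed else float("inf")


def trailing_run(path: str) -> tuple[int, int]:
    """Return (length, byte_value) of the run of identical bytes ending the file.

    Reads the file backwards chunk by chunk and stops as soon as the run breaks.
    """
    size = os.path.getsize(path)
    if size == 0:
        return 0, -1
    run, value, pos = 0, -1, size
    with open(path, "rb") as fh:
        while pos > 0:
            start = max(0, pos - CHUNK)
            fh.seek(start)
            chunk = fh.read(pos - start)
            pos = start
            if value < 0:
                value = chunk[-1]  # the very last byte of the file
            i = len(chunk)
            while i > 0 and chunk[i - 1] == value:
                i -= 1
            run += len(chunk) - i
            if i > 0:  # the run ended inside this chunk
                break
    return run, value


def padding_report(path: str) -> dict:
    """Combine size, compressibility and trailing-run length into one verdict."""
    size = os.path.getsize(path)
    ratio = compression_ratio(path)
    run, value = trailing_run(path)
    tail_fraction = run / size if size else 0.0
    suspicious = size >= LARGE_BYTES and (ratio >= MIN_RATIO or tail_fraction >= MIN_TAIL_FRACTION)
    return {
        "size": size,
        "compression_ratio": round(ratio, 1),
        "trailing_run": run,
        "trailing_byte": value,
        "tail_fraction": round(tail_fraction, 4),
        "suspicious": suspicious,
    }


def build_samples() -> tuple[str, str]:
    """Write two constructed files to a temp dir: one zero-padded, one not.

    A 4 KiB pseudo-random header stands in for the genuine part of a program.
    """
    rng = random.Random(1337)
    directory = tempfile.mkdtemp(prefix="bigsize_")
    padded = os.path.join(directory, "padded.bin")
    plain = os.path.join(directory, "plain.bin")
    with open(padded, "wb") as fh:
        fh.write(rng.randbytes(4096))
        for _ in range(12):
            fh.write(b"\x00" * CHUNK)  # 12 MiB of zero padding
    with open(plain, "wb") as fh:
        for _ in range(12):
            fh.write(rng.randbytes(CHUNK))  # 12 MiB of incompressible data
    return padded, plain


def demo() -> dict:
    """Run the check over both constructed samples and return the reports."""
    padded, plain = build_samples()
    return {"padded": padding_report(padded), "plain": padding_report(plain)}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

Run it as a script to see both reports; pointing `padding_report` at a real file in a Run key or service path gives the same verdict without reading the whole file into memory. A low ratio does not clear a file (a packer can fill the padding with encrypted junk), so treat a hit as a reason to look closer, not as a detection on its own.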

This article is licensed under Creative Commons BY-NC-SA.
You may share and modify this article, provided you credit the site and the license, use the same license if you modify the work, and do not use it commercially.
