[en] Malware with « big size »

Two days ago, i came across an exploit kit that drop a file with a 16mo size.
I didn’t keep the URL – the detections was good.
Yesterday, on a removal forum, i came across of a two others malwares with « big size ».

HKShip.exe (16Mo) – it also on the startup directory and creates the random numeric files : http://pjjoint.malekal.com/files.php?read=20130123_z14z15r15h6x6
Malwarebyte Anti-Malware is able to detect thoses random files but not the HKShip.exe file : http://cjoint.com/13jv/CAwvKEFdeLE.htm


The second file is v8uivv8.exe
A service with a bat file launch it :

@echo off
set path=C:\Users/Floriane/AppData/Roaming\
set exe= »%path% »v8uivv8.exe

Very simple but probably efficient to bypass detection.

And also a Run Key : dropper_bigfile_205mo_file2
and yeah you don’t dream, the file has a 205 Mo size :


This one is very interresting.
Zipped the size drop to 205ko.
It’s a VB Packed with probably anti-vm stuffs (doesn’t work on VMWare and VirtualBox).
Also malwr.com or Anubis failed.
It Creates a mutex and leaves : http://malwr.com/analysis/c75a563eeb67bc3f03bfd12dd33d327b/

Here the detection of a cleaned version (Thank you to Horgh ) : https://www.virustotal.com/file/ef37e496392fa87ad7b6d446dffcdadfe26068f87d0f46db9429936cc3ab8257/analysis/

SHA256: ef37e496392fa87ad7b6d446dffcdadfe26068f87d0f46db9429936cc3ab8257
File name: v8uivv8.exe
Detection ratio: 8 / 45
Analysis date: 2013-01-23 17:39:28 UTC ( 13 heures, 7 minutes ago )

AntiVir TR/Dropper.Gen 20130123
Avast Win32:Downloader-QUA [Trj] 20130123
AVG Downloader.VB.ACPG 20130123
CAT-QuickHeal (Suspicious) – DNAScan 20130123
ESET-NOD32 a variant of Win32/TrojanDownloader.VB.QBA 20130123
Fortinet W32/VBKrypt.C!tr 20130123
GData Win32:Downloader-QUA 20130123
Panda Suspicious file 20130123

I was able to run it :
First it contacts Yahoo to test the connectivity : dropper_bigfile_Yahoo

then connect to port 82

descr: China Unicom CncNet
country: CN
origin: AS9929
changed: abuse@cnc-noc.net 20060330
source: APNICdropper_bigfile2

after that it launchs the WEB browser : dropper_bigfile4
and again 205mo file size : dropper_bigfile3
WEB connections – so Trojan Clicker stuffs :  dropper_bigfile5

The traffic with
returns some others malicious files to be downloaded :


Look like Chinese stuffs.
Detection are really good :


Why this size trick ?
Probably to prevent malicious files to be grab automatcly by Antivirus Client (most of the Antivirus Client send file or hash to lab to add detection).
It’s also a pain to sent it to vendors because most of them work with email procedure.

(Visité 93 fois, 1 visites ce jour)