Malware Analysis with twistd

On Kali Linux is an application called "twistd".  I utilized this program to spin up a quick FTP server and then an SMTP server to analyze some malware.  

To spin up the ftp server the following command was used:
twistd -n ftp -p 21
This allowed the malware to connect and allow me to pull the FTP username and FTP password was was being utilized.  I was also able to gather the SMTP information that I needed.  The DNS and other information was gathered with dnsspoof and other utilities.

To spin up the smtp server I needed to to allow for some sort of AUTH.   I utilized the following command:

twistd -n mail --smtp=25 --maildirdbmdomain='test.com=test' --user='test@test.com=password' --auth=anonymous -E --hostname=test.com
This tool was quick and efficient to gather information that I needed quickly.  From the malware I was able to identify the following indicators of compromise:

Email with Subject: Fw: CREDIT PAYMENT ALERT!($14,700.00) 
Link in email downloads: bank payment slip.zip 

Drops the following files after installation:
Console.exe - Virustotal Results (0/52) (hxxps://www.virustotal.com/en/file/30f083a7dc2cb9f3d242cb59bd935f5654dc7144f8b258c2b0da32504777b555/analysis/)

conf.ini - This contains the settings for Console.ex

core.dll - Virustotal Results (0/51) (hxxps://www.virustotal.com/en/file/8e1105aace5b1cb3a38bad511ef69361b41960bb62b2bb9de6131ec776825b41/analysis/)

runasservice.exe
service.ini
 
Other indicators: 
Sends an email outbound every 4 hours with the keystrokes, screenshots and other information that is dropped.
Sends outbound an SMTP message with subject "Money !!! OH MONEY !!!"
SMTP Account used to auth and relay the message is sholm3000@163.com
SMTP Server is smtp.163.com
Send to account: sholm3000@yahoo.com

Another way to send the files captured is by FTP:
FTP Server: sholm1000.bplaced.net
FTP Username: sholm1000
FTP Password: slowdown1234

Comments

Popular posts from this blog

Netflix Streaming Blocked by Sophos UTM

BSides 2016 Hackers Challenge

VBA - Script to Download a file from a URL

Python - Vega Conflict Script to Maximize Fleet Sizes based on Fleet Mass

IoT Malware Analysis - CnC Server - Part 3