Thursday, May 8, 2014

Malware Analysis with twistd

On Kali Linux is an application called "twistd".  I utilized this program to spin up a quick FTP server and then an SMTP server to analyze some malware.  

To spin up the ftp server the following command was used:
twistd -n ftp -p 21
This allowed the malware to connect and allow me to pull the FTP username and FTP password was was being utilized.  I was also able to gather the SMTP information that I needed.  The DNS and other information was gathered with dnsspoof and other utilities.

To spin up the smtp server I needed to to allow for some sort of AUTH.   I utilized the following command:

twistd -n mail --smtp=25 --maildirdbmdomain='test.com=test' --user='test@test.com=password' --auth=anonymous -E --hostname=test.com
This tool was quick and efficient to gather information that I needed quickly.  From the malware I was able to identify the following indicators of compromise:

Email with Subject: Fw: CREDIT PAYMENT ALERT!($14,700.00) 
Link in email downloads: bank payment slip.zip 

Drops the following files after installation:
Console.exe - Virustotal Results (0/52) (hxxps://www.virustotal.com/en/file/30f083a7dc2cb9f3d242cb59bd935f5654dc7144f8b258c2b0da32504777b555/analysis/)

conf.ini - This contains the settings for Console.ex

core.dll - Virustotal Results (0/51) (hxxps://www.virustotal.com/en/file/8e1105aace5b1cb3a38bad511ef69361b41960bb62b2bb9de6131ec776825b41/analysis/)

runasservice.exe
service.ini
 
Other indicators: 
Sends an email outbound every 4 hours with the keystrokes, screenshots and other information that is dropped.
Sends outbound an SMTP message with subject "Money !!! OH MONEY !!!"
SMTP Account used to auth and relay the message is sholm3000@163.com
SMTP Server is smtp.163.com
Send to account: sholm3000@yahoo.com

Another way to send the files captured is by FTP:
FTP Server: sholm1000.bplaced.net
FTP Username: sholm1000
FTP Password: slowdown1234

No comments:

Post a Comment

Prepare, Bait, Hook, Execute and Control - Buffer Overflows

This post is the third of four that I am planning to write about social engineering specifically about phishing.  The form of phishing that...