Thursday, May 8, 2014

Malware Analysis with twistd

Kali Linux ships twistd, the Twisted framework's daemon runner, which can start a stock network service from a single command line.  I used it to spin up a quick FTP server and then an SMTP server while analyzing a malware sample.  

To spin up the FTP server I used the following command (-n keeps twistd in the foreground, so its log goes to the terminal):
twistd -n ftp -p 21
This let the malware connect and log in, so I could capture the FTP username and password it was using; FTP sends both in clear text, so a packet capture on the analysis box shows them as well.  I was also able to gather the SMTP information I needed.  The DNS requests and other information were captured with dnsspoof and other utilities.

To spin up the SMTP server I needed it to offer some form of SMTP AUTH, since the sample authenticates before it relays.  I used the following command:

twistd -n mail --smtp=25 --maildirdbmdomain='test.com=test' --user='test@test.com=password' --auth=anonymous -E --hostname=test.com
Here --smtp=25 sets the listening port, -E enables ESMTP (AUTH is an ESMTP extension, so without it the server never advertises it), --hostname is the name the server identifies itself with, --maildirdbmdomain and --user set up a local domain and mailbox, and --auth adds a credential checker.  Ports 21 and 25 need root, and the sample's DNS lookups have to be pointed at the analysis host first.
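What the SMTP listener actually has to do is small: advertise AUTH, accept whatever credential the sample offers, and store the envelope and message so the account, recipient and subject can be read off afterwards.  The following Python models that dialogue so you can see exactly what leaks at each step.  It is an added example, not code from this post or from Twisted; the SmtpSession and run_transcript names, the test.com hostname default and every address and credential in the constructed transcript are placeholders (the subject line is the one reported in this post).

```python
import base64


def b64(text):
    """Base64 a str the way an SMTP client does for AUTH."""
    return base64.b64encode(text.encode()).decode()


def _addr(arg):  # 'FROM:<a@b.c>' -> 'a@b.c'; also tolerates a bare address
    _, _, rest = arg.partition(":")
    return (rest or arg).strip().strip("<>")


class SmtpSession:
    """ESMTP dialogue that offers AUTH PLAIN/LOGIN, accepts any credential and keeps the mail."""

    def __init__(self, hostname="test.com"):
        self.hostname = hostname
        self.username = self.password = self.mail_from = None
        self.rcpt_to, self.body = [], []
        self._in_data = False
        self._auth = None  # pending AUTH step: "plain", "login-user" or "login-pass"

    def feed(self, line):  # handle one client line, return the reply (None inside DATA)
        if self._in_data:
            if line == ".":
                self._in_data = False
                return "250 OK queued"
            self.body.append(line[1:] if line.startswith("..") else line)  # dot-unstuff
            return None
        if self._auth:
            return self._auth_step(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            return f"250-{self.hostname}\r\n250 AUTH PLAIN LOGIN"
        if verb == "AUTH":
            mech, _, initial = arg.partition(" ")
            if mech.upper() not in ("PLAIN", "LOGIN"):
                return "504 Unrecognized authentication type"
            self._auth = "plain" if mech.upper() == "PLAIN" else "login-user"
            if initial:  # client put its first response on the AUTH line itself
                return self._auth_step(initial)
            return "334 " + (b64("Username:") if self._auth == "login-user" else "")
        if verb == "MAIL":
            self.mail_from = _addr(arg)
            return "250 OK"
        if verb == "RCPT":
            self.rcpt_to.append(_addr(arg))
            return "250 OK"
        if verb == "DATA":
            self._in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        return "221 Bye" if verb == "QUIT" else "502 Not implemented"

    def _auth_step(self, line):
        try:
            decoded = base64.b64decode(line, validate=True).decode("utf-8", "replace")
        except ValueError:  # covers binascii.Error; junk must not crash the listener
            self._auth = None
            return "501 Cannot decode response"
        if self._auth == "plain":
            parts = decoded.split("\0")  # RFC 4616: [authzid] NUL authcid NUL passwd
            if len(parts) != 3:
                self._auth = None
                return "501 Malformed AUTH PLAIN"
            _, self.username, self.password = parts
        elif self._auth == "login-user":
            self.username = decoded
            self._auth = "login-pass"
            return "334 " + b64("Password:")
        else:  # login-pass
            self.password = decoded
        self._auth = None
        return "235 Authentication successful"

    @property
    def subject(self):  # Subject header of the stored message, or None
        for hdr in self.body:
            if hdr == "":
                break
            if hdr.lower().startswith("subject:"):
                return hdr[8:].strip()
        return None


def run_transcript(session, client_lines):
    """Feed a client's lines in order; return the server's replies."""
    return [session.feed(line) for line in client_lines]


# Constructed transcript of a keylogger mailing its report: the subject is the
# one reported in this post; account, password and addresses are made up.
SAMPLE_SMTP_TRANSCRIPT = [
    "EHLO victim-pc", "AUTH LOGIN", b64("dropbox@example.com"), b64("hunter2"),
    "MAIL FROM:<dropbox@example.com>", "RCPT TO:<collector@example.net>", "DATA",
    "From: dropbox@example.com", "To: collector@example.net",
    "Subject: Money !!! OH MONEY !!!", "", "keystrokes attached", ".", "QUIT",
]
```

Run run_transcript(SmtpSession(), SAMPLE_SMTP_TRANSCRIPT) and read username, password, mail_from, rcpt_to and subject off the session; those five fields are the SMTP indicators this post lists.  The FTP side is simpler still, just the USER and PASS lines in clear text.  A real listener wraps this in a socket accept loop (or a Twisted LineReceiver) and writes the fields to a log; note that AUTH PLAIN may arrive either on the AUTH line itself or as a separate response, and that undecodable or malformed responses are answered with a 501 rather than dropping the connection, so a sample that retries still gets to leak its credential.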
twistd was quick to set up and got me the information I needed.  From the sample I identified the following indicators of compromise:

Email with Subject: Fw: CREDIT PAYMENT ALERT!($14,700.00) 
Link in email downloads: bank payment slip.zip 

Drops the following files after installation:
Console.exe - Virustotal Results (0/52) (hxxps://www.virustotal.com/en/file/30f083a7dc2cb9f3d242cb59bd935f5654dc7144f8b258c2b0da32504777b555/analysis/)

conf.ini - This contains the settings for Console.exe

core.dll - Virustotal Results (0/51) (hxxps://www.virustotal.com/en/file/8e1105aace5b1cb3a38bad511ef69361b41960bb62b2bb9de6131ec776825b41/analysis/)

runasservice.exe
service.ini
 
Other indicators: 
Sends an outbound email every 4 hours containing the keystrokes, screenshots and other information it has captured.
Sends an outbound SMTP message with the subject "Money !!! OH MONEY !!!"
SMTP account used to authenticate and relay the message: sholm3000@163.com
SMTP server: smtp.163.com
Recipient: sholm3000@yahoo.com

The captured files can also be exfiltrated over FTP:
FTP Server: sholm1000.bplaced.net
FTP Username: sholm1000
FTP Password: slowdown1234
