VirusTotal scan: https://www.virustotal.com/en/file/fad4dc6268d03bcae8dbe2ff079798eff4ecb380233677b243bcd50d96273180/analysis/1456238541/
Download of file (INFECTED): nevergreen.net/6no
Decompiled with Exe2Aut.
When I first obtained the sample, I tried to analyze it on malwr, but I was unable to because malwr was down (probably due to a cyber attack). It was able to evade Anubis (https://anubis.iseclab.org/?action=result&task_id=1409319bac3c15d44bda1818b345394de&format=html), so my next thought was Hybrid Analysis, but due to the long wait I am doing static analysis first. In the VirusTotal scan I noticed that a file called Au1.tmp is created, which means this file is probably an AutoIt script! According to my source, this file was crypted using a crypter, which explains it. I quickly threw it in my VM and decompiled it. The source is available to researchers; if you want it, send me a request at [firstname.lastname@example.org removing all of the numbers from it].
The source is obfuscated manually, and while it uses some of the methods I mentioned in my previous post, it was not done very well. Only basic StringReverse and variables were used, and the variables were not divided up at all.
Activity analysis based on code:
- Installs itself to AppData\ZGIJJTiKhPcKTTZX.exe
- Removes the ZoneId
- Sets the file attributes to hidden and system
- Uses both the StartupDir and Registry keys for startup (HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Cooperation and HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Cooperation)
- Detects VirtualBox, Sandboxie and VMware
- Drops RegAsm.exe into the Microsoft .NET folder
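As an added example (not from the post or the sample), here is a small Python check a responder can run over a Windows registry export to flag the two autostart entries listed above: a Run/RunOnce value named "Microsoft Cooperation" or one whose target lives under AppData. The .reg text inside is constructed; the file name is the one named in the post, while the user name "victim" and the OneDrive entry are assumed for illustration.

```python
"""Flag the Run/RunOnce indicators described in the post inside a .reg export.
Added example with constructed input; not the sample's code."""
import re

RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
SUSPECT_NAME = "microsoft cooperation"  # value name used by this sample

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for named REG_SZ values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:  # undo the .reg escaping of quotes and backslashes
                name = m.group(1).replace('\\"', '"')
                data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
                keys[current][name] = data
    return keys

def find_autostart_indicators(text):
    """Return (subkey, value name, target, reasons) for each matching entry."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if key not in RUN_KEYS:
            continue
        for name, data in values.items():
            reasons = []
            if name.lower() == SUSPECT_NAME:
                reasons.append("value name 'Microsoft Cooperation'")
            if re.search(r"\\appdata\\(roaming\\)?[^\\]+\.exe", data, re.I):
                reasons.append("autostart target under AppData")
            if reasons:
                findings.append((key.rsplit("\\", 1)[1], name, data, reasons))
    return findings

# Constructed export: the persistence entries from the post next to a benign one.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Microsoft Cooperation"="C:\\Users\\victim\\AppData\\Roaming\\ZGIJJTiKhPcKTTZX.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Microsoft Cooperation"="C:\\Users\\victim\\AppData\\Roaming\\ZGIJJTiKhPcKTTZX.exe"
'''

if __name__ == "__main__":
    for subkey, name, data, reasons in find_autostart_indicators(SAMPLE_EXPORT):
        print(f"{subkey}\\{name} -> {data}  [{'; '.join(reasons)}]")
```

Replace SAMPLE_EXPORT with the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion` from the host under investigation to run the same check on real data.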
More analysis will be done once Hybrid Analysis completes analyzing the file.