Description

Timeline

Tue Apr 5 00:01:51 CEST 2016

started win7

Tue Apr 5 00:03:41 CEST 2016

infected

After 13 hours, it successfully connected to the C&C server.

Tue Apr 5 19:36:50 CEST 2016

I started the calculator program by hand, to see whether the C&C reflects this new process.

Analysis

13:59:39.079194 IP 10.0.2.107.50424 > 77.81.104.169.14221: Flags [P.], seq 15:293, ack 1, win 64240, length 278 CONNECT=P4CK3T=FUCKBOY-9686316$^56^$11:50:22$^[taskmgr] Windows Task Manager^$WIN7$^Microsoft Windows 7 Ultimate 32-bit Desktop^$1.5$^04-05-2016^$N/A$^425d804aa328d98d348f6474b46b914630d5fdfe4b686b3d93ce1a54ef43c3a1^$FUCKBOY$^N^$8_=_8

13:59:39.847525 IP 77.81.104.169.14221 > 10.0.2.107.50424: Flags [P.], seq 1:157, ack 293, win 65535, length 156 C=P4CK3T=1TR4MPanq=()=4TR4MPSTOP=()=6TR4MPN=()=9TR4MP20408|13101|10472|48206|78356|78674|49580|64029|=()=10TR4MPhttp://files.catbox.moe/do3aqb.gifv=()=8_=8SEARCHLOGS=P4CK3T=paypal8=_8

We downloaded this file from outside the VM: do3aqb.gifv
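The two tcpdump lines above show the beacon framing well enough to parse it: each record is `<TYPE>=P4CK3T=<body>` closed by an `8_=_8`-style trailer, the CONNECT body uses alternating `$^` / `^$` field separators, and the reply carries `<opcode>TR4MP<argument>` items separated by `=()=`. The following parser is an added example written for these notes, not tooling from the original analysis. It assumes that the three trailer spellings seen in the capture (`8_=_8`, `8_=8`, `8=_8`) are the same end-of-record marker, and it keeps the CONNECT fields positional because their meaning is not documented here; the capture lines are embedded as constructed input copied from the notes.

```python
import re

# Constructed input: the two tcpdump lines from the notes above (beacon and reply).
CAPTURE = [
    "13:59:39.079194 IP 10.0.2.107.50424 > 77.81.104.169.14221: Flags [P.], seq 15:293, "
    "ack 1, win 64240, length 278 CONNECT=P4CK3T=FUCKBOY-9686316$^56^$11:50:22$^[taskmgr] "
    "Windows Task Manager^$WIN7$^Microsoft Windows 7 Ultimate 32-bit Desktop^$1.5$^04-05-2016"
    "^$N/A$^425d804aa328d98d348f6474b46b914630d5fdfe4b686b3d93ce1a54ef43c3a1^$FUCKBOY$^N^$8_=_8",
    "13:59:39.847525 IP 77.81.104.169.14221 > 10.0.2.107.50424: Flags [P.], seq 1:157, "
    "ack 293, win 65535, length 156 C=P4CK3T=1TR4MPanq=()=4TR4MPSTOP=()=6TR4MPN=()="
    "9TR4MP20408|13101|10472|48206|78356|78674|49580|64029|=()="
    "10TR4MPhttp://files.catbox.moe/do3aqb.gifv=()=8_=8SEARCHLOGS=P4CK3T=paypal8=_8",
]

# tcpdump text line: timestamp, endpoints, TCP details, then the printable payload.
TCPDUMP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[[^\]]*\], "
    r".*?length (?P<length>\d+) (?P<payload>.*)$"
)
# Observed framing: <TYPE>=P4CK3T=<body><trailer>. Assumption: the trailer
# variants 8_=_8 / 8_=8 / 8=_8 are one end-of-record marker, spelled loosely.
MESSAGE = re.compile(r"(?P<type>[A-Z]+)=P4CK3T=(?P<body>.*?)8_?=_?8")
CONNECT_SEP = re.compile(r"\$\^|\^\$")  # alternating $^ / ^$ separators in CONNECT
COMMAND_SEP = "=()="                    # separates items in the server reply
COMMAND_KV = "TR4MP"                    # <opcode>TR4MP<argument>
URL_RE = re.compile(r"https?://[^\s=$^]+")


def parse_line(line):
    """Split one tcpdump text line into addressing info and the raw payload."""
    m = TCPDUMP_LINE.match(line)
    if not m:
        raise ValueError("not a tcpdump line: %r" % line[:40])
    return m.groupdict()


def parse_messages(payload):
    """Return a list of (type, parsed_body) records framed in one payload."""
    records = []
    for m in MESSAGE.finditer(payload):
        mtype, body = m.group("type"), m.group("body")
        if mtype == "CONNECT":
            # Positional fields only; the notes do not name them.
            parsed = [f for f in CONNECT_SEP.split(body) if f]
        elif mtype == "C":
            parsed = {}
            for item in body.split(COMMAND_SEP):
                if COMMAND_KV in item:
                    opcode, _, argument = item.partition(COMMAND_KV)
                    parsed[opcode] = argument
        else:
            parsed = body  # e.g. SEARCHLOGS carries a bare string
        records.append((mtype, parsed))
    return records


def extract_indicators(lines):
    """Collect the C&C endpoint, the beacon fields and any URLs the server sent."""
    iocs = {"c2": set(), "urls": set(), "beacon_fields": [], "commands": {}}
    for line in lines:
        pkt = parse_line(line)
        for mtype, parsed in parse_messages(pkt["payload"]):
            if mtype == "CONNECT":
                iocs["c2"].add(pkt["dst"])        # victim -> server
                iocs["beacon_fields"] = parsed
            elif mtype == "C":
                iocs["c2"].add(pkt["src"])        # server -> victim
                iocs["commands"].update(parsed)
                for argument in parsed.values():
                    iocs["urls"].update(URL_RE.findall(argument))
    return iocs


if __name__ == "__main__":
    for key, value in extract_indicators(CAPTURE).items():
        print(key, value)
```

Run over the two captured lines, `extract_indicators` yields the C&C endpoint `77.81.104.169.14221`, twelve positional beacon fields (hostname-like tag, active window title, OS string, a 64-hex-character value, and so on), the five opcode/argument pairs from the reply, and the single URL the server pushed, which is exactly the file examined outside the VM. The same structure is what a detection rule would key on: the `=P4CK3T=` literal and the `TR4MP` item format are far more stable than the server address.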

Sun May 1 12:15:24 CEST 2016

I restarted after several weeks to see if the malware activates again. It came alive again! So we will wait...