
Demo: Hunting the Sony Wiper Malware, ‘Destover,’ Using Carbon Black

February 10, 2015 / Threat Research Team

There has been a lot of coverage about the malware known as Destover.

Several hashes have been released by US-CERT, the FBI and other organizations. This blog examines how you can look for this malware and its indicators of compromise (IOCs) using Carbon Black.

This write-up starts with ways to find known pieces of this malware within your organization using Carbon Black and then transitions to some more advanced search techniques.

Examining:

4d4b17ddbcf4ce397f76cf0a2e230c9d513b23065f746a5ee2de74f447be39b9 (Dropper)

e2ecec43da974db02f624ecadc94baf1d21fd1a5c4990c15863bb9929f781a0a (igfxtrayex.exe)

Samples:

https://malwr.com/analysis/MWZkZjU4Mjc1ZTNlNDQzN2FkOWFhNWI1NjNmYjk0Nzc/

(Dropper)

https://malwr.com/analysis/MmRkZjgzMzFkODg1NGYzNmJkY2FhMDA1NzU0ODhlM2M/

(igfxtrayex.exe)

References:

https://www.us-cert.gov/ncas/alerts/TA14-353A

http://marshfieldchamber.com/wp-content/uploads/2014/12/FBI-News-Flash.pdf

In the Beginning…

First, a search can be constructed to see if any of the MD5 hashes have been seen in your environment.

From the US-CERT alert (TA14-353A, linked above), we have the following MD5 hashes to look for:


The best and easiest way to look for these hash values is to use the “Respond -> Binary Search” dashboard. Enter the list above in the query box, as shown below:

[Screenshot Destover1: Binary Search query containing the hash list]

This searches for any of the hash values from the US-CERT bulletin that are present in your organization. Here’s the result on one of our research systems.

[Screenshot Destover2: Binary Search results showing hits on the hash list]

You can see there were a few hits, so let’s keep digging.

Since we know the hash D1C27EE7CE18675974EDF42D4EEA25C6 is the dropper, we can start digging there to attempt to understand as much of the story as possible. Clicking through the hash and then onto the specific instance brings up a process graph like the one below.

[Screenshot Destover3: process graph for the dropper instance]

So far we know that we’ve seen several interesting hashes, that one of them appears to be a dropper (dropper.exe), and that it has created a few other processes, one of them named “igfxtrayex.exe.”

It’s possible to search for this executable name in Carbon Black: simply use the “Respond -> Process Search” dashboard and type the executable name in the search box.

What else does the dropper do in addition to creating and starting the process above? It also writes a .dat file.

[Screenshot Destover4: the dropper writing net_ver.dat under the user’s profile]

Looking for this exact path would do you no good (unless all of your users are named ‘user’). Instead, in the Process Search dashboard you can look for:

“c:\users\*\appdata\local\virtualstore\windows\syswow64\net_ver.dat”

This will tell you if this file has been written to any users’ directory.

[Screenshot Destover5: Process Search results for the wildcarded net_ver.dat path]

Protip: You can use several wildcards and even search across multiple drives with “*:\users\*\appdata\local\virtualstore\windows\syswow64\net_ver.dat”; however, this will be slower due to the use of multiple wildcards.

This binary also created some network connections:

[Screenshot Destover6: network connections made by the binary]

The IPs that are contacted are all in the 43.120.141.0/24 class-C network. While not every IP in that network was contacted, a fair number were. Rather than look for each IP individually, as we did above, we can leverage some advanced search syntax to look for anything in that class-C network. This may lead to a couple of false positives, but hunting is never easy. By leveraging the Process Search dashboard and a query of…

“ipaddr:[729976064 TO 729976319]”

…we can look for all network connections into that class-C.

Note that the IP addresses were converted to their decimal equivalents and used for the search. Carbon Black stores IPs as an integer for easy and quick searching (especially across ranges). It’s also possible to look for the identified C2 IPs (203.131.222.102, 217.96.33.164, 88.53.215.64, 200.87.126.116, 58.185.154.99, 212.31.102.100, 208.105.226.235) with the following: “ipaddr:203.131.222.102 or ipaddr:217.96.33.164 or ipaddr:88.53.215.64 or ipaddr:200.87.126.116 or ipaddr:58.185.154.99 or ipaddr:212.31.102.100 or ipaddr:208.105.226.235”.
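As an added example (not code from this post or from Carbon Black), the Python below turns the indicators discussed above into the queries the post builds: the decimal ipaddr range for a whole /24, the OR-joined C2 list, and a case-insensitive check of a file-write path against the per-user net_ver.dat wildcard from the Process Search section. The signed-32-bit option is an assumption about servers that store ipaddr as a signed integer, not something the post states; converting the post’s range 729976064 TO 729976319 back to dotted form yields 43.130.141.0/24, so confirm which network you intend before running the query.

```python
"""Helpers for turning the Destover indicators in the post into Carbon Black
style hunting queries. Added example; not Carbon Black's own code."""
import fnmatch
import ipaddress

# C2 addresses as listed in the post.
DESTOVER_C2_IPS = [
    "203.131.222.102", "217.96.33.164", "88.53.215.64", "200.87.126.116",
    "58.185.154.99", "212.31.102.100", "208.105.226.235",
]
# Wildcarded per-user, any-drive location of the .dat file from the post.
DAT_PATH_PATTERN = r"*:\users\*\appdata\local\virtualstore\windows\syswow64\net_ver.dat"


def ip_to_int(ip: str, signed: bool = False) -> int:
    """Dotted IPv4 -> the integer form used in ipaddr range queries.
    signed=True is an assumption for servers that keep the field as a signed
    32-bit int; it only changes the result for addresses >= 128.0.0.0."""
    value = int(ipaddress.IPv4Address(ip))
    if signed and value >= 2**31:
        value -= 2**32
    return value


def int_to_ip(value: int) -> str:
    """Reverse conversion, for sanity-checking a range copied from a report."""
    return str(ipaddress.IPv4Address(value % 2**32))


def cidr_range_query(cidr: str, signed: bool = False) -> str:
    """Build 'ipaddr:[low TO high]' covering every address in the network."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    low = ip_to_int(str(net.network_address), signed)
    high = ip_to_int(str(net.broadcast_address), signed)
    return f"ipaddr:[{low} TO {high}]"


def c2_or_query(ips) -> str:
    """OR together individual ipaddr: terms, as the post does for the C2 list."""
    return " or ".join(f"ipaddr:{ip}" for ip in ips)


def matches_dat_path(path: str) -> bool:
    """Case-insensitive wildcard match of an observed file-write path against
    the net_ver.dat location (any drive letter, any user name)."""
    return fnmatch.fnmatchcase(path.lower(), DAT_PATH_PATTERN.lower())


if __name__ == "__main__":
    print(cidr_range_query("43.130.141.0/24"))   # the range shown in the post
    print(int_to_ip(729976064), "..", int_to_ip(729976319))
    print(c2_or_query(DESTOVER_C2_IPS))
```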
