Description

INCOMPLETE SECTION OR ARTICLE

This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Detection

File information

Suspicious files

%user%\application data\
├── Apvim
│   └──fudya.poz
├── Cywino
│   └── opomu.exe
├── ivivo
│   ├──cache
│   │  ├── CACHEDIR.TAG
│   │  └── plugins-04041e.dat
│   ├── ivivobin
│   └── ivivorc
└── Izpibe

opomu.exe

• SHA256: fc40bcdc2b5ce4b84c93cf01048f0715910ad25470d8f2799e3b85fb1a2bf264
• SHA1: aaa4c81b1227d09a081d63d2171602e8c0e07ace
• MD5: 1fa8159447d1629e2e703a9136403100
• File size: 354.0 KB ( 362496 bytes )
• File name: opomu.exe
• File type: Win32 EXE
• Detection ratio: 3 / 47 (2013-06-14 11:19:27 UTC)

Network behavior

Connections to http://www.google.com/webhp

Impacts

• Key, Mouse, Clipboard, Microphone and Screen Caputering
  • Contains functionality to read the clipboard data
  • Contains functionality to retrieve information about pressed keystrokes
• Networking
  • Contains functionality to download additional files from the internet
  • Urls found in memory or binary data
    • http://%02x%02x%02x%02x%02x%02x%02x%02x.com/%02x%02x%02x%02x/%02x%02x%02x%02x.php
    • http://www.google.com/webhp
  • Found strings which match to known social media urls
    • String found in binary or memory: facebook.com equals www.facebook.com (Facebook)
• Remote Access Functionality
  • Contains VNC / remote desktop functionality (RFB version string found)
• Obfuscation/Evasion
  • Binary may include packed or crypted data
  • Contains functionality to dynamically determine API calls
  • PE file contains sections with non-standard names
  • PE sections with suspicious entropy found
  • HIPS / PFW / Operating System Protection Evasion
    • Contains functionality to add an ACL to a security descriptor
    • Contains functionality to create a new security descriptor
    • Contains functionality to inject threads in other processes
  • Anti Debugging
    • Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
    • Contains functionality to dynamically determine API calls
    • Contains functionality which may be used to detect a debugger (GetProcessHeap)
    • Creates guard pages, often used to prevent reverse engineering and debugging
    • Program does not show much activity (idle)
  • Virtual Machine Detection
    • Contains functionality to enumerate / list files inside a directory
    • Contains functionality to query local drives
• Spreading
  • Contains functionality to enumerate / list files inside a directory
  • Contains functionality to query local drives
• System Summary
  • Contains functionality to access the windows certificate store
  • Contains functionality to adjust token privileges (e.g. debug / backup)
  • Contains functionality to enum processes or threads
  • Contains functionality to call native functions
  • Contains functionality to shutdown / reboot the system
  • Language, Device and Operating System Detection
    • Contains functionality to query local / system time
    • Contains functionality to query the account / user name
    • Contains functionality to query time zone information
    • Contains functionality to query windows version

Links

• VT: https://www.virustotal.com/en/file/fc40bcdc2b5ce4b84c93cf01048f0715910ad25470d8f2799e3b85fb1a2bf264/analysis/1371208767/
• Download: https://www.dropbox.com/s/ksvl9k2mklh5j9j/1fa8159447d1629e2e703a9136403100-opomu.exe.zip (pass: infected)