It's been a while since I've done a threat intel piece, so I wanted to put together a new one to show off some new methods and tips. This piece is called Web Crew due to the names of some malware they were hosting on some of their servers. So, let's get to it!


I started my search for new work by firing up Threat Inc.'s Tango app to see if there was anything new and exciting going on, on our honeypots. There's always usually something happening, so I just grabbed one incident that seemed pretty active at the time.

I started looking at this incident, since there were three sessions, all originating from the same attacker, going to two different honeypots in a short amount of time. The attacker in this case was, an IP based out of China. So, let's start digging...

Initial Investigation

I noticed that in each of the three sessions, the attacker was doing different things in each. For example, in the first session, 06/11/2015 14:07:02, he ran about 10 commands, whereas the other two sessions, 06/11/2015 14:11:14 and 06/11/2015 14:29:01 he ran 3 and 8 respectively. Also peculiar is the fact that in the first session he was grabbing the malware from a completly different domain, hxxp://, as opposed to the other two sessions where they reached out to hxxp:// At the time of the my investgation, the domain was down, however, the files seemed to be similar to the ones hosted on the address, with names such as www2.6, www2.4, wwwarm, wwwwrt indicating malware designged for various architectures.

Checking out the webserver for this address on port 6664 turns up the typical HFS server, however, surprisingly it was in Chinese. There are a few files being hosted on this server, most of which were being requested in the sessions seen in Tango.

For the three original sessions I started looking at, I noticed requests for files from that server that looked something like kkk.htm (kkk3.htm, kkk_4.htm, etc.) and one for KKK.htm. Most of the files hosted were of varying filesize, so, they are probably malware built for various architectures like the ones on the 183 domain.

Here's the Whois information for the host:

inetnum: -
country: CN
admin-c: BB324-AP
tech-c: CH119-AP
changed: zjnocip[email protected] 20120730
source: APNIC

All three sessions lasted under 3 seconds each, and the attacker was seen using two different SSH clients, SSH-2.0-PuTTY_Local:_May_14_2009_21:12:18 and SSH-2.0-libssh2_1.4.3. We also have sessions from this host going back to June 2nd, with the latest attack being the 6/11/15 14:29:01 session.

If we wanted to build a timeline of events for this host, we can run a Splunk query like this:

Trying to build a timeline of their attack history, we can run a search like this in our Splunk logs:

sourcetype=kippojson  [ search sourcetype=kippojson src_ip=""  
| stats count by session | fields session ]
| transaction session | search shasum=*
| stats count by url, _time

The above will give us all the URL's they attempted to download malware from, as well as the time they tried to download the malware.

Besides the two IP's we've found so far, if we go back to the 2nd of June, where the first attack happened from this host, we can see the attacker attempting to download malware from hxxp://, with the two files being:


Again, at the time of my investigation, this domain was offline.

The attacker waited a few days, then started back up again on the 8th, using the domain for hosting the malware they tried to grab. There were 2 sessions on the 8th, grabbing the following files:


Throughout 9th, 10th, and 11th of June, they switched between both malware domains ( and, both hosting files using the .htm extension.

File Analysis

Next, let's look at the files being downloaded on the honeypots. There's definitely overlap in the files, since it seems a lot of the files produce the same hash, even for ones which would look like they are for different architectures. In total, there are 13 different hashes being produced, for 41 different URLs.

Knowing all the different file hashes of this malware, I then looked at if anyone else was downloading these files. Turns out there were three total attackers:


One thing to note, they were all grabbing the malware from each of the IP's we know about (ex. grabbing malware from each of the other two IP's, and the same for each other IP).

Let's take a look at the other hosts involved...

Again, this IP was located in China and had the following Whois data:

inetnum: -
netname: CHINANET-GD
descr: CHINANET Guangdong province network
descr: Data Communication Division
descr: China Telecom
country: CN
admin-c: IC83-AP
tech-c: IC83-AP
remarks: service provider
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: [email protected] 20091009
mnt-by: APNIC-HM
source: APNIC

This host also used the same two SSH clients as our first IP:

  • SSH-2.0-PuTTY_Local:_May_14_2009_21:12:18
  • SSH-2.0-libssh2_1.4.3

Looking through the sessions that this host was seen in, we were able to acquire a new indicator, which was They were seen attempting to download the file User2.htm from on port 8888.

Using the site, we were able to see that this domain resolved to, which was our first indicator and our initial IP we started investigating, what a coincidence! More information can be found here.

This host was seen attempting to grab malware from the domain (which resolved to the host at the time), as well as their own IP.

Next up on our list is the host, which again, was located in China.

inetnum: -
netname: CHINANET-JS
descr: CHINANET jiangsu province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
admin-c: CH93-AP
tech-c: CJ186-AP
mnt-by: APNIC-HM
remarks: This object can only modify by APNIC hostmaster
remarks: If you wish to modify this object details please
remarks: send email to [email protected] with your
remarks: organisation account name in the subject line.
changed: [email protected] 20040223

This host was seen a lot earlier than the other two, with attacks dating back to 03/02/2015. We also noted some more SSH clients in use:

  • SSH-2.0-PuTTY_Local:_May_14_2009_21:12:18
  • SSH-2.0-libssh2_1.4.3
  • SSH-2.0-libssh2_1.4.2
  • SSH-2.0-paramiko_1.8.1

One thing to note about all our attackers so far, is, while some of the sessions vary by activity and time, they all seem to use SSH libraries to connect to our honeypots, which are a good indicator that these hosts are bots and not manually controlled. libssh is a common used SSH library, and Paramiko is a "Native Python SSHv2 protocol library", meaning these are definitely scripts doing the work for them.

Using passivetotal, we can see the domain resolved to on 06-11-2015. So, this tells us they've switched the DNS records for this domain at some point, since it resolved to the host, and the host. As of right now, this domain still resolves to the host.

I checked out the registrar details for this domain and pulled back the following:

Email [email protected] (a,t,r)
Name peng yong (a,t,r)
Organization Bitcomm ltd. (a,t,r)
Street yinyuan building (a,t,r)
City changzhou (a,t,r)
State Jiangsu (a,t,r)
Postal 213002 (a,t,r)
Country CN (a,t,r)
Phone 8651968887168 (a,t,r)
Fax 8651968887169 (a,t,r)

Indicator Analysis

Utilizing virustotal, I searched for all four of our attackers/domains:

  • previously resolved to on 12-13-2014
  • No Further Information (NFI) on
  • resolved to on 6-12-15 and to on 10-27-13

Nothing of value could be gleaned from the WHOIS of except for the registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN

With what we know right now, we can almost say with a fact, that all three of these IP's and one domain are all related to the same actor/group of actors operating out of China.

One quick note, the best thing about all the work done so far has all been passive research, we haven't even touched their actual infrastructure, which is great. I will make a note here though, that before we continue, we may not have all the malware samples from each of these sites. That's where TOR/proxychains can come into play.

Since we'd want to grab all their malware, we don't want to give up who we are by browsing their sites (although I'm sure they wouldn't notice...). Anyways, we can fire up the TOR browser bundle and hit up our command line with something like:

proxychains4 wget -r https://<badguyip>:<port>  

The above will use TOR to mask our source IP and grab all the files hosted on the sites we've seen above. If we can't do passive, we might as well be sneaky as possible...

Now that we have a good baseline of our attackers, we can start digging more into the malware to see it's purpose and to possibly glean any more useful information from the malware.

Malware Analysis

Alright, let's start looking at our files, first let's see what type of files we're dealing with:

[email protected] ~/Desktop/ > file *  
123.rar:   RAR archive data, v1d, os: Win32  
KKK_htm:   ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, stripped  
KKSS.rh:   ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped  
kkk_3.htm: ELF 32-bit LSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, stripped  
kkk_4.htm: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped  
kkk_6.htm: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped  
rrrr.1:    ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped  

Now let's get their hashes:

[email protected] ~/Desktop/ > md5 *  
MD5 (123.rar) = 040e679028b1dde876bb49b09e43509d  
MD5 (KKK_htm) = e1d69b8c480cc2a50c94255e8bc5fba6  
MD5 (KKSS.rh) = f59b74fbe80b0f48fcfb192d9f28c4d0  
MD5 (kkk_3.htm) = 6c7734cad8e0fc1d1b52087b9d09610b  
MD5 (kkk_4.htm) = 89ed34683d2b81d9e5cde1c1ad97710a  
MD5 (kkk_6.htm) = 51e7501e9a04d3eb7f90d1b1dd1b3f37  
MD5 (rrrr.1) = b1acbefac08d5ed3c2aa2f6d62e7c93d  
[email protected] ~/Desktop/ > shasum -a 256 *  
863cbf4ff59624e0df8c3d71664917e0820597df306743d93cf79907997044f9  123.rar  
2ba446d48141b19921e1c623c610eccb021c8b20f05fdcd2baeeb8be80645fe3  KKK_htm  
b0f3adc6eceee2d198c94a21484bf94c848533f9efe9748e2a94a13ed805e92b  KKSS.rh  
6d4f38761039a2f064b57b29e1f0a0575866adf8be157b5e9d9c386798fe66c1  kkk_3.htm  
7d25523aa0b857a262953c281a92ae9c759f7f79dde244bf7c161c0b08cc678d  kkk_4.htm  
8f915e4777daba125de5d2c6ec2aa70bf2af65985c8c1fb8b8a55817470faafc  kkk_6.htm  
5962c55404cd55e5fca4e0daadd6c1d9e249e4b849d271bb83441d91b314e52d  rrrr.1  

And lastly, file sizes:

[email protected] ~/Desktop/ > ls -alh  
drwxr-xr-x   4 Brian  staff   136B Jun 12 10:36 123  
-rw-r-----@  1 Brian  staff   442K Jun 11 21:30 KKK_htm
-rw-r-----@  1 Brian  staff   385K Jun 11 21:30 KKSS.rh
-rw-r-----@  1 Brian  staff   444K Jun 11 21:30 kkk_3.htm
-rw-r-----@  1 Brian  staff   348K Jun 11 21:30 kkk_4.htm
-rw-r-----@  1 Brian  staff   734K Jun 11 21:30 kkk_6.htm
-rw-r-----@  1 Brian  staff   474K Jun 11 21:30 rrrr.1

Next, let's submit these to VirusTotal to see what's been seen before and what hasn't.

123.rar was not submitted previously, and had no hits. We open the .rar file and notice's just two text files with Chinese filenames containing a list of IP's, ports, usernames and passwords, most likely a list of potential victims.

The first file contained a list of 254,293 hosts, the second one contained the same results, just formatted a little differently.

Next, KKK_htm was analyzed for the first time as well in VT, and produced some hits. Looks like a file from the MrBLack malware family.

KKSS.rh was analyzed about a week ago, and had 8/56 hits, which were:

Antivirus Result Update
Ikarus Trojan.Linux.Setag 20150531
ESET-NOD32 Linux/Setag.B.Gen 20150531
AVG Linux/BackDoor_c.CK 20150530
AhnLab-V3 Linux/Backdoor.393728 20150530
DrWeb Linux.BackDoor.Gates.6 20150531
Kaspersky HEUR:Backdoor.Linux.Ganiw.a 20150531
Avast ELF:Elknot-AY [Cryp] 20150531
Jiangmin Backdoor/Linux.ab 20150529

kkk_3.htm, kkk_4.htm and kkk_6.htm were all analyzed for the first time and had signatures for MrBlack and Dofloo.

rrrr.1 had a little less hits than the others, with only 7 out of 57. It's hits were for:

Antivirus Result Update
AVG Linux/Backdoor.A 20150612
Avast ELF:Elknot-BL [Cryp] 20150612
DrWeb Linux.BackDoor.Gates.7 20150612
ESET-NOD32 Linux/Setag.B 20150612
Ikarus Backdoor/ 20150612
Jiangmin HEUR:Backdoor.Linux.Ganiw.a 20150610
Kaspersky HEUR:Backdoor.Linux.Ganiw.a 20150612

Next, let's see if these files are packed. There are a few ways to do this, but, let's start with something basic.

I started by running strings on rrrr.1 to see if it was unpacked, since if a file was packed, we wouldn't be able to make out many of the strings. Looking through the file, everything is complete gibberish, most likely meaning it was packed. I get about 3/4 of the way through the file and notice this string:

$Info: This file is packed with the UPX executable packer $
$Id: UPX 3.91 Copyright (C) 1996-2013 the UPX Team. All Rights Reserved. $

So, if the gibberish ASCII strings were any indication that it was packed, this surely tells us it was packed. Next thing to do is unpack it:

[email protected] ~/Desktop/ > upx -d rrrr.1  

Now, when we run strings, we can see a lot more legiable strings in the file, things such as:


The above strings go along with the fact that these are DDoS files, and the above are various types of DDos attacks.

Next, I found the following strings, which would indicate some sort of HTTP requests:

image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg,  
application/x-ms-xbap, application/, application/,  
application/msword, */*  
gzip, deflate  

Along with some user-agents:

Mozilla/5.0 (|S|) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/|D&23&25|.  
|D&0&9|.|D&1000&9000|.|D&10&99| Safari/537.17
Mozilla/5.0 (|S|; rv:18.0) Gecko/20100101 Firefox/18.0  
|D&70&90| (|S|) Presto/2.|D&8&18|.|D&90&890| Version/|D&11&12|.|D&10&19|

We can also see a large amount of hardcoded IP address in here. We can use a function that @Andrew__morris wrote called ipgrab, to just run a regex on the output of strings to look for anything that is an IP address.

strings rrrr.1 | ipgrab > ips.txt  

The code for the function below, for anyone interested:

function ipgrab()  
read line; echo $line | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}';  
while read line; do echo $line | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'; done  
echo $line | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}';  

Just plop that in your .bashrc file and you should be good to go.

After running the ipgrab function on the file and piping that to ips.txt file, we can check the file out. Turns out there are 356 IP Addresses in rrrr.1.

Running cat ips.txt | sort -u | wc -lleaves us with 348 IP's after sorting

We can use a quick little python script to spit out the network description and country code to get a better list of the IP's in this file.

from ipwhois import IPWhois  
from pprint import pprint

with open('ips.txt') as f:  
    for ip in f:
            obj = IPWhois(ip.strip())
            results = obj.lookup()
            print results['nets'][0]['description'], results['asn_country_code']

With this script we can run python > filtered.txt

Then, with our finalized list of IP's, we can run something like cat filtered.txt | sort | uniq -c | sort -n and be left with a sorted list of unique networks, which gives us the top networks targeted:

10 CHINANET jiangsu province network  
14 A12,Xin-Jie-Kou-Wai Street  
14 Beijing 100088 CN  
17 China Mobile Communications Corporation  
17 Internet Service Provider in China CN  
17 Mobile Communications Network Operator in China  
24 China Telecom  
37 China Telecom CN  
37 Data Communication Division  
51 China Unicom CN  

Given the above list, we can clearly see this is targeting a good bit of IP's in China.

Dynamic Analysis

Next, let's go ahead and run this file inside a Vagrant VM to see what's going on...

First, we make the rrrr.1 file executable chmod +x rrrr.1, then run it ./rrrr.1

In another terminal, we'll run tcpdump to see what type of traffic we're seeing:

tcpdump -i eth0 -nnvvXS port not 22  

We run the malware, and start noticing it's sending traffic to one of the three known hosts - over port 36000

Just like my last post on MrBlack, we can see some identifying traffic being transmitted, like:

    0x0000:  4500 009c c6ab 4000 4006 c6bb 0a00 020f  E.....@.@.......
    0x0010:  b73c e9a9 b661 8ca0 c1cb 7078 1944 c002  .<...a....px.D..
    0x0020:  5018 7210 ad83 0000 0100 0000 6c00 0000  P.r.........l...
    0x0030:  00f4 0100 0032 0000 00e8 0300 0000 0000  .....2..........
    0x0040:  0000 0000 0000 0000 0000 0101 0200 0000  ................
    0x0050:  0100 0000 0a00 020f 0a00 020f 0a00 020f  ................
    0x0060:  0a00 020f 0a00 020f ffff 0100 0000 0000  ................
    0x0070:  3a00 0100 0000 0909 0000 e901 0000 4c69  :.............Li
    0x0080:  6e75 7820 332e 3133 2e30 2d34 352d 6765  nux.3.13.0-45-ge
    0x0090:  6e65 7269 6300 4733 2e31 3100            neric.G3.11.

We'll let this run for a while and then open it up in Wireshark to see what we found out...

After letting this run for a good bit, we fire up wireshark. Let's see what IP's this box was communicating with during this time. By going to Statistics -> Endpoints -> IPv4, we can see there were only three hosts involved: my Vagrant machine, my host machine and the attacking machine.

Looking at the traffic, we see the same type of traffic being sent around 30 to 40 seconds to the attacking host. It's 116 bytes of data being sent along with the 54 bytes for headers resulting in packets 170 bytes in size, with the data never changing and always looking like the following:

This is different from when I looked at the other Mr. Black samples in the past, since they would have pipe delimted fields with the string MrBlack in the actual sample. I'm sure they realized that wasn't the smartest idea to include the name of their malware in traffic since that could easily be picked up by any IDS.

So, besides trying to dig deeper into this malware, which I don't feel confident enough to do yet, we can try to generate some YARA rules to scan for this type of malware on other systems.

YARA Signatures

I just started messing around with an awesome tool called yarGen which can take a malicious file and compare the strings found to known good strings from goodware files, which leaves us with strings that are probably bad. To run this, we simply run:

python -m ~/vagrant/ubuntu_64_analysis/rr/  

The above will recursively scan the rr directory for files, then read in the good-strings.db file and then produce a YARA rules file to be used to search for this malware.

Here it is in action:

Reading goodware strings from database 'good-strings.db'...  
Processing malware files ...  
Processing: /Users/Brian/vagrant/ubuntu_64_analysis/rr/rrrr.1  
Generating statistical data ...  
Generating Super Rules ... (a lot of foo magic)  
Applying intelligent filters to string findings ...  
Filtering string set for /Users/Brian/vagrant/ubuntu_64_analysis/rr/rrrr.1 ...  
Generating simple rules ...  
Generating super rules ...  
Generated 1 SIMPLE rules.  
Generated 0 SUPER rules.  
All rules written to yargen_rules.yar  

Bam! Rule created.

Let's check out yargen_rules.yar to see what it came up with:

[email protected] ~/Desktop/yarGen-master > cat yargen_rules.yar  
    Yara Rule Set
    Author: YarGen Rule Generator
    Date: 2015-06-12

/* Global Rule -------------------------------------------------------------- */
/* Will be evaluated first, speeds up scanning process, remove at will */

global private rule gen_characteristics {  
        uint16(0) == 0x457f and filesize < 7429KB

/* Rule Set ----------------------------------------------------------------- */

rule _Users_Brian_vagrant_ubuntu_64_analysis_rr_rrrr {  
        description = "Auto-generated rule - file rrrr.1"
        author = "YarGen Rule Generator"
        reference = "not set"
        date = "2015-06-12"
        hash = "536b282fb9990451fc08a7a827c688c6c385bf63"
        $s0 = "_ZN14CThreadHttpGet11ProcessMainEv" fullword ascii
        $s1 = "_ZN19CThreadFXConnection17GetFakeDetectPortEv" fullword ascii
        $s2 = "_ZN17CThreadConnection17GetFakeDetectPortEv" fullword ascii
        $s3 = "_ZN17CThreadFakeDetect11ProcessMainEv" fullword ascii
        $s4 = "ThreadHttpGet.cpp" fullword ascii
        $s5 = "_ZN14CThreadRecycle11ProcessMainEv" fullword ascii
        $s6 = "_ZN19CThreadShellRecycle11ProcessMainEv" fullword ascii
        $s7 = "_ZN8CManager19RecycleShellProcessEv" fullword ascii
        $s8 = "_ZN15CFakeDetectInfo17GetFakeDetectPortEv" fullword ascii
        $s9 = "_ZN14CThreadLoopCmd11ProcessMainEv" fullword ascii
        $s10 = "_ZNSt18_Vector_alloc_baseIP14CThreadHttpGetSaIS1_ELb1EEC2ERKS2_" fullword ascii
        $s11 = "_ZN8CManager19DoFakeDetectCommandEP7CCmdMsg" fullword ascii
        $s12 = "_ZN17CThreadFakeDetect16SetFakeDetectCmdER15CFakeDetectInfo" fullword ascii
        $s13 = "_ZSt11__copy_aux2IP14CThreadHttpGetEPT_S3_S3_S3_11__true_type" fullword ascii
        $s14 = "_ZSt19__copy_backward_auxIPP14CThreadHttpGetS2_ET0_T_S4_S3_" fullword ascii
        $s15 = "_ZSt13__destroy_auxIPP14CThreadHttpGetEvT_S3_11__true_type" fullword ascii
        $s16 = "relocation processing: %s%s" fullword ascii
        $s17 = "%s%s%s:%u: %s%sAssertion `%s' failed." fullword ascii
        $s18 = "ELF load command address/offset not properly aligned" fullword ascii
        $s19 = "_ZN8CManager14RecycleProcessEv" fullword ascii
        $s20 = "_ZNSt12_Vector_baseIP14CThreadHttpGetSaIS1_EED2Ev" fullword ascii
        uint16(0) == 0x457f and filesize < 7429KB and all of them

For those who haven't messed with YARA rules before, I'll try to break out what it's searching for:

The top section between the /* and */ are just comments we can put in. Next is a global rule which looks for a certain condition. The condition is stating that there is an unsigned integer that is 16 bits long at offset 0 which is 0x457f in hexadecimal, and that the filesize is less than 7.5MB (7,429KB). The uint16(0) == 0x457f part I mentioned above, is looking for the Executable and Linkable Format (ELF) "magic number" which indicates that it is an ELF file.

To verify that the magic number is present, we can run something like hexdump and check it out for ourselves.

[email protected] ~/Desktop/yarGen-master > hexdump ~/vagrant/ubuntu_64_analysis/rr/rrrr.1 | head  
0000000 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00  
0000010 02 00 03 00 01 00 00 00 e0 80 04 08 34 00 00 00  
0000020 38 03 12 00 00 00 00 00 34 00 20 00 03 00 28 00  
0000030 1f 00 1c 00 01 00 00 00 00 00 00 00 00 80 04 08  
0000040 00 80 04 08 e8 68 11 00 e8 68 11 00 05 00 00 00  
0000050 00 10 00 00 01 00 00 00 00 70 11 00 00 f0 15 08sa  

We can see right there at offset 0 is 7f 45, which as you'll notice is reversed from what we are searching for. That's because we look for them in YARA as little-endian format, which means the least signficant bits first, so, if you were to take 7f45, the "least signficant" bits would be 45 since they are not as valuable as 7F. For example, 0x7f45 in decimal is 32,581, which is 0111111101000101 in binary, meaning the farthest left bit that is a 1 equals 16,384, thus making it a lot larger than the farthest right bit, which is equal to 1.

I went ahead and tried making my own YARA rule before I messed with yarGen, and produced something like the following:

rule MrBlack  
        description = "MrBlack Malware Family"
        author = "Brian Warehime"
        date = "2015-06-12"
        $attack_string1 = "9CAttackIe"
        $attack_string2 = "9CAttackCc"
        $attack_string3 = "10CTcpAttack"
        $attack_string4 = "15CAttackCompress"
        $attack_string5 = "10CAttackPrx"
        $attack_string6 = "10CAttackAmp"
        $attack_string7 = "10CAttackDns"
        $attack_string8 = "11CAttackIcmp"
        $attack_string9 = "10CAttackSyn"
        $attack_string10 = "10CAttackUdp"
        $attack_string11 = "13CPacketAttack"
        $attack_string12 = "11CAttackBase"
        $attack_string13 = "7CSerial"
        $user_agent1 = "Mozilla/5.0 (|S|) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/|D&23&25|.
|D&0&9|.|D&1000&9000|.|D&10&99| Safari/537.17"
        $user_agent2 = "Mozilla/5.0 (|S|; rv:18.0) Gecko/20100101 Firefox/18.0"
        $user_agent3 = "Opera/|D&7&9|.|D&70&90| (|S|) Presto/2.|D&8&18|.
|D&90&890| Version/|D&11&12|.|D&10&19|"
         all of them

Looking at what yarGen produced versus what I produced turned me on to some new things to implement in the future, things like the "magic number" and filesize. In my rule, I just searched for specific attack strings seen as well as the user agents noted in the malware. I'm sure both would work equally well, however, I enjoyed the practice of trying to make my own.

Once we have the rules created, we can go ahead and scan our system like so:

[email protected] ~/Desktop > yara -r mrblack.yara ~/vagrant/ubuntu_64_analysis/  
MrBlack /Users/Brian/vagrant/ubuntu_64_analysis/cywlooxx11  
MrBlack /Users/Brian/vagrant/ubuntu_64_analysis/rr/rrrr.1  

So, we can see our rrrr.1 file got picked up, as well as another file I had sitting around that was another MrBlack sample.

Next up, let's put together a Maltego graph illustrating their attacker/domain infrastructure. We can see a lot of overlap between the filenames and hashes associated with each domain. Here's a screenshot of what it looks like, but, feel free to play around with the maltego graph here as well.


Well, that about covers it. I'm sure there was a lot more I could have done, but, I think this touched on a few new things that I've been doing lately and hopefully was educational for some.

If you have any questions or thoughts about this post, feel free to message me on Twitter, @brian_warehime.