Targeted Destructive Malware | CISA
Common Information
Type Value
UUID e1d31610-d3e7-4d53-902c-77f7a2e0b0a1
Fingerprint 4a19a728f36fc8a
Analysis status DONE
Considered CTI value 2
Text language
Published Dec. 19, 2014, midnight
Added to db Sept. 26, 2022, 9:31 a.m.
Last updated Nov. 17, 2024, 6:55 p.m.
Headline Alert (TA14-353A)
Title Targeted Destructive Malware | CISA
Detected Hints/Tags/Attributes 103/3/82
Attributes
Details Type #Events CTI Value
Details Domain 46
www.yahoo.com
Details File 1
sensvc.exe
Details File 1
msensvc.exe
Details File 1
netcfg.dll
Details File 2125
cmd.exe
Details File 2
taskhostxx.exe
Details File 312
calc.exe
Details File 240
wmic.exe
Details File 1
d1c27ee7ce18675974edf42d4eea25c6.bin
Details File 2
diskpartmg16.exe
Details File 2
igfxtrayex.exe
Details File 2
net_ver.dat
Details File 2
iissvr.exe
Details File 1
usbdrv3_32bit.sys
Details File 1
usbdrv3_64bit.sys
Details File 1
igfxtpers.exe
Details File 1
kb25468.dat
Details File 1
pmsconfig.msi
Details File 1
pmslog.msi
Details File 32
%systemroot%\system32\svchost.exe
Details File 1
zz%d.bat
Details md5 1
f6f48551d7723d87daeef2e840ae008f
Details md5 1
194ae075bf53aa4c83e175d4fa1b9d89
Details md5 1
f57e6156907dc0f6f4c9e2c5a792df48
Details md5 1
838e57492f632da79dcd5aa47b23f8a9
Details md5 1
11c9374cea03c3b2ca190b9a0fd2816b
Details md5 1
7fb0441a08690d4530d2275d4d7eb351
Details md5 1
7759c7d2c6d49c8b0591a3a7270a44da
Details md5 1
7e48d5ba6e6314c46550ad226f2b3c67
Details md5 1
0a87c6f29f34a09acecce7f516cc7fdb
Details md5 1
25fb1e131f282fa25a4b0dec6007a0ce
Details md5 1
9761dd113e7e6673b94ab4b3ad552086
Details md5 1
c905a30badb458655009799b1274205c
Details md5 1
40adcd738c5bdc5e1cc3ab9a48b3df39
Details md5 1
68a26b8eaf2011f16a58e4554ea576a1
Details md5 1
74982cd1f3be3d0acfb0e6df22dbcd67
Details md5 1
734740b16053ccc555686814a93dfbeb
Details md5 1
3b9da603992d8001c1322474aac25f87
Details md5 1
e509881b34a86a4e2b24449cf386af6a
Details md5 1
9ab7f2bf638c9d911c2c742a574db89e
Details md5 1
a565e8c853b8325ad98f1fac9c40fb88
Details md5 1
0bb82def661dd013a1866f779b455cf3
Details md5 1
b8ffff8b57586d24e1e65cd0b0ad9173
Details md5 1
4ef0ad7ad4fe3ef4fb3db02cd82bface
Details md5 1
eb435e86604abced7c4a2b11c4637a52
Details md5 1
ed7a9c6d9fc664afe2de2dd165a9338c
Details md5 1
8dec36d7f5e6cbd5e06775771351c54e
Details md5 1
a385900a36cad1c6a2022f31e8aca9f7
Details md5 1
7bea4323807f7e8cf53776e24cbd71f1
Details md5 1
d1c27ee7ce18675974edf42d4eea25c6
Details md5 1
D1C27EE7CE18675974EDF42D4EEA25C6
Details md5 1
93BC819011B2B3DA8487F964F29EB934
Details md5 1
760C35A80D758F032D02CF4DB12D3E55
Details md5 1
E1864A55D5CCB76AF4BF7A0AE16279BA
Details md5 1
6AEAC618E29980B69721158044C2E544
Details md5 1
86E212B7FC20FC406C692400294073FF
Details md5 1
e904bf93403c0fb08b9683a9e858c73e
Details IPv4 2
203.131.222.102
Details IPv4 3
217.96.33.164
Details IPv4 3
88.53.215.64
Details IPv4 3
200.87.126.116
Details IPv4 2
58.185.154.99
Details IPv4 2
212.31.102.100
Details IPv4 2
208.105.226.235
Details Yara rule 1
rule SMB_Worm_Tool {
	// TA14-353A "SMB Worm Tool". All four markers must co-occur: a Global\ named-object
	// name carrying the S-1-5-19 (LocalService) SID, the literal "EVERYONE", a hard-coded
	// token string, and the "\KB25468.dat" path (kb25468.dat is also listed as a file
	// indicator on this page). Strings are plain ASCII, case-sensitive (no modifiers).
	strings:
		$STR1 = "Global\\FwtSqmSession106829323_S-1-5-19"
		$STR2 = "EVERYONE"
		$STR3 = "y0uar3@s!llyid!07,ou74n60u7f001"
		$STR4 = "\\KB25468.dat"
	condition:
		// File-type gate on the leading bytes (values are little-endian): 4D 5A "MZ" (PE),
		// D0 CF (OLE2), D4 C3 (presumably pcap), "%PDF", or "\rtf" at offset 1 (RTF).
		// The string checks only apply once one of these headers is present.
		(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
}
Details Yara rule 1
rule Lightweight_Backdoor1 {
	// TA14-353A "Lightweight Backdoor", variant 1: keyed on two ASCII artefacts, an
	// exported/entry name "NetMgStart" and the filename "Netmgmt.srg". Both are required.
	strings:
		$STR1 = "NetMgStart"
		$STR2 = "Netmgmt.srg"
	condition:
		// Unlike the sibling rules on this page, the gate here is PE-only (4D 5A "MZ").
		(uint16(0) == 0x5A4D) and all of them
}
Details Yara rule 1
rule LightweightBackdoor2 {
	// TA14-353A "Lightweight Backdoor", variant 2: a single marker, "prxTroy", matched
	// as ASCII or UTF-16LE and case-insensitively. With one short string the header gate
	// below is the only other constraint, so expect to triage hits rather than act on them.
	strings:
		$STR1 = "prxTroy" ascii wide nocase
	condition:
		// File-type gate (little-endian): "MZ", D0 CF (OLE2), D4 C3, "%PDF", or "\rtf" at offset 1.
		(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
}
Details Yara rule 1
rule LightweightBackdoor6 {
	// TA14-353A "Lightweight Backdoor", variant 6: two x86 byte-transform fragments.
	// Each reads as load/modify/store on one byte: 8A 10 (mov dl,[eax]), two group-1
	// imm8 operations (80 ?? with the modrm wildcarded) using constants 0x4E and 0x79,
	// then 88 10 (mov [eax],dl). The two patterns differ only in the constant order,
	// and BOTH must be present.
	strings:
		$STR1 = { 8A 10 80 ?? 4E 80 ?? 79 88 10 }
		$STR2 = { 8A 10 80 ?? 79 80 ?? 4E 88 10 }
	condition:
		// File-type gate (little-endian): "MZ", D0 CF (OLE2), D4 C3, "%PDF", or "\rtf" at offset 1.
		(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
}
Details Yara rule 1
rule ProxyTool1 {
	// TA14-353A "Proxy Tool", variant 1: the two .msi filenames that also appear as file
	// indicators on this page (pmsconfig.msi, pmslog.msi), matched as UTF-16LE only.
	strings:
		$STR1 = "pmsconfig.msi" wide
		$STR2 = "pmslog.msi" wide
	condition:
		// NOTE: this rule uses "any of them", so a single filename suffices; the sibling
		// rules on this page require "all of them". Header gate (little-endian): "MZ",
		// D0 CF (OLE2), D4 C3, "%PDF", or "\rtf" at offset 1.
		(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and any of them
}
Details Yara rule 1
rule ProxyTool3 {
	// TA14-353A "Proxy Tool", variant 3: one 13-byte code fragment. It reads as a byte
	// loop that XORs each byte with 0xA7 (34 A7 = xor al,0xA7) before storing it.
	// Only $STR2 is declared; the gap in numbering is harmless because the condition
	// names the string explicitly rather than using "all of them".
	strings:
		$STR2 = { 8A 04 17 8B FB 34 A7 46 88 02 83 C9 FF }
	condition:
		// File-type gate (little-endian): "MZ", D0 CF (OLE2), D4 C3, "%PDF", or "\rtf" at offset 1.
		(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and $STR2
}
Details Yara rule 1
rule DestructiveHardDriveTool1 {
	// TA14-353A "Destructive Hard Drive Tool". Three conditions, all required:
	//   - $str0 "MZ" anchored at offset 0 (PE header),
	//   - $xorInLoop, a complete routine containing several XOR r8 instructions
	//     (32 C1, 32 C3, 32 C8) inside a counted loop,
	//   - more than 300 occurrences of $str1, which reads as C6 84 24 (mov byte ptr
	//     [esp+disp32], imm8) with the stored value wildcarded to 00 or 01.
	// The #str1 > 300 threshold is what keeps the short $str1 pattern from firing on
	// ordinary binaries; do not lower it without re-testing against a clean corpus.
	strings:
		$str0 = "MZ"
		$str1 = { C6 84 24 ?? ( 00 | 01 ) 00 00 }
		$xorInLoop = { 83 EC 20 B9 08 00 00 00 33 D2 56 8B 74 24 30 57 8D 7C 24 08 F3 A5 8B 7C 24 30 85 FF 7E 3A 8B 74 24 2C 8A 44 24 08 53 8A 4C 24 21 8A 5C 24 2B 32 C1 8A 0C 32 32 C3 32 C8 88 0C 32 B9 1E 00 00 00 8A 5C 0C 0C 88 5C 0C 0D 49 83 F9 FF 7F F2 42 88 44 24 0C 3B D7 7C D0 5B 5F 5E 83 C4 20 C3 }
	condition:
		$str0 at 0 and $xorInLoop and #str1 > 300
}
Details Yara rule 1
rule DestructiveTargetCleaningTool1 {
	// TA14-353A "Destructive Target Cleaning Tool", variant 1: a loose form of the
	// constant sequence pinned more tightly by DestructiveTargetCleaningTool2 on this
	// page. It looks for the dwords 0xD3, 0x2C, 0x95, 0x6A and 0x07 separated by fixed
	// gaps ([4], [12], [8] bytes) - the same values that $secureWipe stores onto the
	// stack - without requiring the surrounding instruction bytes.
	strings:
		$s1 = { D3 00 00 00 [4] 2C 00 00 00 [12] 95 00 00 00 [4] 6A 00 00 00 [8] 07 00 00 00 }
	condition:
		// PE gate: "MZ" at 0 and "PE" (0x4550 little-endian) at e_lfanew (the dword at 0x3C).
		(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
}
Details Yara rule 1
rule DestructiveTargetCleaningTool2 {
	// TA14-353A "Destructive Target Cleaning Tool", variant 2: one long code signature
	// covering an entire routine (from the 83 EC 34 prologue to the 83 C4 34 C3 epilogue).
	// Import-table call targets (FF 15 ?? ?? ?? ??) are wildcarded and a few branch
	// displacements are given as alternatives, e.g. ( D8 | D9 ), so the rule tolerates
	// small relinking differences but not recompilation. Visible constants include the
	// stack dwords 0xD3/0x2C/0x95/0x6A/0x07 (also used by ...CleaningTool1), a 0x10000
	// buffer size (68 00 00 01 00, 81 FE 00 00 01 00) and 68 00 00 00 C0, consistent
	// with a GENERIC_READ|GENERIC_WRITE access mask - the name "secureWipe" is the
	// author's; the overwrite semantics are not verifiable from the bytes alone.
	// The fragment matched by DestructiveTargetCleaningTool7 is a substring of this one.
	strings:
		$secureWipe = { 83 EC 34 53 55 8B 6C 24 40 56 57 83 CE FF 55 C7 44 24 2C D3 00 00 00 C7 44 24 30 2C 00 00 00 89 74 24 34 89 74 24 38 C7 44 24 3C 95 00 00 00 C7 44 24 40 6A 00 00 00 89 74 24 44 C7 44 24 14 07 00 00 00 FF 15 ?? ?? ?? ?? 3B C6 89 44 24 1C 0F 84 ( D8 | D9 ) 01 00 00 33 FF 68 00 00 01 00 57 FF 15 ?? ?? ?? ?? 8B D8 3B DF 89 5C 24 14 0F 84 ( BC | BD ) 01 00 00 8B 44 24 1C A8 01 74 0A 24 FE 50 55 FF 15 ?? ?? ?? ?? 8B 44 24 4C 2B C7 74 20 48 74 0F 83 E8 02 75 1C C7 44 24 10 03 00 00 00 EB 12 C7 44 24 10 01 00 00 00 89 74 24 28 EB 04 89 7C 24 10 8B 44 24 10 89 7C 24 1C 3B C7 0F 8E ( 5C | 5D ) 01 00 00 8D 44 24 28 89 44 24 4C EB 03 83 CE FF 8B 4C 24 4C 8B 01 3B C6 74 17 8A D0 B9 00 40 00 00 8A F2 8B FB 8B C2 C1 E0 10 66 8B C2 F3 AB EB ( 13 | 14 ) 33 F6 ( E8 | FF 15 ) ?? ?? ?? ?? 88 04 1E 46 81 FE 00 00 01 00 7C ( EF | EE ) 6A 00 6A 00 6A 03 6A 00 6A 03 68 00 00 00 C0 55 FF 15 ?? ?? ?? ?? 8B F0 83 FE FF 0F 84 FA 00 00 00 8D 44 24 20 50 56 FF 15 ?? ?? ?? ?? 8B 2D ?? ?? ?? ?? 6A 02 6A 00 6A FF 56 FF D5 8D 4C 24 18 6A 00 51 6A 01 53 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 6A 00 6A 00 6A 00 56 FF D5 8B 44 24 24 8B 54 24 20 33 FF 33 DB 85 C0 7C 5A 7F 0A 85 D2 76 54 EB 04 8B 54 24 20 8B CA BD 00 00 01 00 2B CF 1B C3 85 C0 7F 0A 7C 04 3B CD 73 04 2B D7 8B EA 8B 44 24 14 8D 54 24 18 6A 00 52 55 50 56 FF 15 ?? ?? ?? ?? 8B 6C 24 18 8B 44 24 24 03 FD 83 D3 00 3B D8 7C BE 7F 08 8B 54 24 20 3B FA 72 B8 8B 2D ?? ?? ?? ?? 8B 5C 24 10 8B 7C 24 1C 8D 4B FF 3B F9 75 17 56 FF 15 ?? ?? ?? ?? 6A 00 6A 00 6A 00 56 FF D5 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 8B 4C 24 4C 8B 6C 24 48 47 83 C1 04 3B FB 8B 5C 24 14 89 7C 24 1C 89 4C 24 4C 0F 8C ( AE | AD ) FE FF FF 6A 00 55 E8 ?? ?? ?? ?? 83 C4 08 53 FF 15 ?? ?? ?? ?? 5F 5E 5D 5B 83 C4 34 C3 }
	condition:
		// No file-type gate: the pattern is long enough that the code bytes alone carry the decision.
		$secureWipe
}
Details Yara rule 1
rule DestructiveTargetCleaningTool3 {
	// TA14-353A "Destructive Target Cleaning Tool", variant 3: three command-line
	// format strings used to relaunch with an "/install" argument. The double space
	// before "/install" in $S2 and between the quoted %s fields in $S3 is deliberate -
	// these are exact ASCII matches and "fixing" the spacing would break the rule.
	// "fullword" means each string may not be adjacent to other alphanumeric characters.
	strings:
		$S1_CMD_Arg = "/install" fullword
		$S2_CMD_Parse = "\"%s\"  /install \"%s\"" fullword
		$S3_CMD_Builder = "\"%s\"  \"%s\" \"%s\" %s" fullword
	condition:
		// No header gate; all three strings are required.
		all of them
}
Details Yara rule 1
rule DestructiveTargetCleaningTool4 {
	// TA14-353A "Destructive Target Cleaning Tool", variant 4: fragments of an embedded
	// self-deleting batch script. The tokens ("goto x", "del", "if exist", ":x") are
	// generic on their own; the discriminators are "zz%d.bat" (also listed as a file
	// indicator on this page) and the count constraint in the condition.
	// All strings are ASCII "fullword" matches (no alphanumeric neighbour on either side).
	strings:
		$BATCH_SCRIPT_LN1_0 = "goto x" fullword
		$BATCH_SCRIPT_LN1_1 = "del" fullword
		$BATCH_SCRIPT_LN2_0 = "if exist" fullword
		$BATCH_SCRIPT_LN3_0 = ":x" fullword
		$BATCH_SCRIPT_LN4_0 = "zz%d.bat" fullword
	condition:
		// Requires EXACTLY two fullword occurrences of "del" (not "at least two") plus all other tokens.
		(#BATCH_SCRIPT_LN1_1 == 2) and all of them
}
Details Yara rule 1
rule DestructiveTargetCleaningTool5 {
	// TA14-353A "Destructive Target Cleaning Tool", variant 5: a single 27-byte opaque
	// blob. The identifier says it is taken from a zlib-compressed embedded DLL; that
	// cannot be confirmed from the bytes here, and a compressed-stream fragment will
	// only match the exact payload build it was taken from.
	strings:
		$MCU_DLL_ZLIB_COMPRESSED2 = { 5C EC AB AE 81 3C C9 BC D5 A5 42 F4 54 91 04 28 34 34 79 80 6F 71 D5 52 1E 2A 0D }
	condition:
		// No header gate; the blob alone decides.
		$MCU_DLL_ZLIB_COMPRESSED2
}
Details Yara rule 1
rule DestructiveTargetCleaningTool6 {
	// TA14-353A "Destructive Target Cleaning Tool", variant 6: the opening bytes of an
	// embedded INF-style resource in two forms. The "Dec" (decoded) form ends in plain
	// ASCII terminating in ".exe" (2E 65 78 65); the "Enc" form is the same region as it
	// appears on disk, presumably after the sample's own encoding. Either form matches.
	strings:
		$MCU_INF_StartHexDec = { 01 03 46 08 0A 30 D6 36 33 00 0B 62 63 75 0A 50 52 32 2A 00 10 3D 1B 57 0A 30 E6 7F 2A 00 13 09 52 69 0A 50 3A 0D 2A 00 0E 00 A2 6E 15 10 45 56 76 65 72 63 6C 76 69 64 2E 65 78 65 }
		$MCU_INF_StartHexEnc = { 6C 32 72 38 69 58 BF 07 52 30 78 0A 0A 54 67 61 66 02 49 68 79 0C 7A 67 79 58 8F 5E 47 31 27 39 31 01 63 61 5B 3D 59 68 67 21 CF 5F 21 20 26 3E 1F 54 13 53 1F 1E 00 45 43 54 4C 55 }
	condition:
		// "or": hits on either the encoded or the decoded form; no header gate.
		$MCU_INF_StartHexEnc or $MCU_INF_StartHexDec
}
Details Yara rule 1
rule DestructiveTargetCleaningTool7 {
	// TA14-353A "Destructive Target Cleaning Tool", variant 7: two Win32 API names
	// (SetFilePointer, SetEndOfFile) plus a short code fragment with wildcarded call
	// targets. The fragment $c is a substring of $secureWipe in
	// DestructiveTargetCleaningTool2 on this page, so this rule is the broader, cheaper
	// net and Tool2 the precise one; a hit here without Tool2 suggests a recompiled build.
	strings:
		$a = "SetFilePointer"
		$b = "SetEndOfFile"
		$c = { 75 17 56 FF 15 ?? ?? ?? ?? 6A 00 6A 00 6A 00 56 FF D5 56 FF 15 ?? ?? ?? ?? 56 }
	condition:
		// PE gate: "MZ" at 0 and "PE" (0x4550 little-endian) at e_lfanew (the dword at 0x3C).
		(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them
}
Details Yara rule 1
rule DestructiveTargetCleaningTool8 {
	// TA14-353A "Destructive Target Cleaning Tool", variant 8: a PuTTY-derived binary
	// with its branding removed. $license is UTF-16LE text that decodes to
	// "Portions copyright Robert de Bath, Joris van Rantwijk, Delian" (PuTTY's
	// about/licence text) embedded in what looks like a dialog resource (E9 03 FF FF 82 00
	// framing); $PuTTY is the UTF-16LE string "PuTTY".
	strings:
		$license = { E9 03 FF FF 82 00 50 00 6F 00 72 00 74 00 69 00 6F 00 6E 00 73 00 20 00 63 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 20 00 52 00 6F 00 62 00 65 00 72 00 74 00 20 00 64 00 65 00 20 00 42 00 61 00 74 00 68 00 2C 00 20 00 4A 00 6F 00 72 00 69 00 73 00 20 00 76 00 61 00 6E 00 20 00 52 00 61 00 6E 00 74 00 77 00 69 00 6A 00 6B 00 2C 00 20 00 44 00 65 00 6C 00 69 00 61 00 6E 00 00 00 00 00 00 00 02 50 00 00 00 00 0A 00 22 00 CE 00 08 00 EA 03 FF FF 82 00 }
		$PuTTY = { 50 00 75 00 54 00 54 00 59 00 }
	condition:
		// PE gate, the licence text present, and the product name ABSENT: a genuine
		// PuTTY build carries both and is therefore excluded by "not $PuTTY".
		(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $license and not $PuTTY
}
Details Yara rule 1
rule Malwareusedbycyberthreatactor1 {
	// TA14-353A, generic rule 1: four code fragments, ALL required. Single-nibble
	// wildcards (e.g. "?0") are valid YARA syntax and here fix the low nibble of
	// absolute-address bytes while leaving the rest open.
	//   $heapCreateFunction_0 / $heapCreateFunction: heap set-up routines (author's naming).
	//   $getMajorMinorLinker: reads MajorLinkerVersion/MinorLinkerVersion from the PE header
	//     (checks 4D 5A, follows e_lfanew at +0x3C, then copies the bytes at +0x1A/+0x1B).
	//   $openServiceManager: an import call followed by a null check (author's naming).
	// NOTE(review): $heapCreateFunction appears nibble-misaligned from "FF F6 89 01 00 00"
	// onward - e.g. "0F F1 5? ?? ?? ?? 0" reads as FF 15 ?? ?? ?? ?0 shifted by one
	// nibble, and the same shape recurs ("06 8? ?? ?? ?? 0", "0E 8? ?? ?0 00 0").
	// If that is a transcription artefact of the published rule, this string will not
	// match real code and, because the condition is "all of them", the whole rule
	// silently never fires. Verify against the original sample before relying on it.
	strings:
		$heapCreateFunction_0 = { 33 C0 6A 00 39 44 24 08 68 00 10 00 00 0F 94 C0 50 FF 15 ?? ?? ?? ?? 85 C0 A3 ?? ?? ?? ?0 74 36 E8 93 FE FF FF 83 F8 03 A3 ?? ?? ?? ?0 75 0D 68 F8 03 00 00 E8 ?? 00 00 00 59 EB 0A 83 F8 02 75 18 E8 ?? ?? 00 00 85 C0 75 0F FF 35 ?? ?? ?? ?0 FF 15 ?? ?? ?? ?0 33 C0 C3 6A 01 58 C3 }
		$heapCreateFunction = { 55 8B EC B8 2C 12 00 00 E8 ?? ?? FF FF 8D 85 68 FF FF FF 53 50 C7 85 68 FF FF FF 94 00 00 00 FF 1? ?? ?? ?? ?0 85 C0 74 1A 83 BD 78 FF FF FF 02 75 11 83 BD 6C FF FF FF 05 72 08 6A 01 58 E9 02 01 00 00 8D 85 D4 ED FF F6 89 01 00 00 05 06 8? ?? ?? ?? 0F F1 5? ?? ?? ?? 08 5C 00 F8 4D 00 00 00 03 3D B8 D8 DD 4E DF FF F3 89 DD DF FF F7 41 38 A0 13 C6 17 C0 83 C7 A7 F0 42 C2 08 80 14 13 81 97 5E D8 D8 5D 4E DF FF F6 A1 65 06 8? ?? ?? ?? 0E 8? ?? ?0 00 08 3C 40 C8 5C 07 50 88 D8 5D 4E DF FF FE B4 98 D8 56 4F EF FF F6 80 40 10 00 05 05 3F F1 5? ?? ?? ?? 03 89 D6 4F EF FF F8 D8 D6 4F EF FF F7 41 38 A0 13 C6 17 C0 83 C7 A7 F0 42 C2 08 80 14 13 81 97 5E D8 D8 56 4F EF FF F5 08 D8 5D 4E DF FF F5 0E 8? ?? ?? ?? ?5 95 93 BC 37 43 E6 A2 C5 0E 8? ?? ?? ?? ?5 93 BC 35 97 43 04 08 BC 83 81 87 40 E8 03 93 B7 50 48 81 9E B0 14 13 81 97 5F 26 A0 A5 35 0E 8? ?? ?0 00 08 3C 40 C8 3F 80 27 41 D8 3F 80 37 41 88 3F 80 17 41 38 D4 5F C5 0E 89 8F EF FF F8 07 DF C0 65 91 BC 08 3C 00 35 BC 9C }
		$getMajorMinorLinker = { 56 8B 74 24 08 6A 00 83 26 00 FF 15 ?? ?? ?? ?0 66 81 38 4D 5A 75 14 8B 48 3C 85 C9 74 0D 03 C1 8A 48 1A 88 0E 8A 40 1B 88 46 01 5E C3 }
		$openServiceManager = { FF 15 ?? ?0 ?0 ?0 8B ?8 85 ?? 74 ?? ?? ?? ?? ?? ?? ?? ?? 5? FF 15 ?? ?0 ?0 ?0 8B ?? ?? ?0 ?0 ?0 8B F? 85 F? 74 }
	condition:
		// No header gate; every fragment must be present.
		all of them
}
Details Yara rule 1
rule Malwareusedbycyberthreatactor2 {
	// TA14-353A, generic rule 2: seven underscore-prefixed command keywords plus one
	// code fragment, ALL required. The keywords have no "fullword"/"wide" modifiers, so
	// each is a plain ASCII substring match ("_exe", "_get", "_del" are short and common
	// on their own); the conjunction of all eight and the header gate is what makes the
	// rule usable. $str8 reads as C7 44 24 18 (mov dword [esp+0x18], imm32) with only
	// the first two immediate bytes (1F F7) pinned.
	strings:
		$str1 = "_quit"
		$str2 = "_exe"
		$str3 = "_put"
		$str4 = "_got"
		$str5 = "_get"
		$str6 = "_del"
		$str7 = "_dir"
		$str8 = { C7 44 24 18 1F F7 }
	condition:
		// File-type gate (little-endian): "MZ", D0 CF (OLE2), D4 C3, "%PDF", or "\rtf" at offset 1.
		(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
}
Details Yara rule 1
rule Malwareusedbycyberthreatactor3 {
	// TA14-353A, generic rule 3: a single 20-byte argument-setup fragment. It reads as
	// push eax; push 0x80; push 0xFFFF; push ecx; mov dword [esp+0x1C], 0x8B3A - i.e.
	// a call prologue with the fixed constants 0x80, 0xFFFF and 0x8B3A. With one short
	// pattern and no other constraint beyond the header gate, treat hits as leads.
	strings:
		$STR1 = { 50 68 80 00 00 00 68 FF FF 00 00 51 C7 44 24 1C 3A 8B 00 00 }
	condition:
		// File-type gate (little-endian): "MZ", D0 CF (OLE2), D4 C3, "%PDF", or "\rtf" at offset 1.
		(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
}