Security Experts:

Indicators of Compromise for Malware Used by Sony Hackers

Just hours after the FBI and President Obama called out North Korea as being responsible for the destructive cyber attack against Sony Pictures, US-CERT issued an alert describing the primary malware used by the attackers, along with indicators of compromise.

While not mentioning Sony by name in its advisory, instead referring to the victim as a “major entertainment company,” US-CERT said that the attackers used a Server Message Block (SMB) Worm Tool to conduct the attacks.

According to the advisory, the SMB Worm Tool is equipped with five componments, including a Listening Implant, Lightweight Backdoor, Proxy Tool, Destructive Hard Drive Tool, and Destructive Target Cleaning Tool.

The advisory also provides a summary of the C2 IP addresses, Snort signatures for the various components, host based Indicators, potential YARA signatures to detect malware binaries on host machines, and recommended security practices and tactical mitigations.

In its alert, US-CERT provided the following list of the Indicators of Compromise (IOCs) that should be added to network security solutions to determine whether they are present on a network.

MD5s:

SMB worm tool:

MD5: f6f48551d7723d87daeef2e840ae008f

Characterization: File Hash Watchlist

Notes: "SMB worm tool"

         Earliest PE compile Time: 20141001T072107Z

         Most Recent PE compile Time: 20141001T072107Z

 

MD5: 194ae075bf53aa4c83e175d4fa1b9d89

Characterization: File Hash Watchlist

Notes: "SMB worm tool"

         Earliest PE compile Time: 20141001T120954Z

         Most Recent PE compile Time: 20141001T142138Z


Lightweight backdoor:

MD5: f57e6156907dc0f6f4c9e2c5a792df48

Characterization: File Hash Watchlist

Notes: "Lightweight backdoor"

         Earliest PE compile time: 20110411T225224Z

         Latest PE compile time: 20110411T225224Z

 

MD5: 838e57492f632da79dcd5aa47b23f8a9

Characterization: File Hash Watchlist

Notes: "Lightweight backdoor"

         Earliest PE compile time: 20110517T050015Z

         Latest PE compile time: 20110605T204508Z

 

MD5: 11c9374cea03c3b2ca190b9a0fd2816b

Characterization: File Hash Watchlist

Notes: "Lightweight backdoor"

         Earliest PE compile time: 20110729T062417Z

         Latest PE compile time: 20110729T062958Z

 

MD5: 7fb0441a08690d4530d2275d4d7eb351

Characterization: File Hash Watchlist

Notes: "Lightweight backdoor"

         Earliest PE compile time: 20120128T071327Z

         Latest PE compile time: 20120128T071327Z

 

MD5: 7759c7d2c6d49c8b0591a3a7270a44da

Characterization: File Hash Watchlist

Notes: "Lightweight backdoor"

         Earliest PE compile time: 20120309T105837Z

         Latest PE compile time: 20120309T105837Z

 

MD5: 7e48d5ba6e6314c46550ad226f2b3c67

Characterization: File Hash Watchlist

Notes: "Lightweight backdoor"

         Earliest PE compile time: 20120311T090329Z

         Latest PE compile time: 20120311T090329Z

 

MD5: 0a87c6f29f34a09acecce7f516cc7fdb

Characterization: File Hash Watchlist

Notes: "Lightweight backdoor"

         Earliest PE compile time: 20120325T053138Z

         Latest PE compile time: 20130513T090422Z

 

MD5: 25fb1e131f282fa25a4b0dec6007a0ce

Characterization: File Hash Watchlist

Notes: "Lightweight backdoor"

         Earliest PE compile time: 20130802T054822Z

         Latest PE compile time: 20130802T054822Z

 

MD5: 9761dd113e7e6673b94ab4b3ad552086

Characterization: File Hash Watchlist

Notes: "Lightweight backdoor"

         Earliest PE compile time: 20130913T013016Z

         Latest PE compile time: 20130913T013016Z

 

MD5: c905a30badb458655009799b1274205c

Characterization: File Hash Watchlist

Notes: "Lightweight backdoor"

         Earliest PE compile time: 20140205T090906Z

         Latest PE compile time: 20140205T090906Z

 

MD5: 40adcd738c5bdc5e1cc3ab9a48b3df39

Characterization: File Hash Watchlist

Notes: "Lightweight backdoor"

         Earliest PE compile time: 20140320T152637Z

         Latest PE compile time: 20140402T023748Z

 

MD5: 68a26b8eaf2011f16a58e4554ea576a1

Characterization: File Hash Watchlist

Notes: "Lightweight backdoor"

         Earliest PE compile time: 20140321T014949Z

         Latest PE compile time: 20140321T014949Z

 

MD5: 74982cd1f3be3d0acfb0e6df22dbcd67

Characterization: File Hash Watchlist

Notes: "Lightweight backdoor"

         Earliest PE compile time: 20140506T020330Z

         Latest PE compile time: 20140506T020330Z

 

Proxy tool:

MD5: 734740b16053ccc555686814a93dfbeb

Characterization: File Hash Watchlist

Notes: "Proxy tool"

         Earliest PE compile time: 20140611T064905Z

         Latest PE compile time: 20140611T064905Z

 

MD5: 3b9da603992d8001c1322474aac25f87

Characterization: File Hash Watchlist

Notes: "Proxy tool"

         Earliest PE compile time: 20140617T035143Z

         Latest PE compile time: 20140617T035143Z

 

MD5: e509881b34a86a4e2b24449cf386af6a

Characterization: File Hash Watchlist

Notes: "Proxy tool"

         Earliest PE compile time : 20140618T064527Z

         Latest PE compile time: 20140618T064527Z

 

MD5: 9ab7f2bf638c9d911c2c742a574db89e

Characterization: File Hash Watchlist

Notes: "Proxy tool"

         Earliest PE compile time: 20140724T011233Z

         Latest PE compile time: 20140724T011233Z

 

MD5: a565e8c853b8325ad98f1fac9c40fb88

Characterization: File Hash Watchlist

Notes: "Proxy tool"

         Earliest PE compile time: 20140724T065031Z

         Latest PE compile time: 20140902T135050Z


MD5: 0bb82def661dd013a1866f779b455cf3

Characterization: File Hash Watchlist

Notes: "Proxy tool"

         Earliest PE compile time: 20140819T024812Z

         Latest PE compile time: 20140819T024812Z

 

MD5: b8ffff8b57586d24e1e65cd0b0ad9173

Characterization: File Hash Watchlist

Notes: "Proxy tool"

         Earliest PE compile time: 20140902T172442Z

         Latest PE compile time: 20140902T172442Z


MD5: 4ef0ad7ad4fe3ef4fb3db02cd82bface

Characterization: File Hash Watchlist

Notes: "Proxy tool"

         Earliest PE compile time: 20141024T134136Z

         Latest PE compile time: 20141024T134136Z

MD5: eb435e86604abced7c4a2b11c4637a52

Characterization: File Hash Watchlist

Notes: "Proxy tool"

         Earliest PE compile time: 20140526T010925Z

         Latest PE compile time: 20140526T010925Z

MD5: ed7a9c6d9fc664afe2de2dd165a9338c

Characterization: File Hash Watchlist

Notes: "Proxy tool"

         Earliest PE compile time: 20140611T064904Z

Destructive hard drive tool:

MD5: 8dec36d7f5e6cbd5e06775771351c54e

Characterization: File Hash Watchlist

Notes: "Destructive hard drive tool"

         Earliest PE compile time: 20120507T151820Z

         Latest PE compile time: 20120507T151820Z

MD5: a385900a36cad1c6a2022f31e8aca9f7

Characterization: File Hash Watchlist

Notes: "Destructive target cleaning tool"

         Earliest PE compile time: 20130318T003315Z

         Latest PE compile time: 20130318T003315Z


MD5: 7bea4323807f7e8cf53776e24cbd71f1

Characterization: File Hash Watchlist

Notes: "Destructive target cleaning tool"

         Earliest PE compile time: 20130318T003319Z

         Latest PE compile time: 20130318T003319Z


Name: d1c27ee7ce18675974edf42d4eea25c6.bin

Size: 268579 bytes (268.6 KB)

MD5: D1C27EE7CE18675974EDF42D4EEA25C6

PE Compile Time: 2014-11-22 00:06:54

While the original filename of this file is unknown, it was likely “diskpartmg16.exe”. This file serves as a dropper. It drops destructive malware: “igfxtrayex.exe”. When the dropper file was executed, it started a second instance of itself with “-i” as an argument, and then terminated. The second instance of the dropper file installed itself as the “WinsSchMgmt” service with “-k” as a command line argument, started the service, and then terminated. The “WinsSchMgmt” service executed the file with “-k” as an argument, which started another instance of the file using “-s” as an argument. The “-s” instance dropped and executed “igfxtrayex.exe”, created “net_ver.dat”, and began generating network traffic over TCP ports 445 and 139 to victim IP addresses.

Name: net_ver.dat

Size: 4572 bytes (4.6 KB)  (size will vary)

MD5: 93BC819011B2B3DA8487F964F29EB934  (hash will vary)

This is a log file created by the dropper, and appended to as the scans progress  It contains what appear to be hostnames, IP addresses, and the number 2.   Entries in the file have the structure “HOSTNAME | IP Address | 2”.

Name: igfxtrayex.exe

Size: 249856 bytes (249.9 KB)

MD5: 760C35A80D758F032D02CF4DB12D3E55

PE Compile Time: 2014-11-24 04:11:08

This file is destructive malware: a disk wiper with network beacon capabilities. If “igfxtrayex.exe” is run with no parameters, it creates and starts a copy of itself with the “–i” argument. After 10 minutes, the “igfxtrayex.exe” makes three copies of itself and places them in the same directory from which it was executed. These copies are named according to the format “taskhostXX.exe” (where X is a randomly generated ASCII character). These copies are then executed, each with a different argument (one being “-m”, one being “-d” and the other “-w”). Network connection attempts are made to one of three hard-coded IP addresses in a random order to port 8080 or 8000. If a connection to the IP address cannot be made, it attempts to connect to another of the three IP addresses, until connections to all three IP addresses have been attempted. The following command-line string is then executed: “cmd.exe /c net stop MSExchangeIS /y”. A 120-minute (2 hour) sleep command is issued after which the computer is shut down and rebooted.

Name: iissvr.exe

Size: 114688 bytes (114.7 KB)

MD5: E1864A55D5CCB76AF4BF7A0AE16279BA

PE Compile Time: 2014-11-13 02:05:35

This file, when executed, starts a listener on localhost port 80. It has 3 files contained in the resource section; all xor’d with 0x63.

Name: usbdrv3_32bit.sys

Size: 24280 bytes (24.3 KB)

MD5: 6AEAC618E29980B69721158044C2E544

PE Compile Time: 2009-08-21 06:05:32

This SYS file is a commercially available tool that allows read/write access to files and raw disk sectors for user mode applications in Windows 2000, XP, 2003, Vista, 2008 (32-bit). It is dropped from resource ID 0x81 of “igfxtrayex.exe”.

Name: usbdrv3_64bit.sys

Size: 28120 bytes (28.1 KB)

MD5: 86E212B7FC20FC406C692400294073FF

PE Compile Time: 2009-08-21 06:05:35

This SYS file is a also a commercially available tool that allows read/write access to files and raw disk sectors for user mode applications in Windows 2000, XP, 2003, Vista, 2008 (64-bit). It is dropped from resource ID 0x83 of “igfxtrayex.exe”.

Name: igfxtpers.exe

Size: 91888 bytes (91.9 KB)

MD5: e904bf93403c0fb08b9683a9e858c73e

PE Compile Time: 2014-07-07 08:01:09 

view counter
For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.