Indicators of Compromise for Malware Used by Sony Hackers

Just hours after the FBI and President Obama called out North Korea as being responsible for the destructive cyber attack against Sony Pictures, US-CERT issued an alert describing the primary malware used by the attackers, along with indicators of compromise.


While not mentioning Sony by name in its advisory, instead referring to the victim as a “major entertainment company,” US-CERT said that the attackers used a Server Message Block (SMB) Worm Tool to conduct the attacks.

According to the advisory, the SMB Worm Tool is equipped with five components: a Listening Implant, Lightweight Backdoor, Proxy Tool, Destructive Hard Drive Tool, and Destructive Target Cleaning Tool.

The advisory also provides a summary of the C2 IP addresses, Snort signatures for the various components, host-based indicators, potential YARA signatures to detect malware binaries on host machines, and recommended security practices and tactical mitigations.

In its alert, US-CERT provided the following list of the Indicators of Compromise (IOCs) that should be added to network security solutions to determine whether they are present on a network.

Name: d1c27ee7ce18675974edf42d4eea25c6.bin

Size: 268579 bytes (268.6 KB)

MD5: D1C27EE7CE18675974EDF42D4EEA25C6

PE Compile Time: 2014-11-22 00:06:54

While the original filename of this file is unknown, it was likely “diskpartmg16.exe”. This file serves as a dropper. It drops destructive malware: “igfxtrayex.exe”. When the dropper file was executed, it started a second instance of itself with “-i” as an argument, and then terminated. The second instance of the dropper file installed itself as the “WinsSchMgmt” service with “-k” as a command line argument, started the service, and then terminated. The “WinsSchMgmt” service executed the file with “-k” as an argument, which started another instance of the file using “-s” as an argument. The “-s” instance dropped and executed “igfxtrayex.exe”, created “net_ver.dat”, and began generating network traffic over TCP ports 445 and 139 to victim IP addresses.

Name: net_ver.dat

Size: 4572 bytes (4.6 KB)  (size will vary)

MD5: 93BC819011B2B3DA8487F964F29EB934  (hash will vary)

This is a log file created by the dropper and appended to as the scans progress. It contains what appear to be hostnames, IP addresses, and the number 2. Entries in the file have the structure “HOSTNAME | IP Address | 2”.

Name: igfxtrayex.exe

Size: 249856 bytes (249.9 KB)

MD5: 760C35A80D758F032D02CF4DB12D3E55

PE Compile Time: 2014-11-24 04:11:08

This file is destructive malware: a disk wiper with network beacon capabilities. If “igfxtrayex.exe” is run with no parameters, it creates and starts a copy of itself with the “-i” argument. After 10 minutes, “igfxtrayex.exe” makes three copies of itself and places them in the same directory from which it was executed. These copies are named according to the format “taskhostXX.exe” (where X is a randomly generated ASCII character). These copies are then executed, each with a different argument (one being “-m”, one being “-d” and the other “-w”). Network connection attempts are made to one of three hard-coded IP addresses in a random order to port 8080 or 8000. If a connection to the IP address cannot be made, it attempts to connect to another of the three IP addresses, until connections to all three IP addresses have been attempted. The following command-line string is then executed: “cmd.exe /c net stop MSExchangeIS /y”. A 120-minute (2 hour) sleep command is issued, after which the computer is shut down and rebooted.
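An added triage helper (example code written for this article, not from US-CERT or the advisory) that turns two of the host artifacts above into incident-scoping data: it parses the “HOSTNAME | IP Address | 2” structure of net_ver.dat to list the hosts the dropper scanned over SMB, and it flags files named in the “taskhostXX.exe” pattern the wiper uses for its copies. The sample log content and all hostnames and addresses in it are constructed.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample of a net_ver.dat log, following the "HOSTNAME | IP Address | 2"
# structure described in the advisory. Hostnames and addresses are made up.
SAMPLE_NET_VER_DAT = """\
FILESRV01 | 10.10.3.15 | 2
WS-ACCT-22 | 10.10.7.101 | 2
FILESRV01 | 10.10.3.15 | 2
garbage line without separators
DC01 | 10.10.0.5 | 2
"""

# The wiper drops copies of itself as taskhostXX.exe, X being a random ASCII
# character: match exactly two characters between "taskhost" and ".exe".
TASKHOST_COPY = re.compile(r"^taskhost..\.exe$", re.IGNORECASE)


def parse_net_ver_dat(text: str) -> List[Dict[str, str]]:
    """Return one record per well-formed 'HOSTNAME | IP | 2' line, de-duplicated."""
    seen = set()
    records = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3:
            continue  # not in the logged structure; skip it and keep going
        host, ip, marker = parts
        try:
            ipaddress.ip_address(ip)  # reject lines whose middle field is not an IP
        except ValueError:
            continue
        key = (host.lower(), ip)
        if key in seen:
            continue  # the dropper may log the same target more than once
        seen.add(key)
        records.append({"host": host, "ip": ip, "marker": marker})
    return records


def scanned_targets(text: str) -> List[str]:
    """IP addresses the dropper logged, i.e. hosts to check for SMB-based spread."""
    return [r["ip"] for r in parse_net_ver_dat(text)]


def is_wiper_copy_name(filename: str) -> bool:
    """True for names matching the taskhostXX.exe copy pattern (a lead, not proof)."""
    return bool(TASKHOST_COPY.match(filename))


if __name__ == "__main__":
    for rec in parse_net_ver_dat(SAMPLE_NET_VER_DAT):
        print(f"{rec['host']:<12} {rec['ip']}")
    print(is_wiper_copy_name("taskhostQ7.exe"), is_wiper_copy_name("taskhost.exe"))
```

A filename match is only a lead, since legitimate Windows binaries share the taskhost prefix; confirm any hit against the file hashes and compile times the advisory lists.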

Name: iissvr.exe

Size: 114688 bytes (114.7 KB)

MD5: E1864A55D5CCB76AF4BF7A0AE16279BA

PE Compile Time: 2014-11-13 02:05:35

This file, when executed, starts a listener on localhost port 80. It has 3 files contained in the resource section; all xor’d with 0x63.

Name: usbdrv3_32bit.sys

Size: 24280 bytes (24.3 KB)

MD5: 6AEAC618E29980B69721158044C2E544

PE Compile Time: 2009-08-21 06:05:32

This SYS file is a commercially available tool that allows read/write access to files and raw disk sectors for user mode applications in Windows 2000, XP, 2003, Vista, 2008 (32-bit). It is dropped from resource ID 0x81 of “igfxtrayex.exe”.

Name: usbdrv3_64bit.sys

Size: 28120 bytes (28.1 KB)

MD5: 86E212B7FC20FC406C692400294073FF

PE Compile Time: 2009-08-21 06:05:35

This SYS file is also a commercially available tool that allows read/write access to files and raw disk sectors for user mode applications in Windows 2000, XP, 2003, Vista, 2008 (64-bit). It is dropped from resource ID 0x83 of “igfxtrayex.exe”.

Name: igfxtpers.exe

Size: 91888 bytes (91.9 KB)

MD5: e904bf93403c0fb08b9683a9e858c73e

PE Compile Time: 2014-07-07 08:01:09 

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
