IOCs
Network:
- 188.215.92.104 – hurtmehard.net – Good Man gate
- 86.106.131.120 – bestdoosales.club – RIG exploit kit
- 185.100.87.161 – badlywantyou.top – GET /smk/config.jpg – ZeusVM config URL
- 185.100.87.161 – badlywantyou.top – POST /smk/gate.php – ZeusVM dropzone URL
- 77.88.55.88 – yandex.ru – Connectivity check
File System:
- o32.tmp is dropped and executed in %TEMP% (self-deletes)
- The payload q2tlgu9t.exe is dropped and executed in %TEMP% (self-deletes)
- Folder created in %TEMP% using the pattern [a-zA-Z0-9]{6,7}.tmp contains System.dll
- The payload copies itself to %APPDATA% in randomly named folders
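The file-system indicators above can be turned into a quick host sweep. The following is an added example and not the author's tooling: it walks a %TEMP%-like tree for the `[a-zA-Z0-9]{6,7}.tmp` folders that contain `System.dll` and for the dropped file names, and an %APPDATA%-like tree for executables in short, all-lowercase subfolders. The lowercase-folder heuristic is an assumption of this example (the post only says "randomly named folders"), and the sample tree it builds is constructed here, not taken from the infected host.

```python
import re
import tempfile
from pathlib import Path

# Folder pattern from the IOC list: 6-7 alphanumerics followed by ".tmp"
TMP_FOLDER_RE = re.compile(r"^[a-zA-Z0-9]{6,7}\.tmp$")
# Dropped file names from the IOC list
DROPPED_FILES = {"o32.tmp", "q2tlgu9t.exe"}
# Assumption of this example: the persistence folders are short, all-lowercase names
APPDATA_FOLDER_RE = re.compile(r"^[a-z]{4,8}$")


def hunt_temp(temp_root):
    """Return (kind, path) findings for a %TEMP%-like directory."""
    findings = []
    for entry in Path(temp_root).iterdir():
        if entry.is_dir() and TMP_FOLDER_RE.match(entry.name):
            if (entry / "System.dll").is_file():
                findings.append(("tmp_folder_with_system_dll", str(entry)))
        elif entry.is_file() and entry.name.lower() in DROPPED_FILES:
            findings.append(("dropped_payload", str(entry)))
    return findings


def hunt_appdata(appdata_root):
    """Return (kind, path) findings for an %APPDATA%-like directory."""
    findings = []
    for folder in Path(appdata_root).iterdir():
        if not (folder.is_dir() and APPDATA_FOLDER_RE.match(folder.name)):
            continue
        for exe in folder.glob("*.exe"):
            findings.append(("appdata_exe", str(exe)))
    return findings


def build_sample_tree():
    """Constructed sample tree mirroring the IOCs; returns (temp_dir, appdata_dir)."""
    base = Path(tempfile.mkdtemp(prefix="zeusvm_demo_"))
    temp_dir = base / "TEMP"
    appdata_dir = base / "APPDATA"
    (temp_dir / "nsk3F2a.tmp").mkdir(parents=True)          # 7 chars: matches the pattern
    (temp_dir / "nsk3F2a.tmp" / "System.dll").write_bytes(b"MZ")
    (temp_dir / "longername.tmp").mkdir()                    # too long: must not match
    (temp_dir / "longername.tmp" / "System.dll").write_bytes(b"MZ")
    (temp_dir / "q2tlgu9t.exe").write_bytes(b"MZ")           # dropped payload name
    (appdata_dir / "uloxg").mkdir(parents=True)              # random-looking folder
    (appdata_dir / "uloxg" / "uloxg.exe").write_bytes(b"MZ")
    (appdata_dir / "Microsoft").mkdir()                      # legitimate folder: not flagged
    (appdata_dir / "Microsoft" / "tool.exe").write_bytes(b"MZ")
    return str(temp_dir), str(appdata_dir)


def demo():
    """Build the constructed tree, sweep it, and return the sorted finding kinds."""
    temp_dir, appdata_dir = build_sample_tree()
    findings = hunt_temp(temp_dir) + hunt_appdata(appdata_dir)
    return sorted(kind for kind, _ in findings)


if __name__ == "__main__":
    for kind in demo():
        print(kind)
```

On a live Windows host you would pass `os.environ["TEMP"]` and `os.environ["APPDATA"]` instead of the constructed tree; the capitalised-folder exclusion is only a demo heuristic and will need tuning for real profiles.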
Registry:
- Entries created in HKCU\Software\Microsoft
- Each folder has numerous REG_BINARY values
Hashes:
SHA256: 1b9bf35a6662775e538f01738c1f6c94a35481192b63d2229030526d8c3f39f9
File name: Flash Exploit.swf
SHA256: b7e2ac891a8e524668261b149515ccb0105655f1bcb5c8ad72a3fb78de2d02d3
File name: o32.tmp
SHA256: 035a56f1bfa148bf58d48971aa9b71d8cbd78dd5a54055d4caf0a8b4d8c14de6
File name: qwjh89ks.exe
Hybrid-Analysis Report
SHA256: ec93953304bda318b4f6e2f0fae9d619bcb60679a874d977721d033ec3649398
File name: Archimedes.dll
SHA256: 2b57b0cfa09d86f2e7da17998c4890e5ab8069178211fddf304b53c7f1e6cb1e
File name: uloxg.exe
Hybrid-Analysis Report
Infection Chain
The infection chain starts off with visiting a Good Man gate. In this infection chain I used the Good Man gate hurtmehard[.]net. For those of you that don’t know, I discovered gates being used to redirect users to various exploit kits on January 20th, 2017. I called them Good Man gates because the registrant name and email had “good man” in them.
They have added 3 more domains since my last post on Good Man:
| Good Man Domains | Registrant Email | Registered | Expires |
|---|---|---|---|
| n1shop.net.in | goodmandilaltain@gmail.com | 3/31/2017 | 3/31/2018 |
| adobeflashpayer.net.in | goodmandilaltain@gmail.com | 3/29/2017 | 3/29/2018 |
| sipasalar.net.in | goodmandilaltain@gmail.com | 3/24/2017 | 3/24/2018 |
There is already evidence that these domains are being used for malicious purposes. You can read more about the Good Man gates HERE.
Below is the infection chain captured by Wireshark:
Hurtmehard[.]net auto-refreshed 3 times. That is why you’re seeing 3 different infection chains. This is also why you’ll see multiple files created by the same three payloads later on in this post.
Injected in hurtmehard[.]net is the following script:
Inside the script is an iframe containing the URL for the RIG exploit kit landing page.
The host is then redirected to the landing page and is eventually sent the malware payload. The payload is dropped into %TEMP% and executed:
You’ll notice that the only payload in %TEMP% is q2tlgu9t.exe; however, I kept only one sample out of the many that I got. The multiple malware payloads caused the numerous .tmp folders to be created in %TEMP%.
The malware copies itself to %APPDATA%:
Again, there are multiple files created in %APPDATA% because of the multiple payloads I received as a result of the gate refreshing numerous times. Here are some of the files:
And here are some entries found in HKCU\Software\Microsoft:
We then see a connectivity check using yandex.ru, followed by the ZeusVM C&C activity:
- badlywantyou.top/smk/config.jpg
- badlywantyou.top/smk/gate.php
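The network side of the chain (gate, RIG landing page, connectivity check, ZeusVM config fetch and dropzone POST) can be matched against proxy logs. The following is an added example, not the author's code: it parses a simplified "timestamp client method url status" log format, maps each request to its role in the chain using the indicators from this post, and reports per client whether the gate, the exploit kit and the dropzone were all seen. The log lines are constructed for the example; the format and the role names are assumptions of the example.

```python
from urllib.parse import urlsplit

# Indicators from the post, with the role each host plays in the chain
INDICATORS = {
    "hurtmehard.net": "good_man_gate",
    "bestdoosales.club": "rig_ek",
    "badlywantyou.top": "zeusvm_c2",
}
# ZeusVM URL paths from the post, split into the config fetch and the dropzone
C2_PATHS = {"/smk/config.jpg": "zeusvm_config_fetch", "/smk/gate.php": "zeusvm_dropzone_post"}
# yandex.ru on its own is benign; it only adds context when the rest of the chain is present
CONNECTIVITY_CHECK = "yandex.ru"

# Constructed sample log (not from the post): "ts client method url status"
SAMPLE_LOG = """\
1491231600 10.0.0.5 GET http://hurtmehard.net/ 200
1491231601 10.0.0.5 GET http://bestdoosales.club/index.php?id=abc123 200
1491231602 10.0.0.7 GET http://example.org/news 200
1491231605 10.0.0.5 GET http://yandex.ru/ 200
1491231606 10.0.0.5 GET http://badlywantyou.top/smk/config.jpg 200
1491231607 10.0.0.5 POST http://badlywantyou.top/smk/gate.php 200
1491231610 10.0.0.9 GET http://yandex.ru/ 200
"""


def parse_line(line):
    """Split one log line into a record; URL host is lowercased by urlsplit."""
    ts, client, method, url, status = line.split()
    parts = urlsplit(url)
    return {"ts": int(ts), "client": client, "method": method,
            "host": parts.hostname or "", "path": parts.path, "status": int(status)}


def classify(rec):
    """Map one request to an indicator role, or None if it matches nothing."""
    host = rec["host"]
    if host == CONNECTIVITY_CHECK:
        return "connectivity_check"
    role = INDICATORS.get(host)
    if role == "zeusvm_c2":
        # Any other path on the C&C host is still worth a look
        return C2_PATHS.get(rec["path"], "zeusvm_c2_other")
    return role


def hunt(log_text):
    """Return {client: {"roles": [...], "full_chain": bool}} for clients that hit any indicator."""
    seen = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        role = classify(rec)
        if role:
            seen.setdefault(rec["client"], []).append(role)
    report = {}
    for client, roles in seen.items():
        # Gate -> exploit kit -> dropzone POST is the confirmation that the payload ran
        full = {"good_man_gate", "rig_ek", "zeusvm_dropzone_post"} <= set(roles)
        report[client] = {"roles": roles, "full_chain": full}
    return report


if __name__ == "__main__":
    for client, info in hunt(SAMPLE_LOG).items():
        print(client, "FULL CHAIN" if info["full_chain"] else "partial", info["roles"])
```

Client 10.0.0.9 only performs the yandex.ru check and is reported without `full_chain`, which is the intended behaviour: the connectivity check is a normal destination and only matters alongside the other indicators.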
| Field | Value |
|---|---|
| ZeuS C&C: | badlywantyou.top |
| Malware: | VMZeuS |
| IP address: | 185.100.87.161 |
| Host status: | online |
| Uptime: | 01:24:05 |
| Hostname: | n/a |
| SBL: | SBL338948 |
| AS number: | 200651 |
| AS name: | FLOKINET, RO |
| Country: | |
| Level: | 4 (Unknown / not categorized) |
| Sponsoring registrar: | n/a |
| Nameserver(s): | n/a |
| Date added: | 2017-04-03 |
| Last checked: | 2017-04-03 |
| Last updated: | never |
| BL status: | This host is being published on the ZeuS Blocklist! |
ZeuS ConfigURLs on this C&C:
| Date added | ConfigURL | Status | V | Filesize | MD5 hash | HTTP Status | File download |
|---|---|---|---|---|---|---|---|
| 2017-04-03 | badlywantyou.top/smk/config.jpg | online | 2 | 179’337 | 31ac27b2e7cc24f506953febcb6e4098 | 200 | |
ZeuS DropURLs (Dropzones) on this C&C:
| Date added | DropURL | Status | HTTP Status |
|---|---|---|---|
| 2017-04-03 | badlywantyou.top/smk/gate.php | online | 200 |
ZeusVM uses steganography (the practice of concealing a file, message, image, or video within another file, message, image, or video) to hide its configuration, which is embedded in the JPG file:
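A first triage check for a suspected carrier image is to see whether the file carries bytes beyond the JPEG's End Of Image marker. The following is an added example, not the author's code and not a ZeusVM config extractor: the post does not say exactly how the config is stored in the JPG, so this example assumes the simplest case of data appended after the EOI marker and flags it, walking the JPEG segment structure properly instead of just searching for the last `FF D9`. The sample JPEG it builds is constructed and is not the `config.jpg` from the infection.

```python
import struct

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"


def jpeg_end_offset(data):
    """Walk the JPEG segments and return the offset just past the EOI marker, or None."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                              # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                              # EOI: end of the image proper
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                                    # standalone markers, no length field
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:                              # SOS: entropy-coded data follows
            # Skip scan data: 0xFF00 is a stuffed byte, 0xFFD0-D7 are restart markers
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    return None


def inspect_jpeg(data):
    """Report how many bytes sit after the image and show a preview of them."""
    end = jpeg_end_offset(data)
    if end is None:
        raise ValueError("no EOI marker found (truncated file)")
    trailer = data[end:]
    return {"jpeg_bytes": end, "trailing_bytes": len(trailer),
            "suspicious": len(trailer) > 0, "trailer_preview": trailer[:16]}


def build_sample_jpeg():
    """Constructed minimal JPEG skeleton: SOI, APP0, SOS with a few scan bytes, EOI."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    seg_app0 = b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
    sos_payload = b"\x01\x01\x00\x00\x3f\x00"          # one component, full spectral range
    seg_sos = b"\xff\xda" + struct.pack(">H", len(sos_payload) + 2) + sos_payload
    scan = b"\x12\x34\xff\x00\x56\x78"                   # includes a stuffed 0xFF00
    return SOI + seg_app0 + seg_sos + scan + EOI


if __name__ == "__main__":
    clean = build_sample_jpeg()
    carrier = clean + b"constructed-config"              # constructed appended blob
    print(inspect_jpeg(clean))
    print(inspect_jpeg(carrier))
```

A non-zero `trailing_bytes` is a lead, not a verdict: legitimate files also carry trailers (thumbnails, editor metadata), so the preview bytes and the file's origin decide whether it is worth pulling apart further.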
We then see POST requests to /smk/gate.php. The C&C domain is being hosted at 185.100.87.161. Here is the login panel for the C&C domain:
The Whois information for badlywantyou.top is shown below:
| Field | Value |
|---|---|
| WHOIS Server | www[.]eranet[.]com |
| Registrar | Eranet International Limited |
| Registrant Email | kentgitan732@mail.ru |
| Name | john alex |
| Organization | NA |
| Phone | 00380662963886 |
| NameServers | ns7.01isp.com, ns8.01isp.net |
I found only 2 domains using that registrant email:
| Domain | Registrant Email | Registered | Expires |
|---|---|---|---|
| whoareyoume.top | kentgitan732@mail.ru | 3/26/2017 | 3/26/2018 |
| badlywantyou.top | kentgitan732@mail.ru | 3/26/2017 | 3/26/2018 |
Download the Artifacts (password is infected):
Until next time!