Summary
The Federal Bureau of Investigation (FBI) released a FLASH Alert on 1 December 2014 pertaining to a
recently discovered destructive malware campaign (FLASH Alert, 2014). According to the FBI, this
particular malware is capable of overwriting an infected machine's master boot record (Base, n.d.) and
erasing data files stored on the machine. Some open source media outlets are drawing a connection
between this FLASH Alert and the recent campaign that impacted Sony Pictures last week ("Sony's New
Movies Leak Following Hack," 2014). However, the FBI issues FLASH Alerts and Advisories to the
general public periodically regarding investigation findings; it makes no such connection to any specific
campaign or victim ("FBI Urges United States Companies to Beware Malicious Software Attacks,"
2014).
The following are some of the technical indicators gleaned from the FBI FLASH Alert.
Installer:
o File: d1c27ee7ce18675974edf42d4eea25c6.bin (originally diskpartmg16.exe)
o Size: 262.3 KB
o MD5: D1C27EE7CE1867597EDF42D4EEA25C6
o PE Compile Time: 22 November 2014
o Observed Language: Korean
o Objective: Installs the destructive malware file as well as the data, listener, and both
system read/write access files.
Destructive Malware:
o File: igfxtrayex.exe
o Size: 244 KB
o MD5: 760C35A80D758F032D02CF4DB12D3E55
o PE Compile Time: 24 November 2014
o Observed Language: Korean
o Objective: Copies itself into three different files (taskhost16.exe, taskhost32.exe and
taskhost64.exe) and establishes a connection with command-and-control (C2) servers over
ports 445, 139, 8080 and 8000. Once connectivity with the C2 servers is established, it
initiates a two-hour countdown, after which the infected machine reboots.
Data File:
o File: net_ver.dat
o Size: 4.5 KB
o MD5: 93BC819011B2B3DA8487F964F29EB934
o Objective: Contains victim IP addresses and hostnames.
TLP: GREEN
Listener File:
o File: iissvr.exe
o Size: 112 KB
o MD5: E1864A55D5CCB76AF4BF7A0AE16279BA
o PE Compile Time: 13 November 2014
o Observed Language: Korean
o Objective: Monitors traffic over port 80.
The installer file, diskpartmg16.exe, also re-installs itself under another name,
WinsSschMgmt, and then deletes the original file. Other files that were observed are as follows:
recdiscm32.exe; taskhosts64.exe; taskchg16.exe; rdpshellex32.exe; mobysynclm64.exe;
common32.exe; dpnsvr16.exe; expandmn32.exe; and hwrcompsvc64.exe.
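As an added example (not part of the FBI FLASH Alert or of this summary), the following Python sweep checks a directory tree against the file names and MD5 values listed above; `build_sample_tree`, its constructed sample files and the `md5_iocs`/`name_iocs` parameters are assumptions made here for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicators copied from the FLASH Alert summary above (MD5 lower-cased). The installer's
# MD5 is left out because the value printed above is one hex digit short; its name still matches.
IOC_MD5 = {
    "760c35a80d758f032d02cf4db12d3e55": "igfxtrayex.exe (destructive component)",
    "93bc819011b2b3da8487f964f29eb934": "net_ver.dat (victim IP/hostname data)",
    "e1864a55d5ccb76af4bf7a0ae16279ba": "iissvr.exe (port 80 listener)",
}
IOC_NAMES = {
    "diskpartmg16.exe", "igfxtrayex.exe", "net_ver.dat", "iissvr.exe", "taskhost16.exe",
    "taskhost32.exe", "taskhost64.exe", "recdiscm32.exe", "taskhosts64.exe", "taskchg16.exe",
    "rdpshellex32.exe", "mobysynclm64.exe", "common32.exe", "dpnsvr16.exe", "expandmn32.exe",
    "hwrcompsvc64.exe",
}

def md5_of_file(path, chunk=1 << 20):
    """Stream the file through MD5 so large files need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def sweep(root, md5_iocs=IOC_MD5, name_iocs=IOC_NAMES):
    """Return [(path, reason)] for files under root that match an indicator. A hash match is
    conclusive; a name-only match is reported separately since an unrelated file may share it."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        digest = md5_of_file(p)
        if digest in md5_iocs:
            hits.append((str(p), "md5 match: " + md5_iocs[digest]))
        elif p.name.lower() in name_iocs:
            hits.append((str(p), "name match only: " + p.name))
    return hits

def build_sample_tree(root=None):
    """Constructed sample data, not real malware: a benign file, a name lookalike, and a file
    whose hash the caller can add to md5_iocs to exercise the hash path (hypothetical helper)."""
    root = Path(root) if root else Path(tempfile.mkdtemp())
    (root / "readme.txt").write_bytes(b"benign content")
    (root / "TaskHost32.exe").write_bytes(b"name lookalike, constructed")
    (root / "sub").mkdir()
    (root / "sub" / "payload.bin").write_bytes(b"constructed sample")
    return root
```

Running `sweep(build_sample_tree())` reports only the name lookalike; supplying `md5_iocs={md5_of_file(root / "sub" / "payload.bin"): "constructed"}` shows the conclusive hash path as well.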
TLP: GREEN