Final1stspy for fun

Yesterday evening I downloaded a copy of the ‘Final1stspy’ malware analysed by Jay Rosenberg (https://www.intezer.com/apt37-final1stspy-reaping-the-freemilk/) on the same day. This is a variant of a malicious component that is part of a larger malware set used by the Reaper group to conduct its operations. The original discovery is to be attributed to Unit 42 of Palo Alto Networks (https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/).

I performed some analysis on the Final1stspy variant I obtained in order to spot any new CnC beyond those already discovered by the original researchers. Unfortunately, at the moment I write this post, I can say the sample in my possession is communicating with the same CnC already reported by Unit 42, which is kmbr1.nitesbr1[.]org. It is interesting to see the dynamic loading of many functions, including those responsible for external HTTP requests:

[Figure 1]

and the following calls:

[Figure 2]

IoC:

sha1: 38f28bfce4d0b2b497e6cf568d08a2b6af244653

sha256: 2011b9aa61d280ca9397398434af94ec26ddb6ab51f5db269f1799b46cf65a76

CnC: kmbr1.nitesbr1[.]org

Finally, I developed a YARA rule to help in hunting this specific threat.


rule Reaper_Final1stspy {
    meta:
        description = "YARA - Final1stspy"
        author = "Emanuele De Lucia"
        score = 70
    strings:
        /* Strings: the CnC beacon format string and three encoded blobs */
        $s0 = "MachineId=%s&InfoSo=%s&Index=%s&Account=%s&Group=%s" ascii fullword
        $s1 = "vNLwAvHl9vsC8Lzl9vsCvPb6/gQCvPb9AwLnve/3758=" ascii fullword
        $s2 = "1/zw87/P8fwAAvDwv9LvA/7zAp8=" ascii fullword
        $s3 = "+PoB8a69/fbzAvAB8a69/PEEnw==" ascii fullword
        /* 10001B40+4C to 10001B40+9B - dynamic import resolution:
           push <imm32 name>; call [import]; mov esi,[import]; mov edi,eax;
           then repeated push <imm32 name>; push edi; call esi
           (the usual LoadLibrary/GetProcAddress pattern) */
        $h0 = { 68 98 54 03 10 FF 15 34 90 02 10 8B 35 38 90 02 10 8B F8 68 B0 54 03 10 57 FF D6 68 C0 54 03 10 57 8B D8 FF D6 68 D4 54 03 10 57 89 85 50 FB FF FF FF D6 68 E8 54 03 10 57 89 85 60 FB FF FF FF D6 68 FC 54 03 10 57 89 85 48 FB FF FF FF D6 68 0C 55 03 10 }
        /* Decode loop: SSE movups / paddb xmm2 / pxor xmm3 on two 16-byte
           blocks per iteration, then add ecx,20h; cmp ecx,edx; jl */
        $h1 = { 0F 10 04 0F 0F 28 CA 66 0F FC C2 66 0F EF C3 0F 11 04 0F 0F 10 44 0F 10 66 0F FC C8 66 0F EF CB 0F 11 4C 0F 10 83 C1 20 3B CA 7C D4 }
    condition:
        /* Parentheses are required: 'and' binds tighter than 'or', so without
           them the MZ and filesize checks would only guard the $s branch and
           any blob containing both hex patterns would match. */
        uint16(0) == 0x5a4d and filesize < 500KB and (4 of ($s*) or 2 of ($h*))
}
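The condition of the rule above is where such rules usually go wrong: YARA gives `and` higher precedence than `or`, so `A and B and C or D` is `(A and B and C) or D`. The following is an added example, not code from the original post or from the author: a plain-Python re-implementation of the rule's atoms (the strings and hex patterns are copied from the rule, the `fullword` and `filesize` semantics are approximated) that compares the condition as it is commonly written without parentheses against the parenthesised form. Every sample buffer is constructed here for the demonstration and contains no real malware.

```python
"""Re-implementation of the Reaper_Final1stspy matching logic in plain
Python, to check the condition's precedence offline without a yara install.
Added example; the buffers below are constructed, not real files."""
import re

# $s0..$s3 from the rule (ascii fullword)
ASCII_STRINGS = [
    b"MachineId=%s&InfoSo=%s&Index=%s&Account=%s&Group=%s",
    b"vNLwAvHl9vsC8Lzl9vsCvPb6/gQCvPb9AwLnve/3758=",
    b"1/zw87/P8fwAAvDwv9LvA/7zAp8=",
    b"+PoB8a69/fbzAvAB8a69/PEEnw==",
]
# $h0 (dynamic import resolution) and $h1 (SSE decode loop) from the rule
HEX_PATTERNS = [
    bytes.fromhex("6898540310FF15349002108B35389002108BF868B054031057FFD6"
                  "68C0540310578BD8FFD668D454031057898550FBFFFFFFD6"
                  "68E854031057898560FBFFFFFFD668FC54031057898548FBFFFFFFD6"
                  "680C550310"),
    bytes.fromhex("0F10040F0F28CA660FFCC2660FEFC30F11040F0F10440F10"
                  "660FFCC8660FEFCB0F114C0F1083C1203BCA7CD4"),
]
MAX_FILESIZE = 500 * 1024  # YARA's "500KB"


def count_fullword(data: bytes, needles) -> int:
    """Number of needles present as YARA 'fullword' matches, i.e. not
    immediately preceded or followed by an alphanumeric byte."""
    hits = 0
    for s in needles:
        pat = rb"(?<![0-9A-Za-z])" + re.escape(s) + rb"(?![0-9A-Za-z])"
        if re.search(pat, data):
            hits += 1
    return hits


def count_hex(data: bytes, patterns) -> int:
    """Number of plain (wildcard-free) hex patterns found in data."""
    return sum(1 for p in patterns if p in data)


def condition_unparenthesised(data: bytes) -> bool:
    """MZ and size and 4 of ($s*) or 2 of ($h*) or (all of them)
    YARA parses this as (MZ and size and 4 of $s) or 2 of $h or all of them,
    so the PE-header and size checks guard only the first branch."""
    s = count_fullword(data, ASCII_STRINGS)
    h = count_hex(data, HEX_PATTERNS)
    is_pe = data[:2] == b"MZ"
    small = len(data) < MAX_FILESIZE
    all_of_them = s == len(ASCII_STRINGS) and h == len(HEX_PATTERNS)
    return (is_pe and small and s >= 4) or h >= 2 or all_of_them


def condition_parenthesised(data: bytes) -> bool:
    """MZ and size and (4 of ($s*) or 2 of ($h*)), as in the rule above."""
    s = count_fullword(data, ASCII_STRINGS)
    h = count_hex(data, HEX_PATTERNS)
    is_pe = data[:2] == b"MZ"
    small = len(data) < MAX_FILESIZE
    return is_pe and small and (s >= 4 or h >= 2)


def compare(data: bytes):
    """Return (unparenthesised, parenthesised) verdicts for one buffer."""
    return condition_unparenthesised(data), condition_parenthesised(data)


# Constructed samples (not real files):
# 1. a fake PE: MZ header padding followed by all four ascii strings
FAKE_PE = b"MZ" + b"\x00" * 62 + b"\n".join(ASCII_STRINGS) + b"\n"
# 2. a raw code dump with no MZ header that carries both hex patterns,
#    e.g. a region carved from memory or a non-PE container
RAW_CODE = b"\x90" * 16 + HEX_PATTERNS[0] + b"\xcc" * 8 + HEX_PATTERNS[1]
# 3. the same ascii strings glued into larger identifiers: fullword rejects them
GLUED = b"MZ" + b"\x00" * 62 + b"x" + b"x".join(ASCII_STRINGS) + b"x"

if __name__ == "__main__":
    for name, buf in (("FAKE_PE", FAKE_PE), ("RAW_CODE", RAW_CODE), ("GLUED", GLUED)):
        print(name, compare(buf))
```

Run stand-alone, the fake PE matches under both conditions, the raw code dump matches only under the unparenthesised one (the hex branch is never gated by the MZ check there), and the glued buffer matches under neither because `fullword` rejects strings embedded in longer alphanumeric runs. Running the real rule with `yara -s` against the same three buffers written to disk gives the same verdicts.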
