Channel: A blog about rootkits research and the Windows kernel

Flamer goes ITW

The original CrySyS research, very detailed and useful: http://www.crysys.hu/skywiper/skywiper.pdf.

The CrySyS report was updated with Kaspersky's information about the structure of mssecmgr.ocx.


On an infected machine (symptoms of infection):




Kaspersky: the Stuxnet dropper contains a Flame-like component in a resource http://www.securelist.com/en/blog/208193568/Back_to_Stuxnet_the_missing_link


Stuxnet original dropper

MD5: 2fb979eb3e8d8b1571cdd0df33427969
SHA1: 46104bf26300a5fb7a4f799d80e141b95465d0cc
File size: 611840 bytes

Unpacked/decrypted

MD5: 2f4e30a497ae6183aabfe8ba23068c1b
SHA1: 1df6ae2a5594ab29a6e60b6d9296128b1f9fd980
File size: 1603072 bytes

MD5: 7d49d4a9d7f0954a970d02e5e1d85b6b
SHA1: e6c671bc74d638cc2aa5cce656d8e1461dc7bb79
File size: 458869 bytes
File name: browse32.ocx

MD5: 2512321f27a05344867f381f632277d8
SHA1: 2909e3aec7ce35a7646e94ae9f0a32589d01d5d3
File size: 729536 bytes
File name: msglu32.ocx

Flamer has an uninstaller module [browse32.ocx] (Symantec): http://www.symantec.com/connect/blogs/flamer-urgent-suicide

MD5: 1f61d280067e2564999cac20e386041c
SHA1: d36fad73c6aeff98906008f3eb5a16812cc3188a
File size: 29928 bytes
and the related Microsoft Security Advisory (2718704), Unauthorized Digital Certificates Could Allow Spoofing:
http://technet.microsoft.com/en-us/security/advisory/2718704
http://support.microsoft.com/kb/2718704


MD5: bddbc6974eb8279613b833804eda12f9
SHA1: 93d6f85e369f92ba369fb90ce85f371663f9b700
File size: 188416 bytes
Description: PE executable (service) extracted from mscrypt.dat (c4d1ca8dd6ada3eb1c5eb507516f7c84).
Timestamp: 30 Jul 2008

MD5: b51424138d72d343f22d03438fc9ced5
SHA1: 6afb715831477625d4889482840c2fef3e8d2648
File size: 892417 bytes
File name: MSSECMGR.OCX

MD5: 0a17040c18a6646d485bde9ce899789f
SHA1: edac8c89813327101a611a13e46f18dcd44a8c23
File size: 1236992 bytes
Date: 2012-05-30 12:45:05 UTC
File name: MSSECMGR.OCX

MD5: e5a49547191e16b0a69f633e16b96560
SHA1: f6a3ebbd2e6d6c1f470af5c823daf2b938819152
File size: 1236992 bytes
Date: 2012-05-30 14:22:32 UTC
File name: MSSECMGR.OCX

MD5: 2afaab2840e4ba6af0e5fa744cd8f41f
SHA1: e26a176c88cd57cdddce2960d604c0d95a8bf9a0
File size: 116224 bytes
Date: 2009-05-21 03:01:33 UTC

MD5: 6f7325bb482885e8b85acddec685f7fa
SHA1: f3cb38d85c562136279eeec8c22ebf1e68fcd2fd
File size: 146944 bytes
Date: 2009-12-22 08:36:23 UTC

MD5: 7a2eded2c5d8bd70e1036fb5f81c82d2
SHA1: 8cd71cf5a45654e12a0e821b8f7bc66af82e7856
File size: 146944 bytes
Date: 2009-12-22 09:27:31 UTC

MD5: ee4b589a7b5d56ada10d9a15f81dada9
SHA1: 005a0a4a931333f05dc16c73224e5b9b42e83836
File size: 391168 bytes
ITW date: 2009-07-29 08:45:52 UTC

MD5: 20732c97ef66dd97389e219fc0182cb5
SHA1: 40516c37c60b1e9837ab9c1397b628a4fde24e63
File size: 634880 bytes
File name: comspol32.ocx
ITW date: 2010-07-20 13:41:34 UTC

MD5: 8ed3846d189c51c6a0d69bdc4e66c1a5
SHA1: a7e0118c0479298f2ba6d8bed118367368ffa1e3
File size: 421888 bytes
File name: advnetcfg.ocx

MD5: f0a654f7c485ae195ccf81a72fe083a2
SHA1: 9c376b014225a708e9bcdc3cce2dc463d65e405f
File size: 643944 bytes
ITW date: 2012-05-28 14:37:54 UTC
File name: advnetcfg.ocx


MD5: bb5441af1e1741fca600e9c433cb1550
SHA1: 60d5dbddae21ecb4cfb601a2586dae776ca973ef
File size: 643072 bytes
File name: advnetcfg.ocx
ITW date: 2011-05-15 04:31:30 UTC

MD5: 296e04abb00ea5f18ba021c34e486746
SHA1: 5fdd7f613db43a5b0dbec8583d30ea7064983106
File size: 160768 bytes
File name: soapr32.ocx
ITW date [MIS first upload]: 2012-05-29 00:42:43 UTC

MD5: c9e00c9d94d1a790d5923b050b0bd741
SHA1: 7105b17d07fd5b30d5386862a3b9cc1ff53a2398
File size: 827392 bytes
File name: nteps32.ocx
ITW date: 2012-05-28 05:42:31 UTC

MD5: c81d037b723adc43e3ee17b1eee9d6cc
SHA1: d4b21620d68fdc44caa20362a417b251ff833761
File size: 1300 bytes
File name: boot32drv.sys
ITW date: 2012-05-28 06:10:10 UTC

MD5: bdc9e04388bda8527b398a8c34667e18
SHA1: a592d49ff32fe130591ecfde006ffa4fb34140d5
File size: 6166528 bytes
File name: mssecmgr.ocx
ITW date: 2012-05-29 00:40:44 UTC

MD5: 5ad73d2e4e33bb84155ee4b35fbefc2b
SHA1: faaef4933e5f738e2abaff3089d36801dd871e89
File size: 53534 bytes
File name: ccalc32.sys
ITW date: 2012-05-28 15:01:01 UTC

MD5: d53b39fb50841ff163f6e9cfd8b52c2e
SHA1: 3a9ac7cd49e10a922abce365f88a6f894f7f1e9e
File size: 1721856 bytes
File name: msglu32.ocx
ITW date: 2012-05-29 00:28:45 UTC

MD5: 37c97c908706969b2e3addf70b68dc13
SHA1: 2d3e5e896c93ea2c852ad4a3ab95655c27388330
File size: 6172160 bytes
ITW date: 2012-05-30 01:43:30 UTC

Aliases:
CrySys: sKyWIper
MS: Worm:Win32/Flame.A
Kaspersky: Worm.Win32.Flame.a
Symantec: W32.Flamer
McAfee: SkyWiper

mssecmgr.ocx analysis by McAfee http://blogs.mcafee.com/enterprise/security-perspectives/skywiper-fanning-the-flames-of-cyber-warfare
soapr32.ocx analysis http://stratsec.blogspot.com/2012/05/flame-component-soapr32ocx.html
msglu32.ocx analysis http://stratsec.blogspot.com/2012/05/flame-msglu32ocx-component-that-can.html
mssecmgr.ocx description by Kaspersky http://www.securelist.com/en/blog/208193538/Flame_Bunny_Frog_Munch_and_BeetleJuice
mssecmgr.ocx analysis by Symantec http://www.symantec.com/connect/blogs/painting-picture-w32flamer

Hashes by Sophos http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Flame-Gen/detailed-analysis.aspx

More hashes and dates http://labs.alienvault.com/labs/index.php/2012/how-old-is-flame/
Hashes and dates by McAfee http://blogs.mcafee.com/mcafee-labs/what-the-skywiper-files-tell-us

Symantec: http://www.symantec.com/connect/blogs/flamer-highly-sophisticated-and-discreet-threat-targets-middle-east
Flamer: A Recipe for Bluetoothache http://www.symantec.com/connect/blogs/flamer-recipe-bluetoothache

Kaspersky: http://www.securelist.com/en/blog/208193522/The_Flame_Questions_and_Answers
Flame: Replication via Windows Update MITM proxy server http://www.securelist.com/en/blog/208193566/Flame_Replication_via_Windows_Update_MITM_proxy_server

Tool for removal from BitDefender http://labs.bitdefender.com/2012/05/cyber-espionage-reaches-new-levels-with-flamer/

W32.Flamer: Spreading Mechanism Tricks and Exploits http://www.symantec.com/connect/blogs/w32flamer-spreading-mechanism-tricks-and-exploits

Bit9: https://www.bit9.com/files/Threat_Advisor_Flame_FINAL.pdf

The list of hashes will be updated...
#malware #cyberwar #APT
