Hi everyone! We got a special piece of malware on the docket. Mila over @ contagiodump and Trusteer reported a new type of malware called Shylock. They were mum on the details aside from a threat report that was very sparse on information. So I requested a sample and proceeded to do some RE on it. We’ll look into it together, combining traditional reverse engineering with Volatility to find the artifacts that verify an infection in memory. (Download the Shylock infected memory sample here)
The dropper can be downloaded from here (the pw is “infected”). It does some basic decryption of itself and then proceeds to create a few files: one is a copy of itself in a random path, the other a .bat file that is run from cmd.exe with the /c switch to change the attributes on the dropped files and then erase them after malicious code has been injected into explorer.exe. The dropper spawns this command shell to process the .bat file. The bat file is pasted below.
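Because the .bat file is erased once it has run, the command line that launched it is one of the few artifacts that survives in memory. The following is an added example, not code from the original post, that scans a constructed process listing (pid, ppid, name, command line, in the shape a Volatility pslist/cmdline pass would give you; the sample values are made up) for a cmd.exe /c launch of a .bat file and walks the parent chain back to the process that spawned it.

```python
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    cmdline: str


# Constructed sample resembling a memory-image process listing; not real Shylock data.
SAMPLE = [
    Proc(4, 0, "System", ""),
    Proc(1234, 4, "explorer.exe", "C:\\Windows\\explorer.exe"),
    Proc(2020, 1234, "dropper.exe", "C:\\Users\\user\\Downloads\\dropper.exe"),
    Proc(2100, 2020, "cmd.exe",
         'cmd.exe /c "C:\\Users\\user\\AppData\\Local\\Temp\\abc123.bat"'),
    Proc(1500, 1234, "cmd.exe", "cmd.exe"),  # interactive shell, benign
]

# cmd.exe /c <something>.bat, optionally quoted; case-insensitive like cmd itself
BAT_VIA_CMD = re.compile(r'cmd(\.exe)?\s+/c\s+"?([^"\s]+\.bat)', re.IGNORECASE)


def find_bat_launches(procs):
    """Return (pid, parent name, .bat path) for every cmd.exe /c <file>.bat."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        m = BAT_VIA_CMD.search(p.cmdline)
        if m:
            parent = by_pid.get(p.ppid)
            hits.append((p.pid, parent.name if parent else None, m.group(2)))
    return hits


def lineage(procs, pid):
    """Walk ppid links from pid up to the root; names from child to ancestor."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].name)
        pid = by_pid[pid].ppid
    return chain


if __name__ == "__main__":
    for pid, parent, bat in find_bat_launches(SAMPLE):
        print(pid, parent, bat, " <- ".join(lineage(SAMPLE, pid)))
```

The same parent-chain walk is what you would use on a real image to confirm that the shell which ran the batch file was not started by the user but by the dropper.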