Trojan Oficla (alias Sasfis)

Forum for analysis and discussion about malware.
EP_X0FF
Global Moderator
Posts: 4806
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Trojan Oficla (alias Sasfis)

Post by EP_X0FF » Fri Mar 26, 2010 6:15 am

Trojan that uses a Microsoft Office component, Word, to survive and download additional stuff.
If Microsoft Office is not installed / Word is not present, the trojan starts an additional svchost process and uses it for its purposes (in both cases the trojan maps a malicious DLL inside the address space of the victim process).

The bot (file.ex_ in the attachment) is trying to contact _hxxp://netmegasite.net/source/bb.php (C&C link obfuscated) to get additional instructions.

Norton Safe Web report

It gets additional commands looking like this:
(link obfuscated)

VirusTotal report for 2_u.exe

Sets itself to autorun through the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell registry key.

Original dropper VirusTotal result
Extracted malicious code to be injected inside svchost/winword VirusTotal result

All samples, including payload, attached.
Ring0 - the source of inspiration
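
The two host-side traces the post describes, a Winlogon\Shell value that no longer holds only explorer.exe and an svchost.exe that was not started by services.exe, can be checked with a short script. The code below is an added example, not code from the post or from the sample; the registry value and process list it runs on by default are constructed test data (the `dropped.exe` name is made up), and the `--live` collectors assume a Windows host with `psutil` installed.

```python
"""Check for the two host traces described in the post above:
1. a Winlogon\\Shell value with entries other than explorer.exe, and
2. svchost.exe processes whose parent is not services.exe.
Added example; not the sample's or the poster's code.  SAMPLE_SHELL and
SAMPLE_PROCS are constructed test data; pass --live on Windows to read the
real registry value and process list instead."""
import sys
from typing import Dict, List, Tuple

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFAULT_SHELL = "explorer.exe"          # stock value of Winlogon\Shell

Process = Tuple[int, int, str]          # (pid, ppid, image name)

# Constructed: a Shell value with a dropped program appended after explorer.exe.
SAMPLE_SHELL = "explorer.exe,C:\\Documents and Settings\\user\\dropped.exe"

# Constructed process snapshot: one svchost under services.exe (normal) and
# one started by the dropper, as the post describes for hosts without Word.
SAMPLE_PROCS: List[Process] = [
    (4, 0, "System"),
    (400, 4, "smss.exe"),
    (600, 400, "winlogon.exe"),
    (700, 600, "services.exe"),
    (900, 700, "svchost.exe"),          # legitimate: parent is services.exe
    (1200, 600, "explorer.exe"),
    (2500, 1200, "dropped.exe"),        # constructed: the dropper
    (2600, 2500, "svchost.exe"),        # constructed: trojan-started svchost
]


def suspicious_shell_entries(shell_value: str) -> List[str]:
    """Return every entry of a Winlogon Shell value that is not exactly
    'explorer.exe'.  The value is a comma-separated program list; the
    default is the bare name, so even a full path to explorer.exe is worth
    a look (it may be a renamed copy elsewhere on disk)."""
    entries = [e.strip() for e in shell_value.split(",") if e.strip()]
    return [e for e in entries if e.strip('"').lower() != DEFAULT_SHELL]


def orphaned_svchost(procs: List[Process]) -> List[Process]:
    """Return svchost.exe processes whose parent is not services.exe.
    A parent that no longer exists (PID reuse, exited dropper) is also
    flagged, since a real svchost keeps services.exe as its parent."""
    by_pid: Dict[int, Process] = {p[0]: p for p in procs}
    flagged = []
    for pid, ppid, name in procs:
        if name.lower() != "svchost.exe":
            continue
        parent = by_pid.get(ppid)
        if parent is None or parent[2].lower() != "services.exe":
            flagged.append((pid, ppid, name))
    return flagged


def live_shell_value() -> str:
    """Read the real Winlogon\\Shell value (Windows only)."""
    import winreg  # standard library on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Shell")
        return value


def live_process_list() -> List[Process]:
    """Snapshot (pid, ppid, name) with psutil (assumption: installed)."""
    import psutil
    return [(p.info["pid"], p.info["ppid"], p.info["name"] or "")
            for p in psutil.process_iter(["pid", "ppid", "name"])]


def main(argv: List[str]) -> int:
    if "--live" in argv:
        shell, procs = live_shell_value(), live_process_list()
    else:
        shell, procs = SAMPLE_SHELL, SAMPLE_PROCS
    bad_shell = suspicious_shell_entries(shell)
    bad_svchost = orphaned_svchost(procs)
    for entry in bad_shell:
        print("Winlogon\\Shell carries extra program:", entry)
    for pid, ppid, _ in bad_svchost:
        print(f"svchost.exe pid {pid} has parent pid {ppid}, not services.exe")
    return 1 if (bad_shell or bad_svchost) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run without arguments to see the constructed case flagged; on an infected XP-era host, `--live` would report the appended Shell entry and the dropper-spawned svchost.exe. Neither check alone is proof of infection (some deployments legitimately customise Shell), but together they match exactly what the post describes.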


gjf
Posts: 198
Joined: Mon Mar 15, 2010 10:23 am
Location: Where I lay my head is home

Re: Trojan Oficla

Post by gjf » Fri Jun 18, 2010 1:17 pm

Another dropper. Not detected at present. Password is: virus
hxxp://www.megaupload.com/?d=JZNRGNVZ
VirusInfo / Defendium / SafeZone Helpers Crew

tomatto007
Posts: 24
Joined: Fri Mar 19, 2010 8:16 pm

Re: Trojan Oficla

Post by tomatto007 » Sat Jun 19, 2010 11:34 am

gjf wrote:Another dropper. Not detected at present. Password is: virus
hxxp://www.megaupload.com/?d=JZNRGNVZ
I downloaded the file but I cannot unzip it. Please write your password once again? ;)

Alex
Posts: 268
Joined: Sun Mar 07, 2010 11:34 am

Re: Trojan Oficla

Post by Alex » Sat Jun 19, 2010 7:24 pm

The password which gjf posted above, virus, is correct. If you have any security software installed, try to disable it while extracting the archive.
I am Jack's NULL pointer (actual e-mail contact.ntinternals_at_gmail.com)

tomatto007
Posts: 24
Joined: Fri Mar 19, 2010 8:16 pm

Re: Trojan Oficla

Post by tomatto007 » Sat Jun 19, 2010 8:35 pm

Oooops :roll:

happyhappy
Posts: 1
Joined: Thu Mar 25, 2010 4:18 am

Re: Trojan Oficla

Post by happyhappy » Mon Jun 21, 2010 9:23 am

tomatto007 wrote:Oooops :roll:
Pass: virus

tomatto007
Posts: 24
Joined: Fri Mar 19, 2010 8:16 pm

Re: Trojan Oficla

Post by tomatto007 » Mon Jun 21, 2010 5:28 pm

Thanks ;)

EP_X0FF
Global Moderator
Posts: 4806
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Trojan Oficla (alias Sasfis)

Post by EP_X0FF » Sat Jul 03, 2010 5:44 am

UPX -> custom cryptor -> Delphi.
pro WinSock System SysInit Windows Types Unit1 MagicApiHook ShellAPI
original (in attachment)
http://www.virustotal.com/analisis/654d ... 1278134671

removed upx
http://www.virustotal.com/analisis/b8ad ... 1278135472
Ring0 - the source of inspiration
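
The layering stated above (UPX on the outside, a custom cryptor, a Delphi binary underneath) is the kind of thing a first triage pass should confirm before unpacking by hand: the stock UPX section names and the Delphi RTL unit names quoted in the post are both visible in the file. The script below is an added example, not the poster's tooling; it parses the PE section table by hand so it needs no third-party module, and `build_minimal_pe()` builds a constructed, header-only PE as test input (the unit-name search is a coarse string heuristic, not a Delphi parser).

```python
"""Static triage for the packing chain described in the post above:
report PE section names, flag the UPX0/UPX1 names stock UPX leaves behind,
and look for the Delphi RTL unit names the post quotes.  Added example, not
code from the post; build_minimal_pe() produces constructed test input."""
import re
import struct
import sys
from typing import List

UPX_SECTIONS = {"UPX0", "UPX1", "UPX2"}   # names stock UPX writes
# Unit names quoted in the post; "System" and "SysInit" are in every Delphi EXE.
DELPHI_UNITS = [b"System", b"SysInit", b"Windows", b"Types", b"ShellAPI", b"WinSock"]


def section_names(pe: bytes) -> List[str]:
    """Walk DOS header -> NT headers -> section table and return the names."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    num_sections, size_opt = struct.unpack_from("<2xH12xH2x", pe, coff)
    table = coff + 20 + size_opt
    names = []
    for i in range(num_sections):
        raw = pe[table + 40 * i: table + 40 * i + 8]
        if len(raw) < 8:
            raise ValueError("section table truncated")
        names.append(raw.split(b"\0", 1)[0].decode("latin-1"))
    return names


def looks_upx_packed(pe: bytes) -> bool:
    """True if any section carries a stock UPX name.  A custom packer or a
    modified UPX can rename sections, so False is not proof of 'not packed'."""
    return any(n in UPX_SECTIONS for n in section_names(pe))


def delphi_unit_hits(data: bytes) -> List[str]:
    """Return the Delphi unit names from DELPHI_UNITS that appear as whole
    ASCII words anywhere in the data (a triage signal, not a Delphi parser).
    On a still-packed sample these only show up after unpacking."""
    hits = []
    for unit in DELPHI_UNITS:
        pattern = rb"(?<![A-Za-z0-9_])" + re.escape(unit) + rb"(?![A-Za-z0-9_])"
        if re.search(pattern, data):
            hits.append(unit.decode())
    return hits


def build_minimal_pe(names: List[str], tail: bytes = b"") -> bytes:
    """Constructed test input: a header-only PE32 image with the given
    section names, followed by arbitrary bytes to stand in for file data."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: NT headers follow
    opt_size = 0xE0                                  # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt_size, 0x102)
    sections = b"".join(struct.pack("<8s32x", n.encode()) for n in names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + sections + tail


def triage(pe: bytes) -> dict:
    """Collect the three observations in one place."""
    return {
        "sections": section_names(pe),
        "upx": looks_upx_packed(pe),
        "delphi_units": delphi_unit_hits(pe),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:  # constructed: UPX-named sections plus unpacked-looking strings
        data = build_minimal_pe(["UPX0", "UPX1", ".rsrc"],
                                b"\0System\0SysInit\0ShellAPI\0")
    for key, value in triage(data).items():
        print(f"{key}: {value}")
```

Running it on the original attachment would be expected to show the UPX section names but few unit-name hits; on the "removed upx" copy the Delphi units become visible, which is the layering the post records. Treat both outputs as leads for the manual unpacking step, not as a classifier.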

Evilcry
Posts: 135
Joined: Tue Apr 20, 2010 6:10 pm

Oficla

Post by Evilcry » Fri Sep 24, 2010 8:55 am

Hi,

The following sample came from a malicious domain that has the particularity of caching the victim's IP;
a second access leads to a 404. Here is the Oficla trojan I've extracted from it.

Regards
