
Trojan Oficla (alias Sasfis)

PostPosted:Fri Mar 26, 2010 6:15 am
by EP_X0FF
Trojan that uses a Microsoft Office component, Word, to survive and download additional stuff.
If Microsoft Office is not installed / Word is not present, the trojan starts an additional svchost process and uses it for its purposes (in both cases the trojan maps a malicious dll inside the address space of the victim process).

Bot (file.ex_ in attach) tries to contact _hxxp://netmegasite.net/source/bb.php (C&C link obfuscated) to get additional instructions.

Norton Safe Web report

It gets additional commands that look like this:
[info]runurl:_hxxp://www.gynweb.de/forum/customavatars/2_u.e ... 0|backurls:[/info]
(link obfuscated)

VirusTotal report for 2_u.exe

Sets itself to autorun through the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell registry key.

Original dropper: VirusTotal result
Extracted malicious code to be injected into svchost/winword: VirusTotal result

All samples, including payload, attached.
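As an added example (not code from the original post and not the trojan's own code), the two indicators above can be turned into a small triage script: one function parses the `[info]key:value|...[/info]` reply format so the download URL can be pulled out and kept defanged, and another checks a Winlogon\Shell value for anything besides the default explorer.exe. It assumes the field layout of the single reply shown above generalizes (fields separated by `|`, key and value separated by the first `:`, several URLs in one field separated by whitespace), and the sample reply and registry value below are constructed; the host cdn.example.test is a placeholder, not the real C&C.

```python
"""Triage helpers for the Oficla/Sasfis indicators described in the post.

Added example; the C&C reply and Shell value below are constructed, not captured.
"""
import ntpath
import re
from urllib.parse import urlparse

# Constructed sample of the reply format seen in the post (placeholder host).
SAMPLE_REPLY = "[info]runurl:_hxxp://cdn.example.test/forum/customavatars/2_u.exe|backurls:[/info]"

# Constructed Shell value in the shape the post describes (explorer.exe plus the trojan).
SAMPLE_SHELL = 'Explorer.exe, "C:\\Documents and Settings\\user\\evil.exe"'

INFO_BLOCK = re.compile(r"\[info\](.*?)\[/info\]", re.DOTALL)
EXPECTED_SHELL = "explorer.exe"


def refang(url):
    """Undo the forum-style obfuscation (leading '_', hxxp://) to get the wire form."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url.strip().lstrip("_"), flags=re.IGNORECASE)


def defang(url):
    """Re-defang a URL so it is safe to paste into a report."""
    return re.sub(r"^http(s?)://", r"hxxp\1://", url, flags=re.IGNORECASE)


def parse_c2_reply(body):
    """Parse an [info]k:v|k:v[/info] block into a dict; {} if no block is present.

    Assumption: fields are '|'-separated and only the first ':' separates key
    from value, so 'runurl:http://...' keeps its scheme intact.
    """
    match = INFO_BLOCK.search(body)
    if not match:
        return {}
    fields = {}
    for field in match.group(1).split("|"):
        if not field.strip():
            continue
        key, sep, value = field.partition(":")
        fields[key.strip()] = value.strip() if sep else ""
    return fields


def extract_download_urls(body):
    """Return the defanged download URLs from the runurl/backurls fields.

    Assumption: multiple URLs in one field are whitespace-separated.
    Tokens that do not parse as http(s) URLs with a host are dropped.
    """
    fields = parse_c2_reply(body)
    urls = []
    for key in ("runurl", "backurls"):
        for token in fields.get(key, "").split():
            candidate = refang(token)
            parsed = urlparse(candidate)
            if parsed.scheme in ("http", "https") and parsed.netloc:
                urls.append(defang(candidate))
    return urls


def check_winlogon_shell(value):
    """Return the entries of a Winlogon\\Shell value that are not explorer.exe.

    The documented default is exactly 'explorer.exe'. Extra programs are
    comma-separated, so anything else (including a space-appended path that
    rides on the explorer.exe entry) shows up as a non-explorer basename.
    An empty value is also not the default and is returned as-is.
    """
    entries = [e.strip() for e in value.split(",") if e.strip()]
    if not entries:
        return [value]
    flagged = []
    for entry in entries:
        exe = ntpath.basename(entry.strip('"')).lower()
        if exe != EXPECTED_SHELL:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    print("C&C fields:", parse_c2_reply(SAMPLE_REPLY))
    print("download URLs:", extract_download_urls(SAMPLE_REPLY))
    print("suspicious Shell entries:", check_winlogon_shell(SAMPLE_SHELL))
```

On a live Windows host the Shell value can be read with `winreg` (HKEY_LOCAL_MACHINE, the key path quoted in the post) and fed to `check_winlogon_shell`; the script itself runs offline on the constructed samples.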

Re: Trojan Oficla (alias Sasfis, Sisron)

PostPosted:Thu Apr 01, 2010 4:00 pm
by cjbi

Re: Trojan Oficla

PostPosted:Fri Jun 18, 2010 1:17 pm
by gjf
Another dropper. Not detected at present. Password is virus
hxxp://www.megaupload.com/?d=JZNRGNVZ

Re: Trojan Oficla

PostPosted:Sat Jun 19, 2010 11:34 am
by tomatto007
gjf wrote:Another dropper. Not detected at present. Password is virus
hxxp://www.megaupload.com/?d=JZNRGNVZ
I downloaded the file but I cannot unzip it - please write your password once again? ;)

Re: Trojan Oficla

PostPosted:Sat Jun 19, 2010 7:24 pm
by Alex
The password which gjf posted above - virus - is correct. If you have any security software installed, try to disable it while extracting the archive.

Re: Trojan Oficla

PostPosted:Sat Jun 19, 2010 8:35 pm
by tomatto007
Oooops :roll:

Re: Trojan Oficla

PostPosted:Mon Jun 21, 2010 9:23 am
by happyhappy
tomatto007 wrote:Oooops :roll:
Pass: virus

Re: Trojan Oficla

PostPosted:Mon Jun 21, 2010 5:28 pm
by tomatto007
Thanks ;)

Re: Trojan Oficla (alias Sasfis)

PostPosted:Sat Jul 03, 2010 5:44 am
by EP_X0FF
UPX -> custom cryptor -> Delphi.
pro WinSock System SysInit Windows Types Unit1 MagicApiHook ShellAPI
original (in attach)
http://www.virustotal.com/analisis/654d ... 1278134671

removed upx
http://www.virustotal.com/analisis/b8ad ... 1278135472

Oficla

PostPosted:Fri Sep 24, 2010 8:55 am
by Evilcry
Hi,

The following sample came out of a malicious domain that has the particularity of caching the victim's IP:
a second access leads to a 404. Here is the Oficla trojan I've extracted from it.

Regards