Good day to all! Can you help me to analyze this backdoor?

Leonardo Esqui

Level 1
Thread author
Nov 26, 2016
2
Hello guys, I am new to the FireEye NX2400. Malware was detected on my network. I don't have a background in malware analysis, can somebody help me figure these things out?

Code:
<?xml version="1.0" encoding="utf-8" ?>
<alert id="5234" name="malware-callback" severity="crit">
  <explanation analysis="content" protocol="tcp">
    <malware-detected>
      <malware name="Backdoor.APT.Mirage" sid="33352722" stype="bot-command" />
    </malware-detected>
    <cnc-services>
      <cnc-service port="80" protocol="tcp">
        <address>107.151.206.103</address>
        <location>US/WY/Cheyenne</location>
        <channel>POST /search%3Fgid%3Dgfadpbdbptcpajedsxbwpnugpemgzofa HTTP/1.1 Accept: */* Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; Tablet PC 2.0) Content-Type: application/x-www-form-urlencoded Connection: Close Host: 107.151.206.103 Content-Length: 320 \251\221\200\377\311\322{\314\307$=\321\350\250\351(\226}t\3500\243\237\332A4\275\226Kh\245\240\212\207\350\260\257,\373\303__\370\334]\314Xg\250\242\243\315\246?\225*`L\224.{\230\323\362\313\361\200\266\377\366t\334\352y>\325e8\346g~\222\237tY*B\277\000\374J6\361\225\212\340\262\312\214\277\366\316\245q_\251*8\257\262\371\2574\304\337q\345\226\356\314\370!*b=\244\224}\340S\353\243\215z@\364\370S^\326\321\357\331\377\324\310D\232\202\303\226\304c+m\321U\324#\3454\206\336\274\300+wC\342\234#t\353\340\241\305\305?p<P\261\312\346\241\347\363\253\374nY\203\210U"\341\316\262\321\3146\335\325\235\324xFW|\245q \231%\345J\233\271\232\327%Q\335\232\220*\311 \223\307\260\271\233cq\300\274lL\205|\201\341n\331\362\215\3379\362,0\363\237cV\321\304\362G\373&\261\350\214?\250\260\232\235\237\2228\224\272!?\336s\314-\336Q</channel>
      </cnc-service>
    </cnc-services>
  </explanation>
  <src vlan="0">
    <ip>--</ip>
    <port>50931</port>
    <mac>--</mac>
  </src>
  <dst>
    <ip>107.151.206.103</ip>
    <mac>--</mac>
    <port>80</port>
  </dst>
  <locations>US/WY/Cheyenne</locations>
  <occurred>2016-11-26T03:50:33Z</occurred>
  <interface label="A" mode="inline">pether4</interface>
  <alert-url>--</alert-url>
  <action>blocked</action>
</alert>
 

RoboMan

Level 35
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,400
If you wish to know what the mentioned malware is able to do to your system, you could upload the file to the Malware Analysis Forum. If you wish to know what the malware has done so far on your network, we'll need you to run some tools to see the logs. But I won't help you there, since TwinHeadedEagle is the one allowed to help with malware removal or malware assistance. Check the forum mentioned by @Wave. Have a great day! :)

So far, I guess you could take a look at this: The Mirage Campaign
 

Leonardo Esqui

Level 1
Thread author
Nov 26, 2016
2
Wave said:
I don't understand what you want us to do for you; there's not much we can do, as you haven't provided us with a sample for us to actually analyse to give you information, nor do we have any sort of access to your system. If you are requesting malware removal assistance (e.g. if your system is currently infected) then go to this area: Malware Removal Assistance

Ok bro, I will update you with the result. Thanks :)

RoboMan said:
So far, I guess you could take a look at this: The Mirage Campaign

The link you provided is very informative. Thanks for this, bro. I hope you can help me to figure out the malware activity. If it is not annoying, can you tag me in some of your troubleshooting guides?

Quote:
As @Wave said, could you elaborate by providing us more details regarding your system and the detected sample.
What you have provided is a log, but it does not provide sufficient info to deal with your request.

Ok bro, I will upload some samples. The NX2400 detected the malware but didn't delete or remove the malware on the infected PC, so I need to manually delete it. Do you have any open source software that can do the task? Thanks for your effort :)
 

Exterminator

Community Manager
Verified
Staff Member
Well-known
Oct 23, 2012
12,527
Leonardo Esqui said:
I will upload some samples. The NX2400 detected the malware but didn't delete or remove the malware on the infected PC, so I need to manually delete it. Do you have any open source software that can do the task? Thanks for your effort :)

If you are trying to get help with removing malware from your PC, please post it here: Malware Removal Assistance
 

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
From the log it seems you are infected by an APT backdoor.
It is a complex malware designed to be persistent and to intercept mail, attachments, passwords, and sensitive data.
APT malware sends the stolen data to intermediate servers: the data is encrypted and compressed and then directed to the final destination.
Being an advanced malware, in my opinion it is necessary to take control of the situation by creating a new thread in Malware Removal Assistance, as already suggested above.
 

askmark

Level 12
Verified
Top Poster
Well-known
Aug 31, 2016
578
Hi Leonardo

The FireEye NX2400 is an enterprise-class network threat protection appliance that costs many thousands of dollars. Are you using such a powerful device on your home network?

Just to make you aware, the forum staff on this site are not paid for their time and as a result can only provide malware removal assistance to home users.
 

Wingman

Level 4
Verified
Well-known
Feb 6, 2017
154
Leonardo Esqui said:
Hello guys, I am new to the FireEye NX2400. Malware was detected on my network. I don't have a background in malware analysis, can somebody help me figure these things out?

Based on the XML output, it appears that your FireEye blocked a POST callback from your internal IP (removed in the XML) to 107.151.206.103. Your FE instance would have a pcap for the specific traffic, so you would be able to trace and identify what was being sent out (there was a POST request that was blocked).
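Leonardo's alert at the top of the thread and Wingman's point that the NX keeps a pcap of the blocked session come down to the same triage job: pull the signature, the C2 endpoint and the flattened HTTP request out of the alert XML and turn them into something to pivot on. The script below is an added example written for this thread; it is not FireEye code and not something any poster supplied. It assumes only what the pasted alert shows: the NX joins the request line, headers and body of the callback into one space-separated `<channel>` string and renders non-printable body bytes as C-style octal escapes (`\251` is byte 0xA9). The embedded alert is the thread's own, with the POST body cut to its first twelve bytes and the elements the code does not read dropped; the function names and dictionary keys are mine.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# The thread's malware-callback alert, cut to the elements read below. The POST
# body inside <channel> is truncated to its first twelve bytes; the NX writes
# non-printable bytes as C-style octal escapes, so the string is plain ASCII.
ALERT_XML = r"""<?xml version="1.0" encoding="utf-8" ?>
<alert id="5234" name="malware-callback" severity="crit">
  <explanation analysis="content" protocol="tcp">
    <malware-detected>
      <malware name="Backdoor.APT.Mirage" sid="33352722" stype="bot-command" />
    </malware-detected>
    <cnc-services>
      <cnc-service port="80" protocol="tcp">
        <address>107.151.206.103</address>
        <location>US/WY/Cheyenne</location>
        <channel>POST /search%3Fgid%3Dgfadpbdbptcpajedsxbwpnugpemgzofa HTTP/1.1 Accept: */* Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; Tablet PC 2.0) Content-Type: application/x-www-form-urlencoded Connection: Close Host: 107.151.206.103 Content-Length: 320 \251\221\200\377\311\322{\314\307$=\321</channel>
      </cnc-service>
    </cnc-services>
  </explanation>
  <src vlan="0"><ip>--</ip><port>50931</port><mac>--</mac></src>
  <dst><ip>107.151.206.103</ip><mac>--</mac><port>80</port></dst>
  <occurred>2016-11-26T03:50:33Z</occurred>
  <action>blocked</action>
</alert>"""

HEADER_START = re.compile(r"(?:^| )([A-Za-z][A-Za-z0-9-]*): ")


def parse_alert(xml_text: str) -> dict:
    """Fields an analyst triages first. src ip is '--' because the poster redacted it."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    mal = root.find("./explanation/malware-detected/malware")
    cnc = root.find("./explanation/cnc-services/cnc-service")
    return {
        "id": root.get("id"), "severity": root.get("severity"),
        "malware": mal.get("name"), "sid": mal.get("sid"),
        "cnc": (cnc.findtext("address"), int(cnc.get("port")), cnc.get("protocol")),
        "channel": cnc.findtext("channel"),
        "src_ip": root.findtext("src/ip"), "src_port": int(root.findtext("src/port")),
        "dst_ip": root.findtext("dst/ip"), "dst_port": int(root.findtext("dst/port")),
        "occurred": root.findtext("occurred"), "action": root.findtext("action"),
    }


def split_channel(channel: str) -> dict:
    """Re-split the request the NX flattened into <channel> with single spaces.

    Header boundaries are recovered from the 'Name: ' pattern; the body is
    whatever follows the Content-Length value (a binary body containing a
    'Word: ' run would fool this, which is why the pcap is the real source).
    """
    m = re.match(r"(\S+) (\S+) (HTTP/\d\.\d) (.*)\Z", channel, re.S)
    if not m:
        raise ValueError("channel does not start with an HTTP request line")
    method, uri, version, rest = m.groups()
    starts = list(HEADER_START.finditer(rest))
    headers, body = {}, ""
    for i, h in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(rest)
        value = rest[h.end():end]
        if i == len(starts) - 1 and h.group(1).lower() == "content-length":
            value, _, body = value.partition(" ")
        headers[h.group(1)] = value
    return {"method": method, "uri": uri, "version": version,
            "headers": headers, "body": body}


def unescape_octal(text: str) -> bytes:
    # "\251" -> b"\xa9": one to three octal digits after a backslash, as in C
    raw = text.encode("latin-1")
    return re.sub(rb"\\([0-7]{1,3})", lambda m: bytes([int(m.group(1), 8)]), raw)


def triage(xml_text: str) -> dict:
    """IOC summary plus a BPF filter for pulling the session out of the NX pcap."""
    a = parse_alert(xml_text)
    req = split_channel(a["channel"])
    body = unescape_octal(req["body"])
    declared = int(req["headers"].get("Content-Length", "0"))
    return {
        "malware": a["malware"], "sid": a["sid"], "action": a["action"],
        "c2": f"{a['cnc'][0]}:{a['cnc'][1]}/{a['cnc'][2]}",
        "uri_raw": req["uri"],
        # '?' and '=' are percent-encoded, so the request line carries one opaque
        # path segment rather than a query string: a client-side quirk to detect on
        "uri_decoded": unquote(req["uri"]),
        "user_agent": req["headers"].get("User-Agent"),
        "body_bytes": len(body),
        "body_complete": len(body) == declared,
        # "tcp port" on both sides matches either direction of the session
        "pcap_filter": f"host {a['dst_ip']} and tcp port {a['dst_port']} "
                       f"and tcp port {a['src_port']}",
    }


if __name__ == "__main__":
    for key, value in triage(ALERT_XML).items():
        print(f"{key:14} {value}")
```

`body_complete` comes out False here only because the embedded body is truncated against the declared `Content-Length: 320`; on the full channel string from the appliance it should be True, and if it is not, the NX cut the capture short and the pcap is the place to look. Two caveats for anyone feeding the thread's paste straight in: the full channel text contains an unescaped `<` (the `?p<P` run in the body), so the XML as pasted will not parse until that character is escaped or the channel is pulled out with a regex first; and the `pcap_filter` string is a capture-filter (BPF) expression, which `tcpdump -r` accepts but which is not a Wireshark display filter.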
 
