SmartConnect.exe Malware


VirusTotal

SHA-256 — 7c3e2a38dcacc3246409151ecdf283814611a8f9d98ed0e5996fb2615adc2cc2

I pulled the request for the malware sample from Malshare for analysis and renamed the file with an .exe extension.

Tools I used: OllyDbg, Wireshark, PE Explorer.

I downloaded the malware sample, opened it in PE Explorer, and found the resource information.


Before I started debugging, I extracted the malware executable file using 7-Zip. There were 2 VPN applications: the KVPN Kerio application and OpenVPN.

[Image: extractedfile.PNG]

On opening the settings.ini file from the above list, the license owner information was given as www. WebTune . ir

[Image: WebTune]

I started debugging the malware executable in OllyDbg. It shows the behavior of the application; see the image below.

[Image: exe files]

The malware program got installed, and the location was

C:\Program Files (x86)\P3Filter v2.3714840114\SmartConnection.exe

It also added a shortcut file to the Start programs menu.

[Image: StartupLocation.PNG]

It also installed the Kerio VPN switch adapter on my virtual machine.

[Image: VPNInstalled.PNG]

Wireshark packets showed that the application is trying to connect to the URL below, and DNS is resolving to the domain mycn .ir

domain — mycn. ir

[Image: DNS]

[Image: smaconn_sm_https64_txt_1]

Please post your suggestions to improve my analysis.

Thanks.
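The indicators recorded above (file hash, install path, contacted domain) can be turned into a small host and DNS-log sweep. This is an added example, not code from the original post; the DNS log format, the sample log lines and the function names are assumptions made for illustration.

```python
import hashlib
import re
from pathlib import PureWindowsPath

# Indicators taken from the post; the domain is written there as "mycn .ir".
SAMPLE_SHA256 = "7c3e2a38dcacc3246409151ecdf283814611a8f9d98ed0e5996fb2615adc2cc2"
CONTACTED_DOMAIN = "mycn.ir"
INSTALL_PATH = PureWindowsPath(
    r"C:\Program Files (x86)\P3Filter v2.3714840114\SmartConnection.exe")

def refang(text):
    """Undo common defanging: 'mycn[.]ir', 'mycn. ir', 'mycn .ir' -> 'mycn.ir'."""
    text = text.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"\s*\.\s*", ".", text).strip().lower()

def domain_hit(qname, domain=CONTACTED_DOMAIN):
    """True for the domain itself or any subdomain, but not 'notmycn.ir'."""
    name = refang(qname).rstrip(".")
    return name == domain or name.endswith("." + domain)

def path_hit(path):
    """PureWindowsPath compares case-insensitively, as Windows itself does."""
    return PureWindowsPath(path) == INSTALL_PATH

def file_hit(path, expected=SAMPLE_SHA256, chunk=1 << 20):
    """Stream the file through SHA-256 and compare with the sample's hash."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest() == expected

def sweep_dns(lines):
    """Return (timestamp, client, qname) for each query to the domain.
    Assumed log format (constructed): '<timestamp> <client-ip> <qname> <qtype>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 3 and domain_hit(fields[2]):
            hits.append((fields[0], fields[1], fields[2]))
    return hits

# Constructed sample DNS log lines (not captured traffic).
SAMPLE_DNS_LOG = [
    "2020-01-01T10:00:01Z 192.0.2.10 example.com. A",
    "2020-01-01T10:00:02Z 192.0.2.10 mycn.ir. A",
    "2020-01-01T10:00:03Z 192.0.2.11 update.MYCN.ir A",
    "2020-01-01T10:00:04Z 192.0.2.12 notmycn.ir A",
]
```

Calling `sweep_dns(SAMPLE_DNS_LOG)` returns the two queries for the domain and its subdomain and skips the look-alike name; `path_hit` and `file_hit` cover the install location and the sample hash.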
