Analysis of Delta Charlie Attack Malware
TLP:WHITE
Malware Analysis Report (MAR) - 10132963
2017-08-14
Notification
This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.
This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp/.
Summary
Description
US-CERT received three files associated with the DeltaCharlie attack malware. The files are designed to conduct three types of attacks: NTP_Attack, DNS_Attack, and CGN_Attack. The files also establish backdoor command-and-control capability on the victim system.
Files Processed: 3
584ac94142f0b7c0df3d0adde6e661ed (mimefilter.xml_584AC94142F0B7C0DF3D0ADDE6E661ED)
5d29dfe2ea9ca8da3ff7a14fb20c5e86 (5D29DFE2EA9CA8DA3FF7A14FB20C5E86)
8f4fc2e10b6ec15a01e0af24529040dd (8F4FC2E10B6EC15A01E0AF24529040DD)
IPs Identified: 2
202.126.90.89
153.68.198.14
US-CERT MAR-10132963
TLP:WHITE
1 of 10
TLP:WHITE
Files
5D29DFE2EA9CA8DA3FF7A14FB20C5E86
Details
Name: 5D29DFE2EA9CA8DA3FF7A14FB20C5E86
Size: 180224
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 5d29dfe2ea9ca8da3ff7a14fb20c5e86
SHA1: 3fdf856b6fbcb23e7c3372a3f53ce26c0fe6de77
ssdeep: 3072:9sCh49HhQS2qaWuLYyJHYnGerQJDu70cSrzdZHlIbFX:9sCh4TQqaZYyJHYGen70lzdZFSZ
Entropy: 6.13711245238
Antivirus
ClamAV: Win.Trojan.Agent-1388767
Kaspersky: HackTool.Win32.Agent.aesh
Microsoft Security Essentials: Backdoor:Win32/Winsec.B!dha
TrendMicro House …
IoC
11eab7228491af5ac109f58055c8f94f
153.68.198.14
153.87.255.255
1bdda8ad01a81904160d4aaff5028678
1f21185303b7992d6ef54b23e816d48911496b9d
202.126.90.89
219125d84f95e9ec104a49383da7b991
3fdf856b6fbcb23e7c3372a3f53ce26c0fe6de77
584AC94142F0B7C0DF3D0ADDE6E661ED
584ac94142f0b7c0df3d0adde6e661ed
5D29DFE2EA9CA8DA3FF7A14FB20C5E86
5d29dfe2ea9ca8da3ff7a14fb20c5e86
6a5356bedf23ccecac180cd887c15de8
6dd10b0e9a62a4943665e32d36c02b9f
72d9f7da3d7eb917a18954668399ce67
8A4C040480F15D80C171884C04044083F8107CEC
8A4D0080F19580E97C884D00454B75F0
8F4FC2E10B6EC15A01E0AF24529040DD
8f4fc2e10b6ec15a01e0af24529040dd
a4fc300b72266ccce1977f93b1bca3b5
af59deeeff5d5f41ecdd092b80536d25
b164ba5e5734c469839292ede4d5c04e76523bae
b994d715f522732213ea03cb2013a469