6.25 Cyber Attack Analysis Report

2013-06-26 FireEye

https://www.dailysecu.com/bbs/download.php?table=bbs_10&savefilename=bbs_10_927_2720.pdf&filename=[FireEye]%206.25%20Cyber%20Attack%20Analysis%20Report_ver1.0


FireEye's 6.25 Cyber Attack Analysis Report describes the June 25, 2013 campaign in which attackers modified a web-hard installer to distribute malware, build a botnet, and trigger DDoS activity at a scheduled time. The report says the malware used Themida packing, anti-VM and anti-debugging techniques, and Tor-based proxying to complicate analysis and follow-on tracing. It identifies SimDiskup.exe as the file created by the tampered installer, c.jpg as a downloaded executable that created Tor-related files such as svchost.exe, thttp.exe/explorer.exe, and config.ini, and a later main dropper that created temporary loaders and service DLLs. The dropper contacted C&C paths at webmail.genesyshost.com/mail/images/ct.jpg and www.hostmypic.net/pictures/e02947e8573918c1d887e04e2e0b1570.jpg before delivering wuauieop.exe, which generated a large volume of DNS queries against randomized gcc.go.kr subdomains.

Indicators of Compromise

Type     Value                                First Seen   Last Seen
DOMAIN   www.hostmypic.net                    2013-06-26   2013-07-09
URL      http://webmail.genesyshost.com/…     2013-06-26   2013-07-09
DOMAIN   webmail.genesyshost.com              2013-06-26   2013-07-09
URL      http://www.hostmypic.net/pictur…     2013-06-26   2013-06-26
