I searched for the md5 hash on virustotal and someone had already uploaded it here.
CFF Explorer output:
Aside from some function calls being stored as character arrays, there was hardly any obfuscation in this malware. It was packed with UPX, so unpacking was trivial.
I searched the source IP in Shodan and got this:
The first thing I noticed was "220 RMNetwork FTP". This is indicative of being part of the Ramnit botnet. RDP is also enabled. Before I took this screenshot of the Shodan results, I was able to connect to it via RDP. It's a Windows 2003 server in China. I'm under the impression that this server has been infected multiple times by different malware. I found a few things that didn't match up with being related to the Ramnit botnet.
From Thor APT Scanner:
Signature Match - THOR APT Scanner Detection
============================
Rule: IronTiger_Gh0stRAT_variant
Ruleset: Chinese Threat Groups
Description: This is a detection for a s.exe variant seen in Op. Iron Tiger
Reference: http://goo.gl/T5fSJC
Author: Cyber Safety Solutions, Trend Micro
Score: 70

Detection Snapshot
============================
Detection Timestamp: 2018-12-17 18:19
AV detection ratio: 50 / 70
Within the binary I found a reference to a script called "jingtisanmenxiachuanxiao.vbs", which is referenced in this whitepaper about Operation PZCHAO written by Bitdefender.
After some static analysis I discovered that this creates a new user and enables RDP.
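The two behaviours described above, a new local account followed by RDP being switched on, leave a compact footprint in Windows telemetry: Security event 4720 (a user account was created), 4732 (a member was added to a security-enabled local group) and, with Sysmon, event 13 (registry value set) on `HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections` changing to 0. The following detection is an added example, not part of the post, that correlates those events per host inside a short time window. The event records are constructed samples with a simplified field layout of this example's choosing; a real pipeline would map the fields from the Security/Sysmon logs it ingests.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names are this
# example's own simplification of the Security and Sysmon log records.
SAMPLE_EVENTS = [
    {"ts": "2018-12-17 18:01:05", "host": "SRV01", "id": 4720, "user": "support1"},
    {"ts": "2018-12-17 18:01:06", "host": "SRV01", "id": 4732, "user": "support1",
     "group": "Administrators"},
    {"ts": "2018-12-17 18:01:09", "host": "SRV01", "id": 13,
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "value": "0"},
    # benign: a helpdesk account created on a workstation with no RDP change
    {"ts": "2018-12-17 09:00:00", "host": "WS42", "id": 4720, "user": "jsmith"},
]

RDP_DENY_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"
DEFAULT_WINDOW = timedelta(minutes=10)


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def find_user_plus_rdp(events, window=DEFAULT_WINDOW):
    """Alert when a local user is created and RDP is enabled on the same host within `window`.

    Returns one alert per (created user, RDP-enable event) pair, noting whether the
    new user was also added to the local Administrators group.
    """
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)

    alerts = []
    for host, evs in by_host.items():
        created = [e for e in evs if e["id"] == 4720]
        rdp_enabled = [
            e for e in evs
            if e["id"] == 13 and e.get("key") == RDP_DENY_KEY and e.get("value") == "0"
        ]
        admin_added = {
            e["user"] for e in evs
            if e["id"] == 4732 and e.get("group") == "Administrators"
        }
        for c in created:
            for r in rdp_enabled:
                if abs(parse_ts(r["ts"]) - parse_ts(c["ts"])) <= window:
                    alerts.append({
                        "host": host,
                        "user": c["user"],
                        "added_to_admins": c["user"] in admin_added,
                        "rdp_enabled_at": r["ts"],
                    })
    return alerts


if __name__ == "__main__":
    for alert in find_user_plus_rdp(SAMPLE_EVENTS):
        print(alert)
```

The window keeps the rule from firing on ordinary administration, where account creation and an RDP policy change rarely land on the same host within minutes; tightening or widening it is the main tuning knob. On the Windows 2003 host described above there would be no Sysmon, so the registry half of the rule would have to come from Security event 4657 with object auditing enabled on that key, or from periodic configuration snapshots instead.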
**POST IN PROGRESS**