Detection update request (4 files, 1 certificate)

I am requesting that these malware compromised/tampered files be detected:

SHA-256
1A4A5123D7B2C534CB3E3168F7032CF9EBF38B9A2A97226D0FDB7933CF6030FF
SHA-1
C705C0B0210EBDA6A3301C6CA9C6091B2EE11D5B
MD5
75735DB7291A19329190757437BDB847

SHA-256
6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9
SHA-1
8983A49172AF96178458266F93D65FA193EAAEF2
MD5
EF694B89AD7ADDB9A16BB6F26F1EFAF7


SHA-256
276936C38BD8AE2F26AAB14ABFF115EA04F33F262A04609D77B0874965EF7012
SHA-1
45F9B1EC30140BDE2F5C40BADB6E8B25E6C71505
MD5
A3D00B7362DB6DF0FCC49B6AB17B3CF0

SHA-256
36B36EE9515E0A60629D2C722B006B33E543DCE1C8C2611053E0651A0BFDB2E9
SHA-1
7E9CFA3CCA5000FE56E4CF5C660F7939487E531A
MD5
D488E4B61C233293BEC2EE09553D3A2F

I am requesting that all implicit trust (Norton reputation and otherwise) be revoked for this code signing certificate (attached), which was used to sign malware:

Thumbprint
F4BDA9EFA31EF4A8FA3B6BB0BE13862D7B8ED9B0
Serial Number
4B48B27C8224FE37B17A6A2ED7A81C9F
CN = Piriform Ltd
O = Piriform Ltd
L = London
S = London
C = GB

bjm_:
password_password:

Status update:
#3
276936C38BD8AE2F26AAB14ABFF115EA04F33F262A04609D77B0874965EF7012
No detection/response yet (this sample was less widely discussed)

File name: cc_setup533.exe
Detection ratio: 29 / 64
Analysis date: 2017-09-19 21:10:49 UTC ( 1 hour, 57 minutes ago )

Still not detected. Last report from Symantec/Norton was "NotMalicious". No explanation from Piriform on this sample either.

installer (v5.33.0.6162)

04bed8e35483d50a25ad8cf203e6f157e0f2fe39a762f5fbacd672a3495d6a11 ccsetup533_te.exe
0564718b3778d91efd7a9972e11852e29f88103a10cb8862c285b924bc412013 ccupdate5.33.6162.exe
1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff ccsetup533.exe*
276936c38bd8ae2f26aab14abff115ea04f33f262a04609d77b0874965ef7012 ccsetup533.exe*
2fe8cfeeb601f779209925f83c6248fb4f3bfb3113ac43a3b2633ec9494dcee0 ccsetup533_be.exe
4f8f49e4fc71142036f5788219595308266f06a6a737ac942048b15d8880364a ccsetup533_slim.exe
a013538e96cd5d71dd5642d7fdce053bb63d3134962e2305f47ce4932a0e54af ccsetup533pro.exe
bd1c9d48c3d8a199a33d0b11795ff7346edf9d0305a666caa5323d7f43bdcfe9 CCleaner_UNK
c92acb88d618c55e865ab29caafb991e0a131a676773ef2da71dc03cc6b8953e ccsetup533_pro.exe
e338c420d9edc219b45a81fe0ccf077ef8d62a4ba8330a327c183e4069954ce1 ccsetup533_be_trial.exe
3c0bc541ec149e29afb24720abc4916906f6a0fa89a83f5cb23aed8f7f1146c3 CCleaner?
7bc0eaf33627b1a9e4ff9f6dd1fa9ca655a98363b69441efd3d4ed503317804d CCleaner?

Main program (32-bit v5.33.0.6162)

36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9 CCleaner.exe*
6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9 CCleaner.exe*


1st stage payload DLL found in

3a34207ba2368e41c051a9c075465b1966118058f9b8cdedd80c19ef1b5709fe CCleaner
19865df98aba6838dcc192fbb85e5e0d705ade04a371f2ac4853460456a02ee3 CCleanerCloud


loader of the 2nd stage payload

7ac3c87e27b16f85618da876926b3b23151975af569c2c5e4b0ee13619ab2538 (32-bit)
a414815b5898ee1aa67e5b2487a11c11378948fcd3c099198e0f9c6203120b15 (64-bit)

2nd stage payload DLL

3a34207ba2368e41c051a9c075465b1966118058f9b8cdedd80c19ef1b5709fe GeeSetup_x86.dll
4ae8f4b41dcc5e8e931c432aa603eae3b39e9df36bf71c767edb630406566b17 32-bit DLL dropped

DLL dropped from the 2nd stage payload

4ae8f4b41dcc5e8e931c432aa603eae3b39e9df36bf71c767edb630406566b17 64-bit DLL
a6c36335e764b5aae0e56a79f5d438ca5c42421cae49672b79dbd111f884ecb5 32-bit inner DLL
b3badc7f2b89fe08fdee9b1ea78b3906c89338ed5f4033f21f7406e60b98709e 64-bit inner DLL


Unknown if infected or just other files

CCleanerCloud installer (32-bit v1.7.0.3191)
a3e619cd619ab8e557c7d1c18fc7ea56ec3dfd13889e3a9919345b78336efdb2

CCleanerCloudAgent.exe (32-bit v1.7.0.3191)
0d4f12f4790d2dfef2d6f3b3be74062aad3214cb619071306e98a813a334d7b8

CCleanerCloudAgentHealtCheck.exe (32-bit v1.7.0.3191)
9c205ec7da1ff84d5aa0a96a0a77b092239c2bb94bcb05db41680a9a718a01eb

CCleanerCloudTray.exe (32-bit v1.7.0.3191)
bea487b2b0370189677850a9d3f41ba308d0dbd2504ced1e8957308c43ae4913

Stage 2 payload. I don't think samples are readily available at the moment.

GeeSetup_x86.dll	dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83
EFACli64.dll		128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f
TSMSISrv.dll		07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902
DLL in Registry:	f0d1f88c59a005312faad902528d60acbf9cd5a7b36093db8ca811f763e1292a

Now that Piriform has moved to a new certificate, it would be a good time to remove any implicit trust (Norton reputation, etc.) for this code signing certificate (formerly attached to post #2), which was used to sign malware.

Thumbprint (SHA1)
F4BDA9EFA31EF4A8FA3B6BB0BE13862D7B8ED9B0
Serial Number
4B48B27C8224FE37B17A6A2ED7A81C9F

Whether or not Piriform actually has the old certificate officially revoked and invalidated at some point is up to them. (One would hope this is their plan.)

The point is that this malware was not "detected" by Norton or any AV yesterday.
Avast chose yesterday to tell everybody about it.

Digitally signed:
10:42 AM 8/3/2017
10:58 AM 8/3/2017

But released into the world 8/15. Where do the files sit around for 12 days after being signed before being released?

Also, Piriform's code signing certificate was removed from my (2nd) post for some reason... This is a commonly available and not harmful file; I don't know why it's been removed.

You could use Piriform's certificate to manually revoke trust on your own system if you wanted. This will not nullify any Norton Insight reputation gained by being signed by a "trusted" certificate. I don't know when or if (or if they have already) changed anything with regard to how much (if anything) being signed by Piriform currently contributes to a file's Norton Insight reputation.

Yeah. No explanation. First seen Aug 15th. Detection determined Sept 18th.
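The following PowerShell is an added example, not code from this thread, from Piriform or from Symantec. It takes the SHA-256 values and the certificate thumbprint listed above, scans a folder for files that match a hash, and reports executables whose Authenticode signer is the Piriform certificate the thread asks to have distrusted. The scan path and the exported .cer path are placeholders; the function name Find-CCleanerIoc is this example's own.

```powershell
# Added example (not from the thread). Hashes below are copied from the
# thread in the case they were posted; they are normalised to upper case
# before comparison because Get-FileHash returns upper-case hex.
$KnownBadSha256 = @(
    '1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff'  # ccsetup533.exe
    '276936c38bd8ae2f26aab14abff115ea04f33f262a04609d77b0874965ef7012'  # ccsetup533.exe (second build)
    '6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9'  # CCleaner.exe
    '36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9'  # CCleaner.exe
    '3a34207ba2368e41c051a9c075465b1966118058f9b8cdedd80c19ef1b5709fe'  # 1st stage DLL (CCleaner)
    '19865df98aba6838dcc192fbb85e5e0d705ade04a371f2ac4853460456a02ee3'  # 1st stage DLL (CCleanerCloud)
    '7ac3c87e27b16f85618da876926b3b23151975af569c2c5e4b0ee13619ab2538'  # 2nd stage loader, 32-bit
    'a414815b5898ee1aa67e5b2487a11c11378948fcd3c099198e0f9c6203120b15'  # 2nd stage loader, 64-bit
    '4ae8f4b41dcc5e8e931c432aa603eae3b39e9df36bf71c767edb630406566b17'  # DLL dropped by 2nd stage
    'a6c36335e764b5aae0e56a79f5d438ca5c42421cae49672b79dbd111f884ecb5'  # 32-bit inner DLL
    'b3badc7f2b89fe08fdee9b1ea78b3906c89338ed5f4033f21f7406e60b98709e'  # 64-bit inner DLL
    'dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83'  # GeeSetup_x86.dll (stage 2)
    '128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f'  # EFACli64.dll
    '07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902'  # TSMSISrv.dll
) | ForEach-Object { $_.ToUpperInvariant() }

# SHA-1 thumbprint of the Piriform Ltd code signing certificate from the thread.
$BadCertThumbprint = 'F4BDA9EFA31EF4A8FA3B6BB0BE13862D7B8ED9B0'

function Find-CCleanerIoc {
    param(
        [Parameter(Mandatory)] [string] $Root   # placeholder: folder to scan
    )
    Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToUpperInvariant()
            $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
            $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
            [pscustomobject]@{
                Path            = $_.FullName
                Sha256          = $hash
                HashMatch       = ($KnownBadSha256 -contains $hash)   # one of the listed builds
                SignerThumb     = $thumb
                SignedByBadCert = ($thumb -eq $BadCertThumbprint)     # signed with the questioned cert
                SignatureStatus = $sig.Status                         # Valid / NotSigned / HashMismatch ...
            }
        } |
        Where-Object { $_.HashMatch -or $_.SignedByBadCert }
}

# Usage with a placeholder path.
Find-CCleanerIoc -Root 'C:\Program Files\CCleaner' | Format-Table -AutoSize

# Optional local distrust of the certificate, as the post above suggests:
# import an exported copy of it (placeholder path) into the Disallowed store
# from an elevated prompt. This affects Windows signature validation only,
# not Norton Insight reputation.
# Import-Certificate -FilePath '.\piriform-old.cer' -CertStoreLocation Cert:\LocalMachine\Disallowed
```

Read the two flags differently: HashMatch identifies one of the specific tampered builds listed in this thread, while SignedByBadCert only says the file carries a signature from the certificate in question, which also covers older, untampered Piriform releases signed before the compromise. The DLL the thread reports as stored in the registry is not a file on disk and is not covered by this scan.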

 

bjm_:
password_password:

Status update:
#3
276936C38BD8AE2F26AAB14ABFF115EA04F33F262A04609D77B0874965EF7012
No detection/response yet (this sample was less widely discussed)

File name: cc_setup533.exe
Detection ratio: 29 / 64
Analysis date: 2017-09-19 21:10:49 UTC ( 1 hour, 57 minutes ago )

Still no explanation from Avast/Piriform as to the (above) second infected installer / 32-bit main exe created just a handful of minutes after the first.


Status update:

#2
6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9
Mon, 18 Sep 2017 23:30 +0000 (GMT/UTC) -- clean
Tue, 19 Sep 2017 06:30 +0000 (GMT/UTC) -- New Threat Trojan.Sibakdi (https://www.symantec.com/security_response/writeup.jsp?docid=2017-091816-0945-99)

#4
36B36EE9515E0A60629D2C722B006B33E543DCE1C8C2611053E0651A0BFDB2E9
Tue, 19 Sep 2017 04:45 +0000 (GMT/UTC) AlreadyDetected  Trojan.Sibakdi (https://www.symantec.com/security_response/writeup.jsp?docid=2017-091816-0945-99)

#1
1A4A5123D7B2C534CB3E3168F7032CF9EBF38B9A2A97226D0FDB7933CF6030FF
Tue, 19 Sep 2017 05:15 +0000 (GMT/UTC)  -- New Threat Trojan.Sibakdi (https://www.symantec.com/security_response/writeup.jsp?docid=2017-091816-0945-99)

#3
276936C38BD8AE2F26AAB14ABFF115EA04F33F262A04609D77B0874965EF7012
No detection/response yet (this sample was less widely discussed)

password_password:
bjm_:

We'll see what progress. As we know, different security-soft have different criteria.

I would hope malware-tampered would be enough for most any guidelines. What they do about the certificate's trust I'm less certain of.

https://community.norton.com/en/comment/7632801#comment-7632801 

bjm_:

on 64bit machines....delete languages & 32bit installer

Um, update to current CCleaner version.

I don't use the program, I'm just trying to get the detection updated. Is the installer itself tampered, or just the (32-bit version of the) installed program?

bjm_:

https://submit.symantec.com/websubmit/retail.cgi

Already done, but they tend to take multiple weeks to get back to you sometimes, if they ever get back to you at all. I have another unrelated case that is still unresolved after 3+ weeks.

Also this is a special case with the malware being digitally signed and the certificate being in question.

Apparently there are different rules for which types of files can be attached to the first post of a thread vs. all replies.

New thread allowed attachments:
txt pdf png

New post in an existing thread allowed attachments:
txt pdf zip

[Admin Edit: Attachment removed]