Brief Analysis of OCI.DLL

FILE DETAILS

Filename : oci.dll
Size : 90KiB (91648 bytes)
Type : pedll 64bits 
Description : PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Architecture : 64 Bit
SHA256 : 51a5684ed1b7846ff8a08922a09556ceb7c201f297c4bcc820475c3fe91882c3
CRC-32 : 268f81df
MD4 : eb74a5b2d39a5de2b783ce259d533e96
MD5 : b128d0e2b0ae64591b42edce029aad67
SHA-1 : 541626f734278d6329d2172cb464668b8108ca82

THREAT BEHAVIOR

LOCATION

Generally used by MSDTC, which is an acronym for Microsoft Distributed Transaction Coordinator. As the name says, MSDTC is a Windows service providing transaction infrastructure for distributed systems. In this case, a transaction means a general way of structuring the interactions between autonomous agents in a distributed system.
This specific binary in question when copied in the location of the original oci.dll, users would observe high CPU usage combined with network activity. frequent disconnections and system reboots.

MALICIOUS INDICATORS

Anti-VM

Contains a known anti-VM trick i.e. “CPUID trick” in “51a5684ed1b7846ff8a08922a09556ceb7c201f297c4bcc820475c3fe91882c3.dll.bin” (Offset: 6668)

INSTALLATION/PERSISTENCE/PATTERN MATCHING

Ability to download files from the internet – InternetReadFile@WININET.dll
Ability to query machine time GetSystemTimeAsFileTime@KERNEL32.dll

IMPORTS SUSPICIOUS APIs

•         GetModuleHandleW
•         TerminateProcess
•         GetModuleHandleExW
•         WriteFile
•         CreateFileW
•         Sleep
•         VirtualAlloc
•         InternetReadFile
•         InternetOpenUrlA
•         InternetCloseHandle
•         InternetOpenA
•         IsDebuggerPresent
•         GetModuleFileNameA
•         GetCommandLineW
•         UnhandledExceptionFilter
•         LoadLibraryExW
•         GetStartupInfoW
•         GetCommandLineA
•         GetProcAddress
•         CreateThread
•         GetModuleHandleA
•         FindFirstFileExA
•         FindNextFile

ANTI-REVERSE ENGINEERING

Ability to register a top-level exception handler and is often used as anti-debugging trick
SetUnhandledExceptionFilter@KERNEL32.dll
SetUnhandledExceptionFilter@KERNEL32.dll
SetUnhandledExceptionFilter@KERNEL32.dll

CONTAINS PDB PATHWAYS

“H:\projects\DllTest\DllTest\x64\Release\DllTest.pdb”

BRIEF ANALYSIS

Due to the fact that the DLL is being side-loaded by the Operating system and the DLL is specifically compiled for 64-bit operating system, this particular sample is under observation and further research is being conducted.

Update

eScan actively detects OCI.DLL as a treat and tags it as Trojan.Agent.CUEP

Share

Tweet

Share

Share

Share