FILE DETAILS
Filename : oci.dll
Size : 90KiB (91648 bytes)
Type : PE DLL, 64-bit
Description : PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Architecture : 64 Bit
SHA256 : 51a5684ed1b7846ff8a08922a09556ceb7c201f297c4bcc820475c3fe91882c3
CRC-32 : 268f81df
MD4 : eb74a5b2d39a5de2b783ce259d533e96
MD5 : b128d0e2b0ae64591b42edce029aad67
SHA-1 : 541626f734278d6329d2172cb464668b8108ca82
THREAT BEHAVIOR
LOCATION
oci.dll is the Oracle Call Interface client library. It is not shipped with Windows; it is loaded by name by MSDTC, which is an acronym for Microsoft Distributed Transaction Coordinator, when MSDTC's Oracle XA transaction support is used. As the name says, MSDTC is a Windows service providing transaction infrastructure for distributed systems. In this context a transaction is a general way of structuring the interactions between autonomous agents in a distributed system. Because MSDTC resolves the library by file name (normally from %SystemRoot%\System32), a DLL planted under that name is loaded into the msdtc.exe service process.
When this binary is placed in the location of the original oci.dll, users observe high CPU usage combined with network activity, frequent disconnections and system reboots.
MALICIOUS INDICATORS
Anti-VM
Contains a known anti-VM trick, the "CPUID trick", in "51a5684ed1b7846ff8a08922a09556ceb7c201f297c4bcc820475c3fe91882c3.dll.bin" (Offset: 6668). CPUID-based VM detection typically executes CPUID leaf 1 and tests ECX bit 31 (the "hypervisor present" bit), and/or reads the hypervisor vendor string from leaf 0x40000000, so that the sample can change behaviour inside a sandbox or analysis VM.
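The following is an added illustration of the CPUID trick named above; it is not code recovered from the sample, and the report does not show which CPUID check the sample performs at offset 6668. The two leaves used here (leaf 1 ECX bit 31 and the leaf 0x40000000 vendor signature) are the standard checks. The decoding functions take register values, so they can be exercised with constructed input; the actual CPUID instruction is only executed on x86-64 builds.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(_MSC_VER)
#include <intrin.h>
#endif

/* Register block returned by one CPUID leaf. */
typedef struct { uint32_t eax, ebx, ecx, edx; } cpuid_regs;

/* Execute CPUID for `leaf` (subleaf 0). Returns 1 on x86-64 builds where the
 * instruction exists, 0 elsewhere (registers zeroed). */
static int run_cpuid(uint32_t leaf, cpuid_regs *r) {
#if defined(_MSC_VER) && (defined(_M_X64) || defined(_M_IX86))
    int info[4];
    __cpuidex(info, (int)leaf, 0);
    r->eax = (uint32_t)info[0]; r->ebx = (uint32_t)info[1];
    r->ecx = (uint32_t)info[2]; r->edx = (uint32_t)info[3];
    return 1;
#elif defined(__x86_64__)
    __asm__ volatile("cpuid"
                     : "=a"(r->eax), "=b"(r->ebx), "=c"(r->ecx), "=d"(r->edx)
                     : "a"(leaf), "c"(0));
    return 1;
#else
    (void)leaf;
    memset(r, 0, sizeof *r);
    return 0;
#endif
}

/* Leaf 1, ECX bit 31: reserved by Intel/AMD as "hypervisor present" and set
 * by every common hypervisor (VMware, Hyper-V, KVM, VirtualBox, Xen). */
int hypervisor_bit_set(const cpuid_regs *leaf1) {
    return (int)((leaf1->ecx >> 31) & 1u);
}

/* Write a 32-bit register as the 4 ASCII bytes it carries (little-endian). */
static void put_le32(char *dst, uint32_t v) {
    dst[0] = (char)(v & 0xff);
    dst[1] = (char)((v >> 8) & 0xff);
    dst[2] = (char)((v >> 16) & 0xff);
    dst[3] = (char)((v >> 24) & 0xff);
}

/* Leaf 0x40000000 returns the hypervisor vendor signature as 12 ASCII bytes
 * spread over EBX, ECX, EDX (e.g. "VMwareVMware", "Microsoft Hv",
 * "KVMKVMKVM\0\0\0", "VBoxVBoxVBox"). `out` must hold 13 bytes. */
void hypervisor_vendor(const cpuid_regs *leaf_4000, char out[13]) {
    put_le32(out + 0, leaf_4000->ebx);
    put_le32(out + 4, leaf_4000->ecx);
    put_le32(out + 8, leaf_4000->edx);
    out[12] = '\0';
}

/* The runtime decision a sample makes: 1 if a hypervisor advertises itself
 * (vendor copied to vendor_out), 0 if not, -1 if CPUID is unavailable here. */
int looks_virtualised(char vendor_out[13]) {
    cpuid_regs r;
    vendor_out[0] = '\0';
    if (!run_cpuid(1, &r)) return -1;
    if (!hypervisor_bit_set(&r)) return 0;
    run_cpuid(0x40000000u, &r);
    hypervisor_vendor(&r, vendor_out);
    return 1;
}

int main(void) {
    char vendor[13];
    int v = looks_virtualised(vendor);
    if (v < 0)       puts("CPUID not available on this architecture");
    else if (v == 0) puts("no hypervisor bit: sample would proceed");
    else             printf("hypervisor present (vendor \"%s\"): sample would bail out\n", vendor);
    return 0;
}
```

For dynamic analysis of a sample carrying this check, the hypervisor bit has to be hidden from the guest; VMware, for example, does this when `hypervisor.cpuid.v0 = "FALSE"` is set in the VM's .vmx file, and other hypervisors have equivalent knobs. Without that, the sample may take a benign path and the high-CPU/network behaviour described above will not be reproduced in the sandbox.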
INSTALLATION/PERSISTENCE/PATTERN MATCHING
Ability to download files from the internet – InternetOpenA / InternetOpenUrlA / InternetReadFile@WININET.dll
Ability to query machine time GetSystemTimeAsFileTime@KERNEL32.dll
IMPORTS SUSPICIOUS APIs
- GetModuleHandleW
- TerminateProcess
- GetModuleHandleExW
- WriteFile
- CreateFileW
- Sleep
- VirtualAlloc
- InternetReadFile
- InternetOpenUrlA
- InternetCloseHandle
- InternetOpenA
- IsDebuggerPresent
- GetModuleFileNameA
- GetCommandLineW
- UnhandledExceptionFilter
- LoadLibraryExW
- GetStartupInfoW
- GetCommandLineA
- GetProcAddress
- CreateThread
- GetModuleHandleA
- FindFirstFileExA
- FindNextFile
ANTI-REVERSE ENGINEERING
Ability to register a top-level exception handler; this is often used as an anti-debugging trick. After the handler is installed, the code raises an exception deliberately: with no debugger attached the registered filter runs and execution continues on the intended path, whereas under a debugger the exception is delivered to the debugger instead and the filter never runs, so the sample can detect the difference. IsDebuggerPresent (see imports above) is a second, more direct check.
SetUnhandledExceptionFilter@KERNEL32.dll
CONTAINS PDB PATH
“H:\projects\DllTest\DllTest\x64\Release\DllTest.pdb”
BRIEF ANALYSIS
Because the DLL is side-loaded into the MSDTC service process by the operating system and is compiled specifically for 64-bit Windows (matching the 64-bit msdtc.exe), this sample is under observation and further research is being conducted. Since Windows does not ship an oci.dll of its own, an oci.dll present in %SystemRoot%\System32 on a host with no Oracle client installed should be treated as suspicious, and its SHA256 compared against the hash listed above.
Update
eScan actively detects OCI.DLL as a threat and tags it as Trojan.Agent.CUEP.