We have reviewed portions of the malware through dynamic analysis. It appears the malware was likely hand-crafted for persistence in the Sony breach, because of the static hostnames the malware queries when it starts.
One of the hostnames the Sony malware queries when run can be correlated with historical Sony information relating to the hostname USSDIXTRAN21. Searching through historical records, one can see that USSDIXTRAN21.spe.sony.com has historically resolved to 18.104.22.168.
Why is this important? While the FBI FLASH report did not mention Sony, it did list the MD5 hash of a hostile piece of malware (d1c27ee7ce18675974edf42d4eea25c6). This malware, while previously only rumored to be correlated, is officially confirmed to correlate with both the FBI FLASH report and the Sony compromise.
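As an added illustration (not code from the original post), the correlation described above written as detection logic over a constructed sandbox DNS log: extract the hostnames the sample queries, flag those inside the victim's own DNS zone, attach the historical resolution the post cites, and match a sample hash against the FLASH MD5. The log format, the victim-zone list, and every passive-DNS entry other than USSDIXTRAN21 are assumptions.

```python
import re
from collections import Counter

# Constructed sandbox DNS log, not from the original post. Assumed format:
# "<timestamp> <pid> DNS_QUERY <hostname>"
SANDBOX_LOG = """\
2014-12-01T10:00:01Z 1337 DNS_QUERY USSDIXTRAN21.spe.sony.com
2014-12-01T10:00:01Z 1337 DNS_QUERY time.windows.com
2014-12-01T10:00:02Z 1337 DNS_QUERY USSDIXTRAN21.spe.sony.com.
2014-12-01T10:00:03Z 1337 DNS_QUERY cdn.example-vendor.test
"""

# Passive-DNS history as a constructed lookup table. The only entry taken from
# the post is USSDIXTRAN21.spe.sony.com -> 18.104.22.168; the rest is a placeholder.
PASSIVE_DNS = {
    "ussdixtran21.spe.sony.com": ["18.104.22.168"],
    "time.windows.com": ["203.0.113.10"],  # RFC 5737 documentation address
}

# MD5 quoted in the post from the FBI FLASH report.
FLASH_MD5S = {"d1c27ee7ce18675974edf42d4eea25c6"}

LOG_RE = re.compile(r"^\S+ \d+ DNS_QUERY (\S+)$")

def queried_hosts(log_text):
    """Map each queried hostname (lowercased, trailing dot stripped) to its query count."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            counts[m.group(1).lower().rstrip(".")] += 1
    return dict(counts)

def victim_specific_hosts(counts, victim_zones):
    """Hostnames inside the victim's own DNS zones. A sample that hardcodes
    these was built for one environment, which is the post's argument."""
    return sorted(h for h in counts
                  if any(h == z or h.endswith("." + z) for z in victim_zones))

def historical_ips(hosts, passive_dns=PASSIVE_DNS):
    """Attach historical resolutions so the hostname indicator can be pivoted
    to IP-based detections; names with no history map to an empty list."""
    return {h: passive_dns.get(h, []) for h in hosts}

def is_flash_ioc(md5_hex, flash_md5s=FLASH_MD5S):
    """True if a sample's MD5 matches one of the FLASH-published hashes."""
    return md5_hex.strip().lower() in flash_md5s
```

Running `victim_specific_hosts(queried_hosts(SANDBOX_LOG), ["spe.sony.com"])` isolates the one internal name, and `historical_ips` on it yields the cited resolution.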