Possible Related Malware to Sony Breach


There have been various pieces of information floating around regarding the recent Sony breach. We have been grokking netflow data, emails from the attackers, and correlating information shared privately and publicly.

Searching various partner repositories, we discovered a likely related piece of malware that predates the information listed in the recent FBI flash report. The original compile time on this malware is July 7th, 2014, which provides further clues on the topic.

Malware Hash:

eff542ac8e37db48821cb4e5a7d95c044fff27557763de3a891b40ebeb52cc55

Intelligence Source:
  • Partner ThreatGrid / Cisco
Positive Correlations:
  • 1) The remote callback IP is the correlation: 203.131.222.102 *(Listed in recent FBI Flash advisory)
  • 2) OriginalFilename: igfxtpers.exe *(Listed in recent FBI Flash advisory)

Takeaways and Further Pointers:
  • 1) The date of this sample: 08/28/14.
  • 2) The compile time of this binary - Mon Jul 7 08:01:09 2014 UTC
  • 3) Other IPs related with this sample: rrcs-208-105-226-235.nys.biz.rr.com / 208.105.226.235
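As an added triage example (not code from the original note or from ThreatGrid/Cisco), the snippet below reads the COFF TimeDateStamp that the compile time above comes from and matches a sample's metadata against the indicators quoted in this note; the stub PE header and the sample record are constructed for the demonstration, not a real file.

```python
import struct
from datetime import datetime, timezone

# Indicators quoted in the note above (hash, callback/related IPs, original filename).
NOTE_IOCS = {
    "sha256": {"eff542ac8e37db48821cb4e5a7d95c044fff27557763de3a891b40ebeb52cc55"},
    "ip": {"203.131.222.102", "208.105.226.235"},
    "original_filename": {"igfxtpers.exe"},
}

def pe_compile_time(data: bytes):
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime, or None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the "PE\0\0" signature
    # COFF header layout: Signature(4) Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

def correlate(sample: dict, pe_bytes: bytes) -> dict:
    """Match a sample's metadata against NOTE_IOCS and attach its compile time."""
    hits = {}
    for field, known in NOTE_IOCS.items():
        seen = sample.get(field, set())
        seen = {seen} if isinstance(seen, str) else set(seen)
        matched = sorted(seen & known)
        if matched:
            hits[field] = matched
    hits["compile_time"] = pe_compile_time(pe_bytes)
    return hits

def build_stub_pe(stamp: int) -> bytes:
    """Constructed minimal MZ/PE header (not a real sample) carrying a chosen TimeDateStamp."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: COFF header follows the DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0, 0)
    return bytes(dos) + coff

if __name__ == "__main__":
    stub = build_stub_pe(1404720069)  # Mon Jul 7 08:01:09 2014 UTC, as in the note
    sample = {"sha256": "eff542ac8e37db48821cb4e5a7d95c044fff27557763de3a891b40ebeb52cc55",
              "ip": ["203.131.222.102", "10.0.0.1"], "original_filename": "igfxtpers.exe"}
    print(correlate(sample, stub))
```

Compile timestamps are attacker-controlled and can be forged, so treat the value as a clue to pivot on rather than proof of when the binary was built.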