#w00t!! TrojDownloader/Backdoor/Spy in GoDADDY + #CNC Solved

MalwareMustDie, Oct 26th, 2012
===========================
#MalwareMustDie #wOOt @unixfreaxjp
Sat Oct 27 03:52:44 JST 2012
PRETTY STRAIGHT-FORWARD PHP INFECTOR
DROPPED TROJAN DOWNLOADER/BACKDOOR/SPYWARE
------------------------------
VT:
Original: (31/44) https://www.virustotal.com/file/78bcb03e9c4afa23a2ea4d54658fdf15cac9300e81f67af427209a9087fc78e3/analysis/
Unpacked: (19/44) https://www.virustotal.com/file/89b69e84b478a9036d8e4961fec3fca3073412931f9b12a2bb32b54655b0faef/analysis/1351277619/
===========================

================
SOURCE
================

--03:00:41--  h00p://grbusinessgroup.com/slpw/headerspages.php
           => `headerspages.php'
Resolving grbusinessgroup.com... 74.220.215.101
Connecting to grbusinessgroup.com|74.220.215.101|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/log]
03:00:42 (39.14 KB/s) - `headerspages.php' saved [24064]

$ myhex headerspages.php

0000   4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00    MZ..............
0010   B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00    ........@.......
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0030   00 00 00 00 00 00 00 00 00 00 00 00 B8 00 00 00    ................
0040   0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68    ........!..L.!Th
0050   69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F    is program canno
0060   74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20    t be run in DOS
0070   6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00    mode....$.......
0080   58 CF CB 26 1C AE A5 75 1C AE A5 75 1C AE A5 75    X..&...u...u...u
0090   9F B2 AB 75 1D AE A5 75 75 B1 AC 75 09 AE A5 75    ...u...uu..u...u
00A0   F5 B1 A8 75 1D AE A5 75 52 69 63 68 1C AE A5 75    ...u...uRich...u
00B0   00 00 00 00 00 00 00 00 50 45 00 00 4C 01 03 00    ........PE..L...
00C0   AB 87 11 50 00 00 00 00 00 00 00 00 E0 00 0F 01    ...P............
00D0   0B 01 06 00 00 40 00 00 00 20 00 00 00 10 01 00    .....@... ......
00E0   50 5B 01 00 00 20 01 00 00 60 01 00 00 00 40 00    P[... ...`....@.
00F0   00 10 00 00 00 02 00 00 04 00 00 00 F4 15 03 00    ................
0100   04 00 00 00 00 00 00 00 00 80 01 00 00 10 00 00    ................
0110   00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00    ................
0120   00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00    ................
0130   00 00 00 00 00 00 00 00 44 7A 01 00 D4 00 00 00    ........Dz......
0140   00 60 01 00 44 1A 00 00 00 00 00 00 00 00 00 00    .`..D...........
0150   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0160   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0170   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0180   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0190   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01A0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01B0   55 50 58 30 00 00 00 00 00 10 01 00 00 10 00 00    UPX0............
01C0   00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00    ................
01D0   00 00 00 00 80 00 00 E0 55 50 58 31 00 00 00 00    ........UPX1....
01E0   00 40 00 00 00 20 01 00 00 3E 00 00 00 04 00 00    .@... ...>......
01F0   00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 E0    ............@...

//↑ Let's do binary analysis...

---------------
Sections:
---------------
// name, virtual address, virtual size, raw size
   UPX0 0x1000 0x11000 0
   UPX1 0x12000 0x4000 15872
   .rsrc 0x16000 0x2000 7168

//↑ this will mess up the whole thing.. unpack it!
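As an added example (not code from the original paste), the Python below parses the `myhex` dump above directly: it rebuilds the 512 dumped bytes, follows `e_lfanew` to the PE signature, reads the file and optional headers, and decodes whichever section headers fall inside the dumped range. The dump text is the page's own; everything else is generic PE32 parsing. It confirms the three-section count, recovers the two UPX section headers that fit inside 0x200 bytes (the `.rsrc` header begins at 0x200, just past the dump), reads the timestamp 0x501187AB, and flags the classic packer tell: UPX0 is marked executable with 0x11000 bytes of virtual size but zero bytes on disk.

```python
# Added example: parse the PE headers out of the `myhex` dump above.
# DUMP is the page's own hex dump (first 0x200 bytes of headerspages.php),
# copied verbatim; the parsing is generic PE32 and not tied to this sample.
import re
import struct
from datetime import datetime, timezone

DUMP = """
0000   4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00    MZ..............
0010   B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00    ........@.......
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0030   00 00 00 00 00 00 00 00 00 00 00 00 B8 00 00 00    ................
0040   0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68    ........!..L.!Th
0050   69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F    is program canno
0060   74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20    t be run in DOS
0070   6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00    mode....$.......
0080   58 CF CB 26 1C AE A5 75 1C AE A5 75 1C AE A5 75    X..&...u...u...u
0090   9F B2 AB 75 1D AE A5 75 75 B1 AC 75 09 AE A5 75    ...u...uu..u...u
00A0   F5 B1 A8 75 1D AE A5 75 52 69 63 68 1C AE A5 75    ...u...uRich...u
00B0   00 00 00 00 00 00 00 00 50 45 00 00 4C 01 03 00    ........PE..L...
00C0   AB 87 11 50 00 00 00 00 00 00 00 00 E0 00 0F 01    ...P............
00D0   0B 01 06 00 00 40 00 00 00 20 00 00 00 10 01 00    .....@... ......
00E0   50 5B 01 00 00 20 01 00 00 60 01 00 00 00 40 00    P[... ...`....@.
00F0   00 10 00 00 00 02 00 00 04 00 00 00 F4 15 03 00    ................
0100   04 00 00 00 00 00 00 00 00 80 01 00 00 10 00 00    ................
0110   00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00    ................
0120   00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00    ................
0130   00 00 00 00 00 00 00 00 44 7A 01 00 D4 00 00 00    ........Dz......
0140   00 60 01 00 44 1A 00 00 00 00 00 00 00 00 00 00    .`..D...........
0150   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0160   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0170   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0180   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0190   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01A0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01B0   55 50 58 30 00 00 00 00 00 10 01 00 00 10 00 00    UPX0............
01C0   00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00    ................
01D0   00 00 00 00 80 00 00 E0 55 50 58 31 00 00 00 00    ........UPX1....
01E0   00 40 00 00 00 20 01 00 00 3E 00 00 00 04 00 00    .@... ...>......
01F0   00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 E0    ............@...
"""

SCN_EXECUTE = 0x20000000                     # IMAGE_SCN_MEM_EXECUTE
_LINE = re.compile(r"^([0-9A-Fa-f]{4})\s+((?:[0-9A-Fa-f]{2}\s){15}[0-9A-Fa-f]{2})")


def dump_to_bytes(dump):
    """Rebuild raw bytes from 'OFFSET  16 hex bytes  ASCII' lines; the ASCII column is ignored."""
    out = bytearray()
    for line in dump.strip().splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        if int(m.group(1), 16) != len(out):
            raise ValueError("dump offsets are not contiguous")
        out += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(out)


def parse_pe(data):
    """DOS/NT header facts plus every section header that lies inside `data`."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, SymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                        # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry,) = struct.unpack_from("<I", data, opt + 16)        # AddressOfEntryPoint (RVA)
    (image_base,) = struct.unpack_from("<I", data, opt + 28)   # ImageBase, PE32 layout
    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i                          # section table follows the optional header
        if off + 40 > len(data):
            break                                              # this header lies past the dumped range
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        (flags,) = struct.unpack_from("<I", data, off + 36)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": vaddr, "virtual_size": vsize,
                         "raw_size": raw_size, "raw_pointer": raw_ptr, "flags": flags})
    return {"machine": machine, "number_of_sections": nsect, "pe32": magic == 0x10B,
            "timestamp": stamp, "entry_point": entry, "image_base": image_base,
            "compile_time_utc": datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "sections": sections}


def packer_indicators(info):
    """Static packer tells: UPX section names, executable sections with nothing on disk."""
    hits = []
    for s in info["sections"]:
        if s["name"].upper().startswith("UPX"):
            hits.append(f"{s['name']}: UPX section name")
        if s["raw_size"] == 0 and s["virtual_size"] and s["flags"] & SCN_EXECUTE:
            hits.append(f"{s['name']}: executable, {s['virtual_size']:#x} bytes in memory, 0 on disk")
    return hits


if __name__ == "__main__":
    info = parse_pe(dump_to_bytes(DUMP))
    print(f"{info['number_of_sections']} sections declared, compiled {info['compile_time_utc']} UTC, "
          f"entry RVA {info['entry_point']:#x}")
    for s in info["sections"]:
        print(f"  {s['name']:<6} VA={s['virtual_address']:#x} vsize={s['virtual_size']:#x} raw={s['raw_size']}")
    print(*packer_indicators(info), sep="\n")
```

The entry point read from the packed header (RVA 0x15B50) falls inside UPX1, the decompression stub, which is why the `0x1968` entry point shown further down only becomes visible after unpacking. The timestamp 0x501187AB converts to 2012-07-26 18:08:43 UTC, the same instant the page prints as 2012-07-27 03:08:43 in JST (UTC+9).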

   File size         Ratio      Format      Name
------------------   ------   -----------   -----------
69632 <-     24064   34.56%    win32/pe     sample

//real one came up :-)
--------------
Sections:
--------------
// name, virtual address, virtual size, raw size
   .text 0x1000 0xc7e0 53248
   .data 0xe000 0x365c 4096
   .rsrc 0x12000 0x1a2c 8192
----------------------
// Pointers.....
-----------------------
Entry Point at 0x1968
Virtual Address is 0x401968
CRC Failed! Claimed:  0  Actual:  81200
Compile Time: 2012-07-27 03:08:43
Compiler: Microsoft Visual Basic v6.0
------------------------
// faking WinAmp...
-------------------------
FILE-POS MEM-POS  STRINGS..
0x00F1E6 0x4121E6 VS_VERSION_INFO
0x00F242 0x412242 VarFileInfo
0x00F262 0x412262 Translation
0x00F286 0x412286 StringFileInfo
0x00F2AA 0x4122AA 040904B0
0x00F2C2 0x4122C2 Comments
0x00F2D4 0x4122D4 Visit http://www.winamp.com/ for updates.
0x00F32E 0x41232E CompanyName
0x00F348 0x412348 Nullsoft, Inc.
0x00F36E 0x41236E FileDescription
0x00F390 0x412390 Winamp
0x00F3A6 0x4123A6 LegalCopyright
0x00F3DA 0x4123DA  1997-2011, Nullsoft, Inc.
0x00F416 0x412416 LegalTrademarks
0x00F438 0x412438 Nullsoft and Winamp are trademarks of Nullsoft, Inc.
0x00F4AA 0x4124AA ProductName
0x00F4C4 0x4124C4 Winamp
0x00F4DA 0x4124DA FileVersion
0x00F4F4 0x4124F4 5620.03.0992
0x00F516 0x412516 ProductVersion
0x00F534 0x412534 5620.03.0992
0x00F556 0x412556 InternalName
0x00F570 0x412570 nostaugia_1
0x00F58E 0x41258E OriginalFilename
0x00F5B0 0x4125B0 nostaugia_1.exe
------------------------------
//suspicious assembly calls.....
------------------------------
0x407AFB   call    ds:__vbaObjSet
0x407B01   mov     edx, offset aKgjhk0vckxUb3r ; "KgJhK0vCKx+ub3RyK32Lc3+CK32hKnRDKgb"
0x407B06   lea     ecx, [ebp+var_2C]
   :
0x407BEE   call    ds:__vbaHresultCheckObj
0x407BF4
0x407BF4   loc_407BF4:                             ; CODE XREF: sub_407A80+160
0x407BF4   cmp     word ptr [ebp+var_70], si
0x407BF8   jnz     loc_40811A
0x407BFE   mov     edx, offset aKpbckgGk0ahGvl ; "KpbCKg+GK0Ah/gvLK3vhk0RyKpbhb3+GbxphKgv"...
0x407C03   lea     ecx, [ebp+var_2C]
0x407C06   call    ds:__vbaStrCopy
0x407C0C   mov     edx, dword_40E070
0x407C12   push    edx
0x407C13   push    offset unk_40E050
0x407C18   push    offset unk_40E04C
0x407C1D   push    offset unk_40E048
0x407C22   lea     eax, [ebp+var_2C]
0x407C25   push    eax
   :
0x407D0F   mov     edx, offset aK3Hb0CkxUbgb4 ; "K3/hb0+CKx+ubgb4"
0x407D14   lea     ecx, [ebp+var_2C]
   :
0x408893   call    ds:__vbaOnError
0x408899   mov     edx, offset aKpbckgGk0ahG_0 ; "KpbCKg+GK0Ah/gvLK3vhk0RyKpbuK0RyK3xGc0+"...
0x40889E   lea     ecx, [ebp+var_24]
0x4088A1   mov     edi, ds:__vbaStrCopy
0x4088A7   call    edi ; __vbaStrCopy
   :
0x40892A   call    esi ; __vbaStrMove
0x40892C   mov     edx, offset aBga ; "bgA"
0x408931   lea     ecx, [ebp+var_34]
0x408934   call    edi ; __vbaStrCopy

------------------------------------
DLLs imported... the VB libs...
-----------------------------------
0x401000     __vbaVarSub               MSVBVM60
0x401004     _CIcos                    MSVBVM60
0x401008     _adj_fptan                MSVBVM60
0x40100C     __vbaStrI4                MSVBVM60
0x401010     __vbaVarMove              MSVBVM60
  :             :                        :
0x401164     _CItan                    MSVBVM60
0x401168     __vbaNextEachCollAd       MSVBVM60
0x40116C 546 rtcGetPresentDate         MSVBVM60
0x401170     __vbaFPInt                MSVBVM60
0x401174     _CIexp                    MSVBVM60
0x401178     __vbaFreeStr              MSVBVM60
0x40117C     __vbaFreeObj              MSVBVM60
0x401180 581 rtcR8ValFromBstr          MSVBVM60
------------------------
BEHAVIOR
------------------------
//Drops malicious API hook driver:
C:\Documents and Settings\<USER>\Application Data\libmscr.dll <-- malicious API hook driver..

//EVENTS created:
Global\userenv: User Profile setup event
Global\crypt32LogoffEvent

//REGISTRY:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib\LastConnect\kibars.db.7172228.hostedresource.com
VALUE: -737529334:tcp:kibars.db.7172228.hostedresource.com,1433

----------------------
// CNC:
------------------------
184.168.194.39
kibars.db.7172228.3d8.hostedresource.net
(kibars.db.7172228.hostedresource.com)
Proof: DNS (for downloading components..) & TCP connections (backdoor)

//N/W:
NetRange:       184.168.0.0 - 184.168.255.255
CIDR:           184.168.0.0/16
OriginAS:       AS26496
NetName:        GO-DADDY-COM-LLC

//Domain
   Registered through: WWDomains.com
   Domain Name: HOSTEDRESOURCE.NET
      Created on: 24-May-11
      Expires on: 24-May-21
      Last Updated on: 20-Jun-11
   Technical Contact:
      Special Domain Services, Special Domain Services  dns@jomax.net
      Special Domain Services
      14455 N Hayden Rd Suite 219
      Scottsdale, Arizona 85260
      United States
      +1.4805058800      Fax -- +1.4805058844

==================================
NETWORK TRAFFIC DETAILS
=================================

remote:
IP: 184.168.194.39
Port: TCP/1433
Protocol: Unknown

Data sent:

1201 0034 0000 0000 0000 1500 0601 001b    ...4............
0001 0200 1c00 0c03 0028 0004 ff08 0001    .........(......
5500 0000 4d53 5351 4c53 6572 7665 7200    U...MSSQLServer.
b004 0000                                  ....

Data received:

0401 0025 0000 0100 0000 1500 0601 001b    ...%............
0001 0200 1c00 0103 001d 0000 ff0a 3210    ..............2.
a700 0000 00                               .....
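The exchange above decodes cleanly as TDS, the SQL Server wire protocol, which is consistent with the `MSSQLServer` string in the first packet, the destination port 1433 and the `SuperSocketNetLib\LastConnect` registry key recorded under BEHAVIOR. As an added example (not code from the original paste), the Python below parses the TDS packet header and the PRELOGIN option table and classifies each packet. The three dumps embedded in it are copied verbatim from the page: the two packets just above plus the client's next "Data sent" block from further down. The token names and byte layouts are the published TDS ones (type 0x12 PRELOGIN, 0x04 server response, five-byte option entries terminated by 0xFF, TLS handshake tunnelled inside PRELOGIN-type packets); nothing else is assumed.

```python
"""Decode the TCP/1433 exchange above as TDS (the SQL Server wire protocol).

Added example, not code from the original paste. The three dumps below are
the page's own "Data sent"/"Data received" blocks copied verbatim: the two
packets shown just above plus the client's following "Data sent" block. TDS
tunnels the TLS handshake inside PRELOGIN-type packets, so every packet is
checked for a TLS record header before being read as PRELOGIN.
"""
import struct

CLIENT_PRELOGIN = """
1201 0034 0000 0000 0000 1500 0601 001b    ...4............
0001 0200 1c00 0c03 0028 0004 ff08 0001    .........(......
5500 0000 4d53 5351 4c53 6572 7665 7200    U...MSSQLServer.
b004 0000                                  ....
"""
SERVER_PRELOGIN = """
0401 0025 0000 0100 0000 1500 0601 001b    ...%............
0001 0200 1c00 0103 001d 0000 ff0a 3210    ..............2.
a700 0000 00                               .....
"""
CLIENT_TLS = """
1201 004e 0000 0000 1603 0100 4101 0000    ...N........A...
3d03 014d 6ed2 fa41 7a79 d17f 599e 3b32    =..Mn..Azy..Y.;2
9aea 9e90 f45a 4818 b6e7 bf80 ff67 1be2    .....ZH......g..
3c4c 2e00 0016 0004 0005 000a 0009 0064    <L.............d
0062 0003 0006 0013 0012 0063 0100         .b.........c..
"""

TDS_TYPES = {0x01: "SQL_BATCH", 0x03: "RPC", 0x04: "TABULAR_RESULT", 0x07: "ATTENTION",
             0x0E: "TRANSACTION_MANAGER", 0x10: "LOGIN7", 0x12: "PRELOGIN"}
PRELOGIN_TOKENS = {0: "VERSION", 1: "ENCRYPTION", 2: "INSTOPT", 3: "THREADID", 4: "MARS", 5: "TRACEID"}
ENCRYPTION = {0: "ENCRYPT_OFF", 1: "ENCRYPT_ON", 2: "ENCRYPT_NOT_SUP", 3: "ENCRYPT_REQ"}
TLS_CONTENT = {0x14: "change_cipher_spec", 0x15: "alert", 0x16: "handshake", 0x17: "application_data"}
TLS_HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 14: "ServerHelloDone",
                 16: "ClientKeyExchange", 20: "Finished"}
TLS_VERSIONS = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}


def hexdump_to_bytes(dump):
    """Rebuild bytes from 'xxxx xxxx ...   ascii' lines; the ASCII column starts after 2+ spaces."""
    out = bytearray()
    for line in dump.strip().splitlines():
        out += bytes.fromhex(line.split("  ", 1)[0].replace(" ", ""))
    return bytes(out)


def parse_tds_header(pkt):
    """8-byte TDS packet header; the multi-byte fields are big-endian."""
    ptype, status, length, spid, packet_id, window = struct.unpack_from(">BBHHBB", pkt, 0)
    return {"type": ptype, "type_name": TDS_TYPES.get(ptype, "UNKNOWN"), "status": status,
            "length": length, "spid": spid, "packet_id": packet_id, "window": window}


def parse_prelogin(pkt):
    """PRELOGIN payload: 5-byte (token, offset, length) entries ended by 0xFF, then the option data."""
    hdr = parse_tds_header(pkt)
    if hdr["length"] != len(pkt):
        raise ValueError("TDS length field does not match the captured bytes")
    payload, pos, options = pkt[8:], 0, {}
    while pos < len(payload) and payload[pos] != 0xFF:
        token, offset, length = struct.unpack_from(">BHH", payload, pos)   # offsets are payload-relative
        pos += 5
        raw = payload[offset:offset + length]
        name = PRELOGIN_TOKENS.get(token, f"TOKEN_{token:02X}")
        if name == "VERSION" and len(raw) == 6:
            major, minor, build = struct.unpack(">BBH", raw[:4])           # build is big-endian
            (sub,) = struct.unpack("<H", raw[4:])                           # sub-build is little-endian
            options[name] = f"{major}.{minor}.{build}.{sub}"
        elif name == "ENCRYPTION" and len(raw) == 1:
            options[name] = ENCRYPTION.get(raw[0], f"0x{raw[0]:02X}")
        elif name == "INSTOPT":
            options[name] = raw.split(b"\0", 1)[0].decode("ascii", "replace")
        elif name == "THREADID":
            options[name] = struct.unpack("<I", raw)[0] if len(raw) == 4 else None
        else:
            options[name] = raw.hex()
    return hdr, options


def describe_packet(pkt):
    """Classify one captured TDS packet: tunnelled TLS record, PRELOGIN exchange, or opaque payload."""
    hdr = parse_tds_header(pkt)
    payload = pkt[8:hdr["length"]]
    if len(payload) >= 5 and payload[0] in TLS_CONTENT and payload[1] == 0x03:
        (rec_len,) = struct.unpack_from(">H", payload, 3)
        tls = {"content_type": TLS_CONTENT[payload[0]],
               "version": TLS_VERSIONS.get(payload[2], f"3.{payload[2]}"), "record_length": rec_len}
        if payload[0] == 0x16 and len(payload) > 5:
            tls["handshake"] = TLS_HANDSHAKE.get(payload[5], f"type_{payload[5]}")
        return {"header": hdr, "tls": tls}
    if hdr["type"] in (0x12, 0x04):
        return {"header": hdr, "prelogin": parse_prelogin(pkt)[1]}
    return {"header": hdr, "raw": payload.hex()}


if __name__ == "__main__":
    for direction, dump in (("sent", CLIENT_PRELOGIN), ("received", SERVER_PRELOGIN), ("sent", CLIENT_TLS)):
        print(direction, describe_packet(hexdump_to_bytes(dump)))
```

Decoded, the client announces itself as version 8.0.341 with instance name `MSSQLServer` and thread id 1200, the server answers as 10.50.4263 (SQL Server 2008 R2), and both sides send `ENCRYPT_OFF`, which in TDS means the TLS handshake that follows protects only the LOGIN7 packet; the SQL traffic after it is cleartext. The third packet is a TLS 1.0 ClientHello riding inside a PRELOGIN-type packet, and the server's reply further down carries the `SSL_Self_Signed_Fallback` certificate that SQL Server generates when no certificate has been configured (its name is readable in the ASCII column). For detection, a "Winamp" VB6 binary performing a SQL Server login to a hosting-provider address is the anomaly worth alerting on, and the `LastConnect` registry key it leaves is a durable host artefact of that connection.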

Data received:

0401 0025 0000 0100 0000 1500 0601 001b    ...%............
0001 0200 1c00 0103 001d 0000 ff0a 3210    ..............2.
a700 0000 00                               .....

Data sent:

1201 004e 0000 0000 1603 0100 4101 0000    ...N........A...
3d03 014d 6ed2 fa41 7a79 d17f 599e 3b32    =..Mn..Azy..Y.;2
9aea 9e90 f45a 4818 b6e7 bf80 ff67 1be2    .....ZH......g..
3c4c 2e00 0016 0004 0005 000a 0009 0064    <L.............d
0062 0003 0006 0013 0012 0063 0100         .b.........c..

Data received:

1201 0262 0000 0000 1603 0102 5502 0000    ...b........U...
4603 0150 8ada 9c4c ffea 4ba0 be32 bd85    F..P...L..K..2..
7120 3126 edce 653b dba6 1437 a061 8fba    q 1&..e;...7.a..
c2d6 2420 7c2a 0000 da01 e188 e247 4e70    ..$ |*.......GNp
82a0 da01 de9a a672 dca9 34c6 c756 3ac9    .......r..4..V:.
5ce0 c2e6 0005 000b 0002 0300 0200 0001    \...............
fd30 8201 f930 8201 62a0 0302 0102 0210    .0...0..b.......
3fd7 0913 e161 b0b0 4a0c 5d54 1ee0 57a4    ?....a..J.]T..W.
300d 0609 2a86 4886 f70d 0101 0505 0030    0...*.H........0
3b31 3930 3706 0355 0403 1e30 0053 0053    ;1907..U...0.S.S
004c 005f 0053 0065 006c 0066 005f 0053    .L._.S.e.l.f._.S
0069 0067 006e 0065 0064 005f 0046 0061    .i.g.n.e.d._.F.a
006c 006c 0062 0061 0063 006b 301e 170d    .l.l.b.a.c.k0...
3132 3130 3132 3037 3430 3234 5a17 0d34    121012074024Z..4
3231 3031 3230 3734 3032 345a 303b 3139    21012074024Z0;19
3037 0603 5504 031e 3000 5300 5300 4c00    07..U...0.S.S.L.
5f00 5300 6500 6c00 6600 5f00 5300 6900    _.S.e.l.f._.S.i.
6700 6e00 6500 6400 5f00 4600 6100 6c00    g.n.e.d._.F.a.l.
6c00 6200 6100 6300 6b30 819f 300d 0609    l.b.a.c.k0..0...
2a86 4886 f70d 0101 0105 0003 818d 0030    *.H............0
8189 0281 8100 b723 bf01 a2c2 4948 6867    .......#....IHhg
4013 9a8f 60df 5931 0079 ab9d 86ec faae    @...`.Y1.y......
6a29 ca24 310a 9503 49c5 1a68 fba7 6e27    j).$1...I..h..n'
0194 806c 984c 7d9f d9a7 bf1b 4a21 2ac4    ...l.L}.....J!*.
f991 15d0 78ec 3616 3fbd 2e29 284b 4fe6    ....x.6.?..)(KO.
95d9 1652 c074 bfef 7011 f49c f298 d049    ...R.t..p......I
3644 83fc 6b45 c073 33c4 11d2 c643 5c54    6D..kE.s3....C\T
366d bed7 1f32 95e0 66af 1b5a 1705 44df    6m...2..f..Z..D.
e2dd bbdd 4a5b 0203 0100 0130 0d06 092a    ....J[.....0...*
8648 86f7 0d01 0105 0500 0381 8100 3fb9    .H............?.
2a04 9d21 a08b 246d 50b5 c6fa f43c 2068    *..!..$mP....< h
06b4 1fe8 8d87 63d9 db8c e26a 0350 1b4e    ......c....j.P.N
43f6 0028 d949 509b 40f7 45fd 1704 77ff    C..(.IP.@.E...w.
43ac 7691 9e3e 904e 2865 383e 92d4 36f2    C.v..>.N(e8>..6.
f288 a1c1 17de fe1a d802 5845 5441 84a0    ..........XETA..
2a44 ccc1 3255 73fa 5a1b 00b4 1a5d 99e6    *D..2Us.Z....]..
9f70 e7bf 180a e038 3b8d d062 529e 1454    .p.....8;..bR..T
47af e431 03ba e29b 4427 655e 604f 0e00    G..1....D'e^`O..
0000                                       ..

Data sent:

1201 00c2 0000 0000 1603 0100 8610 0000    ................
8200 80b3 d498 e24c 1dc7 f64f 3936 9003    .......L...O96..
39d8 b500 6b69 b224 8f6f c28c 2a3b 239f    9...ki.$.o..*;#.
2a58 c8df 5e25 2152 d16d e2e5 0734 8428    *X..^%!R.m...4.(
d297 2ef1 debe 114d 5a1e 0831 168f 26ce    .......MZ..1..&.
f3c9 3d51 d3a2 1e8b ccf2 a795 ccef de18    ..=Q............
bc05 c33c 533b a4d5 30ba f192 18e8 4699    ...<S;..0.....F.
91fd 601a 74df 2f1d 7db2 095f 9964 ef04    ..`.t./.}.._.d..
5606 3231 8a02 9fa7 37f5 90d2 ea8f bb68    V.21....7......h
3a39 6414 0301 0001 0116 0301 0024 b7cd    :9d..........$..
6104 1932 a285 637a e79e fd73 42bb df15    a..2..cz...sB...
b6d2 7ae9 5b4d 878b a986 c41d 059e 5e83    ..z.[M........^.
7486                                       t.

Data received:

1201 0037 0000 0000 1403 0100 0101 1603    ...7............
0100 2409 770c ced7 501f 2755 01f9 2a55    ..$.w...P.'U..*U
d935 2976 c9f4 4614 0b0e 908a cc33 bae1    .5)v..F......3..
51d0 5b6c 6963 79                          Q.[licy

Data received:

0000 0000 0000                             ......


---
#MalwareMustDie!!!!!!!!!!
@unixfreaxjp