A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #17276  by RageMachine
 Wed Dec 19, 2012 1:57 am
Although ID'd as Bamital I have found a system where this guy was moving around, causing an FBI popup. The system may have multiple issue but this was the only one I have been able to narrow down.
*SVCHOST creates the FBI screen (runs as user)
*Can bypass by doing control alt delete -> switch user -> do not kill the instance of the malware, it only runs one at a time.
*creates threads to all SVChost instances and writes to SVCHOST process memory
*Appears to use MSHTML from within Svchost, generates files in IE's temp
*Memory analysis shows plenty of strings to different domains, failure to resolve a domain name via DNS also shows up.
*No MBR modifications\Drivers appear to be running
*~60kb larger than clean version of this file

Detection ratio 5 / 45 - so far nothing will remove it, I'll replace it manually and observe results.
Attachments
infected
(447.98 KiB) Downloaded 78 times
 #17281  by EP_X0FF
 Wed Dec 19, 2012 2:37 am
RageMachine wrote:Although ID'd as Bamital I have found a system where this guy was moving around, causing an FBI popup. The system may have multiple issue but this was the only one I have been able to narrow down.
*SVCHOST creates the FBI screen (runs as user)
*Can bypass by doing control alt delete -> switch user -> do not kill the instance of the malware, it only runs one at a time.
*creates threads to all SVChost instances and writes to SVCHOST process memory
*Appears to use MSHTML from within Svchost, generates files in IE's temp
*Memory analysis shows plenty of strings to different domains, failure to resolve a domain name via DNS also shows up.
*No MBR modifications\Drivers appear to be running
*~60kb larger than clean version of this file

Detection ratio 5 / 45 - so far nothing will remove it, I'll replace it manually and observe results.
Hello,

please attach ntdll.dll, kernel32.dll from infected machine if available. This is Bamital.
 #17284  by Cody Johnston
 Wed Dec 19, 2012 4:36 am
From what I have noticed, and please take this with a grain of salt since I do not actually reverse the executables, I have seen Bamital as a route for reinfection when the FBI ransomwares are removed. I mentioned the same issues in a previous post about Bamital and rogue antivirus. I notice that when my techs remove any of the screen lockers but the PC still has Bamital, our clients call in complaining of reinfection without visiting the web. I have also observed this by disinfecting them myself, rebooting the PC, then waiting anywhere between 15 and 30 mins. It seems to me to be every time the 2 infections are found together that this occurs. I would be happy to post samples of the infected exe files (svchost, winlogon, explorer, ntdll.dll, kernel32.dll) next time I come across them if more samples than above mentioned are necessary. I have yet to find anything that effectively drops Bamital on the PC though (ITW).
 #17285  by EP_X0FF
 Wed Dec 19, 2012 5:12 am
OK, reversed without additional files.

Working scheme equal to previous executables infector.

Code flow:

1) Modified OEP
2) Antiav trick (simple jump out is too obvious and can be triggered even by VT fakeavs)
3) Locate pointer to kernel32!VirtualAlloc <- this part is highly OS dependant and lead to many failures for noob analysts
4) EAX = pVirtualAlloc(NULL, dwPayloadSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
5) Copy to @EAX payload data block (located near the end of file, 0xC3000 for this user32.dll), see picture below
Image
Image
6) JMP EAX
7) Decrypt payload, see picture below
Image
8) Call payload

Decrypted Bamital code attached.
Due to system modification Bamital disables System Restore.
Code: Select all
SYSTEM\CurrentControlSet\Services\sr\Parameters SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore FirstRun DisableSR
Attachments
pass: malware
(20.54 KiB) Downloaded 74 times
 #17304  by RageMachine
 Thu Dec 20, 2012 8:29 pm
EP_X0FF wrote: please attach ntdll.dll, kernel32.dll from infected machine if available. This is Bamital.
Running SFC appears to have purged it, but the file size is still larger than it should be (compared to WinSXS\Other Systems). I am doing additional checks but VT shows these are clean - I will re-run SFC and see if it flags it and check the System restore keys modified.
Attachments
infected
(1.35 MiB) Downloaded 92 times
 #17307  by EP_X0FF
 Fri Dec 21, 2012 2:14 am
RageMachine wrote:
EP_X0FF wrote: please attach ntdll.dll, kernel32.dll from infected machine if available. This is Bamital.
Running SFC appears to have purged it, but the file size is still larger than it should be (compared to WinSXS\Other Systems). I am doing additional checks but VT shows these are clean - I will re-run SFC and see if it flags it and check the System restore keys modified.
Probably you scanned with updated AV. user32.dll you attached cured already by AV. EP restored and virus code filled with zeroes.

Check all files in
\System32
\dllcache
\ServicePackFiles\i386
\SysWoW64
\wbem\
where available. Also Bamital are known to infect various system files, for example svchost.exe, winlogon.exe, explorer.exe (in Bamital previous variants). Check them too. Probably there should be second infected file except user32.dll.
 #18163  by EP_X0FF
 Tue Feb 12, 2013 7:15 am
why no one posted this?
Because there is no "Iran" and no "super cyberweapon" dotnet and lolkits.
Only ~2M of infected computers, nothing to PR.
Posts moved.
 #25814  by EP_X0FF
 Thu May 07, 2015 3:58 pm
Fresh Bamital (internal build date 06/05/2015) infected advapi32.dll, encrypted malware body with base independent decoder is in .rsrc section of victim.

Execution flow:

Overwritten EP -> overwritten AccessCheckAndAuditAlarmW -> allocate ERW memory, copy encrypted body to it, launch decryption -> execute actual malware.

Decrypter code
Code: Select all
seg000:00000003                 mov     edx, eax
seg000:00000005                 mov     ecx, 941Eh
seg000:0000000A
seg000:0000000A xor_cycle:                                  
seg000:0000000A                 xor     [eax], cl
seg000:0000000C                 add     eax, 1
seg000:0000000F                 loop    xor_cycle
seg000:00000011                 mov     [edx+12h], esi
seg000:00000014                 jmp     short loc_1B
Infected file, extracted infection part and decrypted bamital dll in attach.

decrypted bamital extracted from infected advapi32.dll
https://www.virustotal.com/en/file/3210 ... 431012960/

Also notice debug strings inside and UAC autoelevation tricks.

Sample courtesy of malekal_morte.
Attachments
pass: infected
(523.47 KiB) Downloaded 76 times
 #25815  by EP_X0FF
 Thu May 07, 2015 4:27 pm
+ another component stored inside main.dll as encrypted bytes array. It seems it is ransomware module.

lock.dll

https://www.virustotal.com/en/file/86a0 ... 431015859/

Edit:

hardcoded domains inside are:

fbisoftanalitics.com
fbisoftanalitics.net
fbisoftanalitics.ru

attempt to access knck.php on them.
Attachments
pass: infected
(7.28 KiB) Downloaded 58 times