A forum for reverse engineering, OS internals and malware analysis 
 #17959  by unixfreaxjp
 Fri Feb 01, 2013 7:24 am
Hi all. Found this trojan downloaded via a JDB Exploit Kit infection.
Background:
You'll see all aspects of the infection here http://malwaremustdie.blogspot.jp/2013/ ... ector.html
The problem is, innocent people have to be satisfied with antivirus products that detected this sample as either DarkKomet or Zusy or maybe Bublik < signature detection by all means.
The fact is, it was compiled in VB .Net, dropped a zero-byte c:\MyTest.txt, and contains music genres as per the snip below:
0x0050C7   Blues           0x00561D   Folk/Rock         0x005369   Meditative           0x005871   Tango
0x0050D3   Classic Rock    0x005631   National Folk     0x00537F   Instrumental Pop     0x00587D   Samba
0x0050ED   Country         0x00564D   Swing             0x0053A1   Instrumental Rock    0x005889   Folklore
 etc etc etc
The registry only shows the clearing of the cache:
Deleted:
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013012120130122
Added:
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013013020130131
(etc)
With no networking existing... I cannot see any malicious act in it.

Target:
What I really want to know is: the verdicts of the AV signatures are strong trojan detections; as you know, DarkKomet and/or Zusy are droppers, backdoors, PWS, maybe downloaders, etc. But this one doesn't even open a network socket. Oh, yes, in the memory dump you'll see interesting stuff, but that's it. Can anyone advise me on gaining crime evidence of this payload? Rgds,

Research Reference:
Memory DUMP: http://www.mediafire.com/?27eyhso8luqj4f7
Memory strings DUMP: http://www.mediafire.com/?m1k621sj6n7565b
Regshot: http://pastebin.com/raw.php?i=tyyjjHFh
File Activity of this malware PID: http://pastebin.com/raw.php?i=cdR0gKuU
Virus Total: https://www.virustotal.com/file/90359af ... /analysis/
Sample Downloads: http://www.mediafire.com/?km2a3zaeusvard9
#MalwareMUSTDie!
Last edited by Xylitol on Fri Feb 01, 2013 11:04 pm, edited 1 time in total. Reason: Changed title
 #17960  by unixfreaxjp
 Fri Feb 01, 2013 7:56 am
Looks like Matt could make it work: http://blog.zonbi.org/blog/2013/01/31/j ... t-payload/
Networking:
Noted comments:
I’m not entirely sure why the sample didn’t execute properly in my other environment. It may be the version of Windows I have. I’m hoping to configure a version of Windows 7 over the weekend when I have some time.
KM friends, more input on this case will help us to understand more of the target of this malware, pls post.
 #17965  by rinn
 Fri Feb 01, 2013 9:27 am
Hello.

This is the old Nayrabot IRC-based backdoor with the following features:

1) USB worm autorunner;
2) UDP flood;
3) Bot Killer;
4) Downloader;
5) Can update itself.

Named Nayrabot because of the following self-identification string: "AryaN".
The fact is, it was compiled in VB .Net, dropped a zero-byte c:\MyTest.txt, and contains music genres as per the snip below:
    0x0050C7   Blues           0x00561D   Folk/Rock         0x005369   Meditative           0x005871   Tango
    0x0050D3   Classic Rock    0x005631   National Folk     0x00537F   Instrumental Pop     0x00587D   Samba
    0x0050ED   Country         0x00564D   Swing             0x0053A1   Instrumental Rock    0x005889   Folklore
etc etc etc
It is just dotnet obfuscator junk. Nayrabot is written in assembler, MASM IMO.

See the attached malware with the dotnet junk removed. The bot body is clearly self-explaining. Pass "infected" without quotes.

Old ThreatExpert entry about the same bot:
http://www.threatexpert.com/report.aspx ... 6fbdba2b17

Best Regards,
-rin

P.S.

More info about the AryaN IRC botnet:
https://www.mysonicwall.com/sonicalert/ ... cle&id=430
https://www.mysonicwall.com/Sonicalert/ ... cle&id=434
 #17994  by unixfreaxjp
 Sat Feb 02, 2013 1:48 pm
Thank you for kindly fixing the thread name to the right malware name.
The server that served the Win32/Nayrabot malware is loaded with more.... took 6 hrs to grab all..
And these are not crime/commercial malwares; some are stealers or IRC backdoors.
Is anonymous really behind this scheme? Flushed samples pic:
What's wrong with these skids.., I share samples here
I am sorry, not a promotion, but if you want to know the details of this infection, they are in here and here
 #18183  by sijal
 Wed Feb 13, 2013 5:41 am
rinn wrote:
It is just dotnet obfuscator junk. Nayrabot is written in assembler, MASM IMO.

See the attached malware with the dotnet junk removed.
Hello
Can you explain how you do it?
Are there any tools for this?
thx
 #18188  by EP_X0FF
 Wed Feb 13, 2013 1:36 pm
sijal wrote:
rinn wrote:
It is just dotnet obfuscator junk. Nayrabot is written in assembler, MASM IMO.

See the attached malware with the dotnet junk removed.
Hello
Can you explain how you do it?
Are there any tools for this?
thx
Same as http://www.kernelmode.info/forum/viewto ... =13&t=2479