A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #19822  by unixfreaxjp
 Wed Jun 26, 2013 9:42 am
unixfreaxjp wrote:It has the botnet communication with HTTP & SSL, the SSL is for the handshake...
avast! Blog / Mr. Ivan Jedek made a thorough payload binary analysis which is revealing the hidden C&C server information in the Cutwail payload binary.
Please check out his good reversing analysis in here: http://blog.avast.com/2013/06/25/15507/#more-15507
It worth to read, and I learned a lot by this post.
 #20940  by forty-six
 Mon Sep 23, 2013 5:04 pm
I believe so:

0x12e148 (13): smtp.live.com
0x160334 (38): smtp.mail.yahoo.com
0x161740 (24): smtp.sbcglobal.yahoo.com
0x1619fc (26): smtp.live.com
0x1621ac (48): smtp.sbcglobal.yahoo.com
0x18b93c (48): smtp.sbcglobal.yahoo.com
0x1a1544 (48): smtp.sbcglobal.yahoo.com
0xb3f894 (19): smtp.mail.yahoo.com
0x40065c4 (19): smtp.compuserve.com
0x40065ec (18): smtp.directcon.net
0x4006600 (24): smtp.sbcglobal.yahoo.com
0x400661c (19): smtp.mail.yahoo.com
0x4006630 (13): smtp.live.com
0x89062d9 (19): smtp.compuserve.com
0x8906301 (18): smtp.directcon.net
0x8906315 (24): smtp.sbcglobal.yahoo.com
0x8906331 (19): smtp.mail.yahoo.com
0x8906345 (13): smtp.live.com
 #20941  by Horgh
 Mon Sep 23, 2013 7:35 pm
Is it Pushdo?
MS says TrojanDownloader:Win32/Cutwail.BS on my shitty dump, it behaves like it, so yeah pushdo (even if i doubt it's the .BS variant, I don't remember it looked like this).

The file is easy to unpack : shit -> UPX packed MZ -> final binary ; call eax to go to the newly allocated zone each time.
You have the classic stuff in the cutwail binary, I gave it a quick look, like dynamic apis resolution, traffic encryption via crypto apis, and obviously spamming. The requests contains informations on the victim computer, crypted, and sent to hacked (?) websites (cbsprinting.com.au / naijagurus.com / lockerlookz.com / upsilon89.com / agence-des-druides.com) in the usual manner. I haven't took a look further in the spamming process.
 #20942  by GMax
 Mon Sep 23, 2013 8:19 pm
unpacked file
Attachments
pw: malware
(29.88 KiB) Downloaded 66 times
 #20961  by patriq
 Tue Sep 24, 2013 8:38 pm
This url was in the cutwail.7z archive..posted earlier.
Code: Select all
hxxp://173.237.198.42/closest/i9jfuhioejskveohnuojfir.php
more interesting items on this IP

Blackhole EK (no bhadmin.php or front end that I see)
Code: Select all
hxxp://173.237.198.42/channels/templates/
Samples pulled from
Code: Select all
hxxp://173.237.198.42/least/
hxxp://173.237.198.42/mix/ (some Jar files in here)


attached (ZeroAccess, etc) - pretty low detection rates.
Code: Select all
834af630ca797db828560b20ff215df3
12a2041b21d6a4542fb6402bcbb2c19f
3dd5efcc8a520c807d40c2ef0e82d155
a00ca295a954e432e041d0e60aaf5ac8
cb37e5b89370b7b7d4ac257ede6ecdbe
26915f4c1750735e4ad82896f9e830a2
Attachments
infected
(630.53 KiB) Downloaded 73 times
 #22620  by unixfreaxjp
 Fri Apr 04, 2014 9:37 am
Any recent sample of PushDo / Cutwail please friends?
Looks like their email template is changing I wonder why..
With thanks in advance, era;;y appreciated the share beforehand.

Rick of MalwareMustDie