A forum for reverse engineering, OS internals and malware analysis 
 #25918  by ithurricane
 Sat May 23, 2015 7:09 am
The virus on VT:
https://www.virustotal.com/en/file/8f35 ... 432362743/

The virus injects into many processes, like this:

but I can't find how it autostarts.

When the OS is restarted, it starts itself via explorer.exe, but I do not know how it gets auto-started.
log:
2015/05/23 15:54:55 c:\windows\explorer.exe Create new process c:\users\test\appdata\roaming\mozilla\firefox\profiles\4ude5xz7.default\storage\permanent\xulstore.exe Cmd line: "C:\Users\test\AppData\Roaming\Mozilla\Firefox\Profiles\4ude5xz7.default\storage\permanent\xulstore.exe"
Attachments (121.35 KiB)
pass: infected
 #25921  by nullptr
 Sat May 23, 2015 4:13 pm
It looks like some Zbot variant.
The autorun entry gets written to HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Play with it a bit more to discover how and when the entry gets written ;)
 #25927  by ithurricane
 Mon May 25, 2015 1:03 am
nullptr wrote:It looks like some Zbot variant.
The autorun entry gets written to HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Play with it a bit more to discover how and when the entry gets written ;)
Thank you for your answer,
Maybe when the OS shuts down, it is written to HKCU\Software\Microsoft\Windows\CurrentVersion\Run?
 #25994  by EP_X0FF
 Tue Jun 02, 2015 8:34 am
It runs from HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. It confused you because this "masterpiece of code" actually deletes its key after start and writes it back during shutdown. If you reset the machine while this malware is working, it will die. From the behavior, this is a typical trojan with multiple injects and API hooking (wininet/ws_32) similar to ZBot. More info is unavailable as the malware C&C server (technologyincorp.com) is dead. Consider it a piece of junk.
 #26050  by pyre08
 Wed Jun 10, 2015 2:04 am
The sample is a new ZeusVM variant; the dropped file location has been changed, there is a different API obfuscation method, and a minor bug fix to work on Win8.

ZeusVM 2.0.b.0

 #26569  by Jeb
 Thu Aug 20, 2015 6:24 pm
ithurricane wrote:Thank you for your answer,
Maybe when the OS shuts down, it is written to HKCU\Software\Microsoft\Windows\CurrentVersion\Run?
I'm new here, so hello, and sorry for bringing up an older thread. When in doubt, run Process Monitor. Set it to create a boot log, then you can see how the malware writes itself to the autostart location. This may help you with other malware as well.
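Added example, not from any of the posters: EP_X0FF's point is that a live look at the Run key while the sample is running shows nothing, because the value is deleted right after start and only restored at shutdown, so the place to catch it is a Process Monitor boot log covering a full session. The script below parses a Procmon CSV export (File > Save..., CSV; the column names are the real export headers) and reports two things: successful RegSetValue writes to Run/RunOnce keys with the process that performed them, and values that were deleted earlier in the log and written back later, which is exactly the delete-at-start, restore-at-shutdown pattern described above. The embedded log rows are constructed for this example; only the dropped path and the HKCU Run key come from the thread.

```python
import csv
import io
import re

# Constructed sample rows in the column layout of a Process Monitor CSV export.
# The events, PIDs and timestamps are invented; the file path and the HKCU Run
# key mirror the ones discussed in the thread.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"3:54:55.1234567 PM","explorer.exe","1234","Process Create","C:\Users\test\AppData\Roaming\Mozilla\Firefox\Profiles\4ude5xz7.default\storage\permanent\xulstore.exe","SUCCESS","PID: 2468, Command line: ""C:\Users\test\AppData\Roaming\Mozilla\Firefox\Profiles\4ude5xz7.default\storage\permanent\xulstore.exe"""
"3:54:56.0000001 PM","xulstore.exe","2468","RegDeleteValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\xulstore","SUCCESS",""
"3:55:01.0000002 PM","svchost.exe","800","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth","SUCCESS","Type: REG_SZ, Length: 80, Data: C:\Windows\system32\SecurityHealthSystray.exe"
"7:02:10.0000003 PM","explorer.exe","1234","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\xulstore","SUCCESS","Type: REG_SZ, Length: 180, Data: C:\Users\test\AppData\Roaming\Mozilla\Firefox\Profiles\4ude5xz7.default\storage\permanent\xulstore.exe"
'''

# Matches a value directly under a Run or RunOnce key in HKCU, HKLM or a
# loaded user hive, with or without the Wow6432Node redirection.
RUN_KEY_RE = re.compile(
    r'^(?P<hive>HKCU|HKLM|HKU\\[^\\]+)\\SOFTWARE\\(?:Wow6432Node\\)?'
    r'Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<value>[^\\]+)$',
    re.IGNORECASE,
)


def parse_procmon_csv(text):
    """Parse a Procmon CSV export into a list of dicts keyed by column header."""
    # Exports written by Procmon may start with a UTF-8 BOM; drop it so the
    # first header is read as "Time of Day" and not "\ufeffTime of Day".
    return list(csv.DictReader(io.StringIO(text.lstrip('\ufeff'))))


def _reg_data(detail):
    """Pull the 'Data: ...' portion out of a Procmon registry Detail column."""
    m = re.search(r'Data: (.*)$', detail)
    return m.group(1) if m else ''


def find_autorun_writes(events):
    """Successful RegSetValue operations on Run/RunOnce values, with the writer."""
    hits = []
    for ev in events:
        if ev["Operation"] != "RegSetValue" or ev["Result"] != "SUCCESS":
            continue
        m = RUN_KEY_RE.match(ev["Path"])
        if not m:
            continue
        hits.append({
            "time": ev["Time of Day"],
            "process": ev["Process Name"],
            "pid": ev["PID"],
            "key": m.group("key"),
            "value": m.group("value"),
            "data": _reg_data(ev["Detail"]),
        })
    return hits


def find_delete_then_write(events):
    """Run values deleted earlier in the log and written back later.

    This is the 'delete after start, restore during shutdown' behaviour
    described in the thread; a live registry check between the two events
    finds nothing, but the boot log contains both operations."""
    deleted = {}   # value name (lower-cased) -> process that deleted it
    restored = []
    for ev in events:          # events are in log order, so earlier means deleted first
        m = RUN_KEY_RE.match(ev["Path"])
        if not m or ev["Result"] != "SUCCESS":
            continue
        name = m.group("value").lower()
        if ev["Operation"] == "RegDeleteValue":
            deleted[name] = ev["Process Name"]
        elif ev["Operation"] == "RegSetValue" and name in deleted:
            restored.append({
                "value": m.group("value"),
                "deleted_by": deleted[name],
                "written_by": ev["Process Name"],
            })
    return restored


if __name__ == "__main__":
    events = parse_procmon_csv(SAMPLE_PROCMON_CSV)
    for hit in find_autorun_writes(events):
        print(f'{hit["time"]} {hit["process"]}({hit["pid"]}) wrote '
              f'{hit["key"]}\\{hit["value"]} = {hit["data"]}')
    for r in find_delete_then_write(events):
        print(f'Run value "{r["value"]}" deleted by {r["deleted_by"]} '
              f'and restored later by {r["written_by"]}')
```

In the constructed log the write comes from explorer.exe rather than from the dropped executable, which is what you would expect when the sample has injected into explorer.exe as the first post's screenshot showed; the delete-then-write report ties the two processes to the same value name so the analyst sees the round trip in one line. On a real boot log, run the script over the whole export and keep the `RegDeleteValue` rows as well, since the deletion is the half of the pattern that a point-in-time Autoruns scan never sees.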