A forum for reverse engineering, OS internals and malware analysis 

 #32305  by Patrick
 Thu Dec 06, 2018 7:21 pm
Write-up from Kaspersky from back in Nov.

SHA256:
Code:
dce2d575bef073079c658edfa872a15546b422ad2b74267d33b386dc7cc85b47
Anyone ever take a look into this malware? Share your findings and experiences. I've taken a very quick and limited look so far...

Packed w/ UPX (UPX 0/1)
Executing in a non-intended environment only makes a few changes to the OS, like:
Code:
HKLM\SOFTWARE\Microsoft\DownloadManager
Nothing gets dropped here afaik due to the detection and nature of the environment.
Code:
HKU\S-1-5-21-2143623086-3970857485-2198902424-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL
Opens IE to the Gusanito webpage, which is the Spanish translation "An endearing term to describe shady, scared and mischievous people. Spanish translation - Worm/Caterpillar."
 #32309  by Patrick
 Tue Dec 11, 2018 9:50 am
I had some time tonight so I took a look with Olly.

Definitely packed w/ UPX as the program pauses at a PUSHAD unpack stub at 0000F51AD0.
Code:
00F51AD0 > $ 60 PUSHAD
If we step into the PUSHAD and follow the ESP register's contents in memory dump, we wind up at 0000F51AD1, which is the MOV instruction for moving the executable and the ESI register. Highlighting the first 4 hex dump values (zeroed out), setting a hardware breakpoint, and executing the program leads us to 0000F526AA's compare of EAX>ESP. Notice we now also have reached our series of DB00:
Code:
00F526AA   . 39C4           CMP ESP,EAX
00F526AC   .^75 FA          JNZ SHORT DarkTequ.00F526A8
00F526AE   . 83EC 80        SUB ESP,-80
00F526B1   .-E9 E882F2FF    JMP DarkTequ.00E7A99E
00F526B6     00             DB 00
00F526B7     00             DB 00
00F526B8     48             DB 48                                    ;  CHAR 'H'
00F526B9     00             DB 00
00F526BA     00             DB 00
00F526BB     00             DB 00

...

From here we can see our tail jump prior to the first DB00, at address 0000F526B1. If we set a BP on this instruction and then execute the program to trigger it, we can then step over and reach our OEP.
Code:
00E7A99E   E8 54120000      CALL DarkTequ.00E7BBF7
The malware does not allow a dump of the process with Olly, so it's likely checking for a debugger environment and may even be deleting its own PE. Not sure.
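As an added example (not code from the thread or from Kaspersky's write-up), a small Python helper that parses the OllyDbg lines quoted above, resolves the E9/E8/rel8 branch targets by hand from the opcode bytes, and applies the tail-jump heuristic described in the post (a JMP rel32 out of the UPX1 stub, landing lower in the image and followed by DB 00 padding). The listing is constructed from the lines in the post with the comment column dropped; the parser assumes Olly's default column layout.

```python
import re

# Constructed sample: the OllyDbg listing lines quoted in the post above.
LISTING = """\
00F51AD0 > $ 60 PUSHAD
00F526AA   . 39C4           CMP ESP,EAX
00F526AC   .^75 FA          JNZ SHORT DarkTequ.00F526A8
00F526AE   . 83EC 80        SUB ESP,-80
00F526B1   .-E9 E882F2FF    JMP DarkTequ.00E7A99E
00F526B6     00             DB 00
00F526B7     00             DB 00
00E7A99E   E8 54120000      CALL DarkTequ.00E7BBF7
"""

# address, optional Olly markers (> $ . ^ -), single-space separated opcode bytes, disassembly text
LINE_RE = re.compile(r"^([0-9A-F]{8})\s+(?:[>$.^-]\s*)*([0-9A-F]{2,8}(?: [0-9A-F]{2,8})*)\s+(\S.*)$")

def parse_listing(text):
    """Return [(address, opcode_bytes, disassembly_text)] for every parsable line; ';' comments are dropped."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.split(";")[0].rstrip())
        if m:
            insns.append((int(m.group(1), 16), bytes.fromhex(m.group(2).replace(" ", "")), m.group(3)))
    return insns

def branch_target(addr, op):
    """Decode E8/E9 (rel32) and EB/7x (rel8) targets: next instruction address + signed displacement."""
    rel32 = op[0] in (0xE8, 0xE9) and len(op) == 5
    rel8 = (op[0] == 0xEB or 0x70 <= op[0] <= 0x7F) and len(op) == 2
    if not (rel32 or rel8):
        return None
    return (addr + len(op) + int.from_bytes(op[1:], "little", signed=True)) & 0xFFFFFFFF

def find_tail_jump(insns):
    """UPX heuristic from the post: a JMP rel32 that lands below the stub and is followed by DB 00 padding."""
    for i, (addr, op, _text) in enumerate(insns):
        if op[0] != 0xE9:
            continue
        target = branch_target(addr, op)
        padded = i + 1 < len(insns) and insns[i + 1][2].startswith("DB 00")
        if target < addr and padded:
            return addr, target  # (tail jump address, candidate OEP)
    return None

def check_operands(insns):
    """Cross-check the hand-decoded targets against the DarkTequ.XXXXXXXX operands Olly printed."""
    mismatches = []
    for addr, op, text in insns:
        target, m = branch_target(addr, op), re.search(r"\.([0-9A-F]{8})$", text)
        if target is not None and m and int(m.group(1), 16) != target:
            mismatches.append(addr)
    return mismatches
```

Running `find_tail_jump(parse_listing(LISTING))` reproduces the post's result: the JMP at 00F526B1 resolves to 00E7A99E, and `check_operands` returns no mismatches for the quoted lines.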