A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #23383  by Peter Kleissner
 Wed Jul 16, 2014 1:03 pm
The current (as of right now) C&C domain (fast flux):
Code:
Domain name: 1413rrr1luqjub1bstdcunc3tnr.net
Registry Domain ID: 

Registrar WHOIS Server: whois.bizcn.com
Registrar URL: http://www.bizcn.com
Updated Date: 2014-07-16T11:29:10Z
Creation Date: 2014-07-16T11:29:11Z
Registrar Registration Expiration Date: 2015-07-16T11:29:11Z
Registrar: Bizcn.com,Inc.
Registrar IANA ID: 471
Registrar Abuse Contact Email: abuse@bizcn.com
Registrar Abuse Contact Phone: +86.5922577888
Reseller: Cnobin Technology HK Limited
Domain Status: clientDeleteProhibited
Domain Status: clientTransferProhibited
Registry Registrant ID: 
Registrant Name: indsay Goff
Registrant Organization: indsay S. Goff
Registrant Street: 952 Longview Avenue
Registrant City: Queens
Registrant State/Province: NY
Registrant Postal Code: 11413
Registrant Country: us
Registrant Phone: +1.7185279108
Registrant Phone Ext: 
Registrant Fax: +1.7185279108
Registrant Fax Ext: 
Registrant Email: goodepictures@gmx.us
Resolves here to IPs: 178.211.41.246, 211.108.69.117, 4.30.111.88
 #23397  by g0dmoney
 Thu Jul 17, 2014 8:22 pm
Unpacking the latest samples of V3 (e.g. md5: 5e5e46145409fb4a5c8a004217eef836) is a bit different from the last few versions that dropped the rootkit. The crypter used has checks for "VBoxService.exe" and "vmtoolsd.exe", then checks if Sandboxie's module sbiedll.dll is loaded; if any of those are found, it does xor eax,eax and then calls eax to terminate. Bypass those by breaking on CreateToolhelp32Snapshot and modifying those strings in memory, or by modifying the ZF after they're checked.

Next you can set BPs on GetThreadContext and SetThreadContext; after the Get you'll see some calls to NtUnmapViewOfSection, then a few calls to WriteProcessMemory (writing data to a process it created with CreateProcess). After the last WriteProcessMemory call, just before a call to SetThreadContext, you'll see EAX modified to point to the new entry point, just before it calls ResumeThread. You can then write an EB FE to the child process at that OEP, run the ResumeThread call letting the parent exit, then dump the process and you should be unpacked; just change the EB FE back to whatever it was. Pretty common old crypter iirc, at least very similar to some I've seen in the past. The unpacked version looks like old zbot for the most part; haven't reversed the DGA yet though, I'd assume it's different.
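One way to turn the sequence described in the post above into something you can spot in an API trace, as an added example that is not part of the original post or of any tool it mentions: the script below walks a constructed trace (the "pid: API(arg=val) = ret [out=val]" line format is made up for this example, not any real sandbox's output), tracks every child created with CREATE_SUSPENDED, and reports it once it has seen the NtUnmapViewOfSection, the WriteProcessMemory calls, a SetThreadContext and the ResumeThread, returning the EAX value from the context as the OEP where the EB FE would go before the resume. It assumes a 32-bit target, where the new-process stub transfers control to EAX; the sample paths and handles are invented.

```python
import re

# Constructed API-call trace in a made-up "pid: API(arg=val, ...) = ret [out=val, ...]"
# format. It is not the output of any real tool; it only mirrors the call sequence the
# post describes (suspended child, unmap, several writes, context swap, resume).
TRACE = """\
1234: CreateProcessA(lpApplicationName="C:\\samples\\dropper.exe", dwCreationFlags=0x4) = 1 [hProcess=0x88, hThread=0x8c, dwProcessId=2210]
1234: GetThreadContext(hThread=0x8c) = 1
1234: NtUnmapViewOfSection(ProcessHandle=0x88, BaseAddress=0x400000) = 0x0
1234: VirtualAllocEx(hProcess=0x88, lpAddress=0x400000, dwSize=0x1f000) = 0x400000
1234: WriteProcessMemory(hProcess=0x88, lpBaseAddress=0x400000, nSize=0x400) = 1
1234: WriteProcessMemory(hProcess=0x88, lpBaseAddress=0x401000, nSize=0x1a000) = 1
1234: WriteProcessMemory(hProcess=0x88, lpBaseAddress=0x41c000, nSize=0x3000) = 1
1234: SetThreadContext(hThread=0x8c, Eax=0x40a5c0, Ebx=0x7ffd4000) = 1
1234: ResumeThread(hThread=0x8c) = 0x1
"""

# A child started normally and simply waited on (also constructed): must produce no finding.
BENIGN_TRACE = """\
5678: CreateProcessA(lpApplicationName="C:\\Windows\\notepad.exe", dwCreationFlags=0x0) = 1 [hProcess=0x90, hThread=0x94, dwProcessId=3300]
5678: WaitForSingleObject(hHandle=0x90, dwMilliseconds=0xffffffff) = 0x0
"""

CREATE_SUSPENDED = 0x4        # real dwCreationFlags bit
INFINITE_LOOP = b"\xeb\xfe"   # jmp $ : parks the child at its OEP once it is resumed

LINE_RE = re.compile(r"^(?P<pid>\d+): (?P<api>\w+)\((?P<args>.*?)\) = (?P<ret>\S+)(?: \[(?P<out>.*)\])?$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|[^,\s]+)')


def _kv(text):
    """Turn 'a=0x4, b="x"' into {'a': 4, 'b': 'x'}; unquoted values are parsed as ints."""
    out = {}
    for key, val in KV_RE.findall(text or ""):
        out[key] = val.strip('"') if val.startswith('"') else int(val, 0)
    return out


def hollowing_findings(trace_text):
    """Return one finding per child that was created suspended, had its image unmapped,
    had memory written into it, had its thread context redirected and was then resumed."""
    by_process = {}   # (parent pid, hProcess) -> state
    by_thread = {}    # (parent pid, hThread)  -> the same state object
    findings = []
    for line in trace_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, api = int(m["pid"]), m["api"]
        args, outs = _kv(m["args"]), _kv(m["out"])

        if api.startswith("CreateProcess"):
            if args.get("dwCreationFlags", 0) & CREATE_SUSPENDED:
                state = {"parent_pid": pid, "child_pid": outs["dwProcessId"],
                         "image": args.get("lpApplicationName"), "unmapped": False,
                         "writes": [], "entry_point": None}
                by_process[(pid, outs["hProcess"])] = state
                by_thread[(pid, outs["hThread"])] = state
            continue

        # Calls that name the child's process handle: the unmap and the image writes.
        state = by_process.get((pid, args.get("ProcessHandle", args.get("hProcess"))))
        if state is not None:
            if api == "NtUnmapViewOfSection":
                state["unmapped"] = True
            elif api == "WriteProcessMemory":
                state["writes"].append((args["lpBaseAddress"], args["nSize"]))
            continue

        # Calls that name the child's main thread: the context swap and the resume.
        state = by_thread.get((pid, args.get("hThread")))
        if state is None:
            continue
        if api == "SetThreadContext":
            # Assumption: 32-bit target. The new-process stub jumps to EAX, so whatever
            # the parent puts there is the injected image's entry point (the OEP to dump at).
            state["entry_point"] = args.get("Eax")
        elif (api == "ResumeThread" and state["unmapped"] and state["writes"]
              and state["entry_point"] is not None):
            findings.append(dict(state, oep_patch=(state["entry_point"], INFINITE_LOOP)))
    return findings


if __name__ == "__main__":
    for f in hollowing_findings(TRACE):
        print(f"parent {f['parent_pid']} hollowed pid {f['child_pid']} ({f['image']}): "
              f"{len(f['writes'])} writes, OEP {f['entry_point']:#x}; write "
              f"{f['oep_patch'][1].hex()} there before ResumeThread, dump, then restore")
    assert hollowing_findings(BENIGN_TRACE) == []
```

The finding carries the write ranges as well as the OEP, which is what you want when checking the dump afterwards: the dumped image should cover exactly those ranges, and the two bytes at the OEP must be restored from the last WriteProcessMemory's buffer, not from the on-disk sample.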
 #26458  by unixfreaxjp
 Fri Aug 07, 2015 3:01 am
BP hosts & domains that serve GMO are still serving different stuff.. THAT is the one that should be aimed at.. new players always come.. there is only a little infrastructure to use.
 #26863  by patriq
 Thu Oct 01, 2015 11:08 pm
EP_X0FF wrote:
Xylitol wrote: Bad Guys and Backends (slide blackhat): https://www.blackhat.com/docs/us-15/mat ... ckends.pdf

Image
Propaganda bullshit.
@EP_X0FF
I don't understand what you mean. "Propaganda", as in the FBI does not control GoZ as of now? Or propaganda that Bogachev likes pussy(cats)? He looks more like a perv pedo to be honest.


On a serious note: they got control of a few proxy nodes and then took down the principal proxies. How did the feds poison the network with the sinkhole P2P peer list if the data is encrypted using a private RSA key? What am I missing?

This is the video that goes with those slides:
https://www.youtube.com/watch?v=dYJJZHYSQsk