A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #17030  by cjbi
 Wed Dec 05, 2012 11:11 am
Fresh PbBot bootkit dropper, payloads and MBR dump attached, again.

MBR code has been changed.

VirusTotal result(s):
mbr.bin 1/45 :oops: https://www.virustotal.com/file/6855de0 ... 354704811/
SamGal.exe.vir 26/46 https://www.virustotal.com/file/e01538b ... 354705625/
~DFA20.tmp.vir 26/46 https://www.virustotal.com/file/9748f64 ... 354705650/
lefapo.exe.vir & etc... No results yet.
Attachments
pass: infected
(1.53 MiB) Downloaded 104 times
 #17031  by EP_X0FF
 Wed Dec 05, 2012 1:01 pm
The only thing they change in MBR is number and location of nops :) Probably in manual mode vs VT.
 #17622  by unixfreaxjp
 Sat Jan 05, 2013 10:14 pm
A new PbBot bootkit in study. Trojan:Win32/Urelas variant. Reported by @2gg in twitter, nature of infection is Korean game software, I got involved because of one of the CnC is in Japan. I am in assisting position of this case (not familiar well with the infection nature)
VT is https://www.virustotal.com/file/5ca2471 ... 357307928/
It supposed to move my TestPC original MBR into 0×28 and also supposed to change the explorer into payload loader 32bit.
but somehow it crashed my TestPC in every reboot and every re-infection, made me difficult to compare MBR before and after infection. Tried it 3times.
Only I only got one shot for gathering all of the information below. Be free to help in any additional information.
The dropped payload (Trojan.Win32/Urelas bot client variant) uploaded here: https://www.virustotal.com/file/80f25ff ... /analysis/
The sample upon executed, self copied & self deleted & run itself to modify MBR (still under confirmation),
and drop the spyware component to send info + etc data to remote host. The process goes like this:
Image
The dropped trojan:
Image
Image
The batch file/command was used to erase the trace of original infector:
Code: Select all
0x02EB64   0x02EB64   _uninsep.bat
  :           :
0x037840   0x037840  :Repeat
0x037849   0x037849  del "%s"
0x037853   0x037853  if exist "%s" goto Repeat
0x03786E   0x03786E  rmdir "%s"
0x03787A   0x03787A  del "%s"
The CnC of this infection are in two servers, Japan & S.Korea:
Code: Select all
103.1.249.164
218.54.28.199 
Suspected a local online card game mafia group is using it.
PoC:
Image
This bootkit is targeting online games as auto-update installer to get the snapshot/capture screen of an infected gamers, game lists are:
Code: Select all
baduki.exe, RealBaduki.exe, highlow2.exe, LASPOKER.exe,
poker7.exe, Baduki.exe, HOOLA3.EXE, DuelPoker.exe,
FNF.EXE, i,e,, site:hanGame.co.jp

All of the callback to mothership are encrypted with "not" operator, which can be reversed as per below...
Image
Also the config file, looks like a binary but can be decoded the same way:
Image
I attached the analysis data (regshot/pcap/memdump, etc) here with password: infected.
If you want to seek more details about this sample I wrote official Japanese report in :
http://unixfreaxjp.blogspot.jp/2013/01/ ... 49164.html
(please use google translate to read, but for viewing the code better see japanese one)
Attachments
PbBot/Trojan:Win32/Urelas / Bootkit
(699.09 KiB) Downloaded 99 times
 #19133  by cjbi
 Wed May 01, 2013 10:06 am
Fresh PbBot bootkit dropper, payloads and MBR dump attached, again.
Temp727.exe.vir wrote:J:\PMS\_CurRSC\Projects(20130408)\GbpInstall_DllInjection\bin\GolfSetup_25.pdb
VirusTotal result(s):
Legit installer + Dropper
ChaosOne.exe.vir 17/46 https://www.virustotal.com/ru/file/5d15 ... 367402532/

Dropper
EEEE_Proc.exe.vir 18/46 https://www.virustotal.com/ru/file/185d ... 367402447/

Payload: MBR
mbr.bin 0/46 :!: https://www.virustotal.com/ru/file/3fe6 ... 367401741/

Payloads: PbBot bootkit
E1F11C.exe.vir 25/46 https://www.virustotal.com/ru/file/adeb ... 367402283/
Temp727.exe.vir 22/46 https://www.virustotal.com/ru/file/90cd ... 367401169/
ydziq.exe.vir 7/46 https://www.virustotal.com/ru/file/b098 ... 367401155/

Final payload: Delphi coded PbBot
dyqex.exe.vir 12/46 https://www.virustotal.com/ru/file/41b2 ... 367401027/
Attachments
pass: infected
(2.15 MiB) Downloaded 89 times
 #28763  by R136a1
 Fri Jun 24, 2016 11:41 am
Hi folks,

here is a fresh sample from 2016. After a brief comparison it shows there are only some minor updates, presumably for compatibility reasons. However, I haven't checked in detail.

Strings from 16-bit loader:
Code: Select all
-------------- ReadInitData ------------
------- IsPMSInstalled -------------
C:\Windows
Windows folder not exist!
gbp.ini
C:\Windows\gbp.ini
Starting GBP
_GBP
_GBP
Reading boot sector Failed!
SectorsPerCluster:
PMS already installed!
Start File Creating
File Creating Fail!
End of Creating!
FAT12
FAT16
FAT32
NTFS
Read Mbr Sector failed!!!
Reading Fail!
Writing Fail!
Not FAT32!
Find file
Read FAT Failed!
Finding "." from
Read FAT Failed!
Finding File Name:
Not Found!
Found!
Finding File Name:
Finding
Not Found!
Found!
----------- FAT32_CreateFile -------------
FAT32_FindFile failed
Already Exist!
Creating File Name:
New allocated Cluster No:
New entry pos:
Need Cluster Count:
Writing File Data
Empty Cluster No:
Creating File Entry
Read FAT  Failed!
NTFS
Not NTFS!
Finding File Name:
Reading boot sector Failed!
Reading MFT Failed!
Finding directory Fail:
Found!
Finding:
------- NTFS_FindFileInEntrys  -----------
file sequence:
Index buffer count
change directory entry success
FindAttribute bitmap failed
NTFS_FindRun failed
file sequence:
find filename attribute of prev file failed
FindAttribute bitmap failed
write new file record failed
:\windows\explorer.exe
-------------- NTFS_CreateFile ------------
Directory Rec No:
FindEmptyBitmapAttrPosOfMFT failed
File Rec No:
Creating File Record
Creating Directory Entry
make run byte
allocated size of bitmap
init size of bitmap
ReAllocateBitmapAttrOfMFT failed
Strings from injector:
Code: Select all
f:\Zombie_work\zombi_gbp\MainWork\win7_GBP\bin\Release\mmc64.pdb
OpenProcessToken error: %u
LookupPrivilegeValue error: %u
AdjustTokenPrivileges error: %u
The token does not have the specified privilege. 
OpenProcess(%d) failed!!!
LoadLibraryA
kernel32.dll
\acm.dll
IDR_DLL
explorer.exe
_uninsep.bat
test_WATCHDOG
SeDebugPrivilege
Strings from final payload:
Code: Select all
highlow2.exe
LASPOKER.exe
poker7.exe
Baduki.exe
HOOLA3.EXE
DuelPoker.exe
FRN.exe
FN AND FRN ver1.0
pmlauncher.exe
image/jpeg
Calculator
DISPLAY
47.88.8.135
Dropper: https://virustotal.com/de/file/7335e4f5 ... /analysis/

MBR: https://www.virustotal.com/en/file/5bf7 ... /analysis/
MBR (with NOPs): https://www.virustotal.com/en/file/d5c1 ... /analysis/
16-bit loader: https://www.virustotal.com/en/file/c93d ... /analysis/

Injector: https://www.virustotal.com/en/file/06b0 ... /analysis/
Payload: https://www.virustotal.com/en/file/981e ... /analysis/
Attachments
PW: infected
(75.27 KiB) Downloaded 61 times