WinNT/Bedep

#24008 by Kafeine
Mon Sep 29, 2014 3:47 pm

Cf : http://www.virusradar.com/en/Win32_Bedep.A/description

http://malware.dontneedcoffee.com/2014/ ... eless.html

and this :

Here are samples (sorry only one 64 bits....but is distributed in 64bits too).

Attachments

Win32_Bedep_2014-09-29.zip

Pass Infected - 32 items - only 1 x64
(3.09 MiB) Downloaded 169 times

Username

Kafeine

Posts

105

Joined

Thu Jul 28, 2011 1:19 pm

Re: Win32/Bedep

#24011 by EP_X0FF
Mon Sep 29, 2014 10:39 pm

Interesting part of it seems to be able to create native usermode threads with CSRSS self notification plus it have a piece of x64 code in win32 loader, so I think it will work for x64 too.

5ff4f9c65e5e14db4cda736a374236fe_0b249f61a58aa5a1f8b01c4ea866b1c6 unpacked in attach.
https://www.virustotal.com/en/file/755e ... 412030155/

sup dlls mentioned above x86-x64 in attach

Attachments

sup_dlls.rar

pass: infected
(5.23 KiB) Downloaded 107 times

unp.rar

pass: infected
(47.88 KiB) Downloaded 115 times

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Win32/Bedep

#24502 by kloent
Tue Dec 02, 2014 2:30 pm

One more from Angler EK.

Attachments

bedep_c.zip

pass: infected
(48.18 KiB) Downloaded 124 times

Username

kloent

Posts

10

Joined

Sat Nov 10, 2012 9:00 am

Re: Win32/Bedep

#24582 by Munsta
Thu Dec 11, 2014 9:07 pm

create native usermode threads with CSRSS self notification

This means that it has ring0 component and it is creating new thread in the Windows fashion instead of some APC shellcode injection to usermode?

Username

Munsta

Posts

21

Joined

Tue Sep 30, 2014 6:52 pm

Re: Win32/Bedep

#24583 by EP_X0FF
Fri Dec 12, 2014 4:42 am

Munsta wrote:
create native usermode threads with CSRSS self notification
This means that it has ring0 component and it is creating new thread in the Windows fashion instead of some APC shellcode injection to usermode?

There are no ring0 components. You do not understand the post. See @1000736B in unp.dmp -> NtCreateThread -> CsrClientCallServer.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Win32/Bedep

#24587 by Munsta
Fri Dec 12, 2014 1:17 pm

EP_X0FF wrote: There are no ring0 components. You do not understand the post. See @1000736B in unp.dmp -> NtCreateThread -> CsrClientCallServer.

Right. Good, I remember now that it was used in some game hack, the tricky part was cross session thread creation, is this the case here? (creating hack thread from different user session via Csr* API and then you switch users to play the game :lol: )

Username

Munsta

Posts

21

Joined

Tue Sep 30, 2014 6:52 pm

Re: Win32/Bedep

#24795 by EP_X0FF
Fri Jan 02, 2015 8:25 am

Few samples of dropped Bedep components. Samples courtesy of Cody Johnston.

dpwsocksx_fake.dll
trksvr_fake.dll

both contain inside Win32/Bedep downloader.

bedep_stage2.dll extracted from them.

To manually extract payload - set break on RtlDecompressBuffer.

Attachments

bedep.rar

pass: infected
(329.25 KiB) Downloaded 103 times

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Win32/Bedep

#25097 by forty-six
Wed Jan 28, 2015 10:19 pm

Bedep stage 1 & 2.

Attachments

stage_2.7z

pass: infected
(58.93 KiB) Downloaded 83 times

stage_1.7z

pass: infected
(113.17 KiB) Downloaded 86 times

Username

forty-six

Posts

66

Joined

Tue Sep 03, 2013 3:23 pm

Re: Win32/Bedep

#26171 by R136a1
Wed Jun 24, 2015 6:48 pm

Hi folks,

attached are the samples of a test version of Bedep that uses a fileless persistency method. More info:
https://translate.google.com/translate? ... edit-text=