A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #22456  by unixfreaxjp
 Sat Mar 15, 2014 5:40 am
Three malvertisements of Upatre.
Image
Downloading Zbot(GMO) in the below URLs
Code: Select all
h00p://sienashops.it/image_data/al2602.nub
h00p://theeventroom.co.uk/Images/al2602.nub
h00p://gobemall.com/img/p/1/0/1/1203a.ton
h00p://gobehost.info/images/headers/13003UKp.ton
h00p://creativemindsplanet.com/images/headers/a.ssa
h00p://mpbp.org/images/banners/1203UKp.ssa
Hashes are listed in here: http://pastebin.com/raw.php?i=N6AgVqzt

VT:
https://www.virustotal.com/en/file/539f ... /analysis/
https://www.virustotal.com/en/file/8091 ... /analysis/
https://www.virustotal.com/en/file/130c ... /analysis/

tips: Malware typical headers used for downloads zbots:
Image

I attached all downloaded + Zbot (+drops) files
Attachments
password: infected
(2.99 MiB) Downloaded 103 times
 #22473  by unixfreaxjp
 Tue Mar 18, 2014 11:43 pm
Today's Upatre with attempt for downloading ZeusP2P Gameover
Pic:
Image
VT: https://www.virustotal.com/en/file/f5bc ... 395183670/

Spam source: yua.dynamic.so-net.net.tw (61.62.44.173)
Template: (suspected) Cutwail (it looks like a new template used, so I have no reference on this one)

Download callback URL: 184.172.57.26 (hacked WP sites, USA service)
Code: Select all
Wed Mar 19 08:41:49 JST 2014|184.172.57.26|184.172.57.26-static.reverse.softlayer.com.|36351 | 184.172.0.0/18 | SOFTLAYER | US | SOFTLAYER.COM | THEPLANET.COM INTERNET SERVICES INC.
HTTP Download request header:
Code: Select all
GET /blog/wp-content/uploads/2014/03/1803FR.enc HTTP/1.1
Accept: text/*, application/*
User-Agent: Updates downloader
Host: kbpark.com
Cache-Control: no-cache

Sample is attached, w/o traffic.
Attachments
pwd: infectedinfected
(18.62 KiB) Downloaded 74 times
 #22518  by unixfreaxjp
 Sat Mar 22, 2014 12:45 pm
Received this Upatre campaign today:
Image
Is downloading another payload, not the usual gameover or zbot, I call it "unknown trojan stealer", anyone knows what it is?

details I wrote in VT's comments, please bare to look at those, sorry, I am outside (travelling) now.

Upatre: https://www.virustotal.com/en/file/2842 ... 395479710/
stealer: https://www.virustotal.com/en/file/7056 ... 395480781/

Samples:
Code: Select all
2014/03/22  18:13            11,899 012.eml
2014/03/22  10:14           360,448 2103USa.qta
2014/03/22  10:14               111 40425350.cmd.bat
2014/03/22  10:14            11,264 aplib.dll
2014/03/22  10:14            12,800 aplib64.dll
2014/03/22  10:14           360,448 asmlo.exe
2014/03/22  10:14           228,864 client.dll
2014/03/21  17:14            19,456 FAX-032114.scr
2014/03/22  10:14            19,492 mazon.exe
2014/03/22  10:14            59,904 zlib1.dll

6699f43545f6aff4750584e59878c0ae 012.eml
589d74b40157c23cee00135ed388e554 2103USa.qta
27af77c860b9b3fc234175154d09f643 40425350.cmd.bat
7fe2b0b3fc2078130f20070a05daf8d5 aplib.dll
3f4fe60b6d1e05144f6efa098ac381a8 aplib64.dll
589d74b40157c23cee00135ed388e554 asmlo.exe
f428fca692288a1437df2871ebbcc81f client.dll
6b6d5c012f403999c62145668437e617 FAX-032114.scr
52d32a3da4ac83cec80f8fb9d9d38ee6 mazon.exe
80e41408f6d641dc1c0f5353a0cc8125 zlib1.dll
Attachments
pwd: malware!=
(539.18 KiB) Downloaded 72 times
 #25607  by sysopfb
 Fri Apr 10, 2015 9:11 pm
Stub changed today, they added an xor loop over the patcheable data section. All samples I went through today used a single byte xor of 13

Lots of samples attached easy to unpack

psuedocode C representation of the added xor loop on the data
Code: Select all
int i = data_blob_position_in_file;
while(file[i] != 0x1)
{
    if(file[i] != 0x0)
        file[i] ^= 0x13;
    i++;

}
Haven't had any time to go over the rest but the payload appears to be the same, rolling xor and then shellcode on top of a LZNT compressed MZ.
Attachments
pw: infected
(56.83 KiB) Downloaded 55 times