A forum for reverse engineering, OS internals and malware analysis 

Malwox (Cidox, Mayachok, Vundo)

Forum for analysis and discussion about malware.

Malwox (Cidox, Mayachok, Vundo)

 #4871  by Xylitol
 Fri Feb 04, 2011 1:41 am
My monitoring bot who download ransomwares have found something different today when he have downloaded the sample from kliikers.info (http://www.kernelmode.info/forum/viewto ... t=40#p4840)
Code: Select all
03/02/2011 - 21:12:16 - 74EF46EC6C2C92A032144F0D8E80875A_pornoplayer.exe.ViR
03/02/2011 - 23:12:19 - 8CAA5E3348478C3C0023BD0310593F96_pornoplayer.exe.ViR
gmt+1
Image

VirusTotal 1/43 ~ 8CAA5E3348478C3C0023BD0310593F96_pornoplayer.exe.ViR
http://www.virustotal.com/file-scan/rep ... 1296779373
VirusTotal 1/43 ~ 74EF46EC6C2C92A032144F0D8E80875A_pornoplayer.exe.ViR
http://www.virustotal.com/file-scan/rep ... 1296779377

I see he drop also some stuff in sys32
here a dll: 2/41
http://www.virustotal.com/file-scan/rep ... 1296781866

About what's i understand that drop a dll in sys32 with a random name and register it
Code: Select all
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
LoadAppInit_DLLs = 1
AppInit_DLLs = C:\WINDOWS\system32\bhjadom.dll
you will get after some problem when you launch a exe file (for me the dll is broken)
If someone was able do understand/identify what's actions are exactly done with the loaded dll?
stuff attached
Attachments
passwd: xylibox
(106.15 KiB) Downloaded 72 times

Re: Malware

 #4872  by EP_X0FF
 Fri Feb 04, 2011 5:53 am
Well I believe they are the same. Both drops dll, write data to AppInit and initiate reboot with ExitWindowsEx

http://www.virustotal.com/file-scan/rep ... 1296787970

packed with Mystic Compressor, payload damaged.

Second sample working, payload dll called DStub.dll (IntMayak.dll), decrypts itself in memory of target process. Inside found
SOFTWARE\Microsoft\ Windows \CurrentVersion NT\ NT \Explorer\Shell Folders HTTP/1.1 404 Not Found
Content-Length: 0
HTTP/1.1 302 Moved
Content-Length: 0
Location: Common AppData AppInit_DLLs ProgramFilesDir Content-Length: none
close A t l A x W i n t e s t c l 1 kernel32.dll user32.dll ws2_32.dll advapi32.dll
c:\ ProductId iphlpapi.dll http://
and POST/GET requests. However while running of test app I didn't noticed network activity.

Re: Malware

 #4891  by GMax
 Sat Feb 05, 2011 12:18 pm
URL strings in the file IntMayak.dll
194.247.58.25/loPtfdn3dSasoicn/get.php?key=
&z=304
V1s.co/loPtfdn3dSasoicn/get.php?key=
&z=304
1nfo.co/loPtfdn3dSasoicn/get.php?key=
&z=304
'<script>',0Dh,0Ah,'document.write("<script src=',27h,'http" +',0Dh,0Ah, '(("https:" == document.location.protocol) ? "s" : "") +',0Dh,0Ah,'"://sites.google.com/static.js?t=stat&ran=' </body>
help.vkontakte.ru
194.247.58.25/lo_nhyg38deijiwsx/vhelp.php?uid=
&url=
sites.google.com
194.247.58.25/loPtfdn3dSasoicn/gjs.php?uid=
&url=
admin.vkontakte.ru
194.247.58.25/lo_nhyg38deijiwsx/kr_vnhuirw43/vadmin.php?uid=
&url=
update.microsoft.com
194.247.58.25/bt_pdfn3skxler/index.php?uid=
&url=
update.mozilla.org
194.247.58.25/bt_pdfn3skxler/index.php?uid=
&url=
download.opera.com
194.247.58.25/bt_pdfn3skxler/index.php?uid=
&url=
chrome.google.com
194.247.58.25/bt_pdfn3skxler/index.php?uid=
&url=
194.247.58.25/loPtfdn3dSasoicn/post.php?id=

Malwox

 #9595  by EP_X0FF
 Wed Nov 09, 2011 10:10 am
Xylitol blogged about Malwox - Cidox distribution affilate http://xylibox.blogspot.com/2011/11/tra ... cidox.html

In attach Cidox/Mayachok_1 samples from the given affiliate. Pass malware, multipart archive, 450+ samples.

VT
http://www.virustotal.com/file-scan/rep ... 1320832219
Attachments
(2.06 MiB) Downloaded 74 times
(4.63 MiB) Downloaded 73 times
(4.63 MiB) Downloaded 65 times
(4.63 MiB) Downloaded 72 times
(4.63 MiB) Downloaded 66 times
(4.63 MiB) Downloaded 68 times
(4.63 MiB) Downloaded 81 times

Re: Malware package (bundle of malware samples)

 #9753  by EP_X0FF
 Sat Nov 19, 2011 3:42 am
Cidox samples collected today. Multipart archive, 491 sample, unpacked size 46 Mb.
Pass: malware
Attachments
(3.35 MiB) Downloaded 61 times
(5 MiB) Downloaded 67 times
(5 MiB) Downloaded 67 times
(5 MiB) Downloaded 65 times
(5 MiB) Downloaded 67 times
(5 MiB) Downloaded 72 times
(5 MiB) Downloaded 68 times

Re: Malware package (bundle of malware samples)

 #9832  by Xylitol
 Tue Nov 22, 2011 5:56 pm
Malwox guys moved to
Code: Select all
http://runit.biz/files/user_445.exe
In attach, 234 Cidox samples.
Attachments
infected
(4.88 MiB) Downloaded 61 times
infected
(4.88 MiB) Downloaded 64 times
infected
(4.88 MiB) Downloaded 66 times

Re: Malwox

 #9876  by EP_X0FF
 Thu Nov 24, 2011 7:26 am
Fresh todays Cidox from malwox, multipart archive, 531 sample, unpacked size 46 Mb. Pass malware

VT
http://www.virustotal.com/file-scan/rep ... 1322118513
Attachments
(3.31 MiB) Downloaded 69 times
(5 MiB) Downloaded 69 times
(5 MiB) Downloaded 66 times
(5 MiB) Downloaded 115 times
(5 MiB) Downloaded 63 times
(5 MiB) Downloaded 67 times
(5 MiB) Downloaded 75 times

Re: Malwox

 #9924  by EP_X0FF
 Sat Nov 26, 2011 1:45 pm
Small remover for Cidox payload dll known as IntMayak. Nothing special, but should work for some old and currently distributed by malwox mayachok version (in theory lol). Manual registry cleanup after reboot is required I was lazy to implement it.
Attachments
pass: 123
(2.8 KiB) Downloaded 51 times
 Return to “Malware”