i'm looking for hash Badrabbit https://www.dp.ru/a/2017/10/24/Hakeri_atakovali_metro_a
Here you go.
BR,
Antelox
A forum for reverse engineering, OS internals and malware analysis
Attachments
(458.65 KiB) Downloaded 94 times
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
this is а DLL:
this is а DLL:
Code: Select all
10 - time (in minutes) before the system restartsrundll32 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648.dll, #1 10additional samples
Attachments
pw virus
(393.49 KiB) Downloaded 86 times
(393.49 KiB) Downloaded 86 times
New trend of home made analysts - post sandbox log photoshoped as "analysis".
What attract my attention here is part about Tcb privilege adjustment.
As author of this collage likely don't know that this privilege is not available in default configuration for windoze "admins" and probably also doesn't know what it does and for what purpose it even exist.
So I downloaded this trash in expectation of some "magic". To get payload dll without catching it on disk, put dropper into ollydbg and set breakpoint on NtCreateFile, once it hit with "\??\C:\windows\infpub.dat" inspect process virtual memory and dump region with dll inside.
Privileges adjusted just right in first subroutine of "payload main" which is first exported ordinal.
No magic here, set of ridiculous shit copy-paste code where authors not really understand why they need some parts as well as these who "analyse" it. Also ridiculous use of DiskCryptor, how fuck lol is that just because initially it is supposed to be part of malware rootkit self defense.
What attract my attention here is part about Tcb privilege adjustment.
As author of this collage likely don't know that this privilege is not available in default configuration for windoze "admins" and probably also doesn't know what it does and for what purpose it even exist.
So I downloaded this trash in expectation of some "magic". To get payload dll without catching it on disk, put dropper into ollydbg and set breakpoint on NtCreateFile, once it hit with "\??\C:\windows\infpub.dat" inspect process virtual memory and dump region with dll inside.
Privileges adjusted just right in first subroutine of "payload main" which is first exported ordinal.
Code: Select all
TCB required for setting SessionId value in token impersonation operations. If you look code more you will find this part too (with check if privilege was adjusted via looking up global variable)..100078BB: 68F8160110 push 0100116F8 ;'SeShutdownPrivilege
.100078C0: A3907B0110 mov [010017B90],eax
.100078C5: 33F6 xor esi,esi
.100078C7: E8F9030000 call .010007CC5 --↓2'AdjustPrivilegeProc
.100078CC: 85C0 test eax,eax
.100078CE: 7401 jz .0100078D1 --↓3
.100078D0: 46 inc esi
.100078D1: 6820170110 3push 010011720 ;'SeDebugPrivige
.100078D6: E8EA030000 call .010007CC5 --↓2'AdjustPrivilegeProc
.100078DB: 85C0 test eax,eax
.100078DD: 7403 jz .0100078E2 --↓5
.100078DF: 83CE02 or esi,2
.100078E2: 68D8160110 5push 0100116D8 ;'SeTcbPrivilege
.100078E7: E8D9030000 call .010007CC5 --↓2'AdjustPrivilegeProc
.100078EC: 85C0 test eax,eax
.100078EE: 7403 jz .0100078F3 --↓7
.100078F0: 83CE04 or esi,4
.100078F3: 8935C07B0110 7mov [010017BC0],esi'remember set of adjusted privilegesNo magic here, set of ridiculous shit copy-paste code where authors not really understand why they need some parts as well as these who "analyse" it. Also ridiculous use of DiskCryptor, how fuck lol is that just because initially it is supposed to be part of malware rootkit self defense.
Ring0 - the source of inspiration
Antelox wrote:Here you go.hi! what is the password of the "samples.zip" for extract?
BR,
Antelox
rever_ser wrote:infected...Antelox wrote:Here you go.hi! what is the password of the "samples.zip" for extract?
BR,
Antelox
BR,
Antelox