A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #17698  by Xylitol
 Sun Jan 13, 2013 10:28 am
Hello, received this via mail
Image
Source:
Code: Select all
x-store-info:fHNTDlzCF8Nxw6HwcfGQy+S7Ax/lqLSmNphQ3OF+T9E=
Authentication-Results: hotmail.com; spf=fail (sender IP is 81.176.66.76) smtp.mailfrom=tracking@ups.com; dkim=none header.d=ups.com; x-hmca=fail
X-SID-PRA: tracking@ups.com
X-AUTH-Result: FAIL
X-SID-Result: FAIL
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0wO0Q9MjtHRD0yO1NDTD02
X-Message-Info: 5cuOr7VrmjBwCXgOIB2nrvf4ZaCDc222MVL8F3m6AMtRnltspNEVQWHYtcWTSj+UT+9KXsUkBqSTqplqKpA4sTv87aOz/cGlvTMMvZaSXEPIaYjBvAExCELI8m9TvsVDEEphW5MkxxfjSVDnujHN3WptbUPViMmd
Received: from hgc.hostingcenter.ru ([81.176.66.76]) by BAY0-MC1-F12.Bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
	 Sun, 13 Jan 2013 01:13:41 -0800
Received: from Unknown (p54BF5C74.dip.t-dialin.net [84.191.92.116])
	by hgc.hostingcenter.ru (Postfix) with ESMTPA id AEEFB215C9
	for <phoenixbytes@live.fr>; Sun, 13 Jan 2013 13:13:39 +0400 (MSK)
Message-ID: <29E42DE23C724658A3C75DB3876F36E7@qavl>
From: "UPS" <tracking@ups.com>
To: <phoenixbytes@live.fr>
Subject: Delivery Ivnoice
Date: Sun, 13 Jan 2013 03:13:27 -0600
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_034B_01CDF13B.F47364A0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6109
Return-Path: tracking@ups.com
X-OriginalArrivalTime: 13 Jan 2013 09:13:41.0624 (UTC) FILETIME=[47C28780:01CDF16E]

This is a multi-part message in MIME format.

------=_NextPart_000_034B_01CDF13B.F47364A0
Content-Type: text/plain;
	charset="windows-1251"
Content-Transfer-Encoding: quoted-printable


    Delivery Information

   Tracking number : http://valentinastocchi.com/tracking.ups.com/Z [Trac=
k this delivery]

   Number of packages : 1

   UPS Service : Express

   Weight : 1508202732183583.0
  =20

  =20

    Please note that in case of a failure to contact your local UPS offic=
e within 21 days the parcel will be returned to sender.

------=_NextPart_000_034B_01CDF13B.F47364A0
Content-Type: text/html;
	charset="windows-1251"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>UPS Service</TITLE>
<META content=3D"text/html; charset=3Dwindows-1251" http-equiv=3DContent-=
Type>
<META name=3DGENERATOR content=3D"MSHTML 8.00.6001.19154">
<BODY>
<DIV><IMG border=3D0 hspace=3D0 alt=3D""=20
src=3D"http://upsstore.5302078.attractionsbook.com/parse/image.php?image_=
id=3D94093"=20
width=3D744 height=3D210></DIV>
<DIV>&nbsp;&nbsp;&nbsp;<FONT size=3D6><STRONG> Delivery=20
Information</STRONG></FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT size=3D5>&nbsp;&nbsp; Tracking number : <A=20
href=3D"http://valentinastocchi.com/tracking.ups.com/">Z1508202732183583=20
[Track this delivery]</A></FONT></DIV>
<DIV><FONT size=3D5></FONT>&nbsp;</DIV>
<DIV><FONT size=3D5>&nbsp;&nbsp; Number of packages : 1</FONT></DIV>
<DIV><FONT size=3D5></FONT>&nbsp;</DIV>
<DIV><FONT size=3D5>&nbsp;&nbsp; UPS Service : Express</FONT></DIV>
<DIV><FONT size=3D5></FONT>&nbsp;</DIV>
<DIV><FONT size=3D5>&nbsp;&nbsp; Weight :=20
0.4</FONT><BR>&nbsp;&nbsp; </DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp;&nbsp; </DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp;&nbsp;&nbsp; Please note that in case of a failure to contact =
your=20
local UPS office within 21 days the parcel will be returned to sender.</D=
IV>
<DIV></DIV></BODY></HTML>

------=_NextPart_000_034B_01CDF13B.F47364A0--
Image

VT
https://www.virustotal.com/file/c6c97b4 ... 358070390/ > 15/46

Download malwares, i have not the material to debug them but names seem explicit enought.
Code: Select all
www.residencemoresco.com/ita/hermes.exe
www.residencemoresco.com/ita/sti.exe
egeneration.it/css/socks.exe
egeneration.it/css/hermes.exe
omyeem.com/plugins/socks.exe <- spambot
omyeem.com/plugins/sti.exe
173.236.100.226/~italiang/JavaJREinstaller_KB62519857.exe <- Pony
socks.exe load a driver: https://www.virustotal.com/file/e0b193d ... 358078288/ > 40/46

Pony panel:
Code: Select all
http://95.170.86.85/pony/admin.php
fail: http://95.170.86.85/pony/setup.php
hermes: https://www.virustotal.com/file/3332731 ... 358072526/ > 21/46
socks: https://www.virustotal.com/file/f76dc9f ... 358072530/ > 14/46
sti: https://www.virustotal.com/file/4453c83 ... 358072532/ > 20/46
spambot activity:
Image
clickfraud activity:
Image

• dns: 1 ›› ip: 151.1.24.232 - adresse: RESIDENCEMORESCO.COM
• dns: 1 ›› ip: 119.59.120.14 - adresse: OMYEEM.COM
• dns: 1 ›› ip: 195.182.210.221 - adresse: EGENERATION.IT
Server are probably compromised and egeneration.it/css/ residencemoresco.com/ita/ lead on Keitaro.

Found via bruteforce:
https://www.virustotal.com/file/c2d9c35 ... 358075568/ > 5/46
Code: Select all
http://omyeem.com/plugins/564.exe
And
Code: Select all
http://www.residencemoresco.com:80/ita/pony.exe
Same file as JavaJREinstaller_KB62519857.exe

Seem Malekal wrote on this http://www.malekal.com/2013/01/09/spam- ... ucher-zip/
Different mail different domains, same file.
Code: Select all
gouter-matrimonial.be/tracking.ups.com
hotel-alhambra.fr/tracking.ups.com
• dns: 1 ›› ip: 213.186.33.19 - adresse: GOUTER-MATRIMONIAL.BE
• dns: 1 ›› ip: 87.106.155.90 - adresse: HOTEL-ALHAMBRA.FR
Attachments
infected
(155.98 KiB) Downloaded 89 times
infected
(614.67 KiB) Downloaded 95 times
 #17700  by aaSSfxxx
 Sun Jan 13, 2013 1:33 pm
Hello,

I also began to analyse the socks.exe provided by Xylitol. It uses the same crypter than JavaUpdate_KB62519857.exe.
Then the program is packed with another packer, and the unpacked file drops a DLL stored ressources which drops another DLL (which seems to be a http proxy, but not fully reversed yet).

But I found this domain: security-connection-server3.net

Whois:
Code: Select all
Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: SECURITY-CONNECTION-SERVER3.NET
   Registrar: CLOUD GROUP LIMITED
   Whois Server: whois.hostingservicesinc.net
   Referral URL: http://www.resell.biz
   Name Server: NS1.EVROHOSTER.COM
   Name Server: NS2.EVROHOSTER.COM
   Status: clientTransferProhibited
   Updated Date: 27-dec-2012
   Creation Date: 27-dec-2012
   Expiration Date: 27-dec-2013

>>> Last update of whois database: Sun, 13 Jan 2013 13:24:56 UTC <<<

NOTICE: The expiration date displayed in this record is the date the 
registrar's sponsorship of the domain name registration in the registry is 
currently set to expire. This date does not necessarily reflect the expiration 
date of the domain name registrant's agreement with the sponsoring 
registrar.  Users may consult the sponsoring registrar's Whois database to 
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois 
database through the use of electronic processes that are high-volume and 
automated except as reasonably necessary to register domain names or 
modify existing registrations; the Data in VeriSign Global Registry 
Services' ("VeriSign") Whois database is provided by VeriSign for 
information purposes only, and to assist persons in obtaining information 
about or related to a domain name registration record. VeriSign does not 
guarantee its accuracy. By submitting a Whois query, you agree to abide 
by the following terms of use: You agree that you may use this Data only 
for lawful purposes and that under no circumstances will you use this Data 
to: (1) allow, enable, or otherwise support the transmission of mass 
unsolicited, commercial advertising or solicitations via e-mail, telephone, 
or facsimile; or (2) enable high volume, automated, electronic processes 
that apply to VeriSign (or its computer systems). The compilation, 
repackaging, dissemination or other use of this Data is expressly 
prohibited without the prior written consent of VeriSign. You agree not to 
use electronic processes that are automated and high-volume to access or 
query the Whois database except as reasonably necessary to register 
domain names or modify existing registrations. VeriSign reserves the right 
to restrict your access to the Whois database in its sole discretion to ensure 
operational stability.  VeriSign may restrict or terminate your access to the 
Whois database for failure to abide by these terms of use. VeriSign 
reserves the right to modify these terms at any time. 

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name: SECURITY-CONNECTION-SERVER3.NET      
                                   
 Registrant:                       
     private person
    ivan konuhov        (admin@itismybestsite443262.in)
    Tverskaya 11
    Moscow
    Moscow,123456
    RU
    Tel. +7.9371234567
    Fax. +7.9371234567     
                                   
 Creation Date: 27-Dec-2012  
 Expiration Date: 27-Dec-2013  
                                   
 Domain servers in listed order:   
     ns1.evrohoster.com
    ns2.evrohoster.com
                   
                                   
 Administrative Contact:           
     private person
    ivan konuhov        (admin@itismybestsite443262.in)
    Tverskaya 11
    Moscow
    Moscow,123456
    RU
    Tel. +7.9371234567
    Fax. +7.9371234567 
                                   
 Technical Contact:                
     private person
    ivan konuhov        (admin@itismybestsite443262.in)
    Tverskaya 11
    Moscow
    Moscow,123456
    RU
    Tel. +7.9371234567
    Fax. +7.9371234567      
                                   
 Billing Contact:                  
     private person
    ivan konuhov        (admin@itismybestsite443262.in)
    Tverskaya 11
    Moscow
    Moscow,123456
    RU
    Tel. +7.9371234567
    Fax. +7.9371234567        
                                   
 Status:LOCKED
	Note: This Domain Name is currently Locked. In this status the domain 
	name cannot be transferred, hijacked, or modified. The Owner of this 
	domain name can easily change this status from their control panel. 
	This feature is provided as a security measure against fraudulent domain name hijacking.
	                
 The data in this whois database is provided to you for information purposes only, 
that is, to assist you in obtaining information about or related 
to a domain name registration record. We make this information available "as is", 
and do not guarantee its accuracy. By submitting a whois query, you agree that you will 
use this data only for lawful purposes and that, under no circumstances will you use this data to: 
(1) enable high volume, automated, electronic processes that stress 
or load this whois database system providing you this information; or 
(2) allow, enable, or otherwise support the transmission of mass unsolicited, 
commercial advertising or solicitations via direct mail, electronic mail, or by telephone. 
The compilation, repackaging, dissemination or other use of this data is expressly prohibited without 
prior written consent from us. The Registrar of record is UK2 Group Ltd.. 
We reserve the right to modify these terms at any time. 
By submitting this query, you agree to abide by these terms.
 #18471  by unixfreaxjp
 Thu Mar 07, 2013 3:58 pm
Hello! It has been a while. Kindly forgive me if I posted this in the wrong section.
Just found the fresh Win32/Fareit (it detects Wow64 too though) which downloads Win32/Medfos.
It is served at the blackhole server infected through 2(two) ways: BHEK and TDS.
Code: Select all
BHEK infector: h00p://17.247nycr.com/news/breaks-harmless.php
TDS is via: h00p://17.optimax-fuel-saver.us/adobe/
The VT of the samples are:
Fareit: https://www.virustotal.com/en/file/9ec1 ... 362658048/
Medfos: https://www.virustotal.com/en/file/120f ... 362658075/
Fareit was packed with
Code: Select all
"aPLib v1.01"  -  the smaller the better :)
Copyright (c) 1998-2009 by Joergen Ibsen, All Rights Reserved.
More information: "http://www.ibsensoftware.com/"
And having a simple loop anti-reversing at first block:
Code: Select all
0x401174 mov eax esi
0x401176 add esi 0x403110
0x401178 sub esi 0x6d
0x40117e mov esi [si-0x1]
0x401181 push 0x55
0x401184 shl esi 0xc
0x401186 pop ecx
0x401189 shl esi 0x4
0x40118a add eax esi
0x40118d add eax 0x8f
0x40118f mov edx [eax+ecx2+0x2]
0x401192 shr edx 0x8
0x401196 add esi edx
0x401199 mov ecx [si+0x1d]
0x40119b sub cl 0x0
0x40119e jz 0x4011c6L
0x4011a1 mov dl 0x1c
0x4011a3 cmp cl dl
0x4011a5 jb 0x4011bdL
0x4011a7 mov dl 0xc0
0x4011a9 cmp cl dl
0x4011ab nop "
0x4011ad ja 0x4011bdL
0x4011ae mov r15d 0x404000
0x4011b0 xor eax eax
0x4011b5 jz 0x4010d0L
0x4011b7 xor eax eax
0x4011bd mov [fs:ax] esp "
0x4011bf nop
0x4011c2 pushad
0x4011c3 jmp near 0x4011bdL
0x4011c4 xor eax eax
0x4011bd mov [fs:ax] esp
0x4011bf nop
   :      : //loops..
Other stuffs are as usual I guess.
Infection Summary Picture is here:
Image
Summary is in here
The string after depacked is --> here
With shows the two important sets of callbacks; One of the sent credential to(POST, HTTP/1.0)
Code: Select all
h00p://64.13.172.42:8080/forum/viewtopic.php
h00p://20.anythinginternational.biz/forum/viewtopic.php
h00p://20.anythinginternational.com/forum/viewtopic.php
h00p://20.chelsiamd.com/forum/viewtopic.php
PoC:
Image
And the other to download the Win32/Medfos:
Code: Select all
h00p://kfz-youngtimerservice.de/P81.exe
h00p://mtmedia.net/tJr4H.exe
h00p://cinemacityhu.iq.pl/iN5Vf.exe
PoC:
Image
The medfos itself grab the other malware from megaupload.com as per traffic below :
Image
↑The payload at megaupload.com was reported & removed. (sorry)

List of software slurped:
Code: Select all
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far Manager\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\SavedDialogHistory\FTPHost
Password
HostName
User
Line
wcx_ftp.ini
\GHISLER
InstallDir
FtpIniName
Software\Ghisler\Windows Commander
Software\Ghisler\Total Commander
\Ipswitch
Sites\
\Ipswitch\WS_FTP
\win.ini
.ini
WS_FTP
DIR
DEFDIR
CUTEFTP
QCHistory
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
// please see http://pastebin.com/raw.php?i=FHv73m95 for more
The wordings coded in binary are printed below:
Code: Select all
phpbb     taylor   charlie   iloveyou!  cheese    google   william   cocacola   shadow    london   mother    zxcvbnm    heaven    bandit   canada    1q2w3e4r  
qwerty    forum    daniel    1q2w3e     internet  friends  iloveyou2 jordan23   christ    123qwe   snoopy    samuel     pepper    enter    silver    baby 
jesus     john316  jennifer  viper      joshua    hope     nicole    ilovegod   sunshine  startrek jessica   mike       hunter    anthony  robert    red123 
abc123    richard  single    genesis    fuckyou   shalom   muffin    football1  master    george   welcome   dallas     lovely    corvette forever   blabla  
letmein   blink182 hannah    knight     blessed   nintendo gateway   loving     computer  winner   pokemon   green      andrew    hockey   asdfgh    prince 
test      peaches  qazwsx    qwerty1    baseball  looking  fuckyou1  nathan     princess  maggie   iloveyou1 testtest   thomas    power    rachel    qwert 
love      cool     happy     creative   starwars  harley   asshole   emmanuel   tigger    trinity  mustang   maverick   angels    benjamin rainbow   chelsea  
password1 flower   matrix    foobar     purple    smokey   hahaha    scooby     football  online   helpme    onelove    hello1    cassie     guitar    angel1 
hello     scooter  pass      adidas     jordan    joseph   poop      fuckoff    angel     123abc   justin    david      eminem    stella     peanut    hardcore 
monkey    banana   aaaaaa    rotimi     faith     lucky    blessing  sammy      jesus1    chicken  jasmine   mylove     dakota    prayer     batman    dexter 
dragon    james    amanda    slayer     summer    digital  blahblah  maxwell    whatever  junior   orange    church     samantha  hotdog       cookie    saved 
trustno1  asdfasdf nothing   wisdom     ashley    thunder  myspace1  jason      freedom   chris    testing   friend     compaq    windows     bailey    hallo 
iloveyou  victory  ginger    praise     buster    spirit   matthew   john       killer    passw0rd apple     god        diamond   mustdie      soccer1   jasper 
soccer    sparky   peace     none       gfhjkm    billgates    biteme    kitten     asdf      austin   michelle  destiny    ghbdtn    gates      mickey    danielle 
superman  admin    secret   microsoft   cryptimplus michael  merlin grace  bubbles    
The sample and PCAP analyzed is attached in 7zip with password "infected" without quotes.
Hope this will help. @unixfreaxjp
*) Thank's to Xylit0l for the invitation to KM < you guys rocks!
Attachments
(343.8 KiB) Downloaded 91 times
 #18542  by Mosh
 Fri Mar 15, 2013 6:48 pm
Hello

I found this today with the help from MalwareMustDie, this is an update from the unixfreaxjp post

update_flash_player.exe
Detection ratio: 3 / 45
AhnLab-V3 Spyware/Win32.Zbot
Malwarebytes Trojan.Zbot
McAfee PWS-Zbot-FARA!35E89448774E
https://www.virustotal.com/en/file/ddb5 ... 363364738/

this downloads the files:
1338406.exe and 1359187.exe
Detection ratio: 3 / 45
Fortinet W32/Clicker.LOL!tr
McAfee Medfos-FBGQ!889AD8870E43
Sophos Mal/Medfos-M
https://www.virustotal.com/es/file/a38c ... /analysis/

and finally executes
nsqof.dll
Detection ratio: 4 / 45
Fortinet W32/Clicker.LOL!tr
Kaspersky UDS:DangerousObject.Multi.Generic
McAfee Medfos-FBGQ!8A6F987F8E14
Sophos Mal/Medfos-M
https://www.virustotal.com/es/file/7e2f ... 363368600/

Regards
password: malware
(493.63 KiB) Downloaded 81 times
 #18546  by EP_X0FF
 Sat Mar 16, 2013 4:04 am
update_flash_player.exe - Fareit, all rest are Medfos
 #18551  by EP_X0FF
 Sun Mar 17, 2013 4:26 am
Fareit

9f529b8beecf0ea1344fa24f6bc3b7f1a0f4e15d
6f8d22c11bd52a0dbaa62e934106da082c372ad2

https://www.virustotal.com/en/file/94cf ... /analysis/
https://www.virustotal.com/en/file/5494 ... /analysis/

Downloads arbitrary files (all zeus)

hxxp://cmonline.co.nz/1D2e.exe
hxxp://DOWNLOADS.ARGO-NETWORKS.COM/jsPRUmRu.exe
hxxp://ftp.riddlepress.com/ZNap.exe
Attachments
pass: infected
(129.62 KiB) Downloaded 90 times
 #19433  by unixfreaxjp
 Mon May 27, 2013 9:41 am
Win32/Fareit via Spam Malvertising + Blackhole (landing page at IP:184.95.51.123)
Spread via Rogue Windows Server SMTP Service.

The sample was carried below spam sets:
Image
Image

You'll see Fareit verdict as per described in this VT report

The blackhole was used in this campaign with the related domain report is here: https://docs.google.com/document/d/1AGa ... sp=sharing
Is (again) using the disaster traps for lurking innocent users, like:
Code: Select all
[...]
lifestylehurricaneguide.com,184.95.51.123,NS13.DOMAINCONTROL.COM NS14.DOMAINCONTROL.COM
lifestylehurricaneproducts.com,184.95.51.123,NS23.DOMAINCONTROL.COM NS24.DOMAINCONTROL.COM
lifestylehurricaneproducttimeline.com,184.95.51.123,NS53.DOMAINCONTROL.COM NS54.DOMAINCONTROL.COM
lifestylehurricanetimeline.com,184.95.51.123,NS11.DOMAINCONTROL.COM NS12.DOMAINCONTROL.COM
[...]
I share the sample as per attached with the password=infected
Image
Attachments
(306.74 KiB) Downloaded 70 times
  • 1
  • 2
  • 3
  • 4
  • 5
  • 7