A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #16392  by EP_X0FF
 Sat Nov 03, 2012 8:58 am
markusg wrote: https://www.virustotal.com/file/74a7d50 ... 350585070/
This is a backdoor CLSID variant without the autorunner and without the file infection part. The decrypted dropper is attached; extract the payload cab manually.
Posts moved.
Attachments
pass: malware
(108.81 KiB) Downloaded 101 times
 #17669  by EP_X0FF
 Wed Jan 09, 2013 12:38 am
markusg wrote:
SHA256: f30d55120d31f1e75f618e6c8b272c6475a87815f2ca12fa9e890805c78ecd9f
File name: setup (2).exe
Detection ratio: 3 / 46
https://www.virustotal.com/file/f30d551 ... /analysis/
Decrypted dropper, n32, n64, s32, s64 attached.
Attachments
pass: malware
(164.99 KiB) Downloaded 118 times
 #18044  by unixfreaxjp
 Wed Feb 06, 2013 5:58 am
First of all, I tried to find whether this malware is already in the thread but couldn't find it, so allow me to open this topic. Please forgive me if I open the wrong one.
I encountered an interesting payload dropped by the Blackhole Exploit Kit "/closest/" version, with the infector details as below:
Landing page: http://33sdfguuh.mywww.biz/closest/209t ... kjskga.php
PluginDetect0.7.9 used: http://pastebin.com/raw.php?i=HSPfPzF1
Following the infector logic to fetch the samples below:
Image
(If you are interested in seeing more details of the overall BHEK infection that served this, please see a different post here; not a promotion, just a share.)
The contacts.exe is ZeroAccess, this case's topic.
I attached the sample with the unpack version (made by Horgh) in this post,
And for the memory string dumps can be viewed here

I ran it and debugged it at the same time.
Image
It looks like it loads DLLs by these methods:
Code:
LdrLoadDll
LdrGetDllHandle
It brute-forces the DLLs to load, as in the catch-record below...
Code:
dtdlb.dll
etdlc.dll
ftdld.dll
gtdle.dll
htdlf.dll
itdlg.dll
jtdlh.dll
ktdli.dll
ltdlj.dll
mtdlk.dll
fd43u.dll
^tdl\.dll
_tdl].dll
`tdl^.dll
atdl_.dll
btdl`.dll
ctdla.dll
You can see the details of loading these DLLs in the full contacts.exe process session I captured here
↑PS: There are also registry access & file access records↑

This malware detected the below software/programs/services... suspected registry token keys.
Code:
Windows Defender
wscntfy.exe
MSASCui.exe
MpCmdRun.exe
NisSrv.exe
msseces.exe
fp.exe
MsMpSvc
windefend
SharedAccess
iphlpsvc
wscsvc
mpssvc
(etc)
The reason is for deletion purposes; I found many things deleted in the registry, like:
Code:
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
..\System\CurrentControlSet\Services\SharedAccess\Setup
..\System\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate
..\System\CurrentControlSet\Services\wscsvc
..\System\CurrentControlSet\Services\wscsvc\Enum
..\System\CurrentControlSet\Services\wscsvc\Parameters
..\System\CurrentControlSet\Services\wscsvc\Security
In memory this deletion trace was clearly exposed:
Code:
InprocServer32
{fbeb8a05-beee-4442-804e-409d6c4515e9}
\registry\machine\Software\Classes\clsid\{5839fca9-774d-42a1-acda-d6a79037f57f}\InprocServer32
And so does the result in the registry:
Code:
HKLM\Software\Classes\ClsId\{...some ID....}\InprocServer32\
   --→"C:\WINDOWS\system32\wbem\fastprox.dll"/"C:\RECYCLER\S-1-5-18\$6576a1a85f9fdb0e20568660563a58ee\n."
Looks like it used RECYCLER for some deletion..

It requests & saves/uses the infected machine's GeoIP:
Code:
GET /app/geoip.js HTTP/1.0
Host: j.maxmind.com
Connection: close
  :
geoip_country_code
PoC:
Image
Requesting counter...
Code:
GET /5699017-3C912481A04E584CDF231C519E1DF857/counter.img?theme=%u&digits=10&siteId=%u HTTP/1.1
Host: bigfatcounters.com
User-Agent: Opera/9 (Windows NT %u.%u; %s; %s)
Connection: close
PoC:
Image
↑These accesses:
Image

If you run it with the network, you'll get DNS requests not only to Google (8.8.8.8:53) but also to the remote DNS servers below (which I didn't even register in my system)
Code:
194.165.17.3:53  ADM-SERVICE-NET (Monaco)
66.85.130.234:53 TechEVE Ltd TE-SAFESUGAR (UK)
And requesting UDP/16464
Code:
92.254.253.254:16464
88.254.253.254:16464
87.254.253.254:16464
71.254.253.254:16464
69.254.253.254:16464
1.172.141.253:16464
122.110.95.253:16464
85.86.69.253:16464
90.230.2.2:16464
115.31.23.2:16464
174.101.87.249:16464
187.74.74.249:16464
61.86.42.249:16464
194.165.17.3:123
91.242.217.247:123
94.183.234.248:16464
180.254.253.254:16464
166.254.253.254:16464
135.254.253.254:16464
134.254.253.254:16464
119.254.253.254:16464
117.254.253.254:16464
115.254.253.254:16464
126.13.87.248:16464
89.215.205.2:16464
222.109.23.4:16464
203.171.244.4:16464
109.90.149.240:16464
173.217.73.3:16464
98.26.183.2:16464
84.55.11.24:16464
116.73.35.4:16464
86.126.1.74:16464
121.242.162.55:16464
175.181.230.42:16464
190.208.75.36:16464
150.214.68.251:16464
188.6.88.61:16464
206.254.253.254:16464
190.254.253.254:16464
182.254.253.254:16464
↑These accesses look like:
Image
In details:
Image

So based on the UDP behaviour and the RECYCLER method, I suspect it is a ZeroAccess Recycle(r) variant.
The problem is that the detection ratio is poor (6/46)
VT: https://www.virustotal.com/file/1861555 ... 360070307/
By all means the overall detection ratio is too low...
Image
Please help to register this infection sample. Please feel free in adding/correcting/directing this post into the better goals. Rgds.
Attachments
The packed and unpacked version of contacts.exe
(248.95 KiB) Downloaded 68 times
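As an added example (not code from the post above or from any tool it names), a small Python detector for the two ZeroAccess indicators the post describes: UDP beaconing to many distinct peers on port 16464, and a CLSID InprocServer32 value redirected into C:\RECYCLER\S-1-5-18\$<hash>\n. The capture and registry lines are constructed for the example, and the 32-hex hash in the RECYCLER path is a placeholder.

```python
import re
from collections import Counter

# Constructed sandbox-style capture lines ("proto src -> dst:port"); the
# peer addresses are a few of those listed in the post, the rest is noise.
SAMPLE_NET = """\
UDP 10.0.0.5 -> 92.254.253.254:16464
UDP 10.0.0.5 -> 88.254.253.254:16464
UDP 10.0.0.5 -> 8.8.8.8:53
UDP 10.0.0.5 -> 194.165.17.3:123
UDP 10.0.0.5 -> 87.254.253.254:16464
TCP 10.0.0.5 -> 1.2.3.4:80
UDP 10.0.0.5 -> 92.254.253.254:16464
"""

# Constructed registry-dump lines: one benign InprocServer32 and one whose
# server DLL lives under RECYCLER\S-1-5-18\$<hash>\n. (hash is a placeholder).
SAMPLE_REG = r"""
HKLM\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32 = C:\WINDOWS\system32\wbem\fastprox.dll
HKLM\Software\Classes\CLSID\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}\InprocServer32 = C:\RECYCLER\S-1-5-18\$0123456789abcdef0123456789abcdef\n.
"""

NET_RE = re.compile(r"^UDP\s+\S+\s+->\s+(\d+\.\d+\.\d+\.\d+):(\d+)$")
P2P_PORT = 16464  # ZeroAccess peer-to-peer port observed in the post

def p2p_peers(capture, port=P2P_PORT):
    """Return {peer_ip: packet_count} for UDP flows to the P2P port."""
    peers = Counter()
    for line in capture.splitlines():
        m = NET_RE.match(line.strip())
        if m and int(m.group(2)) == port:
            peers[m.group(1)] += 1
    return dict(peers)

def is_p2p_beaconing(capture, min_peers=3):
    """Flag a host that contacts many distinct peers on UDP/16464."""
    return len(p2p_peers(capture)) >= min_peers

# InprocServer32 pointing into RECYCLER\S-1-5-18\$<32 hex>\n. (CLSID hijack)
HIJACK_RE = re.compile(
    r"CLSID\\(\{[0-9a-f-]{36}\})\\InprocServer32\s*=\s*"
    r"(.*\\RECYCLER\\S-1-5-18\\\$[0-9a-f]{32}\\n\.)$", re.IGNORECASE)

def hijacked_clsids(reg_dump):
    """Return [(clsid, path)] for every hijacked InprocServer32 value."""
    hits = []
    for line in reg_dump.splitlines():
        m = HIJACK_RE.search(line.strip())
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits
```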