A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #19475  by EP_X0FF
 Thu May 30, 2013 4:53 am
Not a bootkit.

Features:

1) PE32 files infection:

Entry point overwrite, malware attached to infected file as a new section;
Payload packed with ASPack 2.1X;
Controls WFP behaviour;
Malware contains two additional files encrypted with a custom algo (for decrypt see @00402F1C, decrypt(ResourceCatalog, hInstance, ResourceId));
Payload dll (dmlocalsvc.dll) packed with UPX

2) Driver agent is the second encrypted file and it is used for SSDT restoration (creates a device named "Sixser" and works with it via DeviceIoControl); the driver lacks obfuscation and was already modified by the authors to avoid signature detection (splitting strings);

3) Kill-AV features are implemented with the "Image File Execution Options" "debugger" trick, blacklist:
MPSVC.exe
MPMon.exe
MPSVC1.exe
MPSVC2.exe
RavMonD.exe
360tray.exe
MPSVC.exe
KSafeTray.exe
RsAgent.exe 
avp.exe
Original dropper, malware, unpacked malware, driver and dll are in the attachment.

https://www.virustotal.com/en/file/af80 ... /analysis/
https://www.virustotal.com/en/file/6de2 ... /analysis/
https://www.virustotal.com/en/file/a0b8 ... /analysis/
https://www.virustotal.com/en/file/6f2b ... /analysis/
https://www.virustotal.com/en/file/8d59 ... /analysis/
Attachments
pass: infected
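As an added example (not part of EP_X0FF's post and not code from the sample), the following stdlib-only Python script checks a PE32 file for the infection pattern described in point 1: a section appended to the host with AddressOfEntryPoint redirected into it. It parses the DOS, COFF, optional and section headers itself, locates the section that owns the entry point, and reports the signals a triage analyst would look for (entry point in the last section, not in the first code section, RWX characteristics). The two test images are built in memory and are synthetic; the appended section name `.vir` is made up here and is not the name used by the sample.

```python
r"""Triage check for the infection pattern described above: an extra section
appended to a PE32 host and AddressOfEntryPoint redirected into it.

Stdlib-only PE32 parser (no pefile). The two images below are built in memory
and are synthetic test data, not the samples from the post."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe32(data):
    """Return (AddressOfEntryPoint, [section dicts]) for a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]       # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]       # SizeOfOptionalHeader
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry = struct.unpack_from("<I", data, opt + 16)[0]           # AddressOfEntryPoint (RVA)
    sections, off = [], opt + opt_size                            # section table follows the optional header
    for _ in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
        off += 40
    return entry, sections


def entry_point_findings(data):
    """Return reasons the entry point looks hijacked; an empty list means nothing odd."""
    entry, sections = parse_pe32(data)
    host = next((i for i, s in enumerate(sections)
                 if s["va"] <= entry < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if host is None:
        return ["entry point 0x%x lies outside every section" % entry]
    s, reasons = sections[host], []
    if len(sections) > 1 and host == len(sections) - 1:
        reasons.append("entry point in the last section %r (appended-section pattern)" % s["name"])
    first_code = next((i for i, t in enumerate(sections) if t["chars"] & IMAGE_SCN_CNT_CODE), None)
    if first_code is not None and host != first_code:
        reasons.append("entry point not in the first code section (%r, expected %r)"
                       % (s["name"], sections[first_code]["name"]))
    if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
        reasons.append("entry section %r is writable and executable" % s["name"])
    return reasons


def build_pe32(sections, entry_rva, file_align=0x200):
    """Assemble a minimal PE32 from (name, va, size, characteristics) tuples (test data only)."""
    hdr_size = 0x40 + 4 + 20 + 0xE0 + 40 * len(sections)
    hdr_size = (hdr_size + file_align - 1) // file_align * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                        # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, file_align)   # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 60, hdr_size)                         # SizeOfHeaders
    headers, body, rawptr = bytearray(), bytearray(), hdr_size
    for name, va, size, chars in sections:
        raw = (size + file_align - 1) // file_align * file_align
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                               size, va, raw, rawptr, 0, 0, 0, 0, chars)
        body += bytes(raw)
        rawptr += raw
    image = (dos + b"PE\0\0" + coff + opt + headers).ljust(hdr_size, b"\0")
    return bytes(image + body)


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE


def clean_sample():
    """Ordinary layout: entry point inside .text, the first code section."""
    return build_pe32([(".text", 0x1000, 0x800, CODE), (".data", 0x2000, 0x200, DATA)], 0x1100)


def infected_sample():
    """Same host plus an appended RWX section (name made up here) that now holds the entry point."""
    return build_pe32([(".text", 0x1000, 0x800, CODE), (".data", 0x2000, 0x200, DATA),
                       (".vir", 0x3000, 0x3000, CODE | IMAGE_SCN_MEM_WRITE)], 0x3010)


if __name__ == "__main__":
    for label, sample in (("clean", clean_sample()), ("infected", infected_sample())):
        print(label, entry_point_findings(sample) or ["no findings"])
```

Packers trip the same heuristic: an ASPack- or UPX-packed executable (the payload here is ASPack-packed, the dll UPX-packed) legitimately has its entry point in a later section, so treat a hit as a reason to open the file in a disassembler, not as a verdict.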
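Point 3 relies on the IFEO "Debugger" value: when an image listed under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<name>.exe carries a Debugger string, process creation launches that program instead, with the original command line appended, so pointing it at anything that is not a real debugger stops the named process from ever starting. The script below is an added example, not from the post: it parses a .reg export of that key and reports every Debugger value, marking the ones that target the process names in the blacklist above. The export text and the Debugger paths in it are constructed for illustration; the post does not say what the sample's Debugger values point to.

```python
r"""Audit Image File Execution Options (IFEO) for the "Debugger" kill-AV trick.

Input is a .reg export of the IFEO key, e.g. on Windows:
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
SAMPLE_REG below is constructed for this example; the Debugger paths in it are made up."""
import re

# Matches one IFEO subkey line and captures the image name (32-bit view on x64 included)
IFEO_SUBKEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\Windows NT\\CurrentVersion\\"
    r"Image File Execution Options\\([^\\\]]+)\]$", re.IGNORECASE)
VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')

# Process names from the blacklist quoted in the post above
AV_WATCHLIST = {n.lower() for n in ("MPSVC.exe", "MPMon.exe", "MPSVC1.exe", "MPSVC2.exe", "RavMonD.exe",
                                     "360tray.exe", "KSafeTray.exe", "RsAgent.exe", "avp.exe")}


def decode_reg_value(raw):
    """Decode the REG_SZ and REG_DWORD encodings used in .reg files; anything else is returned raw."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")   # .reg doubles backslashes
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_ifeo_export(text):
    """Return {image_name_lowercase: {value_name: value}} for every IFEO subkey in a .reg export."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            m = IFEO_SUBKEY.match(line)
            current = m.group(1).lower() if m else None   # None: root key or some unrelated key
            if current is not None:
                entries.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line) if current is not None else None
        if m:
            entries[current][m.group(1)] = decode_reg_value(m.group(2))
    return entries


def find_debugger_hijacks(text):
    """Return (image, debugger_command, targets_known_av) for each IFEO entry with a Debugger value."""
    hits = []
    for image, values in sorted(parse_ifeo_export(text).items()):
        if "Debugger" in values:
            hits.append((image, values["Debugger"], image in AV_WATCHLIST))
    return hits


# Constructed export: two blacklisted AV processes redirected, one GlobalFlag-only entry,
# and one legitimate just-in-time debugger registration for comparison.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="C:\\ProgramData\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="C:\\ProgramData\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\w3wp.exe]
"Debugger"="C:\\Program Files\\Microsoft Visual Studio\\Common7\\IDE\\vsjitdebugger.exe"
"""

if __name__ == "__main__":
    # Real exports are UTF-16LE with a BOM: open(path, encoding="utf-16").read()
    for image, debugger, known_av in find_debugger_hijacks(SAMPLE_REG):
        print("%-12s -> %s%s" % (image, debugger, "   [known AV process]" if known_av else ""))
```

A Debugger value is not malicious by itself (Visual Studio's JIT debugger and Process Explorer's "replace Task Manager" option register one), which is why the report lists every entry and only flags the ones whose image name is a known security product; on a live system a Debugger pointing at a non-existent file or at a copy of the malware itself is the giveaway.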