A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #28029  by EP_X0FF
 Tue Mar 15, 2016 4:30 pm
Thanks for analysis. It seems author of this crapware stuck somewhere in the middle of 200x with his constant attempts to patch system files with shellcode. Well actually expectations for this loader were too high since beginning.
 #28067  by 0x16/7ton
 Fri Mar 18, 2016 7:21 pm
Ironically, I found AV "bypass" functionality in that crap.
Early samples have av name hash table
hash_table.png
hash_table.png (2.08 KiB) Viewed 805 times
Old sample hash function:
Code: Select all
 for char_ in str_:
        char_int = ord(char_)
        hash_ = (rol(hash_,3) & 0xFFFFFFFF)
        hash_ = (hash_&0xFFFFFF00)|((hash_&0x000000ff)^char_int)
Malware enumerate processes list and check presence of AV processes via hash table. If malware founds any AV processes, it launches process in suspended state and injects payload in it.
Injected payload code is again enumerating AV processes and suspends their threads.
dumb_code.png
dumb_code.png (2.64 KiB) Viewed 805 times
So basically it is a lame proxy injecting attack. In new samples AFAIK the hash table is cutted.
 #28686  by teddybear
 Wed Jun 15, 2016 8:38 am
Recent sample distributed in Italy via spam:

https://www.virustotal.com/en/file/6875 ... /analysis/

Lots of info in VT comments (not my own work):
Code: Select all
estero .pw/065n2azk.php
halinanos .online/065n2azk.php
ipuzu .site/065n2azk.php
Code: Select all
"botnet":	"new",
"check_config":	327685,
"send_report":	327685,
"check_update":	327685,
"url_config":	"https:// sakovel .xyz/1bahimyegowidezehutez.dat",
"url_webinjects":	"https:// sakovel .xyz/webinjects.dat",
"url_update":	"https:// sakovel .xyz/1bahimyegowidezehutez.exe",
"url_plugin_vnc32":	"https:// sakovel .xyz/vnc32.bin",
"url_plugin_vnc64":	"https:// sakovel .xyz/vnc64.bin",
"url_plugin_vnc_backserver":	"tQwxNuA2+fHsa/puvn94fz6T",
"url_plugin_backsocks":	"https:// sakovel .xyz/backsocks.bin",
"url_plugin_backsocks_backserver":	"tQwxNuA2+fHsa/puvn94fz6T",
"url_plugin_grabber":	"https:// sakovel .xyz/grabber.bin",
"grab_pass":	1,
"grab_form":	1,
"grab_cert":	1,
"grab_cookie":	1,
"grab_del_cookie":	0,
Attachments