A forum for reverse engineering, OS internals and malware analysis 

 #19354  by EP_X0FF
 Tue May 21, 2013 2:00 am
This is a PowerLoader Alureon cross-platform dropper.
[main]
srvurls=hxxp://r.gigaionjumbie.biz/images/gx.php;hxxp://x.dailyradio.su/images/gx.php;hxxp://w.kei.su/images/gx.php
srvdelay=15
srvretry=2
buildid=REE
(config shown deobfuscated)

https://www.virustotal.com/en/file/843f ... 369101506/
https://www.virustotal.com/en/file/6a9c ... 369101315/

Posts moved.
Attachments
pass: infected
 #19373  by EP_X0FF
 Wed May 22, 2013 1:48 am
markusg wrote: 2 files
r.gigaionjumbie.biz/images/gx.php
The second file, f97834fh9348, is a Dorkbot downloader with these links:
hxxp://url9.de/Dvm?id=
hxxp://fur.ly/9jnk?foto=
hxxp://is.gd/21aJ2N?user=
hxxp://bit.ly/10K2VJY?profil=
hxxp://ow.ly/lfqd6?jpg=
 #19381  by tomatto007
 Wed May 22, 2013 1:37 pm
kekieres wrote: I've recently received a malware sample.

Spreading mechanism: you receive a chat message from a Skype contact saying (in Spanish)
"esta es una foto muy amable de tu parte"
(It's grammatically correct, but it doesn't sound natural in Spanish)
followed by the URL:
hXXp://goo.gl/lLGdM?png=<your_skype_contact_name>
In fact the parameters are irrelevant.
Independently of the parameters, it always expands to:
hXXp://dc663.4shared.com/download/arUNCWir?clientType=BASE_WEB

The malware comes in a ZIP file; inside is an EXE named fotos_facebook-20052013-png.exe
SHA1: 882da1b7838bc087c753a14b0dd1e40cd3db78d3
Here you have the sample.
Right now it's almost undetected on VirusTotal (3/47).
I'm not good at reverse engineering or deep malware analysis, but I've used malwr.com to do a dynamic analysis (https://malwr.com/analysis/ZDdkOWViY2Qy ... TJjZTU5N2E)
Obviously it's nothing good. It tries to contact hXXp://r.gigaionjumbie.biz/images/gx.php

Is it a known malware?
New registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\eefdfdcdfsacfsfdsf: "%Common Appdata%\eefdfdcdfsacfsfdsf.exe"

New file:
%Common Appdata%\eefdfdcdfsacfsfdsf.exe

https://www.virustotal.com/ru/file/2c33 ... 369228217/
Attachments
pw=infected
 #19397  by Blaze
 Thu May 23, 2013 5:20 pm
Yep, saw the same today.

https://www.virustotal.com/nl/file/6cd9 ... /analysis/
hXXp://r.gigaionjumbie.biz/images/gx.php
hXXp://x.dailyradio.su/images/gx.php
hXXp://w.kei.su/images/gx.php
HKEY_CURRENT_USER\SOFTWARE\ebdfecfcbfsacfsfdsf
Related blogpost:
http://bartblaze.blogspot.com/2013/05/a ... -worm.html
Attachments
 #19449  by PX5
 Tue May 28, 2013 1:17 pm
Same here, but I am having trouble collecting the file while online, in either normal or safe mode, which I think is hilarious given the fact that I've been doing this a while and am so out of practice I barely remember how to infect anything!

Damn the bad luck!!!!! :lol:
 #19457  by EP_X0FF
 Wed May 29, 2013 3:43 am
Well, removal of this bot is trivial. You can do it without any additional tools, just Task Manager, Explorer and regedit (or Process Explorer, Process Monitor and Autoruns if you want to do it quickly).

The autorun entry is located in HKCU\Software\Microsoft\Windows\CurrentVersion\Run
The file is stored in %ALLUSERSPROFILE%\AppData, e.g. C:\Documents and Settings\All Users\Application Data\dbadacbbesacfsfdsf.exe

While working, this Alureon injects itself into the explorer.exe address space using the Shell_TrayWnd trick or NtQueueApcThread. The injected code runs a payload thread (the thread ID can be determined with ProcMon) that overwrites the malware binary on disk every second as part of its anti-removal (the same goes for the registry key).

Variant A
1) Terminate explorer.exe with Task Manager;
2) Restart it from Task Manager. Injected code still present in the newly created explorer? Do not worry; this is because of the shared section trick this malware used previously. Even though this code is inside the new explorer, it is not executed;
3) Remove the file, remove the registry key.

Variant B
1) Determine the Alureon payload thread with Process Monitor (filter by explorer.exe and disk I/O activity; on the Call Stack page you can also see the memory address in Explorer's VA space where Alureon sits);
2) Terminate this thread with Process Explorer;
3) Remove the file, remove the registry key (Autoruns).

Run a full AV scan, as more malware may have been downloaded by this bot.
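An offline triage check for the persistence described in this thread (a Run value under HKCU whose name equals the basename of an EXE dropped in the All Users Application Data folder). This is an added example, not code from the thread or from any tool named in it. It parses the text that `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` prints; the sample output is constructed for this example, and the name pattern it checks for (letters a-f followed by the suffix "sacfsfdsf", which all three names quoted in this thread share) is an assumption about the family, not something the thread states.

```python
"""Offline triage of HKCU Run values for the PowerLoader/Alureon persistence
described in this thread. Input is the text printed by
    reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
The sample below is constructed for this example; only the eefdfdcdfsacfsfdsf
entry reproduces what the thread reports."""
import ntpath
import re

SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    eefdfdcdfsacfsfdsf    REG_SZ    "C:\Documents and Settings\All Users\Application Data\eefdfdcdfsacfsfdsf.exe"
    Updater    REG_SZ    "C:\Program Files\Vendor\updater.exe" /background
"""

# The three value/file names quoted in this thread (eefdfdcdfsacfsfdsf,
# ebdfecfcbfsacfsfdsf, dbadacbbesacfsfdsf) are letters a-f followed by the
# fixed suffix "sacfsfdsf". ASSUMPTION: the suffix is constant for the family;
# it is treated as a strong indicator only because the thread shows it three times.
NAME_RE = re.compile(r"^[a-f]+sacfsfdsf$")

# Drop directory named in the thread, in its XP and Vista+ spellings.
DROP_DIRS = ("\\all users\\application data\\", "\\programdata\\")

# `reg query` prints:  <4 spaces><name><4 spaces><type><4 spaces><data>
LINE_RE = re.compile(r"^\s+(\S.*?)\s{2,}(REG_\w+)\s{2,}(.*)$")

STRONG = {"drop_dir", "name_pattern"}


def parse_reg_query(text):
    """Return [(value_name, reg_type, data)] for every value line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3).strip()))
    return entries


def command_path(data):
    """Executable path from a Run value: quoted path, or bare path up to .exe."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(.+?\.exe)(\s|$)", data, re.IGNORECASE)
    if m:
        return m.group(1)
    return data.split()[0] if data else ""


def assess_entry(name, data):
    """Tags naming which of the thread's indicators this Run value matches."""
    tags = []
    path = command_path(data)
    low = path.lower()
    if any(d in low for d in DROP_DIRS):
        tags.append("drop_dir")
    stem = ntpath.splitext(ntpath.basename(path))[0]
    if stem.lower() == name.lower():
        tags.append("name_matches_file")  # weak alone: legitimate entries do this too
    if NAME_RE.match(name.lower()):
        tags.append("name_pattern")
    return tags


def triage(text):
    """{value_name: tags} for entries carrying at least one strong indicator."""
    hits = {}
    for name, _reg_type, data in parse_reg_query(text):
        tags = assess_entry(name, data)
        if STRONG & set(tags):
            hits[name] = tags
    return hits


if __name__ == "__main__":
    for value_name, tags in triage(SAMPLE_REG_QUERY).items():
        print(f"{value_name}: {', '.join(tags)}")
```

The "name equals file basename" match is deliberately not enough on its own (the constructed Updater entry shows why); a hit needs the drop directory or the name pattern. Because the bot rewrites the file and Run value every second while its explorer.exe thread is alive, run this before the removal steps above and again afterwards to confirm nothing came back.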
 #19462  by PX5
 Wed May 29, 2013 11:16 am
Thanks EP,

This is a clear example of how long I've been out of the loop; not so sure I was ever in the loop, tbh! :lol:

Should be some more fun somewhere to get back into the swing of things, especially since our tools section does a good job of "sucking wind"!

Best I shhhhh before I get myself into trouble at work. ;)

Cheers,

MJ
 #19478  by EP_X0FF
 Thu May 30, 2013 6:36 am
And PowerLoader itself seems to be a builder widely used by various script-kiddies.
[main]
srvurls=hxxp://u.eastmoon.pl/p/c1.php;hxxp://t.richlab.pl/p/c1.php;hxxp://y.opennews.su/p/c1.php
srvdelay=15
srvretry=2
buildid=build1
VT

SHA256: 43aad379e0ef5cb7f09a6efa77ee3e3ea40ac529ef37efe66d0f96155fe80855
SHA1: 96881d0dbfce6087dc3217e9d144a0992456a882
MD5: 0a617c203e1f1b0acf18ed2ff8d84840

https://www.virustotal.com/en/file/43aa ... /analysis/

The original and decrypted dropper + the extracted x64 loader are attached.

x64
https://www.virustotal.com/en/file/4582 ... 369895728/
Attachments
pass: infected
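The two deobfuscated PowerLoader [main] blocks in this thread (buildid REE and build1) are INI-style, with srvurls carrying a ';'-separated list of gate URLs. The following is an added example, not code from the thread or from PowerLoader: it parses both blocks as posted, turns them into defanged indicators, and matches them against proxy-log lines. The proxy log and its "timestamp client method url" format are constructed for this example; the path-only verdict for a known gate path on an unlisted host is a lower-confidence heuristic, not something the thread claims.

```python
"""Parse the deobfuscated PowerLoader [main] blocks quoted in this thread into
defanged indicators and match them against proxy-log lines. The two config
blocks are copied from the thread; the proxy log is constructed for this
example and its line format (timestamp client method url) is an assumption."""
import configparser
import re
from urllib.parse import urlsplit

CONFIG_REE = """\
[main]
srvurls=hxxp://r.gigaionjumbie.biz/images/gx.php;hxxp://x.dailyradio.su/images/gx.php;hxxp://w.kei.su/images/gx.php
srvdelay=15
srvretry=2
buildid=REE
"""

CONFIG_BUILD1 = """\
[main]
srvurls=hxxp://u.eastmoon.pl/p/c1.php;hxxp://t.richlab.pl/p/c1.php;hxxp://y.opennews.su/p/c1.php
srvdelay=15
srvretry=2
buildid=build1
"""

# Constructed proxy log; the last line hits a gate path on a host the configs do not list.
SAMPLE_PROXY_LOG = """\
2013-05-22T09:14:02 10.0.0.7 GET http://r.gigaionjumbie.biz/images/gx.php
2013-05-22T09:14:05 10.0.0.7 GET http://www.example.com/index.html
2013-05-22T09:15:31 10.0.0.9 POST http://t.richlab.pl/p/c1.php?id=1
2013-05-22T09:16:00 10.0.0.9 GET http://kei.su/images/gx.php
"""


def refang(url):
    """hxxp:// -> http:// (and hxxps -> https) so urlsplit can parse the posted URLs."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def defang(host):
    """Dotted host -> bracketed form for sharing as an IOC."""
    return host.replace(".", "[.]")


def parse_powerloader_config(text):
    """INI-style [main] block -> dict; srvurls is split on ';'."""
    cp = configparser.ConfigParser(interpolation=None)  # keep '%' literal
    cp.read_string(text)
    main = cp["main"]
    return {
        "buildid": main.get("buildid"),
        "srvdelay": int(main.get("srvdelay", "0")),
        "srvretry": int(main.get("srvretry", "0")),
        "srvurls": [u for u in main.get("srvurls", "").split(";") if u],
    }


def gate_set(configs):
    """{(hostname, path)} over the gate URLs of all given configs."""
    gates = set()
    for cfg in configs:
        for u in cfg["srvurls"]:
            parts = urlsplit(refang(u))
            gates.add((parts.hostname, parts.path))
    return gates


def indicator_report(configs):
    """{buildid: sorted defanged hosts} for each config."""
    report = {}
    for cfg in configs:
        hosts = sorted({urlsplit(refang(u)).hostname for u in cfg["srvurls"]})
        report[cfg["buildid"]] = [defang(h) for h in hosts]
    return report


def scan_proxy_log(text, gates):
    """[(ts, client, url, verdict)]; exact host+path -> 'gate', path only -> 'gate_path_only'."""
    gate_paths = {path for _host, path in gates}
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, _method, url = fields[:4]
        parts = urlsplit(url)
        if (parts.hostname, parts.path) in gates:
            hits.append((ts, client, url, "gate"))
        elif parts.path in gate_paths:
            hits.append((ts, client, url, "gate_path_only"))
    return hits


if __name__ == "__main__":
    configs = [parse_powerloader_config(c) for c in (CONFIG_REE, CONFIG_BUILD1)]
    print(indicator_report(configs))
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, gate_set(configs)):
        print(hit)
```

Matching on (host, path) rather than the full URL is intentional: the Dorkbot links in this thread show the builder's users appending arbitrary query parameters, so a query-string comparison would miss beacons. The srvdelay/srvretry values are parsed alongside the URLs because the polling interval is the other thing a detection engineer wants from this config when tuning a beaconing rule.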