A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #2572  by Jaxryley
 Tue Aug 31, 2010 11:19 pm
fatdcuk wrote: Another novel dropper, tested by proxy over messenger (Danke PX5 ;))

http://www.virustotal.com/file-scan/rep ... 1283281751

This one needs to stew for a bit...
Dropped a temp file with no extension which has the same MD5 as loader.exe, and an S5e55.dll of the same size but a different MD5.
S5e55.dll - 10/43 - Dr Web - BackDoor.Tdss.4057
http://www.virustotal.com/file-scan/rep ... 1283296248
 #2573  by PX5
 Wed Sep 01, 2010 12:16 am
Dropped more than just a temp file. ;)
Attachment: ade.JPG
 #2574  by PX5
 Wed Sep 01, 2010 12:27 am
The best detection I saw was for the dropper itself, but the rest were pretty pitiful; most were detected by only 4 vendors, with the exception of the patched driver.

Enjoy, adding in a collection of infected MBRs. I don't think mine was; it just blew away the Recovery Console and forced me to use a boot CD.

Pretty obvious the code for TDL is wide open, and different groups are using different methods to accomplish whatever goal they are after.

Very nice catch ade, I've only seen a small handful of this type of install. :mrgreen:
 #2580  by PX5
 Wed Sep 01, 2010 12:50 pm
What's a VM? ;)

All live here, VM/VBox are just for, well, I really don't know why I use them anymore. :?:

I can do a re-run using the same file and produce a capture log that may shed more light on how the infection rolls down for me, but I definitely can't do it before I get rid of this frigin hangover! :lol:

Small Edit: My name is Mike or other 4 letter words my wife enjoys using, you don't have to refer to me by PX5, it's just a Prevx thing for me. :)
 #2581  by EP_X0FF
 Wed Sep 01, 2010 1:28 pm
4r0 wrote: TDSS x64?..

http://www.virustotal.com/file-scan/rep ... 1283342212
MD5: 5243c42e5fec39efa9421f41ca42c753
Result: 4/43 (9.3%)
Doesn't look so. Just the same DLL injection method through the spooler. Some sort of downloader.
WININET.dll SHLWAPI.dll RPCRT4.dll imagehlp.dll USERENV.dll ADVAPI32.dll ole32.dll %s%s SeTcbPrivilege explorer.exe InstallDate SOFTWARE\Microsoft\Windows NT\CurrentVersion d%X%X%X%X winsta0\default .exe %s http://%s/dd.php?i=%s&a=%d&f=%d \x%s.dll spooler InternetConnectA InternetCrackUrlA InternetReadFile HttpOpenRequestA l HttpSendRequestA l InternetOpenA InternetCloseHandle SHGetValueA PathFindFileNameA StrStrIW UuidToStringA RpcStringFreeA 4 CheckSumMappedFile 7 CreateEnvironmentBlock CreateProcessAsUserA OpenProcessToken s GetTokenInformation DuplicateToken PrivilegeCheck LookupPrivilegeValueA OpenServiceA k CloseServiceHandle A StartServiceA QueryServiceStatusEx OpenSCManagerA t CoInitialize CoCreateGuid
http://www.virustotal.com/file-scan/rep ... 1283347323

Downloads something named setup.exe from hxxp://noteups.com/ by hxxp://noteups.com/dd.php?i=%s&a=%d&f=%d

http://support.clean-mx.de/clean-mx/vir ... escr%20asc
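A defender-side triage check built from the strings EP_X0FF lists above, as an added example that is not part of the original post: it extracts printable strings from a file image and flags the combination of service-control, token-manipulation and WinINet/download indicators that the dump shows together. The sample blobs are constructed inline, and the grouping of indicators and the verdict thresholds are assumptions made for this example, not a classification the post gives.

```python
import re

# Indicator groups built from the strings quoted in the post above. The
# grouping (what each set of imports suggests) is an assumption for this
# example, not a classification given by the poster.
INDICATORS = {
    # Opening the SCM and starting the "spooler" service fits the DLL
    # injection through the print spooler the post describes.
    "service_control": ["OpenSCManagerA", "OpenServiceA", "StartServiceA", "spooler"],
    # Token duplication plus SeTcbPrivilege and CreateProcessAsUserA: running
    # something in another user's session (winsta0\default, explorer.exe).
    "token_abuse": ["SeTcbPrivilege", "OpenProcessToken", "DuplicateToken",
                    "CreateProcessAsUserA"],
    # WinINet imports and the dd.php check-in format string: the downloader.
    "downloader": ["InternetOpenA", "HttpSendRequestA", "InternetReadFile",
                   "/dd.php?i=%s&a=%d&f=%d"],
}

# Runs of 4+ printable ASCII bytes, the same heuristic `strings` uses by default.
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")


def extract_strings(blob: bytes) -> list:
    """Return the printable ASCII strings found in a byte blob."""
    return [m.group().decode("ascii") for m in STRING_RE.finditer(blob)]


def triage(blob: bytes) -> dict:
    """Score a blob against the indicator groups.

    Returns the matched indicators per group and a coarse verdict:
    every group hit -> "suspicious", some hits -> "review", none -> "clean".
    The verdict thresholds are an assumption for this example.
    """
    strings = extract_strings(blob)
    hits = {}
    for group, needles in INDICATORS.items():
        # Substring match so the URL format matches inside "http://%s/dd.php?...".
        matched = [n for n in needles if any(n in s for s in strings)]
        if matched:
            hits[group] = matched
    if len(hits) == len(INDICATORS):
        verdict = "suspicious"
    elif hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "hits": hits}


# Constructed sample blobs (not real files): a NUL-separated string table
# mimicking what the post's strings dump contains, and a benign one.
SAMPLE_BLOB = (
    b"\x00" * 16
    + b"WININET.dll\x00SeTcbPrivilege\x00explorer.exe\x00winsta0\\default\x00"
    + b"http://%s/dd.php?i=%s&a=%d&f=%d\x00spooler\x00"
    + b"InternetOpenA\x00HttpSendRequestA\x00InternetReadFile\x00"
    + b"OpenProcessToken\x00DuplicateToken\x00CreateProcessAsUserA\x00"
    + b"OpenSCManagerA\x00OpenServiceA\x00StartServiceA\x00"
    + b"\xff" * 8
)
BENIGN_BLOB = b"MZ\x90\x00" + b"kernel32.dll\x00CreateFileA\x00WriteFile\x00CloseHandle\x00"


if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_BLOB), ("benign", BENIGN_BLOB)):
        result = triage(blob)
        print(f"{name}: {result['verdict']}")
        for group, matched in result["hits"].items():
            print(f"  {group}: {', '.join(matched)}")
```

Any one group on its own is common in legitimate software (service managers open the SCM, installers duplicate tokens, updaters use WinINet), which is why the verdict only reaches "suspicious" when all three appear together; a real triage rule would pair this with the VirusTotal result and the dropped-file hashes the thread already compares.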
 #2582  by EP_X0FF
 Wed Sep 01, 2010 1:43 pm
Good bye TDL3 :)

hxxps://damagelab.org/index.php?showtopic=18254&st=20&p=116951&#entry11695

 #2583  by Jaxryley
 Wed Sep 01, 2010 1:51 pm
PX5 wrote: What's a VM? ;)

All live here, VM/VBox are just for, well, I really don't know why I use them anymore. :?:

I can do a re-run using the same file and produce a capture log that may shed more light on how the infection rolls down for me, but I definitely can't do it before I get rid of this frigin hangover! :lol:

Small Edit: My name is Mike or other 4 letter words my wife enjoys using, you don't have to refer to me by PX5, it's just a Prevx thing for me. :)
LOL, thanks for the reply Mike. :)

Yep, live is really the best way to go.

Sandboxie, Bufferzone, Returnil and VMs etc. are OK for some malware samples, but a lot are aware of such and won't run or only half run.