[Xylitol]

in the wild, just upx -d

[bsteo]

Thanks Xyly! Can't believe this malware is so "not protected"

even after simple "strings" you can see what happens, like where it sends logs and so on...anyway your review is straightforward.

www.posterminalworld.la
/api/process.php?xy=

dmpz.log
KARTOXA007

[kloent]

The same string "kartoxa" you can find in mmon.exe from this post: http://www.kernelmode.info/forum/viewto ... 756#p17063

[aaSSfxxx]

Hello,

Just found these samples today on http://royjamesinsurance.com/images/ (the sload.exe and sload1.exe are just malicious firefox extension droppers, sload1.exe was dropped by andromeda bot).

They seem to target posw32.exe (software used in petrol stations as far I found)

https://www.virustotal.com/file/46504b8 ... 359279697/ > 5/46
https://www.virustotal.com/file/e585f95 ... 359279699/ > 5/46

[unixfreaxjp]

Hello,
Just found these samples today on http://royjamesinsurance.com/images/ (the sload.exe and sload1.exe are just malicious firefox extension droppers, sload1.exe was dropped by andromeda bot).

I am sorry, I wanted to help analyze this, but I did not understand your report.
1. You put attachments of three files as per below:

I saw two of them (the rad marked) were uploaded in the VT as per you posted url.
Are these your mentioned THEY or sload.exe and sload1.exe file? Because I didn't find these sload.exe and sload1.exe and don't know the hash of it.
2. You mentioned you get it from http://royjamesinsurance.com/images/ ? from which url precisely?
I flushed the server:

And can't see any binary location on it, Poc:


Your reply will help. thanks.

[bsteo]

Here there are all of them + latest one before the bad guy removed all the files because malware report.

Let us know about your finds.

[unixfreaxjp]

To: @exitthematrix
Cc: @Xylit0l

Here there are all of them + latest one before the bad guy removed all the files..

Oh man..., why don't you say this sooner?
Anyway friend, I just finished analyzed the two binaries you posted to PC as per "previous" attachment....
Will post to this thread soon.

To @Xylit0l Like I promised, I investigated, but did not know the nature / scheme of infection, thus I am so confused & not sure which one binary are you mentioned in PM to analyzed, anyway I did wack every data (almost everything I think) from TcpAdaptorService.exe and TcpAdaptorService1.exe. This is going to be a long post, I will post soon..
Salute to KernelMode, I will share my monitor data, so feel free to submit your thought.

[unixfreaxjp]

There are two samples that I fetched from this forum, with guessing it as the subject (looks wrong ones in the end..)
Both work with the same logic. so let's call it as per filename TcpAdaptorService.exe I started with the below details.
Yes I run it:

It run net command & executed net1.exe to start the malicious daemon process:

In the end this process/daemon is responsible for everything and stays resident.
With the service name retalix:


During infecting, it runs this operation: http://pastebin.com/raw.php?i=99FE4MYs
You'll see registry, file queries. The points is, it sets this Cryptography values (see long above/ not FP, important to crack the crypt)

Code: Select all

"RegSetValue","HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed","SUCCESS","Type: REG_BINARY, Length: 80, Data: 6D 7B CA A8 FF C8 F9 02 99 7F B6 FD 9C 12 11 DE"

Additionally the below values are queried:

Code: Select all

HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
HKLM\System\CurrentControlSet\Control\Terminal Server\TSUserEnabled","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
HKLM\System\CurrentControlSet\Control\ServiceCurrent\(Default)","SUCCESS","Type: REG_DWORD, Length: 4, Data: 13"
HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode","NAME NOT FOUND","Length: 16"

You'll see more details in pastebin, so what about the Daemon/Process kicked ?
This is the full log: http://pastebin.com/raw.php?i=U08Re7GF
And the highlights are: The computer name info, Terminal Server & \WinSock2\Parameters data was grabbed.
In memory we know how it executed:

Code: Select all

Retalix
cmd /c net start %s

What had happened if we let this run?
Actually NO networking at my monitoring case.. Oh yes I captured every traffic fo rsome hours, PoC:


Capture Data;
I had memory dump strings here http://pastebin.com/raw.php?i=80kHafVK with binary here http://www.mediafire.com/?7alsybv27c9rwvt
All the registry I shot is here: http://pastebin.com/raw.php?i=KrPg2n23 <maybe There's a little miss, pls check/
Sorry cant share the PCAP for privacy purpose..(nothing in there anyway)

[unixfreaxjp]

Ah, one more thing, it used the MS encryption, I bet it with the key just being made in registry:

Worth to try to decrypt the callbacks traffic.
PS: @Xylit0l if you have the traffic I can help to decode with the above base.

[bsteo]

Does the exe send any TCP data encoded with that key in the registy? And if so, what type of encryption? Thanks! Very good work.