A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #17870  by bsteo
 Sat Jan 26, 2013 10:55 am
Thanks Xyly! Can't believe this malware is so "not protected"

even after simple "strings" you can see what happens, like where it sends logs and so on...anyway your review is straightforward.
www.posterminalworld.la
/api/process.php?xy=
dmpz.log
KARTOXA007
 #17881  by aaSSfxxx
 Sat Jan 26, 2013 7:15 pm
Hello,

Just found these samples today on http://royjamesinsurance.com/images/ (the sload.exe and sload1.exe are just malicious firefox extension droppers, sload1.exe was dropped by andromeda bot).

They seem to target posw32.exe (software used in petrol stations as far I found)

https://www.virustotal.com/file/46504b8 ... 359279697/ > 5/46
https://www.virustotal.com/file/e585f95 ... 359279699/ > 5/46
Attachments
infected
(165.22 KiB) Downloaded 137 times
 #17937  by unixfreaxjp
 Thu Jan 31, 2013 10:31 am
aaSSfxxx wrote:Hello,
Just found these samples today on http://royjamesinsurance.com/images/ (the sload.exe and sload1.exe are just malicious firefox extension droppers, sload1.exe was dropped by andromeda bot).
I am sorry, I wanted to help analyze this, but I did not understand your report.
1. You put attachments of three files as per below:
Image
I saw two of them (the rad marked) were uploaded in the VT as per you posted url.
Are these your mentioned THEY or sload.exe and sload1.exe file? Because I didn't find these sload.exe and sload1.exe and don't know the hash of it.
2. You mentioned you get it from http://royjamesinsurance.com/images/ ? from which url precisely?
I flushed the server:
Image
And can't see any binary location on it, Poc:
Image

Your reply will help. thanks.
 #17939  by unixfreaxjp
 Thu Jan 31, 2013 12:27 pm
To: @exitthematrix
Cc: @Xylit0l
exitthematrix wrote:Here there are all of them + latest one before the bad guy removed all the files..
Oh man..., why don't you say this sooner? :-)
Anyway friend, I just finished analyzed the two binaries you posted to PC as per "previous" attachment....
Will post to this thread soon.

To @Xylit0l Like I promised, I investigated, but did not know the nature / scheme of infection, thus I am so confused & not sure which one binary are you mentioned in PM to analyzed, anyway I did wack every data (almost everything I think) from TcpAdaptorService.exe and TcpAdaptorService1.exe. This is going to be a long post, I will post soon..
Salute to KernelMode, I will share my monitor data, so feel free to submit your thought.
 #17941  by unixfreaxjp
 Thu Jan 31, 2013 1:40 pm
There are two samples that I fetched from this forum, with guessing it as the subject (looks wrong ones in the end..)
Both work with the same logic. so let's call it as per filename TcpAdaptorService.exe I started with the below details.
Yes I run it:
Image
It run net command & executed net1.exe to start the malicious daemon process:
Image
In the end this process/daemon is responsible for everything and stays resident.
With the service name retalix:
Image

During infecting, it runs this operation: http://pastebin.com/raw.php?i=99FE4MYs
You'll see registry, file queries. The points is, it sets this Cryptography values (see long above/ not FP, important to crack the crypt)
Code: Select all
"RegSetValue","HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed","SUCCESS","Type: REG_BINARY, Length: 80, Data: 6D 7B CA A8 FF C8 F9 02 99 7F B6 FD 9C 12 11 DE"
Additionally the below values are queried:
Code: Select all
HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
HKLM\System\CurrentControlSet\Control\Terminal Server\TSUserEnabled","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
HKLM\System\CurrentControlSet\Control\ServiceCurrent\(Default)","SUCCESS","Type: REG_DWORD, Length: 4, Data: 13"
HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode","NAME NOT FOUND","Length: 16"
You'll see more details in pastebin, so what about the Daemon/Process kicked ?
This is the full log: http://pastebin.com/raw.php?i=U08Re7GF
And the highlights are: The computer name info, Terminal Server & \WinSock2\Parameters data was grabbed.
In memory we know how it executed:
Code: Select all
Retalix
cmd /c net start %s
What had happened if we let this run?
Actually NO networking at my monitoring case.. Oh yes I captured every traffic fo rsome hours, PoC:
Image

Capture Data;
I had memory dump strings here http://pastebin.com/raw.php?i=80kHafVK with binary here http://www.mediafire.com/?7alsybv27c9rwvt
All the registry I shot is here: http://pastebin.com/raw.php?i=KrPg2n23 <maybe There's a little miss, pls check/
Sorry cant share the PCAP for privacy purpose..(nothing in there anyway)
 #17942  by unixfreaxjp
 Thu Jan 31, 2013 1:50 pm
Ah, one more thing, it used the MS encryption, I bet it with the key just being made in registry:
Image
Worth to try to decrypt the callbacks traffic.
PS: @Xylit0l if you have the traffic I can help to decode with the above base.
  • 1
  • 2
  • 3
  • 4
  • 5
  • 25