A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #21961  by unixfreaxjp
 Thu Jan 16, 2014 2:41 am
Trojan/PWS Win32/Cridex

I think is same as @forty-six posted http://www.kernelmode.info/forum/viewto ... 961#p21955

CNC LIST:
Code: Select all
h00p://portasible.ru
h00p://ssshsecur.ru
h00p://glebstark.ru
h00p://kuchereneltd.ru
Noted..New Creds Templates:
Code: Select all
4118b0 -> <message set_hash="%%.%us" req_set="%%%%u" req_upd="%%%%u"> // OS info..
          <header>
          <unique>%%.%us</unique>
          <version>%%u</version>
          <system>%%u</system>
          <network>%%u</network>
          </header><data>
411a3c -> </data></message>

411730: <pop3 time="%%%uu"><server><![CDATA[%%u.%%u.%%u.%%u:%%u]]></server> //pop3 mail
         <user><![CDATA[%%.%us]]></user><pass><![CDATA[
4117a4 -> ]]></pass></pop3>

411850: <ff time="%u"><data><![CDATA[     // firefox
411870: ]]></data></ff>

411880: <mm time="%u"><data><![CDATA[    // mm? macromedia?
4118a0 -> ]]></data></mm>

4117d0: <cert time="%u"><pass><![CDATA[   // certification/pwd
4117f0: ]]></pass><data><![CDATA[
41180c -> ]]></data></cert>

411648: <httpshot time="%%%uu"><url><![CDATA[%%.%us]]></url><data><![CDATA[  //links, etc
41168c -> ]]></data></httpshot>

4116a8: <ftp time="%%%uu"><server>            // FTP credential sender format:
        <![CDATA[%%u.%%u.%%u.%%u:%%u]]></server>
        <user><![CDATA[%%.%us]]></user><pass><![CDATA[
41171c:  ]]></pass></ftp>

4115c8: <http time="%%%uu">            // links
        <url><![CDATA[%%.%us]]></url>
        <useragent><![CDATA[%%.%us]]></useragent><data><![CDATA[
411634 -> ]]></data></http>

411820: <ie time="%u"><data><![CDATA[ // internet explorer grabs...
411840 -> ]]></data></ie>
I made draft analysis for more details: http://pastebin.com/raw.php?i=DQ7G0Vz0
Mr. Kyle Yang decoded the downloaded config in here: http://pastebin.com/766faxPH

Germany banks is on target...(thx Kyle!)
Code: Select all
cortalconsors\.de  
deutsche\-bank\.de  
finanzportal\.fiducia\.de  
postbank\.de  
deutsche\-bank\.de  
^https://web.de  
^https://banking.postbank.de/rai/\?x=  
^https://banking.postbank.de/rai/login  
^https://banking\.dkb\.de/.*  
^https://.*finanzportal\.fiducia\.de/.*entry.*  
^https://.*finanzportal\.fiducia\.de/.*portal.*  
^https://banking\.dkb\.de/portal/portal.*  
^https://banking\.dkb\.de/dkb.*  
^https://ssl2\.haspa\.de/OnlineFiliale/banking/authenticate/login.*  
^https://ssl2\.haspa\.de/OnlineFiliale/banking/services.*  
^https://.*finanzportal\.fiducia\.de/.*entry.*  
^https://.*finanzportal\.fiducia\.de/.*portal.*  
Samples & PCAP attached.
Attachments
pwd: infected
(252.87 KiB) Downloaded 150 times
 #22452  by unixfreaxjp
 Fri Mar 14, 2014 2:06 pm
Marv3!ous wrote:wanna know where could find C&C of this bot.?
Before that, please explain us, what is the relation with this thread? (Win32/Cridex). Thank you in advance.
 #23073  by forty-six
 Mon Jun 09, 2014 7:07 pm
Newish Cridex variant.

Unpacked dll strings
Code: Select all
Software\Microsoft\Office\Common\%X\%XCS
%X%X%X%X
%XI
%XM
%XE
UNKNOWN
%s_%s_%X%X
NtResumeThread
ntdll.dll
Software\Microsoft\Office\Common\%X\%XPS
173.236.185.238:8080
64.202.249.5:8080
173.236.153.210:8080
212.64.151.75:8080
176.28.31.137:8080
208.113.235.41:8080
122.155.3.6:8080
50.31.146.109:8080
103.28.148.51:8080
80.91.191.158:8080
192.154.110.228:8080
Software\Microsoft\Office\Common\%X\%XRS
http://%s/%x/%x/
%XRM
Software\Microsoft\Office\Common\%X\%XSS
RtlComputeCrc32
"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
Software\Microsoft\Windows\CurrentVersion\Run
%s\Microsoft\%c%c%c%S.exe
*/*
Attachments
(85.59 KiB) Downloaded 116 times
 #23638  by Horgh
 Tue Aug 19, 2014 5:31 pm
Sample courtesy of Kafeine.

loader.bin + dump. Detected by MS as TrojanDownloader:Win32/Awavs.gen!A

cfg :
Code: Select all
<config
   botnet="120"
   servers="202.124.205.84:8080;212.59.117.207:8080"
/>
https://feodotracker.abuse.ch/host/202.124.205.84/

Downloads 238.tmp, unpacked joined.

cfg :
Code: Select all
<config
   botnet="120"
   servers="149.154.67.144:8080,150.214.24.132:8080,188.165.200.162:8080,62.76.187.78:8080,85.214.26.248:8080,95.140.34.140:8080,188.40.181.203:8080,90.156.238.76:8080,83.17.220.66:8080"
   timeout="20"
   delay="30:60"
   interval="1020:1260"
/>
Public PGP Key :
Code: Select all
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9pYTezdSjwI7J9bZDFGeljChb
LB8VxQNmiIKU/VMY5TS0oYjzdY9zB6QVJC779Iwi+TQqX2Bf0rGAHCXm/3ehoe+t
Bfw8XpLt6wnK/olx3g7eY41jO4rMORPCRCmqGfhJSs07IDGwOJFn2URfTcIabowB
fAJgVhchGFQVhchGFQV91eLCQIDAQAB
-----END PUBLIC KEY-----
+ anti_rapport.dll packed in the 238.tmp as well.
Attachments
pwd infected
(395.63 KiB) Downloaded 119 times
 #24191  by unixfreaxjp
 Thu Oct 23, 2014 9:55 am
Dridex campaign described here: http://blog.dynamoo.com/2014/10/this-em ... -file.html
Using the Doc with malicious macro https://www.virustotal.com/en/file/d328 ... 413981219/
to download the dridex downloader: https://www.virustotal.com/en/file/992f ... 414052698/
which dwonloaded this dll : https://www.virustotal.com/en/file/7360 ... 413998492/

overall dridex scheme itself is about like this, cnc is up during analysis:
Image
#MalwareMustDie
Attachments
7z/infected
(268.52 KiB) Downloaded 103 times
 #24506  by forty-six
 Tue Dec 02, 2014 6:05 pm
P2P version :
Code: Select all
port
build
status
online
startup
nodes
tick
node
VncStartServer
VncStopServer
Start
public
version
system
type
hash
name
servers
_x32
deny
allow
conditions
contentType
modifiers
actions
modify
pattern
replacement
settings
onget
onpost
clicks
xrange
yrange
postfwd
commands
Attachments
(250.23 KiB) Downloaded 99 times
  • 1
  • 7
  • 8
  • 9
  • 10
  • 11
  • 15