 #20320  by Cody Johnston
 Thu Aug 01, 2013 12:26 am
Found this running with one of the new ZeroAccess variants today (one is FUD, the other is very low, 1/46):

The dll was loaded inside the exe process:
  • MD5: a83816056b0ab0d1d4e6898812288bfa
    File name: peokyur.dll
    Detection ratio: 1 / 46
https://www.virustotal.com/en/file/7919 ... 375311541/
  • MD5: e02dd60332cc3d8dd19795e1d9887b8b
    File name: ehojilcn.exe
    Detection ratio: 0 / 46
https://www.virustotal.com/en/file/f95d ... /analysis/

This was also running on the PC (FUD again):
  • MD5: 598107403d9fb8871d00470f8ff716d1
    File name: 83A.exe
    Detection ratio: 0 / 46
https://www.virustotal.com/en/file/89fa ... /analysis/

Attachment quota has been reached. You can find it temporarily here:

https://dl.dropboxusercontent.com/u/176 ... eokyur.zip

Password: infected
 #20321  by EP_X0FF
 Thu Aug 01, 2013 4:53 am
83A.exe is a trojan downloader with very custom obfuscation. Inside is the real trojan, written in MSVC and packed with UPX. It makes wide use of common ntdll APIs (registry access, FS I/O). Full of lame code.

Main purpose:

1) Sets itself to autorun on each Windows boot via HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run as TimeServer;
2) Contacts the C&C at

javafrogs.com
antispyes.com
inpdfconvers.com

to download and execute an additional payload. At the time of writing this post all of them are unavailable.

peokyur is a DLL stored encrypted inside ehojilcn.exe.

Probably ehojilcn.exe is the payload of above mentioned trojan.

ehojilcn.exe decrypts, drops and executes peokyur.dll.

peokyur starts execution from the exported entry peokyur. First it decrypts its internal strings (simple symbol rotations). Then it loads kernel32.dll with LoadLibrary exported by kernel32.dll (which, in the opinion of the crapware author, is not in the process address space) and allocates additional pointers to functions from it. Then it does the same for advapi32.dll, ws2_32.dll and ntdll.dll. After all required APIs are collected, the trojan inserts itself into HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (Windows Firewall whitelist) as
<path to dll>\peokyur.dll:*:Enabled:peokyur. It creates a shared mutex named "FGKWR-5YCZA+S56-KJ" <- this helps it determine whether it is already running on the affected system. After these preparations it connects to 85.17.137.153 and hangs there waiting for an answer.
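As an added triage example, not code from the thread or from EP_X0FF: a small Python helper that parses Windows Firewall AuthorizedApplications\List values in the `<path>:<scope>:<Enabled|Disabled>:<name>` shape shown in the post and flags the two persistence artefacts described above (a Run value named TimeServer, and a DLL registered as a firewall-authorized application). The registry contents are constructed sample data and the file paths are assumptions.

```python
"""Added triage helper (not from the thread): check exported registry values
for the persistence traits EP_X0FF describes.  All sample data is constructed."""

# Windows Firewall stores one REG_SZ value per whitelisted program under
# ...\FirewallPolicy\StandardProfile\AuthorizedApplications\List, shaped as
#   <path>:<scope>:<Enabled|Disabled>:<name>
# The post shows the malware writing <path to dll>\peokyur.dll:*:Enabled:peokyur.
FIELDS = ("path", "scope", "state", "name")


def parse_authapp(value):
    """Split one whitelist value into its four fields, or return None.
    Splitting from the right keeps the drive-letter colon inside the path;
    assumes the trailing <name> field itself contains no colon."""
    parts = value.rsplit(":", 3)
    if len(parts) != 4 or parts[2] not in ("Enabled", "Disabled"):
        return None
    return dict(zip(FIELDS, parts))


def triage(run_values, authapp_values):
    """Return (severity, reason) findings for the two artefacts from the post:
    a Run value named TimeServer, and a firewall whitelist entry whose path is
    a DLL (a DLL is not a process image, so it is out of place there)."""
    findings = []
    for name, command in run_values.items():
        if name.lower() == "timeserver":
            findings.append(("high", f"Run value '{name}' -> {command}"))
    for value in authapp_values:
        fields = parse_authapp(value)
        if fields is None:
            findings.append(("low", f"unparseable whitelist entry: {value!r}"))
        elif fields["path"].lower().endswith(".dll"):
            findings.append(("high", f"DLL whitelisted in firewall: {value}"))
    return findings


# Constructed sample registry data; the paths are assumptions, not from the thread.
SAMPLE_RUN = {
    "OneDrive": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "TimeServer": r"C:\Users\victim\AppData\Roaming\83A.exe",
}
SAMPLE_AUTHAPPS = [
    r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
    r"C:\Users\victim\AppData\Roaming\peokyur.dll:*:Enabled:peokyur",
    "not a valid entry",
]

if __name__ == "__main__":
    for severity, reason in triage(SAMPLE_RUN, SAMPLE_AUTHAPPS):
        print(f"[{severity}] {reason}")
```

On a live host the same checks can be fed from `reg export` output or from a forensic registry hive; the mutex name from the post is a third indicator that needs a running-system check (e.g. a handle enumeration) rather than a registry parse.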