A forum for reverse engineering, OS internals and malware analysis 

 #16932  by RageMachine
 Fri Nov 30, 2012 4:34 pm
I'm having some trouble with a piece of malware I'm trying to work with; the main issue is that it manages to always terminate outside the user code. When I run it normally under BSA, it runs and terminates like so:
LoadLibrary(uxtheme.dll) [c:\documents and settings\not_a_vm\yuksfgiluegwufywpcjt.exe]
IsDebuggerPresent() [c:\documents and settings\not_a_vm\yuksfgiluegwufywpcjt.exe]
FreeLibrary(C:\WINDOWS\system32\uxtheme.dll) [c:\documents and settings\not_a_vm\yuksfgiluegwufywpcjt.exe]
Sleep(50) [c:\documents and settings\not_a_vm\yuksfgiluegwufywpcjt.exe]
ExitProcess(0) [c:\documents and settings\not_a_vm\yuksfgiluegwufywpcjt.exe]
OpenProcess(taskmgr.exe) [c:\documents and settings\not_a_vm\yuksfgiluegwufywpcjt.exe]
OpenProcess(hpqtra08.exe) [c:\documents and settings\not_a_vm\yuksfgiluegwufywpcjt.exe]
OpenProcess(wscntfy.exe) [c:\documents and settings\not_a_vm\yuksfgiluegwufywpcjt.exe]
OpenProcess(hpwuSchd2.exe) [c:\documents and settings\not_a_vm\yuksfgiluegwufywpcjt.exe]
GetModuleHandle(EXPLORER.EXE) [c:\documents and settings\not_a_vm\yuksfgiluegwufywpcjt.exe]
I am not sure how to deal with GetModuleHandle as far as BSA is concerned; I cannot see how this would trigger my VM's detection or sandbox detection. Secondly, when I load it into Olly, it always terminates after IsDebuggerPresent even if I modify the return. Sleep works fine, but it seems to just quit at ExitProcess(0). I am not sure how to handle this. I thought it was TLS, and I can see some TLS import when I examine it in CFF Explorer, but the TLS directory and offset are just 00000. If I step through the code for a while, I can eventually find some code outside the code section, but it is so robust it would take weeks to get through it all. Is there some sort of "sweet spot" to look for to prevent termination of this process so I can continue reversing it?
Attachments
pass is my username
Last edited by RageMachine on Fri Nov 30, 2012 5:48 pm, edited 1 time in total.
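Added example, not part of the original post and not BSA's own tooling: a small Python triage script over the kind of API trace quoted above. It parses each `API(arg) [process]` line and flags the anti-analysis pattern visible in the trace: a debugger check followed within a few calls by ExitProcess, plus OpenProcess probes against analysis tools. The embedded trace is constructed from the lines in the post; the watchlist of tool names beyond taskmgr.exe and the four-call window are assumptions.

```python
import re
from collections import Counter

# Constructed sample input: the BSA API trace quoted in the post above.
SAMPLE_TRACE = r"""
LoadLibrary(uxtheme.dll) [c:\documents and settings\not_a_vm\yuksfgiluegwufywpcjt.exe]
IsDebuggerPresent() [c:\documents and settings\not_a_vm\yuksfgiluegwufywpcjt.exe]
FreeLibrary(C:\WINDOWS\system32\uxtheme.dll) [c:\documents and settings\not_a_vm\yuksfgiluegwufywpcjt.exe]
Sleep(50) [c:\documents and settings\not_a_vm\yuksfgiluegwufywpcjt.exe]
ExitProcess(0) [c:\documents and settings\not_a_vm\yuksfgiluegwufywpcjt.exe]
OpenProcess(taskmgr.exe) [c:\documents and settings\not_a_vm\yuksfgiluegwufywpcjt.exe]
OpenProcess(hpqtra08.exe) [c:\documents and settings\not_a_vm\yuksfgiluegwufywpcjt.exe]
OpenProcess(wscntfy.exe) [c:\documents and settings\not_a_vm\yuksfgiluegwufywpcjt.exe]
OpenProcess(hpwuSchd2.exe) [c:\documents and settings\not_a_vm\yuksfgiluegwufywpcjt.exe]
GetModuleHandle(EXPLORER.EXE) [c:\documents and settings\not_a_vm\yuksfgiluegwufywpcjt.exe]
"""

# One trace line: API name, argument text in parentheses, process path in brackets.
LINE_RE = re.compile(r"^(?P<api>\w+)\((?P<arg>.*?)\)\s*\[(?P<proc>[^\]]*)\]\s*$")

# Assumed watchlist (only taskmgr.exe appears in the post): process names a
# sample may look for before deciding it is being watched.
ANALYSIS_PROCESSES = {
    "taskmgr.exe", "procmon.exe", "procexp.exe",
    "ollydbg.exe", "windbg.exe", "wireshark.exe",
}
# APIs commonly used to detect an attached debugger.
DEBUGGER_CHECKS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess"}


def parse_trace(text):
    """Return a list of (line_no, api, arg, process) tuples; unparseable lines are skipped."""
    calls = []
    for line_no, line in enumerate(text.strip().splitlines(), 1):
        m = LINE_RE.match(line.strip())
        if m:
            calls.append((line_no, m["api"], m["arg"], m["proc"]))
    return calls


def triage(text, exit_window=4):
    """Flag debugger checks, an ExitProcess shortly after one, and probes for analysis tools."""
    calls = parse_trace(text)
    findings = []
    last_check = None  # index into `calls` of the most recent debugger check
    for idx, (line_no, api, arg, _proc) in enumerate(calls):
        if api in DEBUGGER_CHECKS:
            findings.append(f"line {line_no}: debugger check via {api}")
            last_check = idx
        elif api == "ExitProcess" and last_check is not None and idx - last_check <= exit_window:
            findings.append(
                f"line {line_no}: ExitProcess({arg}) within {idx - last_check} calls of a debugger check"
            )
        elif api == "OpenProcess" and arg.lower() in ANALYSIS_PROCESSES:
            findings.append(f"line {line_no}: OpenProcess targets analysis tool {arg}")
    api_counts = Counter(api for _, api, _, _ in calls)
    return {"calls": calls, "findings": findings, "api_counts": api_counts}


if __name__ == "__main__":
    result = triage(SAMPLE_TRACE)
    for finding in result["findings"]:
        print(finding)
    print(dict(result["api_counts"]))
```

On the sample trace this reports the IsDebuggerPresent call, the ExitProcess(0) three calls later, and the OpenProcess(taskmgr.exe) probe; the order matters, since the window heuristic only fires when the exit follows a check closely.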
 #16933  by EP_X0FF
 Fri Nov 30, 2012 5:25 pm
Telepaths on vacation.

Please attach your malware in password protected archive.
 #16939  by STRELiTZIA
 Sat Dec 01, 2012 9:45 am
Aggressive Fake AV (System progressive protection)
Before infecting the system it checks if c:\mscheck.dbg exists...
Try to create an empty file (c:\mscheck.dbg) and run the malware (wait a few seconds :twisted:)... Tested on VMWare...
 #16950  by RageMachine
 Sat Dec 01, 2012 5:44 pm
STRELiTZIA wrote:Aggressive Fake AV (System progressive protection)
Before infecting the system it checks if c:\mscheck.dbg exists...
Try to create an empty file (c:\mscheck.dbg) and run the malware (wait a few seconds :twisted:)... Tested on VMWare...
Yes, I see that now in procmon! How interesting... I didn't even think to use process monitor when attempting to reverse it. Thank you for the tip!

Thank you as well Xylitol.

With the tips you guys gave me, I was able to use BSA to run the program and then configured it to dump it to disk. Using the dump, I then loaded the malware into Olly, bypassed debugger checks, let it run until OpenProcess(), and then used imprec to fix the original dump. Then I removed the extras. I thank you for your help.
 #16952  by STRELiTZIA
 Sun Dec 02, 2012 9:20 am
Also, take a look at the executable name length on the infected machine: all names with a length equal to 16 can be launched...
e.g. rename calc.exe to 0123456789ABCDEF.exe, then try to launch it.
 #16953  by Tigzy
 Sun Dec 02, 2012 10:19 am
Classic rogue
¤¤¤ Processus malicieux : 1 ¤¤¤
[Rogue.AntiSpy-ST] ACA906A94F43CF610000ACA85A04D33F.exe -- C:\Documents and Settings\All Users\Application Data\ACA906A94F43CF610000ACA85A04D33F\ACA906A94F43CF610000ACA85A04D33F.exe -> TUÉ [TermProc]
[Rogue.AntiSpy-ST][BLACKLIST] ACA906A94F43CF610000ACA85A04D33F.exe -- C:\Documents and Settings\All Users\Application Data\ACA906A94F43CF610000ACA85A04D33F\ACA906A94F43CF610000ACA85A04D33F.exe -> TUÉ [TermThr]

¤¤¤ Entrees de registre : 2 ¤¤¤
[RUN][Rogue.AntiSpy-ST] HKCU\[...]\RunOnce : ACA906A94F43CF610000ACA85A04D33F (C:\Documents and Settings\All Users\Application Data\ACA906A94F43CF610000ACA85A04D33F\ACA906A94F43CF610000ACA85A04D33F.exe) -> TROUVÉ
[RUN][Rogue.AntiSpy-ST] HKUS\S-1-5-21-823518204-842925246-839522115-1003[...]\RunOnce : ACA906A94F43CF610000ACA85A04D33F (C:\Documents and Settings\All Users\Application Data\ACA906A94F43CF610000ACA85A04D33F\ACA906A94F43CF610000ACA85A04D33F.exe) -> TROUVÉ
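Added example, not part of Tigzy's post and not RogueKiller's own code: a Python parser that turns report lines of the shape quoted above into structured records and pulls out the indicators a responder would want to sweep for (the 32-hex-character folder/file name, the dropped path, and the RunOnce values). The embedded report is the text from the post; the line format is assumed from those lines only, and the tool's French status words are left as printed (TUÉ is "killed", TROUVÉ is "found").

```python
import re

# Constructed sample input: the RogueKiller report lines quoted in the post above.
SAMPLE_REPORT = r"""
¤¤¤ Processus malicieux : 1 ¤¤¤
[Rogue.AntiSpy-ST] ACA906A94F43CF610000ACA85A04D33F.exe -- C:\Documents and Settings\All Users\Application Data\ACA906A94F43CF610000ACA85A04D33F\ACA906A94F43CF610000ACA85A04D33F.exe -> TUÉ [TermProc]
[Rogue.AntiSpy-ST][BLACKLIST] ACA906A94F43CF610000ACA85A04D33F.exe -- C:\Documents and Settings\All Users\Application Data\ACA906A94F43CF610000ACA85A04D33F\ACA906A94F43CF610000ACA85A04D33F.exe -> TUÉ [TermThr]

¤¤¤ Entrees de registre : 2 ¤¤¤
[RUN][Rogue.AntiSpy-ST] HKCU\[...]\RunOnce : ACA906A94F43CF610000ACA85A04D33F (C:\Documents and Settings\All Users\Application Data\ACA906A94F43CF610000ACA85A04D33F\ACA906A94F43CF610000ACA85A04D33F.exe) -> TROUVÉ
[RUN][Rogue.AntiSpy-ST] HKUS\S-1-5-21-823518204-842925246-839522115-1003[...]\RunOnce : ACA906A94F43CF610000ACA85A04D33F (C:\Documents and Settings\All Users\Application Data\ACA906A94F43CF610000ACA85A04D33F\ACA906A94F43CF610000ACA85A04D33F.exe) -> TROUVÉ
"""

# Leading run of [tag] groups, e.g. "[RUN][Rogue.AntiSpy-ST]".
TAGS = r"(?P<tags>(?:\[[^\]]+\])+)"
# "<image> -- <path> -> <action> [<detail>]"
PROCESS_RE = re.compile(TAGS + r"\s+(?P<image>\S+) -- (?P<path>.+?) -> (?P<action>\S+)(?: \[(?P<detail>[^\]]+)\])?$")
# "<key> : <value> (<path>) -> <status>"
REGISTRY_RE = re.compile(TAGS + r"\s+(?P<key>\S+) : (?P<value>\S+) \((?P<path>[^)]+)\) -> (?P<status>\S+)$")
# The rogue names its folder and executable after a 32-hex-character id.
HEX32_RE = re.compile(r"\b[0-9A-F]{32}\b")


def _split_tags(raw):
    return re.findall(r"\[([^\]]+)\]", raw)


def parse_report(text):
    """Return {'processes': [...], 'registry': [...]}; section banners and blank lines are skipped."""
    processes, registry = [], []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("¤¤¤"):
            continue
        m = REGISTRY_RE.match(line)  # registry lines first: they also contain " -> "
        if m:
            rec = m.groupdict()
            rec["tags"] = _split_tags(rec["tags"])
            registry.append(rec)
            continue
        m = PROCESS_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["tags"] = _split_tags(rec["tags"])
            processes.append(rec)
    return {"processes": processes, "registry": registry}


def extract_iocs(report):
    """Collapse the parsed report into the distinct paths, hex ids and RunOnce values to sweep for."""
    paths = {e["path"] for e in report["processes"]} | {e["path"] for e in report["registry"]}
    hex_ids = set()
    for p in paths:
        hex_ids.update(HEX32_RE.findall(p))
    registry_values = {f'{e["key"]} : {e["value"]}' for e in report["registry"]}
    return {"paths": paths, "hex_ids": hex_ids, "registry_values": registry_values}


if __name__ == "__main__":
    iocs = extract_iocs(parse_report(SAMPLE_REPORT))
    for kind, values in iocs.items():
        print(kind)
        for v in sorted(values):
            print("  ", v)
```

The two process lines and two registry lines collapse to one dropped path and one hex id, which is the point: the per-user RunOnce hits and the killed process are all the same artefact, so a sweep across other hosts needs only the id and the All Users\Application Data path pattern.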
 #16972  by RageMachine
 Sun Dec 02, 2012 5:52 pm
STRELiTZIA wrote:Also, take a look at the executable name length on the infected machine: all names with a length equal to 16 can be launched...
e.g. rename calc.exe to 0123456789ABCDEF.exe, then try to launch it.
I'm having a blast with these, just searching for little doors all over the code :lol: I get so jazzed up about this stuff.
Although I did my dump and I can see all the code, running the unpacked binary just terminates -_- but I can still see all that it does. I'm sure I'm overlooking something.