Attachments
(146.97 KiB) Downloaded 116 times
A forum for reverse engineering, OS internals and malware analysis
markusg wrote:https://www.virustotal.com/file/74a7d50 ... 350585070/This is backdoor CLSID variant without autoruner and without file infection part. In attach decrypted dropper, extract payload cab manually.
markusg wrote:SHA256:Decrypted dropper, n32, n64, s32, s64 attached.
f30d55120d31f1e75f618e6c8b272c6475a87815f2ca12fa9e890805c78ecd9f
File name:
setup (2).exe
Detection ratio:
3 / 46
https://www.virustotal.com/file/f30d551 ... /analysis/
Landing page: http://33sdfguuh.mywww.biz/closest/209t ... kjskga.phpThe contacts.exe is ZeroAccess, this case's topic.
PluginDetect0.7.9 used: http://pastebin.com/raw.php?i=HSPfPzF1
Following the infector logic to fetching below samples:
(If you interested to see more details in BHEK overall infection that serving this, please see different post here, not a promotion pls, a share.)
LdrLoadDll
LdrGetDllHandle
dtdlb.dll
etdlc.dll
ftdld.dll
gtdle.dll
htdlf.dll
itdlg.dll
jtdlh.dll
ktdli.dll
ltdlj.dll
mtdlk.dll
fd43u.dll
^tdl\.dll
_tdl].dll
`tdl^.dll
atdl_.dll
btdl`.dll
ctdla.dll
Windows Defender
wscntfy.exe
MSASCui.exe
MpCmdRun.exe
NisSrv.exe
msseces.exe
fp.exe
MsMpSvc
windefend
SharedAccess
iphlpsvc
wscsvc
mpssvc
(etc)
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
..\System\CurrentControlSet\Services\SharedAccess\Setup
..\System\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate
..\System\CurrentControlSet\Services\wscsvc
..\System\CurrentControlSet\Services\wscsvc\Enum
..\System\CurrentControlSet\Services\wscsvc\Parameters
..\System\CurrentControlSet\Services\wscsvc\Security
InprocServer32
{fbeb8a05-beee-4442-804e-409d6c4515e9}
\registry\machine\Software\Classes\clsid\{5839fca9-774d-42a1-acda-d6a79037f57f}\InprocServer32
HKLM\Software\Classes\ClsId\{...some ID....}\InprocServer32\
--→"C:\WINDOWS\system32\wbem\fastprox.dll"/"C:\RECYCLER\S-1-5-18\$6576a1a85f9fdb0e20568660563a58ee\n."
GET /app/geoip.js HTTP/1.0
Host: j.maxmind.com
Connection: close
:
geoip_country_code
GET /5699017-3C912481A04E584CDF231C519E1DF857/counter.img?theme=%u&digits=10&siteId=%u HTTP/1.1
Host: bigfatcounters.com
User-Agent: Opera/9 (Windows NT %u.%u; %s; %s)
Connection: close
194.165.17.3:53 ADM-SERVICE-NET (Monaco)
66.85.130.234:53 TechEVE Ltd TE-SAFESUGAR (UK)
92.254.253.254:16464
88.254.253.254:16464
87.254.253.254:16464
71.254.253.254:16464
69.254.253.254:16464
1.172.141.253:16464
122.110.95.253:16464
85.86.69.253:16464
90.230.2.2:16464
115.31.23.2:16464
174.101.87.249:16464
187.74.74.249:16464
61.86.42.249:16464
194.165.17.3:123
91.242.217.247:123
94.183.234.248:16464
180.254.253.254:16464
166.254.253.254:16464
135.254.253.254:16464
134.254.253.254:16464
119.254.253.254:16464
117.254.253.254:16464
115.254.253.254:16464
126.13.87.248:16464
89.215.205.2:16464
222.109.23.4:16464
203.171.244.4:16464
109.90.149.240:16464
173.217.73.3:16464
98.26.183.2:16464
84.55.11.24:16464
116.73.35.4:16464
86.126.1.74:16464
121.242.162.55:16464
175.181.230.42:16464
190.208.75.36:16464
150.214.68.251:16464
188.6.88.61:16464
206.254.253.254:16464
190.254.253.254:16464
182.254.253.254:16464