A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #3871  by Meriadoc
 Tue Dec 07, 2010 8:01 pm
Header modification, MSIL Injection warrants a look in vmware xpsp3 :)

Drops Win32.Spyrat http://www.symantec.com/security_respon ... 99&tabid=2

C:\WINDOWS\system32\install (hidden+system)

Registry entry "HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{261B00RD-4480-DW02-A1BH-7DL00FD600NL}\StubPath" created set to <C:\WINDOWS\system32\install\svchost.exe>

Registry entry "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Policies\Explorer\Run\Policies" created set to <C:\WINDOWS\system32\install\svchost.exe>

Registry entry "HKEY_CURRENT_USER\software\microsoft\windows\currentVersion\Policies\Explorer\Run\Policies" created set to <C:\WINDOWS\system32\install\svchost.exe>

Registry entry "HKEY_CURRENT_USER\software\microsoft\windows\currentVersion\Run\HKCU" created set to <C:\WINDOWS\system32\install\svchost.exe>

Registry entry "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run\HKLM" created set to <C:\WINDOWS\system32\install\svchost.exe>

injects Process IEXPLORE.EXE

opens backdoor
Attachments
pass=malware
(809.45 KiB) Downloaded 76 times
 #3873  by EP_X0FF
 Wed Dec 08, 2010 10:24 am
markusg wrote:http://www.virustotal.com/file-scan/rep ... 1291740511
Crypted with NET framework based cryptor.
Trivial stealer + backdoor, and I would say it is very well known trojan.
Executable written on Delphi.

http://www.virustotal.com/file-scan/rep ... 1291803307

From interesting pars of this trash, inside it contains detection of kernel mode based debuggers, such as Syser and SoftIce.
\\.\Syser \\.\SyserDbgMsg \\.\SyserBoot \\.\SICE \\.\NTICE
and VirtualBox, Sandboxie detection + a lot of others (if somebody interested all detection code placed at @0040B0F0, see attach from Meriadoc).
VBoxService.exe SbieDll.dll
Topic title changed to malware name.
 #3874  by EP_X0FF
 Wed Dec 08, 2010 10:54 am
markusg wrote:http://www.virustotal.com/file-scan/rep ... 1291725015
Meriadoc wrote:Creates a directory C:\WINDOWS\system32\Windows (hidden+system)
file : winlogon.exe

opens backdoor
Didn't found any new winlogons in system.

This trojan starts actual winlogon copy from windows\system32 directory and maps payload code to newly started winlogon memory. Winlogon binary itself is not malicious.

Payload code looks similar to http://www.kernelmode.info/forum/viewto ... f=16&t=518.

I think it's the modification of the same stuff.

edit: forum software killed posts order.
 #3902  by EP_X0FF
 Thu Dec 09, 2010 2:04 pm
markusg wrote:http://www.virustotal.com/file-scan/rep ... 1291894474
Yet the same.

New copy of winlogon.exe spawned and payload code (crypted inside container in .NET dropper) mapped. Payload contains VM detection code, described above.
 #4060  by EP_X0FF
 Sat Dec 18, 2010 1:56 pm
After additional analysis (thanks to topic starter for pointing on this) actual malware found. It is second file placed in container together with MS Office 2007 keygen.
Some sort of Spyrat modification.

Malware attached.
Attachments
pass: malware
(323.83 KiB) Downloaded 55 times
  • 1
  • 2
  • 3
  • 4
  • 5
  • 7