#5203 by markusg
Mon Feb 28, 2011 1:34 pm
vt is not working at this moment
Last edited by EP_X0FF on Fri Apr 19, 2013 4:15 am, edited 2 times in total. Reason: thread title changed
#5210 by EP_X0FF
Mon Feb 28, 2011 3:02 pm
markusg wrote: vt is not working at this moment
Bifrost RAT

Dropper spawns vbc.exe with injected payload code. After this, it starts an IEXPLORE.exe copy with Bifrost code injected inside.

Copies itself to %program files%\ssss\sever.exe
Runs through HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
Some general info from developers.
Bifrost is a backdoor trojan horse family of more than 10 variants which can infect Windows 95 through Vista. Bifrost uses the typical server, server builder, and client backdoor program configuration to allow a remote attacker, who uses the client, to execute arbitrary code on the compromised machine (which runs the server, whose behavior can be controlled by the server editor).

The server component (29,053 bytes) is dropped to C:\Program Files\Bifrost\server.exe with default settings and, when running, connects to a predefined IP address on TCP port 81, awaiting commands from the remote user who uses the client component. It can be assumed that once all three components are operational, the remote user can execute arbitrary code at will on the compromised machine.

The server builder component has the following capabilities:

* Create the server component
* Change the server component's port number and/or IP address
* Change the server component's executable name
* Change the name of the Windows registry startup entry
* Include rootkit to hide server process
* Include extensions to add features (adds 22,759 bytes to server)
* Use persistence (makes the server harder to remove from the infected system)

The client component has the following capabilities:

* Process Manager (Browse or kill running processes)
* File manager (Browse, upload, download, or delete files)
* Window Manager (Browse, close, maximize/minimize, or rename windows)
* Get system information
* Extract passwords from machine
* Keystroke logging
* Screen capture
* Webcam capture
* Desktop logoff, reboot or shutdown
* Registry editor
* Remote shell
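The post above notes that the dropped copy is started through HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components, a per-user run-once mechanism whose StubPath value is executed at logon. As an added defender-side example (not code from the thread or from any vendor), the script below parses a constructed .reg-style export of that key and flags StubPath entries whose executable lives outside the Windows directory; the GUID key names and sample entries are made up for the example, and the allowlist is an assumption to tune per environment.

```python
import re
from typing import List, Tuple

# Constructed .reg-style export of the Active Setup key (sample data, not from a real host).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
"StubPath"="C:\\Windows\\System32\\ie4uinit.exe -UserConfig"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{12345678-ABCD-EF01-2345-6789ABCDEF01}]
"StubPath"="C:\\Program Files\\ssss\\sever.exe s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
"StubPath"="\"C:\\Windows\\System32\\regsvr32.exe\" /s /n /i:/UserInstall C:\\Windows\\System32\\themeui.dll"
'''

# Assumed allowlist: locations a legitimate Active Setup stub is normally started from.
TRUSTED_PREFIXES = ("c:\\windows\\", "%systemroot%\\", "%windir%\\")


def parse_stubpaths(reg_text: str) -> List[Tuple[str, str]]:
    """Return (component key, StubPath command line) pairs from a .reg export."""
    entries, current_key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
        elif current_key and line.lower().startswith('"stubpath"='):
            raw = line.split("=", 1)[1].strip('"')
            cmd = re.sub(r'\\(["\\])', r"\1", raw)  # undo .reg escaping of \ and "
            entries.append((current_key, cmd))
    return entries


def stub_executable(cmd: str) -> str:
    """Extract the executable from a StubPath command line, quoted or unquoted."""
    quoted = re.match(r'"([^"]+)"', cmd)
    if quoted:
        return quoted.group(1)
    unquoted = re.match(r"(.+?\.exe)(?=\s|$)", cmd, re.IGNORECASE)  # path may contain spaces
    return unquoted.group(1) if unquoted else cmd.split()[0]


def find_suspicious_stubpaths(reg_text: str) -> List[Tuple[str, str]]:
    """Flag (component GUID, executable) where the stub runs from outside the Windows directory."""
    hits = []
    for key, cmd in parse_stubpaths(reg_text):
        exe = stub_executable(cmd)
        if not exe.lower().startswith(TRUSTED_PREFIXES):
            hits.append((key.rsplit("\\", 1)[1], exe))
    return hits


if __name__ == "__main__":
    for component, exe in find_suspicious_stubpaths(SAMPLE_REG):
        print(f"review: {component} -> {exe}")
```

On a live system the same checks apply to an export produced with `reg export` of that key; entries for installed software that legitimately live under Program Files will show up too and need to be allowlisted by hand.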
#14245 by EP_X0FF
Mon Jun 25, 2012 1:53 am
markusg wrote: bifrose?
Yes, protected by unregistered version of Eziriz's ".NET Reactor".