A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #19444  by EP_X0FF
 Tue May 28, 2013 9:05 am
rough_spear wrote:Hi All,

two more cutwail samples.

MD5 - 357423154CF2DEB27CEA8219633158CA

https://www.virustotal.com/en/file/14ae ... /analysis/

MD5 - F76D105EAF3E29CCF817EB5E0D83A221

https://www.virustotal.com/en/file/c5df ... /analysis/

Regards,

rough_spear. ;)
Your attachment is missing.
 #19445  by rkhunter
 Tue May 28, 2013 10:34 am
EP_X0FF wrote:Your attachment is missing.
LOL It was advertisements ;)
 #19450  by EP_X0FF
 Tue May 28, 2013 3:00 pm
rkhunter wrote:
EP_X0FF wrote:Your attachment is missing.
LOL It was advertisements ;)
Or maybe stealth request? :)
 #19502  by unixfreaxjp
 Fri May 31, 2013 3:50 am
Note to @EP_X0FF: I tried to search for the right thread for this spambot but could not find one; this is the closest category I could find, so allow me to paste the report here.

It started from a spam series of PayPal, eFax & Chase (etc.).
As usual I expected PWS (Fareit or Cridex), Zeus or other PWS;
instead they distributed the SpamBot Trojan too.

Spam email that led to this spambot:
Image
If we analyze the header:
Image
we'll see the significant characteristics of the MUA (or bot) sender sigs:
Code:
Microsoft SMTP Server id 8.0.685.24;
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.9)
Gecko/20100921 Thunderbird/3.1.4
with the relay signature too:
Code:
Received: from unknown (HELO Spammer/FQDN) (Spammer Used MTA IP/x.x.x.x)
MIME-Version: 1.0
Status: RO
The link in the spam itself redirects us to Blackhole:
Code:
h00p://papakarlo24.ru/wp-gdt.php?H00OTWYN3DI3Z4
Resolving papakarlo24.ru... seconds 0.00, 92.38.227.2
Caching papakarlo24.ru => 92.38.227.2
Connecting to papakarlo24.ru|92.38.227.2|:80... seconds 0.00, connected.
  :
GET /wp-gdt.php?H00OTWYN3DI3Z4 h00p/1.0
Host: papakarlo24.ru
h00p request sent, awaiting response...
  :
h00p/1.1 302 Moved Temporarily
Server: nginx/0.8.55
Date: Wed, 29 May 2013 08:16:21 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.17
Location: h00p://uninstallingauroras・net/closest/i9jfuhioejskveohnuojfir.php
Content-Length: 0
  :
302 Moved Temporarily
Location: h00p://uninstallingauroras・net/closest/i9jfuhioejskveohnuojfir.php [following]
  :
h00p://uninstallingauroras・net/closest/i9jfuhioejskveohnuojfir.php
conaddr is: 92.38.227.2
Resolving uninstallingauroras.net... seconds 0.00, 80.78.247.227
Caching uninstallingauroras.net => 80.78.247.227
Which was designed only to drop one of these two exploit PDFs (depending on your Adobe plugin version)
Image
Both PDFs lead to our spambot binary sample at:
Code:
h00p://uninstallingauroras.net/closest/i9jfuhioejskveohnuojfir.php?orsjgvtp=1n:1j:2w:1m:1i&zxlegtgp=1k:1f:2w:1m:31:1o:1l:1l:30:31&tqdybltx=1h&mryvsc=pcyxjux&sctxbc=liolty
(If you are interested in the exploit kit that backboned it, you can refer to my analysis report HERE)

I put the sample on VT here:
https://www.virustotal.com/en/file/6d41 ... 369818590/
This is when the challenge starts. I received very confusing malware verdicts in VT, like the below...
Code:
F-Secure                 : Trojan.GenericKDZ.19645
DrWeb                    : Trojan.DownLoad3.23197
GData                    : Trojan.GenericKDZ.19645
Symantec                 : WS.Reputation.1
AhnLab-V3                : Trojan/Win32.Tepfer
McAfee-GW-Edition        : PWS-Zbot-FAQD!0D2AF51B2813
TrendMicro-HouseCall     : TROJ_GEN.R47H1ES13
MicroWorld-eScan         : Trojan.GenericKDZ.19645
Avast                    : Win32:Dropper-gen [Drp]
Kaspersky                : Trojan-Spy.Win32.Zbot.lvxs
BitDefender              : Trojan.GenericKDZ.19645
McAfee                   : PWS-Zbot-FAQD!0D2AF51B2813
Malwarebytes             : Backdoor.Bot.ST
Rising                   : Win32.Asim.a
Panda                    : Trj/CI.A
Fortinet                 : W32/Zbot.LVXS!tr
ESET-NOD32               : Win32/Wigon.PH
Emsisoft                 : Trojan.Win32.Zbot (A)
Comodo                   : UnclassifiedMalware
It is not the Zbot family for sure (many AVs mentioned Zbot..), since the registry & drops are different, like:
(1) autorun:
Code:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\xoxkycomvoly(RANDOM)
 →"C:\Documents and Settings\User\xoxkycomvoly.exe"
↑(2) was a different self-copy command result:
Code:
CopyFileA{
   lpExistingFileName: "c:\test\sample.exe",
   lpNewFileName: "C:\Documents and Settings\User\xoxkycomvoly.exe", (RANDOM)
   bFailIfExists: 0x0 }
(3) different batch code too....
Code:
:repeat
del %s
if exist %s goto :repeat
del %%0
My question is: does anyone know the right malware name for this one?
So I decided to take a look myself and found the sample sending massive spam; please see the below details to answer the question of the malware name:
Image
Image
Image
It went after these MTA relays:
Code:
smtp.compuserve.com
mail.airmail.net
smtp.directcon.net
smtp.sbcglobal.yahoo.com
smtp.mail.yahoo.com
smtp.live.com
By using these domains to spoof senders:
Code:
reactionsearch.com
picsnet.com
mville.edu
oakwood.org
intelnet.net.gt
optonline.net
cox.net
pga.com
rcn.com
vampirefreaks.com
tiscali.co.uk
msu.edu
freenet.de
bluewin.ch
o2.pl
cfl.rr.com
worldnetatt.net
uakron.edu
comcast.net
centrum.cz
axelero.hu
aon.at
oakland.edu
ukr.net
posten.se
talstar.com
cnet.com
emailmsn.com
yahoo.com.hk
vodafone.nl
zoomtown.com
otakumail.com
netsync.net
grar.com
stc.com.sa
col.com
gallatinriver.net
worldonline.co.uk
aruba.it
bluewin.com
zoomnet.net
gcsu.edu
amazon.com
microtek.com
voicestream.com
tellmeimcute.com
bmw.com
backaviation.com
oregonstate.edu
earthlink.net
cablelan.net
floodcity.net
uplink.net
mindspring.com
clarksville.com
dr.com
shmais.com
sexstories.com
cwnet.com
chickensys.com
gravityboard.com
happyhippo.com
midway.edu
oakwood.org
intelnet.net.gt
blackplanet.com
tampabay.rr.com
gmx.net
juno.com
vampirefreaks.com
canada.com
worldnetatt.net
beeone.de
idea.com
boardermail.com
arcor.de
verizonwireless.com
mediom.com
iw.com
passagen.se
iupui.edu
ufl.edu
jwu.edu
uga.edu
music.com
accountant.com
ministryofsound.net
the-beach.net
metallica.com
vodafone.com
zdnetmail.com
hoymail.com
iwon.com
accessus.net
cbunited.com
pchome.com.tw
kazza.com
cytanet.com.cy
frisurf.no
parrotcay.como.bz
willinet.net
claranet.fr
kw.com
caixa.gov.br
frostburg.edu
intuit.com
actuslendlease.com
rowdee.com
vodafone.nl
feton.net
wcsu.edu
ricochet.com
embarqmail.com
allstream.net
mynet.com
kcrr.com
south.net
ig.com.br
atkearney.com
colorado.edu
zoomnet.net
creighton.edu
amazon.com
mvts.com
potamkinmitsubishi.com
lansdownecollege.com
mania.com
marchmail.com
anetsbuys.com
yatroo.com
bassettfurniture.com
machlink.com
nccn.net
floodcity.net
maui.net
earthlink.com
doctor.com
mexico.com
sexstories.com
penn.com
aussiestockforums.com
bendcable.com
ipeg.com
mediom.com
free.fr
ufl.edu
www.aol.com
hotmale.com
cox.com
ministryofsound.net
stargate.net
orange.pl
mzsg.at
imaginet.com
charter.com
pandora.be
iwon.com
windstream.net
oakland.edu
suscom.net
metrocast.net
migente.com
erzt.com
willinet.net
claranet.fr
kw.com
rockford.edu
emailmsn.com
uymail.com
xtra.co.nz
brettlarson.com
badactor.us
stc.com.sa
t-mobel.com
yahoo.com.cn
gatespeed.com
itexas.net
yahoo.com.tw
diamondcpu.com
vail.com
clear.net.nz
gallatinriver.net
ia.telecom.net
idealcollectables.com
number1.net
agilent.com
in.com
windermere.com
mts.net
sscomputing.com
primeline.com
indosat.com
lansdownecollege.com
springsips.com
tellmeimcute.com
chataddict.com
expn.com
earthlink.net
surfglobal.net
↑These data are written clearly after I unpack (whatever the name of the method is) the binary.

Some captured SMTP sent logs:
Code:
19:58:16.6989801 ->  65.55.96.11:smtp","SUCCESS"
19:59:03.0738552 ->  www2.windstream.net:smtp","SUCCESS"
19:59:03.0739711 ->  www.freenet.de:smtp","SUCCESS"
19:59:03.0740055 ->  67-208-33-32.neospire.net:smtp","SUCCESS"
19:59:03.1832375 ->  208.73.210.29:smtp","SUCCESS"
19:59:03.1833775 ->  web1.gcsu.edu:smtp","SUCCESS"
19:59:03.1834395 ->  searchportal.information.com:smtp","SUCCESS"
19:59:03.1834970 ->  176.32.98.166:smtp","SUCCESS"
19:59:09.0894742 ->  www2.windstream.net:smtp","SUCCESS"
19:59:09.0896164 ->  www.freenet.de:smtp","SUCCESS"
19:59:09.0896742 ->  67-208-33-32.neospire.net:smtp","SUCCESS"
19:59:09.1988465 ->  208.73.210.29:smtp","SUCCESS"
19:59:09.1989401 ->  web1.gcsu.edu:smtp","SUCCESS"
It has botnet communication over HTTP & SSL; the SSL is for the handshake:
Image
While HTTP is used to poke and receive spam relay information:
Image
Image
and "a lot" of POSTs like below...
Image
Which retrieves the HTML data:
Image
Which, when I saved and opened it, was the captcha of the TDS redirector:
Image
Looking forward to receiving any comments & advice on names. Rgds.
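An added example, not part of unixfreaxjp's post or any project's code, that turns two of the observations above into checks a mail-gateway or host defender can run: the MUA/relay header signatures quoted earlier, and the captured outbound SMTP connection log. The header blocks below are constructed for the example and modelled on the quoted signatures (all hostnames and addresses are placeholders, not IoCs); the SMTP log lines are the ones quoted in the post; the 10-second window and the threshold of 5 distinct mail servers are assumed values, not figures from the post.

```python
import re
from collections import Counter
from email import message_from_string

# Constructed sample headers modelled on the MUA / relay signatures quoted in
# the post above. Hostnames and addresses are placeholders, not real IoCs.
BOT_SENT_HEADERS = """\
Received: from unknown (HELO mail.spammer.invalid) (198.51.100.23)
  by mx.victim.invalid with SMTP; Wed, 29 May 2013 08:10:11 +0000
Received: from EXCH01.spammer.invalid ([10.0.0.5]) by mx.spammer.invalid
  with Microsoft SMTP Server id 8.0.685.24; Wed, 29 May 2013 08:10:10 +0000
From: billing@spoofed.invalid
To: user@victim.invalid
Subject: Your eFax message
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.9)
  Gecko/20100921 Thunderbird/3.1.4
MIME-Version: 1.0
Status: RO

(body omitted)
"""

# Constructed benign headers for contrast.
NORMAL_HEADERS = """\
Received: from mail.example.invalid (mail.example.invalid [203.0.113.9])
  by mx.victim.invalid with ESMTPS; Wed, 29 May 2013 08:12:00 +0000
From: alice@example.invalid
To: user@victim.invalid
Subject: lunch
MIME-Version: 1.0

(body omitted)
"""

MS_SMTP_SIG = re.compile(r"Microsoft SMTP Server id 8\.0\.685\.24")
UA_SIG = re.compile(r"Thunderbird/3\.1\.4")


def header_indicators(raw_headers):
    """Return the campaign traits found in a raw RFC 822 header block.

    Each trait alone is weak evidence; two or more together match the
    sender signature described in the post."""
    msg = message_from_string(raw_headers)
    hits = []
    for received in msg.get_all("Received", []):
        flat = " ".join(received.split())  # unfold continuation lines
        if flat.lower().startswith("from unknown (helo "):
            hits.append("relay: 'from unknown (HELO ...)' hop, HELO name did not resolve")
        if MS_SMTP_SIG.search(flat):
            hits.append("relay: 'Microsoft SMTP Server id 8.0.685.24' hop string")
    if UA_SIG.search(" ".join(msg.get("User-Agent", "").split())):
        hits.append("mua: Thunderbird/3.1.4 User-Agent string seen in the campaign")
    if msg.get("Status", "").strip() == "RO":
        hits.append("mua: 'Status: RO' is a mailbox-store flag, unusual in mail in transit")
    return hits


# Outbound SMTP connection lines as captured in the post
# (format: timestamp ->  destination:smtp","result").
SMTP_LOG = """\
19:58:16.6989801 ->  65.55.96.11:smtp","SUCCESS"
19:59:03.0738552 ->  www2.windstream.net:smtp","SUCCESS"
19:59:03.0739711 ->  www.freenet.de:smtp","SUCCESS"
19:59:03.0740055 ->  67-208-33-32.neospire.net:smtp","SUCCESS"
19:59:03.1832375 ->  208.73.210.29:smtp","SUCCESS"
19:59:03.1833775 ->  web1.gcsu.edu:smtp","SUCCESS"
19:59:03.1834395 ->  searchportal.information.com:smtp","SUCCESS"
19:59:03.1834970 ->  176.32.98.166:smtp","SUCCESS"
19:59:09.0894742 ->  www2.windstream.net:smtp","SUCCESS"
19:59:09.0896164 ->  www.freenet.de:smtp","SUCCESS"
19:59:09.0896742 ->  67-208-33-32.neospire.net:smtp","SUCCESS"
19:59:09.1988465 ->  208.73.210.29:smtp","SUCCESS"
19:59:09.1989401 ->  web1.gcsu.edu:smtp","SUCCESS"
""".splitlines()

LOG_RE = re.compile(r'^(\d\d:\d\d:\d\d\.\d+)\s+->\s+(\S+?):smtp",\s*"(\w+)"')


def parse_smtp_log(lines):
    """Return sorted (seconds_since_midnight, destination_host, result) tuples."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not connection records
        h, mnt, s = m.group(1).split(":")
        events.append((int(h) * 3600 + int(mnt) * 60 + float(s), m.group(2), m.group(3)))
    return sorted(events)


def outbound_smtp_burst(lines, window_seconds=10.0, min_distinct=5):
    """Summarise successful outbound SMTP connections and flag a burst, i.e. at
    least min_distinct different mail servers contacted inside one sliding
    window of window_seconds (both thresholds are assumed for the example)."""
    events = [e for e in parse_smtp_log(lines) if e[2] == "SUCCESS"]
    per_host = Counter(host for _, host, _ in events)
    best = 0
    for i, (t0, _, _) in enumerate(events):
        hosts = {host for t, host, _ in events[i:] if t - t0 <= window_seconds}
        best = max(best, len(hosts))
    return {
        "connections": len(events),
        "distinct_hosts": len(per_host),
        "max_distinct_in_window": best,
        "burst": best >= min_distinct,
        "top": per_host.most_common(3),
    }


if __name__ == "__main__":
    print(header_indicators(BOT_SENT_HEADERS))
    print(outbound_smtp_burst(SMTP_LOG))
```

On the captured log the burst check sees 13 successful connections to 8 different mail servers, 7 of them inside a single 10-second window, which is the pattern an ordinary workstation never produces and a spambot produces constantly; on a host this is the signal to raise before any sample naming is settled.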
 #19503  by EP_X0FF
 Fri May 31, 2013 3:54 am
So maybe you will attach sample.exe?
 #19508  by unixfreaxjp
 Fri May 31, 2013 7:33 am
EP_X0FF wrote:Sample.exe is Win32/Cutwail
See attach for decrypted.
https://www.virustotal.com/en/file/5f8f ... 369975489/
Posts moved.
Copy that! Thank you for confirming, friend. Now updating all related reports.
Now we know that this malvertisement campaign sent PWS Trojan, Zbot Banking Trojan and Cutwail.
I'll post additional info after whacking the C2; let's pull as much evidence as is available.
 #19513  by PX5
 Fri May 31, 2013 1:52 pm
Hmmmmm, seems my monday is happening 5 days in a row this week, please ignore this post. :(
 #19517  by rough_spear
 Sat Jun 01, 2013 5:15 am
EP_X0FF wrote:
rough_spear wrote:Hi All,

two more cutwail samples.

MD5 - 357423154CF2DEB27CEA8219633158CA

https://www.virustotal.com/en/file/14ae ... /analysis/

MD5 - F76D105EAF3E29CCF817EB5E0D83A221

https://www.virustotal.com/en/file/c5df ... /analysis/

Regards,

rough_spear. ;)
Your attachment is missing.
Sorry guys here is the attachment. :oops:

rough_spear.
Attachments
password - infected.