Very similar to those microjoin exploits?
Drops the rogue AV Security Suite.
Buster Sandbox Analyzer:
Detailed report of suspicious malware actions:
Created a service named: (null)
Created an event named: 324dbd2d
Created an event named: 56e302a3
Created an event named: 86405872
Created an event named: 998b6f2f
Created an event named: Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwWriterEvent
Created process: (null),"C:\Users\Administrator\AppData\Local\Temp\p2hhr.bat" "C:\Users\Administrator\AppData\Local\Temp\ufdqen.exe",C:\Users\Administrator\Desktop
Created process: (null),C:\Users\ADMINI~1\AppData\Local\Temp\1050127551.exe,(null)
Created process: (null),C:\Users\ADMINI~1\AppData\Local\Temp\1102231642.exe,(null)
Created process: (null),C:\Users\ADMINI~1\AppData\Local\Temp\1192087800.exe,(null)
Created process: (null),C:\Users\ADMINI~1\AppData\Local\Temp\avp32.exe,(null)
Created process: (null),C:\Users\ADMINI~1\AppData\Local\Temp\bxdq.exe,(null)
Created process: (null),C:\Users\ADMINI~1\AppData\Local\Temp\cmtxmnqu.exe,(null)
Created process: (null),C:\Users\ADMINI~1\AppData\Local\Temp\debug.exe,(null)
Created process: (null),C:\Users\ADMINI~1\AppData\Local\Temp\gdi32.exe,(null)
Created process: (null),C:\Users\ADMINI~1\AppData\Local\Temp\ghycsri.exe,(null)
Created process: (null),C:\Users\ADMINI~1\AppData\Local\Temp\hexdump.exe,(null)
Created process: (null),C:\Users\ADMINI~1\AppData\Local\Temp\iexplorer.exe,(null)
Created process: (null),C:\Users\ADMINI~1\AppData\Local\Temp\install.exe,(null)
Created process: (null),C:\Users\ADMINI~1\AppData\Local\Temp\lk1cas.exe,(null)
Created process: (null),C:\Users\ADMINI~1\AppData\Local\Temp\login.exe,(null)
Created process: (null),C:\Users\ADMINI~1\AppData\Local\Temp\lpyh.exe,(null)
Created process: (null),C:\Users\ADMINI~1\AppData\Local\Temp\lsass.exe,(null)
Created process: (null),C:\Users\ADMINI~1\AppData\Local\Temp\mbmcqem.exe,(null)
Created process: (null),C:\Users\ADMINI~1\AppData\Local\Temp\mdm.exe,(null)
Created process: (null),C:\Users\ADMINI~1\AppData\Local\Temp\notepad.exe,(null)
Created process: (null),C:\Users\ADMINI~1\AppData\Local\Temp\nvsvc32.exe,(null)
Created process: (null),C:\Users\ADMINI~1\AppData\Local\Temp\pbidwr.exe,(null)
Created process: (null),C:\Users\ADMINI~1\AppData\Local\Temp\setup.exe,(null)
Created process: (null),C:\Users\ADMINI~1\AppData\Local\Temp\taskmgr.exe,(null)
Created process: (null),C:\Users\ADMINI~1\AppData\Local\Temp\tlsf.exe,(null)
Created process: (null),C:\Users\ADMINI~1\AppData\Local\Temp\ufdqen.exe,(null)
Created process: (null),C:\Users\ADMINI~1\AppData\Local\Temp\vduf.exe,(null)
Created process: (null),C:\Users\ADMINI~1\AppData\Local\Temp\vnwcnulw.exe,(null)
Created process: (null),C:\Users\ADMINI~1\AppData\Local\Temp\win16.exe,(null)
Created process: (null),C:\Users\ADMINI~1\AppData\Local\Temp\winlogon.exe,(null)
Created process: (null),C:\Users\ADMINI~1\AppData\Local\Temp\xjyu11xj.exe,(null)
Created process: (null),C:\Users\ADMINI~1\AppData\Local\Temp\xtxhsr7mfwht2.exe,(null)
Created process: (null),explorer.exe,(null)
Created process: (null),Regsvr32.exe /s C:\Windows\system32\zwi5b65r.dll,(null)
Created process: (null),rundll32.exe "C:\Users\Administrator\AppData\Local\gat310.dll",iep,(null)
Created process: (null),rundll32.exe "C:\Users\Administrator\AppData\Local\gat310.dll",Startup,(null)
Created process: (null),rundll32.exe "C:\Users\Administrator\AppData\Local\uxigazixoci.dll",l,(null)
Created process: C:\Windows\system32\cmd.exe,"C:\Windows\system32\cmd.exe" /c del C:\Users\ADMINI~1\AppData\Local\Temp\mbmcqem.exe > nul,C:\Users\Administrator\Desktop
Created process: C:\Windows\system32\cmd.exe,"C:\Windows\system32\cmd.exe" /c del C:\Users\ADMINI~1\Desktop\keygen.exe > nul,C:\Users\Administrator\Desktop
Created process: H:\Sandbox\Administrator\Testings\user\current\AppData\Local\Temp\pbidwr.exe,C:\Users\ADMINI~1\AppData\Local\Temp\pbidwr.exe,C:\Users\Administrator\Desktop
Defined file type copied to Windows folder: C:\WINDOWS\SYSTEM32\zwi5b65r.dll
Defined file type created: C:\IO.SYS
Defined file type created: C:\MSDOS.SYS
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\{E1E713CA-325D-4120-B9A3-E9DDFCB0F77F}\chrome.manifest
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\{E1E713CA-325D-4120-B9A3-E9DDFCB0F77F}\chrome\content\_cfg.js
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\gat310.dll
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Temp\1102231642.exe
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Temp\1192087800.exe
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Temp\avp32.exe
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Temp\bxdq.exe
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Temp\cmtxmnqu.exe
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Temp\debug.exe
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Temp\gdi32.exe
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Temp\ghycsri.exe
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Temp\hexdump.exe
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Temp\iexplorer.exe
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Temp\install.exe
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Temp\lk1cas.exe
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Temp\lkbvf.exe
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Temp\login.exe
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Temp\lpyh.exe
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Temp\lsass.exe
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Temp\mdm.exe
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Temp\notepad.exe
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Temp\nvsvc32.exe
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Temp\p2hhr.bat
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Temp\pbidwr.exe
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Temp\setup.exe
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Temp\taskmgr.exe
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Temp\tlsf.exe
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Temp\ufdqen.exe
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Temp\vduf.exe
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Temp\win16.exe
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Temp\winlogon.exe
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Temp\xjyu11xj.exe
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Temp\xtxhsr7mfwht2.exe
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\uxigazixoci.dll
Defined file type created: C:\Users\Administrator\AppData\Desktop\keygen.exe
Defined registry AutoStart location added or modified: machine\software\microsoft\Windows\CurrentVersion\Run\Kwoxesewer = rundll32.exe "C:\Users\Administrator\AppData\Local\uxigazixoci.dll",Startup
Defined registry AutoStart location added or modified: machine\software\Policies\Microsoft\Windows NT\SystemRestore\DisableSR = 01000000
Defined registry AutoStart location added or modified: machine\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations = \??\C:\Users\ADMINI~1\AppData\Local\Temp\15093897.tmp
Defined registry AutoStart location added or modified: machine\System\CurrentControlSet\Services\2303011160\ImagePath = C:\Windows\system32\drivers\2303011160.sys
Defined registry AutoStart location added or modified: machine\System\CurrentControlSet\Services\2303011160\Type = 01000000
Defined registry AutoStart location added or modified: machine\System\CurrentControlSet\Services\SbieSvc\SandboxedServices = *303011160
Defined registry AutoStart location added or modified: user\current\software\Microsoft\Internet Explorer\Toolbar\Locked = 01000000
Defined registry AutoStart location added or modified: user\current\software\Microsoft\Windows\CurrentVersion\Run\haw389r7uifhdfigdhudf = C:\Users\Administrator\AppData\Local\Temp\xjyu11xj.exe
Defined registry AutoStart location added or modified: user\current\software\Microsoft\Windows\CurrentVersion\Run\hsfio38fiosfh398rfisjhkdsfd = C:\Users\Administrator\AppData\Local\Temp\setup.exe
Defined registry AutoStart location added or modified: user\current\software\Microsoft\Windows\CurrentVersion\Run\Hsusoyuy = rundll32.exe "C:\Users\Administrator\AppData\Local\gat310.dll",Startup
Detected backdoor listening on port: 0
Detected keylogger functionality
Detected process privilege elevation
Disable registry tools: user\current\software\microsoft\windows\currentversion\policies\system\disableregistrytools = 01000000
Enumerated running processes
Hide file extension for known file types: user\current\software\microsoft\windows\currentversion\explorer\advanced\hidefileext = 01000000
Hide file from user: C:\IO.SYS
Hide file from user: C:\MSDOS.SYS
IE settings change: user\current\software\microsoft\internet explorer\main\windowssearch\version = ws not installed
Internet connection: C:\Program Files\Mozilla Firefox\firefox.exe Connects to "199.7.51.72" on port 80 (TCP - HTTP).
Internet connection: C:\Program Files\Mozilla Firefox\firefox.exe Connects to "63.245.213.91" on port 443 (TCP - HTTPS).
Internet connection: C:\Users\Administrator\Desktop\keygen.exe Connects to "195.2.252.14" on port 80 (TCP - HTTP).
Internet connection: C:\Users\Administrator\Desktop\keygen.exe Connects to "68.178.232.99" on port 80 (TCP - HTTP).
Internet connection: H:\Sandbox\Administrator\Testings\user\current\AppData\Local\Temp\taskmgr.exe Connects to "85.17.239.43" on port 80 (TCP - HTTP).
Internet connection: H:\Sandbox\Administrator\Testings\user\current\AppData\Local\Temp\ufdqen.exe Connects to "94.75.233.241" on port 80 (TCP - HTTP).
Internet connection: H:\Sandbox\Administrator\Testings\user\current\AppData\Local\Temp\vnwcnulw.exe Connects to "204.45.118.250" on port 80 (TCP - HTTP).
Internet connection: H:\Sandbox\Administrator\Testings\user\current\AppData\Local\Temp\vnwcnulw.exe Connects to "64.120.144.69" on port 80 (TCP - HTTP).
Listed all entry names in a remote access phone book
Opened a service named: 1394ohci
Opened a service named: AcpiPmi
Opened a service named: adp94xx
Opened a service named: adpahci
Opened a service named: adpu320
Opened a service named: agp440
Opened a service named: aic78xx
Opened a service named: aliide
Opened a service named: amdagp
Opened a service named: amdide
Opened a service named: AmdK8
Opened a service named: AmdPPM
Opened a service named: amdsata
Opened a service named: amdsbs
Opened a service named: AppID
Opened a service named: arc
Opened a service named: arcsas
Opened a service named: AsyncMac
Opened a service named: AudioSrv
Opened a service named: b06bdrv
Opened a service named: b57nd60x
Opened a service named: BrFiltLo
Opened a service named: BrFiltUp
Opened a service named: Brserid
Opened a service named: BrSerWdm
Opened a service named: BrUsbMdm
Opened a service named: BrUsbSer
Opened a service named: BTHMODEM
Opened a service named: cdfs
Opened a service named: circlass
Opened a service named: CmBatt
Opened a service named: cmdide
Opened a service named: Compbatt
Opened a service named: crcdisk
Opened a service named: Csc
Opened a service named: CscService
Opened a service named: drmkaud
Opened a service named: ebdrv
Opened a service named: elxstor
Opened a service named: ErrDev
Opened a service named: exfat
Opened a service named: Filetrace
Opened a service named: FsDepends
Opened a service named: gagp30kx
Opened a service named: hcw85cir
Opened a service named: HidBatt
Opened a service named: HidBth
Opened a service named: HidIr
Opened a service named: HpSAMD
Opened a service named: iaStorV
Opened a service named: iirsp
Opened a service named: intelide
Opened a service named: IpFilterDriver
Opened a service named: IPMIDRV
Opened a service named: IPNAT
Opened a service named: IRENUM
Opened a service named: isapnp
Opened a service named: iScsiPrt
Opened a service named: kbdhid
Opened a service named: LanmanServer
Opened a service named: LSI_FC
Opened a service named: LSI_SAS
Opened a service named: LSI_SAS2
Opened a service named: LSI_SCSI
Opened a service named: megasas
Opened a service named: MegaSR
Opened a service named: Modem
Opened a service named: mpio
Opened a service named: mpsdrv
Opened a service named: MRxDAV
Opened a service named: msahci
Opened a service named: msdsm
Opened a service named: mshidkmdf
Opened a service named: MSKSSRV
Opened a service named: MSPCLOCK
Opened a service named: MSPQM
Opened a service named: MsRPC
Opened a service named: MSTEE
Opened a service named: MTConfig
Opened a service named: NativeWifiP
Opened a service named: NdisCap
Opened a service named: Ndisuio
Opened a service named: nfrd960
Opened a service named: nv_agp
Opened a service named: nvraid
Opened a service named: nvstor
Opened a service named: ohci1394
Opened a service named: Parport
Opened a service named: Parvdm
Opened a service named: pcmcia
Opened a service named: Processor
Opened a service named: ql2300
Opened a service named: ql40xx
Opened a service named: QWAVEdrv
Opened a service named: RasAcd
Opened a service named: rasman
Opened a service named: RDPDR
Opened a service named: RDPWD
Opened a service named: s3cap
Opened a service named: sbp2port
Opened a service named: scfilter
Opened a service named: Sens
Opened a service named: sermouse
Opened a service named: sffdisk
Opened a service named: sffp_mmc
Opened a service named: sffp_sd
Opened a service named: sfloppy
Opened a service named: sisagp
Opened a service named: SiSRaid2
Opened a service named: SiSRaid4
Opened a service named: Smb
Opened a service named: stexstor
Opened a service named: storvsc
Opened a service named: TCPIP6
Opened a service named: TDPIPE
Opened a service named: TDTCP
Opened a service named: tssecsrv
Opened a service named: uagp35
Opened a service named: udfs
Opened a service named: uliagpkx
Opened a service named: UmPass
Opened a service named: usbccgp
Opened a service named: usbcir
Opened a service named: usbohci
Opened a service named: usbprint
Opened a service named: USBSTOR
Opened a service named: vga
Opened a service named: vhdmp
Opened a service named: viaagp
Opened a service named: ViaC7
Opened a service named: viaide
Opened a service named: vmbus
Opened a service named: VMBusHID
Opened a service named: vsmraid
Opened a service named: vwifibus
Opened a service named: WacomPen
Opened a service named: WANARP
Opened a service named: Wd
Opened a service named: WIMMount
Opened a service named: WmiAcpi
Opened a service named: ws2ifsl
Opened a service named: WudfPf
Query DNS: 0001167963.aee5d837.04 712E4A748E7B4DC1B02634E8BF953CA5.n.empty.19.empty.6_1._t_i.3000.keygen_exe.163.rc2.a4h9uploading.com
Query DNS: acromd.com
Query DNS: addons.mozilla.org
Query DNS: cacrazy.com
Query DNS: daporch.com
Query DNS: evsecure-ocsp.verisign.com
Query DNS: ocsp.verisign.com
Query DNS: perscrt.com
Risk evaluation result: High
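A BSA report like the one above is long, and most of the "Opened a service" lines are just the driver enumeration the sample does to look around. What an analyst actually pulls out of it are the persistence points (Run keys, the new kernel driver service, the PendingFileRenameOperations entry), the defence-evasion policy keys (DisableSR, DisableRegistryTools, HideFileExt), the rundll32/regsvr32 proxy launches, the self-delete via cmd.exe, and the non-browser network endpoints. The script below is an added example, not part of the original post and not part of Buster Sandbox Analyzer; it parses a subset of the report lines copied from above into those IOC buckets. The allow-list that treats firefox.exe, *.mozilla.org and *.verisign.com as sandbox background noise is an assumption for this analysis environment, not a general rule.

```python
"""
Triage helper for Buster Sandbox Analyzer report lines.
Added example, not BSA's own code. Parses the "Detailed report of suspicious
malware actions" lines into IOC categories an analyst would carry forward.
"""
import re
from collections import defaultdict

# Subset of lines copied from the BSA report above.
SAMPLE_REPORT = r"""
Created process: (null),C:\Users\ADMINI~1\AppData\Local\Temp\avp32.exe,(null)
Created process: (null),Regsvr32.exe /s C:\Windows\system32\zwi5b65r.dll,(null)
Created process: (null),rundll32.exe "C:\Users\Administrator\AppData\Local\gat310.dll",Startup,(null)
Created process: C:\Windows\system32\cmd.exe,"C:\Windows\system32\cmd.exe" /c del C:\Users\ADMINI~1\Desktop\keygen.exe > nul,C:\Users\Administrator\Desktop
Defined registry AutoStart location added or modified: machine\software\microsoft\Windows\CurrentVersion\Run\Kwoxesewer = rundll32.exe "C:\Users\Administrator\AppData\Local\uxigazixoci.dll",Startup
Defined registry AutoStart location added or modified: machine\software\Policies\Microsoft\Windows NT\SystemRestore\DisableSR = 01000000
Defined registry AutoStart location added or modified: machine\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations = \??\C:\Users\ADMINI~1\AppData\Local\Temp\15093897.tmp
Defined registry AutoStart location added or modified: machine\System\CurrentControlSet\Services\2303011160\ImagePath = C:\Windows\system32\drivers\2303011160.sys
Defined registry AutoStart location added or modified: user\current\software\Microsoft\Windows\CurrentVersion\Run\haw389r7uifhdfigdhudf = C:\Users\Administrator\AppData\Local\Temp\xjyu11xj.exe
Disable registry tools: user\current\software\microsoft\windows\currentversion\policies\system\disableregistrytools = 01000000
Hide file extension for known file types: user\current\software\microsoft\windows\currentversion\explorer\advanced\hidefileext = 01000000
Internet connection: C:\Program Files\Mozilla Firefox\firefox.exe Connects to "63.245.213.91" on port 443 (TCP - HTTPS).
Internet connection: H:\Sandbox\Administrator\Testings\user\current\AppData\Local\Temp\taskmgr.exe Connects to "85.17.239.43" on port 80 (TCP - HTTP).
Query DNS: acromd.com
Query DNS: addons.mozilla.org
Query DNS: ocsp.verisign.com
"""

# BSA "Created process" lines are parent,commandline,cwd; the command line itself
# may contain commas (rundll32 "dll",Export), so cwd is taken from the last comma.
PROCESS_RE = re.compile(r'^Created process: (?P<parent>[^,]*),(?P<cmd>.*),(?P<cwd>[^,]*)$')
AUTOSTART_RE = re.compile(r'^Defined registry AutoStart location added or modified: (?P<key>.*?) = (?P<value>.*)$')
POLICY_RE = re.compile(r'^(?:Disable registry tools|Hide file extension for known file types): (?P<key>.*?) = (?P<value>.*)$')
CONN_RE = re.compile(r'^Internet connection: (?P<image>.*?) Connects to "(?P<ip>[^"]+)" on port (?P<port>\d+)')
DNS_RE = re.compile(r'^Query DNS: (?P<name>\S+)$')

# Assumed sandbox background noise: the browser and its certificate/add-on checks.
BENIGN_IMAGES = {'firefox.exe'}
BENIGN_DOMAIN_SUFFIXES = ('.mozilla.org', '.verisign.com')
# Signed Windows binaries commonly used to proxy-execute a dropped DLL.
PROXY_BINARIES = ('rundll32.exe', 'regsvr32.exe')


def basename(path):
    """Lower-cased file name of a Windows path (Sandboxie-redirected paths included)."""
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def parse_report(text):
    """Bucket BSA report lines into IOC categories; unknown lines are ignored."""
    ioc = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := PROCESS_RE.match(line):
            cmd = m['cmd']
            first = basename(cmd.split(' ', 1)[0].strip('"'))
            if first in PROXY_BINARIES:
                ioc['proxy_execution'].append(cmd)
            elif first == 'cmd.exe' and ' /c del ' in cmd.lower():
                ioc['self_delete'].append(cmd)
            else:
                ioc['processes'].append(cmd)
        elif m := AUTOSTART_RE.match(line):
            key, value = m['key'], m['value']
            lk = key.lower()
            if '\\currentversion\\run\\' in lk:
                ioc['run_keys'].append((key.rsplit('\\', 1)[-1], value))
            elif '\\services\\' in lk and lk.endswith('\\imagepath'):
                ioc['services'].append(value)           # new driver/service image
            elif lk.endswith('pendingfilerenameoperations'):
                ioc['pending_file_ops'].append(value)   # file replaced at next boot
            elif lk.endswith('\\disablesr'):
                ioc['defense_evasion'].append(key)      # System Restore disabled
            else:
                ioc['other_autostart'].append((key, value))
        elif m := POLICY_RE.match(line):
            ioc['defense_evasion'].append(m['key'])
        elif m := CONN_RE.match(line):
            image = basename(m['image'])
            entry = (image, m['ip'], int(m['port']))
            ioc['background_noise' if image in BENIGN_IMAGES else 'connections'].append(entry)
        elif m := DNS_RE.match(line):
            name = m['name'].lower()
            ioc['background_noise' if name.endswith(BENIGN_DOMAIN_SUFFIXES) else 'dns'].append(name)
    return dict(ioc)


if __name__ == '__main__':
    for category, items in sorted(parse_report(SAMPLE_REPORT).items()):
        print(f'[{category}]')
        for item in items:
            print('   ', item)
```

Feed it the full report rather than the excerpt and the Run-key bucket picks up all four entries (Kwoxesewer, Hsusoyuy and the two random-named Temp executables), which is the short list to check on the host after the reboot that PendingFileRenameOperations implies.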