upass Kit (alias Worm:Win32/Rombrast)

#14433 by leeno
Wed Jul 04, 2012 6:37 pm

Attached is the file . Lets analysis this ..

Username

leeno

Posts

45

Joined

Wed Apr 11, 2012 10:19 am

Re: upass Kit malware sample : antivm

#14437 by Xylitol
Wed Jul 04, 2012 9:28 pm

Upas advert:

VT Scan: https://www.virustotal.com/file/1e87d2c ... 341437412/

Registration Problems and FAQ - Rules For Malware Requests

Username

Xylitol

Rank

Global Moderator

Posts

1706

Joined

Sat Apr 10, 2010 5:54 pm

Location

Seireitei, Soul Society

Contact

Re: upass Kit malware sample : antivm

#14462 by EP_X0FF
Fri Jul 06, 2012 3:07 am

What kind of antivm you found inside? As for me it is primitive mass injector with mass installed ring3 hooks it uses for hiding, including hiding copy of explorer.exe

[1184]explorer.exe-->ntdll.dll-->NtDeleteValueKey, Type: Inline - RelativeJump 0x7C90D250-->01EF429C [unknown_code_page]
[1184]explorer.exe-->ntdll.dll-->NtEnumerateValueKey, Type: Inline - RelativeJump 0x7C90D2D0-->01EF4750 [unknown_code_page]
[1184]explorer.exe-->ntdll.dll-->NtOpenProcess, Type: Inline - RelativeJump 0x7C90D5E0-->01EF41D3 [unknown_code_page]
[1184]explorer.exe-->ntdll.dll-->NtQueryDirectoryFile, Type: Inline - RelativeJump 0x7C90D750-->01EF47E2 [unknown_code_page]
[1184]explorer.exe-->ntdll.dll-->NtQuerySystemInformation, Type: Inline - RelativeJump 0x7C90D910-->01EF44B0 [unknown_code_page]
[1184]explorer.exe-->ntdll.dll-->NtResumeThread, Type: Inline - RelativeJump 0x7C90DB20-->01EF41FE [unknown_code_page]
[1184]explorer.exe-->ntdll.dll-->NtSetInformationFile, Type: Inline - RelativeJump 0x7C90DC40-->01EF4518 [unknown_code_page]
[1184]explorer.exe-->ntdll.dll-->NtSetValueKey, Type: Inline - RelativeJump 0x7C90DDB0-->01EF437D [unknown_code_page]
[1184]explorer.exe-->ntdll.dll-->NtWriteFile, Type: Inline - RelativeJump 0x7C90DF60-->01EF45E4 [unknown_code_page]

Code: Select all

7C90D2D0:    E97B745085                jmp 01E14750h
7C90D2D5:    BA0003FE7F                mov edx, 7FFE0300h
7C90D2DA:    FF12                      call [edx]
7C90D2DC:    C21800                    retn 0018h

Boring crap, SpyEye was better.

Code: Select all

GetVolumeInformationW(&RootPathName, 0, 0, &VolumeSerialNumber, 0, 0, 0, 0);
if ( VolumeSerialNumber == 0xCD1A40 || sub_402999() == 1 )
{
      MessageBoxA(0, "Think with your dipstick, Jimmy!", "ERROR_BRAIN_TOO_SMALL", 0x10u);
      ExitProcess('dumb');
}

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: upass Kit (alias Worm:Win32/Rombrast)

#14479 by leeno
Fri Jul 06, 2012 2:20 pm

Attached is the file . Lets analysis this ..

Attachments

test.rar

infected
(68.7 KiB) Downloaded 66 times

Username

leeno

Posts

45

Joined

Wed Apr 11, 2012 10:19 am

Re: upass Kit (alias Worm:Win32/Rombrast)

#14481 by leeno
Fri Jul 06, 2012 2:32 pm

leeno wrote:Attached is the file . Lets analysis this ..

more upass samples

Attachments

34616354e62b757b9339a2a99cc58e60.rar

pass:infected
(33.17 KiB) Downloaded 62 times

Username

leeno

Posts

45

Joined

Wed Apr 11, 2012 10:19 am

Re: upass Kit (alias Worm:Win32/Rombrast)

#14482 by leeno
Fri Jul 06, 2012 2:34 pm

leeno wrote:
leeno wrote:Attached is the file . Lets analysis this ..
more upass samples

Attachments

b652aa1419f3d3644149656874f8bd89.rar

pass: infected
(43.92 KiB) Downloaded 62 times

Username

leeno

Posts

45

Joined

Wed Apr 11, 2012 10:19 am

Re: upass Kit (alias Worm:Win32/Rombrast)

#14484 by leeno
Fri Jul 06, 2012 2:56 pm

leeno wrote:
leeno wrote:
leeno wrote:Attached is the file . Lets analysis this ..
more upass samples

Attachments

3200007c2d3e3347433ccd75d0ab7dbb.rar

pass:infected
(43.97 KiB) Downloaded 59 times

Username

leeno

Posts

45

Joined

Wed Apr 11, 2012 10:19 am

Worm:Win32/Rombrast Variant

#14519 by leeno
Sun Jul 08, 2012 3:56 pm

Variant attached

Attachments

0caea99c4d7e2b22308f4daf6b83dca3.rar

pass:infected
(80.45 KiB) Downloaded 62 times

Username

leeno

Posts

45

Joined

Wed Apr 11, 2012 10:19 am