A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #24439  by EP_X0FF
 Thu Nov 27, 2014 6:02 am
Patrick wrote: 'top-tier' or 'the most sophisticated'.
Where the threat level strictly depends on how much money they received from customers. Authors of the Intercept "great" article proclaimed there will be more "revelations". So more IRQL levels to check, more "ddk" tags to discover and more overall "stealth" to uncover. I would rather be interested to hear not any "new" articles from them, but a deep independent look at their own financial information. I think they got rich in a few months before. Morgan Marquis-Boire, Claudio Guarnieri, Ryan Gallagher - how much do they get paid to become "APT whores"? (just curious, maybe it's worth it) :) If in the case of the Turla campaign the customer was pretty much clear from the beginning (one of its contractors was painting fake Excel Turla distribution diagrams for their later report), in this case the campaign customer may be quite from the opposite side, or it's more difficult and this is intended to play on the overall media hysteria.
 #24495  by nullandnull
 Mon Dec 01, 2014 10:57 pm
Code:
push    'CraP'          ; Tag
push    20h             ; NumberOfBytes
push    edi             ; PoolType
call    ds:ExAllocatePoolWithTag
via DB405AD775AC887A337B02EA8B07FDDC

I bet the authors are sad none of the AVs have posted their "CraP" pool tag in an analysis yet. It made me laugh the first time I saw it. Does anyone have a copy of the 64 bit samples (d446b1ed24dad48311f287f3c65aeb80 & de3547375fbf5f4cb4b14d53f413c503)? They haven't been uploaded to VT and they aren't in any of the attached files.
 #24497  by EP_X0FF
 Tue Dec 02, 2014 4:23 am
What do you expect to find there? Another dump full of bullshit?
 #24509  by rad
 Wed Dec 03, 2014 8:18 am
Does anybody have the payloads which are mentioned as stage 4 or 5?

Stage 4 32 bit:
1e4076caa08e41a5befc52efd74819ea
68297fde98e9c0c29cecc0ebf38bde95
6cf5dc32e1f6959e7354e85101ec219a
885dcd517faf9fac655b8da66315462d
a1d727340158ec0af81a845abd3963c1
Stage 4 64 bit:
de3547375fbf5f4cb4b14d53f413c503

These are from Kaspersky's report, I guess:
http://securelist.com/files/2014/11/Kas ... rm_eng.pdf
 #24647  by Patrick
 Thu Dec 18, 2014 6:37 am
Any samples of the stage 1 loader, perhaps db405ad775ac887a337b02ea8b07fddc or 01c2f321b6bfdb9473c079b0797567ba?
 #24650  by Patrick
 Thu Dec 18, 2014 12:19 pm
hx1997 wrote:
Patrick wrote:Any samples of the stage 1 loader, perhaps db405ad775ac887a337b02ea8b07fddc or 01c2f321b6bfdb9473c079b0797567ba?
http://www.kernelmode.info/forum/viewto ... 602#p24426
Thanks for the quick reply.

Unless I am blind though, or unless one (or many) of those hashes are the same, just differently packaged, etc., neither db405ad775ac887a337b02ea8b07fddc nor 01c2f321b6bfdb9473c079b0797567ba is included in that sample.

https://www.us-cert.gov/ncas/alerts/TA14-329A
Unusual stage 1 files apparently compiled from various public source codes merged with malicious code:
01c2f321b6bfdb9473c079b0797567ba
47d0e8f9d7a6429920329207a32ecc2e
744c07e886497f7b68f6f7fe57b7ab54
db405ad775ac887a337b02ea8b07fddc
 #24652  by hx1997
 Thu Dec 18, 2014 12:58 pm
Patrick wrote:Thanks for the quick reply.

Unless I am blind though, or unless one (or many) of those hashes are the same, just differently packaged, etc., neither db405ad775ac887a337b02ea8b07fddc nor 01c2f321b6bfdb9473c079b0797567ba is included in that sample.

https://www.us-cert.gov/ncas/alerts/TA14-329A
Unusual stage 1 files apparently compiled from various public source codes merged with malicious code:
01c2f321b6bfdb9473c079b0797567ba
47d0e8f9d7a6429920329207a32ecc2e
744c07e886497f7b68f6f7fe57b7ab54
db405ad775ac887a337b02ea8b07fddc
db405ad775ac887a337b02ea8b07fddc and 01c2f321b6bfdb9473c079b0797567ba are MD5 hashes. 225e9596de85ca7b1025d6e444f6a01aa6507feef213f4d2e20da9e7d5d8e430 and 392f32241cd3448c7a435935f2ff0d2cdc609dda81dd4946b1c977d25134e96e are their equivalent SHA256 hashes respectively, which are both included in that sample. Thought you'd know that; they're the same files, just hashed with different algorithms.