A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #15588  by SeT[X]
 Sun Sep 16, 2012 12:04 am
Hello,
I've receive this sample:
MD5: a393c059e5269784b58ee1742f50555a
SHA1: f819821e158fb4aee7f7c2cd824988504134355a
SHA256: 5ff4b976bdb3fee6a28102e31fd887dc966ce7879043c62e5d68f89d3ef16c96
https://www.virustotal.com/file/5ff4b97 ... /analysis/

I don't how I can atach the file here, but if anyone want it, I'll send it via email.

The binary seams to be crypted/packed with Small polymorphic crypter, but I can't unpacked it, can someone help me to unpack it please.
I have sea some anti debuggin implementations, but there are somthing more, and I don't sea it.
Help please.
Thanks in advance.
 #15595  by Win32:Virut
 Sun Sep 16, 2012 7:58 am
SeT[X] wrote:Hello,
I've receive this sample:
MD5: a393c059e5269784b58ee1742f50555a
SHA1: f819821e158fb4aee7f7c2cd824988504134355a
SHA256: 5ff4b976bdb3fee6a28102e31fd887dc966ce7879043c62e5d68f89d3ef16c96
https://www.virustotal.com/file/5ff4b97 ... /analysis/

I don't how I can atach the file here, but if anyone want it, I'll send it via email.

The binary seams to be crypted/packed with Small polymorphic crypter, but I can't unpacked it, can someone help me to unpack it please.
I have sea some anti debuggin implementations, but there are somthing more, and I don't sea it.
Help please.
Thanks in advance.

Please compress this file with password "infected" and attach using:
Image
Image
 #15598  by SeT[X]
 Sun Sep 16, 2012 8:50 am
Win32:Virut wrote:
SeT[X] wrote:Hello,
I've receive this sample:
MD5: a393c059e5269784b58ee1742f50555a
SHA1: f819821e158fb4aee7f7c2cd824988504134355a
SHA256: 5ff4b976bdb3fee6a28102e31fd887dc966ce7879043c62e5d68f89d3ef16c96
https://www.virustotal.com/file/5ff4b97 ... /analysis/

I don't how I can atach the file here, but if anyone want it, I'll send it via email.

The binary seams to be crypted/packed with Small polymorphic crypter, but I can't unpacked it, can someone help me to unpack it please.
I have sea some anti debuggin implementations, but there are somthing more, and I don't sea it.
Help please.
Thanks in advance.
Thanks, this is it.
Attachments
(33.75 KiB) Downloaded 101 times
 #16231  by moriarty
 Tue Oct 23, 2012 4:23 pm
Hi first post here,

Thanks for the sample attached above. The crypter used for this is not hard at all to unpack. Heck, I managed to do it, without even setting any anti-debug options.
Once the crypter layer has been bypassed, its the same old Andromeda binary. When you see OpenMutex with 'lol' as a parameter, thats the original Gamarue/Andro binary.
 #17769  by unixfreaxjp
 Sun Jan 20, 2013 8:19 am
I saw a double infectionwhich utilize the Trojan/Andromeda.
Nature of infection: t was served in Apache's infector od Blackhole v2.1
The double payloads downloaded via a faking Java u11 updater.
Infection related data in the below details:
Code: Select all
Redirector: digitalcurrencyreport.com (109.163.230.125)
Exploit kit: http://mongif.biz/assumed/timing_borrows.php (46.166.169.179) 
Cnc: wordpress.serveblog.net:3360 (46.253.180.35)
Set of samples captured: (info.exe = Trojan/Andromeda)
Image
The info.exe is trojan/Andromeda. It drops itself:
Image
Making registry autorun:
Code: Select all
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched: "C:\Documents and Settings\All Users\svchost.exe"
 
Self injection to other process:
Image
And opening TCP/IP:Port 0.0.0.0:8000 as backdoor:
Image
Anti-VM trace, Fake JavaUpdate traces also detected in memory:
Image
Although many AV products mentioned it as downloader, I run it for 12 hrs with capturing network traffic, other than backdoor at 0.0.0.0:8000 this trojan doesn't do downloads, or at least not yet.

It came in pair with calc.exe which I suspect it as the ransomware.
(I am sorry if this thread is not about ransomware, but allow me to wrote as explanation of Andromeda nature of this infection)
After self copied, self deletion and self executable...
Code: Select all
PID: 3140 [PATH]\calc.exe ADDR: 0x87021b
CopyFileA(lpExistingFileName: "[PATH]\calc.exe",
lpNewFileName: "%AppData%\igfx\igfxtray.exe",
bFailIfExists: 0x0)
Image
Image
More registry changes occured:
Code: Select all
----------------------------------
Keys added:
----------------------------------
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{SG16VPH3-6PN7-VTP0-6V64-104BV7F3IRAF}
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.Identifier
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.Identifier\OpenWithList
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\6
----------------------------------
Values added:
----------------------------------
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{SG16VPH3-6PN7-VTP0-6V64-104BV7F3IRAF}\StubPath: ""C:\Documents and Settings\USER\Application Data\igfx\igfxtray.exe""
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run\igfxtray: "C:\Documents and Settings\USER\Application Data\igfx\igfxtray.exe"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\USER\Application Data\igfx\igfxtray.exe: "Pagent Show"
----------------------------------
Values deleted:
----------------------------------
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\14: 30 00 31 00 30 00 2E 00 62 00 6D 00 70 00 00 00 3C 00 32 00 00 00 00 00 00 00 00 00 00 00 30 31 30 2E 6C 6E 6B 00 26 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 30 00 31 00 30 00 2E 00 6C 00 6E 00 6B 00 00 00 16 00 00 00
----------------------------------
Values modified:
----------------------------------
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 02 00 00 00 1E 00 00 00 E0 FD F4 9E 68 F6 CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 02 00 00 00 20 00 00 00 00 65 59 10 6B F6 CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 02 00 00 00 3F 00 00 00 20 49 41 9F 68 F6 CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 02 00 00 00 41 00 00 00 D0 E8 6E 10 6B F6 CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:::{450Q8SON-NQ25-11Q0-98N8-0800361O1103}: 01 00 00 00 06 00 00 00 60 85 99 AA 71 A4 CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:::{450Q8SON-NQ25-11Q0-98N8-0800361O1103}: 02 00 00 00 07 00 00 00 C0 38 E9 E7 6A F6 CD 01
following by the creation of the malicious log file and identification file:
log:
Image
Inside the log:
https://lh3.googleusercontent.com/-SqNC ... 44/014.jpg
Tried to XOR even translate it but no luck, not yet...
Image
Image
(Identifier file was in the pic above registry changes data)
In this ifgxtray.exe memory I saw the CnC information:
Code: Select all
CnC:       
wordpress.serveblog.net:3360
Methods:
           FCONNECT %s:%d HTTP/1.0
           http://%s%s
           GET %s HTTP/1.1
           Host: %s 
           Connection: close
The traffic below is the PoC of this CnC:
Image
It looks detecting the browsers:
Code: Select all
%s\Mozilla\Firefox\profiles.ini
%s\Mozilla\Firefox\%s
%s\Thunderbird\profiles.ini
%s\Thunderbird\%s
%s\Mozilla\SeaMonkey\profiles.ini
%s\Mozilla\SeaMonkey\%s
%s\Opera\Opera\wand.dat
%s\Opera\Opera\profile\wand.dat
And the below looks like credential stealer to me...
Code: Select all
WindowsLive:name=*
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Email
POP3 User
POP3 Server
POP3 Password
IMAP User
IMAP Server
IMAP Password
HTTP User
HTTP Server
HTTP Password
SMTP User
SMTP Server
SMTP Password
%c%c%S
abe2869f-9b47-4cd9-a358-c22904dba7f7
Software\Microsoft\Internet Explorer\IntelliForms\Storage2
index.dat
History
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
%s\Google\Chrome\User Data\Default\Login Data
%s\Chromium\User Data\Default\Login Data
localhost
USERNAME
The below trace looks like the log format..
Code: Select all
%s.Identifier
%Rand%
%d:0:0:%s\%s;
%d:%I64u:0:%s\%s;
%c%I64u
%llu
%s%.2d-%.2d-%.4d
[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
Research Materials/ Samples Download:
The sample I share, here: http://www.mediafire.com/?nbaaur1unj8abim
Please kindly help to register the samples into the known AV products since the detection ratio still too low..
I'm still in the middle of investigating the case, but you can have more information about the -
investigation and additional downloads like PCAP files, memory dumps and others download data of this case in here: http://malwaremustdie.blogspot.jp/2013/ ... kdoor.html
#MalwareMUSTdie
  • 1
  • 2
  • 3
  • 4
  • 5
  • 13