Here is the spyware module (javascript) that I was able to extract. Not complete though.
Attachments
javascript
(252.92 KiB) Downloaded 81 times
A forum for reverse engineering, OS internals and malware analysis
AMI
BOCHS
VBOX
QEMU
SMCI
INTEL - 6040000
FTNT-1
SONI
prleth.sys
hgfs.sys
vmhgfs.sys
sbiedll.dll
CurrentUser
Sandbox
SANDBOX
7SILVIA
SystemBiosVersion
HARDWARE\DESCRIPTION\System
VideoBiosVersion
VirtualBox
SOFTWARE\Microsoft\Windows\CurrentVersion
55274-640-2673064-23950
76487-644-3177037-23510
76487-337-8429955-22614

Dropper is courtesy of @malekal_morte.

Hardware\DESCRIPTION\System\CentralProcessor\0
ProcessorNameString
Xeon
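The strings above are the loader's sandbox and VM fingerprint list: BIOS vendor markers read from HKLM\HARDWARE\DESCRIPTION\System (SystemBiosVersion, VideoBiosVersion), three Windows ProductId values, hypervisor and Sandboxie driver/DLL names, sandbox user and machine names, and a "Xeon" check on ProcessorNameString. As an added example (not code from this post, from the dropper, or from its author), the Python below replays those checks against a constructed snapshot of an analysis guest, so a sandbox operator can see which values the loader would key on before detonating it. The indicator strings are copied from the dump; the comparison rules (case-sensitive substring for the BIOS and CPU strings, exact match for ProductId, user name and computer name) are assumptions, because a strings dump does not show the comparison code. HostSnapshot and the two sample guests are constructed test data.

```python
"""Which of the loader's environment checks would a given host trip?

Added example, not code from the forum post or from the loader. The indicator
strings are copied from the strings dump; the matching rules (substring vs.
exact, case handling) are NOT visible in a strings dump and are assumptions.
"""
from dataclasses import dataclass

# HKLM\HARDWARE\DESCRIPTION\System\{SystemBiosVersion,VideoBiosVersion}: case-sensitive substrings (assumption)
BIOS_MARKERS = ("AMI", "BOCHS", "VBOX", "QEMU", "SMCI", "INTEL - 6040000", "FTNT-1", "SONI", "VirtualBox")
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ProductId: exact match (assumption)
PRODUCT_IDS = frozenset({"55274-640-2673064-23950", "76487-644-3177037-23510", "76487-337-8429955-22614"})
# Parallels (prleth.sys), VMware shared folders (hgfs.sys, vmhgfs.sys), Sandboxie (sbiedll.dll)
ARTIFACT_FILES = ("prleth.sys", "hgfs.sys", "vmhgfs.sys", "sbiedll.dll")
USERNAMES = ("CurrentUser", "Sandbox", "SANDBOX")      # assumption: exact, case-sensitive
COMPUTER_NAMES = ("7SILVIA",)
# HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
CPU_MARKERS = ("Xeon",)

@dataclass
class HostSnapshot:
    """Values an analyst reads off the guest; every field is constructed test data."""
    system_bios_version: str = ""
    video_bios_version: str = ""
    product_id: str = ""
    present_files: tuple = ()      # base names of drivers/DLLs found on disk or loaded in the process
    username: str = ""
    computer_name: str = ""
    processor_name: str = ""

def tripped_indicators(h: HostSnapshot) -> list:
    """Return a human-readable list of every check that would fire on this host."""
    hits = []
    for name, value in (("SystemBiosVersion", h.system_bios_version),
                        ("VideoBiosVersion", h.video_bios_version)):
        hits += [f"{name} contains {m!r}" for m in BIOS_MARKERS if m in value]
    if h.product_id in PRODUCT_IDS:
        hits.append(f"ProductId {h.product_id} is on the sandbox list")
    present = {p.lower() for p in h.present_files}
    hits += [f"artifact file present: {f}" for f in ARTIFACT_FILES if f.lower() in present]
    if h.username in USERNAMES:
        hits.append(f"username {h.username!r} is on the list")
    if h.computer_name in COMPUTER_NAMES:
        hits.append(f"computer name {h.computer_name!r} is on the list")
    hits += [f"ProcessorNameString contains {m!r}" for m in CPU_MARKERS if m in h.processor_name]
    return hits

# Constructed snapshot of an unmodified VirtualBox guest (typical values, not measured on a real box)
STOCK_VIRTUALBOX = HostSnapshot(
    system_bios_version="VBOX   - 1",
    video_bios_version="Oracle VM VirtualBox VBE Adapter",
    product_id="00330-80000-00000-AA123",
    present_files=("VBoxMRXNP.dll",),        # not on the loader's list, so it does not trip anything
    username="analyst",
    computer_name="WIN7-ANALYSIS",
    processor_name="Intel(R) Xeon(R) CPU E5-2620 v3 @ 2.40GHz",
)
# The same guest after the BIOS strings were patched and the CPU brand string overridden
HARDENED_VIRTUALBOX = HostSnapshot(
    system_bios_version="Dell Inc. - 6222004",
    video_bios_version="Intel Video BIOS",
    product_id="00330-80000-00000-AA123",
    present_files=("VBoxMRXNP.dll",),
    username="analyst",
    computer_name="WIN7-ANALYSIS",
    processor_name="Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz",
)

if __name__ == "__main__":
    for label, snap in (("stock", STOCK_VIRTUALBOX), ("hardened", HARDENED_VIRTUALBOX)):
        print(label, tripped_indicators(snap) or ["nothing tripped"])
```

Note the "Xeon" check: it fires on the CPU brand string of most server-class sandbox hosts even when every hypervisor artifact has been hidden, so the processor name is worth overriding along with the BIOS strings.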
ikolor wrote:
next..
https://www.virustotal.com/en/file/44a4 ... 474485050/

xors wrote:
It is Gootkit loader.

ikolor wrote:
next..
https://www.virustotal.com/en/file/44a4 ... 474485050/

Maybe a dropper? Not sure
PDB:"c:\safe\die\foot\stick\cover\doubleagain.pdb"
user32.dll
{66379400-67a1-468d-a692-6a3cfbee8ac5}
{66379400-67a1-468d-a692-6a3cfbee8ac5}
{66379400-67a1-468d-a692-6a3cfbee8ac5}
{66379400-67a1-468d-a692-6a3cfbee8ac5}
%d-%08x-%08x
IsWow64Process
ExitProcess
kernel32.dll
.detour
dbghelp.dll
ImagehlpApiVersionEx
SymInitialize
SymSetOptions
SymGetOptions
SymLoadModule64
SymGetModuleInfo64
SymFromName
.detour
testldr
vendor_id
LdrGetProcedureAddress
NTDLL.DLL
LoadLibraryExW
KERNEL32
LoadLibraryExW
KERNELBASE
GetProcAddress
KERNEL32
GetProcAddress
KERNELBASE
.text
Error
DataWriteFailed
BadStatusCode
ResponseReadFailed
CrackUrlFailed
PartialResponse
unknown error
RtlComputeCrc32
crackme
GetNativeSystemInfo
kernel32.dll
{%d}-{%s}
S:(ML;;NW;;;LW)
unstable_%d
D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)
vendor_id
127.0.0.1
scheduler_%s
vendor_id
S:(ML;;NW;;;LW)
D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)
scheduler_%d
standalonemtm
vendor_id
mainprocessoverride
RandomListenPortBase
/rpersist2/%d
/rpersist3/%d
NTDLL.DLL
LdrLoadDll
LdrGetProcedureAddress
ZwProtectVirtualMemory
LdrLoadDll
NTDLL.DLL
LdrGetProcedureAddress
NTDLL.DLL
ZwProtectVirtualMemory
NTDLL.DLL
LdrLoadDll
NTDLL.DLL
kernelbase
CreateRemoteThread
kernelbase
RtlCreateUserThread
NTDLL.DLL
RtlCreateUserThread
NTDLL.DLL
RtlDecompressBuffer
ntdll.dll
ZwWow64QueryInformationProcess64
NTDLL.DLL
VirtualQuery
KERNEL32.DLL
IsWow64Process
KERNEL32.DLL
Wow64EnableWow64FsRedirection
KERNEL32.DLL
LoadLibraryA
KERNEL32.DLL
ZwWow64ReadVirtualMemory64
NTDLL.DLL
NTDLL.DLL
ZwWow64QueryInformationProcess64
ZwGetContextThread
NTDLL.DLL
ZwSetContextThread
NTDLL.DLL
ZwMapViewOfSection
NTDLL.DLL
ZwUnmapViewOfSection
NTDLL.DLL
LoadLibraryA
KERNEL32.DLL
KERNEL32.DLL
LoadLibraryW
FreeLibrary
ping localhost -n 10 > nul
del %%0
attrib -r -s -h %%1
del %%1
if exist %%1 goto %u
del %%0
%02u-%02u-%02u %02u:%02u:%02u
SystemFunction036
advapi32.dll
UuidCreateSequential
RPCRT4.dll
BOCHS
INTEL - 6040000
FTNT-1
prleth.sys
hgfs.sys
vmhgfs.sys
dbghelp.dll
sbiedll.dll
CurrentUser
Sandbox
SANDBOX
7SILVIA
SystemBiosVersion
HARDWARE\DESCRIPTION\System
VideoBiosVersion
HARDWARE\DESCRIPTION\System
VirtualBox
SystemBiosVersion
SOFTWARE\Microsoft\Windows\CurrentVersion
55274-640-2673064-23950
76487-644-3177037-23510
76487-337-8429955-22614
dropper_dll_service.dll
ServiceHandler
ServiceMain
StrCmpIW
StrStrIA
StrCatW
StrStrIW
StrRChrW
StrStrA
StrDupW
StrCpyW
StrCpyNW
SHLWAPI.dll
GetProcessImageFileNameA
PSAPI.DLL
RtlRandom
_strupr
NtMapViewOfSection
RtlNtStatusToDosError
NtUnmapViewOfSection
NtCreateSection
ZwClose
ZwOpenProcess
ZwOpenProcessToken
ZwQueryInformationToken
NtQuerySystemInformation
strrchr
strchr
_vsnwprintf
ntdll.dll
CreateEnvironmentBlock
DestroyEnvironmentBlock
GetProfilesDirectoryW
USERENV.dll
WS2_32.dll
WinHttpCloseHandle
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpOpen
WinHttpSetTimeouts
WinHttpConnect
WinHttpOpenRequest
WinHttpSetOption
WinHttpAddRequestHeaders
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpQueryHeaders
WINHTTP.dll
LoadLibraryA
GlobalFindAtomA
FindAtomA
HeapAlloc
lstrlenW
GetProcessHeap
HeapFree
CreateFileW
CloseHandle
CreateEventW
WaitForMultipleObjects
ReadFile
SetEvent
OpenProcess
ProcessIdToSessionId
GetLastError
GetProcessTimes
CreateMutexA
GetProcAddress
GetModuleHandleW
GetCurrentProcess
Sleep
ExpandEnvironmentStringsW
CreateProcessW
TerminateProcess
CreateThread
DeleteAtom
FindAtomW
ExitThread
AddAtomW
lstrlenA
WaitForSingleObject
GetCurrentProcessId
ExitProcess
GetModuleHandleA
VirtualProtect
VirtualAlloc
CreateMutexW
GetTickCount
GetCommandLineA
GetModuleFileNameW
SetEnvironmentVariableA
MultiByteToWideChar
lstrcpyA
GetSystemDirectoryW
lstrcatW
FindFirstFileW
FindNextFileW
FindClose
GetEnvironmentVariableA
GlobalMemoryStatusEx
GetSystemInfo
GlobalAlloc
LocalFree
GlobalFree
CreateEventA
TerminateThread
GetEnvironmentVariableW
SetEnvironmentVariableW
GetFileSize
SetFilePointer
WriteFile
SetEndOfFile
lstrcpyW
GetComputerNameA
WideCharToMultiByte
GetVersion
GetComputerNameW
CreateRemoteThread
GetExitCodeThread
GetShortPathNameW
lstrcmpA
VirtualFree
lstrcmpiA
FileTimeToSystemTime
HeapReAlloc
LocalAlloc
lstrcmpW
CreateFileMappingW
MapViewOfFile
OpenFileMappingW
UnmapViewOfFile
GetSystemTimeAsFileTime
SystemTimeToTzSpecificLocalTime
GetFileAttributesW
GetFileAttributesA
lstrcatA
GetWindowsDirectoryA
KERNEL32.dll
wsprintfW
wsprintfA
GetShellWindow
GetWindowThreadProcessId
GetForegroundWindow
USER32.dll
RegCreateKeyExW
RegSetValueExW
RegCloseKey
RegOpenKeyW
OpenProcessToken
GetTokenInformation
LookupAccountSidW
DuplicateTokenEx
SetTokenInformation
AllocateAndInitializeSid
GetLengthSid
FreeSid
CreateProcessAsUserW
GetUserNameW
RegQueryValueExW
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
CheckTokenMembership
CreateWellKnownSid
GetSidSubAuthorityCount
GetSidSubAuthority
ConvertStringSecurityDescriptorToSecurityDescriptorA
RegOpenKeyExW
RegDeleteValueW
SetServiceStatus
RegisterServiceCtrlHandlerW
OpenSCManagerW
CreateServiceW
ChangeServiceConfig2W
RegCreateKeyW
StartServiceW
DeleteService
CloseServiceHandle
SetEntriesInAclW
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
SetFileSecurityW
LookupPrivilegeValueW
AdjustTokenPrivileges
ConvertSidToStringSidW
RegCreateKeyA
GetUserNameA
ADVAPI32.dll
ShellExecuteExW
SHELL32.dll
CoInitializeEx
CoUninitialize
CoCreateInstance
CoInitialize
CoTaskMemFree
ole32.dll
_allshl
_aullshr
memcpy
memset
Shell
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
SESSION:\\%s\%s\%d
kernel32
SeCreateTokenPrivilege
SeAssignPrimaryTokenPrivilege
SeLockMemoryPrivilege
SeIncreaseQuotaPrivilege
SeUnsolicitedInputPrivilege
SeMachineAccountPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeCreatePagefilePrivilege
SeCreatePermanentPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeChangeNotifyPrivilege
SeRemoteShutdownPrivilege
SeUndockPrivilege
SeSyncAgentPrivilege
SeEnableDelegationPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeTrustedCredManAccessPrivilege
SeRelabelPrivilege
SeIncreaseWorkingSetPrivilege
SeTimeZonePrivilege
SeCreateSymbolicLinkPrivilege
winsta0\default
svchost.exe
%SystemRoot%\system32\svchost.exe
rundll32
%SystemRoot%\system32\svchost.exe
ServiceEntryPointThread
SiInstallAndStartServiceThread
Range: bytes=%d-
2NTDLL.DLL
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0
\*.exe
Local\
Local\
ProcessorNameString
Hardware\DESCRIPTION\System\CentralProcessor\0
vendor_id
USERNAME
UNKNOW
%windir%\system32\cmd.exe
/c "start %s"
runas
{%08X%04X%04X%04X%08X%04X}
%08X%04X%04X%04X%08X%04X
WinHTTP Example/1.0
login.live.com
twitter.com
%s_%i.dll
%s.dll
y%lu.bat
%lu.bat
Software
Software\AppDataLow
binaryImage%d
%s_%d
%s_%d
binaryImage%d
%s_%d
EventSubsystem
systemprofile
%%SystemRoot%%\System32\svchost.exe -k %s
SYSTEM\CurrentControlSet\Services\%s
Parameters
ServiceDll
DLLPATH
FUNCTIONNAME
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
"%DLLPATH%", %FUNCTIONNAME%
%APPDATA%\Microsoft\Internet Explorer\
%APPDATA%\
%SystemRoot%\SysWOW64\rundll32.exe
%SystemRoot%\System32\rundll32.exe
%SystemRoot%\System32\
SeDebugPrivilege
S-1-5-18
abcdefghijklmnopqrstuvwxyz
%USERDOMAIN%
%COMPUTERNAME%
%s\%s
dll",
rundll32.exe
SeShutdownPrivilege
AppData\Local\Temp
Local Settings\Temp
%s\%s\%s
%SystemRoot%\Temp
%TEMP%\uqjckeguhl.tmp
\Device\Afd
\Device\Afd
wszDllNameSharedSection
CertGetCertificateChain
crypt32.dll
CertVerifyCertificateChainPolicy
ntdll.dll
NtQuerySystemInformation
NtQueryObject
nss3.dll
CERT_GetDefaultCertDB
CERT_ImportCerts
CERT_ChangeCertTrust
CERT_DecodeCertFromPackage
CERT_DecodeTrustString
TCu,Cu,Tu
ws2_32.dll
WPUCloseEvent
WPUCloseSocketHandle
WPUCreateEvent
WPUCreateSocketHandle
WPUFDIsSet
WPUGetProviderPath
WPUModifyIFSHandle
WPUPostMessage
WPUQueryBlockingCallback
WPUQuerySocketHandleContext
WPUQueueApc
WPUResetEvent
WPUSetEvent
WPUOpenCurrentThread
WPUCloseThread
WSPStartup
mswsock.dll
StrStrIW
PathRemoveExtensionW
SHLWAPI.dll
CertOpenStore
CertGetIntendedKeyUsage
CertCloseStore
CertGetNameStringA
CertGetCertificateContextProperty
CertEnumCertificatesInStore
CRYPT32.dll
WSCGetProviderPath
WSAEnumProtocolsW
WSAIoctl
WS2_32.dll
malloc
_strupr
msvcrt.dll
GetLastError
SetLastError
ResumeThread
GetThreadContext
SetThreadContext
VirtualQuery
GetCurrentProcess
GetCurrentThread
FlushInstructionCache
VirtualAlloc
VirtualProtect
GetCurrentThreadId
SuspendThread
CloseHandle
GetProcAddress
LoadLibraryA
HeapAlloc
HeapFree
GetProcessHeap
GetCurrentProcessId
Sleep
LocalFree
CreateThread
LocalAlloc
lstrlenA
GetModuleFileNameA
LoadLibraryW
GetModuleHandleA
ExpandEnvironmentStringsW
KERNEL32.dll
memcpy
memset
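Two of the strings in the dump, S:(ML;;NW;;;LW) and D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA), are SDDL security descriptors; together with the ConvertStringSecurityDescriptorToSecurityDescriptorA import and the Local\ object names (scheduler_%s, unstable_%d) they are the access control the loader puts on the objects it shares between its components. As an added example (not code from the post or from the loader), here is a small Python SDDL parser that turns such strings into ACE records and explains them; the alias tables cover the tokens these two strings use plus common extras, and the combined descriptor exercised in the test is constructed.

```python
"""Parse the SDDL strings the loader uses for its named objects.

Added example, not code from the post or from the loader. Turns an SDDL
security descriptor string into its owner/group and ACE records and explains
them. Unknown tokens are passed through unchanged.
"""
import re

ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT", "AL": "SYSTEM_ALARM",
             "OA": "ACCESS_ALLOWED_OBJECT", "OD": "ACCESS_DENIED_OBJECT", "ML": "SYSTEM_MANDATORY_LABEL"}
ACE_FLAGS = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT", "NP": "NO_PROPAGATE_INHERIT",
             "IO": "INHERIT_ONLY", "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS"}
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
          "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
          "FA": "FILE_ALL_ACCESS", "FR": "FILE_GENERIC_READ", "FW": "FILE_GENERIC_WRITE",
          "KA": "KEY_ALL_ACCESS", "KR": "KEY_READ", "KW": "KEY_WRITE",
          "NW": "NO_WRITE_UP", "NR": "NO_READ_UP", "NX": "NO_EXECUTE_UP"}
SIDS = {"BA": "BUILTIN\\Administrators", "BU": "BUILTIN\\Users", "BG": "BUILTIN\\Guests",
        "AN": "NT AUTHORITY\\ANONYMOUS LOGON", "AU": "NT AUTHORITY\\Authenticated Users",
        "SY": "NT AUTHORITY\\SYSTEM", "WD": "Everyone", "IU": "NT AUTHORITY\\INTERACTIVE",
        "LW": "Low Mandatory Level", "ME": "Medium Mandatory Level", "HI": "High Mandatory Level",
        "SI": "System Mandatory Level"}
ACL_FLAGS = {"P": "PROTECTED", "AR": "AUTO_INHERIT_REQ", "AI": "AUTO_INHERITED"}

SECTION_RE = re.compile(r"[OGDS]:")      # O:owner G:group D:dacl S:sacl; no other colons occur in SDDL
ACE_RE = re.compile(r"\(([^)]*)\)")

def _pairs(s):
    """Split a run of two-letter SDDL tokens: 'OICI' -> ['OI', 'CI']."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def _acl_flags(s):
    out, i = [], 0
    while i < len(s):                     # 'P' is a one-letter flag, the others are two letters
        tok = "P" if s[i] == "P" else s[i:i + 2]
        out.append(ACL_FLAGS.get(tok, tok))
        i += len(tok)
    return out

def parse_ace(text):
    fields = text.split(";")
    if len(fields) < 6:
        raise ValueError(f"malformed ACE: {text!r}")
    ace_type, flags, rights, obj, inh_obj, sid = fields[:6]
    if rights.lower().startswith("0x"):   # raw access mask instead of two-letter tokens
        rights_list = [hex(int(rights, 16))]
    else:
        rights_list = [RIGHTS.get(t, t) for t in _pairs(rights)]
    return {"type": ACE_TYPES.get(ace_type, ace_type), "flags": [ACE_FLAGS.get(f, f) for f in _pairs(flags)],
            "rights": rights_list, "object_guid": obj or None, "inherit_object_guid": inh_obj or None,
            "sid": SIDS.get(sid, sid)}

def parse_sddl(sddl):
    out = {"owner": None, "group": None, "dacl_flags": [], "dacl": [], "sacl_flags": [], "sacl": []}
    marks = list(SECTION_RE.finditer(sddl))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(sddl)
        body, kind = sddl[m.end():end], m.group()[0]
        if kind in "OG":
            out["owner" if kind == "O" else "group"] = SIDS.get(body, body)
            continue
        name = "dacl" if kind == "D" else "sacl"
        first = body.find("(")
        out[name + "_flags"] = _acl_flags(body if first < 0 else body[:first])
        out[name] = [parse_ace(a) for a in ACE_RE.findall(body)]
    return out

def is_canonical(dacl):
    """Explicit deny ACEs must precede explicit allow ACEs, or the denies are not reliably enforced."""
    seen_allow = False
    for ace in dacl:
        if "INHERITED" in ace["flags"]:
            break
        if ace["type"] == "ACCESS_ALLOWED":
            seen_allow = True
        elif ace["type"] == "ACCESS_DENIED" and seen_allow:
            return False
    return True

def explain(parsed):
    lines = []
    for ace in parsed["dacl"]:
        verb = {"ACCESS_ALLOWED": "allow", "ACCESS_DENIED": "deny"}.get(ace["type"], ace["type"])
        lines.append(f"{verb} {'+'.join(ace['rights'])} to {ace['sid']} flags={','.join(ace['flags']) or '-'}")
    for ace in parsed["sacl"]:
        if ace["type"] == "SYSTEM_MANDATORY_LABEL":
            lines.append(f"integrity label {ace['sid']} policy={'+'.join(ace['rights'])}")
        else:
            lines.append(f"{ace['type']} {'+'.join(ace['rights'])} for {ace['sid']}")
    return lines

# The two descriptors from the strings dump
LOADER_DACL = "D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)"
LOADER_LABEL = "S:(ML;;NW;;;LW)"

if __name__ == "__main__":
    for s in (LOADER_DACL, LOADER_LABEL):
        print(s, *explain(parse_sddl(s)), sep="\n  ")
```

What the two strings say: the DACL denies GENERIC_ALL to Guests and Anonymous Logon and grants it to Authenticated Users and Administrators, in canonical deny-before-allow order, so any logged-on user can open the object. The SACL sets a Low mandatory integrity label with NO_WRITE_UP, which only blocks callers below Low; a low-integrity process (a Protected Mode browser tab, where a banking trojan's injected code runs) can therefore open and write an object that the loader's medium- or high-integrity side created. A default-labelled object would be Medium and refuse that write. The OI/CI inheritance flags do nothing on a mutex or section and only matter if the same descriptor is reused for directories and registry keys, which the SetFileSecurityW and RegCreateKeyExW imports make plausible.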
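The service-related imports and format strings in the dump (OpenSCManagerW, CreateServiceW, ChangeServiceConfig2W, "%%SystemRoot%%\System32\svchost.exe -k %s", SYSTEM\CurrentControlSet\Services\%s, Parameters, ServiceDll, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, the %APPDATA%\Microsoft\Internet Explorer\ path, and the Winlogon Shell value) describe a DLL hosted by svchost.exe through a ServiceDll entry, registered in its own svchost group, plus a Winlogon Shell hook. As an added example (not code from the post or from the loader), the Python below hunts for exactly that shape in a registry export: it parses "Windows Registry Editor Version 5.00" text such as `reg export` writes, including hex(2)/hex(7) values and wrapped lines, and flags svchost-hosted services whose ServiceDll is outside System32/SysWOW64, svchost groups absent from a baseline, and a non-explorer Shell. SAMPLE_REG, the service name EventSubsystem and the DLL path in it are constructed; STOCK_GROUPS is a partial baseline that should be replaced with one exported from a known-good host of the same Windows build.

```python
"""Hunt for the svchost ServiceDll persistence described by the loader's strings.

Added example, not code from the post or from the loader. Parses a text export
in "Windows Registry Editor Version 5.00" format and flags (1) a service run as
`svchost.exe -k <group>` whose Parameters\\ServiceDll lives outside System32 or
SysWOW64, (2) an svchost group missing from a baseline and (3) a Winlogon Shell
other than explorer.exe. SAMPLE_REG is constructed; STOCK_GROUPS is partial.
"""
import re

def reg_hex(kind, value):
    """Encode REG_EXPAND_SZ (hex(2)) or REG_MULTI_SZ (hex(7)) the way reg export does, wrapped with ',\\'."""
    text = value + "\0" if kind == 2 else "\0".join(value) + "\0\0"
    parts = [f"{b:02x}" for b in text.encode("utf-16-le")]
    rows = [",".join(parts[i:i + 20]) for i in range(0, len(parts), 20)]
    return f"hex({kind}):" + ",\\\n  ".join(rows)

SAMPLE_REG = "\n".join([   # constructed export: one stock svchost service and one planted one
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]",
    '"NetworkService"=' + reg_hex(7, ["Dnscache", "NlaSvc"]),
    '"EventSubsystem"=' + reg_hex(7, ["EventSubsystem"]),
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]",
    '"ImagePath"=' + reg_hex(2, r"%SystemRoot%\system32\svchost.exe -k NetworkService"),
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]",
    '"ServiceDll"=' + reg_hex(2, r"%SystemRoot%\System32\dnsrslvr.dll"),
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventSubsystem]",
    '"ImagePath"=' + reg_hex(2, r"%SystemRoot%\System32\svchost.exe -k EventSubsystem"),
    '"Start"=dword:00000002',
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventSubsystem\Parameters]",
    '"ServiceDll"=' + reg_hex(2, r"%APPDATA%\Microsoft\Internet Explorer\dropper_dll_service.dll"),
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]",
    '"Shell"="explorer.exe"',
])

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

def decode_value(raw):
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^hex(?:\((\d+)\))?:(.*)$", raw)
    if not m:
        return raw
    kind, data = int(m.group(1) or 3), bytes.fromhex(m.group(2).replace(",", ""))
    if kind not in (2, 7):
        return data
    text = data.decode("utf-16-le")
    return [s for s in text.split("\0") if s] if kind == 7 else text.rstrip("\0")

def parse_reg_export(text):
    """Return {key_path: {value_name: decoded_value}}; joins ',\\'-wrapped continuation lines."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip() if pending else raw.rstrip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (m := VALUE_RE.match(line)):
            keys[current][m.group(1) if m.group(1) is not None else "@"] = decode_value(m.group(3))
    return keys

STOCK_GROUPS = {"netsvcs", "localservice", "networkservice", "dcomlaunch", "rpcss",
                "localsystemnetworkrestricted", "localservicenetworkrestricted",
                "localservicenonetwork", "localserviceandnoimpersonation"}   # partial baseline
SAFE_DLL_PREFIXES = ("%systemroot%\\system32\\", "%systemroot%\\syswow64\\", "%windir%\\system32\\",
                     "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.I)
SERVICES = "hkey_local_machine\\system\\currentcontrolset\\services\\"
WINLOGON = "hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\winlogon"

def svchost_findings(keys):
    """{service_name: [reasons]} for svchost-hosted services that look planted."""
    lower = {k.lower(): v for k, v in keys.items()}
    findings = {}
    for key, values in keys.items():
        k = key.lower()
        if not k.startswith(SERVICES) or k.endswith("\\parameters"):
            continue
        m = SVCHOST_RE.search(str(values.get("ImagePath", "")))
        if not m:
            continue
        name, group = key[len(SERVICES):], m.group(1)
        dll = str(lower.get(k + "\\parameters", {}).get("ServiceDll", ""))
        reasons = []
        if not dll:
            reasons.append("svchost-hosted service without Parameters\\ServiceDll")
        elif not dll.lower().startswith(SAFE_DLL_PREFIXES):
            reasons.append(f"ServiceDll outside System32/SysWOW64: {dll}")
        if group.lower() not in STOCK_GROUPS:
            reasons.append(f"svchost group {group!r} not in baseline")
        if reasons:
            findings[name] = reasons
    return findings

def winlogon_shell_findings(keys):
    lower = {k.lower(): v for k, v in keys.items()}
    shell = str(lower.get(WINLOGON, {}).get("Shell", "explorer.exe"))
    return [] if shell.strip().lower() == "explorer.exe" else [f"Winlogon Shell replaced: {shell}"]

if __name__ == "__main__":
    snapshot = parse_reg_export(SAMPLE_REG)
    print(svchost_findings(snapshot), winlogon_shell_findings(snapshot))
```

On a live host, feed it the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services`, `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"` (both are UTF-16 files, so decode them before parsing). The path check is deliberately a prefix whitelist rather than a blacklist of %APPDATA%: a ServiceDll anywhere outside the system directories is abnormal, whichever folder the loader chose on a given machine.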