A forum for reverse engineering, OS internals and malware analysis 

WinNT/Phase - fileless trojan

Forum for analysis and discussion about malware.

Re: WinNT/Phase - fileless trojan

 #24614  by EP_X0FF
 Mon Dec 15, 2014 12:30 pm
grum wrote:anybody have panel it's?
Let me predict what you will do with this panel if you manage to get it. The most worst scenario as in most cases the worst things are always becoming true.

Hexedit one of already available bots to point on your own C&C panel, setup your tasks, crypt dropper (with something that will not broke it functionality - it would be required and itself broken for XP DEP) and push it from one of your available EK.

How do you think is it complete true or just partial?

Re: WinNT/Phase - fileless trojan

 #24632  by Munsta
 Tue Dec 16, 2014 10:40 pm
EP_X0FF wrote:
grum wrote:anybody have panel it's?
Let me predict what you will do with this panel if you manage to get it. The most worst scenario as in most cases the worst things are always becoming true.

Hexedit one of already available bots to point on your own C&C panel, setup your tasks, crypt dropper (with something that will not broke it functionality - it would be required and itself broken for XP DEP) and push it from one of your available EK.

How do you think is it complete true or just partial?

He doesnt have to hex it, he can install module to patch it on runtime, I think Phase malkit supports persistent modules (check ss from MalwareTech)

Re: WinNT/Phase - fileless trojan

 #24706  by Xylitol
 Mon Dec 22, 2014 1:32 pm
grum wrote:anybody have panel it's?
Have, but not for you.

Here is 20 samples that i've collected via yara
d1446326bf1c69ea9df6e65bd472f358 • 21/56
5767b9bf9cb6f2b5259f29dd8b873e36 • 33/55
6f53d3cd1acb7541bcc7399c4af001b1 • 21/56
d2ed20b1996e7e5bad2b91fd255732ef • 19/53
4ec84f1aa91e4cdc12118002244ca582 • 22/56
fc586c3ec37e51668e905d0acfc913f6 • 21/56
ace0a059dc2264c847d4e6c91f829dfd • 21/56
f89b4e626c7a81544ca7395be3262cf6 • 31/56
ef69575e14fa965380242db26675d2df • 33/56
eb9b56d829c3951b6e9cb5e4a651f7c8 • 18/53
f01c1ea73e968c2309391dcf3f0a2848 • 31/56
6ce0bb4cd86295f915160d7207a07a47 • 30/55
e4574fbc1014d27e1b6906bfc5351e0e • 31/55
1f3e808a3ccd981f3e61de227dae93b8 • 21/56
fe5dfa53204a65eca741ceab352c3b00 • 28/56
19fa3927577571c51428f6eee2b5f52f • 20/55
20e3a9ec396ad8b57a36ea3c6b9f151a • 20/54
f8ffcab3324561598ce5c375c07066be • 31/56
12dccdec47928e5298055996415a94f2 • 30/55
a10f84153dba7b73980f0ff50d8cc8e6 • 28/55

Some related domains ~ (not a full list of bellow samples)
Code: Select all
• dns: 1 ›› ip: 5.199.167.122 - adress: 654ANDRO.NET
• dns: 1 ›› ip: 46.151.52.17 - adress: BLOG.L0C4LH0ST.PW
• dns: 2 ›› ip: 104.28.16.82 - adress: JRAT.SE
• dns: 1 ›› ip: 162.252.240.184 - adress: SKOJA.RU
• dns: 1 ›› ip: 162.222.214.65 - adress: PHASESUPPORT.COM
• dns: 1 ›› ip: 94.102.63.148 - adress: VCV.NO-IP.BIZ
• dns: 1 ›› ip: 5.100.156.61 - adress: BZ-BZ.BZ
• dns: 1 ›› ip: 149.154.64.31 - adress: YADRUW.COM
• dns: 1 ›› ip: 94.102.51.169 - adress: EKHGE35UF5.PW
• dns: 1 ›› ip: 198.52.160.45 - adress: NGDATA.ORG
• dns: 1 ›› ip: 198.52.160.45 - adress: JBCOMPANY.ORG
• dns: 1 ›› ip: 188.68.250.164 - adress: NORTONCENTER.NET
Tracking this botnet is relatively easy, and as i've already say many time on twitter:
Image
.htaccess with a deny from cybercrime-tracker.net ain't gonna help you, resistance is futile ;)
Attachments
infected
(2.36 MiB) Downloaded 103 times

Re: WinNT/Phase - fileless trojan

 #24711  by EP_X0FF
 Mon Dec 22, 2014 5:09 pm
malwarelabs wrote:Panel source code (from http://198.52.160.45/phase )
attahed
I'm kinda surprised we are in the list just after Microsoft
deny from kernelmode.info
Actually author of this crapware should at least give us some little respect simple because he stole all the Poweliks idea/bins from our site.

Re: WinNT/Phase - fileless trojan

 #24717  by EP_X0FF
 Tue Dec 23, 2014 9:06 am
Anyway I don't see sense in that. We do not run any crawlers here. That deny list is one of the most dumbest things I ever saw.

Re: WinNT/Phase - fileless trojan

 #24734  by uCares
 Wed Dec 24, 2014 12:37 pm
Some CP from provided samples :
Code: Select all
198.52.160.45/gate.php
654andro.net/phase/gate.php
avastsupport.net/secure/gate.php
blog.l0c4lh0st.pw/dhrgbv/mysql.php
blog.l0c4lh0st.pw/kjvg/gate.php
bz-bz.bz/3Vg6G4ULcCzAbbbdnXZLXjdw3QzamGkNCVV/gate.php
ekhge35uf5.pw/pae/gate.php
fedren.com/json/json.php
i8xyz5tkuf.pw/pae/gate.php
jbcompany.org/gate.php
jrat.se/hemliga/porten.php
ngdata.org/gate.php
nortoncenter.net/secure/gate.php
phasesupport.com/pos/gate.php
ptah.vdsinside.com/dhrgbv/mysql.php
ptah.vdsinside.com/kjvg/gate.php
skoja.ru/hemliga/porten.php
telemetric.pw/Vp845Z5SapkLjURRmEGaaR8Sv4vDSRHjSy/gate.php
vcv.no-ip.biz/gate.php
wutudo.su/hemliga/porten.php
yadruw.com/json/json.php
 Return to “Malware”