A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #24438  by sysopfb
 Wed Nov 26, 2014 9:20 pm
d0057f9faf043d1da2e9543b9f491a87c49299a1a4d1652159662278af4cdd0e
Active. US banks after you decrypt the config
 #24490  by sicher
 Mon Dec 01, 2014 1:44 pm
Thanks sysopfb!

Did someone ever see this pattern with Vawtrak? (The placeholders are made up and B is size in Bytes):
/channel/{a(2B)}/{b(8B)}/{c(8B)}?id={d(16B)}
 #24494  by Codehook
 Mon Dec 01, 2014 4:23 pm
I've been seeing this sort of pattern in the last few days:
Code: Select all
/data/[0-9]{2}\.php\?i=[0-9]{8}&data=[a-z0-9]{8}&hash=[0-9]{4}
 #26567  by sysopfb
 Thu Aug 20, 2015 2:45 pm
It's back... project 100. Not much appears to of changed, the traffic encoding and config encoding are all the same.

Delivered by Neutrino EK

C2 list:
Code: Select all
gufeef.com
hoohunie.com
tinoofeise.com
nehoom.com
Backconnect:
Code: Select all
91.220.131.66:8080
Attachments
pw: infected
(394.05 KiB) Downloaded 77 times
 #26708  by sicher
 Fri Sep 11, 2015 1:42 pm
Thanks sysopfb. Seems like the backconnect backend still up. Too bad there was no leak of the backconnect backend till now.
 #26860  by sysopfb
 Thu Oct 01, 2015 1:49 pm
New vawtrak loader, uses similar encoding routines as previous vawtrak but the LCG algorithm for psuedo random numbers is BSD(http://rosettacode.org/wiki/Linear_cong ... _generator) and instead of XORing the bytes it subtracts them.
Sample and decoded+decompressed modules are in attachment.

Image
Attachments
pw:infected
(78.59 KiB) Downloaded 65 times
pw:infected
(89.21 KiB) Downloaded 78 times
 #26876  by sicher
 Sat Oct 03, 2015 1:13 pm
Thanks again sysopfb. The LCG before was just a form of rand() from VistualStudio using the seed in first 4 bytes, right? I wonder if they support both encoding forms now for the of migration.
 #26882  by sicher
 Sun Oct 04, 2015 10:16 am
Ah right, I also just saw Mathews twitter post regarding this today.