A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #24011  by EP_X0FF
 Mon Sep 29, 2014 10:39 pm
Interesting part of it seems to be able to create native usermode threads with CSRSS self notification plus it have a piece of x64 code in win32 loader, so I think it will work for x64 too.

5ff4f9c65e5e14db4cda736a374236fe_0b249f61a58aa5a1f8b01c4ea866b1c6 unpacked in attach.
https://www.virustotal.com/en/file/755e ... 412030155/

sup dlls mentioned above x86-x64 in attach
Attachments
pass: infected
(5.23 KiB) Downloaded 107 times
pass: infected
(47.88 KiB) Downloaded 115 times
 #24502  by kloent
 Tue Dec 02, 2014 2:30 pm
One more from Angler EK.
Attachments
pass: infected
(48.18 KiB) Downloaded 124 times
 #24582  by Munsta
 Thu Dec 11, 2014 9:07 pm
create native usermode threads with CSRSS self notification
This means that it has ring0 component and it is creating new thread in the Windows fashion instead of some APC shellcode injection to usermode?
 #24583  by EP_X0FF
 Fri Dec 12, 2014 4:42 am
Munsta wrote:
create native usermode threads with CSRSS self notification
This means that it has ring0 component and it is creating new thread in the Windows fashion instead of some APC shellcode injection to usermode?
There are no ring0 components. You do not understand the post. See @1000736B in unp.dmp -> NtCreateThread -> CsrClientCallServer.
 #24587  by Munsta
 Fri Dec 12, 2014 1:17 pm
EP_X0FF wrote: There are no ring0 components. You do not understand the post. See @1000736B in unp.dmp -> NtCreateThread -> CsrClientCallServer.
Right. Good, I remember now that it was used in some game hack, the tricky part was cross session thread creation, is this the case here? (creating hack thread from different user session via Csr* API and then you switch users to play the game :lol: )
 #24795  by EP_X0FF
 Fri Jan 02, 2015 8:25 am
Few samples of dropped Bedep components. Samples courtesy of Cody Johnston.

dpwsocksx_fake.dll
trksvr_fake.dll

both contain inside Win32/Bedep downloader.

bedep_stage2.dll extracted from them.

To manually extract payload - set break on RtlDecompressBuffer.
Attachments
pass: infected
(329.25 KiB) Downloaded 104 times
 #26283  by Blaze
 Tue Jul 14, 2015 1:44 pm
Dropped Bedep x64 component. (hides as ipsecsnp.dll)
Attachments
(192.9 KiB) Downloaded 59 times