A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #18276  by TwinHeadedEagle
 Wed Feb 20, 2013 3:11 pm
OK, I cleaned the computer of the user who opened the thread about this malware.

The malware drops at the following location:
Code:
c:\progra~2\locals~1\temp\msoppo.exe
It creates the following registry key:
Code:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"0"="c:\progra~2\locals~1\temp\msoppo.exe"
Here is the VT report:

https://www.virustotal.com/en/file/21b0 ... 361372494/

Attaching sample
Attachments
pass: infected
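As an added defender-side example (not from the thread or from any poster), a small Python script that parses a .reg export like the one above and flags autorun values that launch from a temp directory, use 8.3 short-name paths such as progra~2, or persist through the rarely legitimate Policies\Explorer\Run key; the sample export below is constructed, with the Policies\Explorer\Run value mirroring the one reported and two filler Run values.

```python
import re

# Constructed .reg export used as sample input: the Policies\Explorer\Run value
# mirrors the one reported above; the two Run values are filler, one benign.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"0"="c:\\progra~2\\locals~1\\temp\\msoppo.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Updater"="\"C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe\" /silent"
'''

# Autorun keys to inspect, including the less-watched Policies\Explorer\Run.
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(Policies\\Explorer\\)?Run(Once)?$", re.I)
TEMP_DIR = re.compile(r"\\temp\\", re.I)  # binary launched from a temp directory
SHORT_NAME = re.compile(r"~\d")           # 8.3 short names such as progra~2
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg exports write backslashes and quotes inside string data as \\ and \"
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Yield (key, value_name, data) for every REG_SZ value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_LINE.match(line)):
            yield key, _unescape(m.group(1)), _unescape(m.group(2))


def find_suspicious_autoruns(text):
    """Return [(key, name, data, reasons)] for autorun values that look like
    dropped persistence; benign entries under the same keys get no reasons."""
    hits = []
    for key, name, data in parse_reg(text):
        if not AUTORUN_KEY.search(key):
            continue
        reasons = []
        if TEMP_DIR.search(data):
            reasons.append("runs from a temp directory")
        if SHORT_NAME.search(data):
            reasons.append("uses an 8.3 short-name path")
        if "policies\\explorer\\run" in key.lower():
            reasons.append("persists via Policies\\Explorer\\Run")
        if reasons:
            hits.append((key, name, data, reasons))
    return hits
```

Run it against `reg export HKLM\Software\Microsoft\Windows\CurrentVersion` output from a suspect machine; the heuristics are deliberately loose, so treat hits as triage leads rather than verdicts.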
 #18281  by Userbased
 Wed Feb 20, 2013 4:58 pm
msoppo.exe attempts to connect to the following domains:
Code:
xdqzpbcgrvkj.ru
anam0rph.su
orzdwjtvmein.in
ygiudewsqhct.in
bdcrqgonzmwuehky.nl
somicrososoft.ru
The only one that currently resolves is somicrososoft.ru, where it connects to /in.php. It is a sample of Andromeda 2.06. PCAP file is attached.
 #18286  by aaSSfxxx
 Thu Feb 21, 2013 10:01 am
I think the pcap traffic is a little bit useless for Andromeda, since the bot traffic is encrypted (with the bot key).

The bot key is stored with the URL list, and I wrote some tools (in Python 2) which allow extracting the Andromeda config from an unpacked sample and querying the C&C to get the stuff dropped by Andromeda (attached).

I also attached an unpacked Andromeda sample for people who don't want to fight against XPXAXCXK.

Virustotal (unpacked): https://www.virustotal.com/fr/file/d37d ... /analysis/

Virustotal (msoppo.exe): https://www.virustotal.com/fr/file/21b0 ... /analysis/
Attachments
no password (python tools)
infected
 #18318  by grum
 Sat Feb 23, 2013 4:12 pm
:) Maybe someone can help me code a tool to brute-force the C&C server login and password very fast. I really tried with THydra, but it was bad and couldn't crack it.

I need the tool coded in PHP or ASM or Perl, maybe Python or Ruby; hope you all can help!
 #18321  by Xylitol
 Sun Feb 24, 2013 9:13 am
grum wrote: :) Maybe someone can help me code a tool to brute-force the C&C server login and password very fast. I really tried with THydra, but it was bad and couldn't crack it.

I need the tool coded in PHP or ASM or Perl, maybe Python or Ruby; hope you all can help!
hydra can do it, you just don't know how to use it.
 #18461  by EP_X0FF
 Thu Mar 07, 2013 6:06 am
grum wrote: THydra last and bruteforce can help?
What kind of answer do you expect?

Yes, bruteforce can do it. No, we don't do it for you - do it yourself.