A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #5258  by Eric_71
 Tue Mar 01, 2011 7:38 pm
[main]
version=0.03
aid=30185
sid=0
builddate=351
rnd=1390067357
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://lo4undreyk.com/;hxxps://sh01cilewk.com/;hxxps://cap01tchaa.com/;hxxps://kur1k0nona.com/;hxxps://u101mnay2k.com/
wsrv=hxxp://gnarenyawr.com/;hxxp://rinderwayr.com/;hxxp://jukdoout0.com/;hxxp://swltcho0.com/;hxxp://ranmjyuke.com/
psrv=hxxp://crj71ki813ck.com/
version=0.15
 #5318  by gjf
 Fri Mar 04, 2011 9:45 pm
kareldjag/michk wrote:Certainly a Kav fan:)
Nope :)
I offer my gratitude to Michael Hale Ligh, one of the authors of the excellent Malware Analysts Cookbook
Just because I have read it I can state that this guy just trying to be a pro according to this book. All the same scenarios, all the same tools and a lot of non-systematic work because of absence of every day practice :) Anyway it is quite good practical part for above mentioned book.
I used a tool Michael wrote called tdlcopy.exe that he was kind enough to share.
That is quite interesting, because I did not find such a tool in Internet. Maybe present for the best student? ;)
 #5321  by gigaz
 Sat Mar 05, 2011 10:22 am
http://www.virustotal.com/file-scan/rep ... 1299319912
Code: Select all
[main]
version=0.03
aid=30020
sid=0
builddate=351
rnd=1614895754
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://lo4undreyk.com/;hxxps://sh01cilewk.com/;hxxps://cap01tchaa.com/;hxxps://kur1k0nona.com/;hxxps://u101mnay2k.com/
wsrv=hxxp://gnarenyawr.com/;hxxp://rinderwayr.com/;hxxp://jukdoout0.com/;hxxp://swltcho0.com/;hxxp://ranmjyuke.com/
psrv=hxxp://crj71ki813ck.com/
version=0.15
Attachments
pass= infected
(118.83 KiB) Downloaded 63 times
 #5381  by EP_X0FF
 Wed Mar 09, 2011 12:17 pm
markusg wrote:30185c.exe
http://www.virustotal.com/file-scan/rep ... 1299595629
[main]
version=0.03
aid=30185
sid=0
builddate=351
rnd=299502267
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://lo4undreyk.com/;hxxps://sh01cilewk.com/;hxxps://cap01tchaa.com/;hxxps://kur1k0nona.com/;hxxps://u101mnay2k.com/
wsrv=hxxp://gnarenyawr.com/;hxxp://rinderwayr.com/;hxxp://jukdoout0.com/;hxxp://swltcho0.com/;hxxp://ranmjyuke.com/
psrv=hxxp://crj71ki813ck.com/
version=0.15
All in attach.
Attachments
pass: malware
(184.35 KiB) Downloaded 65 times
 #5454  by Fabian Wosar
 Sun Mar 13, 2011 5:38 pm
Attached is a sample that uses an installation method that at least I haven't seen before in TDL-4. Installation works like this:
  • Renames itself into %TEMP% folder using a seemingly random name.
  • Imports several MSI APIs (MsiInstallProductA, MsiCloseAllHandles, MsiEnableLogA, MsiSetInternalUI) dynamically and by ordinal and drops MSI file with random name inside the %TEMP% folder.
  • The dropper then sets MsiSetInternalUI to INSTALLUILEVEL_NONE to make the installation silent and calls MsiInstallProductA with the dropped package.
  • The MSI package essentially installs a file called DllDropper.dll to the user's %AppData% directory and tries to register it as a COM DLL.
  • In order to register it a new MSIEXEC.EXE process gets started that loads the DLL which may fool some HIPSes or tricks the user into allowing the installation.
  • After DllMain ran and the rootkit was installed MSIEXEC.EXE tries to call DllRegisterService which doesn't exist. This will essentially cause the installation to fail which causes a rollback of all changes (-> DllDropper.dll gets removed).
  • The dropper then removes the MSI file and deletes itself using a ShellExecute call ("cmd /c del ...").
Other than that the rookit appears to be pretty much the same. The attached package includes all dropped files as well as the TDL-4 storage and the original sample.

Detection:
http://www.virustotal.com/file-scan/rep ... 1300035988

Config:
Code: Select all
[main]
version=0.03
aid=50044
sid=0
builddate=351
rnd=436374069
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=https://i0m71gmak01.com/;https://0imh17agcla.com/;https://jna0-0akq8x.com/
wsrv=http://u-a-d-1come.com/;http://z0a-adotcom.com/;http://61zra71kf-a.com/
psrv=http://amazeyapcell.com/;http://8hqka--acom.com/
version=0.169
bsh=d8fd097db3162eb93fdfcace6035fd60900f921d
Last but not least: Don't use a software breakpoint on MsiInstallProductA during reversing. There is a check that checks the function's entry point for hooks and software breakpoints and will simply cause the dropper exit if one is found. Use a hardware breakpoint instead.

Have fun :).
Attachments
Password: "infected"
(365.18 KiB) Downloaded 75 times
  • 1
  • 36
  • 37
  • 38
  • 39
  • 40
  • 60