A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #20072  by unixfreaxjp
 Fri Jul 12, 2013 5:54 pm
The botnet looks down, thanks to all.
1. GetUserNameA -> UserName
2. LookupAccountNameA for UserName -> SID
3. Get "InstallDate" from "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion" -> InstallDate
4. Buffer = SID + InstallDate + UserName
5. MD5(Buffer)
Result: 5F1616138920D0313952D7FFC480B759

5F161613 is the first part of the MD5
↑ Very important information. Thank you.
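The bot-ID derivation listed above, and the use of its first 8 hex characters as the RC4 key for the GET parameter mentioned later in the thread, as an added example (not code from the thread or from the loader itself). It assumes the SID is concatenated in its textual S-1-5-... form and InstallDate as its decimal string, neither of which the post specifies; all host values and the request payload are constructed.

```python
import base64
import hashlib

# Bot ID as described in the post: MD5 over SID + InstallDate + UserName.
# Assumption (not stated in the post): the SID is used in its textual "S-1-5-21-..." form
# and the InstallDate REG_DWORD is rendered as its decimal string before concatenation.
def bot_id(sid: str, install_date: int, user_name: str) -> str:
    buffer = (sid + str(install_date) + user_name).encode("ascii")
    return hashlib.md5(buffer).hexdigest().upper()


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def request_key(bot_id_hex: str) -> bytes:
    """The first 8 hex characters of the bot ID serve as the RC4 key (per the thread)."""
    return bot_id_hex[:8].encode("ascii")


def decode_info_param(bot_id_hex: str, info_param: str) -> bytes:
    """Decode a captured base64 'info=' GET parameter with the infected host's bot ID."""
    return rc4(request_key(bot_id_hex), base64.b64decode(info_param))


def encode_info_param(bot_id_hex: str, plaintext: bytes) -> str:
    """Inverse of decode_info_param; used here only to build a constructed sample."""
    return base64.b64encode(rc4(request_key(bot_id_hex), plaintext)).decode("ascii")


if __name__ == "__main__":
    # Constructed host artifacts and payload, not taken from any real infection.
    bid = bot_id("S-1-5-21-1111111111-2222222222-3333333333-1001", 1373650000, "alice")
    sample = encode_info_param(bid, b"id=" + bid.encode("ascii") + b";group=test")
    print(bid, request_key(bid), decode_info_param(bid, sample))
```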
 #20192  by EX!
 Mon Jul 22, 2013 4:16 pm
Kuluoz

Malware Site Link: hxxp://samouchitel.com.ua/img/info.php?info=fkMWRyMw8sZV4ceLKdR61A==
Attachments
password = infected
 #20617  by inf0secguy0
 Wed Aug 28, 2013 3:33 am
So I understand the method to decrypt the GET requests, using the first 8 chars as a key for the RC4. I'm OK with how the ID is being MD5'd, but can anyone help out with how the IP list is being encrypted. I've attempted to decrypt the IP list file (i.e. /index.php?r=gate/getipslist&id=*) using the same RC4 method, but I am not getting anywhere. Apologies if this is a newbie question but can anyone point me in the right direction?
 #21097  by Win32:Virut
 Mon Oct 07, 2013 3:26 pm
MD5: 727b8ed7c51734eafdee691431a15e6d
File size: 42.0 KB ( 43008 bytes )
File name: VoiceMail.exe
File type: Win32 EXE
Detection ratio: 10 / 48
Analysis date: 2013-10-07 15:19:43 UTC ( 0 minutes ago )
https://www.virustotal.com/en/file/8760 ... 381159183/
http://camas.comodo.com/cgi-bin/submit? ... 9d492addde
 #21385  by unixfreaxjp
 Wed Nov 13, 2013 6:17 am
MD5: 727b8ed7c51734eafdee691431a15e6d
File size: 42.0 KB ( 43008 bytes )
File name: VoiceMail.exe
New botnet version. Summary:
Code:
1. New POST wrapped with md5 hash seeded per infected PC.
2. BotID is not changed. Posted URL is the same.
3. CNC data was downloaded as a file in data.bin. Additionally the key.bin.
4. New encryption detected.
5. HTTPS request was coming up, Microsoft Crypto libs are used.
All details were posted here by StopMalvertising: http://stopmalvertising.com/malware-rep ... cheme.html
Additionally my reverse pad is here: http://pastebin.com/B3X3k9My
Samples attached
*) The sample was found by StopMalvertising
Attachments
pwd: infected
 #21776  by forty-six
 Mon Dec 23, 2013 2:30 pm
Confirmed
Code:
.txt
open
Software
"For base!!!!!"
"For base!!!!!"
"For base!!!!!"
"For base!!!!!"
Software\
"For base!!!!!"
"For base!!!!!"
"For base!!!!!"
http://%[^:]:%d/%s
*/*
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0"
POST
"Content-Type: application/x-www-form-urlencoded"
svchost.exe
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
ntdll.dll
NtQueryInformationProcess
NtReadVirtualMemory
exkfK0CE
"For base!!!!!"
%1024[^=]=%1024[^;]
"For base!!!!!"
"For base!!!!!"
%1024[^=]=%1024[^;]
data
task
type
idl
run
rem
rdl
autorun
red
upd
src
name
ips
ntdll.dll
_stricmp
strcat
strlen
strcpy
sprintf
sscanf
memset
memcpy
NtQueryInformationProcess
ZwReadVirtualMemory
ZwMapViewOfSection
NtCreateSection
ZwUnmapViewOfSection
ZwResumeThread
pvJJrlhN
"Microsoft Base Cryptographic Provider v1.0"
.exe
2212r
rO6MK0BDEv
<knock><id>%s</id><group>%s</group><src>%d</src><transport>%d</transport><time>%d</time><version>%d</version><status>%d</status
/index.php?r=gate
.exe
Software\
%[^:]:%d
Software\
Software\Microsoft\Windows\CurrentVersion\Run
3)6{
>`IsWow64Process
kernel32
"%d.%d x%d"
WQL
antivirus0
ROOT\SecurityCenter
ROOT\SecurityCenter2
"SELECT * FROM AntiVirusProduct"
displayName
none
firewall0
ROOT\SecurityCenter
ROOT\SecurityCenter2
"SELECT * FROM FirewallProduct"
displayName
none
wireshark.exe
Tfrmrpcap
iptools.exe
"Iris - Version 5.59"
ProcessLasso_Notification_Class
TSystemExplorerTrayForm.UnicodeClass
PROCMON_WINDOW_CLASS
PROCEXPL
WdcWindow
ProcessHacker
99929D61-1338-48B1-9433-D42A1D94F0D2-x64
99929D61-1338-48B1-9433-D42A1D94F0D2-x32
99929D61-1338-48B1-9433-D42A1D94F0D2
Dumper
Dumper64
APISpy32Class
VMwareDragDetWndClass
VMwareSwitchUserControlClass
vmtoolsd.exe
prl_cc.exe
prl_tools.exe
SharedIntApp.exe
VBoxTray.exe
VBoxService.exe
vmusrvc.exe
vmsrvc.exe
SYSTEM\CurrentControlSet\services\Disk\Enum
VMware
PTLTD
Virtual
HARDWARE\DESCRIPTION\System\BIOS
VMware
SystemProductName
PTLTD
SystemProductName
VMware
SystemManufacturer
PTLTD
SystemManufacturer
HARDWARE\ACPI\DSDT\PTLTD__
SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD&DEV_0774&SUBSYS_040515AD&REV_00
SYSTEM\CurrentControlSet\services\Disk\Enum
SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD&DEV_0774&SUBSYS_074015AD&REV_00
Virtual
SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00
PRLS
HARDWARE\DESCRIPTION\System\BIOS
Virtual
SystemProductName
PRLS
SystemProductName
Virtual
SystemManufacturer
PRLS
SystemManufacturer
SYSTEM\CurrentControlSet\services\Disk\Enum
VBox
HARDWARE\DESCRIPTION\System\BIOS
VBox
SystemProductName
VBox
SystemManufacturer
HARDWARE\ACPI\DSDT\VBOX__
SYSTEM\CurrentControlSet\services\Disk\Enum
AMIBI
HARDWARE\DESCRIPTION\System\BIOS
AMIBI
SystemProductName
AMIBI
SystemManufacturer
SYSTEM\CurrentControlSet\Enum\PCI\VEN_5333&DEV_8811&SUBSYS_00000000&REV_00
HARDWARE\ACPI\DSDT\AMIBI
SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE&DEV_BEEF&SUBSYS_00000000&REV_00
SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00
RtlDecompressBuffer
ntdll.dll
RtlGetCompressionWorkSpaceSize
ntdll.dll
RtlCompressBuffer
ntdll.dll
http://
%[^:]:%d
"You fag!!!!!"
"You fag!!!!!"
"You fag!!!!!"
"You fag!!!!!"
"You fag!!!!!"
"You fag!!!!!"
"You fag!!!!!"
"You fag!!!!!"
"You fag!!!!!"
"You fag!!!!!"
Software
"You fag!!!!!"
"You fag!!!!!"
"You fag!!!!!"
Software\
Software
"For group!!!!!"
"For group!!!!!"
"For group!!!!!"
Software\
"For group!!!!!"
"For group!!!!!"
"For group!!!!!"
"For group!!!!!"
advapi32.dll
MD5Init
MD5Update
MD5Final
"Software\Microsoft\Windows NT\CurrentVersion"
InstallDate
\\.\A:
\\.\A:
bb10bd00-c135-11e2-b7ac-005056c00008
c540500f-c135-11e2-b348-005056c00008
bb10bd00-c135-11e2-b7ac-005056c00008
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
ShowSuperHidden
CabinetWClass
CabinetWClass
K.$
<5IkQ
K.$
K.$
K.$
s1q4
w}v
<5IkQ
<5IkQ
K.$
fKg
Kp>
m7.
QZ:
QZN
m7.
HeapFree
HeapAlloc
loseHandle
WriteFile
CreateFileA
VirtualFree
VirtualAlloc
CreateProcessA
ResumeThread
SetEvent
OpenEventA
WideCharToMultiByte
OpenProcess
GetCurrentProcessId
GetProcAddress
GetModuleHandleA
ReadFile
GetFileInformationByHandle
Sleep
GetSystemTimeAsFileTime
DeleteFileA
GetTickCount
TerminateProcess
GetCurrentProcess
GetLastError
CreateMutexA
HeapCreate
GetVersionExA
CreateThread
LoadLibraryA
GetProcessHeap
CreateEventA
opyFileW
GetVolumeInformationW
FindClose
FindNextFileW
SetFileAttributesW
FindFirstFileW
ExitThread
FindNextChangeNotification
WaitForMultipleObjects
FindFirstChangeNotificationW
DeviceIoControl
CreateFileW
GetLogicalDrives
GetDriveTypeW
GetVolumePathNameW
KERNEL32.dll
FindWindowA
DispatchMessageA
TranslateMessage
GetMessageA
SetWindowLongA
reateWindowExA
RegisterClassExA
DefWindowProcA
GetWindowLongA
PostMessageA
FindWindowExA
USER32.dll
RegCloseKey
RegEnumValueA
RegEnumKeyExA
RegOpenKeyA
RegSetValueExA
RegCreateKeyA
RegDeleteKeyA
CryptDestroyHash
CryptVerifySignatureA
CryptHashData
CryptCreateHash
CryptEncrypt
RegOpenKeyExA
RegDeleteValueA
RegQueryValueExA
CryptAcquireContextA
LookupAccountNameA
GetUserNameA
ADVAPI32.dll
ShellExecuteA
SHGetSpecialFolderPathA
SHELL32.dll
CoCreateInstance
oInitialize
oSetProxyBlanket
ole32.dll
OLEAUT32.dll
WS2_32.dll
nternetCloseHandle
InternetReadFile
ttpSendRequestA
ttpOpenRequestA
nternetConnectA
InternetOpenA
WININET.dll
free
malloc
memset
wcstombs
_wcsicmp
mbstowcs
memcpy
sprintf
calloc
strstr
_wcsdup
MSVCRT.dll
CryptStringToBinaryA
CryptImportPublicKeyInfo
CryptDecodeObjectEx
CRYPT32.dll
dll.dll
Work
RSDS
"C:\Users\DmitryHELL\Documents\SysIQUA\loader_1.4 r\loader_v4\loader_v3\Release\dll.pdb"
"-----BEGIN PUBLIC KEY-----"
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCUAUdLJ1rmxx+bAndp+Cz6+5I
Kmgap2hn2df/UiVglAvvg2US9qbk65ixqw3dGN/9O9B30q5RD+xtZ6gl4ChBquqw
jwxzGTVqJeexn5RHjtFR9lmJMYIwzoc/kMG8e6C/GaS2FCgY8oBpcESVyT2woV7U
00SNFZ88nyVv33z9+wIDAQAB
"-----END PUBLIC KEY-----"
"Unknown ERROR! Please wait and try again later."
jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj
"1.0.6, 6-Sept-2010"

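The gate URI, the getipslist action mentioned earlier in the thread and the hard-coded Firefox 25 User-Agent from the strings above, applied as proxy-log detection logic over constructed log lines; this is an added example, not code from the thread, and the tab-separated log format is an assumption.

```python
import re
from typing import Optional

# Network indicators taken from the strings dump: the gate URI, the getipslist
# action seen in the thread, and the hard-coded Firefox 25 User-Agent.
GATE_URI = re.compile(r"/index\.php\?r=gate(?:/[A-Za-z]+)?(?:&id=[^\s&]+)?")
LOADER_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0"

# Constructed proxy log (assumed tab-separated: time, client, method, url, user-agent).
# These lines are made up for the example; 203.0.113.10 is a documentation address.
SAMPLE_LOG = "\n".join([
    "\t".join(["2013-12-23T14:30:01Z", "10.0.0.5", "POST",
               "http://203.0.113.10:8080/index.php?r=gate", LOADER_UA]),
    "\t".join(["2013-12-23T14:30:02Z", "10.0.0.5", "GET",
               "http://203.0.113.10:8080/index.php?r=gate/getipslist"
               "&id=5F1616138920D0313952D7FFC480B759", LOADER_UA]),
    "\t".join(["2013-12-23T14:30:03Z", "10.0.0.7", "GET",
               "http://example.org/index.php?r=site/index", LOADER_UA]),
    "\t".join(["2013-12-23T14:30:04Z", "10.0.0.9", "GET",
               "http://example.org/", "curl/7.32.0"]),
])


def classify(line: str) -> Optional[dict]:
    """Return a hit record for a line whose URL carries the gate URI, else None."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 5:
        return None  # malformed line: skip it rather than guess at the fields
    ts, client, method, url, ua = fields
    m = GATE_URI.search(url)
    if not m:
        return None
    id_match = re.search(r"&id=([^\s&]+)", m.group(0))
    return {
        "time": ts, "client": client, "method": method, "url": url,
        "action": "getipslist" if "/getipslist" in m.group(0) else "gate",
        "bot_id": id_match.group(1) if id_match else None,
        "ua_match": ua == LOADER_UA,  # corroborating indicator, not sufficient alone
    }


def scan(log: str) -> list:
    """Run classify over every line of a log and keep only the hits."""
    return [hit for hit in (classify(line) for line in log.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```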