A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #18758  by p4r4n0id
 Fri Mar 29, 2013 5:52 pm
Ransomware - Kovter : looking at your bowsing history for more credibility (by kafeine)

http://malware.dontneedcoffee.com/2013/ ... -your.html

MD5: 19561b33793dcb865eae56575a899ce8

Sample grabbed from post!
Attachments
pwd: infected
(116.42 KiB) Downloaded 181 times
 #18764  by EP_X0FF
 Sat Mar 30, 2013 5:28 am
Decrypted attached. Sample contain fun AV blacklist.
Attachments
pass: malware
(74.05 KiB) Downloaded 131 times
 #18765  by p4r4n0id
 Sat Mar 30, 2013 8:25 am
EP_X0FF wrote:Decrypted attached. Sample contain fun AV blacklist.
Was not sure if to open a new topic for this one :)
 #18766  by EP_X0FF
 Sat Mar 30, 2013 8:29 am
p4r4n0id wrote:
EP_X0FF wrote:Decrypted attached. Sample contain fun AV blacklist.
Was not sure if to open a new topic for this one :)
Well it comes from the same group doing this ransom http://www.kernelmode.info/forum/viewto ... 3&start=40 and some others. Anyway it completely different in comparison.
 #19398  by EP_X0FF
 Fri May 24, 2013 3:44 am
original
https://www.virustotal.com/en/file/ee94 ... /analysis/

unpacked (UPX[scrambler or crypter], idgaf->Dynamic Drop->UPX->Borland Delphi 6-7 without VCL)
https://www.virustotal.com/en/file/dc62 ... /analysis/

Sample contains AV blacklist
Code: Select all
CODE:00425314 00000018 unicode bdagent.exe    
CODE:00425330 00000016 unicode vsserv.exe     
CODE:0042534C 0000001C unicode BullGuard.exe  
CODE:004253BC 00000016 unicode op_mon.exe     
CODE:004253D8 00000014 unicode avcom.exe      
CODE:004253F0 00000016 unicode tptray.exe     
CODE:00425428 00000010 unicode cfp.exe        
CODE:0042543C 0000001A unicode cmdagent.exe   
CODE:0042545C 00000016 unicode CLPSLS.exe     
CODE:00425478 0000001A unicode dwengine.exe   
CODE:00425498 0000001C unicode dwservice.exe  
CODE:004254B8 00000020 unicode spideragent.exe
and Duqu/Andromeda injection code, malware is WOW64 compatible. The build has been cleaned from original to eradicate some AV detections.

C&C at freons.tk
Lockscreen at hxxp://freons.tk//page/back.jpg
Attachments
pass: infected
(196.55 KiB) Downloaded 123 times
 #19481  by EP_X0FF
 Thu May 30, 2013 8:57 am
6 Kovter droppers.

SHA1
Code: Select all
02341b3c04b1ccc053df196cf34571543d287da9
2060e07809876514ac7cd1fcb9be6d693766fbb6
38daa900c2f7ca07b7c86fe450bf0dbbac653a45
5c27ab7871f9f6119570b609185efac511c8e920
69375fb214ba5de010b16a426d9921ba801924de
de6f8d3b49210dbe12c97dc796ceba7ce2e84d60
Attachments
pass: infected
(744.82 KiB) Downloaded 107 times
 #19838  by EP_X0FF
 Thu Jun 27, 2013 1:00 pm
Second version with anti-forensic features on board against homemade virus analysts who are living mostly in 200x and 199x years. Coder of this sample did good job with reporting events - leaving all sensitive strings in code, making it much more readable. Thanks.

We are starting with
Code: Select all
i:\MySoft\project Locker\optimize orig Binary\kol\err.pas
@0040D1F4 GlobalAntiForensics procedure
@0040CC18 AntiVMWare -> VMX backdoor
@0040CC9C AntiVMWareEx -> rdstc calculating ticks between instructions, > 200? Vmware detected. (I have a bad news for malware writers who copy-paste this for years)
@0040CCB0 AntiVirtualBox -> NtQuerySystemInformation(SystemProcessesAndThreads) -> VBoxService.exe
@0040CD88 AntiVirtualPC -> by invalid instruction
@0040CCEC AntiSandboxie -> by GetModuleHandle("sbiedll.dll")
@0040CD10 AntiThreadExpert -> script-kiddie author mean AntiThreatExpert. By GetModuleHandle("dbghelp.dll")
@0040CDA0 AntiWireshark -> NtQuerySystemInformation(SystemProcessesAndThreads) -> wireshark.exe
@0040CDD8 AntiJoeBox -> same as previous, by "joeboxserver.exe" and "joeboxcontrol.exe" process names
AntiRFP (RegMon @0040CE50, FileMon @0040CE84, ProcMon @0040CEB8)
@0040CF84 AntiAllDebugger -> IsDebuggerPresent and same directly from PEB flag.
@0040CFA0 AntiOllyDbg -> part of previous (blind copy-paste)
@0040D058 AntiSoftIce -> by device symbolic links, hello from 200x
@0040D0CC AntiSyserDebugger -> by device symbolic links
@0040D12C AntiTrwDebugger -> by CreateFile, hello from 199x
@0040CD34 AntiVirtualMachine -> sldt instruction, I have a bad news for ransom author
@0040D14C AntiSunbeltSandboxie -> GetModuleHandle("api_log.dll"), GetModuleHandle("dir_watch.dll")

Collection of primitive and out-of-date methods created by mindless copy-paste.