[Quads]

Here is a Trojan Tracur variation attached, if people want to play.

Quads

[EP_X0FF]

Hello,

late reply, but anyway.

Extracts payload dll named avtapi32.dll to %systemroot%\system32 folder and registers it as BHO.

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

{E0D4D66C-EF0B-43B9-A4D6-4F97C292C8Aa} Dynamic Link Run Time Library (VCL MT) (Not verified) Inprise Corporation c:\windows\system32\avtapi32.dll

Since it's BHO, it loads together with IE for example.
Payload packed with UPX 3.04 + cryptor.
Unpacked dll readable strings.

CLSID\{%s} XMLHTTP_UUID_Default Software\Microsoft\Internet Explorer\Main %s\Software\Microsoft\Internet Explorer\Main Both ThreadingModel InprocServer32
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects bad cast {%s} SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{%s}
^(http*://)([^/\?]*\.|)ask\.com(|\.[a-z\.]{2,10})(/.*\?)(.*&|)q=([^&]+).*$ ^(http*://)([^/\?]*\.|)search\.netscape\.com(|\.[a-z\.]{2,10})(/.*\?)(.*&|)query=([^&]+).*$
^(http*://)([^/\?]*\.|)snap\.com(|\.[a-z\.]{2,10})(/.*\?)(.*&|)query=([^&]+).*$ ^(http*://)([^/\?]*\.|)hotbot\.com(|\.[a-z\.]{2,10})(/.*\?)(.*&|)query=([^&]+).*$
^(http*://)([^/\?]*\.|)gigablast\.com(|\.[a-z\.]{2,10})(/.*\?)(.*&|)q=([^&]+).*$ (http*[:%3A]+//)([^/\?]*\.|)alltheweb\.com(|\.[a-z\.]{2,10})(/.*\?)(.*&|)q=([^&]+).*$
(http*[:%3A]+//)([^/\?]*\.|)altavista\.com(|\.[a-z\.]{2,10})(/.*\?)(.*&|)q=([^&]+).*$ ^(http*://)([^/\?]*\.|)search\.netscape\.com(|\.[a-z\.]{2,10})(/.*)+?(.*&|)q=([^&]+).*$
^(http*://)([^/\?]*\.|)search\.lycos\.com(|\.[a-z\.]{2,10})(/.*\?)(.*&|)query=([^&]+).*$ ^(http*://)([^/\?]*\.|)search\.aol\.com(|\.[a-z\.]{2,10})(/.*)+?(.*&|)query=([^&]+).*$
^(http[s]*://)([^/\?]*\.|)bing\.com(|\.[a-z\.]{2,10})(/.*\?)(.*&|)q=([^&]+).*$ (http[s]*://)([^/\?]*\.|)search\.yahoo\.com(|\.[a-z\.]{2,10})(/.*\?)(.*&|)p=([^&]+).*$
^(http[s]*://)([^/\?]*\.|)google(|\.[a-z\.]{2,10})(/.*#)(.*&|)q=([^&]+).*$ ^(http[s]*://)([^/\?]*\.|)google(|\.[a-z\.]{2,10})(/.*\?)(.*&|)q=([^&]+).*$
Referer: %s %s?q=dummy&%s%s Ђ°†Z vector<T> too long И°†Z invalid vector<T> subscript %x _ s e l f
Referer: %%%2x + .tmp %08x c:\ 0±эY x±†Z & adurl= localhost/search about::blank search_query= youtube.com/results ask.com snap.com
hotbot.com gigablast.com alltheweb.com altavista.com search.lycos.com bing.com search.netscape.com query= search.aol.com p= search.yahoo.com /images?
/videosearch? /news? /maps? /preferences? /advanced_search? /search? q= google. about:blank vimeo. video.google. facebook. tube. myspace. wikipedia.
127.0.0.1:4664 Control URL: [%s]
none &t=direct %s?q=%s&su=%s&%s&z=%s po-link po-unselected A a /setprefs\?sig=[A-Za-z0-9_]+=&suggon=2&prev= р?%ul
^(http[s]*://)([^/\?]*\.|)facebook\.com(|\.[a-z\.]{2,10})(/campaign/redirect.php.*)$ ^(http[s]*://)([^/\?]*\.|)ard\.yahoo\.com(|\.[a-z\.]{2,10})(/.*)$
^(http[s]*://)([^/\?]*\.|)g\.msn\.com(|\.[a-z\.]{2,10})(/.*)$ ^(http[s]*://)([^/\?]*\.|)ad\.doubleclick\.net(|\.[a-z\.]{2,10})(/click.*)$
^(http[s]*://)([^/\?]*\.|)googleads\.g\.doubleclick\.net(|\.[a-z\.]{2,10})(/aclk.*)$ Software\%s\CLSID %s\Software\%s\CLSID CLSID\ Software\ \CLSID aid:200
SOFTWARE\Classes\.fsharproj\PersistentHandler %d Version 0 (null) u=%s&a=%s&i=%s&s=%s
num alpha cntrl digit graph lower print punct space upper xdigit

Payload dll also contains 3 embedded files, one of it - ZIP archive (see attach, no pass).

Others:

pref("extensions.xulcache.PLEASE_DONT_TOUCH.u", "%s");
pref("extensions.xulcache.PLEASE_DONT_TOUCH.a", "%s");
pref("extensions.xulcache.PLEASE_DONT_TOUCH.i", "%s");
pref("extensions.xulcache.PLEASE_DONT_TOUCH.s", "%s");

content xulcache jar:chrome/xulcache.jar!/content/
overlay chrome://browser/content/browser.xul chrome://xulcache/content/overlay.xul

<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:em="http://www.mozilla.org/2004/em-rdf#">
<Description about="urn:mozilla:install-manifest">
<em:name>XUL Cache</em:name>
<em:id>%s</em:id>
<em:version>1.0</em:version>
<em:creator>Canonical Ltd.</em:creator>
<em:description>XUL cache support for firefox extensions/plugins.</em:description>
<em:type>2</em:type>
<em:hidden>true</em:hidden>
<em:targetApplication>
<Description>
<em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
<em:minVersion>1.5</em:minVersion>
<em:maxVersion>4.*</em:maxVersion>
</Description>
</em:targetApplication>
</Description>
</RDF>

Payload - downloader.

[fatdcuk]

Gee half an install :lol:

Current online installers

Code: Select all

http://91.217.153.48/stat/poxl1.php
http://91.217.153.48/stat/poxl2.php
http://91.217.153.48/stat/poxl3.php
http://91.217.153.48/stat/poxl4.php

Try one of those EP and to get the full Tracur install ;)
http://www.virustotal.com/file-scan/rep ... 1288837308

[fatdcuk]

Looks like they now using Facebook to search out new installs.

Updated and modified install.>>no P2P component + new install patterns away from %SYSDIR% and specific to existing application folders.

Dropper
http://www.virustotal.com/file-scan/rep ... 1317125017

Dropped MZ's attached
http://www.virustotal.com/file-scan/rep ... 1317052211
http://www.virustotal.com/file-scan/rep ... 1317012970
http://www.virustotal.com/file-scan/rep ... 1316980985
http://www.virustotal.com/file-scan/rep ... 1317088211

[Neurofunk]

Sucpicious DLL file I came across on a users machine it currently has a 1/42 detection on VirusTotal (2 days after I uploaded it to VT originally), not sure what threat it is tied to but it launches 2 IExplore processes in the background and starts itself using Rundll32 and a key in HKEY_USERS instead of using HKLM or HKCU.

Virus Total Link
Detection Ratio: 1/42