A forum for reverse engineering, OS internals and malware analysis 

 #24653  by Patrick
 Thu Dec 18, 2014 1:24 pm
hx1997 wrote:
Patrick wrote: Thanks for the quick reply.

Unless I am blind though, or unless one (or many) of those hashes are the same, just differently packaged, etc., neither db405ad775ac887a337b02ea8b07fddc nor 01c2f321b6bfdb9473c079b0797567ba is included in that sample.

https://www.us-cert.gov/ncas/alerts/TA14-329A
Unusual stage 1 files apparently compiled from various public source codes merged with malicious code:

01c2f321b6bfdb9473c079b0797567ba

47d0e8f9d7a6429920329207a32ecc2e

744c07e886497f7b68f6f7fe57b7ab54

db405ad775ac887a337b02ea8b07fddc
db405ad775ac887a337b02ea8b07fddc and 01c2f321b6bfdb9473c079b0797567ba are MD5 hashes. 225e9596de85ca7b1025d6e444f6a01aa6507feef213f4d2e20da9e7d5d8e430 and 392f32241cd3448c7a435935f2ff0d2cdc609dda81dd4946b1c977d25134e96e are their equivalent SHA256 hashes respectively, which are both included in that sample. Thought you'd know that; they're the same files with hashes of different algorithms.
Wow, I feel like an idiot. My explorer window wasn't wide enough so I thought they were just MD5 hashes and not SHA256. Embarrassing.

Thanks a lot for clearing that up.
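The mix-up above (an IoC list that carries MD5 for some files and SHA256 for others) is a routine source of missed matches when triaging samples. The following script is an added example, not code from this thread or from US-CERT: it classifies each IoC string by its hex length, computes MD5, SHA-1 and SHA256 of a sample, and reports which IoC entries match under their own algorithm, so a list mixing digest types is handled uniformly. The sample bytes and the last two IoC entries are constructed for the demonstration; the first four entries are the hashes quoted in the post.

```python
import hashlib
from typing import Dict, List, Tuple

# IoC list as a defender might receive it: MD5 and SHA256 strings side by side.
# The first four entries are the digests quoted in the thread above. The last
# two are constructed values (digests of SAMPLE_BYTES below), not real IoCs.
IOC_LIST = [
    "db405ad775ac887a337b02ea8b07fddc",
    "01c2f321b6bfdb9473c079b0797567ba",
    "225e9596de85ca7b1025d6e444f6a01aa6507feef213f4d2e20da9e7d5d8e430",
    "392f32241cd3448c7a435935f2ff0d2cdc609dda81dd4946b1c977d25134e96e",
    "900150983CD24FB0D6963F7D28E17F72",  # constructed: MD5 of b"abc", upper-case on purpose
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",  # constructed: SHA256 of b"abc"
]

# Constructed stand-in for a sample file; in practice read the file in binary mode.
SAMPLE_BYTES = b"abc"

# Hex digest length -> algorithm name as hashlib knows it.
HEX_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_hash(value: str) -> str:
    """Guess the digest algorithm from the hex length of an IoC string.

    Returns 'unknown' for non-hex input or a length that is not MD5/SHA-1/SHA256.
    """
    v = value.strip().lower()
    if not v or any(c not in "0123456789abcdef" for c in v):
        return "unknown"
    return HEX_LENGTHS.get(len(v), "unknown")


def file_hashes(data: bytes) -> Dict[str, str]:
    """Compute all three digests once so every IoC type can be compared."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def match_iocs(data: bytes, iocs: List[str]) -> List[Tuple[str, str]]:
    """Return (algorithm, ioc) pairs whose digest equals the sample's digest of that algorithm.

    Comparison is case-insensitive, so upper-case entries from a report still match.
    """
    digests = file_hashes(data)
    hits: List[Tuple[str, str]] = []
    for ioc in iocs:
        algo = classify_hash(ioc)
        normalized = ioc.strip().lower()
        if algo != "unknown" and digests[algo] == normalized:
            hits.append((algo, normalized))
    return hits


if __name__ == "__main__":
    for algo, ioc in match_iocs(SAMPLE_BYTES, IOC_LIST):
        print(f"match on {algo}: {ioc}")
```

Length-based classification is a convenience, not proof: a 32-hex-character string could equally be a truncated SHA256 or an unrelated identifier, so treat the algorithm guess as a hint and, where the report says which algorithm it used, prefer that.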
 #24655  by nullandnull
 Thu Dec 18, 2014 5:15 pm
Hello,

I got PMed about the 'CraP' tag location. I don't have enough activity on the forum to respond directly. The address can be found at 0x001859D in db405ad775ac887a337b02ea8b07fddc.
INIT:0001859D                 push    'CraP'          ; Tag
INIT:000185A2                 push    20h             ; NumberOfBytes
INIT:000185A4                 push    edi             ; PoolType
INIT:000185A5                 call    ds:ExAllocatePoolWithTag
Cheers.
 #24931  by kerneldriver
 Tue Jan 13, 2015 3:54 pm
EP_X0FF wrote: Reconstructed from memory dump Regin driver mentioned in the above article.
Please, could you report the original file's MD5 and the command you used to run it? When I tried through rundll32 I could not insert a valid exported function number because there are no exported functions in my samples. If I change the extension to ".sys" and try to load the file with "sc", like I normally can do with kernel drivers, I get the following error:
[SC] StartService FAILED 170:

The requested resource is in use.
 #24934  by EP_X0FF
 Tue Jan 13, 2015 4:13 pm
kerneldriver wrote:
EP_X0FF wrote: Reconstructed from memory dump Regin driver mentioned in the above article.
Please, could you report the original file's MD5 and the command you used to run it? When I tried through rundll32 I could not insert a valid exported function number because there are no exported functions in my samples. If I change the extension to ".sys" and try to load the file with "sc", like I normally can do with kernel drivers, I get the following error:
[SC] StartService FAILED 170:

The requested resource is in use.
Of course it won't work. You didn't read what I wrote.
Reconstructed from memory dump Regin driver mentioned in the above article.

You still can't run it, but you can disassemble it and do static analysis -> all structure recovered.
 #24955  by kerneldriver
 Thu Jan 15, 2015 11:30 am
Actually I understood you took the memory dump after having launched the sample. It is not clear what you mean with "you still can't run it" because I take memory dumps while I run the application. Of course, the dump is not always runnable, but to have a dump I have to run something. So my question is about running the original sample (not the dump), DB405AD775AC887A337B02EA8B07FDDC.
 #24957  by EP_X0FF
 Thu Jan 15, 2015 3:33 pm
kerneldriver wrote: Actually I understood you took the memory dump after having launched the sample
No you don't understand again. Is it sort of trend or you cannot into reading?

This file is from the article-mentioned hash, recovered by simply inserting an MZ/PE structure. That is all. It is still a dump full of initialized data and discarded code. Not possible to run but possible to look at in the disassembler. Is it clear enough now? This thread is overall a candidate for the Trashcan, where this malware should have been from the beginning of this idiotic PR campaign.

A guy from an unknown organization came up to the Regin infected computer, started some tool and dumped memory, maybe all system memory to the disk. Next he found Regin driver regions (it is simple because this lol-i-don't-know-what MARKS it after zeroing the memory that describes the MZ stub and PE header of the file - probably a simple memset at driver entry). So he cut the bytes to a file, including the mark signature, and SURPRISE(!) sent it to VirusTotal. ROFL. What the fucking point of that was is unknown. Next this trash from VT came up in a number of mass media idiotic blogposts - where other home made analysts found extremely stealth IRQL checks inside. Comedy section idiotism.