A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #21900  by Xylitol
 Wed Jan 08, 2014 3:19 pm
Attachments
infected
(14.69 KiB) Downloaded 65 times
 #21913  by teddybear
 Fri Jan 10, 2014 11:54 am
Apparently Zeus sample with zero AV detection at the time of posting:
https://www.virustotal.com/en/file/78b7 ... /analysis/
https://malwr.com/analysis/NThkM2JmYjRk ... gwNjVkNTI/
Code: Select all
78b700e52585776346441eabbf92ee474fcf7b5d71bd01a8eed69f5453abf7ee
hxxps://trudeausociety.com/images/img_silde/themes/classic/pdf.exe
hxxps://pejlain.se/image/templates/pdf.exe
Attachments
 #22087  by Xylitol
 Thu Jan 30, 2014 11:53 am
https://zeustracker.abuse.ch/monitor.ph ... 39.140.114
https://www.virustotal.com/en/file/a734 ... 391082771/
rc4:
Code: Select all
04 00 00 00 0A 00 00 00 00 00 00 00 10 EF 46 BA BC 7D E9 05 CF C8 60 E5 08 5E CD B8 49 52 2A 8A F5 2F C3 8F 3A E7 A3 6A 32 B9 6E D2 1D CD 9F A9 E8 E2 5C 26 D2 05 FF 4C E0 BC 91 9E 7C 4C 94 48 94 AE C8 6E 46 AB 37 22 A6 17 A6 BC 84 68 F1 6C 10 C6 39 02 56 6D 0E 20 F0 7A A8 9C 4E AA 2F E0 5E 6C 16 E2 08 01 18 C2 F8 7B B0 5E 4F 4D 77 A1 11 21 61 43 19 20 79 81 E1 5B C9 DF 36 90 E9 59 27 B1 88 1A 3E 91 F1 9B DF CA 38 44 C2 97 F2 C7 E5 26 7A DD DB B7 8B 46 04 7D B3 02 26 FA 85 35 C3 DC FF E8 18 6B 74 AE 1C 16 C7 AC 57 3C 14 A9 94 E0 EB 41 8C 8B 9F EF 90 9D 58 43 21 14 96 72 64 EC 6E 09 84 1B 6E A0 39 CD 22 66 88 44 D4 47 37 7B A5 B6 84 09 DD AA 17 47 80 E6 34 B5 22 7E 35 9A FB 97 38 EB 3E 6E 15 6E A7 9C 93 1F 53 98 DB D3 D5 7D 2C 1B 86 0D D1 6B 1C F6 57 3C 14 A9 94 E0 EB 41 8C 8B 9F EF 90 9D 58 43 1E 34 65 23 45 02 69 26 C3 FA E6 76 0D 35 14 4D E5 4B 15 DB 5B 36 0C 05 86 F8 8F 50 CE CF F2 3B 96 CD 65 28 BE 7D 19 DE DD CE 83 55 48 37 7D 6B 85 8A 0E D5 28 B0 7C F6 63 B3 9A 8B 95 F9 FE 3E 6A E0 5D FC AD 3A 72 23 4B 03 E6 7D F6 4A 64 B5 5C 85 CB 63 C7 DA 2F DF E6 39 94 5E BD 49 82 C8 5C 3A 77 FD 9B 5F E4 BC 21 E3 BB 81 5B 70 16 96 0F 75 5A C6 C7 65 93 41 BA BC 5F 3D 7A 93 AD 17 FC FB F2 4E C8 10 C9 87 7D D9 CC 7C C0 2F F2 2A 10 EF 46 BA BC 7D E9 05 CF C8 60 E5 08 5E CD B8 8C 53 5D 93 A3 4A 02 3C 19 D5 DB 85 03 03 C9 98 77 E8 9F CD F9 41 32 6F 36 5B B4 C3 F5 30 3D 46 4A D3 AB 37 0C 0F AC 55 8A 4B 19 EA 7A B1 86 08 32 90 17 13 1B FE 95 7F 62 C1 C0 DB F0 70 E7 0F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Attachments
infected
(165.29 KiB) Downloaded 65 times
 #22102  by RageMachine
 Fri Jan 31, 2014 4:21 pm
https://www.virustotal.com/en/file/080c ... /analysis/
PWS:Win32/Zbot

I was wondering if someone could help give me some pointers to unpacking this, as I cannot seem to get it to run to OEP without crashing(or perhaps the binary is damaged?)

I was able to ascertain that it was packed with Mystic Compressor and the only tutorial online I found mentioned no anti-debug protections, however, this one does have some. After a few decryption routines it makes calls to CheckRemoteDebugger and also has several areas where it issues INT 3 interrupts to trap to debugger, however, the first one works by passing the exception down to the application. The following appear to use EAX as a pointer to the PEB to check for BeingDebugged, i was able to pass that area which is about 3-4 INT 3 calls. after it issues a lot of GetProcAddress and virtualallocex a lot to start unpacking some more parts of the application, but shortly after I end up on a 1 line instruction and it crashes since a data section follows (it honestly looks like it jumps into the middle of nowhere)

I'm still pretty new but im working hard at this, so any help appreciated.
Attachments
infected
(198.22 KiB) Downloaded 52 times
 #22127  by SomeUnusedName
 Mon Feb 03, 2014 10:10 am
RageMachine wrote:I'm still pretty new but im working hard at this, so any help appreciated.
Honestly, the easiest way is to use plugins for the anti-debug stuff - either StrongOD or Olly PhantOm. Malware uses so many different packers, it's a waste of time trying to understand each of them. Initially, unpacking binaries without plugins is fine though, as you'll have to learn what anti-debug measures there are and how to circumvent them.

Another thing: The sample you are working on is a hardware-bound clickfraud Zeus. The OEP is 42B00B, but this is only a stub that decrypts the "actual" Zeus based on your volume mount point name or something, I forgot. Basically, you will not find the actual binary you're interested in unless it's running on the computer it was created on. Maybe you have the dropper for that binary?
 #22131  by RageMachine
 Mon Feb 03, 2014 4:30 pm
SomeUnusedName wrote:
RageMachine wrote:I'm still pretty new but im working hard at this, so any help appreciated.
Honestly, the easiest way is to use plugins for the anti-debug stuff - either StrongOD or Olly PhantOm. Malware uses so many different packers, it's a waste of time trying to understand each of them. Initially, unpacking binaries without plugins is fine though, as you'll have to learn what anti-debug measures there are and how to circumvent them.

Another thing: The sample you are working on is a hardware-bound clickfraud Zeus. The OEP is 42B00B, but this is only a stub that decrypts the "actual" Zeus based on your volume mount point name or something, I forgot. Basically, you will not find the actual binary you're interested in unless it's running on the computer it was created on. Maybe you have the dropper for that binary?
I see! Thanks for letting me know, I don't have a dropper but I knew I should have hit the OEP. And yes, I am using some plugins for Olly, i cannot get Phant0m to show up in the plugin list but I do have StrongOD, in addition to IDA's Stealth plugin. I do want to learn a bit more about packers, though, for my own sake of being familiar with them and this helped me alot (understanding some of the measures it took). In the future what I usually try to do is static analysis followed by either a sandboxed dump & fix with BSA or trying to find the OEP by hand rather than rely too much on automatic unpackers or pre-unpacked samples. I was hoping this one would work out but Ill have to find another, since im also testing out using local Vm's with Apgate&InetSim, as well as fiddler, to look at traffic. I know enough about windows internals now that i guess this is my 'next step'. Thank you for the guidance! I'm hoping to get as good as other members here within 1 year so i'm really pushing
 #22306  by g0r_
 Wed Feb 26, 2014 2:55 am
Some service with couple of C2's - only one with sample at moment.
Code: Select all
hxxp://89.33.0.199/service/ay/js/
hxxp://89.33.0.199/service/ay/nay.exe
hxxp://89.33.0.199/service/ay/js/gate.php
hxxp://89.33.0.199/service/ay/js/config.bin
hxxp://89.33.0.199/service/ay/js/cp.php?m=login
hxxp://89.33.0.199/service/ay/js/_reports/

md5:  be0fd3c79a55542364f04fe2177551c9
sha1: 5508552ea669378f4c9920e6a80da1fc3600aff3

https://malwr.com/analysis/OGE4YTY4NDk1NmQ5NDlhNWE5MzY5YTBlMTA2NDRjYWQ/
Attachments
pass: infected
(346.84 KiB) Downloaded 66 times
 #22310  by comak
 Wed Feb 26, 2014 11:05 am
rc4:
Code: Select all
18 3f 76 ba 28 9d 1f 84 ed 6f da 17 a1 51 4d 48 ec 43 89 22 27 2e a9 df c5 57 71 e6 e3 4a f8 75 f6 ca 69 35 29 1a 59 87 82 3b 23 04 e0 86 45 4b 70 1b 8b 37 21 19 db ad cf 25 93 47 1d 64 fd b5 68 15 07 91 aa b9 0a 67 6c b4 ee bd a7 
d7 0f 62 ff 02 b0 a2 2c ae c6 e1 94 5b 72 5d 85 92 c7 98 60 d9 9c 3a 9a 80 e9 ac 56 d0 24 7b fe 11 ab fa 4e d2 73 00 39 53 83 5a d4 e4 4c e7 14 33 8c 13 66 09 e8 3c c4 99 d8 b1 41 b6 0d a8 9b a0 34 c3 44 2f 1c 78 3d 97 c8 01 ea bf 
b2 2d 40 ce 32 a4 a5 5c c2 2b cc 7c 38 5e 5f 49 0c ef 10 f2 0b b8 4f 7e a6 d1 0e 36 55 8d af fc 88 6e f3 d3 7d a3 bc 05 54 eb 9f 61 d5 cd 31 20 90 bb c0 77 f0 46 42 16 26 9e e5 96 8a 6d 30 08 f7 f1 58 b3 cb 7a de 6a d6 52 3e f5 65 
63 06 95 81 1e 03 fb 6b dd 74 8f c1 c9 e2 dc 2a 79 12 b7 7f f4 50 8e f9 be 00 00
cfg attached
Attachments
pass: infected
(15.09 KiB) Downloaded 73 times
  • 1
  • 21
  • 22
  • 23
  • 24
  • 25
  • 29