A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #17693  by rough_spear
 Sat Jan 12, 2013 7:20 pm
Hi All,

one Kelihos sample file.

VT Link - https://www.virustotal.com/file/bcacfe2 ... 358017225/

SHA256: bcacfe282e96c71301491e15aef3b8fabc50ccdfac777502e4aa36ffa8f7a991
SHA1: 26585c28a032a68222c6cbbc304bdab2a33266f0
MD5: a9387bd562be28a18237b0cccb5acb90

Regards,

rough_spear. ;)
Attachments
password - infected.
 #17699  by R136a1
 Sun Jan 13, 2013 11:47 am
Fresh Kelihos Downloader: https://www.virustotal.com/file/7bcce4a ... /analysis/

MD5: 4fbddeb0acc378b93c7d8d1abc7e067c
SHA1: 28bebb04df75e2aca0824123ca2d7ecf639fcd7b

Autorun: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run as SonyAgent

The downloader installs the (signed) WinPcap driver (npf.sys) and uses it for communication with the C&C server (see: https://www.winpcap.org/docs/docs_40_2/ ... _code.html + https://www.winpcap.org/docs/docs_41b5/ ... ioctl.html). This way it circumvents driver signing on 64-bit Windows and AV detection of a custom driver, and can use a covert channel for communication. It downloads the following file from gehxehib.ru (h**p://gehxehib.ru/keybex3.exe):

keybex3.exe (attached)
MD5: DA938135BB95E69CF3350FA9018B0085

Keybex3.exe is an information gathering and spambot tool.

Be careful: keybex3.exe infects USB sticks (nothing new, but noteworthy). It creates a .lnk file in the USB storage and then copies itself as "game.exe" into it. Thereafter it sets the game.exe attribute to "hidden", so you only see the link file named "Shortcut to game". If you open the link file, you actually start the game.exe file.
The link file has the following parameters:

C:\WINDOWS\system32\cmd.exe F/c "start %cd%\game.exe"


Google search term for more Kelihos samples: "site:virustotal.com keybex3.exe npf.sys"
Attachments
pass: infected
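The USB-spreading pattern described in the post above (a "Shortcut to game" .lnk beside a hidden game.exe) as an added detection example; this is not code from the post or the thread. It scans a removable drive root for that pairing; the LNK handling is a deliberate string-search heuristic over the UTF-16LE string data rather than a full Shell Link parser, and the sample drive it builds is constructed for the demo.

```python
import os
import re
import stat
import tempfile

# Launch string from the shortcut's arguments, matched loosely so both the
# "F/c" form quoted in the post and a plain "/c" variant hit.
LNK_ARG_RE = re.compile(rb'start\s+%cd%\\game\.exe', re.IGNORECASE)

def lnk_arguments_suspicious(path):
    """True if the .lnk carries the Kelihos launch string. Shell Link string
    data is UTF-16LE when IsUnicode is set, so check the raw bytes and an
    ASCII view of the UTF-16LE decoding instead of parsing the full format."""
    with open(path, "rb") as fh:
        data = fh.read()
    if LNK_ARG_RE.search(data):
        return True
    ascii_view = data.decode("utf-16-le", "ignore").encode("ascii", "ignore")
    return LNK_ARG_RE.search(ascii_view) is not None

def scan_drive_root(root):
    """Return (lnk_path, exe_path, exe_hidden) for each top-level .lnk that
    launches game.exe while a game.exe sits beside it. exe_hidden is only
    meaningful on Windows, where os.stat exposes st_file_attributes."""
    hits = []
    for name in sorted(os.listdir(root)):
        if not name.lower().endswith(".lnk"):
            continue
        lnk = os.path.join(root, name)
        exe = os.path.join(root, "game.exe")
        if not (os.path.isfile(exe) and lnk_arguments_suspicious(lnk)):
            continue
        attrs = getattr(os.stat(exe), "st_file_attributes", 0)
        hidden = bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))
        hits.append((lnk, exe, hidden))
    return hits

def build_demo_drive():
    """Constructed sample drive root (not a real capture): a minimal LNK-like
    blob with the argument string in UTF-16LE plus an inert game.exe stub."""
    root = tempfile.mkdtemp(prefix="usb_")
    header = b"L\x00\x00\x00" + b"\x01\x14\x02\x00" + b"\x00" * 60  # 68 bytes
    args = 'F/c "start %cd%\\game.exe"'.encode("utf-16-le")
    with open(os.path.join(root, "Shortcut to game.lnk"), "wb") as fh:
        fh.write(header + args)
    with open(os.path.join(root, "game.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)  # harmless placeholder, not a PE
    return root
```

Point scan_drive_root at the root of a mounted removable drive; on Windows the third tuple element reports whether game.exe carries the hidden attribute the post describes.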
 #19021  by unixfreaxjp
 Sun Apr 21, 2013 9:40 am
The US incidents of Boston/Waco/Texas were used for Kelihos botnet malvertisement.
Below is the clear big picture of the infection: [image]
Analysis of spam used, all using open relay MTA: [image]
Reference of running infection (graph): [image] or [image]
Not a promotion, but I took 14 hrs non-stop to analyze and write it here, so please see if you want to have more reference/info: HERE
The sample is as per the picture below: [image]
Sample's hashes:
Code:
2013/04/20  13:51  13,239 492.jar      4dc7500eaec309ff784149e71c0c005d
2013/04/20  15:01  47,256 aeraetk.exe  fc476c4b8653f12e041b8ac8b4e0af8b
2013/04/20  18:50  32,256 clicka.exe   f842cbd8e80bdb20d23befda68ebd0c6
2013/04/20  13:51  13,239 dp4.jar      4dc7500eaec309ff784149e71c0c005d
2013/04/20  18:52 815,616 game.exe     de31ba7f73743c461deca7e581b1db42
2013/04/20  15:57 816,128 newbos3.exe  eea68bb70a1f186112286cba9c3e5271
2013/04/20  13:35     800 news.html    3991f5494d24426712a96cf4c79341b8
2013/04/20  18:50  48,280 psaopt.exe   b454175a3bd4fca65a56c65d54a4bca1
2013/04/20  18:50 815,616 temp22.exe   b1d96baaa91fde31f78387454c377cae
2013/04/20  18:50 815,616 temp43.exe   de31ba7f73743c461deca7e581b1db42
2013/04/20  18:50 815,616 temp72.exe   cf90325492e65913ea58d83a7aef2391
2013/04/20  18:50 815,616 temp74.exe   ed575b987a1de74a71f8afe0cd3ee21c
2013/04/20  13:46     202 wesq.html    482cc64c0383ff054b7745b52f6eda25
2013/04/20  15:01  32,768 xywewey.exe  59320fde47334183fc54659dc03a7f38
The download of samples is HERE
Top Ranking of Spam Landing IP per country: (1st level web infector BEFORE RedKits)
Code:
1. Ukraine
2. Bulgaria
3. Russia
4. Serbia
5. Latvia
#MalwareMustDie! @unixfreaxjp