A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #14256  by EP_X0FF
 Mon Jun 25, 2012 11:06 am
Tigzy wrote: Yes, that's a .NET binary, but why "protected"? By this, I understand either packed or protected with rootkit functionality.
Crypter.
 #14264  by EP_X0FF
 Mon Jun 25, 2012 2:02 pm
markusg wrote:SHA256:
ee45297630678b7c628411ab133e23559e9867feb7f1277efada39f41a94d100
File name:
ALIAS.exe
https://www.virustotal.com/file/ee45297 ... 340631497/
Same as http://www.kernelmode.info/forum/viewto ... 234#p14234
Simple fresh dropper crypt. Posts moved.
 #14304  by rkhunter
 Tue Jun 26, 2012 6:33 pm
rkhunter wrote: youtube.ex1
MD5: c4a946cc851e2ee6407c2c8c9680cf18
SHA1: ae641cb785644297f7bb34ea58e19fc826f1132a
Regarding this dropper.
Its behaviour is identical to http://www.kernelmode.info/forum/viewto ... 250#p12577 (hijack ptr at DR0 dev).
It forges a driver; for example, compare rtk32 posted above with the infected driver (afd.sys):

Payload in c:\WINDOWS\$NtUninstallKB65041$
Attribute: #8
Type: 0xC0 $(REPARSE_POINT)
Length: 0xA0
Resident flag: resident
Name length: 0x0
Name offset: 0x0
Flags: 0x0
Instance (id): 0x8
Body length: 0x82
Body offset (from attr record): 0x18
Resident flag: 0x0
DLL 1, cut from the driver (in attachment):
MD5: 1eba1d6ff5ac83ed0020bf6a2096ba77
SHA1: 344c1f1e88b8e4ec3244078d06dc506ebbe493d7

21/42 https://www.virustotal.com/file/d588629 ... /analysis/
(already was on VT)
Trojan:Win32/Sirefef.AB
\.\globalroot\systemroot\system32\mswsock.dll
WSPStartup
\\.\%08x\U\80000032.@
ntdll.dll
VirtualAlloc
LoadLibraryA
LoadLibraryW
GetProcAddress
FreeLibrary
VirtualFree
KERNEL32.dll
MD5Init
MD5Update
MD5Final
ADVAPI32.dll
INBR64.dll
AcceptEx
\\?\globalroot\systemroot\system32\mswsock.AcceptEx
GetAcceptExSockaddrs
\\?\globalroot\systemroot\system32\mswsock.GetAcceptExSockaddrs
NSPStartup
\\?\globalroot\systemroot\system32\mswsock.NSPStartup
TransmitFile
\\?\globalroot\systemroot\system32\mswsock.TransmitFile
WSPStartup
getnetbyname
\\?\globalroot\systemroot\system32\mswsock.getnetbyname
inet_network
\\?\globalroot\systemroot\system32\mswsock.inet_network
DLL 2, cut from the driver (in attachment):
MD5: 0c6082d7275f8741dad54fd5b4af3002
SHA1: 34d0a49fb2499f354bba3f7ca76c2632a6ecd73e

19/42 https://www.virustotal.com/file/11e2426 ... 340734459/
(first upload)
Trojan:Win32/Sirefef.P
\BaseNamedObjects\Restricted\{A3D35150-6823-4462-8C6E-7417FF841D79}
\BaseNamedObjects\Restricted\{A3D35150-6823-4462-8C6E-7417FF841D77}
\systemroot
\\.\%08x\U\%08x.@
\??\%08x\@
\??\%08x\U
????????.@
%08x.@
%08x.$
%08x.~
Microsoft Base Cryptographic Provider v1.0
RtlExitUserThread
ZwOpenFile
ZwQueryVolumeInformationFile
ZwClose
RtlImageNtHeader
MSWSOCK.dll
WSASocketW
WSAIoctl
WSARecv
WSASend
WSASendTo
WSARecvFrom
WS2_32.dll
Forged afd.sys in attachment.
MD5: fd8a2b2d947bb792065f39a23b4757da
SHA1: 00f1aeac9703762601e7b0017ea701947b14dc7e

Attachments (archive password: infected): three archives of 75.08 KiB, 10.37 KiB and 1.62 KiB.
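The attribute dump in rkhunter's post ($REPARSE_POINT, type 0xC0, record length 0xA0, resident, instance 8, body length 0x82 at offset 0x18) is the standard NTFS attribute record header. The following Python is an added example, not code from the thread or from any tool used there: it packs a sample record header with exactly those field values (the reparse body itself is not on the page, so it is zero-filled and labelled as constructed), parses it back with bounds checks a forensic parser needs, and flags the $NtUninstallKB...$ directory pattern the post names as the payload location. The field layout is the documented NTFS one; everything else (function names, the sample bytes) is an assumption of this example.

```python
import re
import struct

# NTFS attribute record header (resident form), little-endian:
#   0x00 type (u32)        0x04 record length (u32)   0x08 non-resident flag (u8)
#   0x09 name length (u8)  0x0A name offset (u16)     0x0C flags (u16)
#   0x0E instance id (u16) 0x10 body length (u32)     0x14 body offset (u16)
#   0x16 indexed flag (u8) 0x17 padding (u8)
RESIDENT_HDR = "<IIBBHHHIHBB"          # 0x18 bytes
RESIDENT_HDR_LEN = struct.calcsize(RESIDENT_HDR)
END_MARKER = 0xFFFFFFFF

ATTR_TYPE_NAMES = {
    0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA",
    0x90: "$INDEX_ROOT", 0xA0: "$INDEX_ALLOCATION", 0xC0: "$REPARSE_POINT",
}

# Directory pattern quoted in the post (c:\WINDOWS\$NtUninstallKB65041$).
KB_STASH_RE = re.compile(r"\\\$NtUninstallKB\d+\$", re.IGNORECASE)


def build_sample_record() -> bytes:
    """Constructed record using the field values from the post.
    The 0x82-byte body is zero-filled here; the real reparse data is not on the page."""
    header = struct.pack(RESIDENT_HDR,
                         0xC0,   # type: $REPARSE_POINT
                         0xA0,   # record length
                         0,      # resident
                         0, 0,   # unnamed attribute
                         0,      # flags
                         8,      # instance id
                         0x82,   # body length
                         0x18,   # body offset
                         0, 0)   # indexed flag, padding
    body = b"\x00" * 0x82
    rec = header + body
    return rec + b"\x00" * (0xA0 - len(rec))   # pad to the 8-byte-aligned record length


def parse_resident_attr(buf: bytes, offset: int = 0) -> dict:
    """Parse one resident attribute record at `offset`, refusing anything
    whose declared lengths would point outside the buffer or the record."""
    if offset + RESIDENT_HDR_LEN > len(buf):
        raise ValueError("truncated attribute header")
    (atype, length, nonres, name_len, name_off, flags, attr_id,
     body_len, body_off, _indexed, _pad) = struct.unpack_from(RESIDENT_HDR, buf, offset)
    if atype == END_MARKER:
        raise ValueError("end-of-attributes marker, no record here")
    if nonres != 0:
        raise ValueError("non-resident attribute: body lives in data runs, not inline")
    if length < RESIDENT_HDR_LEN or offset + length > len(buf):
        raise ValueError("record length exceeds buffer")
    if body_off + body_len > length:
        raise ValueError("body does not fit inside the record")
    if name_len and name_off + 2 * name_len > length:
        raise ValueError("name does not fit inside the record")
    name = ""
    if name_len:
        name = buf[offset + name_off: offset + name_off + 2 * name_len].decode("utf-16-le")
    body = buf[offset + body_off: offset + body_off + body_len]
    return {
        "type": atype, "type_name": ATTR_TYPE_NAMES.get(atype, "unknown"),
        "length": length, "resident": True, "name": name, "flags": flags,
        "instance": attr_id, "body_length": body_len, "body_offset": body_off,
        "body": body,
    }


def is_suspicious_reparse(attr: dict, path: str) -> bool:
    """Defender-side triage: a reparse point sitting under a fake
    $NtUninstallKB...$ directory matches the stash location described in the post."""
    return attr["type"] == 0xC0 and bool(KB_STASH_RE.search(path))


if __name__ == "__main__":
    record = build_sample_record()
    attr = parse_resident_attr(record)
    print(attr["type_name"], hex(attr["length"]), hex(attr["body_length"]), hex(attr["body_offset"]))
    print(is_suspicious_reparse(attr, r"c:\WINDOWS\$NtUninstallKB65041$"))
```

A real MFT walk would iterate records until the 0xFFFFFFFF end marker and dispatch non-resident attributes to a data-run decoder; the length checks above are what keep a crafted record from steering the parser out of the buffer.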