A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #9254  by Striker
 Tue Oct 18, 2011 6:21 pm
Anyone got a sample? :>
 #9261  by EP_X0FF
 Wed Oct 19, 2011 1:32 am
Two drivers in attachment. C-Media Electronics Incorporation certificate is revoked.
Attachments
pass: malware
 #9267  by shaheen
 Wed Oct 19, 2011 5:32 am
Wonder if anyone has a dropper for it?
 #9271  by frank_boldewin
 Wed Oct 19, 2011 10:20 am
i don't have a dropper, only several files from an infected box, but i'm not allowed to share currently.

from what i've seen so far it doesn't contain PLC code. it's more a keylogger, but the codebase and several techniques are very similar to stuxnet code.
if you are lucky and get all needed files you have to prepare your box a little to make it work.

cmi4432.sys and jminet7.sys drivers contain the same code. difference is that one is signed and the other one not.

driver installs a loadimage callback and injects 4 payloads into services.exe stored in PNF files.

there is also a fake lsass.exe, which does the keyboard hooking (WH_KEYBOARD hook).
*.pnf files need to be in %systemroot%\inf

if the driver gets loaded it decrypts the pnf files from this directory.
if you wanna analyse the drivers with windbg you first have to bypass the KDDEBUGGERENABLED check at the beginning of the code.

in order to work properly the drivers need the registry entry:

"FILTER"=hex:a0,35,58,da,32,ee,d5,01,c0,15,8b,1f,4b,5c,d1,a1,0b,8b,e7,85,1c,7f,\
6e,f2,ef,31,6a,18,3c,80,78,c7,d4,c5,50,90,7a,78,66,9d,6b,93,00,a1,f5,3d,26,\
ce,cb,1c,1e,45,b0,ff,a0,dd,c0,a3,e8,58,31,0c,b2,a1,dd,11,37,ba,aa,1e,66,d3,\
1f,b4,2f,e1,7c,eb,b6,a2,58,a0,25,62,77,b5,4c,d3,79,02,07,be,8f,bb,57,43,7c,\
43,b5,d0,67,25,19,10,27,67,a5,15,38,9f,43

all other parameters are straightforward.

the FILTER registry string decrypts to some unicode string information:

services.exe
\SystemRoot\inf\cmi4432.PNF

the pnf files decrypt to the payload injected into services.exe

md5sums of files i got are:

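Two checks a defender can script from what frank_boldewin describes above, added here as an example and not code from the thread or from the malware: parsing the FILTER value out of a .reg export (the hex: format with backslash continuations, exactly as quoted in the post), and, once the blob has been decrypted by the driver's own routine (which the page does not show), pulling the UTF-16LE strings out to see whether the config names a target process and a PNF under inf. The "decrypted" sample is constructed from the two strings the post lists, and the function names are mine.

```python
import re

# The FILTER value exactly as quoted in the post above: a .reg export of a
# REG_BINARY value, where a trailing backslash continues the hex list.
FILTER_REG = r'''"FILTER"=hex:a0,35,58,da,32,ee,d5,01,c0,15,8b,1f,4b,5c,d1,a1,0b,8b,e7,85,1c,7f,\
6e,f2,ef,31,6a,18,3c,80,78,c7,d4,c5,50,90,7a,78,66,9d,6b,93,00,a1,f5,3d,26,\
ce,cb,1c,1e,45,b0,ff,a0,dd,c0,a3,e8,58,31,0c,b2,a1,dd,11,37,ba,aa,1e,66,d3,\
1f,b4,2f,e1,7c,eb,b6,a2,58,a0,25,62,77,b5,4c,d3,79,02,07,be,8f,bb,57,43,7c,\
43,b5,d0,67,25,19,10,27,67,a5,15,38,9f,43'''

# Constructed stand-in for the decrypted FILTER blob: the two UTF-16LE strings
# the post says it contains, each NUL-terminated. The driver's decryption
# routine is not on the page, so nothing here decrypts the real value.
DECRYPTED_SAMPLE = (
    "services.exe".encode("utf-16-le") + b"\x00\x00"
    + "\\SystemRoot\\inf\\cmi4432.PNF".encode("utf-16-le") + b"\x00\x00"
)


def parse_reg_hex(text: str) -> bytes:
    """Turn a .reg 'name=hex:..' entry (with backslash continuations) into bytes."""
    _, sep, body = text.partition("=hex:")
    if not sep:
        raise ValueError("not a REG_BINARY hex: value")
    body = body.replace("\\\r\n", "").replace("\\\n", "")  # join continued lines
    body = "".join(body.split())                            # drop stray whitespace
    return bytes(int(octet, 16) for octet in body.split(",") if octet)


def utf16le_strings(blob: bytes, min_len: int = 4) -> list:
    """Extract printable UTF-16LE strings of at least min_len characters."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(blob)]


def names_pnf_injection_target(strings) -> bool:
    """True if a decrypted config names both a target process and a PNF under inf."""
    lowered = [s.lower() for s in strings]
    has_process = any(s.endswith(".exe") for s in lowered)
    has_pnf = any(s.endswith(".pnf") and "\\inf\\" in s for s in lowered)
    return has_process and has_pnf


if __name__ == "__main__":
    raw = parse_reg_hex(FILTER_REG)
    print(f"FILTER is {len(raw)} bytes; strings before decryption: {utf16le_strings(raw)}")
    found = utf16le_strings(DECRYPTED_SAMPLE)
    print(found, names_pnf_injection_target(found))
```

The string scan is byte-aligned to wherever a printable/NUL pair first appears, which is fine for triage but can split a string that sits at an odd offset in real decrypted data.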
 #9313  by EP_X0FF
 Thu Oct 20, 2011 1:01 pm
Blaze wrote: Dropper attached.
This isn't a dropper. This is another recompiled driver.
 #9316  by rkhunter
 Thu Oct 20, 2011 2:34 pm
EP_X0FF wrote:
Blaze wrote: Dropper attached.
This isn't a dropper. This is another recompiled driver.
According to the imports, it is focused on injection into processes. The KdDebuggerEnabled check is also present.
 #9329  by CloneRanger
 Fri Oct 21, 2011 12:29 am
If someone supplies me with the Full install, i'll test it against my Security software ;) And post the results :)

TIA