A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #8690  by EP_X0FF
 Thu Sep 22, 2011 6:42 am
icr wrote: Some more TDSS programs (renamed *._exe)
D8F03E7D476481D5922265E73362B316 (file drops two more files)
b7b33895bb09802c1c4bf860a0ca57e2 packed with Lighty Compressor, known to be the predecessor of Mystic Compressor.
Uses the KnownDlls msvcrt trick; works like an autorun worm, which is capable of spreading through all available drives, including shared network drives.

Example of autorun.inf below
Code:
[autorun]
;vcelsszvunxhrouhmvnoyteugkoicyszimtrnxudfnhvucxczujhxypbwsfdfkwwobkdydbjcpawdtlrupwyxqvqeudlwzpnlryxh
shellexecute="RECYCLER\S-8-5-67-100031458-100012049-100019303-9647.com z:\"
;zxadjjckzknxmgvzfrewnafwcpnjmgjijhveoyazomagtvlooknesrqq
shell\Open\command="RECYCLER\S-8-5-67-100031458-100012049-100019303-9647.com z:\"
;mieeucarfxmpwzrdfabvqtxxpkngangv
shell=Open
68cd276d5a6fefdef3f36abaec4e7ff7 - Nullsoft uninstaller, simulating the uninstallation of the UNICCodec "codec", not malware

7c205ef7013b2c69ea4ed6fe8c8ab48f TDL2
2443fd7af22f6fe726b1f7e579aa57d9 TDL2
fbd379b7f107d3180cbbca702dc72c99 TDL2
ytasfw y t a s f w \ m o d u l e s \ m a i n \ i n j e c t o r \ d e l e t e \ c o n n e c t i o n s \systemroot\system32 %s\%s%s%s \\?\globalroot \??\ \ winlogon.exe * svchost.exe ytasfwcmd.dll % S * \ K E R N E L 3 2 . D L L LoadLibraryExA F i l e \ r e g i s t r y \ m a c h i n e \ s e c u r i t y \ p o l i c y \ p o l a c d m s i n s t a l l d a t e \ r e g i s t r y \ m a c h i n e \ s o f t w a r e \ m i c r o s o f t \ w i n d o w s n t \ c u r r e n t v e r s i o n %X%X%X%X a i d s i d % d . % d . % d . % d \ F i l e S y s t e m \ F l t M g r * \ S Y S T E M 3 2 \ N T O S K R N L . E X E * \ S Y S T E M 3 2 \ N T K R N L P A . E X E * \ S Y S T E M 3 2 \ C O N F I G \ S Y S T E M * \ S Y S T E M 3 2 \ C O N F I G \ S O F T W A R E chkdsk.exe \systemroot\system32\ytasfwcmd.dll s v c h o s t . e x e \ r e g i s t r y \ M A C H I N E \ S Y S T E M \ C u r r e n t C o n t r o l S e t \ C o n t r o l \ S e r v i c e G r o u p O r d e r L i s t % s \ % s G r o u p S t a r t S y s t e m %S \ r e g i s t r y \ M A C H I N E \ S Y S T E M \ C u r r e n t C o n t r o l S e t \ S e r v i c e s s t a r t t y p e i m a g e p a t h file system g r o u p \ r e g i s t r y \ m a c h i n e \ s y s t e m \ c u r r e n t c o n t r o l s e t \ e n u m \ r o o t \ l e g a c y _ \ 0 0 0 0 \ c o n t r o l \ 0 0 0 0 \ e n u m % . 
* s % s % S \systemroot\system32\drivers\ytasfwrk.sys \ s y s t e m r o o t \ d e v i c e \ h a r d d i s k % d d e v i c e p a r t i t i o n \ f i l e s y s t e m \ f a s t f a t \ f i l e s y s t e m \ n t f s \ d r i v e r \ t c p i p \ d r i v e r \ f t d i s k \ d r i v e r \ d i s k \ d r i v e r \ v o l s n a p \ d r i v e r \ p a r t m g r \ f i l e s y s t e m \ r a w \ d r i v e r \ a t a p i \ d r i v e r \ d m i o \ d r i v e r \ e c a c h e \ d r i v e r \ f v e v o l \ d r i v e r \ v o l m g r \ f i l e s y s t e m \ f l t m g r \ d r i v e r \ d i s k p e r f \ d r i v e r \ m o u n t m g r \ d r i v e r \ a c p i classpnp.sys ataport.sys scsiport.sys storport.sys hal.dll IofCompleteRequest IofCallDriver ZwSaveKey ZwSaveKeyEx ZwEnumerateKey ZwFlushInstructionCache System k e r n e l 3 2 . d l l TDL2 Loaded
* \ y t a s f w * * \ T E M P \ y t a s f w * %.*S \ s y s t e m r o o t \ s y s t e m 3 2 \ % S KeServiceDescriptorTable
b3f6a1649ab556ec00f71c116b1a9c84 part of TDL2 (binary trash)

ecf01929d41c2dde974168e0867c2f0d

TDL3
[main]
quote=Everybody's a jerk. You, me, this jerk. That's just my philosophy
version=3.273
botid=3f1b98c6-07dd-4f7d-a650-30bb6f39b0a3
affid=20376
subid=0
installdate=22.9.2011 6:53:33
builddate=2.4.2010 21:29:8
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=hxxps://zz87jhfda88.com/;hxxps://91.212.226.65/;hxxps://19js810300z.com/;hxxps://01n02n4cx00.cc/
wspservers=hxxp://30xc1cjh91.com/;hxxp://j00k877x.cc/;hxxp://m01n83kjf7.com/
popupservers=hxxp://clkh71yhks66.com/
version=3.741
d99308c180d3725dd95663bb14144014

TDL3 original, z00clicker variant
[main]
botid=2F0C4FFA32EAC01665D637A84D3555BD
date=10674960
[injector]
iexplore.exe=z00clicker.dll
firefox.exe=z00clicker.dll
safari.exe=z00clicker.dll
cb91b8695d3990b5b5eae8a714bd357e

TDL4
[main]
version=0.03
aid=66671
sid=0
builddate=351
installdate=22.9.2011 7:5:36
rnd=2956339178
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://lo4undreyk.com/;hxxps://sh01cilewk.com/;hxxps://cap01tchaa.com/;hxxps://kur1k0nona.com/;hxxps://u101mnay2k.com/
wsrv=hxxp://gnarenyawr.com/;hxxp://rinderwayr.com/;hxxp://jukdoout0.com/;hxxp://swltcho0.com/;hxxp://ranmjyuke.com/
psrv=hxxp://crj71ki813ck.com/
version=0.31
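As an added example (my own code, not icr's or EP_X0FF's), a small Python triage script that reads an autorun.inf and flags the tricks visible in the quoted one: a launch command pointing into a RECYCLER folder, an executable named like a SID, and the junk comment lines padded between keys. The sample inputs are constructed to mirror the quoted file plus a benign installer disc for comparison; the indicator names and the 20-letter junk-comment threshold are my own choices.

```python
"""Triage an autorun.inf for the worm-style tricks shown in the quoted sample."""
import re

# Constructed to mirror the autorun.inf quoted in the post (not a live file).
SAMPLE_AUTORUN = r"""[autorun]
;vcelsszvunxhrouhmvnoyteugkoicyszimtrnxudfnhvucxczujhxypbwsfdfkwwobkdydbjcpawdtlrupwyxqvqeudlwzpnlryxh
shellexecute="RECYCLER\S-8-5-67-100031458-100012049-100019303-9647.com z:\"
;zxadjjckzknxmgvzfrewnafwcpnjmgjijhveoyazomagtvlooknesrqq
shell\Open\command="RECYCLER\S-8-5-67-100031458-100012049-100019303-9647.com z:\"
;mieeucarfxmpwzrdfabvqtxxpkngangv
shell=Open
"""

# Constructed benign comparison: a plain installer disc.
BENIGN_AUTORUN = r"""[autorun]
open=setup.exe
icon=setup.exe,0
label=Product Installer
"""

# Keys that make Explorer run something: open, shellexecute, shell\<verb>\command.
COMMAND_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.IGNORECASE)
# A file named like a SID (S-1-5-...) with an executable extension.
SID_NAMED_EXE = re.compile(r"^s-\d+(?:-\d+){2,}\.(?:com|exe|scr|pif|bat|cmd)$", re.IGNORECASE)
# Recycle-bin folder names on FAT/NTFS volumes that worms like to hide in.
RECYCLE_DIRS = {"recycler", "recycled", "$recycle.bin"}
# A comment that is just a long run of lowercase letters (padding, not text).
JUNK_COMMENT = re.compile(r"^;[a-z]{20,}$")


def first_token(value):
    """Return the program path from a command value, dropping quotes and args."""
    tokens = value.strip().strip('"').split()
    return tokens[0] if tokens else ""


def analyze_autorun(text):
    """Return the launch commands found and a sorted list of indicator names."""
    commands, junk, in_autorun = {}, 0, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        if line.startswith(";"):
            junk += bool(JUNK_COMMENT.match(line))
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if COMMAND_KEYS.match(key):
            commands[key.lower()] = first_token(value)

    findings = set()
    for path in commands.values():
        parts = path.replace("/", "\\").lower().split("\\")
        if any(p in RECYCLE_DIRS for p in parts[:-1]):
            findings.add("recycler_path")
        if SID_NAMED_EXE.match(parts[-1]):
            findings.add("sid_named_executable")
    if junk:
        findings.add("junk_comments")
    return {"commands": commands, "findings": sorted(findings)}


if __name__ == "__main__":
    for name, sample in (("worm", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, analyze_autorun(sample))
```

Any non-empty findings list is worth a look; the benign installer produces none because its command stays in the volume root and its comments are absent.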
 #10367  by EP_X0FF
 Wed Dec 14, 2011 4:54 pm
NarfBang wrote: Fresh TDSS

Enjoy!
"Best before" expired a long time ago. This is TDL3, and it was born 8.5.2010 8:41:2
Code:
[main]
quote=You people voted for Hubert Humphrey, and you killed Jesus
version=3.273
botid=3f1b98c6-07dd-4f7d-a650-30bb6f39b0a3
affid=20731
subid=0
installdate=14.12.2011 15:53:21
builddate=8.5.2010 8:41:2
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=hxxps://li1i16b0.com/;hxxps://19js810300z.com/;hxxps://lj1i16b0.com/;hxxps://zz87jhfda88.com/;hxxps://n16fa53.com/;hxxps://01n02n4cx00.cc/
wspservers=hxxp://7gafd33ja90a.com/;hxxp://n1mo661s6cx0.com/;hxxp://30xc1cjh91.com/;hxxp://j00k877x.cc/;hxxp://m01n83kjf7.com/
popupservers=hxxp
version=3.741
  
Posts moved.
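Added example, not code from anyone in this thread: a Python parser for the TDL3/TDL4 config dumps in the two posts above that pulls out the C2 hosts, the rootkit and payload versions, and the injected modules. It copes with a server list wrapped across lines and with a value cut off mid-URL, as in the popupservers=hxxp line above, by dropping the fragment instead of emitting a bogus indicator. The two samples are constructed copies of the posted configs; the family rule (affid/subid with [injector] is TDL3, aid/sid with [inject] is TDL4) is inferred only from the configs in this thread.

```python
"""Pull indicators out of a TDL3/TDL4 configuration dump."""
import re

# Constructed copy of the TDL4 configuration quoted above (not a live file).
SAMPLE_TDL4 = """[main]
version=0.03
aid=66671
sid=0
builddate=351
installdate=22.9.2011 7:5:36
rnd=2956339178
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://lo4undreyk.com/;hxxps://sh01cilewk.com/;hxxps://cap01tchaa.com/
wsrv=hxxp://gnarenyawr.com/;hxxp://rinderwayr.com/
psrv=hxxp://crj71ki813ck.com/
version=0.31
"""

# Constructed TDL3-style config with a wrapped server list and a value cut off
# mid-URL, the two defects a pasted config most often has.
SAMPLE_TDL3 = """[main]
version=3.273
affid=20731
subid=0
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=hxxps://li1i16b0.com/;hxxps://19js810300z.com/;
hxxps://zz87jhfda88.com/
popupservers=hxxp
version=3.741
"""

# Keys whose values are ';'-separated server lists, across both generations.
SERVER_KEYS = {"servers", "wspservers", "popupservers", "srv", "wsrv", "psrv"}
# One defanged (hxxp) or plain URL with just a host part; anything else is skipped.
URL_RE = re.compile(r"^(?:hxxps?|https?)://([A-Za-z0-9.\-]+)(?::\d+)?/?$")
SCHEME_RE = re.compile(r"^(?:hxxps?|https?)://")


def parse_config(text):
    """Parse the INI-like dump into {section: {key: value}}.

    A line that starts with a URL scheme and carries no key of its own is
    glued onto the previous value: long server lists wrap when pasted.
    """
    sections, current, last_key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            last_key = None
        elif current is None:
            continue
        elif SCHEME_RE.match(line) and last_key:
            sections[current][last_key] += line
        elif "=" in line:
            key, _, value = line.partition("=")
            last_key = key.strip()
            sections[current][last_key] = value.strip()
    return sections


def extract_c2(sections):
    """Map each C2 host to the config roles (srv/wsrv/...) it appears under."""
    found = {}
    for kv in sections.values():
        for key, value in kv.items():
            if key not in SERVER_KEYS:
                continue
            for item in value.split(";"):
                m = URL_RE.match(item.strip())
                if m:  # a truncated item like the bare 'hxxp' above is dropped
                    found.setdefault(m.group(1), set()).add(key)
    return {host: sorted(roles) for host, roles in sorted(found.items())}


def summarize(text):
    """One triage record per config. Family is inferred from the key names seen
    in this thread: affid/subid + [injector] = TDL3, aid/sid + [inject] = TDL4."""
    cfg = parse_config(text)
    main = cfg.get("main", {})
    inject = cfg.get("inject") or cfg.get("injector") or {}
    payload = cfg.get("cmd") or cfg.get("tdlcmd") or {}
    return {
        "family": "TDL4" if "aid" in main else "TDL3",
        "rootkit_version": main.get("version"),
        "payload_version": payload.get("version"),
        "affiliate": main.get("aid") or main.get("affid"),
        "injected_modules": dict(inject),
        "c2": extract_c2(cfg),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_TDL4, SAMPLE_TDL3):
        print(summarize(sample))
```

The hosts come back refanged and grouped by role, which is what you want when turning a config dump into a blocklist or a hunting query; the affiliate id and the two version numbers are what lets you tell builds from the same crew apart.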
 #18698  by EP_X0FF
 Tue Mar 26, 2013 2:51 pm
Some necroposting.

Attached is one of the last TDL3 builds I've found today while scanning garbage. Its config was the following:
Code:
[main]
version=3.273
quote=Everybody's a jerk. You, me, this jerk. That's just my philosophy
botid=6534d311-6b71-4414-8a6d-a9cb7b8e9164
affid=20419
subid=0
builddate=15.8.2010 13:44:45
rnd=1645522239
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://nichtadden.in/;https://91.212.226.67/;https://li1i16b0.com/;https://zz87jhfda88.com/;https://n16fa53.com/;https://01n02n4cx00.cc/;https://lj1i16b0.com/
wspservers=http://zl00zxcv1.com/;http://zloozxcv1.com/;http://71ha6dl01.com/;http://axjau710h.com/;http://rf9akjgh716zzl.com/;http://dsg1tsga64aa17.com/;http://l1i1e3e3oo8as0.com/;http://7gafd33ja90a.com/;http://n1mo661s6cx0.com/
popupservers=http://clkh71yhks66.com/
version=3.941
  
SHA256: e344108c88e66cf449afa5de29ae0cd790be9afb45d057a335c4414e1b1452c5
SHA1: b8cd790add8e42af8a34cbe062a7b15c077a2f9a
MD5: 085b51e3b2371c44abc1b581e0ec29c8

https://www.virustotal.com/en/file/e344 ... /analysis/
Attachments
pass: malware
(82.75 KiB)
 #18788  by EP_X0FF
 Mon Apr 01, 2013 10:55 am
Three more TDL3 clones (Win32/Alureon.EC)

SHA256: 99f5b5fae1be388c35c9661f3609c92d3ba982601a3ecff0270327b568329c1b
SHA1: 183e97e42a981ab0f4eb1b0c2eb2b75399174adb
MD5: 08873476f5db62303a4c3f7ca8fb2dde

https://www.virustotal.com/en/file/99f5 ... /analysis/

SHA256: e871b360470ad0a61eadb3d763867c5872e602ed26036fdb547543d016024318
SHA1: 1615f6a74fe32bdcbd7b7576fffb7fcfb281715c
MD5: 0833b3e256a5b6e0cb1db2140e5873da

https://www.virustotal.com/en/file/e871 ... /analysis/


SHA256: 8384d79f96974601f75f74c98a52ef36f92ab89c9cf565bf46b79baebdc07340
SHA1: 98e30a235deda7f6db9e6ae8f2a6f3493facbcca
MD5: 0564bd714d9900b512b71b83664de57a

https://www.virustotal.com/en/file/8384 ... /analysis/
Attachments
pass: infected
(417.73 KiB)
 #19311  by EP_X0FF
 Fri May 17, 2013 2:46 pm
TDL3 clones from the same group, distributing these TDL4 clones. Rootkit sometimes not installing: it gets stuck at the spoolsv stage and can't decrypt the section with the payload. A few droppers + a few tdlcmd.dll's attached.

SHA1
Code:
830d384d5ddd36a0d30eeb00c08b27792fb80c8a
a59b44f3125d3928f6c8e785bbe49cd87478642e
e840e274fb1e7f8a9dfcb12c92686a558f37f229
ee8cef6831f7ae1182413d7151cbbfad3bd26d73
https://www.virustotal.com/en/file/e2f9 ... /analysis/
https://www.virustotal.com/en/file/4dab ... /analysis/
https://www.virustotal.com/en/file/2843 ... /analysis/
https://www.virustotal.com/en/file/32b1 ... /analysis/
Attachments
pass: infected
(133.92 KiB)
pass: infected
(523.9 KiB)