A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
#22672 by Xylitol
Fri Apr 11, 2014 10:53 am
Hello,
For those who are interested, I run a little zbot tracker here: http://cybercrime-tracker.net/zbox.php
It can process Citadel, Zeus 2.x and Ice IX; other exotic variants such as Zeus GameOver aren't supported due to the amount of work and the technical difficulty of extracting the config.
For the background, it's a Cuckoo sandbox with Volatility and the ZbotScan plugin, hosted on an OVH Kimsufi.
The tracker is auto-fed from various free malware feeds (malekal, vx.vault, abuse.ch, malwr, etc.). Samples are flushed after being processed/reported on VirusTotal. Sometimes it freezes, but well... 1340 samples have already been analysed.
For the submission form: after someone submits a sample, it isn't processed automatically; I add them manually to Cuckoo.

If you want an example of its work, here is this sample from today: https://zeustracker.abuse.ch/monitor.ph ... home.co.kr
Reported on VT as:
Code:
Malware family ZEUS
MD5 b73aa307e8c2328f6a7dfde1a1f024fc
Version 2.0.8.9
RC4 Keystream 3c6b43ba42ddf8bdeb01e1c2dcea464ccadb2b982287ef3e091c4a034eb868d9955b29b04b8d400e589d7f242533d071776cb3af6fd8c36072d27693be2fb5bb92f455fbcbb9068f044f309cdec9863d521537a094051e2e5a12822ac7618cc4f91f97bfe29b351623e627e0d6498e0d1199a4ae136581e908a2f051636a2cccb707f3ad321aaa9ed48a757ef5a39fd3595490701b84ed83bcc8dfac475e5328c64164e821a95d38ab56b6c56d191d50780c6210b173d167da5fce172674001485d53145e720fe69b2393b3feea8faf2a14879ecf1e45791e3022d967b6ea78066cffd8bf7a57c8988c03ab44436fc0b4d9a0fcd5ce5d7340aff18c17df67aa6
gate.php URLs
URLs http://neorandom.dothome.co.kr/ch/images/youtube/pics.bin
Full info:
Code:
{
    "_id" : ObjectId("5347c85fa47c202369897125"),
    "zbotscan" : {
        "zbotscan" : {
            "data" : {
                "injected_process" : {
                    "malware_zbot" : "ZEUS",
                    "process_name" : "explorer.exe",
                    "computer_identifier" : "COMPUTER_1_7875768F1E829C61",
                    "process_id" : 1500,
                    "process_address" : "31457280",
                    "zbot_version" : " 2.0.8.9",
                    "executable" : "Inpi\\hace.exe",
                    "config_rc4_keystream_plaintext" : "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",
                    "data_file" : "Toata\\niizc.uwk",
                    "mutant_key" : "3104715416",
                    "xor_key" : "1370719834",
                    "urls" : [ 
                        "http://neorandom.dothome.co.kr/ch/images/youtube/pics.bin"
                    ],
                    "registry" : "{'Value3': 'Yxtoacz', 'key_path': 'HKEY_CURRENT_USER\\\\SOFTWARE\\\\Microsoft\\\\Ixpu', 'Value1': 'Xygut', 'Value2': 'Pyxytuvao'}"
                }
            },
            "config" : {}
        }
    }
}
On a Citadel:
Code:
Malware family CITADEL
MD5 3ed3bf51ce7c9879d694179dadf10fd3
Version 1.3.5.1
RC4 Keystream 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
URLs http://coryaiken3948.esy.es/citadel/file.php|file=config.dll
http://coryaiken3948.esy.es/citadel/file.php|file=config.dll
Full info:
Code:
{
    "_id" : ObjectId("5347c968a47c2025538971c2"),
    "zbotscan" : {
        "zbotscan" : {
            "data" : {
                "injected_process" : {
                    "xor_key" : "0",
                    "executable" : "Cyeq\\xiyz.exe",
                    "comm_rc4_key_plaintext" : "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",
                    "aes_key" : "9F474B22BDBEAAB6EF0758DC35ECD704",
                    "config_rc4_keystream_plaintext" : "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",
                    "malware_zbot" : "CITADEL",
                    "process_name" : "explorer.exe",
                    "mutant_key" : "2037936473",
                    "computer_identifier" : "COMPUTER_1_7875768F1E829C61",
                    "aes_xor_key" : "FCA4C13246F5C8ABD0C5CFDC7350AB42",
                    "process_id" : 1500,
                    "process_address" : "34865152",
                    "login_key" : "C1F20D2340B519056A7D89B7DF4B0FFF",
                    "urls" : [ 
                        "http://coryaiken3948.esy.es/citadel/file.php|file=config.dll", 
                        "http://coryaiken3948.esy.es/citadel/file.php|file=config.dll"
                    ],
                    "zbot_version" : " 1.3.5.1",
                    "registry" : "{'Value3': 'Ceilvuwy', 'key_path': 'HKEY_CURRENT_USER\\\\SOFTWARE\\\\Microsoft\\\\Irty', 'Value1': 'Yxebaryta', 'Value2': 'Posao'}"
                }
            },
            "config" : {}
        }
    }
}
An RSS feed is also available here: http://cybercrime-tracker.net/zbox_rss.php
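The "full info" dumps above are Mongo-style exports rather than plain JSON (the ObjectId(...) wrapper is shell syntax, and the registry field is a Python dict stored as a string), so consuming them in a feed needs a small normalising step. Added example, not the tracker's own code: it parses a constructed dump in the same shape and flattens the injected_process block into one IoC record. The function names, the all-zero ObjectId, the key values and the example.invalid gate URL are placeholders, not taken from a real sample.

```python
import ast
import json
import re

# Constructed sample in the shape of the tracker's "full info" dump above.
# The ObjectId(...) wrapper is Mongo shell syntax, not JSON. All values are
# placeholders, not taken from a real sample.
SAMPLE_REPORT = r'''{
    "_id" : ObjectId("000000000000000000000000"),
    "zbotscan" : { "zbotscan" : { "data" : { "injected_process" : {
        "malware_zbot" : "CITADEL",
        "process_name" : "explorer.exe",
        "process_id" : 1500,
        "zbot_version" : " 1.3.5.1",
        "executable" : "Cyeq\\xiyz.exe",
        "aes_key" : "00112233445566778899AABBCCDDEEFF",
        "login_key" : "FFEEDDCCBBAA99887766554433221100",
        "urls" : [
            "http://c2.example.invalid/citadel/file.php|file=config.dll",
            "http://c2.example.invalid/citadel/file.php|file=config.dll"
        ],
        "registry" : "{'Value3': 'Ceilvuwy', 'key_path': 'HKEY_CURRENT_USER\\\\SOFTWARE\\\\Microsoft\\\\Irty', 'Value1': 'Yxebaryta'}"
    } }, "config" : {} } }
}'''

_OBJECTID = re.compile(r'ObjectId\("([0-9a-fA-F]{24})"\)')


def load_report(text):
    """Rewrite ObjectId("...") to a plain string so json.loads accepts the dump."""
    return json.loads(_OBJECTID.sub(r'"\1"', text))


def extract_iocs(report):
    """Flatten the injected_process block into one record suitable for a feed."""
    proc = report["zbotscan"]["zbotscan"]["data"]["injected_process"]
    # "registry" is the repr() of a Python dict; literal_eval parses it safely.
    registry = ast.literal_eval(proc["registry"]) if proc.get("registry") else {}
    # Gate URLs are often listed twice (see the Citadel dump); dedupe, keep order.
    urls = list(dict.fromkeys(proc.get("urls", [])))
    # Collect every key-material field (mutant_key, xor_key, aes_key, login_key, ...).
    keys = {k: v for k, v in proc.items() if "key" in k}
    return {
        "family": proc["malware_zbot"],
        "version": proc["zbot_version"].strip(),  # dump has a leading space
        "process": (proc["process_name"], proc["process_id"]),
        "dropped_exe": proc.get("executable"),
        "registry_key": registry.get("key_path"),
        "urls": urls,
        "keys": keys,
    }
```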
#29493 by Xylitol
Sun Oct 30, 2016 10:28 am
Did a better aggregation for ccam; e.g. of a report:
Code:
Sample: 8abde153e37596ca8dfc8bc723738daa32f483ef
SHA256: 747218f22caaddc61bec92149527a1a3dbd59a6711235254ea8519586e5ac0a2
Request: Tayuya [2016/09/25 - 11:09:43]
Callback: wegas.info
Gate: https://wegas.info/wp-rss/filetype.php|file=eaa19825b.xml
Decryptor logs:

DEBUG:root:[*] get base config & several params
DEBUG:root:[*] found base config at RVA:0x000059b0, RA:0x000059b0
DEBUG:root:[*] found login key: 3533334439323236453443314345304139383135444245423139323335414534
DEBUG:root:[*] use RC4 key at (base config + 0x00000157)
DEBUG:root:[*] found following xor key for AES plus:
DEBUG:root:[62, 74, 187, 1, 132, 27, 178, 152, 18, 43, 181, 239, 177, 190, 209, 113]
DEBUG:root:[*] found RC4 salt: 0xF2C9CDEF
DEBUG:root:[*] found xor key using after Visual Decrypt: 0xF2C9CDEF
DEBUG:root:C&C found:
DEBUG:root:['http://cctodaymyssfg.info/wp-rss/filetype.php|file=eaa19825b.xml', 'https://wegas.info/wp-rss/filetype.php|file=eaa19825b.xml', 'http://cctoday.info/wp-rss/filetype.php|file=eaa19825b.xml']
DEBUG:root:[*] try to unpack
DEBUG:root:[*] decrypt data using following key:
DEBUG:root:[43, 12, 4, 12, 214, 55, 99, 39, 188, 14, 84, 187, 217, 86, 134, 32, 152, 188, 180, 116, 194, 62, 151, 50, 18, 177, 63, 208, 61, 141, 155, 209, 59, 119, 137, 53, 68, 218, 113, 51, 91, 215, 28, 98, 113, 0, 187, 126, 240, 254, 238, 56, 211, 160, 120, 40, 87, 253, 215, 162, 17, 121, 80, 130, 78, 132, 90, 44, 107, 94, 81, 197, 36, 223, 5, 3, 120, 7, 131, 140, 38, 148, 216, 201, 124, 246, 226, 41, 219, 199, 202, 125, 115, 168, 66, 230, 206, 224, 213, 177, 119, 217, 201, 210, 33, 174, 176, 207, 248, 85, 103, 14, 233, 66, 104, 115, 23, 32, 68, 176, 40, 156, 212, 213, 53, 238, 124, 202, 81, 249, 230, 243, 12, 237, 88, 158, 137, 17, 199, 83, 195, 113, 166, 24, 24, 179, 234, 7, 167, 60, 46, 101, 184, 150, 114, 94, 157, 95, 210, 231, 31, 11, 211, 227, 45, 116, 21, 222, 163, 230, 129, 72, 105, 104, 101, 11, 149, 47, 207, 229, 16, 102, 253, 220, 98, 54, 144, 66, 48, 3, 203, 18, 224, 90, 225, 191, 218, 117, 85, 100, 159, 133, 22, 132, 56, 193, 235, 169, 147, 126, 67, 52, 82, 205, 251, 148, 181, 31, 136, 34, 133, 71, 183, 171, 104, 209, 123, 70, 60, 163, 72, 195, 88, 2, 236, 80, 252, 112, 172, 89, 47, 25, 140, 5, 34, 191, 191, 38, 175, 222, 196, 147, 134, 57, 126, 33]
DEBUG:root:[*] try to AES+ decryption
DEBUG:root:[*] use following AES key:
DEBUG:root:[140, 223, 50, 115, 212, 0, 66, 171, 92, 11, 112, 191, 75, 158, 215, 183]

Report:

{'login_key_hexed': '3533334439323236453443314345304139383135444245423139323335414534', 'base_key': {'y': 104, 'x': 82, 'state': [43, 217, 152, 61, 140, 215, 195, 229, 14, 238, 126, 99, 184, 172, 23, 167, 12, 188, 180, 116, 194, 62, 151, 50, 18, 177, 63, 208, 12, 141, 155, 209, 59, 119, 137, 53, 68, 218, 113, 51, 91, 55, 28, 98, 113, 0, 187, 126, 240, 254, 238, 56, 211, 160, 120, 40, 87, 253, 215, 162, 17, 121, 80, 130, 78, 132, 90, 44, 107, 94, 81, 197, 36, 223, 5, 3, 120, 7, 131, 140, 38, 148, 216, 201, 124, 246, 226, 41, 219, 199, 202, 125, 115, 168, 66, 230, 206, 224, 213, 177, 119, 217, 201, 210, 33, 174, 176, 207, 248, 85, 103, 188, 233, 66, 104, 115, 134, 32, 68, 176, 40, 156, 212, 213, 53, 14, 124, 202, 81, 249, 230, 243, 12, 237, 88, 158, 137, 17, 199, 83, 187, 113, 166, 24, 24, 179, 234, 7, 32, 60, 46, 101, 4, 150, 114, 94, 157, 95, 210, 231, 31, 11, 211, 227, 45, 116, 21, 222, 163, 230, 129, 72, 105, 104, 101, 11, 149, 47, 207, 39, 16, 102, 253, 220, 98, 54, 144, 66, 48, 3, 203, 18, 224, 90, 225, 191, 218, 117, 85, 100, 159, 133, 22, 132, 56, 193, 235, 169, 147, 84, 67, 52, 82, 205, 251, 148, 181, 31, 136, 34, 133, 71, 183, 171, 104, 209, 123, 70, 60, 163, 72, 195, 88, 2, 236, 80, 252, 112, 86, 89, 47, 25, 214, 5, 34, 191, 191, 38, 175, 222, 196, 147, 134, 57, 126, 33], 'z': 116}, 'xor_key': '>J\xbb\x01\x84\x1b\xb2\x98\x12+\xb5\xef\xb1\xbe\xd1q', 'urls': ['http://cctodaymyssfg.info/wp-rss/filetype.php|file=eaa19825b.xml', 'https://wegas.info/wp-rss/filetype.php|file=eaa19825b.xml', 'http://cctoday.info/wp-rss/filetype.php|file=eaa19825b.xml'], 'base_config_hexed': '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', 'salt': '\xef\xcd\xc9\xf2'}
If anyone is looking for sample download access, just drop me a PM.