A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #21063  by forty-six
 Fri Oct 04, 2013 4:26 am
@ MountFranklin

You can download below:
Code: Select all
https://zeustracker.abuse.ch/monitor.php?host=2.133.128.98
@ Xy Looks like ZT disagree with you. Citadel ?! ha.
 #21071  by Xylitol
 Fri Oct 04, 2013 11:11 am
it would be not the first time that zeus tracker have wrong with IceIX http://www.kernelmode.info/forum/viewto ... 297#p19297
see the dump in attach, do this look citadel for you ?
this is IceIX v1.2.5
from the config:
Code: Select all
http://2.133.128.98/backup.exe
http://2.133.128.98/iUGwy2mK/gd5ff7c07e7b3c8a5f4cefe7eb.php
http://resellermerkezi.com/admin/f1dc5.php?a3319b70f4fbd=true
http://133.242.120.203/rico/d4b65f81ff9521458fe.php?r5e6c98722b0ds=true
http://www.chuanhoesda.org.sg/Original/f7058ba892fe.php?aab4155d8893f808944d94q=true
http://indodms.com/includes/a857652b9867cedf9b.php?d724c864d6b41093d572434c=true
http://biangkerox.org/lastchance.php?active=true
http://tourguide.com.sg/andy/ad0ba2658.php?b9=true
http://2.133.128.98/dI3aqwjtz.php?ek23jaiw823pz5ngjduyw=true
http://corosanteusebio.it/images/e7a.php?c99bb5a2a314601=true
http://rapid7.com/db/modules/extra.php?woi23ksdnO2s2t=true
http://mestericafarafrica.ro/icon/e6941b796699fe5c128e8180bg7xji.php?a6ea73491b4495a2f6577f2bb4=true
http://business-leap.com/Uppladdat%20from%20VG/ef3bcbcbbaf8b5a5.php?fff96d6063aa60ed58=true
http://82.200.204.155/tmp/data.bin
Attachments
infected
(93.54 KiB) Downloaded 61 times
 #21072  by patriq
 Fri Oct 04, 2013 1:08 pm
Xylitol wrote:it would be not the first time that zeus tracker have wrong with IceIX http://www.kernelmode.info/forum/viewto ... 297#p19297
see the dump in attach, do this look citadel for you ?
this is IceIX v1.2.5
from the config:
Code: Select all
...
http://rapid7.com/db/modules/extra.php?woi23ksdnO2s2t=true
...

I wonder what its looking for with that rapid7 url ?
 #21074  by forty-six
 Fri Oct 04, 2013 1:41 pm
@Xy I was joking you. Post Meaning: Think they need your help! We both know no way Citadel. Apologies for not clarify.
 #21082  by MountFranklin
 Sat Oct 05, 2013 1:01 am
Hello guys,

Apologies for asking you this but I have tried everything I know to make this sample completely run on my sandbox (it seems just terminates)but, for some reason, i was not able to (no communication attempts to c&c). my guess is that there is some run-time checks that needs to be patched. Would you guys able to help me or lead me to the right direction? The idea is to force it run and probably manually provide the encrypted config and let the sandbox machine be infected. By doing so, we would have access to injected code in the browser. Hope this make sense.

Thanks again.
Regards,
 #21084  by MountFranklin
 Sat Oct 05, 2013 1:03 pm
By the way, I forgot to thank forty-six for leading me to the config file. Thank you.
Also, thanks to Xylitol and the rest of the community helping us newbies.

More power to you guys!
regards,
 #21121  by EP_X0FF
 Tue Oct 08, 2013 3:57 pm
MountFranklin wrote:Hello guys,

Apologies for asking you this but I have tried everything I know to make this sample completely run on my sandbox (it seems just terminates)but, for some reason, i was not able to (no communication attempts to c&c). my guess is that there is some run-time checks that needs to be patched. Would you guys able to help me or lead me to the right direction? The idea is to force it run and probably manually provide the encrypted config and let the sandbox machine be infected. By doing so, we would have access to injected code in the browser. Hope this make sense.

Thanks again.
Regards,

Perhaps this is detection of something on crypter level. Unpack it then it should work fine.

Set bp on VirtualAllocEx/VirtualFreeEx or NtAllocateVirtualMemory/NtFreeVirtualMemory (just more work with filtering calls from kernel32 by stack). While decryption firstly this crypter allocates huge memory ERW block, copies original body to it and proceed to next stage. Second stage performs XPXAXCXK (aka XPACK popular malware packer) unpacking. It again allocates new portion of memory, copies *real* packed by XPACK bot binary to it, allocates temp memory buffer again, decrypts it and here you will catch it. Decrypted bot in attach. As I said works fine here, injected in explorer and attempts to connect the internet, other classical zeus activities in place.

https://www.virustotal.com/en/file/1747 ... 381247721/
Code: Select all
[1188]explorer.exe-->ntdll.dll-->NtCreateThread, Type: Inline - RelativeJump 0x7C90D190-->028BB626 [unknown_code_page]
[1188]explorer.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C9163A3-->028BB80C [unknown_code_page]
[1188]explorer.exe-->kernel32.dll-->GetFileAttributesExW, Type: Inline - RelativeJump 0x7C811185-->028BB8E6 [unknown_code_page]
[1188]explorer.exe-->user32.dll-->ReleaseDC, Type: Inline - RelativeJump 0x7E36869D-->028AC925 [unknown_code_page]
[1188]explorer.exe-->user32.dll-->GetDC, Type: Inline - RelativeJump 0x7E3686C7-->028AC8A7 [unknown_code_page]
[1188]explorer.exe-->user32.dll-->TranslateMessage, Type: Inline - RelativeJump 0x7E368BF6-->028A71D2 [unknown_code_page]
[1188]explorer.exe-->user32.dll-->GetWindowDC, Type: Inline - RelativeJump 0x7E369021-->028AC8E6 [unknown_code_page]
[1188]explorer.exe-->user32.dll-->GetMessageW, Type: Inline - RelativeJump 0x7E3691C6-->028B3040 [unknown_code_page]
[1188]explorer.exe-->user32.dll-->PeekMessageW, Type: Inline - RelativeJump 0x7E36929B-->028B3090 [unknown_code_page]
[1188]explorer.exe-->user32.dll-->GetCapture, Type: Inline - RelativeJump 0x7E3694DA-->028B2FA1 [unknown_code_page]
[1188]explorer.exe-->user32.dll-->RegisterClassW, Type: Inline - RelativeJump 0x7E36A39A-->028B4D2A [unknown_code_page]
[1188]explorer.exe-->user32.dll-->RegisterClassExW, Type: Inline - RelativeJump 0x7E36AF7F-->028B4DC4 [unknown_code_page]
[1188]explorer.exe-->user32.dll-->OpenInputDesktop, Type: Inline - RelativeJump 0x7E36ECA3-->028B49B8 [unknown_code_page]
[1188]explorer.exe-->user32.dll-->SwitchDesktop, Type: Inline - RelativeJump 0x7E36FE6E-->028B4A08 [unknown_code_page]
[1188]explorer.exe-->user32.dll-->DefDlgProcW, Type: Inline - RelativeJump 0x7E373D3A-->028B4AB2 [unknown_code_page]
[1188]explorer.exe-->user32.dll-->GetMessageA, Type: Inline - RelativeJump 0x7E37772B-->028B3068 [unknown_code_page]
[1188]explorer.exe-->user32.dll-->RegisterClassExA, Type: Inline - RelativeJump 0x7E377C39-->028B4E16 [unknown_code_page]
[1188]explorer.exe-->user32.dll-->DefWindowProcW, Type: Inline - RelativeJump 0x7E378D20-->028B4A26 [unknown_code_page]
[1188]explorer.exe-->user32.dll-->BeginPaint, Type: Inline - RelativeJump 0x7E378FE9-->028AC79C [unknown_code_page]
[1188]explorer.exe-->user32.dll-->EndPaint, Type: Inline - RelativeJump 0x7E378FFD-->028AC80C [unknown_code_page]
[1188]explorer.exe-->user32.dll-->GetCursorPos, Type: Inline - RelativeJump 0x7E37974E-->028B2E73 [unknown_code_page]
[1188]explorer.exe-->user32.dll-->GetMessagePos, Type: Inline - RelativeJump 0x7E37996C-->028B2E41 [unknown_code_page]
[1188]explorer.exe-->user32.dll-->CallWindowProcW, Type: Inline - RelativeJump 0x7E37A01E-->028B4C5C [unknown_code_page]
[1188]explorer.exe-->user32.dll-->PeekMessageA, Type: Inline - RelativeJump 0x7E37A340-->028B30BB [unknown_code_page]
[1188]explorer.exe-->user32.dll-->GetUpdateRect, Type: Inline - RelativeJump 0x7E37A8C9-->028AC965 [unknown_code_page]
[1188]explorer.exe-->user32.dll-->CallWindowProcA, Type: Inline - RelativeJump 0x7E37A97D-->028B4CA5 [unknown_code_page]
[1188]explorer.exe-->user32.dll-->DefWindowProcA, Type: Inline - RelativeJump 0x7E37C17E-->028B4A6C [unknown_code_page]
[1188]explorer.exe-->user32.dll-->SetCapture, Type: Inline - RelativeJump 0x7E37C35E-->028B2EF7 [unknown_code_page]
[1188]explorer.exe-->user32.dll-->ReleaseCapture, Type: Inline - RelativeJump 0x7E37C37A-->028B2F51 [unknown_code_page]
[1188]explorer.exe-->user32.dll-->GetDCEx, Type: Inline - RelativeJump 0x7E37C595-->028AC84C [unknown_code_page]
[1188]explorer.exe-->user32.dll-->RegisterClassA, Type: Inline - RelativeJump 0x7E37EA5E-->028B4D77 [unknown_code_page]
[1188]explorer.exe-->user32.dll-->GetUpdateRgn, Type: Inline - RelativeJump 0x7E37F5EC-->028AC9F8 [unknown_code_page]
[1188]explorer.exe-->user32.dll-->DefFrameProcW, Type: Inline - RelativeJump 0x7E380833-->028B4B3E [unknown_code_page]
[1188]explorer.exe-->user32.dll-->DefMDIChildProcW, Type: Inline - RelativeJump 0x7E380A47-->028B4BD0 [unknown_code_page]
[1188]explorer.exe-->user32.dll-->GetClipboardData, Type: Inline - RelativeJump 0x7E380DBA-->028A733F [unknown_code_page]
[1188]explorer.exe-->user32.dll-->DefDlgProcA, Type: Inline - RelativeJump 0x7E38E577-->028B4AF8 [unknown_code_page]
[1188]explorer.exe-->user32.dll-->DefFrameProcA, Type: Inline - RelativeJump 0x7E39F965-->028B4B87 [unknown_code_page]
[1188]explorer.exe-->user32.dll-->DefMDIChildProcA, Type: Inline - RelativeJump 0x7E39F9B4-->028B4C16 [unknown_code_page]
[1188]explorer.exe-->user32.dll-->SetCursorPos, Type: Inline - RelativeJump 0x7E3A61B3-->028B2EBA [unknown_code_page]
[1188]explorer.exe-->wininet.dll-->InternetCloseHandle, Type: Inline - RelativeJump 0x771B4D8C-->028BE10A [unknown_code_page]
[1188]explorer.exe-->wininet.dll-->HttpSendRequestA, Type: Inline - RelativeJump 0x771B60A1-->028BDF7E [unknown_code_page]
[1188]explorer.exe-->wininet.dll-->HttpQueryInfoA, Type: Inline - RelativeJump 0x771B79C2-->028BE202 [unknown_code_page]
[1188]explorer.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump 0x771B82EA-->028BE14D [unknown_code_page]
[1188]explorer.exe-->wininet.dll-->HttpSendRequestExW, Type: Inline - RelativeJump 0x771BE9C1-->028BDFD2 [unknown_code_page]
[1188]explorer.exe-->wininet.dll-->InternetQueryDataAvailable, Type: Inline - RelativeJump 0x771C89F7-->028BE1D6 [unknown_code_page]
[1188]explorer.exe-->wininet.dll-->InternetReadFileExA, Type: Inline - RelativeJump 0x771E9100-->028BE18C [unknown_code_page]
[1188]explorer.exe-->wininet.dll-->HttpSendRequestW, Type: Inline - RelativeJump 0x77202EBC-->028BDF2A [unknown_code_page]
[1188]explorer.exe-->wininet.dll-->HttpSendRequestExA, Type: Inline - RelativeJump 0x77202FC1-->028BE06E [unknown_code_page]
[1188]explorer.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump 0x71A93E2B-->028A77F9 [unknown_code_page]
[1188]explorer.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71A94C27-->028A7831 [unknown_code_page]
[1188]explorer.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71A968FA-->028A7852 [unknown_code_page]
[1188]explorer.exe-->crypt32.dll-->PFXImportCertStore, Type: Inline - RelativeJump 0x77ADFF8F-->028B4123 [unknown_code_page]
Attachments
pass: infected
(76.48 KiB) Downloaded 77 times
 #21174  by MountFranklin
 Sun Oct 13, 2013 10:30 pm
Thank you very much EP_X0FF! Unpacked binary indeed worked. Though, i am still trying to understand and play with on this sample following your tips, i'm a newbie here... Thanks again!

Regards and more power!
  • 1
  • 18
  • 19
  • 20
  • 21
  • 22
  • 29