A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #11437  by onthar
 Sun Feb 05, 2012 12:12 am
Trojan-downloader, size - 12,1 kb
Interesting thing is autocrypting every few minutes.
I have found this links:
hxxp://66.96.212.149/files/16
hxxp://66.96.212.149/files/17
hxxp://66.96.212.149/files/18
hxxp://66.96.212.149/files/19
hxxp://66.96.212.149/files/25
hxxp://66.96.212.149/files/30
hxxp://66.96.212.149/files/31
And load them into Xylitol's MAD (awesome tool!). Hundred different samples were gathered in about ten minutes.
Anitivirus analysis: https://www.virustotal.com/file/f5f0693 ... 328398367/
Microsoft review: http://www.microsoft.com/security/porta ... FDrstwex.A
This ip in malc0de database: http://malc0de.com/database/index.php?s ... .149&IP=on

Every file downloads different malwares from internet.
For example:
This file 19.exe (b4c4f8c1f4c3d012a836c92a50048e05) downloads some variant of ZeroAccess rootkit, Pakes ddos-bot and several other trojans:
https://www.virustotal.com/file/829a1c6 ... 328400103/
https://www.virustotal.com/file/7a0ec73 ... 328400189/
Report generated with Buster Sandbox Analyzer 1.49 at 23:50:02 on 04/02/2012

[ General information ]
* File name: c:\sndbx\19.exe
* File length: 12416 bytes
* File signature (PEiD): UPolyX v0.5 *
* File signature (Exeinfo): *** Unknown EXE - standard Compiler section
* File type: EXE
* TLS hooks: NO
* File entropy: 3.27466 (40.9332%)
* ssdeep signature: 96:cfYI33fjsVWUbxCqUr8SzLTZ3JZc71yQtQKQYQ:cfL3RUbevNo7MQjQYQ
* Digital signature: Unsigned
* MD5 hash: b4c4f8c1f4c3d012a836c92a50048e05
* SHA1 hash: 0f44c6d654c471a628e96712dc7dd5f010b7a566
* VirusTotal detections from 2012-01-26 12:41:41 UTC :
No detections found

[ Changes to filesystem ]
* Creates file C:\WINDOWS\system32\dll.dll
File length: 28160 bytes
File signature (PEiD): Borland Delphi DLL
File signature (Exeinfo): Borland Delphi ( 2.0 - 7.0 ) 1992 - http://www.borland.com
File type: DLL
TLS hooks: NO
File entropy: 6.31469 (78.9336%)
ssdeep signature: 768:lKSQquTP0GQA7tR6RNk0H62SorJa+Xkfy5nUvzzQkIHg:/QquTP0GQj/k0a9or3XtnUv3Qy
Digital signature: Unsigned
MD5 hash: 08f3204e393afad8054658611940b7f6
SHA1 hash: 605cc5a03e5d5681bf846ec449ac063e33f46191
VirusTotal detections from 2012-01-26 12:41:41 UTC :
No detections found
* Creates file C:\WINDOWS\system32\mdhcp32.dll
File length: 50688 bytes
File signature (PEiD): Borland Delphi DLL
File signature (Exeinfo): Borland Delphi ( 2.0 - 7.0 ) 1992 - http://www.borland.com
File type: DLL
TLS hooks: NO
File entropy: 7.42494 (92.8118%)
ssdeep signature: 768:syUqhmQIIsDIrMVsGSp2xOWR1k8+87dMo7ngVJemNfwq2p1fwQDe2R/xIANj6B3X:rUqhmQrPrTZp2bkBI62QJ7Nfu8U2S6B
Digital signature: Unsigned
MD5 hash: e0a4f7efc8a0c20eb5b605f745aaf4ca
SHA1 hash: 948ad452a9e374503149ecf80ff0be7b75d54a9c
VirusTotal detections from 2012-01-26 12:41:41 UTC :
No detections found
* Creates file C:\WINDOWS\system32\shimg.dll
File length: 295042 bytes
File type: Unknown
MD5 hash: 1299bd7f24cb221b0b09d178405ce54f
SHA1 hash: cfb72f40929125c63f45752c4a35637608b63fcd
* Creates file C:\Documents and Settings\1\Application Data\pny\pnd.exe
File length: 32768 bytes
File signature (PEiD): UPX 0.89.6 - 1.02 / 1.05 - 2.90 -> Markus & Laszlo
File signature (Exeinfo): UPX 0.89 - 3.xx -> Markus & Laszlo ver. [ 3.03 ] <- info from file. ( sign like UPX packer )
File type: EXE
TLS hooks: NO
File entropy: 7.61013 (95.1267%)
ssdeep signature: 768:ZESxTZ9hB8Vsqey5nM2k9qXzPAfIBOiANbXJTg:ZRgVsqVzUIIfNbZ8
Digital signature: Unsigned
MD5 hash: 479ef472e36c4925f80599af6ae32747
SHA1 hash: db7b0dd88444a233e4f715db645f161facd5d2f2
VirusTotal detections from 2012-01-26 12:41:41 UTC :
No detections found
* Creates hidden folder C:\Documents and Settings\1\Local Settings\Application Data\1f8c7866
* Creates file (hidden) C:\Documents and Settings\1\Local Settings\Application Data\1f8c7866\@
File length: 2048 bytes
File type: Unknown
MD5 hash: 64b099c0de44f246595e5da584eb936d
SHA1 hash: 6c4642c84ab932ebdcd118169c94e91dad5fc690
* Creates file (hidden) C:\Documents and Settings\1\Local Settings\Application Data\1f8c7866\X
File length: 54784 bytes
File signature (PEiD): Aspack v2.12 -> http://www.aspack.com *
File type: EXE
TLS hooks: NO
File entropy: 7.64859 (95.6074%)
ssdeep signature: 1536:USrjjb8InkrfBFr8u6ZmeZ8whXCClFPX+fuxi4yl:/XjbJkrZcbywlCrfKXy
Digital signature: Unsigned
MD5 hash: 1589c1f9b0e91420019e0f7ba0ba4c96
SHA1 hash: 89b93504d1faeaa44441e595a3cbadd12face56b
VirusTotal detections from 2012-01-26 12:41:41 UTC :
No detections found

* Creates file C:\Documents and Settings\1\Local Settings\Temp\2w31C.tmp
File length: 370176 bytes
File signature (PEiD): Borland Delphi 6.0 - 7.0
File signature (Exeinfo): Borland Delphi ( 2.0 - 7.0 ) 1992 - http://www.borland.com
File type: EXE
TLS hooks: NO
File entropy: 7.93257 (99.1572%)
ssdeep signature: 6144:HGXpBkDKYQCdaTZsMNh7KEKtX2sIxIxv2ULyLY0Miz03SX17TFu0ILBrXakx/vKx:0pyXETrNxKhm5WvzyLY0HzIIFIVxb/85
Digital signature: Unsigned
MD5 hash: 8c1f4e1a365e05e338a1faafe79a601e
SHA1 hash: 9948895af266a1eefcda2ca8fe6c7d8308c27422
VirusTotal detections from 2012-01-26 12:41:41 UTC :
No detections found
* Creates file C:\Documents and Settings\1\Local Settings\Temp\2w31D.tmp
File length: 32768 bytes
File signature (PEiD): UPX 0.89.6 - 1.02 / 1.05 - 2.90 -> Markus & Laszlo
File signature (Exeinfo): UPX 0.89 - 3.xx -> Markus & Laszlo ver. [ 3.03 ] <- info from file. ( sign like UPX packer )
File type: EXE
TLS hooks: NO
File entropy: 7.61013 (95.1267%)
ssdeep signature: 768:ZESxTZ9hB8Vsqey5nM2k9qXzPAfIBOiANbXJTg:ZRgVsqVzUIIfNbZ8
Digital signature: Unsigned
MD5 hash: 479ef472e36c4925f80599af6ae32747
SHA1 hash: db7b0dd88444a233e4f715db645f161facd5d2f2
VirusTotal detections from 2012-01-26 12:41:41 UTC :
No detections found
* Creates file C:\Documents and Settings\1\Local Settings\Temp\2w31E.tmp
File length: 46592 bytes
File signature (PEiD): Borland Delphi 6.0 - 7.0
File signature (Exeinfo): Borland Delphi ( 2.0 - 7.0 ) 1992 - http://www.borland.com
File type: EXE
TLS hooks: NO
File entropy: 7.57525 (94.6906%)
ssdeep signature: 768:0tiYq8QWTsJUidpt9zPPKjqcV3COgW0aGTibY6NEuqU/LjigqHRFz6zZG9U3sSo8:9Yq8QRJLdpi90nObYLs/igORFz2gU
Digital signature: Unsigned
MD5 hash: 39abf48c672346eaa6128df26e28d198
SHA1 hash: af470469871055989148e6ea246107b2b1ea5f8c
VirusTotal detections from 2012-01-26 12:41:41 UTC :
No detections found

[ Network services ]
* Connects to "46.251.228.85" on port 8000.
* Connects to "194.60.242.69" on port 80.
* Connects to "188.247.135.210" on port 80.
* Connects to "109.123.114.101" on port 80.
* Connects to "88.85.69.135 (z-1d-c17-d124-135.webazilla.com)" on port 80.
* Connects to "194.8.74.166" on port 80.
* Connects to "205.186.175.209 (ekiaioeqsi.c09.mtsvc.net)" on port 80.
* Connects to "77.109.111.226 (77.109.111.226.static.edpnet.net)" on port 80.
* Connects to "176.9.51.76 (s18.webhost1.ru)" on port 80.

[ Process/window information ]
* Keylogger functionality.
* Enables process privileges.
* Gets user name information.
* Gets system default language ID.
* Gets volume information.
* Gets computer name.
* Creates an event named "wertertew".
* Creates process "C:\DOCUME~1\1\LOCALS~1\Temp\2w31B.tmp,(null),(null)".
* Creates process "C:\DOCUME~1\1\LOCALS~1\Temp\2w31C.tmp,(null),(null)".
* Creates process "C:\DOCUME~1\1\LOCALS~1\Temp\2w31D.tmp,(null),(null)".
* Creates process "C:\DOCUME~1\1\LOCALS~1\Temp\2w31E.tmp,(null),(null)".
* Creates a mutex "CTF.LBES.MutexDefaultS-1-5-21-1078081533-688789844-1060284298-1003".
* Creates a mutex "CTF.Compart.MutexDefaultS-1-5-21-1078081533-688789844-1060284298-1003".
* Creates a mutex "CTF.Asm.MutexDefaultS-1-5-21-1078081533-688789844-1060284298-1003".
* Creates a mutex "CTF.Layouts.MutexDefaultS-1-5-21-1078081533-688789844-1060284298-1003".
* Creates a mutex "CTF.TMD.MutexDefaultS-1-5-21-1078081533-688789844-1060284298-1003".
* Creates a mutex "CTF.TimListCache.FMPDefaultS-1-5-21-1078081533-688789844-1060284298-1003MUTEX.DefaultS-1-5-21-1078081533-688789844-1060284298-1003".
* Enables privilege SeDebugPrivilege.
* Creates process "C:\Documents and Settings\1\Local Settings\Application Data\1f8c7866\X,*5552*96*bc1e7039*69.64.52.10:53,(null)".
* Creates process "C:\WINDOWS\system32\cmd.exe,(null),(null)".
* Creates a mutex "ZonesCounterMutex".
* Creates a mutex "ZonesCacheCounterMutex".
* Creates a mutex "ZonesLockedCacheCounterMutex".
* Creates process "C:\Documents and Settings\1\Application Data\pny\pnd.exe,"C:\Documents and Settings\1\Application Data\pny\pnd.exe" ,C:\sndbx".
* Creates a mutex "_!MSFTHISTORY!_".
* Creates a mutex "c:!documents and settings!1!local settings!temporary internet files!content.ie5!".
* Creates a mutex "c:!documents and settings!1!cookies!".
* Creates a mutex "c:!documents and settings!1!local settings!history!history.ie5!".
* Enumerates running processes.
I've attached all captured samples of this downloader (155 binaries)
Attachments
pass: infected
(619.57 KiB) Downloaded 68 times