 #27865  by pwnslinger
 Fri Feb 12, 2016 5:15 pm
pwnslinger wrote:
EP_X0FF wrote:
pwnslinger wrote:
Hi,
Using a VB6 packing method, it executes shellcode which is packed by MoleBox or something like that (PUSHAD, CALL).
But I don't know why I just got into this loop. It enumerates through all procedure names...
Hint me please.

Sample also attached below:
As with most malware crypters used for ZBot, its "decryption" is based on the moment when RunPE is executed. Set a break on CreateProcess and dump the memory region it will attempt to write to the zombie target process.

https://www.virustotal.com/en/file/e4e0 ... 448537374/

"Unpacked" Kronos in attach. Posts moved.
Thanks EP. ;)

After dumping the second stage (explorer.exe) (changing the EP with PUSH/RET) using the EBFE method to attach with OllyDbg,
I don't know why, when I want to toggle a bp on code, Olly can't and just runs (memory regions are RWC!).
Then I used F4 (run till selection) and a hw bp.
But when it calls SYSENTER... I can't take control back.
@antelox and I analyzed it again and we found a call fs:[0xc0] related to WoW64 (32-bit code running on x64), so this malware can be controlled on Win 7 x64,
but on Windows XP x86 the debugger can't take back control after stepping this function. This is not an anti-debug trick either.
Also the SSDT index for NtSetValueKey changes in Windows 7 and you can get it using WinDbg.
You can see the differences in these two pictures.
Attachments: win7x64.png, winxpx86.png
 #27946  by cr33k
 Thu Feb 25, 2016 4:04 pm
(2/25/2016 6:02:28 AM) exploit.im: ~~~~!!!!!!~~~~~~
ATTENTION: Kronos Banking Trojan: Working on MSIE,FF,Chrome, and MSIE EDGE!
~~~~!!!!!!~~~~~~

Kronos has been updated and better than ever! Issues with Chrome crashing and not properly grabbing and
injecting data have been fixed. FireFox grabbing and inject have been fixed. MSIE EDGE support for
grabbing and injecting has been added. A few stability fixes have also been established.

Become a customer today and gain discounts on modules that are being developed such as USB Spreader, Socks5,
And hidden VNC.

Price is $3,000 FIRM via Bitcoin.

Useful contacts for smooth operations are given upon purchase.

Contact: Vinny@exploit.im (this is the only authorized contact. DO NOT TRUST ANY OTHERS!)

Link: https://exploit.in/forum/index.php?showtopic=79705

====================
It's an advertisement
====================
Appears Kronos now supports IE Edge. No Sample At This Time.
 #28049  by Antelox
 Wed Mar 16, 2016 2:53 pm
Just an update on pwnslinger's problem with the call to fs:[0xc0].

The analyzed sample queries the system processes and their loaded modules (through the NtQuerySystemInformation API call), encodes the process/module name string, then compares it with hardcoded encoded strings. If the strings match, it changes a flag; otherwise it continues searching the next process/module. The changed flag influences the compare instruction at address 0xA7B3F in the picture posted above by pwnslinger; the conditional je jump must be taken to perform the system call (via fs:[0xc0] indeed), otherwise sysenter is called and an ACCESS_VIOLATION happens.

Antelox
 #28055  by Antelox
 Thu Mar 17, 2016 2:34 pm
I forgot to post the decoded process/module name strings (Kronos's bad friends :P)
Code:
vmtoolsd.exe
vboxtray.exe
idaq.exe
idaq64.exe
ollydbg.exe
windbg.exe
wireshark.exe
lordpe.exe
sbiedll.dll
dbghelp.dll
cuckoomon.dll
vmware
BR,
Antelox
 #28305  by Xylitol
 Wed Apr 13, 2016 7:58 pm
https://www.virustotal.com/en/file/673b ... 460576548/ >> 10/57, signed also
Call home: kronocloud.top/elbir/connect.php (hidden behind CloudFlare, but the real IP is 5.154.190.115)


unpacked: https://www.virustotal.com/en/file/2d1b ... 460825906/
C:\Users\Root\Downloads\kronos\form1\VJF1\Binaries\Release\VJF 1.pdb
PDB path comparison with some other samples:
Code:
MD5 - PDB - Call home
f780458c5331d4e58d09f9363e7f641d - C:\Users\Root\Downloads\dicks\VJF1\Binaries\Release\VJF 1.pdb - flashplayerliveupdate.ru
92f41793668b39e40b15e613178ef72e - C:\Users\Root\Downloads\fleet\VJF1\Binaries\Release\VJF 1.pdb - adobeflashupdate.ru
d94f26b9c84a3173cf2c58941876b5d0 - C:\Users\Root\Downloads\hw\VJF1\Binaries\Release\VJF 1.pdb - slighsplashinside.com
3d697a712c044ced7ac9aade3c06199b - C:\Users\Root\Downloads\kronos\form1\VJF1\Binaries\Release\VJF 1.pdb - morninlows.com
Malware drama scene: [two screenshots]

Targeting UK banks.
Code:
set_url https://*http://online.lloydsbank.co.uk/personal/ * GP
set_url https://*http://secure.lloydsbank.co.uk/personal/ * GP
set_url https://www.halifax-online.co.uk/personal/ * GP
set_url https://*http://secure.halifax-online.co.uk/personal/ * GP
set_url https://bank.barclays.co.uk/olb/auth/LoginLink.actio …* GP
set_url https://*http://hsbc.co.uk * GP
set_url https://*http://nationwide.co.uk * GP
set_url https://*http://nwolb.com * GP
set_url https://*http://santander.co.uk * GP
Of interest:
https://www.lexsi.com/securityhub/overv ... t/?lang=en
https://www.lexsi.com/securityhub/krono ... s/?lang=en
Last edited by Xylitol on Mon Apr 18, 2016 2:37 pm, edited 2 times in total.
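The set_url lines above follow the Zeus-style webinject syntax ("set_url <url-mask> <flags>", where '*' is a wildcard and the flags G and P limit a rule to GET or POST requests). The parser and matcher below are an added example, not code from this thread or from Kronos itself; a defender can feed it an inject file and ask whether a given URL would be targeted. The inject lines it ships with are constructed in that format, not the attached file.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the set_url format quoted in the thread (not the posted file).
# Lines: "set_url <url-mask> <flags>"; '*' matches any run of characters;
# flag G restricts the rule to GET requests, P to POST. data_* blocks hold the
# HTML that would be injected and are skipped by this parser.
SAMPLE_INJECTS = """
set_url https://*lloydsbank.co.uk/personal/* GP
set_url https://www.halifax-online.co.uk/personal/* GP
set_url https://bank.barclays.co.uk/olb/auth/* GP
set_url https://*hsbc.co.uk* G
data_before
<form id="loginForm"*
data_end
data_inject
<!-- constructed placeholder for the injected HTML -->
data_end
"""


@dataclass
class InjectRule:
    mask: str
    flags: str
    pattern: re.Pattern = field(repr=False)


def mask_to_regex(mask: str) -> re.Pattern:
    """Anchored, case-insensitive regex: every '*' becomes '.*', all else is literal."""
    body = ".*".join(re.escape(part) for part in mask.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE)


def parse_injects(text: str) -> list:
    """Return one InjectRule per set_url line; every other line is ignored."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "set_url":
            flags = fields[2] if len(fields) > 2 else ""
            rules.append(InjectRule(fields[1], flags, mask_to_regex(fields[1])))
    return rules


def targeted_masks(rules: list, url: str, method: str = "GET") -> list:
    """Masks matching the URL whose flags allow the HTTP method (G=GET, P=POST)."""
    want = {"GET": "G", "POST": "P"}.get(method.upper(), "")
    return [r.mask for r in rules if want and want in r.flags and r.pattern.match(url)]


RULES = parse_injects(SAMPLE_INJECTS)
```

Unknown methods (anything other than GET/POST) never match, and an unknown mask syntax is treated literally, so a miss means "not covered by these rules", not "safe".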
 #28485  by Xylitol
 Wed May 11, 2016 6:58 pm
Attachments: infected
 #28494  by comak
 Thu May 12, 2016 6:11 pm
A few more CnCs:
Code:
http://johngotti-007.com:80/007/connect.php
http://johngotti.com.ng:80/007/connect.php
http://johngotti.org:80/007/connect.php
http://johngotti.co.za:80/007/connect.php
http://johngotti-007.co.za:80/007/connect.php
Injects attached (from http://johngotti-007.com/007/connect.php)
Attachments: pw: infected