A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #6060  by EP_X0FF
 Wed Apr 27, 2011 1:40 pm
I don't know how new this sample really is, but it uses 0x4C; however, if the author only changes the key, it's not so hard to brute-force.
 #6061  by USForce
 Wed Apr 27, 2011 2:15 pm
Confirmed ;) I have reversed this sample and they changed the encryption byte from 0xC4 to 0x4C. At the beginning it was a plain XOR between the indexed byte and the byte located at the previous position. Then they reinforced it by adding a XOR with 0xC4. Now they have changed 0xC4 to 0x4C, I think because the decryption algorithm was published online some months ago (http://www.prevx.com/blog/168/SpyEye-th ... eader.html)
 #6063  by EP_X0FF
 Wed Apr 27, 2011 4:40 pm
markusg wrote: http://www.virustotal.com/file-scan/rep ... 1303920299
This one uses a different XOR byte (0xC4) and has less functionality on board.
Code:
.text:00910903 SpyEye_DecryptCycle:
.text:00910903         mov     dl, [eax+ecx]
.text:00910906         xor     dl, 0C4h
.text:00910909         sub     dl, [eax+ecx-1]
.text:0091090D         mov     [eax+ecx], dl
.text:00910910         dec     eax
.text:00910911         test    eax, eax
.text:00910913         jg      short SpyEye_DecryptCycle
Find attached decrypted.

pass: E32E1781E60A9570894685D30000006D (from SpyEye)
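The loop quoted above, together with USForce's description of the scheme and EP_X0FF's remark that a changed key is easy to brute-force, is reimplemented below as an added worked example. This is not code from the thread or from SpyEye itself: the decrypt routine is a direct transcription of SpyEye_DecryptCycle, the encrypt routine is the inverse derived from it (an assumption about the builder, which the post does not show), and the sample plaintext is constructed.

```python
# Added example: SpyEye config.bin single-byte-key scheme, reconstructed from the
# SpyEye_DecryptCycle loop quoted in the thread. Sample data below is constructed.

# Constructed stand-in for a decrypted config blob; real config.bin data is larger.
SAMPLE_PLAIN = b"[constructed]\nplugin=ddos\ngate=hxxp://example.invalid/gate.php\n"


def spyeye_decrypt(data: bytes, key: int = 0xC4) -> bytes:
    """Transcription of SpyEye_DecryptCycle.

    The loop walks the buffer backwards from the last byte down to index 1:
        buf[i] = (buf[i] ^ key) - buf[i-1]   (mod 256)
    Because it runs backwards, buf[i-1] is still the *encrypted* byte when it is
    subtracted, and buf[0] is never touched (jg exits once eax reaches 0).
    """
    buf = bytearray(data)
    for i in range(len(buf) - 1, 0, -1):
        buf[i] = ((buf[i] ^ key) - buf[i - 1]) & 0xFF
    return bytes(buf)


def spyeye_encrypt(data: bytes, key: int = 0xC4) -> bytes:
    """Inverse of spyeye_decrypt, derived here (assumption: the builder does exactly
    this; only the decryptor is shown in the thread).

    Forward walk so that out[i-1] is already the encrypted previous byte:
        out[i] = (plain[i] + out[i-1]) ^ key   (mod 256)
    """
    out = bytearray(data)
    for i in range(1, len(out)):
        out[i] = ((out[i] + out[i - 1]) & 0xFF) ^ key
    return bytes(out)


def brute_force_key(data: bytes, known_prefix: bytes) -> list:
    """Recover the single-byte XOR key from a few bytes of known plaintext.

    There are only 256 candidates. For i >= 1,
        plain[i] = (cipher[i] ^ key) - cipher[i-1]
    is a bijection in key, so a known prefix of two or more bytes pins the key to
    exactly one value (the first byte is passed through unchanged and tells you
    nothing). Returns the list of keys whose decryption matches the prefix.
    """
    if len(known_prefix) < 2:
        raise ValueError("need at least two known plaintext bytes")
    n = len(known_prefix)
    return [k for k in range(256) if spyeye_decrypt(data[:n], k) == known_prefix]


if __name__ == "__main__":
    # Old key from the thread (0xC4) and the changed key (0x4C).
    for key in (0xC4, 0x4C):
        blob = spyeye_encrypt(SAMPLE_PLAIN, key)
        recovered = brute_force_key(blob, SAMPLE_PLAIN[:4])
        print(f"key 0x{key:02X}: brute-force candidates {[hex(k) for k in recovered]}")
        assert spyeye_decrypt(blob, recovered[0]) == SAMPLE_PLAIN
```

Against a real dump, `spyeye_decrypt(open("config.bin", "rb").read(), 0x4C)` reproduces the loop's effect. If no known prefix is available, scoring each of the 256 candidates by how printable the output looks also works, but note one weakness of that check: a candidate key that differs from the true key only in the low bits yields output that differs from the plaintext by only ±1 per byte, so it scores almost as well as the right key. A two-byte known prefix has no such ambiguity.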
 #6065  by EP_X0FF
 Thu Apr 28, 2011 8:06 am
SpyEye 1.3.xx (likely) from Image, yet another idiot.

91.213.217.36/BViewbv32y77ebcbc/bin/

They are from the bots currently trying to DDoS (SYN flood) the SpyEye tracker.
ssyn spyeyetracker.abuse.ch 443 3600
config_pomidorka.zip - decrypted config data from first sample (DDoS plugin included)
pass: 8844F4EBB23FDE732480A38E115C8B09

The second sample is identical to the first (re-crypted only), including the config.bin data.

Both samples in malware.rar, pass: malware

edit:

Yet another SpyEye, with Certificates Grabber (steals certificates from the FF cryptographic storage; by default only from Windows) and RDP plugins (see decrypted_CertGrabber.zip)
pass: 710A0CBACF0E771A971470DCD517A94A
RDP config
195.226.218.136:30000;vmLacswsoJaEk;sysadmin;qwe123;http://www.cushyhost.com/download.php?img=224
Last edited by EP_X0FF on Thu Apr 28, 2011 11:40 am, edited 4 times in total. Reason: added more
 #6306  by EP_X0FF
 Fri May 13, 2011 3:27 am
markusg wrote: E3677975003727A9EE60023D0ADB08001DEC7958.exe
http://www.virustotal.com/file-scan/report.html?id=8f478f0e053fe0abd74f92fd6777e812c6826e124d1836c5016ece8964de01af-1304177506
Find attached decrypted config.bin
pass: EA9D67D04EA91926C211C45DE8AF991E

Comes with a DDoS plugin targeting pro-otdyh.com.ua (ssyn).
Also included: custom connector, sock5, ccgrabber.

Gates:
hxxp://193.107.172.11/~brbrabr1/gate.php;1200
hxxp://maf3support.com/~brbrabr1/gate.php;1200
hxxp://maf4support.com/~brbrabr1/gate.php;1200
Xylitol wrote: loc: turaminich.co.cc/zcontent/catalog/bin/rar.exe
Decrypted attached as Xylitol_decrypted.zip
pass: 333B27D373A91C8923561D2D905E4EA6

Only the custom connector is in place.

Gates:
hxxp://dug6.jz8ofdji.com/q3calw8k/gate.php;90
hxxp://h4au.ijp2fmtf.net/q3calw8k/gate.php;90
Both with AntiRapport on board.