A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #19870  by EP_X0FF
 Sat Jun 29, 2013 12:38 pm
Unpacked driver in attach.

Simda obfuscator is somewhat irritating as it is multistaged. Drivers and DLLs haven't been updated since March 2011. The only thing they change is the upper obfuscation layer.

1) original_rootkit_driver -> decrypts second stage procedures (implemented as a second native PE file); can be decrypted in a user mode debugger. Or break in WinDbg at the Simda driver entry and trace until "call eax".

Decryption algorithm at stage 1:
  { Stage 1 decryption loop as reverse-engineered from the Simda driver.
    DWORD arithmetic wraps modulo 2^32, so overflow checking must be off. }
  {$Q-}
  procedure DecryptStage1(InputPtr, OutputPtr: PDWORD; BufferSize: Cardinal);
  var
    key1, key2, dwData: DWORD;
    i: Cardinal;
  begin
    key1 := $E34CAD83;
    key2 := $54B14C88;
    for i := 0 to (BufferSize div sizeof(DWORD)) - 1 do  { one pass per DWORD }
    begin
      dwData := InputPtr^ + key1;   { add running key to the input DWORD }
      OutputPtr^ := dwData;
      key1 := key1 + key2;          { advance the key stream }
      key2 := key2 - $42BE4641;
      inc(InputPtr);
      inc(OutputPtr);
    end;
  end;
2) second stage procedures -> custom decryption of the payload container (seems to be RC4) -> aplib unpacking next (break on the aplib unpacking routine and dump the kernel memory it fills).
3) third stage is 2 native PE drivers and 2 DLLs, which it uses for injection purposes.
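A Python re-implementation of the stage-1 loop from the post, added here as an example (it is not code from the post or from the malware). The encrypt helper, the MZ check and the sample buffer are assumptions constructed for testing; the transform itself follows the posted constants:

```python
import struct

# Constants as given in the post's stage-1 decryption loop.
KEY1_INIT = 0xE34CAD83
KEY2_INIT = 0x54B14C88
KEY2_STEP = 0x42BE4641
MASK32 = 0xFFFFFFFF


def _keystream(n_dwords):
    """Yield the running key1 value for each DWORD, mimicking the loop."""
    key1, key2 = KEY1_INIT, KEY2_INIT
    for _ in range(n_dwords):
        yield key1
        key1 = (key1 + key2) & MASK32       # key1 := key1 + key2 (wraps)
        key2 = (key2 - KEY2_STEP) & MASK32  # key2 := key2 - $42BE4641 (wraps)


def decrypt_stage1(data):
    """Stage-1 transform: out[i] = in[i] + key1[i] mod 2^32 (little-endian DWORDs).
    Trailing bytes that do not fill a DWORD are left untouched, as the
    original loop only processes whole DWORDs."""
    n = len(data) // 4
    dwords = struct.unpack("<%dI" % n, data[: n * 4])
    out = [(d + k) & MASK32 for d, k in zip(dwords, _keystream(n))]
    return struct.pack("<%dI" % n, *out) + data[n * 4 :]


def encrypt_stage1(data):
    """Inverse transform (assumed helper for building test vectors)."""
    n = len(data) // 4
    dwords = struct.unpack("<%dI" % n, data[: n * 4])
    out = [(d - k) & MASK32 for d, k in zip(dwords, _keystream(n))]
    return struct.pack("<%dI" % n, *out) + data[n * 4 :]


def looks_like_pe(data):
    """Cheap sanity check on a decrypted stage: an embedded native PE
    starts with the 'MZ' DOS header magic."""
    return data[:2] == b"MZ"


if __name__ == "__main__":
    # Constructed sample (not a real Simda buffer): a PE-like plaintext,
    # encrypted with the inverse, then recovered with the decryption loop.
    plain = b"MZ\x90\x00" + bytes(range(16))
    cipher = encrypt_stage1(plain)
    assert decrypt_stage1(cipher) == plain
    print("decrypted stage starts with MZ:", looks_like_pe(decrypt_stage1(cipher)))
```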

All stages in attach. For more info see http://www.microsoft.com/security/porta ... imda.gen!A
Attachments
pass: infected
 #20179  by EP_X0FF
 Sat Jul 20, 2013 2:36 am
The most interesting part of it is the KiDebugRoutine usage (http://www.kernelmode.info/forum/viewto ... =13&t=1512), which appeared at almost the same time as in the MaxSS TDL3 fork (http://blogs.mcafee.com/mcafee-labs/mem ... -a-rootkit, http://www.kernelmode.info/forum/viewto ... 6326#p6326, http://www.kernelmode.info/forum/viewto ... 255&p=9687), to be precise, in the same 2011 quarter. Neither of them has been updated since that time: MaxSS moved to a TDL4-based fork and Simda was abandoned until 2013, when Simda probably bought and integrated BkLoader as a replacement for the old unsupported rootkit module. They are also so crazy as to hide this old lolkit in the dropper.
 #24905  by r3shl4k1sh
 Sun Jan 11, 2015 1:08 am
Fresh sample md5: 6855c03e4f1b1cb7f93d5f732edf3f17

VT 6/56

Unpacked:
VT 35/55

(Web) Configs:
In the attachment: original + unpacked + configs.
Attachments
pass: infected