A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #13541  by rkhunter
 Wed May 30, 2012 1:22 pm
+2
MD5: 20732c97ef66dd97389e219fc0182cb5
MD5: f0a654f7c485ae195ccf81a72fe083a2
Attachments (pass: infected), 551.31 KiB
 #13560  by rkhunter
 Thu May 31, 2012 5:13 am
 #13569  by rkhunter
 Thu May 31, 2012 11:51 am
It infects my WinXP SP3 fine:
- rename the file with MD5 bdc9e04388bda8527b398a8c34667e18 to msdclr64.ocx
- execute the command "rundll32.exe msdclr64.ocx,DDEnumCallback" with the full path to msdclr64.ocx
- wait for rundll32 to terminate
- go to HKLM\SYSTEM\CurrentControlSet\Control\Lsa and check that mssecmgr.ocx was added to Authentication Packages
- next, reboot
- wait for the payload downloads
On the infected system:
Image

mscrypt.dat and ntcache.dat from the infected machine, missed earlier, are in the attachment.

The CrySyS report is very useful for reproducing the infection.
Attachments (pass: infected), 3.18 MiB
 #13584  by rkhunter
 Thu May 31, 2012 7:12 pm
Guys, can anyone help with a tool/code for .dat decryption?
 #13593  by EP_X0FF
 Fri Jun 01, 2012 3:32 am
rkhunter wrote: Guys, can anyone help with a tool/code for .dat decryption?
I'm sorry, this code is fast & ugly, but the overall principle should be clear :)
There are some PE executables inside the dat files (4 in mscrypt.dat). For example (raw copy-paste): https://www.virustotal.com/file/04c84a3 ... 338521820/ Hehe, Dr.Web fails again.
Code:
#include <windows.h>

/* Substitution table: encoded byte = dict[plain byte].
   It is a permutation of 0..255, so every encoded byte has exactly one preimage. */
BYTE dict[256] = {
	234, 130,  99, 174, 163, 140, 102,  73, 243,   1, 103,   6,  18, 199, 182, 178,
	  7, 239,  28, 193, 117, 253,  23,  62, 224, 254,  61, 202,  30, 221,  26, 149,
	181, 192, 183, 248, 157,  31, 226,  47, 145,  67, 111, 191, 175, 159, 250, 166,
	205,  95,  81,  96, 101, 143, 255, 249, 187, 153,  77,  89, 241, 105, 116, 208,
	 46, 240, 108,  42, 196, 179, 127, 176,  36, 128, 113,  10,  48, 150, 118, 106,
	 63, 122, 137,  33, 151, 207,  55, 242, 223,  52, 190,  59,  20,  11, 238,  16,
	  4,  17,  78,  70, 134,  12,  87,  71, 162, 230, 225,  79, 169, 206, 198, 218,
	125,  43,  83, 216,  40,  75, 123,  37, 222, 236,  29, 156, 164, 139, 110,  85,
	142,  57,  93,  74,  56, 168,  53, 246,  19,  27, 251,  50, 131, 120,  90,  97,
	154, 136,  80,  35, 184,  64, 252,  39, 247,  66, 104, 203,  84,  86,   9, 186,
	 49, 138, 212,  24, 213,  91, 228, 172,   2, 185, 129, 170,  44,  58,   0, 167,
	209, 195, 161, 112, 244, 155, 119, 197, 201, 158, 121, 109,  15, 200, 173,  76,
	 60,  92,  65, 133,  88, 219, 141,  98, 229, 144, 215,  14, 204,   3, 171, 147,
	 21,  72, 232,   8,  41, 188, 124,  68, 146, 126, 210, 165, 235, 180, 217,  54,
	 38, 160,  34, 100, 227, 231, 177,  51, 194, 115, 135,  25,  69, 211,   5, 245,
	 45, 114,  94, 148, 233, 237, 152, 220, 214,  22, 189,  32, 107, 132,  82,  13
};

/* Reverse lookup: return the index i with dict[i] == c. */
BYTE DecodeByte(BYTE c)
{
	int i;
	for ( i = 0; i < 256; i++ ) {
		if ( dict[i] == c )
			break;
	}
	return (BYTE)i;	/* always < 256 because dict is a permutation */
}

/* MapFile was not included in the original post; this stand-in maps the file
   read-only and returns its size in *size (NULL on failure). */
static BYTE *MapFile(LPCTSTR f, DWORD *size)
{
	HANDLE hFile, hMap;
	BYTE *view = NULL;

	hFile = CreateFile(f, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
	if ( hFile == INVALID_HANDLE_VALUE )
		return NULL;
	*size = GetFileSize(hFile, NULL);
	hMap = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
	if ( hMap ) {
		view = (BYTE*)MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, 0);
		CloseHandle(hMap);	/* the view keeps the mapping alive */
	}
	CloseHandle(hFile);
	return view;
}

void DecryptDatFile(LPTSTR f)
{
	BYTE *in, *out = NULL;
	DWORD i, bytesIO = 0, written = 0;
	HANDLE hOutput;

	in = MapFile(f, &bytesIO);
	if ( in ) {

		out = (BYTE*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, bytesIO);
		if ( out ) {

			for ( i = 0; i < bytesIO; i++ )
				out[i] = DecodeByte(in[i]);

			/* CreateFile returns INVALID_HANDLE_VALUE, not NULL, on failure */
			hOutput = CreateFile(TEXT("output.dat"), GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);
			if ( hOutput != INVALID_HANDLE_VALUE ) {

				WriteFile(hOutput, (LPCVOID)out, bytesIO, &written, NULL);
				CloseHandle(hOutput);
			}

			HeapFree(GetProcessHeap(), 0, out);
		}
		UnmapViewOfFile(in);
	}
}
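As an added example that is not from the thread, the same reverse lookup in Python: it takes the 256-entry table posted above, checks that it really is a permutation (otherwise a byte would decode ambiguously), builds the inverse table once instead of scanning 256 entries per byte, and then scans the decoded buffer for MZ headers whose e_lfanew points at a "PE\0\0" signature, which is how one would locate the embedded executables mentioned above without guessing offsets. The sample input is constructed here, not taken from a real .dat file.

```python
"""Decode a byte-substitution-encoded .dat file and carve embedded PE images."""
import struct

# Substitution table copied from the post above: encoded byte = DICT[plain byte].
DICT = bytes([
    234, 130,  99, 174, 163, 140, 102,  73, 243,   1, 103,   6,  18, 199, 182, 178,
      7, 239,  28, 193, 117, 253,  23,  62, 224, 254,  61, 202,  30, 221,  26, 149,
    181, 192, 183, 248, 157,  31, 226,  47, 145,  67, 111, 191, 175, 159, 250, 166,
    205,  95,  81,  96, 101, 143, 255, 249, 187, 153,  77,  89, 241, 105, 116, 208,
     46, 240, 108,  42, 196, 179, 127, 176,  36, 128, 113,  10,  48, 150, 118, 106,
     63, 122, 137,  33, 151, 207,  55, 242, 223,  52, 190,  59,  20,  11, 238,  16,
      4,  17,  78,  70, 134,  12,  87,  71, 162, 230, 225,  79, 169, 206, 198, 218,
    125,  43,  83, 216,  40,  75, 123,  37, 222, 236,  29, 156, 164, 139, 110,  85,
    142,  57,  93,  74,  56, 168,  53, 246,  19,  27, 251,  50, 131, 120,  90,  97,
    154, 136,  80,  35, 184,  64, 252,  39, 247,  66, 104, 203,  84,  86,   9, 186,
     49, 138, 212,  24, 213,  91, 228, 172,   2, 185, 129, 170,  44,  58,   0, 167,
    209, 195, 161, 112, 244, 155, 119, 197, 201, 158, 121, 109,  15, 200, 173,  76,
     60,  92,  65, 133,  88, 219, 141,  98, 229, 144, 215,  14, 204,   3, 171, 147,
     21,  72, 232,   8,  41, 188, 124,  68, 146, 126, 210, 165, 235, 180, 217,  54,
     38, 160,  34, 100, 227, 231, 177,  51, 194, 115, 135,  25,  69, 211,   5, 245,
     45, 114,  94, 148, 233, 237, 152, 220, 214,  22, 189,  32, 107, 132,  82,  13,
])


def build_inverse(table: bytes) -> bytes:
    """Return inv with inv[table[i]] == i; refuse tables that are not a permutation."""
    if len(table) != 256 or len(set(table)) != 256:
        raise ValueError("substitution table must be a 256-entry permutation")
    inv = bytearray(256)
    for plain, enc in enumerate(table):
        inv[enc] = plain
    return bytes(inv)


INV = build_inverse(DICT)


def decode(data: bytes) -> bytes:
    """Equivalent of DecodeByte() applied to every byte, via one table lookup each."""
    return data.translate(INV)


def encode(data: bytes) -> bytes:
    """Forward direction, used only to build a test sample and check the round trip."""
    return data.translate(DICT)


def carve_pe_offsets(buf: bytes) -> list:
    """Offsets of plausible PE images: 'MZ' whose e_lfanew lands on 'PE\\0\\0'."""
    hits = []
    pos = buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # A sane e_lfanew sits past the DOS header and not absurdly far away.
            if 0x40 <= e_lfanew < 0x1000 and buf[pe:pe + 4] == b"PE\0\0":
                hits.append(pos)
        pos = buf.find(b"MZ", pos + 1)
    return hits


def make_sample_encoded() -> bytes:
    """Constructed sample: 100 filler bytes, a minimal fake MZ/PE header, a tail."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3A)          # DOS header up to e_lfanew
    hdr += struct.pack("<I", 0x80)                   # e_lfanew = 0x80
    hdr += b"\0" * (0x80 - len(hdr))                 # pad to the NT headers
    hdr += b"PE\0\0" + b"\x4c\x01"                   # signature + i386 machine
    plain = b"\x11" * 100 + bytes(hdr) + b"tail"
    return encode(plain)


if __name__ == "__main__":
    sample = make_sample_encoded()
    print("PEs in encoded sample:", carve_pe_offsets(sample))
    print("PEs in decoded sample:", carve_pe_offsets(decode(sample)))
```

Running the carver on the raw file and on its decoded copy side by side is a quick sanity check that the table is the right one: a correct table turns an opaque blob into one with recognisable MZ/PE structure, a wrong table does not.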
 #13595  by rkhunter
 Fri Jun 01, 2012 4:32 am
EP_X0FF wrote: Hehe, Dr.Web fails again.
I'm not surprised, and I think you aren't either.