A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #8792  by EP_X0FF
 Wed Sep 28, 2011 8:45 am
markusg wrote:
dll.exe
MD5   : 9ce020a0719921748b41fa76df876283
https://www.virustotal.com/file-scan/re ... 1317137762

file.exe
https://www.virustotal.com/file-scan/re ... 1317137394
MD5   : 909e35b8b43949dc008f6f88e93cbcf0
file.exe
[main]
version=0.03
aid=30227
sid=0
builddate=351
installdate=28.9.2011 8:39:38
rnd=2728766874
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://lo4undreyk.com/;hxxps://sh01cilewk.com/;hxxps://cap01tchaa.com/;hxxps://kur1k0nona.com/;hxxps://u101mnay2k.com/
wsrv=hxxp://gnarenyawr.com/;hxxp://rinderwayr.com/;hxxp://jukdoout0.com/;hxxp://swltcho0.com/;hxxp://ranmjyuke.com/
psrv=hxxp://crj71ki813ck.com/
version=0.31
dll.exe
[main]
version=0.03
aid=30041
sid=0
builddate=351
installdate=28.9.2011 8:42:46
rnd=2326177136
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://lo4undreyk.com/;hxxps://sh01cilewk.com/;hxxps://cap01tchaa.com/;hxxps://kur1k0nona.com/;hxxps://u101mnay2k.com/
wsrv=hxxp://gnarenyawr.com/;hxxp://rinderwayr.com/;hxxp://jukdoout0.com/;hxxp://swltcho0.com/;hxxp://ranmjyuke.com/
psrv=hxxp://crj71ki813ck.com/
version=0.31
All extracted data from both is in the attachment.
Attachments
pass: malware
(192.91 KiB)
 #8836  by rough_spear
 Thu Sep 29, 2011 5:06 pm
Hi,
I'm back with TDL4/TDSS. :mrgreen:
The dropper as well as the dropped files are posted.

web link - hxxp://nitroz66.fileave.com/02set.exe

VT link - http://www.virustotal.com/file-scan/rep ... 1317276329

File size - 173 KB.

MD5 : 244175144a37d7ff3ad725b1d28f98b0
SHA1 : 494d17f7cc17e57dd645d5787744c37324c16e41
SHA256: cd3a72225a59fc9ea4e705aacfa7776cd623039dac13b4e32e27e7e49c2568c4
ssdeep: 3072:9fncREqbTUz2dUf+ANytOdqum+7vVI7ppgY7gY77RZLS:9ftqbT3YzScqj7pD7Dj2

config.ini-
Code:
[main]
version=0.03
aid=30044
sid=0
builddate=351
installdate=29.9.2011 17:1:32
rnd=791871199
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=https://lo4undreyk.com/;https://sh01cilewk.com/;https://cap01tchaa.com/;https://kur1k0nona.com/;https://u101mnay2k.com/
wsrv=http://gnarenyawr.com/;http://rinderwayr.com/;http://jukdoout0.com/;http://swltcho0.com/;http://ranmjyuke.com/
psrv=http://crj71ki813ck.com/
version=0.31
Regards,

rough_spear. ;)
Attachments
password - malware.
(87.14 KiB)
password - malware.
(141.22 KiB)
Last edited by EP_X0FF on Fri Sep 30, 2011 7:34 am, edited 1 time in total. Reason: code tags added
 #8839  by rough_spear
 Thu Sep 29, 2011 6:26 pm
Hi,
Interesting news... TDL4 downloaded the plugin and modified the cfg.ini file. :D

File downloaded is - kwrd.dll
File Size - 204 KB.
VT Link - http://www.virustotal.com/file-scan/rep ... 1317320303

MD5 : 8ea57e8b69f25aed867066ee413d77ca
SHA1 : f7ecceb9b8b36d91660c387176b0be1242fe69d6
SHA256: 385411db62796f6df02a95c10e6f85d8a21567bd2592709bc44c020d4478bbe4
ssdeep: 6144:qJVRAjyPbvmR0cL+o8kMiX9lHkC5+F83oS:IRKR0cyomitlE9F83oS
Code:
[main]
version=0.03
aid=30044
sid=0
builddate=351
installdate=29.9.2011 17:1:32
rnd=791871199
knt=1317315984
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=https://lo4undreyk.com/;https://sh01cilewk.com/;https://cap01tchaa.com/;https://kur1k0nona.com/;https://u101mnay2k.com/
wsrv=http://gnarenyawr.com/;http://rinderwayr.com/;http://jukdoout0.com/;http://swltcho0.com/;http://ranmjyuke.com/
psrv=http://crj71ki813ck.com/
version=0.31
bsh=d8d6128f84bfff8f4d9b16f8fd65c3e27a6fa06d
dlc_srand=103
ns_conf=0
delay=7200
ssl=http://revalati0n-startup.com:8344/
[tasks]
Regards,

rough_spear. 8-)
Attachments
password - malware.
(203.61 KiB)
Last edited by EP_X0FF on Fri Sep 30, 2011 7:32 am, edited 1 time in total. Reason: code tags added
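Added example (my code, not from the thread or from any of the posters): a small reader for the config.ini dumps quoted in this thread, which pulls the C2 host lists out of the [cmd] section and diffs two revisions of the same bot's config, so the keys that appeared after the plugin download (knt, bsh, dlc_srand, ns_conf, delay, ssl, and the empty [tasks] section) show up as a list rather than by eyeballing. The two sample configs are constructed from the values quoted above; a handwritten parser is used instead of configparser because keys such as `*` and `* (x64)` and the trailing empty section are easier to handle explicitly.

```python
"""Parse TDL4-style config.ini dumps, extract C2 hosts, diff two revisions.

Sample configs below are constructed from the values quoted in this thread;
they are test data, not the contents of the attached files.
"""
import re
from urllib.parse import urlparse

# Constructed from the [main]/[inject]/[cmd] blocks quoted above (aid 30044).
CONFIG_BEFORE = """\
[main]
version=0.03
aid=30044
sid=0
builddate=351
installdate=29.9.2011 17:1:32
rnd=791871199
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://lo4undreyk.com/;hxxps://sh01cilewk.com/
wsrv=hxxp://gnarenyawr.com/;hxxp://rinderwayr.com/
psrv=hxxp://crj71ki813ck.com/
version=0.31
"""

# Same bot after the plugin download: extra keys and an empty [tasks] section.
CONFIG_AFTER = CONFIG_BEFORE.replace(
    "rnd=791871199\n", "rnd=791871199\nknt=1317315984\n"
) + """\
bsh=d8d6128f84bfff8f4d9b16f8fd65c3e27a6fa06d
dlc_srand=103
ns_conf=0
delay=7200
ssl=http://revalati0n-startup.com:8344/
[tasks]
"""

C2_KEYS = ("srv", "wsrv", "psrv", "ssl")  # [cmd] keys that carry server lists


def parse_ini(text):
    """Minimal INI reader: {section: {key: value}}, keys kept in file order.
    Empty sections (like [tasks]) are kept so they show up in a diff."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def refang(url):
    """Undo the hxxp/hxxps defanging used in the posts so urlparse can read it."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def extract_c2(config):
    """Return (key, scheme, host, port) for every server URL in [cmd]."""
    cmd = config.get("cmd", {})
    hosts = []
    for key in C2_KEYS:
        for url in filter(None, cmd.get(key, "").split(";")):
            parsed = urlparse(refang(url))
            hosts.append((key, parsed.scheme, parsed.hostname, parsed.port))
    return hosts


def diff_configs(before, after):
    """Keys added or changed in `after` relative to `before`, plus new sections."""
    added, changed = {}, {}
    for section, items in after.items():
        old = before.get(section, {})
        for key, value in items.items():
            if key not in old:
                added[(section, key)] = value
            elif old[key] != value:
                changed[(section, key)] = (old[key], value)
    new_sections = [s for s in after if s not in before]
    return added, changed, new_sections


if __name__ == "__main__":
    before, after = parse_ini(CONFIG_BEFORE), parse_ini(CONFIG_AFTER)
    for key, scheme, host, port in extract_c2(after):
        print(f"{key:5} {scheme}://{host}" + (f":{port}" if port else ""))
    added, changed, new_sections = diff_configs(before, after)
    for (section, key), value in added.items():
        print(f"+ [{section}] {key}={value}")
    print("new sections:", new_sections)
```

Feeding a dumped config.ini from a sandbox run into `parse_ini` and diffing it against the initial drop is a quick way to record which C2 keys a given build adds at runtime, and the host tuples from `extract_c2` can go straight into a blocklist or a DNS log search.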
 #8852  by EP_X0FF
 Fri Sep 30, 2011 7:31 am
kwrd.dll is part of BitCoinMiner; this dll is now hardcoded inside tdlcmd, so it is no surprise to see it.
Here it is after removing the AV-confusing UPX packing: http://www.virustotal.com/file-scan/rep ... 1317366896

And I suggest you use [ code ] [ /code ] or [ quote ] [ /quote ] tags next time to make your posts readable.
 #8950  by SUPERIOR
 Tue Oct 04, 2011 2:14 pm
Code:
http://www.heise.de/security/artikel/Tatort-Internet-Operation-am-offenen-Herzen-1338967.html
I found it an interesting article, though it's German.

PS: sorry, found the English version
Code:
http://www.h-online.com/security/features/CSI-Internet-Open-heart-surgery-1350313.html
 #9130  by EP_X0FF
 Fri Oct 14, 2011 4:10 am
Julian wrote:
Every new sample I tried didn't work for me on Win 7 x64 with MS Patch in VirtualBox.
Is there a sample that surely does the job?
Try a different VM, or a real machine. It works.
 #9199  by Julian
 Sun Oct 16, 2011 8:38 pm
EP_X0FF wrote:
IDK what exactly is not working for Julian, but it isn't anti-VM or something, because I have some of these posted samples in my VM repository. It is known that updated TDL4 may cause a KB2506014-patched system to be unbootable.
The dropper tries to infect the MBR but doesn't succeed (thanks to the MS patch), and so infection attempts run in a queue.
The system remains bootable.
Will try VMware later.
 #9264  by markvirussearch
 Wed Oct 19, 2011 3:21 am
Can someone post a dump of a MBR infected by TDL4?

BTW, just to check: I have been reading them on the infected machines that I see, off of an Ubuntu live CD, with:
Code:
sudo dd if=/dev/sda of=mbr.bin bs=512 count=1
file mbr.bin >> mbr.txt
(then I look at the .txt file in gedit)
Does that work fine, or am I missing something?
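Added example (my code, not from any poster in this thread): a checker for the 512-byte `mbr.bin` produced by the `dd` command above. It verifies the 0x55AA boot signature, decodes the four partition table entries, and hashes the first 440 bytes (the boot code region that an MBR infector rewrites) so the dump can be compared against a known-good baseline from the same disk or a clean install, which is the comparison a `file` one-liner does not give you. The sample sector in `build_sample_mbr` is constructed (a two-byte jump-to-self stub, one active partition, a made-up disk signature), not a real dump.

```python
"""Inspect a raw 512-byte MBR dump: signature, partition table, boot-code hash."""
import hashlib
import struct
import sys

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439: boot code, the region an infector overwrites
DISK_SIG_OFF = 440           # bytes 440..443: Windows disk signature
PART_TABLE_OFF = 446         # four 16-byte partition entries
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
MBR_SIGNATURE = b"\x55\xAA"


def build_sample_mbr():
    """Constructed MBR (not a real dump): 'jmp $' stub, one active NTFS-type
    partition at LBA 2048 spanning 204800 sectors, valid 0x55AA signature."""
    boot_code = b"\xEB\xFE" + b"\x00" * (BOOT_CODE_LEN - 2)
    disk_sig = b"\xDE\xAD\xBE\xEF"
    reserved = b"\x00\x00"
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 204800)
    table = entry + b"\x00" * (16 * 3)
    return boot_code + disk_sig + reserved + table + MBR_SIGNATURE


def parse_mbr(sector):
    """Decode a 512-byte sector; raises ValueError if it is not a plausible MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(
            PART_ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:  # empty entry
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": sector[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex(),
        "partitions": partitions,
    }


def compare_boot_code(sector, baseline_sha256):
    """True if the boot code region matches a known-good hash for this disk."""
    return parse_mbr(sector)["boot_code_sha256"] == baseline_sha256


if __name__ == "__main__":
    # usage: python mbr_check.py mbr.bin [baseline_sha256]
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    info = parse_mbr(data)
    print("disk signature :", info["disk_signature"])
    print("boot code sha256:", info["boot_code_sha256"])
    for p in info["partitions"]:
        flag = "*" if p["bootable"] else " "
        print(f" {flag} #{p['index']} type=0x{p['type']:02X} "
              f"lba={p['lba_start']} sectors={p['sectors']}")
    if len(sys.argv) > 2:
        print("boot code matches baseline:", compare_boot_code(data, sys.argv[2]))
```

Record the boot-code hash from a clean image of the same Windows version once, then running the script against each `mbr.bin` you pull off a suspect machine gives a yes/no answer on whether the boot code has been replaced; an unchanged partition table next to a changed boot-code hash is the pattern to look for.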