Gamarue
SHA256:
f09c17cbb207c3b8a35773e264688978a367c7974a0e49c1a198b2d5a91624aa
File name:
Fax-transmission.exe
https://www.virustotal.com/file/f09c17c ... /analysis/
A forum for reverse engineering, OS internals and malware analysis
Attachments
(34.17 KiB) Downloaded 81 times
Attachments
(33.79 KiB) Downloaded 81 times
Samples:
Attachments
Password is "infected" without quotes
(17.73 KiB) Downloaded 75 times
(17.73 KiB) Downloaded 75 times
Password is "infected" without quotes
(17.71 KiB) Downloaded 75 times
(17.71 KiB) Downloaded 75 times
Password is "infected" without quotes
(31.2 KiB) Downloaded 80 times
(31.2 KiB) Downloaded 80 times
Hello,
I've receive this sample:
MD5: a393c059e5269784b58ee1742f50555a
SHA1: f819821e158fb4aee7f7c2cd824988504134355a
SHA256: 5ff4b976bdb3fee6a28102e31fd887dc966ce7879043c62e5d68f89d3ef16c96
https://www.virustotal.com/file/5ff4b97 ... /analysis/
I don't how I can atach the file here, but if anyone want it, I'll send it via email.
The binary seams to be crypted/packed with Small polymorphic crypter, but I can't unpacked it, can someone help me to unpack it please.
I have sea some anti debuggin implementations, but there are somthing more, and I don't sea it.
Help please.
Thanks in advance.
I've receive this sample:
MD5: a393c059e5269784b58ee1742f50555a
SHA1: f819821e158fb4aee7f7c2cd824988504134355a
SHA256: 5ff4b976bdb3fee6a28102e31fd887dc966ce7879043c62e5d68f89d3ef16c96
https://www.virustotal.com/file/5ff4b97 ... /analysis/
I don't how I can atach the file here, but if anyone want it, I'll send it via email.
The binary seams to be crypted/packed with Small polymorphic crypter, but I can't unpacked it, can someone help me to unpack it please.
I have sea some anti debuggin implementations, but there are somthing more, and I don't sea it.
Help please.
Thanks in advance.
SeT[X] wrote:Hello,
I've receive this sample:
MD5: a393c059e5269784b58ee1742f50555a
SHA1: f819821e158fb4aee7f7c2cd824988504134355a
SHA256: 5ff4b976bdb3fee6a28102e31fd887dc966ce7879043c62e5d68f89d3ef16c96
https://www.virustotal.com/file/5ff4b97 ... /analysis/
I don't how I can atach the file here, but if anyone want it, I'll send it via email.
The binary seams to be crypted/packed with Small polymorphic crypter, but I can't unpacked it, can someone help me to unpack it please.
I have sea some anti debuggin implementations, but there are somthing more, and I don't sea it.
Help please.
Thanks in advance.
Please compress this file with password "infected" and attach using:
Win32:Virut wrote:Thanks, this is it.SeT[X] wrote:Hello,
I've receive this sample:
MD5: a393c059e5269784b58ee1742f50555a
SHA1: f819821e158fb4aee7f7c2cd824988504134355a
SHA256: 5ff4b976bdb3fee6a28102e31fd887dc966ce7879043c62e5d68f89d3ef16c96
https://www.virustotal.com/file/5ff4b97 ... /analysis/
I don't how I can atach the file here, but if anyone want it, I'll send it via email.
The binary seams to be crypted/packed with Small polymorphic crypter, but I can't unpacked it, can someone help me to unpack it please.
I have sea some anti debuggin implementations, but there are somthing more, and I don't sea it.
Help please.
Thanks in advance.
Attachments
(33.75 KiB) Downloaded 100 times
Hi first post here,
Thanks for the sample attached above. The crypter used for this is not hard at all to unpack. Heck, I managed to do it, without even setting any anti-debug options.
Once the crypter layer has been bypassed, its the same old Andromeda binary. When you see OpenMutex with 'lol' as a parameter, thats the original Gamarue/Andro binary.
Thanks for the sample attached above. The crypter used for this is not hard at all to unpack. Heck, I managed to do it, without even setting any anti-debug options.
Once the crypter layer has been bypassed, its the same old Andromeda binary. When you see OpenMutex with 'lol' as a parameter, thats the original Gamarue/Andro binary.
this one dropps also a zbot
Attachments
(26.69 KiB) Downloaded 88 times
I saw a double infectionwhich utilize the Trojan/Andromeda.
Nature of infection: t was served in Apache's infector od Blackhole v2.1
The double payloads downloaded via a faking Java u11 updater.
Infection related data in the below details:
The info.exe is trojan/Andromeda. It drops itself:
Making registry autorun:
And opening TCP/IP:Port 0.0.0.0:8000 as backdoor:
Anti-VM trace, Fake JavaUpdate traces also detected in memory:
Although many AV products mentioned it as downloader, I run it for 12 hrs with capturing network traffic, other than backdoor at 0.0.0.0:8000 this trojan doesn't do downloads, or at least not yet.
It came in pair with calc.exe which I suspect it as the ransomware.
(I am sorry if this thread is not about ransomware, but allow me to wrote as explanation of Andromeda nature of this infection)
After self copied, self deletion and self executable...
More registry changes occured:
log:
Inside the log:
https://lh3.googleusercontent.com/-SqNC ... 44/014.jpg
Tried to XOR even translate it but no luck, not yet...
(Identifier file was in the pic above registry changes data)
In this ifgxtray.exe memory I saw the CnC information:
It looks detecting the browsers:
The sample I share, here: http://www.mediafire.com/?nbaaur1unj8abim
Please kindly help to register the samples into the known AV products since the detection ratio still too low..
I'm still in the middle of investigating the case, but you can have more information about the -
investigation and additional downloads like PCAP files, memory dumps and others download data of this case in here: http://malwaremustdie.blogspot.jp/2013/ ... kdoor.html
#MalwareMUSTdie
Nature of infection: t was served in Apache's infector od Blackhole v2.1
The double payloads downloaded via a faking Java u11 updater.
Infection related data in the below details:
Code: Select all
Set of samples captured: (info.exe = Trojan/Andromeda)Redirector: digitalcurrencyreport.com (109.163.230.125)
Exploit kit: http://mongif.biz/assumed/timing_borrows.php (46.166.169.179)
Cnc: wordpress.serveblog.net:3360 (46.253.180.35)The info.exe is trojan/Andromeda. It drops itself:
Making registry autorun:
Code: Select all
Self injection to other process:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched: "C:\Documents and Settings\All Users\svchost.exe"
And opening TCP/IP:Port 0.0.0.0:8000 as backdoor:
Anti-VM trace, Fake JavaUpdate traces also detected in memory:
Although many AV products mentioned it as downloader, I run it for 12 hrs with capturing network traffic, other than backdoor at 0.0.0.0:8000 this trojan doesn't do downloads, or at least not yet.
It came in pair with calc.exe which I suspect it as the ransomware.
(I am sorry if this thread is not about ransomware, but allow me to wrote as explanation of Andromeda nature of this infection)
After self copied, self deletion and self executable...
Code: Select all
PID: 3140 [PATH]\calc.exe ADDR: 0x87021b
CopyFileA(lpExistingFileName: "[PATH]\calc.exe",
lpNewFileName: "%AppData%\igfx\igfxtray.exe",
bFailIfExists: 0x0)More registry changes occured:
Code: Select all
following by the creation of the malicious log file and identification file:----------------------------------
Keys added:
----------------------------------
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{SG16VPH3-6PN7-VTP0-6V64-104BV7F3IRAF}
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.Identifier
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.Identifier\OpenWithList
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\6
----------------------------------
Values added:
----------------------------------
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{SG16VPH3-6PN7-VTP0-6V64-104BV7F3IRAF}\StubPath: ""C:\Documents and Settings\USER\Application Data\igfx\igfxtray.exe""
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run\igfxtray: "C:\Documents and Settings\USER\Application Data\igfx\igfxtray.exe"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\USER\Application Data\igfx\igfxtray.exe: "Pagent Show"
----------------------------------
Values deleted:
----------------------------------
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\14: 30 00 31 00 30 00 2E 00 62 00 6D 00 70 00 00 00 3C 00 32 00 00 00 00 00 00 00 00 00 00 00 30 31 30 2E 6C 6E 6B 00 26 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 30 00 31 00 30 00 2E 00 6C 00 6E 00 6B 00 00 00 16 00 00 00
----------------------------------
Values modified:
----------------------------------
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 02 00 00 00 1E 00 00 00 E0 FD F4 9E 68 F6 CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 02 00 00 00 20 00 00 00 00 65 59 10 6B F6 CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 02 00 00 00 3F 00 00 00 20 49 41 9F 68 F6 CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 02 00 00 00 41 00 00 00 D0 E8 6E 10 6B F6 CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:::{450Q8SON-NQ25-11Q0-98N8-0800361O1103}: 01 00 00 00 06 00 00 00 60 85 99 AA 71 A4 CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:::{450Q8SON-NQ25-11Q0-98N8-0800361O1103}: 02 00 00 00 07 00 00 00 C0 38 E9 E7 6A F6 CD 01log:
Inside the log:
https://lh3.googleusercontent.com/-SqNC ... 44/014.jpg
Tried to XOR even translate it but no luck, not yet...
(Identifier file was in the pic above registry changes data)
In this ifgxtray.exe memory I saw the CnC information:
Code: Select all
The traffic below is the PoC of this CnC:CnC:
wordpress.serveblog.net:3360
Methods:
FCONNECT %s:%d HTTP/1.0
http://%s%s
GET %s HTTP/1.1
Host: %s
Connection: closeIt looks detecting the browsers:
Code: Select all
And the below looks like credential stealer to me...
%s\Mozilla\Firefox\profiles.ini
%s\Mozilla\Firefox\%s
%s\Thunderbird\profiles.ini
%s\Thunderbird\%s
%s\Mozilla\SeaMonkey\profiles.ini
%s\Mozilla\SeaMonkey\%s
%s\Opera\Opera\wand.dat
%s\Opera\Opera\profile\wand.datCode: Select all
The below trace looks like the log format..
WindowsLive:name=*
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Email
POP3 User
POP3 Server
POP3 Password
IMAP User
IMAP Server
IMAP Password
HTTP User
HTTP Server
HTTP Password
SMTP User
SMTP Server
SMTP Password
%c%c%S
abe2869f-9b47-4cd9-a358-c22904dba7f7
Software\Microsoft\Internet Explorer\IntelliForms\Storage2
index.dat
History
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
%s\Google\Chrome\User Data\Default\Login Data
%s\Chromium\User Data\Default\Login Data
localhost
USERNAMECode: Select all
Research Materials/ Samples Download:%s.Identifier
%Rand%
%d:0:0:%s\%s;
%d:%I64u:0:%s\%s;
%c%I64u
%llu
%s%.2d-%.2d-%.4d
[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]The sample I share, here: http://www.mediafire.com/?nbaaur1unj8abim
Please kindly help to register the samples into the known AV products since the detection ratio still too low..
I'm still in the middle of investigating the case, but you can have more information about the -
investigation and additional downloads like PCAP files, memory dumps and others download data of this case in here: http://malwaremustdie.blogspot.jp/2013/ ... kdoor.html
#MalwareMUSTdie