A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #16168  by Cody Johnston
 Fri Oct 19, 2012 7:55 pm
Whenever I see lsass.exe when used with Reveton, it is not infected. It is just rundll32.exe renamed so that an untrained eye cannot pick it up in the startup. If you open up the properties of the file, you will see that it still even says "Run Dll as an app" in the description. In my cases, it is still running exe/dll from the %temp% dir. Check properties of ctfmon shortcut to verify next time you see it. You will see that it starts up lsass.exe in the same way that rundll32.exe is invoked, then starts the file from %temp% with an argument.
 #16169  by markusg
 Fri Oct 19, 2012 7:57 pm
But perhaps lsass.exe is used to load the malware; all copies I get of lsass.exe are only removed to the new folder and are clean.
Is this a PC you have at home, or is it in a forum? If yes, can you perhaps post the link?
 #16172  by Cody Johnston
 Fri Oct 19, 2012 8:27 pm
Same lsass.exe attached in my previous post here:

http://www.kernelmode.info/forum/viewto ... 230#p15770

New analysis report on VT from today for lsass.exe:

https://www.virustotal.com/file/dee53d6 ... 350677994/

SHA256:
dee53d6d332dadd40c0ce34a425a6c0781f611765dcd4299d869f2b1ee80ae66

Here is report from rundll32.exe on clean XP install:

https://www.virustotal.com/file/dee53d6 ... 350678239/

SHA256:
dee53d6d332dadd40c0ce34a425a6c0781f611765dcd4299d869f2b1ee80ae66

They are the same SHA256/same file. Reveton guys are too lazy to forge a file. AFAIK (according to Xylitol), these guys use free web hosting even.
 #16173  by thisisu
 Fri Oct 19, 2012 8:54 pm
User posted new logs:
Code:
[RUN][SUSP PATH] HKUS\S-1-5-21-4195540046-1241745021-4260514785-1007_Classes[...]\Run : AppleData (rundll32.exe "C:\Users\<username>\AppData\Local\Apple\AppleData\Appledata.dll",DllRegisterServer) -> DELETED
[TASK][SUSP PATH] At73 : C:\ProgramData\bu3s24Ex.exe_ -> DELETED
There is the DLL that was not revealed. At least the registry reference to it. Should find out if it's actually still on system in later logs.

I'm pretty sure the bu3s24Ex.exe_ file was used in conjunction with all the At*.job tasks. - Not related IMO
 #16174  by Quads
 Sat Oct 20, 2012 12:35 am
Thisisu

You stay confused, gives you something to think about.

It is easy to work out that the .exe is a legit file just copied, as I said before; in the archive I even gave a copy of ctfmon which shows the target file for the ransom

C:\ProgramData\lsass.exe C:\Users\[username]\AppData\Local\Temp\ctfmon.dll,GOF1

Also the FRST.txt shows the user has used tools between being infected and the use of FRST, meaning these other tools may have or probably took objects which would have made things look different than usual

Quads
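A defender-side check for the pattern discussed in this thread (a copied rundll32.exe renamed to lsass.exe in ProgramData, launching a DLL from Temp with an export name), written here as an added Python example that is not from the forum. The byte-for-byte comparison assumes you supply the contents of a trusted rundll32.exe from a clean install; the sample command lines are constructed from the ones quoted above.

```python
import hashlib
import re
from pathlib import PureWindowsPath

# rundll32-style argument: "<path>.dll,<ExportName>" (path optionally quoted)
RUNDLL_ARG = re.compile(r'^"?(?P<dll>[^",]+\.dll)"?,(?P<export>\w+)', re.IGNORECASE)
# Folders a user-writable dropper typically lands in (compared case-insensitively)
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\programdata")


def split_command(cmd):
    """Split a Run/shortcut/task command line into (exe_path, argument string)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.index('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    exe, _, rest = cmd.partition(" ")
    return exe, rest.strip()


def in_user_writable(path):
    low = path.lower()
    return any(d in low for d in USER_WRITABLE)


def classify_run_entry(cmd):
    """Return the findings for one command line; an empty list means nothing matched."""
    exe, args = split_command(cmd)
    exe_name = PureWindowsPath(exe).name.lower()
    findings = []
    m = RUNDLL_ARG.match(args)
    # The real lsass.exe lives only in System32 and takes no DLL,export argument.
    if exe_name == "lsass.exe" and not exe.lower().endswith(r"\system32\lsass.exe"):
        findings.append("lsass.exe outside System32")
    if m and exe_name != "rundll32.exe":
        findings.append("rundll32-style DLL,export argument under a non-rundll32 name")
    if m and in_user_writable(m.group("dll")):
        findings.append("loaded DLL lives in a user-writable folder")
    return findings


def is_renamed_copy(candidate_bytes, trusted_bytes):
    """True if the candidate is byte-identical (same SHA256) to the trusted rundll32.exe."""
    return hashlib.sha256(candidate_bytes).digest() == hashlib.sha256(trusted_bytes).digest()


if __name__ == "__main__":
    # Constructed sample: the ctfmon shortcut target quoted in this thread.
    sample = r"C:\ProgramData\lsass.exe C:\Users\[username]\AppData\Local\Temp\ctfmon.dll,GOF1"
    for finding in classify_run_entry(sample):
        print("SUSPICIOUS:", finding)
```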
 #16199  by Quads
 Mon Oct 22, 2012 1:39 am
I notice this showing up with the FBI ransomware also

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No (at times states Yes instead)

There is no volume associated with this partition.
Partition 3 Primary 11 GB 454 GB


YUM, something deeper

Quads
 #16221  by Quads
 Mon Oct 22, 2012 11:52 pm
Both the systems are indeed Toshiba, fancy that

I also used OTL without touching the TEMP folders, and afterwards it also shows the ransom .dll located in C:\Users\[username]\AppData\Local\Temp\rundll32.dll, for info purposes.

OTL and FRST don't list files created / modified if they are in the temp folders otherwise the lists could get rather long.

Quads