
Hey,

Found this on my USB so I am guessing it's not a very dangerous virus.

I haven't sent it to any online AV checkers simply because I am not bothered.

If anyone wants to practise, I have zipped the unedited binaries.

password: infected

usb_malware_sample.rar

Edited by GEEK

  • 2 weeks later...

Has anyone analyzed this malware?

  • 3 weeks later...

Working on it. I just started reverse engineering so I'm a bit new.

Yeah, I'd suggest running it in a VM. It's pretty heavy.

recycler.exe

autorun.exe

These two look like the same old new folder.exe.

  • 1 month later...

Another one, but basically a script; the autorun.inf is interesting.

Password: donttouch

Sorry, forgot to attach the file.

Don't Touch.zip

  • 3 weeks later...

@hackerbit: Here you go:

Process injected! PID: 3328

PID: 3328, All hooks are now in place!

PID: 3328, 0x7C801DA8: LoadLibraryA/ExA(file: ADVAPI32.dll, flags: 00000000)

PID: 3328, 0x7C801DA8: LoadLibraryA/ExA(file: USER32.dll, flags: 00000000)

PID: 3328, 0x7C801DA8: LoadLibraryA/ExA(file: KERNEL32.DLL, flags: 00000000)

PID: 3328, 0x7C801DA8: LoadLibraryA/ExA(file: ADVAPI32.dll, flags: 00000000)

PID: 3328, 0x7C801DA8: LoadLibraryA/ExA(file: USER32.dll, flags: 00000000)

PID: 3328, 0x004A2095: GetKeyboardState()

PID: 3328, -- Keylogging attempt detected!

PID: 3328, 0x004A20E6: OpenSCManagerA(machName: (null), dbName: (null), access: 000F003F) -> h:0025BB28

PID: 3328, 0x004A1E57: CreateFileA(file: C:\WINDOWS\system32\drivers\ntfs.sys, OPEN_EXISTING)

PID: 3328, -- CreateFileA result - fHandle: 00000730

PID: 3328, 0x4F444E49: ReadFile(file: C:\WINDOWS\system32\drivers\ntfs.sys, tHandle: 00000730, numBytes: 0x0008C600)

PID: 3328, 0x004A1BAC: RegOpenKeyExA(key: HKEY_LOCAL_MACHINE, subkey: SOFTWARE\KasperskyLab\protected\AVP7\profiles\Updater) -> FAIL

PID: 3328, 0x77E84B92: CreateFileW(file: \\.\PIPE\lsarpc, OPEN_EXISTING)

PID: 3328, -- CreateFileW result - fHandle: 0000071C

PID: 3328, 0x004A12E0: AdjustTokenPrivileges()

PID: 3328, 0x004A19F6: CreateFileA(file: C:\WINDOWS\system32\drivers\klif.sys, CREATE_ALWAYS)

PID: 3328, -- CreateFileA result - fHandle: 0000071C

PID: 3328, 0x004A1A13: WriteFile(tHandle: 0000071C)

PID: 3328, 0x7C801DA8: LoadLibraryA/ExA(file: ntdll.dll, flags: 00000000)

PID: 3328, 0x004A13BB: RegCreateKeyA(key: HKEY_LOCAL_MACHINE, subkey: System\CurrentControlSet\Services\KAVsys) -> SUCCESS

PID: 3328, 0x004A13E9: RegSetValueExA(keyHandle: 0000071C, valueName: Type, data: ) -> SUCCESS

PID: 3328, 0x004A13FD: RegSetValueExA(keyHandle: 0000071C, valueName: ErrorControl, data: ) -> SUCCESS

PID: 3328, 0x004A1411: RegSetValueExA(keyHandle: 0000071C, valueName: Start, data: ) -> SUCCESS

PID: 3328, 0x004A1456: RegSetValueExA(keyHandle: 0000071C, valueName: ImagePath, data: \??\C:\WINDOWS\system32\drivers\klif.sys) -> SUCCESS

PID: 3328, 0x004A14C7: RegDeleteKeyA(key: HKEY_LOCAL_MACHINE, subkey: System\CurrentControlSet\Services\KAVsys\Enum) -> SUCCESS

PID: 3328, 0x004A14EC: RegDeleteKeyA(key: HKEY_LOCAL_MACHINE, subkey: System\CurrentControlSet\Services\KAVsys\Security) -> FAIL

PID: 3328, 0x004A1511: RegDeleteKeyA(key: HKEY_LOCAL_MACHINE, subkey: System\CurrentControlSet\Services\KAVsys) -> SUCCESS

PID: 3328, 0x004A1A3D: DeleteFileA(file: C:\WINDOWS\system32\drivers\klif.sys)

PID: 3328, 0x004A1BAC: RegOpenKeyExA(key: HKEY_LOCAL_MACHINE, subkey: SOFTWARE\KasperskyLab\protected\AVP7\profiles\Updater) -> FAIL

PID: 3328, 0x7C801DA8: LoadLibraryA/ExA(file: KERNEL32.DLL, flags: 00000000)

PID: 3328, 0x7C801DA8: LoadLibraryA/ExA(file: USER32.dll, flags: 00000000)

PID: 3328, 0x7C801DA8: LoadLibraryA/ExA(file: ADVAPI32.dll, flags: 00000000)

PID: 3328, 0x004014CB: CreateFileA(file: C:\WINDOWS\explorer.exe, OPEN_EXISTING)

PID: 3328, -- CreateFileA result - fHandle: 0000071C

PID: 3328, 0x7C81F2C6: GetFileAttributesW(C:\Documents and Settings\SunBeam\Desktop\1.exe)

PID: 3328, 0x7C81F2C6: GetFileAttributesW(C:\WINDOWS\system32\)

PID: 3328, 0x004016BE: DeleteFileA(file: C:\WINDOWS\system32\ckvo.exe)

PID: 3328, 0x00401A7A: SetFileAttributesA(file: C:\WINDOWS\system32\ckvo.exe, attrs: 00000080)

PID: 3328, 0x004016E0: CopyFileA(existing: C:\DOCUME~1\SunBeam\Desktop\1.exe, new: C:\WINDOWS\system32\ckvo.exe, overwrite: 00000000)

PID: 3328, 0x00401A7A: SetFileAttributesA(file: C:\WINDOWS\system32\ckvo.exe, attrs: 00000007)

PID: 3328, 0x00401A7A: SetFileAttributesA(file: C:\WINDOWS\system32\ckvo0.dll, attrs: 00000080)

PID: 3328, 0x004017D2: DeleteFileA(file: C:\WINDOWS\system32\ckvo0.dll)

PID: 3328, 0x004017EA: CreateFileA(file: C:\WINDOWS\system32\ckvo0.dll, CREATE_ALWAYS)

PID: 3328, -- CreateFileA result - fHandle: 00000718

PID: 3328, 0x00401A7A: SetFileAttributesA(file: C:\WINDOWS\system32\ckvo0.dll, attrs: 00000007)

PID: 3328, 0x7C8106F5: CreateRemoteThread(tHandle: FFFFFFFF, nHandle: 00000718, startAddr: 00401DB4, flags: 00000000)

PID: 3328, 0x00401EB9: PostMessageA(tHandle: 00000000, Msg: WM_CLOSE)

PID: 3328, 0x7C8106F5: CreateRemoteThread(tHandle: FFFFFFFF, nHandle: 00000718, startAddr: 00401D17, flags: 00000000)

PID: 3328, 0x00401AA0: RegOpenKeyExA(key: HKEY_CURRENT_USER, subkey: SoftWare\Microsoft\Windows\CurrentVersion\Run) -> SUCCESS

PID: 3328, --- handle: 00000718

PID: 3328, 0x00401ABB: RegSetValueExA(keyHandle: 00000718, valueName: kamsoft, data: C:\WINDOWS\system32\ckvo.exe) -> SUCCESS

PID: 3328, 0x0040196D: OpenProcess(procID: 1792, access: 001F0FFF)

PID: 3328, --- handle 0000071C

PID: 3328, 0x00401984: VirtualAllocEx(tHandle: 0000071C, startAddr: 0, size: 00001000)

PID: 3328, 0x0040199D: WriteProcessMemory(tHandle: 0000071C, bytes: 0x00000457, buffer(dll?): è)

PID: 3328, 0x00401EB9: PostMessageA(tHandle: 00000000, Msg: WM_CLOSE)

PID: 3328, 0x00401A27: CreateRemoteThread(tHandle: 0000071C, nHandle: 00000718, startAddr: 049B0000, flags: 00000000)

PID: 3328, 0x00401A62: ExitProcess(exitcode: 0)

[Termination] PID 3328 has terminated!

Get these:

- Process Explorer - kill the new thread the process made in explorer.exe (you'll find it's assigned to ckvo.exe) ;-)

- kOuD3LkA Restrictions Remover v1.0 - will enable folder options, task manager and registry tools, and fix "show hidden files" and "show protected operating system files".

Then open up regedit and delete that "kamsoft" key the program put in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

Once that is done, just delete ckvo.exe and ckvo0.dll from system32.

Delete autorun.inf and rs.cmd from all your partitions (mind they are hidden and have the 'system file' attribute set) ;-)

Cheers,

Sun

P.S.: Note that the .dll file will fail to be deleted since it's injected in most processes running on your OS. Either unload it from every .exe by searching for its module, or just reboot and then delete it afterward.

Edited by SunBeam
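The trace above and the cleanup steps after it can be read mechanically. As an added example that is not part of this thread and not MalTrap's own code, the Python script below parses lines in the `PID: n, 0xADDR: Api(args) -> result` shape shown above, decodes the `SetFileAttributesA` bit flags, flags the behaviours a defender cares about (keylogging, Run-key persistence, a driver service pointing at the dropped klif.sys, files dropped and hidden in system32, and the OpenProcess / VirtualAllocEx / WriteProcessMemory / CreateRemoteThread sequence into another process) and turns the findings into a cleanup checklist matching SunBeam's steps. The `TRACE` constant is a constructed subset of the posted log; the rule names, the function names and the heuristic of attributing each `RegSetValueExA` to the most recently opened or created key are my own assumptions, not anything MalTrap does.

```python
"""Behavioural triage of a MalTrap-style API trace (added example, not the
thread's or MalTrap's own code).  Parses "PID: n, 0xADDR: Api(args) -> result"
lines, flags defender-relevant behaviours and derives a cleanup checklist."""
import re
from collections import defaultdict

# Constructed sample: a subset of the log posted in this thread, paths and
# handles as they appear there.  Lines in any other shape are skipped.
TRACE = r"""
PID: 3328, 0x004A2095: GetKeyboardState()
PID: 3328, -- Keylogging attempt detected!
PID: 3328, 0x004A1E57: CreateFileA(file: C:\WINDOWS\system32\drivers\ntfs.sys, OPEN_EXISTING)
PID: 3328, 0x004A13BB: RegCreateKeyA(key: HKEY_LOCAL_MACHINE, subkey: System\CurrentControlSet\Services\KAVsys) -> SUCCESS
PID: 3328, 0x004A1456: RegSetValueExA(keyHandle: 0000071C, valueName: ImagePath, data: \??\C:\WINDOWS\system32\drivers\klif.sys) -> SUCCESS
PID: 3328, 0x004016E0: CopyFileA(existing: C:\DOCUME~1\SunBeam\Desktop\1.exe, new: C:\WINDOWS\system32\ckvo.exe, overwrite: 00000000)
PID: 3328, 0x00401A7A: SetFileAttributesA(file: C:\WINDOWS\system32\ckvo.exe, attrs: 00000007)
PID: 3328, 0x7C8106F5: CreateRemoteThread(tHandle: FFFFFFFF, nHandle: 00000718, startAddr: 00401DB4, flags: 00000000)
PID: 3328, 0x00401AA0: RegOpenKeyExA(key: HKEY_CURRENT_USER, subkey: SoftWare\Microsoft\Windows\CurrentVersion\Run) -> SUCCESS
PID: 3328, 0x00401ABB: RegSetValueExA(keyHandle: 00000718, valueName: kamsoft, data: C:\WINDOWS\system32\ckvo.exe) -> SUCCESS
PID: 3328, 0x0040196D: OpenProcess(procID: 1792, access: 001F0FFF)
PID: 3328, 0x00401984: VirtualAllocEx(tHandle: 0000071C, startAddr: 0, size: 00001000)
PID: 3328, 0x0040199D: WriteProcessMemory(tHandle: 0000071C, bytes: 0x00000457, buffer(dll?): è)
PID: 3328, 0x00401A27: CreateRemoteThread(tHandle: 0000071C, nHandle: 00000718, startAddr: 049B0000, flags: 00000000)
"""

LINE = re.compile(r"^PID: (?P<pid>\d+), 0x(?P<addr>[0-9A-Fa-f]{8}): "
                  r"(?P<api>\w+)\((?P<args>.*)\)(?: -> (?P<result>\w+))?$")

# Win32 FILE_ATTRIBUTE_* bits as passed to SetFileAttributes.
FILE_ATTRS = {0x1: "READONLY", 0x2: "HIDDEN", 0x4: "SYSTEM",
              0x10: "DIRECTORY", 0x20: "ARCHIVE", 0x80: "NORMAL"}


def parse_args(text):
    """Split 'name: value, name: value, FLAG' into a dict and positional flags."""
    named, positional = {}, []
    for part in text.split(", "):
        if ": " in part:
            key, value = part.split(": ", 1)
            named[key] = value
        elif part:
            positional.append(part)
    return named, positional


def decode_attrs(hexstr):
    value = int(hexstr, 16)
    return [name for bit, name in sorted(FILE_ATTRS.items()) if value & bit]


def triage(trace):
    """Return {behaviour: [details]} for the defender-relevant calls in the trace."""
    findings = defaultdict(list)
    current_key = None   # heuristic: RegSetValueEx goes to the last opened/created key
    injected = {}        # target process handle -> {"VirtualAllocEx", "WriteProcessMemory"}
    for line in trace.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        api, result = m["api"], m["result"]
        named, positional = parse_args(m["args"])
        if api in ("GetKeyboardState", "GetAsyncKeyState"):
            findings["keylogging"].append(api)
        elif api in ("RegOpenKeyExA", "RegCreateKeyA"):
            current_key = f"{named['key']}\\{named['subkey']}" if result == "SUCCESS" else None
        elif api == "RegSetValueExA" and current_key:
            value, data = named.get("valueName"), named.get("data", "")
            if current_key.lower().endswith("\\run"):
                findings["run_key_persistence"].append(f"{current_key}\\{value} = {data}")
            elif "\\services\\" in current_key.lower() and value == "ImagePath":
                findings["service_install"].append(f"{current_key} -> {data}")
        elif api == "CopyFileA" or (api == "CreateFileA" and "CREATE_ALWAYS" in positional):
            dest = named.get("new") or named.get("file", "")   # opening ntfs.sys read-only is not a drop
            if "\\system32\\" in dest.lower():
                findings["drop_to_system32"].append(dest)
        elif api == "SetFileAttributesA":
            attrs = decode_attrs(named["attrs"])
            if "HIDDEN" in attrs and "SYSTEM" in attrs:
                findings["hide_file"].append(f"{named['file']} [{'|'.join(attrs)}]")
        elif api in ("VirtualAllocEx", "WriteProcessMemory"):
            injected.setdefault(named["tHandle"], set()).add(api)
        elif api == "CreateRemoteThread":
            target = named["tHandle"]
            # FFFFFFFF is the GetCurrentProcess() pseudo-handle: a thread in the
            # malware's own process.  Only a remote handle that was first
            # allocated and written to counts as injection into another process.
            if target != "FFFFFFFF" and {"VirtualAllocEx", "WriteProcessMemory"} <= injected.get(target, set()):
                findings["remote_thread_injection"].append(f"handle {target} entry {named['startAddr']}")
    return dict(findings)


def cleanup_checklist(findings):
    """Registry values, service keys and files to remove, in the order SunBeam gives."""
    steps = [f"Delete registry value: {item.split(' = ')[0]}"
             for item in findings.get("run_key_persistence", [])]
    steps += [f"Delete service key: {item.split(' -> ')[0]}"
              for item in findings.get("service_install", [])]
    steps += [f"Clear hidden/system attributes, then delete: {path}"
              for path in sorted(set(findings.get("drop_to_system32", [])))]
    return steps


if __name__ == "__main__":
    result = triage(TRACE)
    for behaviour, details in result.items():
        print(behaviour, details)
    print("\n".join(cleanup_checklist(result)))
```

On the posted trace this reports the keylogging call, the KAVsys service whose ImagePath is the dropped klif.sys, the copy of 1.exe to system32\ckvo.exe with READONLY|HIDDEN|SYSTEM set, the kamsoft Run value, and exactly one injection: the CreateRemoteThread on handle 0000071C, which is the explorer.exe handle from OpenProcess(procID: 1792). The two CreateRemoteThread calls on FFFFFFFF are threads in the malware's own process and are deliberately not counted, which is why SunBeam's advice is to kill the one new thread in explorer.exe. A real trace would need the handle-to-key mapping from the "--- handle:" lines rather than the last-opened-key heuristic used here.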

  • 5 months later...

Hi SunBeam,

I am wondering what tool you used to do the analysis that automatically created a list of all the APIs called (with results, too) by the malware above?

Thanks,

N

Looks like MAtrap?

Either that or try APISpy or WinAPIOverride

Could you please tell me where to get the MAtrap and APISpy?

I googled, but it either returned useless (MAtrap), or too much unrelated information (APISpy).

Thanks,

N

Sorry, that should have been MalTrap... both are available on this forum via the search button (in the tools forum).

  • 2 months later...

Hey, sorry, I can't find MAtrap in this forum. Can you link me please?

  • 2 months later...

Yeah, MalTrap doesn't seem bad. I saw the educational video on its injecting... anyone know how it works?

Is it using the SetWindowsHookEx API?
