Tuts 4 You

Malware sample for practice


GEEK


Hey,

Found this on my USB, so I am guessing it's not a very dangerous virus.

I have sent it to any online AV checkers simply because I am not bothered.

If anyone wants to practise, I have zipped the unedited binaries.

password: infected

usb_malware_sample.rar

Edited by GEEK

@hackerbit: Here you go:

Process injected! PID: 3328
PID: 3328, All hooks are now in place!
PID: 3328, 0x7C801DA8: LoadLibraryA/ExA(file: ADVAPI32.dll, flags: 00000000)
PID: 3328, 0x7C801DA8: LoadLibraryA/ExA(file: USER32.dll, flags: 00000000)
PID: 3328, 0x7C801DA8: LoadLibraryA/ExA(file: KERNEL32.DLL, flags: 00000000)
PID: 3328, 0x7C801DA8: LoadLibraryA/ExA(file: ADVAPI32.dll, flags: 00000000)
PID: 3328, 0x7C801DA8: LoadLibraryA/ExA(file: USER32.dll, flags: 00000000)
PID: 3328, 0x004A2095: GetKeyboardState()
PID: 3328, -- Keylogging attempt detected!
PID: 3328, 0x004A20E6: OpenSCManagerA(machName: (null), dbName: (null), access: 000F003F) -> h:0025BB28
PID: 3328, 0x004A1E57: CreateFileA(file: C:\WINDOWS\system32\drivers\ntfs.sys, OPEN_EXISTING)
PID: 3328, -- CreateFileA result - fHandle: 00000730
PID: 3328, 0x4F444E49: ReadFile(file: C:\WINDOWS\system32\drivers\ntfs.sys, tHandle: 00000730, numBytes: 0x0008C600)
PID: 3328, 0x004A1BAC: RegOpenKeyExA(key: HKEY_LOCAL_MACHINE, subkey: SOFTWARE\KasperskyLab\protected\AVP7\profiles\Updater) -> FAIL
PID: 3328, 0x77E84B92: CreateFileW(file: \\.\PIPE\lsarpc, OPEN_EXISTING)
PID: 3328, -- CreateFileW result - fHandle: 0000071C
PID: 3328, 0x004A12E0: AdjustTokenPrivileges()
PID: 3328, 0x004A19F6: CreateFileA(file: C:\WINDOWS\system32\drivers\klif.sys, CREATE_ALWAYS)
PID: 3328, -- CreateFileA result - fHandle: 0000071C
PID: 3328, 0x004A1A13: WriteFile(tHandle: 0000071C)
PID: 3328, 0x7C801DA8: LoadLibraryA/ExA(file: ntdll.dll, flags: 00000000)
PID: 3328, 0x004A13BB: RegCreateKeyA(key: HKEY_LOCAL_MACHINE, subkey: System\CurrentControlSet\Services\KAVsys) -> SUCCESS
PID: 3328, 0x004A13E9: RegSetValueExA(keyHandle: 0000071C, valueName: Type, data: ) -> SUCCESS
PID: 3328, 0x004A13FD: RegSetValueExA(keyHandle: 0000071C, valueName: ErrorControl, data: ) -> SUCCESS
PID: 3328, 0x004A1411: RegSetValueExA(keyHandle: 0000071C, valueName: Start, data: ) -> SUCCESS
PID: 3328, 0x004A1456: RegSetValueExA(keyHandle: 0000071C, valueName: ImagePath, data: \??\C:\WINDOWS\system32\drivers\klif.sys) -> SUCCESS
PID: 3328, 0x004A14C7: RegDeleteKeyA(key: HKEY_LOCAL_MACHINE, subkey: System\CurrentControlSet\Services\KAVsys\Enum) -> SUCCESS
PID: 3328, 0x004A14EC: RegDeleteKeyA(key: HKEY_LOCAL_MACHINE, subkey: System\CurrentControlSet\Services\KAVsys\Security) -> FAIL
PID: 3328, 0x004A1511: RegDeleteKeyA(key: HKEY_LOCAL_MACHINE, subkey: System\CurrentControlSet\Services\KAVsys) -> SUCCESS
PID: 3328, 0x004A1A3D: DeleteFileA(file: C:\WINDOWS\system32\drivers\klif.sys)
PID: 3328, 0x004A1BAC: RegOpenKeyExA(key: HKEY_LOCAL_MACHINE, subkey: SOFTWARE\KasperskyLab\protected\AVP7\profiles\Updater) -> FAIL
PID: 3328, 0x7C801DA8: LoadLibraryA/ExA(file: KERNEL32.DLL, flags: 00000000)
PID: 3328, 0x7C801DA8: LoadLibraryA/ExA(file: USER32.dll, flags: 00000000)
PID: 3328, 0x7C801DA8: LoadLibraryA/ExA(file: ADVAPI32.dll, flags: 00000000)
PID: 3328, 0x004014CB: CreateFileA(file: C:\WINDOWS\explorer.exe, OPEN_EXISTING)
PID: 3328, -- CreateFileA result - fHandle: 0000071C
PID: 3328, 0x7C81F2C6: GetFileAttributesW(C:\Documents and Settings\SunBeam\Desktop\1.exe)
PID: 3328, 0x7C81F2C6: GetFileAttributesW(C:\WINDOWS\system32\)
PID: 3328, 0x004016BE: DeleteFileA(file: C:\WINDOWS\system32\ckvo.exe)
PID: 3328, 0x00401A7A: SetFileAttributesA(file: C:\WINDOWS\system32\ckvo.exe, attrs: 00000080)
PID: 3328, 0x004016E0: CopyFileA(existing: C:\DOCUME~1\SunBeam\Desktop\1.exe, new: C:\WINDOWS\system32\ckvo.exe, overwrite: 00000000)
PID: 3328, 0x00401A7A: SetFileAttributesA(file: C:\WINDOWS\system32\ckvo.exe, attrs: 00000007)
PID: 3328, 0x00401A7A: SetFileAttributesA(file: C:\WINDOWS\system32\ckvo0.dll, attrs: 00000080)
PID: 3328, 0x004017D2: DeleteFileA(file: C:\WINDOWS\system32\ckvo0.dll)
PID: 3328, 0x004017EA: CreateFileA(file: C:\WINDOWS\system32\ckvo0.dll, CREATE_ALWAYS)
PID: 3328, -- CreateFileA result - fHandle: 00000718
PID: 3328, 0x00401A7A: SetFileAttributesA(file: C:\WINDOWS\system32\ckvo0.dll, attrs: 00000007)
PID: 3328, 0x7C8106F5: CreateRemoteThread(tHandle: FFFFFFFF, nHandle: 00000718, startAddr: 00401DB4, flags: 00000000)
PID: 3328, 0x00401EB9: PostMessageA(tHandle: 00000000, Msg: WM_CLOSE)
PID: 3328, 0x7C8106F5: CreateRemoteThread(tHandle: FFFFFFFF, nHandle: 00000718, startAddr: 00401D17, flags: 00000000)
PID: 3328, 0x00401AA0: RegOpenKeyExA(key: HKEY_CURRENT_USER, subkey: SoftWare\Microsoft\Windows\CurrentVersion\Run) -> SUCCESS
PID: 3328, --- handle: 00000718
PID: 3328, 0x00401ABB: RegSetValueExA(keyHandle: 00000718, valueName: kamsoft, data: C:\WINDOWS\system32\ckvo.exe) -> SUCCESS
PID: 3328, 0x0040196D: OpenProcess(procID: 1792, access: 001F0FFF)
PID: 3328, --- handle 0000071C
PID: 3328, 0x00401984: VirtualAllocEx(tHandle: 0000071C, startAddr: 0, size: 00001000)
PID: 3328, 0x0040199D: WriteProcessMemory(tHandle: 0000071C, bytes: 0x00000457, buffer(dll?): è)
PID: 3328, 0x00401EB9: PostMessageA(tHandle: 00000000, Msg: WM_CLOSE)
PID: 3328, 0x00401A27: CreateRemoteThread(tHandle: 0000071C, nHandle: 00000718, startAddr: 049B0000, flags: 00000000)
PID: 3328, 0x00401A62: ExitProcess(exitcode: 0)
[Termination] PID 3328 has terminated!

Get these:

- Process Explorer - kill the new thread the process made in explorer.exe (you'll find it's assigned to ckvo.exe) ;-)

- kOuD3LkA Restrictions Remover v1.0 - will: enable folder options, task manager, registry tools, fix "show hidden files" and "show protected operating system files";

Then open up regedit and delete that "kamsoft" key the program put in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

Once that is done, just delete ckvo.exe and ckvo0.dll from system32.

Delete autorun.inf and rs.cmd from all your partitions (mind that they are hidden and have the 'system file' attribute set) ;-)

Cheers,

Sun

P.S.: Note that the .dll file will fail to be deleted since it's injected in most processes running on your OS. Either unload it from every .exe by searching for its module, or just reboot and then delete it afterward.

Edited by SunBeam
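To turn a trace like the one above into a quick triage list, here is an added Python example (my own code, not part of the thread and not MalTrap's) that parses the "PID: n, 0xADDR: Api(name: value, ...) -> RESULT" line format and flags the behaviours SunBeam's removal steps address: the driver service install, the self-copy into system32, the hidden+system attributes, the Run-key persistence, and the alloc/write/thread injection into explorer.exe. The sample trace is a constructed nine-line excerpt of the post's output, and the rules (attributing RegSetValueExA to the most recently opened key, treating a full alloc/write/thread trio on a non-pseudo handle as injection) are heuristics I chose for this example.

```python
import re
# Constructed, abridged excerpt (nine lines) of the MalTrap-style trace quoted in the post above.
SAMPLE_TRACE = r"""
PID: 3328, 0x004A1456: RegSetValueExA(keyHandle: 0000071C, valueName: ImagePath, data: \??\C:\WINDOWS\system32\drivers\klif.sys) -> SUCCESS
PID: 3328, 0x004016E0: CopyFileA(existing: C:\DOCUME~1\SunBeam\Desktop\1.exe, new: C:\WINDOWS\system32\ckvo.exe, overwrite: 00000000)
PID: 3328, 0x00401A7A: SetFileAttributesA(file: C:\WINDOWS\system32\ckvo.exe, attrs: 00000007)
PID: 3328, 0x00401AA0: RegOpenKeyExA(key: HKEY_CURRENT_USER, subkey: SoftWare\Microsoft\Windows\CurrentVersion\Run) -> SUCCESS
PID: 3328, 0x00401ABB: RegSetValueExA(keyHandle: 00000718, valueName: kamsoft, data: C:\WINDOWS\system32\ckvo.exe) -> SUCCESS
PID: 3328, 0x0040196D: OpenProcess(procID: 1792, access: 001F0FFF)
PID: 3328, 0x00401984: VirtualAllocEx(tHandle: 0000071C, startAddr: 0, size: 00001000)
PID: 3328, 0x0040199D: WriteProcessMemory(tHandle: 0000071C, bytes: 0x00000457, buffer(dll?): è)
PID: 3328, 0x00401A27: CreateRemoteThread(tHandle: 0000071C, nHandle: 00000718, startAddr: 049B0000, flags: 00000000)
"""
# One trace line: "PID: n, 0xCALLER: Api(name: value, ...)" plus an optional " -> RESULT".
LINE_RE = re.compile(r"^PID: (\d+), 0x([0-9A-Fa-f]+): (\w+)\((.*)\)(?: -> (\w+))?$")
HIDDEN, SYSTEM = 0x2, 0x4  # FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM

def parse(trace):
    """Parse trace lines into dicts; the 'name: value' argument list becomes a dict."""
    events = []
    for m in filter(None, map(LINE_RE.match, trace.splitlines())):
        pid, _caller, api, raw, result = m.groups()
        args = dict(p.split(": ", 1) for p in raw.split(", ") if ": " in p)
        events.append({"pid": int(pid), "api": api, "args": args, "result": result})
    return events

def detect(events):
    """Flag driver install, self-copy, hidden+system files, Run-key persistence and injection."""
    findings, last_key, target_pid, chain = [], "", None, {}
    for e in events:
        api, a = e["api"], e["args"]
        if api in ("RegOpenKeyExA", "RegCreateKeyA"):
            last_key = a.get("subkey", "")  # heuristic: later RegSetValueExA calls target this key
        elif api == "RegSetValueExA":
            if last_key.lower().endswith(r"\currentversion\run"):
                findings.append(f"Run-key persistence: {a['valueName']} = {a['data']}")
            if a.get("valueName") == "ImagePath" and a.get("data", "").lower().endswith(".sys"):
                findings.append(f"driver service installed: {a['data']}")
        elif api == "CopyFileA" and "\\system32\\" in a.get("new", "").lower():
            findings.append(f"self-copy into system32: {a['new']}")
        elif api == "SetFileAttributesA" and (int(a["attrs"], 16) & (HIDDEN | SYSTEM)) == (HIDDEN | SYSTEM):
            findings.append(f"hidden+system attributes set on {a['file']}")
        elif api == "OpenProcess":
            target_pid = int(a["procID"])
        elif api in ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"):
            h = a["tHandle"]
            chain.setdefault(h, set()).add(api)
            if h != "FFFFFFFF" and len(chain[h]) == 3:  # alloc+write+thread on a foreign handle
                findings.append(f"remote thread injection into PID {target_pid} (handle {h})")
    return findings
```

Running detect(parse(SAMPLE_TRACE)) yields five findings, in trace order; the two CreateRemoteThread calls with tHandle FFFFFFFF (the current-process pseudo-handle) in the full trace would be ignored by the injection rule.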

Hi SunBeam,

I am wondering what tool you used to do the analysis, so that it automatically created a list of all the APIs called (with results, too) by the malware above?

Thanks,

N


Looks like MAtrap?

Either that or try APISpy or WinAPIOverride

Could you please tell me where to get MAtrap and APISpy?

I googled, but it either returned useless results (MAtrap) or too much unrelated information (APISpy).

Thanks,

N


Sorry, that should have been MalTrap... both are available on this forum via the search button (in the tools forum).

Fullmetal2

Looks like MAtrap?

Either that or try APISpy or WinAPIOverride

Hey, sorry, I can't find MAtrap in this forum... can you link me, please?


Yeah, MalTrap doesn't seem bad... I saw the educational video on its injecting... anyone know how it works?

Is it using the SetWindowsHookEx API?
