Hi All

I found the attached malware on one of my test machines. It looks like it drops itself into the system32 directory with some random name and adds entries to the registry so that it can start as a service every time the machine boots. I can't seem to get any further after that; can you look into this? It seems to do some damage, so analyzing this in a virtual environment is recommended.

Attached is the malware, so please exercise care!!! Password: infected

EDIT:

Nobody looked at this yet? :(

MNR8TTI7OP.zip

Edited by quosego

Patience; though reversers do some malware analysis here, it's purely voluntary.

So it might take a while for some to have the time to look at your piece of malware. :)

Combined your posts. Not really necessary to bump it.

  • Author

sure quosego :thumbsup:

  • 2 weeks later...

VMware + maltrap == pure wonders..

DLLPath: C:\Documents and Settings\Administrator\Desktop\maltrap_v0.2a\maltrap.dll

Process injected! PID: 3660

PID: 3660, All hooks are now in place!

PID: 3660, 0x00406D6E: RegOpenKeyExA(key: HKEY_LOCAL_MACHINE, subkey: SYSTEM\CurrentControlSet\Services\ferst) -> FAIL

PID: 3660, 0x00406ECB: CopyFileA(existing: C:\Documents and Settings\Administrator\Desktop\G001.exe, new: C:\WINDOWS\system32\qokqe.exe, overwrite: 00000000)

PID: 3660, 0x00406F2F: OpenSCManagerA(machName: (null), dbName: (null), access: 000F003F) -> h:0025EB58

PID: 3660, 0x00406F64: CreateServiceA(ServiceName: ferst, DisplayName: ces, Type: 00000010, StartType: 00000002, StartName: (null), Path: C:\WINDOWS\system32\qokqe.exe, Password: (null)) -> h:0025E8A0

PID: 3660, --- Service runs in its own process

PID: 3660, --- Is started automatically by the SCM during system startup

PID: 3660, 0x00406FB0: StartServiceA(hService: 0025E8A0, serviceArgs: (null)) -> SUCCESS

PID: 3660, 0x00407027: RegOpenKeyA(key: HKEY_LOCAL_MACHINE, subkey: SYSTEM\CurrentControlSet\Services\ferst) -> SUCCESS

PID: 3660, --- handle: 00000754

PID: 3660, 0x00407049: RegSetValueExA(keyHandle: 00000754, valueName: Description, data: fsr) -> SUCCESS

PID: 3660, 0x7C81F2AE: GetFileAttributesW(C:\Documents and Settings\Administrator\Desktop\G001.exe)

PID: 3660, 0x7C910A16: CreateProcessA(appName: (null), cmdLine: C:\WINDOWS\system32\cmd.exe /c del C:\DOCUME~1\ADMINI~1\Desktop\G001.exe > nul)

PID: 3660, --- Creating the process in suspended state...

PID: 3660, --- Resulting PID: 3692

PID: 3660, --- Escalating privileges so the process can be opened...

PID: 3660, --- Opening the process...

PID: 3660, --- Allocating memory in the process...

PID: 3660, --- Writing the DLL into memory...

PID: 3660, --- Resuming the suspended process...

PID: 3660, 0x00407548: ExitProcess(exitcode: 0)

[Termination] PID 3660 has terminated!

So:

1. Kill process in memory;

2. Delete file from system32;

3. Start > Run > services.msc -> then find the "ces" service (in my case) and set it to disabled (you can also wipe the registry key above)

Cheers,

Sun

Edited by SunBeam
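Turning the maltrap trace above into a triage check, as an added example that is not from the thread or from maltrap itself: it parses the API lines, recognises the copy-to-system32 / auto-start service / self-delete chain, and emits SunBeam's three cleanup steps as commands for an elevated prompt. The trace lines are copied from the post; the report layout and the matching rules are my own assumptions.

```python
import re

# Constructed sample: API-trace lines copied from the maltrap output posted above.
TRACE = r"""
PID: 3660, 0x00406D6E: RegOpenKeyExA(key: HKEY_LOCAL_MACHINE, subkey: SYSTEM\CurrentControlSet\Services\ferst) -> FAIL
PID: 3660, 0x00406ECB: CopyFileA(existing: C:\Documents and Settings\Administrator\Desktop\G001.exe, new: C:\WINDOWS\system32\qokqe.exe, overwrite: 00000000)
PID: 3660, 0x00406F64: CreateServiceA(ServiceName: ferst, DisplayName: ces, Type: 00000010, StartType: 00000002, StartName: (null), Path: C:\WINDOWS\system32\qokqe.exe, Password: (null)) -> h:0025E8A0
PID: 3660, --- Is started automatically by the SCM during system startup
PID: 3660, 0x7C910A16: CreateProcessA(appName: (null), cmdLine: C:\WINDOWS\system32\cmd.exe /c del C:\DOCUME~1\ADMINI~1\Desktop\G001.exe > nul)
"""

CALL_RE = re.compile(r"^PID: (\d+), 0x([0-9A-Fa-f]+): (\w+)\((.*)\)(?: -> (.*))?$")
ARG_RE = re.compile(r"(\w+): (.*?)(?=, \w+: |$)")

def parse_call(line):
    """Return (api, {arg: value}, result) for an API line, or None for commentary lines."""
    m = CALL_RE.match(line.strip())
    if not m:
        return None
    _pid, _addr, api, argstr, result = m.groups()
    return api, dict(ARG_RE.findall(argstr)), result

def triage(trace):
    """Pull the persistence indicators out of a trace and give a verdict."""
    report = {"dropped": None, "service": None, "autostart": False,
              "self_delete": None, "reg_key": None}
    for call in filter(None, map(parse_call, trace.splitlines())):
        api, args, _result = call
        if api == "CopyFileA" and "\\system32\\" in args["new"].lower():
            report["dropped"] = args["new"]          # copy of itself under system32
        elif api == "CreateServiceA":
            report["service"] = {"name": args["ServiceName"], "display": args["DisplayName"], "path": args["Path"]}
            report["autostart"] = int(args["StartType"], 16) == 2   # SERVICE_AUTO_START
            report["reg_key"] = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\" + args["ServiceName"]
        elif api == "CreateProcessA" and "/c del " in args["cmdLine"].lower():
            report["self_delete"] = args["cmdLine"]  # cmd.exe removes the original dropper
    # Persistence only counts when the service binary IS the file dropped into system32.
    persisted = report["dropped"] and report["service"] and report["service"]["path"] == report["dropped"]
    report["verdict"] = ("dropper with auto-start service persistence"
                         if persisted and report["autostart"] and report["self_delete"] else "inconclusive")
    return report

def cleanup_steps(report):
    """The same three steps SunBeam lists, as commands for an elevated cmd prompt."""
    name = report["service"]["name"]
    return [f"sc stop {name} && sc delete {name}",
            f'del "{report["dropped"]}"',
            f'reg delete "{report["reg_key"]}" /f']
```

Run `triage(TRACE)` on a trace of your own sample first; the cleanup commands are only meaningful once the verdict confirms the service path and the dropped file match.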

  • Author

Thanks for your time SunBeam, much appreciated.... I was actually wondering, what is it capable of doing? :confused:

  • 3 weeks later...

My analysis of this malware with OllyDbg

1 Grab all the information about the computer

2 Manipulate the registry

3 Execute the function Random to create 5 different words

4 Copy the same malware [exe]

5 System32 is where the new exe goes

every time that a person gets infected the malware changes the name

with the function Random, for example: ybdaw.exe <== 5 words

6 The malware proceeds to communicate with some page, web, etc.

7 If the malware does not get connected then it proceeds to sleep

8 If the malware gets connected then it changes the password for user 1

then changes the password for user 2

Summary:

Basically this malware is some kind of Trojan Horse.

Edited by delldell

  • Author

My analysis of this malware with OllyDbg

1 Grab all the information about the computer

2 Manipulate the registry

3 Execute the function Random to create 5 different words

4 Copy the same malware [exe]

5 System32 is where the new exe goes

every time that a person gets infected the malware changes the name

with the function Random, for example: ybdaw.exe <== 5 words

6 The malware proceeds to communicate with some page, web, etc.

7 If the malware does not get connected then it proceeds to sleep

8 If the malware gets connected then it changes the password for user 1

then changes the password for user 2

Summary:

Basically this malware is some kind of Trojan Horse.

I kept track of this malware until step 5, after which I lose track; the process just exits :S
