Jump to content
Tuts 4 You

Malware


~karthikeyanck~

Recommended Posts

~karthikeyanck~

Hi All

I found the attached malware in one of my test machine. It looks like it drops itself to the system32 directory with some random name and adds entries to the registry so that it can start as a service every time the machine boots. I don't seem to go further after, can you look into this. Seems like it does do some damage so analyzing this in a virtual environment is recommended.

Attached is a malware so pls exercise care!!! password - infected

EDIT:

Nobody looked at this yet? :(

MNR8TTI7OP.zip

Edited by quosego
Link to comment

Patience, though reversers do some malware analysis here, it's purely voluntarily..

So it might take a while for some to have the time to look at your piece of malware. :)

Combined your posts.. Not really necessary to bump it.

Link to comment
  • 2 weeks later...

VMware + maltrap == pure wonders..

DLLPath: C:\Documents and Settings\Administrator\Desktop\maltrap_v0.2a\maltrap.dll

Process injected! PID: 3660

PID: 3660, All hooks are now in place!

PID: 3660, 0x00406D6E: RegOpenKeyExA(key: HKEY_LOCAL_MACHINE, subkey: SYSTEM\CurrentControlSet\Services\ferst) -> FAIL

PID: 3660, 0x00406ECB: CopyFileA(existing: C:\Documents and Settings\Administrator\Desktop\G001.exe, new: C:\WINDOWS\system32\qokqe.exe, overwrite: 00000000)

PID: 3660, 0x00406F2F: OpenSCManagerA(machName: (null), dbName: (null), access: 000F003F) -> h:0025EB58

PID: 3660, 0x00406F64: CreateServiceA(ServiceName: ferst, DisplayName: ces, Type: 00000010, StartType: 00000002, StartName: (null), Path: C:\WINDOWS\system32\qokqe.exe, Password: (null)) -> h:0025E8A0

PID: 3660, --- Service runs in its own process

PID: 3660, --- Is started automatically by the SCM during system startup

PID: 3660, 0x00406FB0: StartServiceA(hService: 0025E8A0, serviceArgs: (null)) -> SUCCESS

PID: 3660, 0x00407027: RegOpenKeyA(key: HKEY_LOCAL_MACHINE, subkey: SYSTEM\CurrentControlSet\Services\ferst) -> SUCCESS

PID: 3660, --- handle: 00000754

PID: 3660, 0x00407049: RegSetValueExA(keyHandle: 00000754, valueName: Description, data: fsr) -> SUCCESS

PID: 3660, 0x7C81F2AE: GetFileAttributesW(C:\Documents and Settings\Administrator\Desktop\G001.exe)

PID: 3660, 0x7C910A16: CreateProcessA(appName: (null), cmdLine: C:\WINDOWS\system32\cmd.exe /c del C:\DOCUME~1\ADMINI~1\Desktop\G001.exe > nul)

PID: 3660, --- Creating the process in suspended state...

PID: 3660, --- Resulting PID: 3692

PID: 3660, --- Escalating privileges so the process can be opened...

PID: 3660, --- Opening the process...

PID: 3660, --- Allocating memory in the process...

PID: 3660, --- Writing the DLL into memory...

PID: 3660, --- Resuming the suspended process...

PID: 3660, 0x00407548: ExitProcess(exitcode: 0)

[Termination] PID 3660 has terminated!

So:

1. Kill process in memory;

2. Delete file from system32;

3. Start > Run > services.msc -> then find "ces" service (in my case) and set it to disabled (you can also wipe the registry key above)

Cheers,

Sun

Edited by SunBeam
Link to comment
  • 3 weeks later...

My analysis to this malware with ollydbg

1 Grab all the information of the computer

2 Manipulate the Registry

3 Execute the function Random to create 5 different words

4 copy the same Malware [ exe ]

5 System32 is where goes the new exe

every time that a person got infected the Malware change the name

with the function Random for example: ybdaw.exe <== 5 words

6 The Malware proceed to communicate with some page,web, etc.

7 If the the Malware do not get connected then proceed to sleep

8 if the Malware got connected then change the password for user 1

then change the password for user 2

resume:

Basically this Malware is some kind of Trojan Hrse .

Edited by delldell
Link to comment
~karthikeyanck~

My analysis to this malware with ollydbg

1 Grab all the information of the computer

2 Manipulate the Registry

3 Execute the function Random to create 5 different words

4 copy the same Malware [ exe ]

5 System32 is where goes the new exe

every time that a person got infected the Malware change the name

with the function Random for example: ybdaw.exe <== 5 words

6 The Malware proceed to communicate with some page,web, etc.

7 If the the Malware do not get connected then proceed to sleep

8 if the Malware got connected then change the password for user 1

then change the password for user 2

resume:

Basically this Malware is some kind of Trojan Hrse .

I keep track of this malware till step 5, after which I'm losing track, the process just exits :S

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...