Downloading... (author), posted February 3, 2013

Hey there, I managed to get a sample of a "Ransomware" type of virus, which just locked the computer until one paid and put in a code to unlock it (which I doubt would actually unlock it). Anyhow, I grabbed the virus.exe and it's getting detected by 22/40 AVs. I looked at it with PEiD, which couldn't find anything; I assume the file is most likely packed. I also ran a strings command on it, and nothing came out (except an assembly XML file, so even more chance it's packed). Then I disassembled it with IDA (all this in Linux since it's risky :3 ). Here is a list of the imports:

10004000 RegOpenKeyExW ADVAPI32
10004008 GetSaveFileNameW COMDLG32
1000400C GetOpenFileNameW COMDLG32
10004010 ChooseFontW COMDLG32
10004018 CreateBitmap GDI32
1000401C CreateCompatibleBitmap GDI32
10004020 CreateCompatibleDC GDI32
10004024 CreateFontIndirectW GDI32
10004028 CreatePen GDI32
1000402C CreatePolygonRgn GDI32
10004030 CreateSolidBrush GDI32
10004034 DeleteDC GDI32
10004038 DeleteObject GDI32
1000403C BitBlt GDI32
10004040 EnableEUDC GDI32
10004044 EnumFontFamiliesW GDI32
10004048 ExtTextOutW GDI32
1000404C FillRgn GDI32
10004050 GetBitmapBits GDI32
10004054 GetFontData GDI32
10004058 GetObjectW GDI32
1000405C GetRgnBox GDI32
10004060 GetStockObject GDI32
10004064 GetTextExtentExPointW GDI32
10004068 GetTextExtentPoint32W GDI32
1000406C GetTextExtentPointW GDI32
10004070 GetTextMetricsW GDI32
10004074 Ellipse GDI32
10004078 PatBlt GDI32
1000407C Rectangle GDI32
10004080 SelectObject GDI32
10004084 SetBitmapBits GDI32
10004088 SetBkColor GDI32
1000408C SetTextColor GDI32
10004090 StretchBlt GDI32
10004094 OffsetRgn GDI32
1000409C ImmRegisterWordW IMM32
100040A0 ImmSetCompositionStringW IMM32
100040A4 ImmSetConversionStatus IMM32
100040A8 ImmIsIME IMM32
100040AC ImmGetConversionStatus IMM32
100040B0 ImmGetCompositionStringW IMM32
100040B4 ImmAssociateContext IMM32
100040B8 ImmConfigureIMEW IMM32
100040BC ImmCreateContext IMM32
100040C0 ImmDestroyContext IMM32
100040C4 ImmEnumRegisterWordW IMM32
100040C8 ImmEscapeW IMM32
100040D0 WriteFile KERNEL32
100040D4 VirtualAlloc KERNEL32
100040DC ShellAboutW SHELL32
100040E4 ShowWindow USER32

I also noticed this:

.text:100038D0 ; BOOL __stdcall DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
.text:100038D0 public DllEntryPoint
.text:100038D0 DllEntryPoint proc near

I suppose this means there is a DLL embedded in the application? But I don't get how it is supposed to run in memory with only VirtualAllocEx and WriteFile? Or is it simply a dropper? Couldn't find anything more interesting in the static analysis part. I'm hesitating to go into dynamic analysis before you guys give me a few pointers! Things I've been reading so far:

http://www.symantec.com/connect/articles/alien-autopsy-reverse-engineering-win32-trojans-linux
http://www.symantec.com/connect/articles/reverse-engineering-hostile-code
http://www.blackhat.com/presentations/bh-dc-07/Kendall_McMillan/Presentation/bh-dc-07-Kendall_McMillan.pdf
http://www.blackhat.com/presentations/bh-dc-07/Kendall_McMillan/Paper/bh-dc-07-Kendall_McMillan-WP.pdf
https://www.hex-rays.com/products/ida/support/tutorials/unpack_pe/manual.shtml

Any other things I could look into? And am I allowed to share an INFECTED file? If so, I'll attach the file later on! Greetings, Downloading...
Aguila, posted February 3, 2013

Don't believe an import table in malware. All Windows APIs can be loaded dynamically. You shouldn't even look at it. The ransomware I know is using a simple website trick to display complicated text on the whole screen:
http://www.codeproject.com/Articles/18417/Use-an-ActiveX-control-in-your-Win32-Project-witho
Maybe you should consider running it in a VM with Windows XP and no internet access. Look what happens...
Downloading... (author), posted February 3, 2013

> Don't believe an import table in malware. All Windows APIs can be loaded dynamically. You shouldn't even look at it. The ransomware I know is using a simple website trick to display complicated text on the whole screen: http://www.codeproject.com/Articles/18417/Use-an-ActiveX-control-in-your-Win32-Project-witho Maybe you should consider running it in a VM with Windows XP and no internet access. Look what happens...

So it's of no use to analyse it statically? I'll run it in a VM running Win7 and hope it won't use a 0day to get out of VirtualBox... (I doubt it though.) This malware just pops up on every startup blocking everything, and it's full screen, not in a window. I'll run it on the VM now, I'll update this frequently! I still need to know if I can post an infected .exe analysis? And of course, thanks for the fast response!
Conquest, posted February 3, 2013 (edited February 3, 2013 by Conquest)

> Don't believe an import table in malware. All Windows APIs can be loaded dynamically. You shouldn't even look at it.

Hi Aguila, by "All Windows APIs can be loaded dynamically", are you trying to mean the import table modification at run time (like some packers do)?
Aguila, posted February 3, 2013 (edited February 3, 2013 by Aguila)

> This malware just pops up on every startup blocking everything, and it's full screen, not in a window

When the content looks like a website, look at the link I posted. The malware is probably using the "website in a window" trick. Of course the window is fullscreen without a frame. I think you can post the malware, packed in ZIP/RAR with a password and a warning message.

@Conquest It is similar, but usually malware is not building an import table. They just work with function pointers. Simple way to do it: GetProcAddress/GetModuleHandleA/LoadLibraryA

void * func_p = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtWriteVirtualMemory");

But you don't need these APIs, you can replace them with your own.
Downloading... (author), posted February 3, 2013 (edited February 3, 2013 by Downloading...)

I ran it in a Win 7 VM and it gave me an error: Not a valid PE executable file (or something like that). Perhaps it detected the VM, but I doubt it? I then ran it through OllyDbg, which told me it was a DLL and not a PE; it also asked me to run it through LOADDLL.EXE, and so I did, but it's just an infinite loop from there... I really wonder what is going on here... Here's the INFECTED PE! http://www.mediafire.com/?x0poa28rxdf9ujf I'd love it if you guys could share your finds! I can eventually write a little paper on it. I'm going to look into some other stuff that came with the virus... This .bat file also came with it:

START "ok" rundll32.exe C:\Users\Username\virus.exe,M1N1 /B

M1N1 is the EntryPoint (function), and /B the "Base printer name" optional argument.
deepzero, posted February 3, 2013

> START "ok" rundll32.exe C:\Users\Username\virus.exe,M1N1 /B

Yeah, so your virus.exe is not actually an .exe file, but a .dll file (the entrypoint named DllMain() hints at it...). Means you can't "run" it, but Olly should be able to handle it anyway with its DLL loader.
Downloading... (author), posted February 3, 2013

> Yeah, so your virus.exe is not actually an .exe file, but a .dll file (the entrypoint named DllMain() hints at it...). Means you can't "run" it, but Olly should be able to handle it anyway with its DLL loader.

Exactly, I ran it in OllyDbg, I paused it, put a BP on the code section, and it's just an infinite loop... Really strange! Thanks for the reply! I'll keep trying though, there HAS to be something. The virus also created a .PAD file of 90 MB, which is most likely webcam and logs etc. I can't find what M1N1 refers to in the disassembled DLL though?
Downloading... (author), posted February 3, 2013 (edited February 3, 2013 by Downloading...)

Alright, so I ran the virus.exe through rundll32.exe and attached the process to OllyDbg. What I can tell for now is that it loops (with a Sleep call in between) and searches for TASKMGR.EXE in the process snapshot; if it exists, it gets killed. It also does some stuff with a 90 MB file, but I haven't found out what yet (most likely useless stuff). No ransomware page, popups etc. appear... It might only be activated when connected to the internet, to download the ransom page?
kakamail, posted February 4, 2013 (edited February 4, 2013 by kakamail)

I just know that it creates a .js file which is a shell run; I don't know how to copy from VB to the host, but I think it's the same as your .bat file. The name is the reversed name of the exe. Your uploaded file is virus.exe, so it will be surir.js; it is located in AllUser/Application. The w, a, s, m, r variables are encrypted by Dec2Ascii (I don't remember the real name of this function); after decrypting I have

w = Shell.Application
a = C:\\WINDOWS\\system32\\rundll32.exe
s = C:\DOCUME~1\UserName\Desktop\virus.exe, M1N3
m = runas
r = WScript.Shell

I just posted the decrypt part; in this .js file it has a command which is run(a+s). It also creates a shortcut to run rundll32.exe from Startup; you can go to the Startup folder to see. My .PAD is very small (I disconnected from the internet during tracing time), and from comparing strings between LOADDLL.EXE and some others, I see the virus.exe will use this .pad when it runs under svchost.exe, opera.exe, firefox.exe, chrome.exe, ie.exe, rundll32.exe. Actually, all of the above is not in virus.exe; it's a DLL embedded in virus.exe, and from the Allocate function we can easily dump it. I saw 3 "things" like a DLL but only one can load into Olly (it's the DLL above); the others say "Can not load". So to conclude, I see virus.exe is a loader, and the dumped DLL is the main function. The function checks if it (virus.exe) runs under the processes above. From here on I know nothing more. Here is what I guess from running it directly: if it runs under these processes then it will run ie.exe. If not, the file is still running but ie.exe is not run, just virus.exe. I wonder, if I enable internet in my VB, will it infect my host?
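The dropped .js file kakamail describes keeps its strings as numbers and decodes them at run time, then hands run(a+s) to WScript.Shell. The following is an added example, not code from the thread or from the malware: a small deobfuscator that pulls every Dec2Ascii("...") assignment out of such a script, decodes it, and rebuilds the command line. The script text is a constructed fixture built from the plaintext values kakamail reported; the encoding (comma-separated decimal character codes), the helper name Dec2Ascii and the trailing space on `a` are assumptions, since the real file is not shown.

```python
import re

# Plaintext values reported in the thread; used only to build the constructed fixture.
# The trailing space on "a" is an assumption so that a + s forms a valid command line.
PLAINTEXT = {
    "w": "Shell.Application",
    "a": "C:\\WINDOWS\\system32\\rundll32.exe ",
    "s": "C:\\DOCUME~1\\UserName\\Desktop\\virus.exe, M1N3",
    "m": "runas",
    "r": "WScript.Shell",
}


def dec2ascii_encode(text):
    """Encode text as comma-separated decimal codes (fixture construction only)."""
    return ",".join(str(ord(c)) for c in text)


# Constructed stand-in for the dropped script: same shape as described, invented encoding.
SAMPLE_JS = "\n".join(
    'var %s = Dec2Ascii("%s");' % (name, dec2ascii_encode(value))
    for name, value in PLAINTEXT.items()
) + '\nvar sh = new ActiveXObject(r);\nsh.Run(a + s);\n'

# Matches: var <name> = Dec2Ascii("<digits and commas>");
ASSIGN_RE = re.compile(r'var\s+(\w+)\s*=\s*Dec2Ascii\("([\d,\s]+)"\)')


def dec2ascii(encoded):
    """Turn "83,104,101" into "She"; stray whitespace around numbers is tolerated."""
    return "".join(chr(int(tok)) for tok in encoded.split(",") if tok.strip())


def extract_variables(js_source):
    """Return {name: decoded string} for every Dec2Ascii assignment in the script."""
    return {name: dec2ascii(enc) for name, enc in ASSIGN_RE.findall(js_source)}


def reconstruct_command(variables):
    """Rebuild the command line the script passes to Run(a + s)."""
    return variables["a"] + variables["s"]


if __name__ == "__main__":
    decoded = extract_variables(SAMPLE_JS)
    for name, value in decoded.items():
        print(f"{name} = {value}")
    print("command:", reconstruct_command(decoded))
```

Decoding the strings rather than running the script is the safe way to recover the persistence command line; the same regex-then-decode approach works for any script that wraps its strings in a single decoding helper, once the helper's name and separator are known.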
Aguila, posted February 4, 2013

The file is packed with some kind of packer. You can easily analyze it in Olly. The real OEP looks like this:

0088F270 55               PUSH EBP
0088F271 8BEC             MOV EBP,ESP
0088F273 83EC 24          SUB ESP,24
0088F276 C745 F8 00000000 MOV DWORD PTR SS:[EBP-8],0
0088F27D C745 DC 78000000 MOV DWORD PTR SS:[EBP-24],78
0088F284 C745 F4 01000000 MOV DWORD PTR SS:[EBP-C],1
0088F28B C745 FC 00000000 MOV DWORD PTR SS:[EBP-4],0
0088F292 C745 E8 00000000 MOV DWORD PTR SS:[EBP-18],0
0088F299 892D A0F48800    MOV DWORD PTR DS:[88F4A0],EBP
0088F29F 8B4D 08          MOV ECX,DWORD PTR SS:[EBP+8]    ; virus.<ModuleEntryPoint>
0088F2A2 890D 9CF48800    MOV DWORD PTR DS:[88F49C],ECX

You can step through the DLL entrypoint. The packer uses the "push address + ret" trick to jump to some other location. The DLL entrypoint is not "return"ed normally. The file uses LoadLibraryExA/GetProcAddress to load other Windows APIs.
kakamail, posted February 5, 2013

I stepped through it all. I just don't know why my .pad file is much smaller than Downloading...'s (less than 500 KB). And my question is, would my real PC be infected by this virus.exe if I enable the network in VirtualBox?
Downloading... (author), posted February 5, 2013

> I stepped through it all. I just don't know why my .pad file is much smaller than Downloading...'s (less than 500 KB). And my question is, would my real PC be infected by this virus.exe if I enable the network in VirtualBox?

Kakamail, thanks for your investment!!! I noticed the .js being created as well. The .pad file is 90 MB on both my friend's infected computer and my infected VM; I think it's just an attempt to fool antivirus? I'm going to investigate further tomorrow because I'm drunk now. I also wonder why it did create a real full screen popup on my friend's computer, while on my VM it does almost nothing except checking a .PAD file and killing TASKMGR.EXE.... Pretty cool to learn though :3
kakamail, posted February 5, 2013

I didn't see that Taskmgr.exe thing during my steps; since I use Process Explorer, I didn't note whether my Task Manager was disabled or not either. One thing I just remembered is that the IE.exe is created, but it's not shown at all; it runs in the background.
Downloading... (author), posted February 5, 2013 (edited February 5, 2013 by Downloading...)

What I figured out so far: the DLL is loaded and, like Aguila said, the return trick is used. Once OEP is reached, the packer starts working and allocates memory (called virus_1 in the memory map). Control is then passed there, and that's where the actual unpacked virus starts executing.

It first checks for a file called (Reversedvirusname).pad in C:/ProgramData. NOTE: the file is only created when run under one of the processes listed below.

It then checks whether it is being run under: rundll32.exe, svchost.exe, explorer.exe. In my case it wasn't (since I'm using LOADDLL.EXE from OllyDbg).

Then it checks this registry key, to find the user startup folder: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, and it looks for the key "StartUp". It then checks if a shortcut called runctf exists. The shortcut executes this command: rundll32.exe virus.exe,M1N1 (to execute the virus on startup).

After that, it checks if it's being run under iexplore.exe, iesart.exe, opera.exe, chrome.exe. Interestingly enough, it then terminates (because it's not being run in one of the above processes).

By changing the Zero flag to make it look like I'm running under rundll32.exe, it first creates a 90 MB file (Reversedvirusname).pad in C:/ProgramData (92.797 kb). It does something else depending on what process it is being run from.

When run from rundll32.exe it checks if the shortcut in the start menu exists, then it adds the following registry keys:

0119EE7E BA 54EF1901 MOV EDX,salvir_1.0119EF54 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1609"
0119EE83 B8 01000080 MOV EAX,80000001
0119EE88 E8 F3B1FFFF CALL salvir_1.0119A080
0119EE8D 33C9        XOR ECX,ECX
0119EE8F BA A8EF1901 MOV EDX,salvir_1.0119EFA8 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1609"
0119EE94 B8 01000080 MOV EAX,80000001
0119EE99 E8 E2B1FFFF CALL salvir_1.0119A080
0119EE9E 33C9        XOR ECX,ECX
0119EEA0 BA FCEF1901 MOV EDX,salvir_1.0119EFFC ; ASCII "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1609"
0119EEA5 B8 01000080 MOV EAX,80000001
0119EEAA E8 D1B1FFFF CALL salvir_1.0119A080
0119EEAF 33C9        XOR ECX,ECX
0119EEB1 BA 50F01901 MOV EDX,salvir_1.0119F050 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1609"
0119EEB6 B8 01000080 MOV EAX,80000001
0119EEBB E8 C0B1FFFF CALL salvir_1.0119A080
0119EEC0 33C9        XOR ECX,ECX
0119EEC2 BA A4F01901 MOV EDX,salvir_1.0119F0A4 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1609"
0119EEC7 B8 01000080 MOV EAX,80000001
0119EECC E8 AFB1FFFF CALL salvir_1.0119A080
0119EED1 B9 03000000 MOV ECX,3
0119EED6 BA F8F01901 MOV EDX,salvir_1.0119F0F8 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\2500"
0119EEDB B8 01000080 MOV EAX,80000001
0119EEE0 E8 9BB1FFFF CALL salvir_1.0119A080
0119EEE5 B9 03000000 MOV ECX,3
0119EEEA BA 4CF11901 MOV EDX,salvir_1.0119F14C ; ASCII "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500"
0119EEEF B8 01000080 MOV EAX,80000001
0119EEF4 E8 87B1FFFF CALL salvir_1.0119A080
0119EEF9 B9 03000000 MOV ECX,3
0119EEFE BA A0F11901 MOV EDX,salvir_1.0119F1A0 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500"
0119EF03 B8 01000080 MOV EAX,80000001
0119EF08 E8 73B1FFFF CALL salvir_1.0119A080
0119EF0D B9 03000000 MOV ECX,3
0119EF12 BA F4F11901 MOV EDX,salvir_1.0119F1F4 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500"
0119EF17 B8 01000080 MOV EAX,80000001
0119EF1C E8 5FB1FFFF CALL salvir_1.0119A080
0119EF21 B9 03000000 MOV ECX,3
0119EF26 BA 48F21901 MOV EDX,salvir_1.0119F248 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500"
0119EF2B B8 01000080 MOV EAX,80000001
0119EF30 E8 4BB1FFFF CALL salvir_1.0119A080
0119EF35 B9 01000000 MOV ECX,1
0119EF3A BA 9CF21901 MOV EDX,salvir_1.0119F29C ; ASCII "Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner"

I'm going to inspect the injected iexplore.exe later on! I'm going to try to find where it connects to download its ransomware pages. I already found out where they get stored though. Thanks guys for the answers! And what shall I do when I have the server IP or some useful info?
kakamail, posted February 6, 2013 (edited February 6, 2013 by kakamail)

How do you know iexplore.exe is injected? How do you know where it connects to download? As I know, reversers always use http://whois.domaintools.com/ to find useful info about a domain.
Downloading... (author), posted February 6, 2013 (edited February 6, 2013 by Downloading...)

> How do you know iexplore.exe is injected? How do you know where it connects to download? As I know, reversers always use http://whois.domaintools.com/ to find useful info about a domain.

This virus tries to fool us by connecting to A LOT of IPs. For now I only used the "sniffer" way to retrieve IPs. But later today, I'll just jump in the code, set a BP on the code section, and wait for it to break to get into the connect routine. I already tried this out without an internet connection; it never breaks in the code section, it's just looping in Wininet (which calls Ws2_32.dll). So obviously it keeps looping there until it's connected to the internet. The data downloaded seems encrypted though; I'll need to find how it's decrypted, and if possible where the decrypted file is stored (IF it is stored). At least I got some IPs to go from :3. And you can see it injects iexplore.exe since the process is created out of nowhere + by following the code, it does call CreateRemoteThread. I'll put that code here later today.

EDIT: Is what I'm doing useless? I mean, the only thing I can get is knowledge (useful), and the IP (I guess that's useless?)
kakamail, posted February 6, 2013

Hmm, I did see the CreateThread, 2 times, same place, but my Olly didn't break at the new thread function; I don't know what this CreateThread does :| Could you talk about it a little more? About the "useless" thing, I'm just interested in cracking/reversing viruses, willing to spend all my time doing it if it's at my level; discovering new things makes me happy, my head is filled with cool things, that's what I need.
Downloading... (author), posted February 6, 2013 (edited February 8, 2013 by Downloading...)

This is the first part of the in-depth analysis of the virus:

1. Rundll32.exe loads virus.exe into memory.
2. Rundll32.exe jumps to the virus_1 section, and there the actual code execution begins.
- The virus creates C:/ProgramData/suriv.pad (used later to store downloaded data).
- The virus reads "SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup".
- The virus creates runctf.lnk in the path obtained from the "Startup" key above (runctf.lnk is just a shortcut which executes rundll32.exe + virus.exe upon system startup). (The key gives this path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.)
- The virus adds "zone keys" to the registry (see above).
- The virus reads "HKEY_CLASSES_ROOT\Applications\iexplore.exe\shell\open\command" (reads the "Default" value; %1 is cut away later). (The key gives this path: "C:\Program Files\Internet Explorer\iexplore.exe" %1.)
- The virus calls CreateDesktopA with the following parameters:

0006FBF4 011A0BCC |DesktopName = "loabri"
0006FBF8 00000000 |Device = NULL
0006FBFC 00000000 |pDevmode = NULL
0006FC00 00000000 |Interaction = 0.
0006FC04 000F01FF |DesiredAccess = DESKTOP_READOBJECTS|DESKTOP_CREATEWINDOW|DESKTOP_CREATEMENU|DESKTOP_HOOKCONTROL|DESKTOP_JOURNALRECORD|DESKTOP_JOURNALPLAYBACK|DESKTOP_ENUMERATE|DESKTOP_WRITEOBJECTS|DESKTOP_SWITCHDESKTOP|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER
0006FC08 00000000 \pSecurity = NULL

Now it's getting interesting.

3. The virus creates an iexplore.exe process (child of rundll32.exe) (by hooking CreateProcessA, see below):

0117ABB3 68 00AD1701 PUSH salvir_1.0117AD00 ; ASCII "kernel32.dll"
0117ABB8 E8 1FAFFFFF CALL salvir_1.01175ADC ; JMP to kernel32.GetModuleHandleA
75A55E2F 68 585EA575 PUSH apphelp.75A55E58 ; ASCII "[StubGetProcAddress] Stack capture caller 0x%p "

So it calls this multiple times to get the addresses of the following APIs in virus.exe:

0117AC34 68 80AD1701 PUSH salvir_1.0117AD80 ; ASCII "Process32First"
0117AC46 68 90AD1701 PUSH salvir_1.0117AD90 ; ASCII "Process32Next"
0117AC58 68 A0AD1701 PUSH salvir_1.0117ADA0 ; ASCII "Process32FirstW"
0117AC6A 68 B0AD1701 PUSH salvir_1.0117ADB0 ; ASCII "Process32NextW"
0117AC7C 68 C0AD1701 PUSH salvir_1.0117ADC0 ; ASCII "Thread32First"
0117AC8E 68 D0AD1701 PUSH salvir_1.0117ADD0 ; ASCII "Thread32Next"
0117ACA0 68 E0AD1701 PUSH salvir_1.0117ADE0 ; ASCII "Module32First"
0117ACB2 68 F0AD1701 PUSH salvir_1.0117ADF0 ; ASCII "Module32Next"
0117ACC4 68 00AE1701 PUSH salvir_1.0117AE00 ; ASCII "Module32FirstW"
0117ACD6 68 10AE1701 PUSH salvir_1.0117AE10 ; ASCII "Module32NextW"

Then:
0117AE31 FF15 6CC81801 CALL DWORD PTR DS:[118C86C] ; kernel32.CreateToolhelp32Snapshot
Then:
0117AE91 FF15 9CC81801 CALL DWORD PTR DS:[118C89C] ; kernel32.Module32First
Then:
0117AEB1 FF15 A0C81801 CALL DWORD PTR DS:[118C8A0] ; kernel32.Module32Next
Then:
0117E0AB E8 6479FFFF CALL salvir_1.01175A14 ; JMP to kernel32.CloseHandle
Then:
0117E1D4 E8 B379FFFF CALL salvir_1.01175B8C ; JMP to kernel32.OpenProcess
0006FBD0 02000000 |Access = 2000000
0006FBD4 00000000 |Inheritable = FALSE
0006FBD8 000006B0 \ProcessId = 6B0

Screenshot of processes involved: (screenshot not reproduced here)

As you can see from the previous screenshot, the process 6B0 (= 1712 decimal) will be opened.

Then:
0117E1FE E8 B979FFFF CALL salvir_1.01175BBC ; JMP to kernel32.VirtualAllocEx
0006FBC8 00000114
0006FBCC 00000000
0006FBD0 0000003A
0006FBD4 00001000
0006FBD8 00000004
0006FBDC 0006FC00
0006FBE0 0000003A
0006FBE4 75BCDA1D KERNELBA.75BCDA1D

And finally, what we've all been waiting for:
0117E286 FF15 C0CA1801 CALL DWORD PTR DS:[118CAC0] ; kernel32.WriteProcessMemory
0006FBC8 00000114 |hProcess = 00000114 (window)
0006FBCC 019A0000 |Address = 19A0000
0006FBD0 0118C8B0 |Buffer = salvir_1.0118C8B0
0006FBD4 0000003A |BytesToWrite = 3A (58.)
0006FBD8 0006FBF0 \pBytesWritten = 0006FBF0

Process memory has been written, but execution has not been passed on yet, so yeah:
0117E2E6 FF5424 44 CALL DWORD PTR SS:[ESP+44] ; ntdll.ZwCreateThreadEx

I saw this, but this doesn't get called:
0117E2FA FF15 C4CA1801 CALL DWORD PTR DS:[118CAC4] ; kernel32.CreateRemoteThread

Instead, NtCreateThreadEx gets called to create a REMOTE thread in IEXPLORE.EXE (the injected process).

Then this:
0117E32B E8 7C77FFFF CALL salvir_1.01175AAC ; JMP to kernel32.GetExitCodeThread
And this:
0117E335 E8 DA76FFFF CALL salvir_1.01175A14 ; JMP to kernel32.CloseHandle
Then:
01173FAE E8 1DD1FFFF CALL salvir_1.011710D0 ; JMP to kernel32.CreateThread
0006FC44 00000000 |pSecurity = NULL
0006FC48 00000000 |StackSize = 0
0006FC4C 01173F40 |ThreadFunction = salvir_1.01173F40
0006FC50 011A0B88 |pThreadParm = 011A0B88
0006FC54 00000000 |CreationFlags = 0
0006FC58 0118F844 \pThreadId = salvir_1.0118F844

It creates 2 of these threads (WITHIN Rundll32.exe's memory). One of the threads keeps checking in a loop for runctf.lnk. The other thread does this in a loop:
- Check for "C:\ProgramData\surivlas.pad"
- Kill TASKMGR.EXE

NOTES:
* Behaviour is different when using OllyDbg's LOADDLL.EXE! It's better to load Rundll32.exe directly in OllyDbg and pass the arguments mentioned above!

The IEXPLORE.EXE thread created before is used to connect and download data from the website. That's about it :3
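The sequence the post above documents, OpenProcess on another PID, VirtualAllocEx, WriteProcessMemory and then a remote thread (NtCreateThreadEx here, with CreateRemoteThread present but unused), is the classic remote-thread injection chain, and it is exactly the kind of ordered pattern a detection rule over an API-call trace can match. What follows is an added example, not code from the thread or the malware: a small detector that replays a constructed trace (invented field format and PIDs, modelled on the calls above) and reports the chain per (source, target) pair, accepting any of the thread-creation APIs the post names. It also flags the TerminateProcess of taskmgr.exe that the analysis describes. Real monitors (Sysmon, an API-hooking sandbox) emit richer records, so the parse step is the part you would swap out.

```python
import re
from collections import defaultdict

# Constructed trace, modelled on the call order observed in the thread.
# PIDs, field names and the notepad.exe noise lines are invented for the example.
SAMPLE_TRACE = """\
t=1 pid=2488 image=rundll32.exe api=CreateToolhelp32Snapshot
t=2 pid=2488 image=rundll32.exe api=OpenProcess target=1712 access=0x2000000
t=3 pid=2488 image=rundll32.exe api=VirtualAllocEx target=1712 size=0x3a protect=0x4
t=4 pid=2488 image=rundll32.exe api=WriteProcessMemory target=1712 size=0x3a
t=5 pid=2488 image=rundll32.exe api=NtCreateThreadEx target=1712
t=6 pid=2488 image=rundll32.exe api=CreateThread
t=7 pid=3100 image=notepad.exe api=VirtualAlloc size=0x1000
t=8 pid=3100 image=notepad.exe api=WriteFile
t=9 pid=2488 image=rundll32.exe api=Process32Next
t=10 pid=2488 image=rundll32.exe api=TerminateProcess target=4040 target_image=taskmgr.exe
"""

# Ordered stages of the remote-thread injection chain. The last stage accepts
# any of the thread-creation APIs seen in the disassembly (CreateRemoteThread,
# the ntdll export, or the Zw alias OllyDbg resolved it to).
STAGES = (
    {"OpenProcess"},
    {"VirtualAllocEx"},
    {"WriteProcessMemory"},
    {"CreateRemoteThread", "NtCreateThreadEx", "ZwCreateThreadEx"},
)

TOKEN_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict of strings (hex values are kept as text)."""
    return dict(TOKEN_RE.findall(line))


def detect_injection(trace_text):
    """Return one finding per (source pid, target pid) that completes every stage
    in order, plus a finding for each TerminateProcess aimed at taskmgr.exe."""
    progress = defaultdict(int)  # (pid, target) -> stages completed so far
    findings = []
    for line in trace_text.splitlines():
        ev = parse_line(line)
        api, pid, target = ev.get("api"), ev.get("pid"), ev.get("target")
        if target is None or target == pid:
            continue  # only cross-process calls are relevant to this rule
        key = (pid, target)
        stage = progress[key]
        if stage < len(STAGES) and api in STAGES[stage]:
            progress[key] = stage + 1
            if progress[key] == len(STAGES):
                findings.append({
                    "type": "remote_thread_injection",
                    "source": f"{ev.get('image')}:{pid}",
                    "target_pid": target,
                    "thread_api": api,
                    "at": ev.get("t"),
                })
        elif api == "TerminateProcess" and ev.get("target_image", "").lower() == "taskmgr.exe":
            findings.append({
                "type": "task_manager_killed",
                "source": f"{ev.get('image')}:{pid}",
                "target_pid": target,
                "at": ev.get("t"),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_injection(SAMPLE_TRACE):
        print(finding)
```

The rule is deliberately strict about order, so a process that only calls WriteProcessMemory and CreateRemoteThread without an earlier OpenProcess on the same target is not reported; in production you would relax that (the handle may come from a duplicated handle or from CreateProcess of a suspended child) and key on the process handle rather than the PID. The MAXIMUM_ALLOWED access mask (0x02000000) seen in the OpenProcess call is a useful secondary signal, since few legitimate tools open another process that way.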
Downloading... (author), posted February 7, 2013 (edited February 8, 2013 by Downloading...)

Alright, I found where it connected to, and it seems there are some analyses done before on this type, since I just googled the IPs and came up with these:
http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~EncPk-AHC/detailed-analysis.aspx
http://www.threatexpert.com/report.aspx?md5=b369e09677e4c1dfc29c70bf907a410a
http://www.soleranetworks.com/blogs/tag/146-185-255-219/
So yeah, I think I found the whole thing out by myself. Still a nice feeling to rape this virus. I found 3 names to whom the domains are registered; they are probably fake, but oh well... I think I can conclude the analysis is done, since there is nothing more to uncover :3 The .pad file is the location of the downloaded data. Voila, finito...
kakamail, posted February 8, 2013 (edited February 8, 2013 by kakamail)

Congrats! So no harmful registry keys, no file infection, just downloading a "thing" from the internet?
Downloading... (author), posted February 8, 2013

> Congrats! So no harmful registry keys, no file infection, just downloading a "thing" from the internet?

Yeah, it adds some startup keys and internet zone keys, but for the rest, it just downloads data from the internet and locks up your computer. But I think the website is blocked now, not sure...
kakamail, posted February 9, 2013

Hmm, so when the network is on, the computer will be locked. Maybe you should tell the way to prevent that thing from happening, to finish your work.
Downloading... (author), posted February 9, 2013

I guess that's doable, yeah. Start in safe mode, kill iexplore.exe and rundll32.exe. Delete runctf.lnk. Delete the keys mentioned above and all .pad files. Delete the shell startup (.js) you posted. Open msconfig.exe, disable the startup entry (and delete the key). Get an AV. Normally, your comp should be up and running again :3
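The cleanup list above, together with the registry writes from the February 5 post and the artifact names from the in-depth analysis, gives enough to write a post-infection audit: check which IE zone settings were weakened (1609 "Display mixed content" set to 0 = enable, 2500 "Turn on Protected Mode" set to 3 = disable, in zones 0 to 4 under HKEY_CURRENT_USER, plus NoProtectedModeBanner = 1), and look for the runctf.lnk startup shortcut and the reversed-name .pad file. The following is an added example, not code from the thread: the assessment is a pure function so it can be tested on any platform, the registry read uses Python's standard winreg only where it exists, and the demo builds a throwaway directory with constructed placeholder files rather than touching a real profile. The Startup and ProgramData paths are passed in because they vary per user and Windows version.

```python
import tempfile
from pathlib import Path

# Meaning of the zone "action" values the sample writes (IE Internet Settings):
# 1609 = "Display mixed content", 2500 = "Turn on Protected Mode";
# a value of 0 enables, 1 prompts, 3 disables. Zones 0-4 are the standard IE zones.
# HKEY_CURRENT_USER is the 0x80000001 root handle seen in the disassembly.
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
ACTIONS = {1609: "Display mixed content", 2500: "Turn on Protected Mode"}
ZONES_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"


def assess_zone_values(zone_values, no_protected_mode_banner=None):
    """zone_values maps (zone, action) -> DWORD. Returns findings matching what the
    sample leaves behind: Protected Mode off and mixed content allowed silently."""
    findings = []
    for (zone, action), value in sorted(zone_values.items()):
        name = ZONE_NAMES.get(zone, f"zone {zone}")
        if action == 2500 and value == 3:
            findings.append(f"Protected Mode disabled for {name}")
        elif action == 1609 and value == 0:
            findings.append(f"Mixed content allowed without prompt for {name}")
    if no_protected_mode_banner == 1:
        findings.append("NoProtectedModeBanner=1 hides the 'Protected Mode is off' notice")
    return findings


def read_zone_values_from_registry():
    """Read the live values on Windows; returns {} elsewhere so the rest still runs."""
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    for zone in ZONE_NAMES:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, f"{ZONES_KEY}\\{zone}") as key:
                for action in ACTIONS:
                    try:
                        values[(zone, action)] = winreg.QueryValueEx(key, str(action))[0]
                    except FileNotFoundError:
                        pass  # value not set in this zone
        except FileNotFoundError:
            pass  # zone key absent
    return values


def find_artifacts(startup_dir, programdata_dir, expected_pad_bytes=90 * 1024 * 1024):
    """Look for the on-disk traces named in the thread: the runctf.lnk startup
    shortcut and a .pad file in ProgramData (about 90 MB when the sample got online)."""
    findings = []
    for lnk in Path(startup_dir).glob("*.lnk"):
        if lnk.name.lower() == "runctf.lnk":
            findings.append(f"startup shortcut present: {lnk}")
    for pad in Path(programdata_dir).glob("*.pad"):
        size = pad.stat().st_size
        if size >= expected_pad_bytes // 2:
            findings.append(f"pad file present: {pad} ({size // (1024 * 1024)} MiB)")
        else:
            # kakamail's copy stayed small with the network off; still worth listing
            findings.append(f"small pad file present: {pad} ({size} bytes)")
    return findings


def demo_artifacts():
    """Build a throwaway directory layout that mimics an infected profile and scan it.
    Both files are constructed placeholders, not real malware artifacts."""
    root = Path(tempfile.mkdtemp(prefix="padaudit_"))
    startup, programdata = root / "Startup", root / "ProgramData"
    startup.mkdir()
    programdata.mkdir()
    (startup / "runctf.lnk").write_bytes(b"placeholder")
    (programdata / "suriv.pad").write_bytes(b"\x00" * 4096)
    return find_artifacts(startup, programdata)


if __name__ == "__main__":
    for line in assess_zone_values(read_zone_values_from_registry()) + demo_artifacts():
        print(line)
```

On a live Windows host you would pass the real Startup folder (the User Shell Folders value the sample itself reads) and C:\ProgramData to find_artifacts; the zone findings tell you which values to reset (2500 back to 0, 1609 back to 1 or the site policy's value) before trusting the browser again.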