Jump to content
Tuts 4 You

Reversing malware questions


Downloading...

Recommended Posts

Downloading...

Hey there,


 


I managed to get a sample of a "Ransomware" type of virus, which just locked the computer until one paid and got puts in a code to unlock (which I doubt would actually unlock it)


 


Anyhow, I grabbed the virus.exe and it's getting detected by 22/40 AV's.


 


I looked at it witrh PEiD which couldn't find anything, I assume the file is most likely packed.


I also ran a string command on it, nothing came out (except assembly XML file, so even more chance it's packed)


 


Then I disassembled the with IDA (all this in linux since it's risky :3 )


 


Here is a list of the imports:



 


10004000  RegOpenKeyExW            ADVAPI32 

10004008  GetSaveFileNameW         COMDLG32 

1000400C  GetOpenFileNameW         COMDLG32 

10004010  ChooseFontW              COMDLG32 

10004018  CreateBitmap             GDI32    

1000401C  CreateCompatibleBitmap   GDI32    

10004020  CreateCompatibleDC       GDI32    

10004024  CreateFontIndirectW      GDI32    

10004028  CreatePen                GDI32    

1000402C  CreatePolygonRgn         GDI32    

10004030  CreateSolidBrush         GDI32    

10004034  DeleteDC                 GDI32    

10004038  DeleteObject             GDI32    

1000403C  BitBlt                   GDI32    

10004040  EnableEUDC               GDI32    

10004044  EnumFontFamiliesW        GDI32    

10004048  ExtTextOutW              GDI32    

1000404C  FillRgn                  GDI32    

10004050  GetBitmapBits            GDI32    

10004054  GetFontData              GDI32    

10004058  GetObjectW               GDI32    

1000405C  GetRgnBox                GDI32    

10004060  GetStockObject           GDI32    

10004064  GetTextExtentExPointW    GDI32    

10004068  GetTextExtentPoint32W    GDI32    

1000406C  GetTextExtentPointW      GDI32    

10004070  GetTextMetricsW          GDI32    

10004074  Ellipse                  GDI32    

10004078  PatBlt                   GDI32    

1000407C  Rectangle                GDI32    

10004080  SelectObject             GDI32    

10004084  SetBitmapBits            GDI32    

10004088  SetBkColor               GDI32    

1000408C  SetTextColor             GDI32    

10004090  StretchBlt               GDI32    

10004094  OffsetRgn                GDI32    

1000409C  ImmRegisterWordW         IMM32    

100040A0  ImmSetCompositionStringW IMM32    

100040A4  ImmSetConversionStatus   IMM32    

100040A8  ImmIsIME                 IMM32    

100040AC  ImmGetConversionStatus   IMM32    

100040B0  ImmGetCompositionStringW IMM32    

100040B4  ImmAssociateContext      IMM32    

100040B8  ImmConfigureIMEW         IMM32    

100040BC  ImmCreateContext         IMM32    

100040C0  ImmDestroyContext        IMM32    

100040C4  ImmEnumRegisterWordW     IMM32    

100040C8  ImmEscapeW               IMM32    

100040D0  WriteFile                KERNEL32 

100040D4  VirtualAlloc             KERNEL32 

100040DC  ShellAboutW              SHELL32  

100040E4  ShowWindow               USER32   


 


 


I also noticed this:



 


.text:100038D0 ; BOOL __stdcall    DllEntryPoint(HINSTANCE    hinstDLL,DWORD fdwReason,LPVOID    lpReserved)

.text:100038D0               public DllEntryPoint

.text:100038D0 DllEntryPoint   proc near


 


I suppose this means there is a DLL imbedded in the application? 


But I don't get how it is supposed to run in memory with only VirtuallAllocEx and WriteFile?


Or it's simply a dropper?


 


Couldn't find anything more intrusting in the static analysis part.


 


I'm hesitating into going into dynamic analysis before you guys give me a few pointers!


Things I've been reading so far:


http://www.symantec.com/connect/articles/alien-autopsy-reverse-engineering-win32-trojans-linux


http://www.symantec.com/connect/articles/reverse-engineering-hostile-code


http://www.blackhat.com/presentations/bh-dc-07/Kendall_McMillan/Presentation/bh-dc-07-Kendall_McMillan.pdf


http://www.blackhat.com/presentations/bh-dc-07/Kendall_McMillan/Paper/bh-dc-07-Kendall_McMillan-WP.pdf


https://www.hex-rays.com/products/ida/support/tutorials/unpack_pe/manual.shtml


 


Any other things I could look into?


 


And am I allowed to share an INFECTED file?


If so, I'll attach the file later on!


 


Greetings,


 


Downloading...


Link to comment

Don't believe an import table in malware. All windows apis can be loaded dynamically. You shouldn't even look at it.


 


The ransomware I know is using a simple website trick to display complicated text on the whole screen:


http://www.codeproject.com/Articles/18417/Use-an-ActiveX-control-in-your-Win32-Project-witho


 


Maybe you should consider running it in a VM with windows xp and no internet access. Look what happens...


Link to comment
Downloading...

 Don't believe an import table in malware. All windows apis can be loaded dynamically. You shouldn't even look at it.

 

The ransomware I know is using a simple website trick to display complicated text on the whole screen:

http://www.codeproject.com/Articles/18417/Use-an-ActiveX-control-in-your-Win32-Project-witho

 

Maybe you should consider running it in a VM with windows xp and no internet access. Look what happens...

 

So it's of no use to analyse it statically?

I'll run it in a VM running Win7 and hope it won't use a 0day get out of VirtualBox... (I doubt it though)

This malware just pops up on every startup blocking everything, and it's full screen, not in a window

I'll run in on VM now, I'll update this frequently!

I still need to know if I can post an infected .exe analysis?

 

And ofcourse, thanks for the fast response!

Link to comment

Don't believe an import table in malware. All windows apis can be loaded dynamically. You shouldn't even look at it.

hi,Aguila , by 'All windows apis can be loaded dynamically' ,are you trying to mean the import table modification at run time(like some packer do)? Edited by Conquest
Link to comment
This malware just pops up on every startup blocking everything, and it's full screen, not in a window

 

when the content looks like a website, look at the link I posted. The malware is probably using the "website in a window trick". Of course the window is fullscreen without frame.

 

I think you can post the malware, packed in ZIP/RAR with a password and a warning message.

 

@Conquest

 

It is simliar, but usually malware is not building an import table. They just work with function pointers.

 

Simple way to do it:

 

GetProcAddress/GetModuleHandleA/LoadLibraryA

 

void * func_p = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtWriteVirtualMemory");

 

But you dont need these APIs, you can replace them with your own.

Edited by Aguila
Link to comment
Downloading...

I ran it in a Win 7 VM and it gave me an error: Not a valid PE executable file (or smth like that). Perhaps it detected VM, but I doubt it?


 


I then ran it trough OllyDbg which told me it was a DLL, and not an PE, it also asked me to run trough LOADLL.EXE, and so I did, but it's just an infinite loop from there...


 


I really wonder what is going on here...


 


Here's the INFECTED PE!


 


http://www.mediafire.com/?x0poa28rxdf9ujf


 


 


I'd love if you guys could share your finds!


 


I can eventually write a little paper on it.


 


I'm going to look into some other stuff that came with the virus...


 


This .bat file also came with it:


 


START "ok" rundll32.exe C:\Users\Username\virus.exe,M1N1 /B


 


M1N1 is the EntryPoint (function), and /B the "Base printer name" optional argument.

Edited by Downloading...
  • Like 1
Link to comment

START "ok" rundll32.exe C:\Users\Username\virus.exe,M1N1 /B

 

yeah, so your virus.exe is not actually an .exe file, but a .dll file. (the entrypoint named Dllmain() hints at it....).

Means, you cant "run" it, but olly should be able to handle it anyways with its dll loader.

Link to comment
Downloading...

yeah, so your virus.exe is not actually an .exe file, but a .dll file. (the entrypoint named Dllmain() hints at it....).

Means, you cant "run" it, but olly should be able to handle it anyways with its dll loader.

Exactly, I ran it in OllyDbg, I paused it, put a BP on code section, and it's just an infinite loop...Really strange!

Thanks for the reply!

 

I'll keep trying though, there HAS to be something.

The virus also created a .PAD file of 90mb, which is most likely webcam and logs etc.

 

I can't find what M1N refers to in disassembled DLL though?

Link to comment
Downloading...

Alright, so I ran the virus.exe trough rundll.exe and attached the process to OllyDbg.


 


What I can tell for now is it loops (with Sleep command inbetween) and searches for TASKMGR.EXE in Process Snaphot, if it exists, it gets killed.


 


It does also do some stuff with a 90mb file but I haven't found out what yet (most likely usless stuff)


 


No ransomware page, popups etc. appear...It might only be activated when connected to the internet to download the Ransom page?


Edited by Downloading...
Link to comment

I just know that it creates a js file which is a shell run, i don't know how to copy from VB to Host, but i think it's same as your .bat file. The name is your reverse name of exe. Your uploaded file is virus.exe so it will be surir.js, it locates in AllUser/Application.
The w,a,s,m,r variable is encrypt by Dec2Ascii (i don't remember the real name of this function), after decrypting i have 

w = Shell.Application
a = C:\\WINDOWS\\system32\\rundll32.exe
s = C:\DOCUME~1\UserName\Desktop\virus.exe, M1N3
m = runas
r = WScript.Shell


I just posted the decrypt part, in this .js file it has a command is run(a+s).
It also creates a shortcut to run rundll32.exe from Startup, you can go to Startup Fodler to see.The .PAD of me is so small (i disconnected from internet during tracing time) and from compare string between LOADDLL.EXE and some other, i see the virus.exe will use this .pad when it run under svchost.exe, opera.exe, firefox.exe, chrome.exe, ie.exe, rundll32.exe.Actually that all above does not in virus.exe, it's a dll embed in virus.exe, from Allocate function we can easily dump it. I saw 3 "things" like a dll but only one can load into Olly (it's the dll above), others say "Can not load".So to conclude, i see virus.exe is a loader, the dll dumped is main function. The function is check if it (virus.exe) run under these processes above. From here on i know nothing more. Here is what i guess from running it directly. If it runs under these processed then it will run ie.exe. If not, file still running but ie.exe is not run, just viurs.exe.
I wonder if i enable internet in my VB, will it infect to my Host?

Edited by kakamail
Link to comment

The file is packed with some kind of packer. You can easily analyze it in olly.


 


real oep looks like this:


 



0088F270 55 PUSH EBP
0088F271 8BEC MOV EBP,ESP
0088F273 83EC 24 SUB ESP,24
0088F276 C745 F8 00000000 MOV DWORD PTR SS:[EBP-8],0
0088F27D C745 DC 78000000 MOV DWORD PTR SS:[EBP-24],78
0088F284 C745 F4 01000000 MOV DWORD PTR SS:[EBP-C],1
0088F28B C745 FC 00000000 MOV DWORD PTR SS:[EBP-4],0
0088F292 C745 E8 00000000 MOV DWORD PTR SS:[EBP-18],0
0088F299 892D A0F48800 MOV DWORD PTR DS:[88F4A0],EBP
0088F29F 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] ; virus.<ModuleEntryPoint>
0088F2A2 890D 9CF48800 MOV DWORD PTR DS:[88F49C],ECX

 


you can step through the DLL Entrypoint. The packer uses the "push address + ret" trick to jump to some other location. The DLL Entrypoint is not "return"ed normally.


The file uses LoadLibraryExA/GetProcAddress to load other windows apis.


Link to comment

I stepped thru it all. I just don't know why my .pad file is much more smaller than Downloading... (less than 500kb) And my question is would my real pc be infected by this virus.exe if i enable network in VirtualBox.


Link to comment
Downloading...

I stepped thru it all. I just don't know why my .pad file is much more smaller than Downloading... (less than 500kb) And my question is would my real pc be infected by this virus.exe if i enable network in VirtualBox.

Kakamail, thanks for your investment!!!

 

I noticed the .js being created aswell.

 

 

The .pad file is 90mb on both my friend's infected computer and my infected VM, I think it's just a try to fool antiviri?

I'm going to investigate further tomorrow because I'm drunk now.

I also wonder why it did create a real full screen popup on my friend's computer? While on my VM it does almost nothing except checking a .PAD file and killing TASKMGR.EXE....

 

Pretty cool to learn though :3

Link to comment

I didn't see that Taskmgr.exe thing during my steps, since i use Process Explorer i didn't note my taskmanager was disabled or not either :D One thing i just remember is the IE.exe is created but it's not show at all, it runs background.


Link to comment
Downloading...
What I figured so far:

 

Dll is loaded, like Aquila said, return trick is used.

Once OEP is reached, the packer starts working and allocates memory (called virus_1 in memory map).

 

The control is then passed there, and that's where the actual unpacked virus starts executing.

 

It firsts checks for a file called (Reversedvirusname).pad in C:/ProgramData

NOTE: The file is only created when ran under one of the processes liste below.

 

It then checks whether it is being ran under : rundll32.exe, svchost.exe, explorer.exe .

 

In my case it wasn't (since I'm using LOADLL32.EXE from OllyDbg)

 

Then it checks this registry key, to find user start up folder:

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

 

And it looks for the key "StartUp". It then checks if a shortcut called runctf exists. The shortcut executes this command: rundll32.exe virus.exe,M1N1 (to execute virus on startup)

 

 

After that, it checks if it's being ran under iexplore.exe,iesart.exe,opera.exe,chrome.exe

 

Interestingly enough, it then terminates (because it's not being ran in one of the above processec)

 

By changing Zero flag to make it look like I'm running under rundll32.exe, it firsts create a 90mb file (Reversedvirusname).pad in C:/ProgramData (92.797 kb)

 

It does something else in depenging from what process it is being ran.

 

When ran from rundll32.exe it checks if the shortcut in start menu exists, then it add following registry keys to registry:

 



0119EE7E BA 54EF1901 MOV EDX,salvir_1.0119EF54 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1609"
0119EE83 B8 01000080 MOV EAX,80000001
0119EE88 E8 F3B1FFFF CALL salvir_1.0119A080
0119EE8D 33C9 XOR ECX,ECX
0119EE8F BA A8EF1901 MOV EDX,salvir_1.0119EFA8 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1609"
0119EE94 B8 01000080 MOV EAX,80000001
0119EE99 E8 E2B1FFFF CALL salvir_1.0119A080
0119EE9E 33C9 XOR ECX,ECX
0119EEA0 BA FCEF1901 MOV EDX,salvir_1.0119EFFC ; ASCII "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1609"
0119EEA5 B8 01000080 MOV EAX,80000001
0119EEAA E8 D1B1FFFF CALL salvir_1.0119A080
0119EEAF 33C9 XOR ECX,ECX
0119EEB1 BA 50F01901 MOV EDX,salvir_1.0119F050 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1609"
0119EEB6 B8 01000080 MOV EAX,80000001
0119EEBB E8 C0B1FFFF CALL salvir_1.0119A080
0119EEC0 33C9 XOR ECX,ECX
0119EEC2 BA A4F01901 MOV EDX,salvir_1.0119F0A4 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1609"
0119EEC7 B8 01000080 MOV EAX,80000001
0119EECC E8 AFB1FFFF CALL salvir_1.0119A080
0119EED1 B9 03000000 MOV ECX,3
0119EED6 BA F8F01901 MOV EDX,salvir_1.0119F0F8 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\2500"
0119EEDB B8 01000080 MOV EAX,80000001
0119EEE0 E8 9BB1FFFF CALL salvir_1.0119A080
0119EEE5 B9 03000000 MOV ECX,3
0119EEEA BA 4CF11901 MOV EDX,salvir_1.0119F14C ; ASCII "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500"
0119EEEF B8 01000080 MOV EAX,80000001
0119EEF4 E8 87B1FFFF CALL salvir_1.0119A080
0119EEF9 B9 03000000 MOV ECX,3
0119EEFE BA A0F11901 MOV EDX,salvir_1.0119F1A0 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500"
0119EF03 B8 01000080 MOV EAX,80000001
0119EF08 E8 73B1FFFF CALL salvir_1.0119A080
0119EF0D B9 03000000 MOV ECX,3
0119EF12 BA F4F11901 MOV EDX,salvir_1.0119F1F4 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500"
0119EF17 B8 01000080 MOV EAX,80000001
0119EF1C E8 5FB1FFFF CALL salvir_1.0119A080
0119EF21 B9 03000000 MOV ECX,3
0119EF26 BA 48F21901 MOV EDX,salvir_1.0119F248 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500"
0119EF2B B8 01000080 MOV EAX,80000001
0119EF30 E8 4BB1FFFF CALL salvir_1.0119A080
0119EF35 B9 01000000 MOV ECX,1
0119EF3A BA 9CF21901 MOV EDX,salvir_1.0119F29C ; ASCII "Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner"

 


 



 

I'm going to inspect the injected iexplore.exe later on!

 

I'm going to try and find where it does connect to download it's Ransomware pages.

 

I already found out where they get stored though. 

 

Thanks guy for the answers!

 

And what shall I do whet I have the server IP or some useful info?

Edited by Downloading...
Link to comment
Downloading...

How do you know iexplorer.exe is injected?

How to know where it connect to download?

As i know reversers always use http://whois.domaintools.com/ to find useful info about domain.

 

This virus tries to fool us by connecting to A LOT of IP's.

For now I only used the "sniffer" way to retrieve IP's.

 

But later today, I'll just jump in the code, set a BP on code section, and waiting for it to break to get in the connect routine :).

I already tried this out without internet connection, in never breaks in code section, it's just looping in Wininet (which calls Ws2_32.dll).

So obviously it keeps looping there until it's being connected to the internet.

 

The data downloaded seems encrypted though, I'll need to find how it's decrypted, and if possible where the decrypted file if stored (IF it is stored).

 

Atleast I got some IP's to go from :3 .

 

And you can see it injects iexplore.exe since the process is created out of nowhere + by following the code, it does call CreateRemoteThread.

 

I'll put that code here later today.

 

EDIT: Is what I'm doing useless? I mean, the only thing I can get is knowledge (useful), and the IP (I guess that's useless?)

Edited by Downloading...
Link to comment

hmm, i did see the CreateThread, 2 times-same place, but my olly didn't break at new thread function, i don't know what this CreateThread do :| Could you talk about it little more.About the "useless" thing, i'm just interested in cracking/reversing virus, willing spend all my time doing if it's in my level, discover new thing make me happy, my head is filled by cool things that what i need :D

  • Like 1
Link to comment
Downloading...

This is the first part of the in depth analysis of the virus:


 


 


1.Rundll32.exe loads virus.exe into memory

2.RUndll32.exe jumps to virus_1 section, and there begins the actual code execution

 

-Virus creates C:/ProgramData/suriv.pad (used later to store downloaded data)

-Virus reads "SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup"

-Virus creates runctf.lnk in path gotten from  "startup" key above (runctf.lnk is just a shortcut which executes rundll32.exe + virus.exe upon system startup)

(key gives this path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup)

-virus add "zone keys" to registry(see above)

-Virus reads "HKEY_CLASSES_ROOT\Applications\iexplore.exe\shell\open\command" (reads "Default" value) (%1 is cut away later)

(key gives this path: "C:\Program Files\Internet Explorer\iexplore.exe" %1")

-virus call CreateDesktopA with following parameters:

 


 



0006FBF4   011A0BCC  |DesktopName = "loabri"
0006FBF8   00000000  |Device = NULL
0006FBFC   00000000  |pDevmode = NULL
0006FC00   00000000  |Interaction = 0.
0006FC04   000F01FF  |DesiredAccess = DESKTOP_READOBJECTS|DESKTOP_CREATEWINDOW|DESKTOP_CREATEMENU|DESKTOP_HOOKCONTROL|DESKTOP_JOURNALRECORD|DESKTOP_JOURNALPLAYBACK|DESKTOP_ENUMERATE|DESKTOP_WRITEOBJECTS|DESKTOP_SWITCHDESKTOP|DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER
0006FC08   00000000  \pSecurity = NULL
 

 



 

Now it's getting intrusting :)

 

3.virus creates iexplore.exe process (child of rundll32.exe) (By Hooking CreateProcessA, see below)

 

c0ExoFW.png

 

OPAGnEi.png

 

JDiihYb.png


 



0117ABB3    68 00AD1701     PUSH salvir_1.0117AD00                   ; ASCII "kernel32.dll"
0117ABB8    E8 1FAFFFFF     CALL salvir_1.01175ADC                   ; JMP to kernel32.GetModuleHandleA
75A55E2F    68 585EA575     PUSH apphelp.75A55E58                    ; ASCII "[StubGetProcAddress] Stack capture caller 0x%p
"
 

 



 

So it call this multiple times to get addresses of following API in virus.exe:

 

ExerzRc.png

 

t3cP9df.png

 


 



0117AC34    68 80AD1701     PUSH salvir_1.0117AD80                   ; ASCII "Process32First"
0117AC46    68 90AD1701     PUSH salvir_1.0117AD90                   ; ASCII "Process32Next"
0117AC58    68 A0AD1701     PUSH salvir_1.0117ADA0                   ; ASCII "Process32FirstW"
0117AC6A    68 B0AD1701     PUSH salvir_1.0117ADB0                   ; ASCII "Process32NextW"
0117AC7C    68 C0AD1701     PUSH salvir_1.0117ADC0                   ; ASCII "Thread32First"
0117AC8E    68 D0AD1701     PUSH salvir_1.0117ADD0                   ; ASCII "Thread32Next"
0117ACA0    68 E0AD1701     PUSH salvir_1.0117ADE0                   ; ASCII "Module32First"
0117ACB2    68 F0AD1701     PUSH salvir_1.0117ADF0                   ; ASCII "Module32Next"
0117ACC4    68 00AE1701     PUSH salvir_1.0117AE00                   ; ASCII "Module32FirstW"
0117ACD6    68 10AE1701     PUSH salvir_1.0117AE10                   ; ASCII "Module32NextW"
 

 



 

Then:

 


 



0117AE31    FF15 6CC81801   CALL DWORD PTR DS:[118C86C]              ; kernel32.CreateToolhelp32Snapshot
 

 



 

Then:

 


 



0117AE91    FF15 9CC81801   CALL DWORD PTR DS:[118C89C]              ; kernel32.Module32First
 

 



 

Then:

 


 



0117AEB1    FF15 A0C81801   CALL DWORD PTR DS:[118C8A0]              ; kernel32.Module32Next
 

 



 

Then:

 


 



0117E0AB    E8 6479FFFF     CALL salvir_1.01175A14                   ; JMP to kernel32.CloseHandle
 

 



 

Then:

 


 




 



0117E1D4    E8 B379FFFF     CALL salvir_1.01175B8C                   ; JMP to kernel32.OpenProcess
 
0006FBD0   02000000  |Access = 2000000
0006FBD4   00000000  |Inheritable = FALSE
0006FBD8   000006B0  \ProcessId = 6B0
 

 




 



Screenshot of processes involved:

 

raD4T2b.png

 

As you can see from previous screenshot, the process 6B0 (= 1712 decimal) will be opened.

 

Then:

 


 



0117E1FE    E8 B979FFFF     CALL salvir_1.01175BBC                   ; JMP to kernel32.VirtualAllocEx
0006FBC8   00000114
0006FBCC   00000000
0006FBD0   0000003A
0006FBD4   00001000
0006FBD8   00000004
0006FBDC   0006FC00
0006FBE0   0000003A
0006FBE4   75BCDA1D  KERNELBA.75BCDA1D
 

 



 

 

And finally, what we've all been waiting for:

 


 



0117E286    FF15 C0CA1801   CALL DWORD PTR DS:[118CAC0]              ; kernel32.WriteProcessMemory
0006FBC8   00000114  |hProcess = 00000114 (window)
0006FBCC   019A0000  |Address = 19A0000
0006FBD0   0118C8B0  |Buffer = salvir_1.0118C8B0
0006FBD4   0000003A  |BytesToWrite = 3A (58.)
0006FBD8   0006FBF0  \pBytesWritten = 0006FBF0
 

 



 

Process memory has been written, but execution has not been passe don yet, so yeah:

 


 



0117E2E6    FF5424 44       CALL DWORD PTR SS:[ESP+44]               ; ntdll.ZwCreateThreadEx
 

 



 

I saw this, but this doesn't get called:

0117E2FA    FF15 C4CA1801   CALL DWORD PTR DS:[118CAC4]              ; kernel32.CreateRemoteThread

 

Instead, NtCreateThreadEx gets called to create a REMOTE thread in IEXPLORE.EXE (injected process)

 

 

Then this:


 



0117E32B    E8 7C77FFFF     CALL salvir_1.01175AAC                   ; JMP to kernel32.GetExitCodeThread
 

 



 

 

And this:

 


 



0117E335    E8 DA76FFFF     CALL salvir_1.01175A14                   ; JMP to kernel32.CloseHandle
 

 



 

Then:

 


 



01173FAE    E8 1DD1FFFF     CALL salvir_1.011710D0                   ; JMP to kernel32.CreateThread
0006FC44   00000000  |pSecurity = NULL
0006FC48   00000000  |StackSize = 0
0006FC4C   01173F40  |ThreadFunction = salvir_1.01173F40
0006FC50   011A0B88  |pThreadParm = 011A0B88
0006FC54   00000000  |CreationFlags = 0
0006FC58   0118F844  \pThreadId = salvir_1.0118F844
 

 



 

It creates 2 of these threads (WITHING Rundll32.exe's memory)

 

One of the threads keeps checking in a loop for runcft.lnk

The other thread does this in loop:

-Check for "C:\ProgramData\surivlas.pad"

-Kills TASKMGR.EXE

 

NOTES:

* Behaviour is different when using OllyDbg's LOADLL.EXE! It's better to load Rundll32.exe directly in OllyDbg and pass arguments mentioned above!

 

The IEXPLORE.EXE thread created before, is used to connect and download data from website :) .

 

That's about it :3

Edited by Downloading...
Link to comment
Downloading...

Alright, I found where it connected to, and it seems there are some analysis done before on this type, sincei just googled the IP's and came up with these:


 


http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~EncPk-AHC/detailed-analysis.aspx


http://www.threatexpert.com/report.aspx?md5=b369e09677e4c1dfc29c70bf907a410a


http://www.soleranetworks.com/blogs/tag/146-185-255-219/


 


So yeah, I think I found the whole thing out by myself :)


Still a nice feeling to rape this virus :D


 


I found 3 names to whom domains are registered, they are probably fake, but oh well...


 


I think I can conclude the anlaysis is done, since there is nothing more to uncover :3


The .pad file is the location of the downloaded data :)


 


Voila, finito...


Edited by Downloading...
Link to comment
Downloading...

Congrats! So no harm registry key, no file infect, just download "thing" from internet :)

 

Yeah, it add some startup keys and internet zone keys, but for the rest, it just downloads data from internet, and locks up your computer :D

But I think the website is blocked now, not sure...

Link to comment
Downloading...

I guess that's doable yeah.


 


Start in safe mode, kill iexplore.exe, rundll32.exe .


Delete runctf.lnk


Delete keys mentioned above


all .pad files


Delete shell startup (.js) you posted


open msconfig.exe disable start up (and delete key)


get an AV


 


Normally, your comp should be up and running again :3


  • Like 1
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...