Citadel (Zeus clone)

Forum for analysis and discussion about malware.

Re: Citadel (Zeus clone)

Postby Apocalypse » Sun Oct 28, 2012 9:53 am

Because .htaccess may not work on non-Apache web servers.
Apocalypse
 
Posts: 12
Joined: Fri Oct 28, 2011 11:51 am
Reputation point: 0

Citadel

Postby Cassiel » Wed Jan 02, 2013 4:15 pm

Hello all

I am currently looking for multiple samples of Citadel or detailed analysis of them. The ones I found on the forum refuse to work in my virtual lab and kill themselves.
Most likely it is the protection against VMs, although I killed all processes from VirtualBox. If anybody knows how to bypass this then this is also welcome.

Regards

Cassiel
Cassiel
 
Posts: 13
Joined: Mon Dec 17, 2012 12:03 pm
Reputation point: 6

Re: Citadel

Postby Buster_BSA » Wed Jan 02, 2013 5:22 pm

Read this thread: viewtopic.php?f=11&t=1911
Buster_BSA
 
Posts: 390
Joined: Mon Mar 22, 2010 6:42 am
Reputation point: 35

Re: Citadel

Postby EP_X0FF » Wed Jan 02, 2013 6:35 pm

Cassiel wrote: Hello all

I am currently looking for multiple samples of Citadel or detailed analysis of them. The ones I found on the forum refuse to work in my virtual lab and kill themselves.
Most likely it is the protection against VMs, although I killed all processes from VirtualBox. If anybody knows how to bypass this then this is also welcome.

Regards

Cassiel


Hello,

attach or point to the sample you are talking about. AFAIR Citadel AntiVM (1.3.4.5) was just a lame check of the CompanyName part of the VERSION_INFO block of running processes. However it might have additional VM detection at crypter level.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4752
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 562

Re: Citadel (Zeus clone)

Postby Cassiel » Thu Jan 03, 2013 9:31 am

Hello EP_X0FF

I have attached the BSA logs + samples, I did notice that it seems to stop after getting the hostname.
It is a rather generic 'xp1' as hostname though so maybe it is just my imagination.
The check you mean was indeed the one I tried to get around but maybe I screwed up somewhere.

Cassiel


EDIT: and considering I am still sleepy I forgot the attachments, hoping this won't give double posts.
Cassiel
 
Posts: 13
Joined: Mon Dec 17, 2012 12:03 pm
Reputation point: 6

Re: Citadel (Zeus clone)

Postby EP_X0FF » Thu Jan 03, 2013 11:19 am

6f6b5fe65fdc8df2a627c19f838ec6b0f6329abab82c4e8f2ce7f235f79e1c9f as test.

Needed a quick patch for me, however I think you don't need it. Citadel tries to discover the bot's geographic location (GetKeyboardLayoutList) and terminates immediately if it finds Russia (0x419) or Ukraine (0x422). Patch with two nops @0041FDC2. After this I was able to run it. Citadel installed itself, mapped into multiple processes and hooked Win32 API.

Code:
[1216]explorer.exe-->ntdll.dll-->NtCreateThread, Type: Inline - PushRet 0x7C90D190-->02C09638 [unknown_code_page]
[1216]explorer.exe-->ntdll.dll-->LdrLoadDll, Type: Code Mismatch 0x7C9163A3 + 1 [13 98 C0 02 C3]
[1216]explorer.exe-->kernel32.dll-->GetFileAttributesExW, Type: Inline - PushRet 0x7C811185-->02C09A7C [unknown_code_page]
[1216]explorer.exe-->kernel32.dll-->ExitProcess, Type: Inline - PushRet 0x7C81CAFA-->02C09A3B [unknown_code_page]
[1216]explorer.exe-->advapi32.dll-->CreateProcessAsUserW, Type: Inline - PushRet 0x77DDA889-->02C09AF9 [unknown_code_page]
[1216]explorer.exe-->advapi32.dll-->CreateProcessAsUserA, Type: Inline - PushRet 0x77E00C80-->02C09AE2 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->ReleaseDC, Type: Inline - PushRet 0x7E36869D-->02C19B53 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->GetDC, Type: Inline - PushRet 0x7E3686C7-->02C19AD5 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->TranslateMessage, Type: Inline - PushRet 0x7E368BF6-->02C09D04 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->GetWindowDC, Type: Inline - PushRet 0x7E369021-->02C19B14 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->GetMessageW, Type: Inline - PushRet 0x7E3691C6-->02C0A93D [unknown_code_page]
[1216]explorer.exe-->user32.dll-->PeekMessageW, Type: Inline - PushRet 0x7E36929B-->02C0A98D [unknown_code_page]
[1216]explorer.exe-->user32.dll-->GetCapture, Type: Inline - PushRet 0x7E3694DA-->02C0A89E [unknown_code_page]
[1216]explorer.exe-->user32.dll-->RegisterClassW, Type: Inline - PushRet 0x7E36A39A-->02C12809 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->RegisterClassExW, Type: Inline - PushRet 0x7E36AF7F-->02C128A3 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->OpenInputDesktop, Type: Inline - PushRet 0x7E36ECA3-->02C12497 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->SwitchDesktop, Type: Inline - PushRet 0x7E36FE6E-->02C124E7 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->DefDlgProcW, Type: Inline - PushRet 0x7E373D3A-->02C12591 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->GetMessageA, Type: Inline - PushRet 0x7E37772B-->02C0A965 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->RegisterClassExA, Type: Inline - PushRet 0x7E377C39-->02C128F5 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->DefWindowProcW, Type: Inline - PushRet 0x7E378D20-->02C12505 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->BeginPaint, Type: Inline - PushRet 0x7E378FE9-->02C199CA [unknown_code_page]
[1216]explorer.exe-->user32.dll-->EndPaint, Type: Inline - PushRet 0x7E378FFD-->02C19A3A [unknown_code_page]
[1216]explorer.exe-->user32.dll-->GetCursorPos, Type: Inline - PushRet 0x7E37974E-->02C0A770 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->GetMessagePos, Type: Inline - PushRet 0x7E37996C-->02C0A73E [unknown_code_page]
[1216]explorer.exe-->user32.dll-->CallWindowProcW, Type: Inline - PushRet 0x7E37A01E-->02C1273B [unknown_code_page]
[1216]explorer.exe-->user32.dll-->PeekMessageA, Type: Inline - PushRet 0x7E37A340-->02C0A9B8 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->GetUpdateRect, Type: Inline - PushRet 0x7E37A8C9-->02C19B93 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->CallWindowProcA, Type: Inline - PushRet 0x7E37A97D-->02C12784 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->DefWindowProcA, Type: Inline - PushRet 0x7E37C17E-->02C1254B [unknown_code_page]
[1216]explorer.exe-->user32.dll-->SetCapture, Type: Inline - PushRet 0x7E37C35E-->02C0A7F4 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->ReleaseCapture, Type: Inline - PushRet 0x7E37C37A-->02C0A84E [unknown_code_page]
[1216]explorer.exe-->user32.dll-->GetDCEx, Type: Inline - PushRet 0x7E37C595-->02C19A7A [unknown_code_page]
[1216]explorer.exe-->user32.dll-->RegisterClassA, Type: Inline - PushRet 0x7E37EA5E-->02C12856 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->GetUpdateRgn, Type: Inline - PushRet 0x7E37F5EC-->02C19C26 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->DefFrameProcW, Type: Inline - PushRet 0x7E380833-->02C1261D [unknown_code_page]
[1216]explorer.exe-->user32.dll-->DefMDIChildProcW, Type: Inline - PushRet 0x7E380A47-->02C126AF [unknown_code_page]
[1216]explorer.exe-->user32.dll-->GetClipboardData, Type: Inline - PushRet 0x7E380DBA-->02C09E7A [unknown_code_page]
[1216]explorer.exe-->user32.dll-->DefDlgProcA, Type: Inline - PushRet 0x7E38E577-->02C125D7 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->DefFrameProcA, Type: Inline - PushRet 0x7E39F965-->02C12666 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->DefMDIChildProcA, Type: Inline - PushRet 0x7E39F9B4-->02C126F5 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->SetCursorPos, Type: Inline - PushRet 0x7E3A61B3-->02C0A7B7 [unknown_code_page]
[1216]explorer.exe-->wininet.dll-->HttpOpenRequestA, Type: Inline - PushRet 0x771B2AF9-->02C1BCBE [unknown_code_page]
[1216]explorer.exe-->wininet.dll-->InternetCloseHandle, Type: Inline - PushRet 0x771B4D8C-->02C1BF76 [unknown_code_page]
[1216]explorer.exe-->wininet.dll-->HttpSendRequestA, Type: Inline - PushRet 0x771B60A1-->02C1BD51 [unknown_code_page]
[1216]explorer.exe-->wininet.dll-->HttpQueryInfoA, Type: Inline - PushRet 0x771B79C2-->02C1C116 [unknown_code_page]
[1216]explorer.exe-->wininet.dll-->InternetReadFile, Type: Inline - PushRet 0x771B82EA-->02C1BFE3 [unknown_code_page]
[1216]explorer.exe-->wininet.dll-->HttpSendRequestExW, Type: Inline - PushRet 0x771BE9C1-->02C1BDA6 [unknown_code_page]
[1216]explorer.exe-->wininet.dll-->HttpOpenRequestW, Type: Inline - PushRet 0x771BF4D7-->02C1BC80 [unknown_code_page]
[1216]explorer.exe-->wininet.dll-->InternetQueryDataAvailable, Type: Inline - PushRet 0x771C89F7-->02C1C0EA [unknown_code_page]
[1216]explorer.exe-->wininet.dll-->InternetSetFilePointer, Type: Inline - PushRet 0x771E840B-->02C1C090 [unknown_code_page]
[1216]explorer.exe-->wininet.dll-->InternetReadFileExA, Type: Inline - PushRet 0x771E9100-->02C1C011 [unknown_code_page]
[1216]explorer.exe-->wininet.dll-->HttpSendRequestW, Type: Inline - PushRet 0x77202EBC-->02C1BCFC [unknown_code_page]
[1216]explorer.exe-->wininet.dll-->HttpSendRequestExA, Type: Inline - PushRet 0x77202FC1-->02C1BE43 [unknown_code_page]
[1216]explorer.exe-->wininet.dll-->HttpEndRequestA, Type: Inline - PushRet 0x77203027-->02C1BEE0 [unknown_code_page]
[1216]explorer.exe-->wininet.dll-->HttpEndRequestW, Type: Inline - PushRet 0x77203059-->02C1BF2B [unknown_code_page]
[1216]explorer.exe-->ws2_32.dll-->getaddrinfo, Type: Inline - PushRet 0x71A92A6F-->02C20DB1 [unknown_code_page]
[1216]explorer.exe-->ws2_32.dll-->closesocket, Type: Inline - PushRet 0x71A93E2B-->02C211A0 [unknown_code_page]
[1216]explorer.exe-->ws2_32.dll-->send, Type: Inline - PushRet 0x71A94C27-->02C211D8 [unknown_code_page]
[1216]explorer.exe-->ws2_32.dll-->gethostbyname, Type: Inline - PushRet 0x71A95355-->02C20D41 [unknown_code_page]
[1216]explorer.exe-->ws2_32.dll-->WSASend, Type: Inline - PushRet 0x71A968FA-->02C211F9 [unknown_code_page]
[1216]explorer.exe-->crypt32.dll-->PFXImportCertStore, Type: Inline - PushRet 0x77ADFF8F-->02C218D9 [unknown_code_page]


Autorun entry set.

I see you use VirtualBox. See Buster_BSA link.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4752
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 562
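The hook report above is the kind of output a practitioner wants to turn into something searchable rather than read line by line. Below is an added example, not code from the thread or from the scanner that produced the report: a small parser for that line format, a per-module summary of hooked exports, and a check that all detour targets land in the same handful of 64 KB pages (the region the scanner labels unknown_code_page, i.e. the injected Citadel code). It also decodes the "Code Mismatch" entry on LdrLoadDll, whose mismatched bytes (at +1) look like the tail of the same push imm32 / ret detour, so its target can be recovered as well. The sample lines are constructed here in the same format as the quoted report.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the hook report quoted in the thread.
SAMPLE_LOG = """\
[1216]explorer.exe-->ntdll.dll-->NtCreateThread, Type: Inline - PushRet 0x7C90D190-->02C09638 [unknown_code_page]
[1216]explorer.exe-->ntdll.dll-->LdrLoadDll, Type: Code Mismatch 0x7C9163A3 + 1 [13 98 C0 02 C3]
[1216]explorer.exe-->wininet.dll-->HttpSendRequestA, Type: Inline - PushRet 0x771B60A1-->02C1BD51 [unknown_code_page]
[1216]explorer.exe-->ws2_32.dll-->send, Type: Inline - PushRet 0x71A94C27-->02C211D8 [unknown_code_page]
"""

# One report line: [pid]process-->module-->function, Type: <type> 0x<hooked>[-->target][ + offset] [detail]
LINE_RE = re.compile(
    r"^\[(?P<pid>\d+)\](?P<process>[^-]+)-->(?P<module>[^-]+)-->(?P<function>\w+), "
    r"Type: (?P<type>Inline - PushRet|Code Mismatch) "
    r"0x(?P<hooked>[0-9A-Fa-f]+)"
    r"(?:-->(?P<target>[0-9A-Fa-f]+))?"
    r"(?: \+ (?P<offset>\d+))?"
    r" \[(?P<detail>[^\]]*)\]$"
)


def parse_hooks(text):
    """Parse report lines into dicts; addresses become ints, missing fields None/0."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised hook line: {line!r}")
        d = m.groupdict()
        records.append({
            "pid": int(d["pid"]),
            "process": d["process"],
            "module": d["module"],
            "function": d["function"],
            "type": d["type"],
            "hooked": int(d["hooked"], 16),
            "target": int(d["target"], 16) if d["target"] else None,
            "offset": int(d["offset"]) if d["offset"] else 0,
            "detail": d["detail"],
        })
    return records


def summarize_by_module(records):
    """Map module name -> list of hooked exports, in report order."""
    by_mod = defaultdict(list)
    for r in records:
        by_mod[r["module"]].append(r["function"])
    return dict(by_mod)


def pushret_target_from_mismatch(detail):
    """Recover the detour target from a Code Mismatch byte dump.

    A push imm32 / ret detour is 68 xx xx xx xx C3. A mismatch reported at +1
    (after the 0x68 opcode) therefore shows the four little-endian target bytes
    followed by C3. Returns the target, or None if the bytes do not fit that shape.
    """
    raw = bytes.fromhex(detail.replace(" ", ""))
    if len(raw) != 5 or raw[4] != 0xC3:
        return None
    return int.from_bytes(raw[:4], "little")


def trampoline_pages(records, page_shift=16):
    """Set of 64 KB pages (address >> 16) that the detours jump into.

    Inline PushRet hooks carry an explicit target; Code Mismatch entries are
    decoded from their byte dump where possible. A small set means every hooked
    API is routed into one injected region.
    """
    pages = set()
    for r in records:
        target = r["target"]
        if target is None and r["type"] == "Code Mismatch":
            target = pushret_target_from_mismatch(r["detail"])
        if target is not None:
            pages.add(target >> page_shift)
    return pages


if __name__ == "__main__":
    recs = parse_hooks(SAMPLE_LOG)
    for mod, funcs in summarize_by_module(recs).items():
        print(f"{mod}: {', '.join(funcs)}")
    print("detour pages:", sorted(hex(p << 16) for p in trampoline_pages(recs)))
```

Run against the full report from the post, the page set stays at three entries (0x02C00000, 0x02C10000, 0x02C20000), which is a quick way to confirm that every hooked export in explorer.exe is redirected into the same injected mapping rather than into several unrelated ones.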

Re: Citadel (Zeus clone)

Postby Cassiel » Thu Jan 03, 2013 11:40 am

I hereby officially declare that I only understand a part of all you said, but I will try to figure it out ;)
Cassiel
 
Posts: 13
Joined: Mon Dec 17, 2012 12:03 pm
Reputation point: 6

Re: VirtualBox Anti-AntiVM

Postby Cassiel » Fri Jan 04, 2013 10:03 am

I also tried the Citadel sample with everything I could adjust and that doesn't work. Seems like it is Google time and hope to find something :)
Cassiel
 
Posts: 13
Joined: Mon Dec 17, 2012 12:03 pm
Reputation point: 6

Re: Citadel (Zeus clone)

Postby Cassiel » Fri Jan 04, 2013 10:51 am

@ EP_X0FF

I have run the sample in my VM and I noticed some strange things. If I run it outside BSA it will set the autorun part, if I run it inside BSA it won't.
There are the "usual" registry changes but there is nothing being added to the run key. It is like it puts itself to sleep and then can no longer continue.
Cassiel
 
Posts: 13
Joined: Mon Dec 17, 2012 12:03 pm
Reputation point: 6

Re: VirtualBox Anti-AntiVM

Postby EP_X0FF » Fri Jan 04, 2013 11:07 am

Cassiel wrote: I also tried the Citadel sample with everything I could adjust and that doesn't work. Seems like it is Google time and hope to find something :)


What exactly is not working, what sample are you looking at and how? Same as here viewtopic.php?p=17563#p17563?
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4752
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 562
