WinNT/Simda

Forum for analysis and discussion about malware.

Re: Win32/Simda

Postby EP_X0FF » Sat Jun 29, 2013 12:38 pm

Unpacked driver in attach.

The Simda obfuscator is somewhat irritating as it is multistaged. Drivers and DLLs haven't been updated since March 2011. The only thing they change is the upper obfuscation layer.

1) original_rootkit_driver -> decrypts second stage procedures (implemented as a second native PE file); can be decrypted in a user-mode debugger, or break in WinDbg at the Simda driver entry and trace until "call eax".

Decrypt algorithm at stage 1:
Code:
  { Stage-1 decryption as reconstructed from the driver: every DWORD of the
    input is added to a rolling 32-bit key, all arithmetic wrapping modulo 2^32.
    Note the inclusive loop bound: it walks BufferSize div 4 + 1 DWORDs. }
  {$Q-,R-}   { overflow/range checks off, the keys are meant to wrap }
  procedure DecryptStage1(InputPtr, OutputPtr: PDWORD; BufferSize: DWORD);
  var
    key1, key2, dwData, i: DWORD;
  begin
    key1 := $E34CAD83;
    key2 := $54B14C88;
    for i := 0 to BufferSize div sizeof(DWORD) do
    begin
      dwData := InputPtr^ + key1;
      OutputPtr^ := dwData;
      key1 := key1 + key2;
      key2 := key2 - $42BE4641;
      inc(InputPtr);
      inc(OutputPtr);
    end;
  end;


2) second stage procedures -> custom decryption of the payload container (seems RC4) -> aplib unpacking next (break on the aplib unpacking routine and dump the kernel memory it fills).
3) third stage is 2 native PE drivers and 2 DLLs, which it uses for injection purposes.

All stages in attach. For more info see http://www.microsoft.com/security/porta ... imda.gen!A
Ring0 - the source of inspiration
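A Python port of the stage-1 routine from the post above, added here as an example (it is not EP_X0FF's code nor anything from the Simda sample). It reproduces the additive key schedule exactly as the Pascal loop states it (key1 += key2, key2 -= 0x42BE4641, all mod 2^32) and decrypts exactly len(data)//4 DWORDs rather than the inclusive "0 to N" bound, passing any trailing bytes through untouched. The inverse routine, the fake MZ/PE blob and the PE sanity check are assumptions added so the example can run offline on constructed data; the blob is a bare header, not a real binary.

```python
import struct

# Constants from the stage-1 loop in the post above.
KEY1_INIT = 0xE34CAD83
KEY2_INIT = 0x54B14C88
KEY2_STEP = 0x42BE4641
MASK32 = 0xFFFFFFFF


def stage1_keystream(n_dwords):
    """Yield the successive values of key1, the additive key for each DWORD.
    key1 grows by key2 every round and key2 shrinks by a constant, mod 2^32."""
    key1, key2 = KEY1_INIT, KEY2_INIT
    for _ in range(n_dwords):
        yield key1
        key1 = (key1 + key2) & MASK32
        key2 = (key2 - KEY2_STEP) & MASK32


def _apply(data, sign):
    """Add (sign=+1, decrypt) or subtract (sign=-1, encrypt) the keystream from
    each little-endian DWORD; bytes beyond the last full DWORD pass through."""
    n = len(data) // 4
    words = struct.unpack('<%dI' % n, data[:n * 4])
    out = [(w + sign * k) & MASK32 for w, k in zip(words, stage1_keystream(n))]
    return struct.pack('<%dI' % n, *out) + data[n * 4:]


def stage1_decrypt(data):
    """The routine the driver runs on the embedded second stage."""
    return _apply(data, +1)


def stage1_encrypt(data):
    """Inverse of the decrypt loop (assumption: derived, not from the sample),
    only used here to manufacture test input."""
    return _apply(data, -1)


def looks_like_pe(buf):
    """Sanity check for the decrypted output: the second stage is a native PE,
    so expect 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew (offset 0x3C)."""
    if len(buf) < 0x40 or buf[:2] != b'MZ':
        return False
    e_lfanew = struct.unpack_from('<I', buf, 0x3C)[0]
    return buf[e_lfanew:e_lfanew + 4] == b'PE\0\0'


def build_fake_pe():
    """Constructed stand-in for the embedded PE: DOS header with e_lfanew=0x40,
    the PE signature, padding, and two stray tail bytes to exercise the
    non-DWORD-aligned path. Not a real binary."""
    hdr = bytearray(0x40)
    hdr[0:2] = b'MZ'
    struct.pack_into('<I', hdr, 0x3C, 0x40)
    return bytes(hdr) + b'PE\0\0' + b'\0' * 60 + b'\xaa\xbb'   # 130 bytes


SAMPLE_PLAIN = build_fake_pe()
SAMPLE_CIPHER = stage1_encrypt(SAMPLE_PLAIN)   # constructed stage-1 style blob


def demo():
    """Decrypt the constructed blob; returns (round-trip ok, plaintext is PE,
    ciphertext is PE)."""
    plain = stage1_decrypt(SAMPLE_CIPHER)
    return plain == SAMPLE_PLAIN, looks_like_pe(plain), looks_like_pe(SAMPLE_CIPHER)


if __name__ == '__main__':
    print(demo())
```

On a real dump the only thing to change is the input: feed stage1_decrypt the raw bytes from the driver's entry-time buffer and run looks_like_pe on the result; if the signature check fails, the buffer boundaries (or the inclusive extra DWORD) are the first thing to revisit.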

Re: WinNT/Simda

Postby Win32:Virut » Sat Jul 13, 2013 6:40 pm

52 files

Re: WinNT/Simda

Postby 0x16/7ton » Fri Jul 19, 2013 8:53 pm

My view of this l0lkit:
http://inresearching.blogspot.ru/2013/07/win32simda-family-ring0-payload.html
Also I attached the Simda web-redirect config and a decryption script for it.
Cause and effect

Re: WinNT/Simda

Postby EP_X0FF » Sat Jul 20, 2013 2:36 am

The most interesting part of it, the KiDebugRoutine usage (viewtopic.php?f=13&t=1512), appeared at almost the same time as in the MaxSS TDL3 fork (http://blogs.mcafee.com/mcafee-labs/mem ... -a-rootkit, viewtopic.php?f=16&t=596&p=6326#p6326, viewtopic.php?f=16&t=1255&p=9687); to be precise, in the same 2011 quarter. And neither of them was updated since that time: MaxSS moved to a TDL4-based fork and Simda was abandoned until 2013, when Simda probably bought and integrated BkLoader as a replacement for the old unsupported rootkit module. They are also so crazy about hiding this old lolkit in the dropper.
Ring0 - the source of inspiration

Re: WinNT/Simda

Postby Win32:Virut » Sat Jul 27, 2013 3:56 pm

11 files.

Re: WinNT/Simda

Postby bao » Tue Jul 30, 2013 10:24 am


Re: WinNT/Simda

Postby EP_X0FF » Wed Sep 11, 2013 1:48 am

Ring0 - the source of inspiration

Re: WinNT/Simda

Postby Xylitol » Thu Nov 28, 2013 11:39 am


Re: WinNT/Simda

Postby bao » Fri Mar 28, 2014 4:11 pm


Re: WinNT/Simda

Postby r3shl4k1sh » Sun Jan 11, 2015 1:08 am

Fresh sample md5: 6855c03e4f1b1cb7f93d5f732edf3f17

VT 6/56

Unpacked:
VT 35/55

(Web) Configs:
Code:
[*] DWORD: 9
[*] DWORD: -1071629051
[*] DWORD: -1071629051
[*] DWORD: -1071629051
[*] DWORD: -316523259
[*] DWORD: -316523259
[*] DWORD: -316523259
[*] DWORD: 40000
[*] DWORD: 40020
[*] String: http://update1.downloadexefeed.eu/?abbr=RTK&action=download&setupType=umx&setupFileName=process_64.exe
[*] String: http://update1.downloadexefeed.eu/?abbr=RTK&action=download&setupType=um32&setupFileName=process_32.exe
[*] DWORD: 1278
[*] String: 79.142.66.239/
[*] String: 79.142.66.239/
[*] DWORD: 10000
[*] DWORD: 0
[*] String: 5.149.248.152
[*] String: 109.236.87.106
[*] DWORD: 0
[*] DWORD: 10
[*] DWORD: 1684740437
[*] DWORD: 1410201506
[*] DWORD: -691851308
[*] String: 8.8.8.8
[*] String: 8.8.8.8
[*] String: www.bing.com.=92.123.68.97
[*] String: bing.com.=92.123.68.97
[*] String: gr.bing.com.=92.123.68.97
[*] String: ir.bing.com.=92.123.68.97
[*] String: gb.bing.com.=92.123.68.97
[*] String: dk.bing.com.=92.123.68.97
[*] String: au.bing.com.=92.123.68.97
[*] String: ro.bing.com.=92.123.68.97
[*] String: ca.bing.com.=92.123.68.97
[*] String: pt.bing.com.=92.123.68.97
[*] String: it.bing.com.=92.123.68.97
[*] String: de.bing.com.=92.123.68.97
[*] String: es.bing.com.=92.123.68.97
[*] String: tr.bing.com.=92.123.68.97
[*] String: hu.bing.com.=92.123.68.97
[*] String: br.bing.com.=92.123.68.97
[*] String: cz.bing.com.=92.123.68.97
[*] String: ie.bing.com.=92.123.68.97
[*] String: ch.bing.com.=92.123.68.97
[*] String: nl.bing.com.=92.123.68.97
[*] String: se.bing.com.=92.123.68.97
[*] String: no.bing.com.=92.123.68.97
[*] String: at.bing.com.=92.123.68.97
[*] String: fi.bing.com.=92.123.68.97
[*] String: fr.bing.com.=92.123.68.97
[*] String: pl.bing.com.=92.123.68.97
[*] String: search.yahoo.com.=72.30.186.249
[*] String: www.search.yahoo.com.=72.30.186.249
[*] String: gr.uk.search.yahoo.com.=87.248.112.8
[*] String: ir.uk.search.yahoo.com.=100.6.239.84
[*] String: uk.search.yahoo.com.=87.248.112.8
[*] String: dk.search.yahoo.com.=87.248.112.8
[*] String: au.search.yahoo.com.=87.248.112.8
[*] String: ro.search.yahoo.com.=87.248.112.8
[*] String: ca.search.yahoo.com.=87.248.112.8
[*] String: pt.search.yahoo.com.=87.248.112.8
[*] String: it.search.yahoo.com.=87.248.112.8
[*] String: de.search.yahoo.com.=87.248.112.8
[*] String: es.search.yahoo.com.=87.248.112.8
[*] String: tr.search.yahoo.com.=87.248.112.8
[*] String: hu.search.yahoo.com.=87.248.112.8
[*] String: br.search.yahoo.com.=87.248.112.8
[*] String: cz.search.yahoo.com.=87.248.112.8
[*] String: ie.search.yahoo.com.=87.248.112.8
[*] String: ch.search.yahoo.com.=87.248.112.8
[*] String: nl.search.yahoo.com.=87.248.112.8
[*] String: se.search.yahoo.com.=87.248.112.8
[*] String: no.search.yahoo.com.=87.248.112.8
[*] String: fr.search.yahoo.com.=87.248.112.8
[*] String: pl.search.yahoo.com.=87.248.112.8
[*] String: mx.search.yahoo.com.=87.248.112.8
[*] String: search.yahoo.co.jp.=87.248.112.8
[*] String: gr.search.yahoo.com.=87.248.112.8
[*] String: malaysia.search.yahoo.com.=87.248.112.8
[*] String: vn.search.yahoo.com.=87.248.112.8
[*] String: cl.search.yahoo.com.=87.248.112.8
[*] String: id.search.yahoo.com.=87.248.112.8
[*] String: in.search.yahoo.com.=87.248.112.8
[*] String: co.search.yahoo.com.=87.248.112.8
[*] String: ph.search.yahoo.com.=87.248.112.8
[*] String: nz.search.yahoo.com.=87.248.112.8
[*] String: ve.search.yahoo.com.=87.248.112.8
[*] String: ar.search.yahoo.com.=87.248.112.8
[*] String: fi.search.yahoo.com.=87.248.112.8
[*] String: th.search.yahoo.com.=87.248.112.8
[*] String: sg.search.yahoo.com.=87.248.112.8
[*] String: ch.search.yahoo.com.=87.248.112.8
[*] String: at.search.yahoo.com.=87.248.112.8
[*] String: za.search.yahoo.com.=87.248.112.8
[*] String: cn.search.yahoo.com.=87.248.112.8
[*] String: www.google-analytics.com.=64.125.87.101
[*] String: google-analytics.com.=64.125.87.101
[*] String: connect.facebook.net.=64.125.87.101
[*] String: www.google-analytics.com.=64.125.87.101
[*] String: google-analytics.com.=64.125.87.101
[*] String: connect.facebook.net.=64.125.87.101
[*] DWORD: 640499052
[*] DWORD: -207220302
[*] String: 5386420
[*] DWORD: 0
[*] End of config


In attach: original + unpacked + configs.
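A small parser for the config dump format shown in the post above, added here as an example (not r3shl4k1sh's script and not the one attached by 0x16/7ton). The line layout ("[*] DWORD: n" / "[*] String: s" / "[*] End of config") and the sample entries are taken straight from the dump; the grouping into download URLs, bare server addresses and host=IP redirect pairs is this example's own reading of the strings, by syntax only, so it says nothing about which address is good or bad (8.8.8.8 ends up in the same bucket as the others). DWORDs are printed signed by whatever dumped them, so they are normalised to unsigned 32-bit; duplicated host=IP lines collapse into one map entry.

```python
import ipaddress
import re

# Constructed excerpt of the config dump in the post above: same line format,
# a handful of its entries (the real dump carries far more host=IP pairs).
SAMPLE_DUMP = """\
[*] DWORD: 9
[*] DWORD: -1071629051
[*] DWORD: 40000
[*] String: http://update1.downloadexefeed.eu/?abbr=RTK&action=download&setupType=umx&setupFileName=process_64.exe
[*] DWORD: 1278
[*] String: 79.142.66.239/
[*] String: 5.149.248.152
[*] String: 8.8.8.8
[*] String: www.bing.com.=92.123.68.97
[*] String: search.yahoo.com.=72.30.186.249
[*] String: connect.facebook.net.=64.125.87.101
[*] String: connect.facebook.net.=64.125.87.101
[*] String: 5386420
[*] End of config
"""

LINE_RE = re.compile(r'^\[\*\] (DWORD|String): (.*)$')
# Redirect pairs are an FQDN (trailing dot), '=', then a dotted quad.
HIJACK_RE = re.compile(r'^(?P<host>[A-Za-z0-9.-]+?)\.?=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$')


def parse_dump(text):
    """Return the dump as a list of (kind, value) tuples; DWORDs become
    unsigned 32-bit ints, strings stay as printed."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '[*] End of config':
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError('unexpected dump line: %r' % line)
        kind, value = m.groups()
        if kind == 'DWORD':
            entries.append(('DWORD', int(value) & 0xFFFFFFFF))
        else:
            entries.append(('String', value))
    return entries


def classify_strings(entries):
    """Sort the string entries into the classes visible in the config:
    download URLs, bare addresses, host=IP redirect pairs, and the rest."""
    urls, addresses, hijacks, other = [], [], {}, []
    for kind, value in entries:
        if kind != 'String':
            continue
        if value.startswith(('http://', 'https://')):
            urls.append(value)
            continue
        m = HIJACK_RE.match(value)
        if m:
            hijacks[m.group('host')] = m.group('ip')   # duplicate lines collapse
            continue
        candidate = value.rstrip('/')                  # "79.142.66.239/" style
        try:
            ipaddress.ip_address(candidate)
            addresses.append(candidate)
        except ValueError:
            other.append(value)
    return {'urls': urls, 'addresses': addresses, 'hijacks': hijacks, 'other': other}


def hosts_file_view(hijacks):
    """Render the redirect map as hosts-file style lines, the shape you compare
    against a machine's hosts file or resolver logs when checking for it."""
    return '\n'.join('%s %s' % (ip, host) for host, ip in sorted(hijacks.items()))


def summarize(text):
    """Parse and classify in one call; adds the DWORD count for orientation."""
    entries = parse_dump(text)
    result = classify_strings(entries)
    result['dword_count'] = sum(1 for kind, _ in entries if kind == 'DWORD')
    return result


if __name__ == '__main__':
    summary = summarize(SAMPLE_DUMP)
    for key in ('urls', 'addresses', 'other', 'dword_count'):
        print(key, summary[key])
    print(hosts_file_view(summary['hijacks']))
```

Running it on the full dump instead of the excerpt only requires swapping SAMPLE_DUMP for the file contents; the hosts_file_view output is the piece worth feeding into a blocklist or a hosts-file diff.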
