WinNT/Simda

Forum for analysis and discussion about malware.
EP_X0FF
Global Moderator
Posts: 4777
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Win32/Simda

Post by EP_X0FF » Sat Jun 29, 2013 12:38 pm

Unpacked driver in attach.

The Simda obfuscator is somewhat irritating as it is multistaged. Drivers and DLLs haven't been updated since March 2011. The only thing they change is the upper obfuscation layer.

1) original_rootkit_driver -> decrypt second-stage procedures (implemented as a second native PE file); can be decrypted in a user-mode debugger. Or break in WinDbg at the Simda driver entry and trace until "call eax".

Decrypt algorithm at stage 1:

  {$Q-} { overflow checking off: the key schedule relies on 32-bit wraparound }
  { Stage-1 running-key decryption; InputPtr/OutputPtr walk the buffer one DWORD at a time }
  procedure DecryptStage1(InputPtr, OutputPtr: PDWORD; BufferSize: DWORD);
  var
    key1, key2, dwData: DWORD;
    i: Integer;
  begin
    key1 := $E34CAD83;
    key2 := $54B14C88;
    for i := 0 to BufferSize div sizeof(DWORD) do
    begin
      { each DWORD is decrypted by adding the current key1 }
      dwData := InputPtr^ + key1;
      OutputPtr^ := dwData;
      { key schedule: key1 advances by key2, key2 drops by a constant }
      key1 := key1 + key2;
      key2 := key2 - $42BE4641;
      inc(InputPtr);
      inc(OutputPtr);
    end;
  end;
2) second-stage procedures -> custom decryption of the payload container (seems to be RC4) -> aPLib unpacking next (break on the aPLib unpacking routine and dump the kernel memory it fills).
3) the third stage is 2 native PE drivers and 2 DLLs, which it uses for injection purposes.

All stages are attached. For more info see http://www.microsoft.com/security/porta ... imda.gen!A
You do not have the required permissions to view the files attached to this post.
Ring0 - the source of inspiration
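A Python port of the stage-1 loop from the post above, added here as an analysis aid (it is not code from the post or from Simda itself). The key constants are the ones quoted; the PE-header check, the inverse transform and the constructed PE stub are assumptions used to show that a correctly decrypted buffer can be recognised, and the loop stops at the end of the buffer rather than one DWORD past it.

```python
import struct

# Constants from the stage-1 loop quoted in the post above.
KEY1_INIT = 0xE34CAD83
KEY2_INIT = 0x54B14C88
KEY2_STEP = 0x42BE4641
MASK32 = 0xFFFFFFFF

def _keystream(count):
    """Yield key1 per DWORD: key1 += key2, key2 -= KEY2_STEP, both mod 2**32."""
    key1, key2 = KEY1_INIT, KEY2_INIT
    for _ in range(count):
        yield key1
        key1 = (key1 + key2) & MASK32
        key2 = (key2 - KEY2_STEP) & MASK32

def _transform(data, sign):
    # Whole little-endian DWORDs only; the Pascal loop in the post runs
    # 0..BufferSize div 4 inclusive, so a port must stop at len(data) // 4.
    # Any tail bytes that do not fill a DWORD are left unchanged.
    count = len(data) // 4
    out = bytearray(data)
    for i, key in enumerate(_keystream(count)):
        (word,) = struct.unpack_from("<I", data, i * 4)
        struct.pack_into("<I", out, i * 4, (word + sign * key) & MASK32)
    return bytes(out)

def simda_stage1_decrypt(data):
    """Stage-1 decryption as posted: OutputPtr^ := InputPtr^ + key1."""
    return _transform(data, 1)

def simda_stage1_encrypt(plain):
    """Inverse (subtract the key stream); used here only to build test data."""
    return _transform(plain, -1)

def looks_like_pe(buf):
    """Sanity check on a decrypted buffer: 'MZ' at 0 and the PE signature at e_lfanew."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    return buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def build_test_pe_stub():
    """Constructed stand-in for the stage-2 native PE (not a real sample)."""
    stub = bytearray(b"MZ".ljust(0x3C, b"\x00"))
    stub += struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x90" * 12
    return bytes(stub)
```

Run `looks_like_pe(simda_stage1_decrypt(blob))` on a buffer dumped at the driver's "call eax" to confirm the key schedule and offset are right before tracing the second stage.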

Win32:Virut
Posts: 324
Joined: Sat Jun 02, 2012 2:22 pm

Re: WinNT/Simda

Post by Win32:Virut » Sat Jul 13, 2013 6:40 pm

52 files

0x16/7ton
Posts: 50
Joined: Fri Apr 20, 2012 12:59 pm
Location: Russian Federation

Re: WinNT/Simda

Post by 0x16/7ton » Fri Jul 19, 2013 8:53 pm

My view of this l0lkit:
http://inresearching.blogspot.ru/2013/0 ... yload.html
Also I attached the Simda web-redirect config and a decryption script for it.
Cause and effect

EP_X0FF
Global Moderator
Posts: 4777
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: WinNT/Simda

Post by EP_X0FF » Sat Jul 20, 2013 2:36 am

The most interesting part of it, the KiDebugRoutine usage (http://www.kernelmode.info/forum/viewto ... =13&t=1512), appeared at almost the same time as in the MaxSS TDL3 fork (http://blogs.mcafee.com/mcafee-labs/mem ... -a-rootkit, http://www.kernelmode.info/forum/viewto ... 6326#p6326, http://www.kernelmode.info/forum/viewto ... 255&p=9687), to be precise, in the same 2011 quarter. And neither of them has been updated since that time: MaxSS moved to a TDL4-based fork and Simda was abandoned until 2013, when Simda probably bought and integrated BkLoader as a replacement for the old unsupported rootkit module. They are also so crazy as to hide this old lolkit in the dropper.

Win32:Virut
Posts: 324
Joined: Sat Jun 02, 2012 2:22 pm

Re: WinNT/Simda

Post by Win32:Virut » Sat Jul 27, 2013 3:56 pm

11 files.

bao
Posts: 20
Joined: Sat Sep 22, 2012 9:27 pm

Re: WinNT/Simda

Post by bao » Tue Jul 30, 2013 10:24 am


EP_X0FF
Global Moderator
Posts: 4777
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: WinNT/Simda

Post by EP_X0FF » Wed Sep 11, 2013 1:48 am


Xylitol
Global Moderator
Posts: 1660
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: WinNT/Simda

Post by Xylitol » Thu Nov 28, 2013 11:39 am


bao
Posts: 20
Joined: Sat Sep 22, 2012 9:27 pm

Re: WinNT/Simda

Post by bao » Fri Mar 28, 2014 4:11 pm


r3shl4k1sh
Posts: 119
Joined: Tue Feb 05, 2013 10:26 pm
Location: Israel

Re: WinNT/Simda

Post by r3shl4k1sh » Sun Jan 11, 2015 1:08 am

Fresh sample md5: 6855c03e4f1b1cb7f93d5f732edf3f17

VT 6/56

Unpacked:
VT 35/55

(Web) Configs:

Attached: original + unpacked + configs.
