Win32/CBeplay

Forum for analysis and discussion about malware.

Re: Trojan WinAD (alias Ransom.ER, Winlock, Win32.Timer)

Postby markusg » Wed Oct 05, 2011 5:44 pm

0.4658229854220858.exe
MD5   : ec9bdf9d0c71f868b65faeaa62140814
http://www.virustotal.com/file-scan/rep ... 1317836088
You do not have the required permissions to view the files attached to this post.
markusg
 
Posts: 713
Joined: Mon Mar 15, 2010 2:53 pm
Reputation point: 141

Re: Trojan WinAD (alias Ransom.ER, Winlock, Win32.Timer)

Postby EP_X0FF » Thu Oct 06, 2011 3:26 am

markusg wrote:0.4658229854220858.exe
MD5   : ec9bdf9d0c71f868b65faeaa62140814
http://www.virustotal.com/file-scan/rep ... 1317836088


Trojan Ransom Bundespolizei with few features on board. The first stage contains basic AntiVM checking + checking for the presence of Wireshark (because of the network features this ransom has on board). It decrypts and decompresses the payload, then injects it into a svchost.exe copy. The payload has multiple AntiVM checks inside, called in a few places - IDK why they thought this could slow down or make analysis difficult - this is pretty lame. If something is detected it tries to execute the following nonsense through cmd.exe

"/q /c for /l %%i in (1, 1, 4000000000) do if not exist \"%s\" (exit) else (del /f \"%s\"


or simply quits.

For work it creates a new desktop MyDesktop2, hides the Program Manager and taskbar windows, and starts an additional thread that switches desktop and executes the main ransom payload. The malware has a timer counter, so basically you can get rid of it by changing the system time far forward.

Image

Attached: decrypted + patched to get rid of the Sandbox/VM checks, so it will work everywhere without any problem.

Posts moved.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4764
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 571

Re: Trojan Winlock / Ransom / ScreenLocker

Postby Maxstar » Sat Mar 24, 2012 8:43 am

Attached are the samples of the KLPD trojan.ransom; in a virtual mode they are not working.

Image
http://www.imgdumper.nl/uploads5/4f6d88 ... screen.jpg
Maxstar
 
Posts: 88
Joined: Wed Jan 26, 2011 10:20 am
Reputation point: 39

Re: Trojan Winlock / Ransom / ScreenLocker

Postby EP_X0FF » Sat Mar 24, 2012 9:31 am

Maxstar wrote:in a virtual mode they are not working.


I assume all three samples are identical, so I took care of only one of them. Attached: crypter-free sample with the AntiVM part removed, so it should work everywhere.

It is completely similar to viewtopic.php?p=8984#p8984 except title.

Posts moved.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4764
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 571

Win32/CBeplay

Postby Kafeine » Fri Jan 11, 2013 1:37 pm

Seems this ransomware got some attention since it's right now being deployed via some Cool EK featuring the latest CVE-2013-0422, and the malware has some AntiVM stuff built in.
http://joe4security.blogspot.ch/2013/01/cve-2013-0422-java-0-day-technical.html

(didn't find a dedicated thread, sorry if one already exists)

Image (one UK Design) :
Image
You'll find a page with the Designs here :
https://www.botnets.fr/index.php/CBeplay.P

Attached some samples I took time to gather, including a recent one (available also here : http://dl.dropbox.com/u/106864056/CBeplay.Others.zip )
You'll find more sample here :
http://dl.dropbox.com/u/106864056/CBeplay.P_2012-11-07_to_16.zip (17 samples)
and here :
http://dl.dropbox.com/u/106864056/CBeplayFrom26-08-2012_to_07-08-2012.zip (118 samples from 26-08-2012 to 07-09-2012 when it was pushed via Sakura)
Kafeine
 
Posts: 105
Joined: Thu Jul 28, 2011 1:19 pm
Reputation point: 74

Re: CBeplay.P

Postby EP_X0FF » Fri Jan 11, 2013 1:54 pm

Kafeine wrote:Seems this ransomware got some attention since it's right now being deployed via some Cool EK featuring the latest CVE-2013-0422, and the malware has some AntiVM stuff built in.


From the given description, AntiVM isn't changed and is equal to viewtopic.php?p=8984#p8984 and this viewtopic.php?p=12309#p12309
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4764
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 571

Re: CBeplay.P

Postby Kafeine » Sun Jan 13, 2013 7:43 am

@EP_X0FF thanks.

Having trouble with Dropbox/Min.US, here are the new links:

http://ovh.to/Z2UZ - CBeplay.Others.zip
http://ovh.to/DivT - CBeplay.P_2012-11-07_to_16.zip
http://ovh.to/tSds - CBeplay.P_2012-11-07_to_16.zip
Kafeine
 
Posts: 105
Joined: Thu Jul 28, 2011 1:19 pm
Reputation point: 74

Re: CBeplay.P

Postby kmd » Sun Jan 27, 2013 1:09 pm

Hi all. I'm having trouble running CBeplay samples on Virtual PC (XP mode); they quit at start. Is there any anti-VM for M$ VPC inside? I read from the blog entry that it has detection of sandbox and VBox but not VPC.

tya
kmd
 
Posts: 268
Joined: Mon Mar 15, 2010 4:09 am
Location: Russian Federation
Reputation point: 17

Re: CBeplay.P

Postby EP_X0FF » Sun Jan 27, 2013 1:53 pm

kmd wrote:Hi all. I'm having trouble running CBeplay samples on Virtual PC (XP mode); they quit at start. Is there any anti-VM for M$ VPC inside? I read from the blog entry that it has detection of sandbox and VBox but not VPC.

tya


It is detecting VPC by two conditions:

1) Querying a specific code that has an effect only under Virtual PC.

Code:
.text:00401980 IsVirtualPC:                             ; CODE XREF: Cbeplay_VMDetect:loc_401B58p
.text:00401980                 push    ebp
.text:00401981                 mov     ebp, esp
.text:00401983                 push    0FFFFFFFFh
.text:00401985                 push    offset unk_4032E8
.text:0040198A                 push    offset sub_402288
.text:0040198F                 mov     eax, large fs:0
.text:00401995                 push    eax
.text:00401996                 mov     large fs:0, esp
.text:0040199D                 sub     esp, 0Ch
.text:004019A0                 push    ebx
.text:004019A1                 push    esi
.text:004019A2                 push    edi
.text:004019A3                 mov     [ebp-18h], esp
.text:004019A6                 xor     eax, eax
.text:004019A8                 mov     [ebp-19h], al
.text:004019AB                 mov     [ebp-4], eax
.text:004019AE                 push    ebx
.text:004019AF                 mov     ebx, 0 //flag
.text:004019B4                 mov     eax, 1 //service number
.text:004019B9                 db 00Fh, 03Fh, 007h, 00Bh

....

.text:004019CF
.text:004019CF loc_4019CF:                           
.text:004019CF                 mov     dword ptr [ebp-4], 0FFFFFFFFh
.text:004019D6                 mov     al, [ebp-19h]
.text:004019D9                 mov     ecx, [ebp-10h]
.text:004019DC                 mov     large fs:0, ecx
.text:004019E3                 pop     edi
.text:004019E4                 pop     esi
.text:004019E5                 pop     ebx
.text:004019E6                 mov     esp, ebp
.text:004019E8                 pop     ebp
.text:004019E9                 retn


*Sorry, IDA failed to properly disassemble.

If (IsVirtualPC() == TRUE) then exit;

Likely the routine above was written in Pascal as a function with an assembler block.

2) Querying the hard disk name. If it has the substring "VIRTUAL" in the name, then exit.

Since this malware is two-staged you will have to extract the final binary and patch it. I've already posted links to previous analysis. Absolutely nothing changed.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4764
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 571

Re: CBeplay.P

Postby Buster_BSA » Sun Jan 27, 2013 5:41 pm

Probably the function is this one:

Code:
function IsRunningVirtualPC: Boolean;
asm
  push ebp;
  mov ebp, esp;

  mov ecx, offset @exception_handler;

  push ebx;
  push ecx;

  push dword ptr fs:[0];
  mov dword ptr fs:[0], esp;

  mov ebx, 0; // Flag
  mov eax, 1; // VPC function number

  // call VPC
  db $0F, $3F, $07, $0B

  mov eax, dword ptr ss:[esp];
  mov dword ptr fs:[0], eax;

  add esp, 8;

  test ebx, ebx;

  setz al;

  lea esp, dword ptr ss:[ebp-4];
  mov ebx, dword ptr ss:[esp];
  mov ebp, dword ptr ss:[esp+4];

  add esp, 8;

  jmp @ret1;

  @exception_handler:
  mov ecx, [esp+0Ch];
  mov dword ptr [ecx+0A4h], -1; // EBX = -1 -> not running, ebx = 0 -> running
  add dword ptr [ecx+0B8h], 4; // -> skip past the call to VPC
  xor eax, eax; // exception is handled

  @ret1:
end;
Buster_BSA
 
Posts: 390
Joined: Mon Mar 22, 2010 6:42 am
Reputation point: 35
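The two VPC conditions EP_X0FF lists above, and the Pascal function Buster_BSA reconstructs, both pivot on the same static artefacts: the four-byte sequence 0F 3F 07 0B (preceded in the IDA listing by mov ebx, 0 / mov eax, 1, i.e. BB 00 00 00 00 B8 01 00 00 00) and the "VIRTUAL" substring compared against the disk name. The following triage scanner is an added example for analysts, not code from this thread or from the malware: it flags a dumped second-stage binary that contains those artefacts, so you know before detonation that the sample will bail out under Virtual PC. The UTF-16LE variant of "VIRTUAL" and the sample byte blob are my assumptions/constructions, not taken from the posts.

```python
import re
from typing import Dict, List, Tuple

# Byte patterns lifted from the disassembly quoted in this thread:
#   mov ebx, 0      -> BB 00 00 00 00
#   mov eax, 1      -> B8 01 00 00 00
#   db 0F 3F 07 0B  -> the Virtual PC "backdoor" instruction (raises #UD on real hardware,
#                      which is why the routine wraps it in an SEH frame)
VPC_BACKDOOR = bytes.fromhex("0F3F070B")
VPC_CALL_SETUP = bytes.fromhex("BB00000000B801000000") + VPC_BACKDOOR

PATTERNS: Dict[str, bytes] = {
    "vpc_backdoor_opcode": VPC_BACKDOOR,
    "vpc_backdoor_with_setup": VPC_CALL_SETUP,
    "virtual_str_ascii": b"VIRTUAL",
    # Assumption: the disk-name compare might be done on a wide string, so also look for UTF-16LE.
    "virtual_str_utf16le": "VIRTUAL".encode("utf-16-le"),
}


def find_all(data: bytes, needle: bytes) -> List[int]:
    """Return every offset at which needle occurs in data."""
    return [m.start() for m in re.finditer(re.escape(needle), data)]


def scan(data: bytes) -> List[Tuple[str, int]]:
    """Scan a blob for the VPC-detection artefacts; returns (pattern_name, offset) sorted by offset."""
    hits: List[Tuple[str, int]] = []
    for name, needle in PATTERNS.items():
        for off in find_all(data, needle):
            hits.append((name, off))
    return sorted(hits, key=lambda h: (h[1], h[0]))


def scan_file(path: str) -> List[Tuple[str, int]]:
    """Convenience wrapper: scan an unpacked/decrypted stage-2 binary on disk."""
    with open(path, "rb") as fh:
        return scan(fh.read())


def summarize(hits: List[Tuple[str, int]]) -> Dict[str, bool]:
    """Map raw hits onto the two conditions described in the thread."""
    names = {name for name, _ in hits}
    return {
        "vpc_backdoor_check": "vpc_backdoor_opcode" in names,
        "virtual_disk_name_check": bool(names & {"virtual_str_ascii", "virtual_str_utf16le"}),
    }


# Constructed test blob (NOT a real sample): a prologue, the backdoor call as laid out in the
# IDA listing, some padding, an ASCII disk-model string and a wide "VIRTUAL" string.
SAMPLE = (
    b"\x55\x8b\xec"                    # push ebp; mov ebp, esp      (offset 0)
    + VPC_CALL_SETUP                   # setup + 0F 3F 07 0B        (offset 3, opcode at 13)
    + b"\x00" * 16                     # padding                     (offset 17)
    + b"VIRTUAL HD"                    # ASCII disk model string     (offset 33)
    + b"\x00" * 4                      # padding                     (offset 43)
    + "VIRTUAL".encode("utf-16-le")    # wide string                 (offset 47)
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:#08x}  {name}")
    print(summarize(scan(SAMPLE)))
```

Run it against the decrypted stage-2 dump rather than the packed dropper: the backdoor opcode sits inside the encrypted payload, so the first stage will not match. A hit on vpc_backdoor_opcode tells you exactly which bytes to neutralise (or which SEH path to follow in a debugger) if you want the sample to run under VPC, which is what the patched attachments in this thread already do.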
