Win32/Kovter

Forum for analysis and discussion about malware.

Win32/Kovter

Postby p4r4n0id » Fri Mar 29, 2013 5:52 pm

Ransomware - Kovter : looking at your browsing history for more credibility (by kafeine)

http://malware.dontneedcoffee.com/2013/ ... -your.html

MD5: 19561b33793dcb865eae56575a899ce8

Sample grabbed from post!
Keep Low. Move Fast. Kill First. Die Last. One Shot. One Kill. No Luck. Pure Skill.
http://p4r4n0id.com/

Re: Win32/Kovter

Postby EP_X0FF » Sat Mar 30, 2013 5:28 am

Decrypted attached. Sample contains a fun AV blacklist.
Ring0 - the source of inspiration

Re: Win32/Kovter

Postby p4r4n0id » Sat Mar 30, 2013 8:25 am

EP_X0FF wrote: Decrypted attached. Sample contains a fun AV blacklist.

Was not sure whether to open a new topic for this one :)

Re: Win32/Kovter

Postby EP_X0FF » Sat Mar 30, 2013 8:29 am

p4r4n0id wrote:
EP_X0FF wrote: Decrypted attached. Sample contains a fun AV blacklist.

Was not sure whether to open a new topic for this one :)

Well, it comes from the same group doing this ransom viewtopic.php?f=16&t=1363&start=40 and some others. Anyway, it is completely different in comparison.

Re: Win32/Kovter

Postby EP_X0FF » Fri May 24, 2013 3:44 am

Original:
https://www.virustotal.com/en/file/ee9435588703e9945fa550b48a458c99720c8c3653c2b16e4a5c236965368456/analysis/

Unpacked (UPX[scrambler or crypter], idgaf->Dynamic Drop->UPX->Borland Delphi 6-7 without VCL):
https://www.virustotal.com/en/file/dc62be51a07f15219888fcafdb9f8a9ccc9db65ee02f6cf94b13ebd60e6b9a51/analysis/

Sample contains an AV blacklist:

Code:
CODE:00425314 00000018 unicode bdagent.exe
CODE:00425330 00000016 unicode vsserv.exe
CODE:0042534C 0000001C unicode BullGuard.exe
CODE:004253BC 00000016 unicode op_mon.exe
CODE:004253D8 00000014 unicode avcom.exe
CODE:004253F0 00000016 unicode tptray.exe
CODE:00425428 00000010 unicode cfp.exe
CODE:0042543C 0000001A unicode cmdagent.exe
CODE:0042545C 00000016 unicode CLPSLS.exe
CODE:00425478 0000001A unicode dwengine.exe
CODE:00425498 0000001C unicode dwservice.exe
CODE:004254B8 00000020 unicode spideragent.exe

and Duqu/Andromeda injection code; the malware is WOW64 compatible. The build has been cleaned from the original to eradicate some AV detections.

C&C at freons.tk
Lockscreen at hxxp://freons.tk//page/back.jpg

Re: Win32/Kovter

Postby EP_X0FF » Thu May 30, 2013 8:57 am

6 Kovter droppers.

SHA1:

Code:
02341b3c04b1ccc053df196cf34571543d287da9
2060e07809876514ac7cd1fcb9be6d693766fbb6
38daa900c2f7ca07b7c86fe450bf0dbbac653a45
5c27ab7871f9f6119570b609185efac511c8e920
69375fb214ba5de010b16a426d9921ba801924de
de6f8d3b49210dbe12c97dc796ceba7ce2e84d60

Re: Win32/Urausy (aka "WinLocker")

Postby Cody Johnston » Wed Jun 26, 2013 8:13 pm

This is probably Urausy:

Fresh from today, has "Permanent Lock" timer:

Image

MD5: cd889f6200fcb97fc786d9ff12e757f1

VT: 14/47

https://www.virustotal.com/en/file/f168cae429fe544809cd50a0a40823ae46054d9960981963a0eb93a7c30ce7bd/analysis/1372276276/

Re: Win32/Urausy (aka "WinLocker")

Postby Horgh » Thu Jun 27, 2013 8:02 am

Not Urausy for sure. MS says: Trojan:Win32/Kovter.B
Unpacked in attachment (xpack):

dump (2).zip

Re: Win32/Urausy (aka "WinLocker")

Postby Kafeine » Thu Jun 27, 2013 8:40 am


Re: Win32/Kovter

Postby EP_X0FF » Thu Jun 27, 2013 1:00 pm

Second version with anti-forensic features on board against homemade virus analysts who are living mostly in the 200x and 199x years. The coder of this sample did a good job with reporting events, leaving all sensitive strings in code, making it much more readable. Thanks.

We are starting with
Code:
i:\MySoft\project Locker\optimize orig Binary\kol\err.pas

@0040D1F4 GlobalAntiForensics procedure
@0040CC18 AntiVMWare -> VMX backdoor
@0040CC9C AntiVMWareEx -> rdtsc calculating ticks between instructions, > 200? VMware detected. (I have bad news for malware writers who have copy-pasted this for years)
@0040CCB0 AntiVirtualBox -> NtQuerySystemInformation(SystemProcessesAndThreads) -> VBoxService.exe
@0040CD88 AntiVirtualPC -> by invalid instruction
@0040CCEC AntiSandboxie -> by GetModuleHandle("sbiedll.dll")
@0040CD10 AntiThreadExpert -> script-kiddie author means AntiThreatExpert. By GetModuleHandle("dbghelp.dll")
@0040CDA0 AntiWireshark -> NtQuerySystemInformation(SystemProcessesAndThreads) -> wireshark.exe
@0040CDD8 AntiJoeBox -> same as previous, by "joeboxserver.exe" and "joeboxcontrol.exe" process names
AntiRFP (RegMon @0040CE50, FileMon @0040CE84, ProcMon @0040CEB8)
@0040CF84 AntiAllDebugger -> IsDebuggerPresent and the same directly from the PEB flag.
@0040CFA0 AntiOllyDbg -> part of previous (blind copy-paste)
@0040D058 AntiSoftIce -> by device symbolic links, hello from 200x
@0040D0CC AntiSyserDebugger -> by device symbolic links
@0040D12C AntiTrwDebugger -> by CreateFile, hello from 199x
@0040CD34 AntiVirtualMachine -> sldt instruction, I have bad news for the ransom author
@0040D14C AntiSunbeltSandboxie -> GetModuleHandle("api_log.dll"), GetModuleHandle("dir_watch.dll")

Collection of primitive and out-of-date methods created by mindless copy-paste.
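As an added defender-side example (not code from the thread or from any poster), a small Python triage script that parses the IDA string listing from the AV-blacklist post into process names, then scans a constructed stand-in for an unpacked dump for UTF-16LE occurrences of those names and of the VM/sandbox/tool artifacts enumerated in the anti-forensics post above. The capability labels, the sample bytes and the function names are my own assumptions.

```python
import re
# IDA "Strings" window lines copied from the thread: the sample's AV process blacklist.
IDA_STRINGS = """
CODE:00425314 00000018 unicode bdagent.exe
CODE:00425330 00000016 unicode vsserv.exe
CODE:0042534C 0000001C unicode BullGuard.exe
CODE:004253D8 00000014 unicode avcom.exe
CODE:00425428 00000010 unicode cfp.exe
"""
# Artifact names from the anti-forensics post; the capability labels are my own.
EVASION_ARTIFACTS = {
    "anti-vm": ["VBoxService.exe"],
    "anti-sandbox": ["sbiedll.dll", "api_log.dll", "dir_watch.dll",
                     "joeboxserver.exe", "joeboxcontrol.exe"],
    "anti-analysis-tools": ["wireshark.exe", "dbghelp.dll"],
}
IDA_LINE = re.compile(r"^CODE:([0-9A-F]{8})\s+([0-9A-F]{8})\s+unicode\s+(\S+)$")

def parse_ida_strings(listing: str) -> list[tuple[int, int, str]]:
    """Parse IDA string-listing lines into (address, byte length, text)."""
    out = []
    for line in listing.splitlines():
        m = IDA_LINE.match(line.strip())
        if m:
            out.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return out

def find_utf16(buf: bytes, name: str) -> list[int]:
    """Offsets of `name` encoded as UTF-16LE in `buf`, ASCII case-insensitive."""
    needle = re.escape(name.lower().encode("utf-16-le"))
    return [m.start() for m in re.finditer(needle, buf.lower())]

def triage(buf: bytes, av_names: list[str]) -> dict[str, list[str]]:
    """Tag a dump with the capabilities its embedded process/DLL names suggest."""
    report: dict[str, list[str]] = {}
    for tag, names in {"av-process-blacklist": av_names, **EVASION_ARTIFACTS}.items():
        hits = [n for n in names if find_utf16(buf, n)]
        if hits:
            report[tag] = hits
    return report

def build_sample() -> bytes:
    """Constructed stand-in for an unpacked dump; not a real Kovter sample."""
    strings = ["vsserv.exe", "cfp.exe", "VBoxService.exe", "sbiedll.dll", "wireshark.exe"]
    body = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    return b"MZ" + b"\x00" * 62 + body + b"\x90" * 16

if __name__ == "__main__":
    av_names = [s for _, _, s in parse_ida_strings(IDA_STRINGS)]
    for tag, hits in triage(build_sample(), av_names).items():
        print(f"{tag}: {', '.join(hits)}")
```

The same scan run over a real unpacked dump gives a quick capability summary before any debugging, which is where the process and DLL names the sample checks for become useful to the analyst rather than to the malware.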
