Win32/Xswkit (alias Gootkit)

Forum for analysis and discussion about malware.
puzzlex
Posts: 20
Joined: Tue Oct 20, 2015 12:22 pm

Re: Win32/Xswkit (alias Gootkit)

Post by puzzlex » Mon Dec 07, 2015 6:21 pm

Here is the spyware module (javascript) that I was able to extract. Not complete though.
You do not have the required permissions to view the files attached to this post.

EP_X0FF
Global Moderator
Posts: 4872
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Win32/Xswkit (alias Gootkit)

Post by EP_X0FF » Thu Jun 16, 2016 4:58 pm

Here is a "recent" sample from Feb-April 2016. Gootkit continues development and seems to have refreshed its arsenal since the last time I looked at it. The dropper is two-staged; the first stage seems to include some LPE, and the payload is packed with aPLib. Attached: dropper + unpacked payload.

Also notice they added a bunch of VM/Sandbox detection inside. I don't remember this stuff previously.
AMI BOCHS VBOX QEMU SMCI INTEL - 6040000 FTNT-1 SONI prleth.sys hgfs.sys vmhgfs.sys sbiedll.dll CurrentUser Sandbox SANDBOX 7SILVIA SystemBiosVersion HARDWARE\DESCRIPTION\System VideoBiosVersion VirtualBox SOFTWARE\Microsoft\Windows\CurrentVersion 55274-640-2673064-23950 76487-644-3177037-23510 76487-337-8429955-22614
Hardware\DESCRIPTION\System\CentralProcessor\0 ProcessorNameString Xeon
Dropper is courtesy of @malekal_morte.

Payload
SHA256: a89156d38c19a175722a28f2260cd4d7c6c1d4f5c67b8b5ee9b34e23af0f3580
https://www.virustotal.com/en/file/a891 ... 466096222/

Dropper
SHA256: 07e1d92b4a01ccaa8aa2829d68c817fe2037f5619b87aa95ccfb479d0e97a76b
https://www.virustotal.com/en/file/07e1 ... 466096226/
Ring0 - the source of inspiration
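Added example for this thread (not code from the samples or from the poster): a Python triage helper that scans a file image for the VM/sandbox artefacts listed in the post above, in both ASCII and UTF-16LE, and groups the hits so an analyst can see at a glance which checks a new build still carries. The indicator strings are copied from the post; the category names, the whole-word matching rule and the sample buffer are this example's own assumptions.

```python
# Added example for this thread (not code from the samples or the posters):
# a triage helper that scans a file image for the VM/sandbox artefacts the
# post above lists, in both ASCII and UTF-16LE, and groups the hits.
import re

# Indicator strings are copied from the post; the grouping into categories is
# this example's own interpretation.
INDICATORS = {
    "bios_vendor_strings": ["AMI", "BOCHS", "VBOX", "QEMU", "SMCI", "SONI",
                            "INTEL  - 6040000", "FTNT-1", "VirtualBox"],
    "hypervisor_drivers": ["prleth.sys", "hgfs.sys", "vmhgfs.sys"],
    "sandbox_dlls": ["sbiedll.dll"],
    "sandbox_usernames": ["CurrentUser", "Sandbox", "SANDBOX", "7SILVIA"],
    "bios_registry": ["HARDWARE\\DESCRIPTION\\System",
                      "SystemBiosVersion", "VideoBiosVersion"],
    "known_product_ids": ["55274-640-2673064-23950",
                          "76487-644-3177037-23510",
                          "76487-337-8429955-22614"],
    "cpu_name_check": ["Hardware\\DESCRIPTION\\System\\CentralProcessor\\0",
                       "ProcessorNameString", "Xeon"],
}


def _compile(token):
    """Build (encoding, regex) pairs matching the token as a whole word in
    ASCII and in UTF-16LE. Short tokens such as AMI or SONI would otherwise
    fire inside unrelated words (DYNAMIC, PERSONIFY, ...)."""
    out = []
    for enc in ("ascii", "utf-16-le"):
        body = re.escape(token.encode(enc))
        if enc == "ascii":
            pat = rb"(?<![A-Za-z0-9])" + body + rb"(?![A-Za-z0-9])"
        else:
            # In UTF-16LE every ASCII code unit is followed by a NUL byte,
            # so the neighbouring code unit is two bytes wide.
            pat = rb"(?<![A-Za-z0-9]\x00)" + body + rb"(?![A-Za-z0-9]\x00)"
        out.append((enc, re.compile(pat)))
    return out


_COMPILED = {cat: [(tok, _compile(tok)) for tok in toks]
             for cat, toks in INDICATORS.items()}


def scan_for_indicators(data):
    """Return {category: [(token, encoding, offset), ...]} for every hit,
    sorted by offset; categories with no hits are omitted."""
    hits = {}
    for category, entries in _COMPILED.items():
        found = []
        for token, patterns in entries:
            for enc, regex in patterns:
                for m in regex.finditer(data):
                    found.append((token, enc, m.start()))
        if found:
            hits[category] = sorted(found, key=lambda h: h[2])
    return hits


def summarize(hits):
    """Distinct indicators per category plus an overall count for triage."""
    per_category = {c: len({t for t, _, _ in v}) for c, v in hits.items()}
    return per_category, sum(per_category.values())


# Constructed sample buffer (not a real binary): a fake MZ header, a mix of
# ASCII and UTF-16LE indicators, and the word DYNAMIC, which contains "AMI"
# and must not be reported.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"HARDWARE\\DESCRIPTION\\System\x00"
    + b"SystemBiosVersion\x00\x00"
    + "vmhgfs.sys".encode("utf-16-le") + b"\x00\x00"
    + b"76487-644-3177037-23510\x00"
    + b"DYNAMIC\x00"
    + b"AMI\x00\x00"
    + "7SILVIA".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    result = scan_for_indicators(SAMPLE)
    for category, found in result.items():
        print(category)
        for token, enc, off in found:
            print(f"  {off:#06x} {enc:10} {token}")
    print("distinct indicators:", summarize(result)[1])
```

Run it against the bytes of an unpacked module (read the file in binary mode and pass the buffer to scan_for_indicators). Whole-word matching is deliberate: without it "hgfs.sys" would also be reported inside "vmhgfs.sys" and "AMI" inside any word that happens to contain it, which makes the count useless for comparing builds.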

puzzlex
Posts: 20
Joined: Tue Oct 20, 2015 12:22 pm

Re: Win32/Xswkit (alias Gootkit)

Post by puzzlex » Thu Jun 16, 2016 6:27 pm


Ludvig
Posts: 7
Joined: Fri Jan 29, 2016 9:30 am

Re: Win32/Xswkit (alias Gootkit)

Post by Ludvig » Fri Jun 17, 2016 9:02 am

gootkit scripts unpacked

ikolor
Posts: 320
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Wed Sep 21, 2016 7:12 pm


xors
Posts: 163
Joined: Mon May 23, 2016 2:01 am

Re: Malware collection

Post by xors » Wed Sep 21, 2016 9:46 pm


Maybe a dropper? Not sure.

PDB:"c:\safe\die\foot\stick\cover\doubleagain.pdb"
@xorsthingsv2

EP_X0FF
Global Moderator
Posts: 4872
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Malware collection

Post by EP_X0FF » Thu Sep 22, 2016 6:17 am

xors wrote:

Maybe a dropper? Not sure.

PDB:"c:\safe\die\foot\stick\cover\doubleagain.pdb"
It is Gootkit loader.
Ring0 - the source of inspiration

R136a1
Forum Admin
Posts: 218
Joined: Wed Jul 13, 2011 4:30 pm
Location: Netherlands

Re: Win32/Xswkit (alias Gootkit)

Post by R136a1 » Tue Sep 27, 2016 10:42 am

Hi folks,

here are two fresh samples from the beginning of September which aren't crypted. They look like test samples, because they have a "-testldr" command line switch, among other things. The samples also contain two small embedded DLLs (x86/x64) which seem to deal with certificate-related stuff. I haven't looked at it in detail, because I am currently analyzing some more interesting malware samples. Anyway, the samples are very reversing-friendly...

List of strings from main dll:

Code:

user32.dll
{66379400-67a1-468d-a692-6a3cfbee8ac5}
{66379400-67a1-468d-a692-6a3cfbee8ac5}
{66379400-67a1-468d-a692-6a3cfbee8ac5}
{66379400-67a1-468d-a692-6a3cfbee8ac5}
%d-%08x-%08x
IsWow64Process
ExitProcess
kernel32.dll
.detour
dbghelp.dll
ImagehlpApiVersionEx
SymInitialize
SymSetOptions
SymGetOptions
SymLoadModule64
SymGetModuleInfo64
SymFromName
.detour
testldr
vendor_id
LdrGetProcedureAddress
NTDLL.DLL
LoadLibraryExW
KERNEL32
LoadLibraryExW
KERNELBASE
GetProcAddress
KERNEL32
GetProcAddress
KERNELBASE
.text
Error
DataWriteFailed
BadStatusCode
ResponseReadFailed
CrackUrlFailed
PartialResponse
unknown error
RtlComputeCrc32
crackme
GetNativeSystemInfo
kernel32.dll
{%d}-{%s}
S:(ML;;NW;;;LW)
unstable_%d
D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)
vendor_id
127.0.0.1
scheduler_%s
vendor_id
S:(ML;;NW;;;LW)
D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)
scheduler_%d
standalonemtm
vendor_id
mainprocessoverride
RandomListenPortBase
/rpersist2/%d
/rpersist3/%d
NTDLL.DLL
LdrLoadDll
LdrGetProcedureAddress
ZwProtectVirtualMemory
LdrLoadDll
NTDLL.DLL
LdrGetProcedureAddress
NTDLL.DLL
ZwProtectVirtualMemory
NTDLL.DLL
LdrLoadDll
NTDLL.DLL
kernelbase
CreateRemoteThread
kernelbase
RtlCreateUserThread
NTDLL.DLL
RtlCreateUserThread
NTDLL.DLL
RtlDecompressBuffer
ntdll.dll
ZwWow64QueryInformationProcess64
NTDLL.DLL
VirtualQuery
KERNEL32.DLL
IsWow64Process
KERNEL32.DLL
Wow64EnableWow64FsRedirection
KERNEL32.DLL
LoadLibraryA
KERNEL32.DLL
ZwWow64ReadVirtualMemory64
NTDLL.DLL
NTDLL.DLL
ZwWow64QueryInformationProcess64
ZwGetContextThread
NTDLL.DLL
ZwSetContextThread
NTDLL.DLL
ZwMapViewOfSection
NTDLL.DLL
ZwUnmapViewOfSection
NTDLL.DLL
LoadLibraryA
KERNEL32.DLL
KERNEL32.DLL
LoadLibraryW
FreeLibrary
ping localhost -n 10 > nul
del %%0
attrib -r -s -h %%1
del %%1
if exist %%1 goto %u
del %%0
%02u-%02u-%02u %02u:%02u:%02u
SystemFunction036
advapi32.dll
UuidCreateSequential
RPCRT4.dll
BOCHS
INTEL  - 6040000
FTNT-1
prleth.sys
hgfs.sys
vmhgfs.sys
dbghelp.dll
sbiedll.dll
CurrentUser
Sandbox
SANDBOX
7SILVIA
SystemBiosVersion
HARDWARE\DESCRIPTION\System
VideoBiosVersion
HARDWARE\DESCRIPTION\System
VirtualBox
SystemBiosVersion
SOFTWARE\Microsoft\Windows\CurrentVersion
55274-640-2673064-23950
76487-644-3177037-23510
76487-337-8429955-22614
dropper_dll_service.dll
ServiceHandler
ServiceMain
StrCmpIW
StrStrIA
StrCatW
StrStrIW
StrRChrW
StrStrA
StrDupW
StrCpyW
StrCpyNW
SHLWAPI.dll
GetProcessImageFileNameA
PSAPI.DLL
RtlRandom
_strupr
NtMapViewOfSection
RtlNtStatusToDosError
NtUnmapViewOfSection
NtCreateSection
ZwClose
ZwOpenProcess
ZwOpenProcessToken
ZwQueryInformationToken
NtQuerySystemInformation
strrchr
strchr
_vsnwprintf
ntdll.dll
CreateEnvironmentBlock
DestroyEnvironmentBlock
GetProfilesDirectoryW
USERENV.dll
WS2_32.dll
WinHttpCloseHandle
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpOpen
WinHttpSetTimeouts
WinHttpConnect
WinHttpOpenRequest
WinHttpSetOption
WinHttpAddRequestHeaders
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpQueryHeaders
WINHTTP.dll
LoadLibraryA
GlobalFindAtomA
FindAtomA
HeapAlloc
lstrlenW
GetProcessHeap
HeapFree
CreateFileW
CloseHandle
CreateEventW
WaitForMultipleObjects
ReadFile
SetEvent
OpenProcess
ProcessIdToSessionId
GetLastError
GetProcessTimes
CreateMutexA
GetProcAddress
GetModuleHandleW
GetCurrentProcess
Sleep
ExpandEnvironmentStringsW
CreateProcessW
TerminateProcess
CreateThread
DeleteAtom
FindAtomW
ExitThread
AddAtomW
lstrlenA
WaitForSingleObject
GetCurrentProcessId
ExitProcess
GetModuleHandleA
VirtualProtect
VirtualAlloc
CreateMutexW
GetTickCount
GetCommandLineA
GetModuleFileNameW
SetEnvironmentVariableA
MultiByteToWideChar
lstrcpyA
GetSystemDirectoryW
lstrcatW
FindFirstFileW
FindNextFileW
FindClose
GetEnvironmentVariableA
GlobalMemoryStatusEx
GetSystemInfo
GlobalAlloc
LocalFree
GlobalFree
CreateEventA
TerminateThread
GetEnvironmentVariableW
SetEnvironmentVariableW
GetFileSize
SetFilePointer
WriteFile
SetEndOfFile
lstrcpyW
GetComputerNameA
WideCharToMultiByte
GetVersion
GetComputerNameW
CreateRemoteThread
GetExitCodeThread
GetShortPathNameW
lstrcmpA
VirtualFree
lstrcmpiA
FileTimeToSystemTime
HeapReAlloc
LocalAlloc
lstrcmpW
CreateFileMappingW
MapViewOfFile
OpenFileMappingW
UnmapViewOfFile
GetSystemTimeAsFileTime
SystemTimeToTzSpecificLocalTime
GetFileAttributesW
GetFileAttributesA
lstrcatA
GetWindowsDirectoryA
KERNEL32.dll
wsprintfW
wsprintfA
GetShellWindow
GetWindowThreadProcessId
GetForegroundWindow
USER32.dll
RegCreateKeyExW
RegSetValueExW
RegCloseKey
RegOpenKeyW
OpenProcessToken
GetTokenInformation
LookupAccountSidW
DuplicateTokenEx
SetTokenInformation
AllocateAndInitializeSid
GetLengthSid
FreeSid
CreateProcessAsUserW
GetUserNameW
RegQueryValueExW
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
CheckTokenMembership
CreateWellKnownSid
GetSidSubAuthorityCount
GetSidSubAuthority
ConvertStringSecurityDescriptorToSecurityDescriptorA
RegOpenKeyExW
RegDeleteValueW
SetServiceStatus
RegisterServiceCtrlHandlerW
OpenSCManagerW
CreateServiceW
ChangeServiceConfig2W
RegCreateKeyW
StartServiceW
DeleteService
CloseServiceHandle
SetEntriesInAclW
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
SetFileSecurityW
LookupPrivilegeValueW
AdjustTokenPrivileges
ConvertSidToStringSidW
RegCreateKeyA
GetUserNameA
ADVAPI32.dll
ShellExecuteExW
SHELL32.dll
CoInitializeEx
CoUninitialize
CoCreateInstance
CoInitialize
CoTaskMemFree
ole32.dll
_allshl
_aullshr
memcpy
memset
Shell
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
SESSION:\\%s\%s\%d
kernel32
SeCreateTokenPrivilege
SeAssignPrimaryTokenPrivilege
SeLockMemoryPrivilege
SeIncreaseQuotaPrivilege
SeUnsolicitedInputPrivilege
SeMachineAccountPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeCreatePagefilePrivilege
SeCreatePermanentPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeChangeNotifyPrivilege
SeRemoteShutdownPrivilege
SeUndockPrivilege
SeSyncAgentPrivilege
SeEnableDelegationPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeTrustedCredManAccessPrivilege
SeRelabelPrivilege
SeIncreaseWorkingSetPrivilege
SeTimeZonePrivilege
SeCreateSymbolicLinkPrivilege
winsta0\default
svchost.exe
%SystemRoot%\system32\svchost.exe
rundll32
%SystemRoot%\system32\svchost.exe
ServiceEntryPointThread
SiInstallAndStartServiceThread
Range: bytes=%d-
2NTDLL.DLL
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0
\*.exe
Local\
Local\
ProcessorNameString
Hardware\DESCRIPTION\System\CentralProcessor\0
vendor_id
USERNAME
UNKNOW
%windir%\system32\cmd.exe
 /c "start %s"
runas
{%08X%04X%04X%04X%08X%04X}
%08X%04X%04X%04X%08X%04X
WinHTTP Example/1.0
login.live.com
twitter.com
%s_%i.dll
%s.dll
y%lu.bat
%lu.bat
Software
Software\AppDataLow
binaryImage%d
%s_%d
%s_%d
binaryImage%d
%s_%d
EventSubsystem
systemprofile
%%SystemRoot%%\System32\svchost.exe -k %s
SYSTEM\CurrentControlSet\Services\%s
Parameters
ServiceDll
DLLPATH
FUNCTIONNAME
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
"%DLLPATH%", %FUNCTIONNAME%
%APPDATA%\Microsoft\Internet Explorer\
%APPDATA%\
%SystemRoot%\SysWOW64\rundll32.exe
%SystemRoot%\System32\rundll32.exe
%SystemRoot%\System32\
SeDebugPrivilege
S-1-5-18
abcdefghijklmnopqrstuvwxyz
%USERDOMAIN%
%COMPUTERNAME%
%s\%s
dll",
rundll32.exe
SeShutdownPrivilege
AppData\Local\Temp
Local Settings\Temp
%s\%s\%s
%SystemRoot%\Temp
%TEMP%\uqjckeguhl.tmp
\Device\Afd
\Device\Afd
wszDllNameSharedSection
List of strings from embedded dlls:

Code:

CertGetCertificateChain
crypt32.dll
CertVerifyCertificateChainPolicy
ntdll.dll
NtQuerySystemInformation
NtQueryObject
nss3.dll
CERT_GetDefaultCertDB
CERT_ImportCerts
CERT_ChangeCertTrust
CERT_DecodeCertFromPackage
CERT_DecodeTrustString
TCu,Cu,Tu
ws2_32.dll
WPUCloseEvent
WPUCloseSocketHandle
WPUCreateEvent
WPUCreateSocketHandle
WPUFDIsSet
WPUGetProviderPath
WPUModifyIFSHandle
WPUPostMessage
WPUQueryBlockingCallback
WPUQuerySocketHandleContext
WPUQueueApc
WPUResetEvent
WPUSetEvent
WPUOpenCurrentThread
WPUCloseThread
WSPStartup
mswsock.dll
StrStrIW
PathRemoveExtensionW
SHLWAPI.dll
CertOpenStore
CertGetIntendedKeyUsage
CertCloseStore
CertGetNameStringA
CertGetCertificateContextProperty
CertEnumCertificatesInStore
CRYPT32.dll
WSCGetProviderPath
WSAEnumProtocolsW
WSAIoctl
WS2_32.dll
malloc
_strupr
msvcrt.dll
GetLastError
SetLastError
ResumeThread
GetThreadContext
SetThreadContext
VirtualQuery
GetCurrentProcess
GetCurrentThread
FlushInstructionCache
VirtualAlloc
VirtualProtect
GetCurrentThreadId
SuspendThread
CloseHandle
GetProcAddress
LoadLibraryA
HeapAlloc
HeapFree
GetProcessHeap
GetCurrentProcessId
Sleep
LocalFree
CreateThread
LocalAlloc
lstrlenA
GetModuleFileNameA
LoadLibraryW
GetModuleHandleA
ExpandEnvironmentStringsW
KERNEL32.dll
memcpy
memset
Main dlls:
https://virustotal.com/en/file/bf577993 ... /analysis/
https://virustotal.com/en/file/051134ba ... /analysis/

Certificate related dlls:
https://virustotal.com/en/file/3a1c2334 ... /analysis/
https://virustotal.com/en/file/c80543d9 ... /analysis/
https://virustotal.com/en/file/497b28ce ... /analysis/
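Added example (not code from the thread, the poster or the sample): a small Python SDDL parser that decodes the two security-descriptor strings that appear in the main dll string dump above, S:(ML;;NW;;;LW) and D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA), into readable ACE records. The abbreviation tables are the documented SDDL short forms, limited to the codes needed here plus a few common ones; anything unknown is passed through unchanged.

```python
# Added example for this thread (not code from the sample or the poster): a
# small SDDL parser that decodes the security descriptor strings in the
# string dump above into readable ACE records.
import re

# Documented SDDL short forms (a subset; unknown codes pass through as-is).
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED",
             "AU": "SYSTEM_AUDIT", "ML": "SYSTEM_MANDATORY_LABEL"}
ACE_FLAGS = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT",
             "NP": "NO_PROPAGATE_INHERIT", "IO": "INHERIT_ONLY",
             "ID": "INHERITED"}
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
          "GX": "GENERIC_EXECUTE", "NW": "NO_WRITE_UP", "NR": "NO_READ_UP",
          "NX": "NO_EXECUTE_UP"}
TRUSTEES = {"BG": "Built-in Guests", "AN": "Anonymous Logon",
            "AU": "Authenticated Users", "BA": "Built-in Administrators",
            "SY": "Local System", "WD": "Everyone",
            "LW": "Low Mandatory Level", "ME": "Medium Mandatory Level",
            "HI": "High Mandatory Level"}

# A descriptor is up to four sections: O:owner G:group D:dacl S:sacl.
SECTION_RE = re.compile(r"([OGDS]):((?:(?![OGDS]:).)*)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def _pairs(s, table):
    """Split a run of two-letter SDDL codes and map each through table."""
    return [table.get(s[i:i + 2], s[i:i + 2]) for i in range(0, len(s), 2)]


def parse_ace(text):
    """Parse one ACE body 'type;flags;rights;object;inherit_object;sid'."""
    fields = text.split(";")
    if len(fields) != 6:
        raise ValueError(f"malformed ACE: {text!r}")
    ace_type, flags, rights, _obj, _inh_obj, sid = fields
    return {
        "type": ACE_TYPES.get(ace_type, ace_type),
        "flags": _pairs(flags, ACE_FLAGS),
        # Rights may also be a hex access mask such as 0x1f01ff.
        "rights": [rights] if rights.lower().startswith("0x")
        else _pairs(rights, RIGHTS),
        "trustee": TRUSTEES.get(sid, sid),
    }


def parse_sddl(sddl):
    """Return the owner, group, DACL and SACL sections of an SDDL string."""
    result = {"owner": None, "group": None, "dacl": None, "sacl": None}
    names = {"O": "owner", "G": "group", "D": "dacl", "S": "sacl"}
    for m in SECTION_RE.finditer(sddl):
        key, body = m.group(1), m.group(2)
        if key in ("O", "G"):
            result[names[key]] = TRUSTEES.get(body, body)
        else:
            first = body.find("(")
            control = body if first < 0 else body[:first]  # e.g. P, AI, AR
            result[names[key]] = {
                "control": control,
                "aces": [parse_ace(a) for a in ACE_RE.findall(body)],
            }
    return result


def describe(sddl):
    """One human-readable line per ACE, in the order they appear."""
    parsed = parse_sddl(sddl)
    lines = []
    for section in ("dacl", "sacl"):
        acl = parsed[section]
        if not acl:
            continue
        for ace in acl["aces"]:
            flags = ",".join(ace["flags"]) or "-"
            lines.append(f"{section.upper()} {ace['type']} "
                         f"{'+'.join(ace['rights'])} -> {ace['trustee']} "
                         f"[{flags}]")
    return lines


# The two descriptor strings from the main dll string list above.
GOOTKIT_DACL = ("D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)"
                "(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)")
GOOTKIT_SACL = "S:(ML;;NW;;;LW)"

if __name__ == "__main__":
    for line in describe(GOOTKIT_DACL) + describe(GOOTKIT_SACL):
        print(line)
```

Decoded, the DACL denies all access to Guests and Anonymous Logon and grants full control to Authenticated Users and Administrators, with both inherit flags set; the SACL carries a Low mandatory integrity label with no-write-up. A low label on an object is what a process needs if clients running at low integrity (a sandboxed browser tab, for example) are expected to open it, so seeing this pair in a string dump is a reasonable hint that the module expects to be reached from low-integrity processes.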

r3versesh3ll
Posts: 2
Joined: Wed Dec 07, 2016 10:20 am

Re: Win32/Xswkit (alias Gootkit)

Post by r3versesh3ll » Tue Dec 27, 2016 6:46 pm

Hi Guys

Gootkit

https://twitter.com/benkow_/status/813771762378899456

C&C
hxxp[:]//goldeneggs .club/

DDBB
hxxp[:]//goldeneggs .club/storage/db.sqlite

:o

patriq
Posts: 108
Joined: Fri Jun 28, 2013 8:11 pm

Re: Win32/Xswkit (alias Gootkit)

Post by patriq » Wed Jan 11, 2017 7:04 pm

for the police - drop location Madrid, Spain.
(BIC for BANKIA S.A. bank located in VALENCIA - SPAIN)
gootkit_panel.PNG
