#32305 by Patrick, Thu Dec 06, 2018 7:21 pm
Write-up from Kaspersky from back in Nov.

Anyone ever take a look into this malware? Share your findings and experiences. I've taken a very quick and limited look so far...

Packed w/ UPX (UPX 0/1)
Executing in a non-intended environment only makes a few changes to the OS, like:
Nothing gets dropped here afaik due to the detection and nature of the environment.
Opens IE to the Gusanito webpage, which is the Spanish translation "An endearing term to describe shady, scared and mischievous people. Spanish translation - Worm/Caterpillar."
#32309 by Patrick, Tue Dec 11, 2018 9:50 am
I had some time tonight so I took a look with Olly.

Definitely packed w/ UPX as the program pauses at a PUSHAD unpack stub at 0000F51AD0.
00F51AD0 > $ 60 PUSHAD
If we step into the PUSHAD and follow the ESP register's contents in the memory dump, we wind up at 0000F51AD1, which is the MOV instruction for moving the executable and the ESI register. Highlighting the first 4 hex dump values (zeroed out), setting a hardware breakpoint, and executing the program leads us to 0000F526AA's compare of EAX>ESP. Notice we now also have reached our series of DB00:
00F526AA   . 39C4           CMP ESP,EAX
00F526AC   .^75 FA          JNZ SHORT DarkTequ.00F526A8
00F526AE   . 83EC 80        SUB ESP,-80
00F526B1   .-E9 E882F2FF    JMP DarkTequ.00E7A99E
00F526B6     00             DB 00
00F526B7     00             DB 00
00F526B8     48             DB 48                                    ;  CHAR 'H'
00F526B9     00             DB 00
00F526BA     00             DB 00
00F526BB     00             DB 00
From here we can see our tail jump prior to the first DB00, at address 0000F526B1. If we set a BP on this instruction and then execute the program to trigger it, we can then step over and reach our OEP.
00E7A99E   E8 54120000      CALL DarkTequ.00E7BBF7
The malware does not allow a dump of the process with Olly, so it's likely checking for a debugger environment and may even be deleting its own PE. Not sure.
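The tail-jump arithmetic from the post above, as an added Python example that is not part of the original thread: it lays the bytes quoted in the post out in a constructed buffer at their quoted addresses, scans for the SUB ESP,-80 / JMP rel32 pair, and derives the OEP from the signed rel32 displacement the same way the CPU does. The byte pattern, buffer layout and function names are assumptions tailored to this one stub, not a general UPX signature.

```python
import struct

# Tail-jump byte pattern seen in the post: SUB ESP,-80 (83 EC 80) ; JMP rel32 (E9)
TAIL_JUMP_PATTERN = b"\x83\xEC\x80\xE9"


def find_upx_tail_jump(code: bytes, base_va: int):
    """Scan unpacker-stub bytes for SUB ESP,-80 / JMP rel32 and resolve the OEP.

    code    -- raw bytes of the stub region (e.g. the section holding the unpacker)
    base_va -- virtual address of code[0]
    Returns (jump_va, oep_va), or None when the pattern is absent.
    """
    idx = code.find(TAIL_JUMP_PATTERN)
    if idx < 0 or idx + len(TAIL_JUMP_PATTERN) + 4 > len(code):
        return None
    jmp_off = idx + 3                                  # offset of the E9 opcode
    rel32 = struct.unpack_from("<i", code, jmp_off + 1)[0]   # signed displacement
    jump_va = base_va + jmp_off
    # x86 relative jumps are taken from the end of the 5-byte JMP instruction
    oep_va = (jump_va + 5 + rel32) & 0xFFFFFFFF
    return jump_va, oep_va


def is_pushad_entry(code: bytes, entry_off: int) -> bool:
    """UPX stubs open with PUSHAD (0x60); a quick 'probably packed' triage check."""
    return entry_off < len(code) and code[entry_off] == 0x60


# Constructed sample: the bytes from the post placed at the addresses it quotes.
STUB_BASE = 0x00F51AD0
SAMPLE = bytearray(0x00F526C0 - STUB_BASE)
SAMPLE[0] = 0x60                                       # PUSHAD at 00F51AD0
SAMPLE[0x00F526AA - STUB_BASE:0x00F526BC - STUB_BASE] = bytes.fromhex(
    "39C4"          # CMP ESP,EAX
    "75FA"          # JNZ SHORT 00F526A8
    "83EC80"        # SUB ESP,-80
    "E9E882F2FF"    # JMP 00E7A99E  (the tail jump)
    "000048000000"  # DB 00 00 48 00 00 00 that follows it
)

if __name__ == "__main__":
    print("PUSHAD at entry:", is_pushad_entry(SAMPLE, 0))
    jump_va, oep_va = find_upx_tail_jump(bytes(SAMPLE), STUB_BASE)
    print(f"tail jump at {jump_va:08X}, OEP {oep_va:08X}")
```

The same scan run over a real dump will return the first match only, so confirm the hit sits just before the DB 00 padding as in the listing before trusting the computed OEP.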