A forum for reverse engineering, OS internals and malware analysis 

 #23474  by iShare2
 Wed Jul 30, 2014 3:43 pm
See the attachment
 #25093  by kmd
 Wed Jan 28, 2015 5:29 pm
Me again 8-) I'm planning to test this rootkit on x64 Windows. Should I take the latest Windows version or try something like Windows 7?
 #25094  by EP_X0FF
 Wed Jan 28, 2015 6:47 pm
kmd wrote:Me again 8-) I'm planning to test this rootkit on x64 Windows. Should I take the latest Windows version or try something like Windows 7?
As far as I remember, this trash uses bcdedit embedded in the dropper to set the TESTSIGNING boot option, with a forced reboot next. Since Windows 8+ with Secure Boot enabled this will no longer work. Take an outdated OS like Vista/7.
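The behaviour EP_X0FF describes (dropper shells out to bcdedit to flip TESTSIGNING, then reboots so the unsigned driver loads) is easy to catch from two angles: process command lines and the current boot configuration. The script below is an added example, not code from the thread or from the malware; the Sysmon-style command lines and the bcdedit /enum output it parses are constructed for the demo.

```python
"""Detect boot-option tampering used to load unsigned drivers:
1. flag bcdedit command lines that enable testsigning / nointegritychecks,
2. parse 'bcdedit /enum' output and report entries where they are on.
Added example; sample inputs below are constructed, not real captures."""
import re

# Boot options that weaken kernel-mode code signing enforcement.
RISKY_OPTIONS = {"testsigning", "nointegritychecks"}
ENABLING_VALUES = {"on", "yes", "1", "true"}


def parse_bcdedit_cmdline(cmdline: str):
    """Return (option, value) when cmdline sets a risky boot option, else None.
    Handles '/set' and '-set', an optional identifier such as {current},
    and a quoted full path to bcdedit.exe. Splits on whitespace, which is
    enough here because bcdedit lives in System32 (no spaces in the path)."""
    argv = cmdline.split()
    if not argv:
        return None
    exe = argv[0].strip('"').rsplit("\\", 1)[-1].lower()
    if exe not in ("bcdedit", "bcdedit.exe"):
        return None
    args = [a.strip('"').lower() for a in argv[1:]]
    for i, a in enumerate(args):
        if a in ("/set", "-set"):
            rest = args[i + 1:]
            if rest and rest[0].startswith("{"):  # {current}, {default}, {GUID}
                rest = rest[1:]
            if len(rest) >= 2 and rest[0] in RISKY_OPTIONS:
                return rest[0], rest[1]
    return None


def is_signature_bypass(cmdline: str) -> bool:
    """True only when a risky option is being turned ON (not off/queried)."""
    hit = parse_bcdedit_cmdline(cmdline)
    return hit is not None and hit[1] in ENABLING_VALUES


def parse_bcdedit_enum(text: str) -> dict:
    """Parse 'bcdedit /enum' style output into {identifier: {key: value}}.
    Data lines are 'key<2+ spaces>value'; section headers and rules are skipped."""
    entries, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s{2,}(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "identifier":
            current = value
            entries[current] = {}
        elif current is not None:
            entries[current][key] = value
    return entries


def weakened_entries(text: str) -> list:
    """Identifiers whose testsigning or nointegritychecks is enabled."""
    out = []
    for ident, kv in parse_bcdedit_enum(text).items():
        if any(kv.get(opt, "").lower() in ENABLING_VALUES for opt in RISKY_OPTIONS):
            out.append(ident)
    return out


# Constructed Sysmon EventID 1 CommandLine values (not real telemetry).
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\bcdedit.exe" /set {current} testsigning on',
    r'bcdedit -set nointegritychecks on',
    r'bcdedit /set {current} testsigning off',
    r'bcdedit /enum {current}',
    r'"C:\Windows\System32\cmd.exe" /c dir',
]

# Constructed 'bcdedit /enum' output for a Windows 7 box after the dropper ran.
SAMPLE_ENUM = r"""Windows Boot Manager
--------------------
identifier              {bootmgr}
description             Windows Boot Manager

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
testsigning             Yes
nointegritychecks       No
"""

if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        print("ALERT" if is_signature_bypass(c) else "ok   ", c)
    print("weakened boot entries:", weakened_entries(SAMPLE_ENUM))
```

Alerting on the command line catches the dropper before the reboot; the /enum parser is the post-hoc check for hosts you suspect were already hit. On Windows 8+ with Secure Boot on, the testsigning option is ignored by the boot loader, which is exactly why EP_X0FF suggests an older OS for testing.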
 #28719  by tim
 Mon Jun 20, 2016 1:23 pm
Has anyone got recent samples of this and the spam module that is linked to Locky/Dridex?
 #28907  by mkroll
 Tue Jul 19, 2016 12:28 pm
Is this a recent unpacked sample? Its config contains the same IPs as the last sample I collected on 2016-05-31. But I can only decrypt some parts of the config currently.
What's the SHA256 of the original sample?

Searching on VT for new Necurs samples, I only find Upatres/Yarwis from 2014, which some "nice person" executes so that the file path is appended to the file, and then reuploads to VT as something new... and some AV vendors detect it as Necurs...

As you probably know, Dridex also has a spam module. But I don't know whether it uses it for "self-advertising", also sells the service to others, or doesn't use it at all.
 #28939  by mkroll
 Tue Jul 26, 2016 4:12 pm
Sorry, tim, I didn't get an email notification for your PMs and I'm still unworthy to compose PMs myself.

I haven't communicated with Necurs CnCs yet, so I cannot say since when it has been offline from my perspective.
 #28972  by mkroll
 Wed Aug 03, 2016 6:24 pm
Today we have seen a big number of requests for the Necurs 32-bit driver component (Avira initially detected it in the cloud as TR/Rootkit.Gen, it's RKit/Necurs now):
https://www.virustotal.com/en/file/58d5 ... /analysis/

The strings in the unpacked driver match the ones mentioned at the beginning of this thread by EP_X0FF. I unpacked the sample manually using an interactive usermode emulator ^_^
WinDefend BITS wuauserv KSLDriver.sys Microsoft Malware Protection KProcessHacker VirusBuster Ltd Beijing Jiangmin SUNBELT SOFTWARE Sunbelt Software K7 Computing Immunet Corporation Beijing Rising G DATA Software Quick Heal Technologies Comodo Security Solutions Sophos Plc Anti-Virus CJSC Returnil Software NovaShield Inc antimalware BullGuard Ltd Check Point Software Technologies Ltd Panda Software International Kaspersky Lab FRISK Software International Ltd ESET, spol. s r.o. Doctor Web Ltd Comodo Inc BitDefender SRL BITDEFENDER LLC Avira GmbH GRISOFT, s.r.o. PC Tools ALWIL Software Agnitum Ltd kprocesshacker.sys Vba32dNT.sys v3engine.sys AntiyFW.sys AhnRec2k.sys ahnflt2k.sys KmxStart.sys KmxAMVet.sys KmxAMRT.sys KmxAgent.sys ssfmonm.sys rvsmon.sys lbd.sys klif.sys kldtool.sys kldlinf.sys kldback.sys klbg.sys avgntflt.sys MiniIcpt.sys PktIcpt.sys HookCentre.sys aswmonflt.sys AVC3.SYS bdfm.sys bdfsfltr.sys AVCKF.SYS issfltr.sys nvcmflt.sys K7Sentry.sys cmdguard.sys mfehidk.sys mfencoas.sys kmkuflt.sys catflt.sys ggc.sys PZDrvXP.sys antispyfilter.sys ZxFsFilt.sys ikfilesec.sys PCTCore.sys PCTCore64.sys fsgk.sys vradfil2.sys savant.sys sascan.sys strapvista64.sys strapvista.sys ssvhook.sys snscore.sys HookSys.sys Rtw.sys cwdriver.sys fpav_rtp.sys fsfilter.sys fildds.sys SCFltr.sys UFDFilter.sys STKrnl64.sys Spiderg3.sys dwprot.sys EstRkr.sys EstRkmon.sys pwipf6.sys OADevice.sys savonaccess.sys fortishield.sys fortirmon.sys fortimon2.sys avgmfrs.sys avgmfi64.sys avgmfx64.sys avgmfx86.sys pervac.sys THFilter.sys issregistry.sys nregsec.sys nprosec.sys shldflt.sys NanoAVMF.sys AntiLeakFilter.sys NxFsMon.sys vchle.sys vcreg.sys vcdriv.sys V3Flu2k.sys OMFltLh.sys AszFltNt.sys AhnRghLh.sys ArfMonNt.sys V3IftmNt.sys V3Ift2k.sys V3MifiNt.sys V3Flt2k.sys ATamptNt.sys SMDrvNt.sys tkfsavxp64.sys tkfsavxp.sys tkfsft64.sys tkfsft.sys BdFileSpy.sys NovaShield.sys eeyehv64.sys eeyehv.sys SegF.sys csaav.sys AshAvScan.sys PLGFltr.sys avmf.sys ino_fltr.sys caavFltr.sys amm6460.sys 
amm8660.sys amfsm.sys PSINFILE.SYS PSINPROC.SYS mpFilter.sys drivesentryfilterdriver2lite.sys vcMFilter.sys tmpreflt.sys tmevtmgr.sys SDActMon.sys MaxProtector.sys eamonm.sys mbam.sys a2acc64.sys a2acc.sys a2gffi64.sys a2gffx64.sys a2gffx86.sys SRTSP64.SYS SRTSPIT.sys SRTSP.sys eraser.sys eeCtrl.sys ZwFlushBuffersFile \??\PCI#VEN_25AF&DEV_0209&SUBSYS_070455AF&REV_00 \Device\NTPNP_PCI2F81 *%08x%08x PAGE Boot Bus Extender Group \SystemRoot\System32\Drivers\ ImagePath Tag Start Type ErrorControl DisplayName %s\Services\%S ControlSet \REGISTRY\MACHINE\SYSTEM \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\%S \SystemRoot\System32\Drivers\%S.sys %x%x services.exe DB1 20101 ObRegisterCallbacks \SystemRoot\ \??\ \SystemRoot\System32\Drivers\%s.sys System32\ * DB5 DB6 \SystemRoot\System32\winload.exe \bootmgr \boot.ini \ntldr \SystemRoot\System32\ *.dll \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services \SystemRoot\System32\ntdll.dll win32k.sys
Instead of "\??\NtSecureSys" and "\Device\NtSecureSys" it's now using "\??\PCI#VEN_25AF&DEV_0209&SUBSYS_070455AF&REV_00" and "\Device\NTPNP_PCI2F81".

Does anybody have a current Necurs downloader or a current 64-bit version of the driver?
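The string dump above (AV vendor names, the list of filter driver file names, and the new device/symlink names) is the kind of thing you want to match against an unpacked driver quickly. The script below is an added example, not code from the thread: it pulls ASCII and UTF-16LE strings out of a blob and reports which of the known indicators it carries. Only a subset of the driver and vendor names from the dump is included, and the input blob is constructed for the demo.

```python
"""Triage an unpacked driver blob against the strings quoted in the thread.
Extracts ASCII and UTF-16LE runs, then matches (case-insensitive, substring)
against a subset of the known AV driver names, vendor names and the device
names. Added example; SAMPLE_BLOB is constructed, not a real sample."""
import re

ASCII_RE = re.compile(rb"[\x20-\x7e]{5,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){5,}")

# Subset of the indicators in the dump above; the real driver list is far longer.
KNOWN_DRIVERS = {"klif.sys", "avgntflt.sys", "aswmonflt.sys", "mfehidk.sys",
                 "SRTSP.sys", "eamonm.sys", "mbam.sys", "kprocesshacker.sys"}
KNOWN_VENDORS = {"Kaspersky Lab", "Avira GmbH", "Beijing Rising", "Doctor Web Ltd"}
KNOWN_DEVICES = {r"\Device\NtSecureSys", r"\??\NtSecureSys",
                 r"\Device\NTPNP_PCI2F81",
                 r"\??\PCI#VEN_25AF&DEV_0209&SUBSYS_070455AF&REV_00"}


def extract_strings(blob: bytes) -> list:
    """Return (encoding, text) for every ASCII or UTF-16LE run of >= 5 chars.
    The wide regex is not alignment-aware, so a trailing ASCII byte can be
    glued onto the front of a wide string; substring matching absorbs that."""
    found = [("ascii", m.group().decode("ascii")) for m in ASCII_RE.finditer(blob)]
    found += [("utf-16le", m.group().decode("utf-16le")) for m in WIDE_RE.finditer(blob)]
    return found


def _match(texts, known) -> list:
    """Known indicators that occur (case-insensitively) inside any extracted string."""
    lowered = [t.lower() for t in texts]
    return sorted(k for k in known if any(k.lower() in t for t in lowered))


def triage(blob: bytes) -> dict:
    """Summarise which thread indicators a blob contains."""
    texts = [t for _, t in extract_strings(blob)]
    drivers = _match(texts, KNOWN_DRIVERS)
    vendors = _match(texts, KNOWN_VENDORS)
    devices = _match(texts, KNOWN_DEVICES)
    return {
        "drivers": drivers,
        "vendors": vendors,
        "devices": devices,
        # Device names are specific to this family; driver names alone are
        # generic AV-killer material, so weight the verdict on the devices.
        "likely_necurs_driver": bool(devices) and (len(drivers) + len(vendors)) >= 2,
    }


# Constructed blob: a few ASCII strings, two UTF-16LE strings, some junk bytes.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"klif.sys\x00" + b"mbam.sys\x00" + b"\xcc" * 7
    + "\\Device\\NTPNP_PCI2F81".encode("utf-16le") + b"\x00\x00"
    + "Beijing Rising".encode("utf-16le") + b"\x00\x00"
    + b"\\SystemRoot\\System32\\Drivers\\%s.sys\x00"
)

if __name__ == "__main__":
    for enc, text in extract_strings(SAMPLE_BLOB):
        print(f"{enc:9} {text}")
    print(triage(SAMPLE_BLOB))
```

Point it at the unpacked driver (not the packed dropper, where these strings are not visible) and extend the KNOWN_* sets with the rest of the dump. On a live Windows host the same device names can be checked directly, since the driver creates \Device\NTPNP_PCI2F81 and the \??\PCI#... symbolic link when it is loaded.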
 #28982  by mkroll
 Fri Aug 05, 2016 3:08 pm
We found a new Necurs from yesterday (https://www.virustotal.com/en/file/d138 ... /analysis/).
The stub is still unchanged, same as the one in the Necurs from http://www.malware-traffic-analysis.net ... index.html distributed by Neutrino EK.
But the config is quite big, 16kB.
Hardcoded CnC seems to be jfbbrj3bbbd.bit/locator.php

Does anybody know where they are coming from? Maybe a fileless exploit kit?