[EP_X0FF]

Thanks for analysis. It seems author of this crapware stuck somewhere in the middle of 200x with his constant attempts to patch system files with shellcode. Well actually expectations for this loader were too high since beginning.

[R136a1]

I have realized that new H1N1 loader isn't the first malware which used the trick with WMI console to elevate privileges. Radamant ransomware used it since the end of December (2015), more of it here.

[0x16/7ton]

Ironically, I found AV "bypass" functionality in that crap.
Early samples have av name hash table

hash_table.png (2.08 KiB) Viewed 808 times

Old sample hash function:

Code: Select all

 for char_ in str_:
        char_int = ord(char_)
        hash_ = (rol(hash_,3) & 0xFFFFFFFF)
        hash_ = (hash_&0xFFFFFF00)|((hash_&0x000000ff)^char_int)

Malware enumerate processes list and check presence of AV processes via hash table. If malware founds any AV processes, it launches process in suspended state and injects payload in it.
Injected payload code is again enumerating AV processes and suspends their threads.

dumb_code.png (2.64 KiB) Viewed 808 times

So basically it is a lame proxy injecting attack. In new samples AFAIK the hash table is cutted.

[ikolor]

next ..

https://www.virustotal.com/en/file/09b6 ... 463670568/

[benkow_]

next ..

https://www.virustotal.com/en/file/09b6 ... 463670568/

h1n1 loader
Panel: hxxp://johnnebifi.com/h/admin.php?do=auth

[ikolor]

next..

https://www.virustotal.com/en/file/d950 ... 464189697/

[benkow_]

next..

https://www.virustotal.com/en/file/d950 ... 464189697/

H1N1 loader

[xors]

https://malwr.com/analysis/ZTJlOWU4OGFk ... c4MDVhZmU/

from hxxp://orhislighmi.com

[comak]

https://malwr.com/analysis/ZTJlOWU4OGFk ... c4MDVhZmU/

from hxxp://orhislighmi.com

Code: Select all

rc4key: xHjj488vs873hGGevvctRWTvc
urls	orhislighmi.com:80/h/gate.php,sofrofhatpa.ru:80/h/gate.php,wasshedtonhar.ru:80/h/gate.php

[teddybear]

Recent sample distributed in Italy via spam:

https://www.virustotal.com/en/file/6875 ... /analysis/

Lots of info in VT comments (not my own work):

Code: Select all

estero .pw/065n2azk.php
halinanos .online/065n2azk.php
ipuzu .site/065n2azk.php

Code: Select all

"botnet":	"new",
"check_config":	327685,
"send_report":	327685,
"check_update":	327685,
"url_config":	"https:// sakovel .xyz/1bahimyegowidezehutez.dat",
"url_webinjects":	"https:// sakovel .xyz/webinjects.dat",
"url_update":	"https:// sakovel .xyz/1bahimyegowidezehutez.exe",
"url_plugin_vnc32":	"https:// sakovel .xyz/vnc32.bin",
"url_plugin_vnc64":	"https:// sakovel .xyz/vnc64.bin",
"url_plugin_vnc_backserver":	"tQwxNuA2+fHsa/puvn94fz6T",
"url_plugin_backsocks":	"https:// sakovel .xyz/backsocks.bin",
"url_plugin_backsocks_backserver":	"tQwxNuA2+fHsa/puvn94fz6T",
"url_plugin_grabber":	"https:// sakovel .xyz/grabber.bin",
"grab_pass":	1,
"grab_form":	1,
"grab_cert":	1,
"grab_cookie":	1,
"grab_del_cookie":	0,