A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #13677  by Xylitol
 Sun Jun 03, 2012 9:33 pm
Attachments
infected
(505.16 KiB) Downloaded 61 times
 #17722  by Xylitol
 Wed Jan 16, 2013 8:22 am
Code:
ApiHooker.cpp
HermesCore.cpp
InetSession.cpp
LowILSupport.cpp
ProdIdMan.cpp
SysSecInfo.cpp
UrlMan.cpp
WMIinfo.cpp
PipeItem.cpp
PipeMan.cpp
Code:
- C:\projects\astbase\Projects\HermesCore\Release\HermesCore.pdb
- HermesCore.dll
Code:
http://hokobu.de/phpBB/g.php
http://tuscanvalleyhomes.com/js/g.php
http://arcicecina.it/img/g.php
http://www.cheapkidsbikes.net/bmx/g.php
http://sopranosinc.com/css/g.php
http://sweety-lingerie.be/libs/g.php
http://orfevrerie.nl/lib/g.php
http://0083b5f.netsolhost.com/mobile/g.php
http://neapolisfm.com/img/g.php
http://yourmyteam.com/g.php
http://mcsrecording.com.au/images/g.php
http://pro-wax.nl/lib/g.php
http://salanki.hu/regi/g.php
http://yfbfashion.fr/sites/g.php
Code:
.?AV_com_error@@
.?AVCApiHooker@@
.?AVCAtlException@ATL@@
.?AVCDynDomain@@
.?AVCHermesCore@@
.?AVCDataBuffer@@
.?AUIHermesCore5@@
.?AUIHermesCore3@@
.?AUIHermesCore2@@
.?AUIHermesCore@@
.?AVIDataBuffer@@
.?AUIModuleBase@@
.?AVexception@std@@
.?AVout_of_range@std@@
.?AVlogic_error@std@@
.?AVlength_error@std@@
.?AVbad_alloc@std@@
.?AVCLogger@@
.?AUILogger@@
.?AVCLowILSupport@@
.?AUIHermesCore4@@
.?AV?$ctype@D@std@@
.?AUctype_base@std@@
.?AVfacet@locale@std@@
.?AVruntime_error@std@@
.?AVfailure@ios_base@std@@
.?AVbad_cast@std@@
.?AVCSecurityDesc@ATL@@
.?AVCAccessAce@CDacl@ATL@@
.?AVCDacl@ATL@@
.?AVCAce@CAcl@ATL@@
.?AVCAcl@ATL@@
.?AVCSid@ATL@@
Code:
CreateProcessA
CreateProcessW
kernel32.dll
CreateProcessAsUserA
CreateProcessAsUserW
Init: 0x%x %d %d %d %d
.\ApiHooker.cpp
[%s(%u)] %s
HCPA: %u %d %d
HCPW: %u %d %d
HCPUA: %u %d %d
HCPUW: %u %d %d
Advapi32.dll
%s%02d%d
http://%s.com/g/m.php
IsWow64Process
kernel32
AppData
Adobe
Microsoft
Mozilla
Macromedia
Media Center Programs
WinRAR
Apple
Skype
vlc
ICQ
Media Player Classic
Microsoft Corporation
Opera
TeamViewer
Windows Desktop Search
Windows Search
Google
Google Inc.
Dropbox
Sun
Identities
Upgrade
renovator
Validator
UpgradeHelper
UpgradeChecker
LicenseValidator
RpcNtComm
RpcWin32Service
RpcWin32Router
RpcLowAccessPipe
Win32RpcDecrypt
RpcLowReader
Win64Expected
WindowsRpcAccess
RdcRpcController
SearchHelper
Win16Communicator
RpcSearchIndexer
Win32UserFinder
RpcScheduler
Win32Scheduler
Win64GarbageCollector
NtGarbageCollector
Win32Defender
NtCoreDefender
Win32GlobalFinder
Win32RpcAccessCtrl
%d-%02d-%02d %02d:%02d:%02d
[%s]:[%d]:[%d.%d]:[%i]:[%s]:[%u]:[%s(%u)]
GetModuleInterface
SetModuleInjectionLevel: %u %d %d
.\HermesCore.cpp
iexplore.exe
maxthon.exe
opera.exe
firefox.exe
sol.exe
StartWork: Call
StartWork: Unable to Create Main Proc
StopWork: Wait Failed
MainCoreLoop: App Type: %d IL: %d
MainCoreLoop: Build: %u
MainCoreLoop: UNable to Setup Main Timer
DetectAppType: An Unexpected Errror Occurred
explorer.exe
InstallBot: Unable to get installer path
InstallBot: Unable to remove installer
InstallBot: Unable Setup AutoRun
SetupAutoRun: Unable to Get AppData Path
.exe
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SetupAutoRun: Unable to Open Reg key
PersistFile
PersistFolder
.dat
SaveReserveCopy: Unable to Save Reserve
Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage
SaveReserveCopy: Unable to Open Key
CustomBarMenu
SaveReserveCopy: Unable to Store Value
GetReserveCopyFilePath: Unable to Open Key
ModulesCache
InitModulesInfo: There are %u modules initialized
LoadAllModules: Failed: %u
Low\
~0w
StartAutoRunController: Unalble to Create Event
StartAutoRunController: Unable to Create the Thread
AutoRunControllerLoop: Unable Setup AutoRun
Software\Microsoft\Windows\CurrentVersion\Run
AutoRunControllerLoop: Unable to Open key
GetAutoRunValueName: Unable to Open Reg key
GetAutoRunValueName: Unable to query Reg value
GetAutoRunValueName: Unable to Get Known File Name
StartPipeServerRoutine: Failed on Start
GetPipeName: Unable to Open Reg Key
StartProcIrq
GetPipeName: Unable to Store In Reg
\\.\pipe\%s
GetServerPipeName: Unable to Open Reg Key
GetServerPipeName: Unable to Query Reg Value
ProcessPipeMessages: Msg Size: %u Buffer Size: %u
PPM: %d
ProcessHandShakeMessage: %u %d
ProcessHandShakeMessage: %u Load: %d
ShellExecuteA
SHGetSpecialFolderPathA
\Internet Explorer\iexplore.exe
about:blank
open
RunBrowser: Unable to Start, execute result: %d
ParsePanelReply: Wrong Pckage Magic Value: %u
ParsePanelReply: Buffer Allocation Failed, Size: %u
ParsePanelReply: Unable to Load Attached Data, Size: %u, Buffer unread Size: %u
ParsePanelReply: Success: %d Failed: %d
ProcessPanelPackage: Buffer size: %u
ProcessPanelPackage: NOT Signet Package: %u
ProcessPanelPackage: Not Supported protocol: %u
ProcessPanelPackage: Buffer : %u PayLoad: %u 
ProcessPanelPackage: CheckSumm: %u Calculated: %u
ProcessPanelPackage: Wrong Uncompressed Data Size: %u
ProcessPanelPackage: Data Decompression Failed
ProcessPanelPackage: Uncompressed Size: %u is NOT equal to Real Size: %u
ProcessPanelPackage: Module: %u CMD: %u CRC: %u
ProcessDataSender: Data: %u Sending Failed
ProcessDataSender: Out: %u In: %u
ProcessDataSender: Result: %d
ProcessSendDataMessage: NOBRO: %d
ProcessSendDataMessage: Data Size: %u
ProcessSendDataMessage: Thread Failed on Create
SendDataToPanel: API initialization failed
GeneratePanelDataPackage: Data Compression Failed
Software\Microsoft\Windows\CurrentVersion\Explorer
Browse Files
GetBotId: Unable to Set Value
Browse Folders
GetBotId: Unable to Set Second Value
GetBotId: Unable to Set second value only
GetBotId: Unable to Open key
PanelKnockerProc: Notification failed
InstallModule: Unable to Get Module Path
InstallModule: Unable to Save
InstallModule: Failed
InstallModule: Unable to Load Module
InstallModule: Interface pointer is NULL
InstallModule: Unexpected module ID
tmp
SaveAndRun: Unable to Start, execute result: %d
SetModuleLogLevel: %u %u
CollectSystemInfo: Unable to Get Version Info
SOFTWARE\Microsoft\Windows NT\CurrentVersion
CollectSystemInfo: Unable to Open Key
InstallDate
CollectSystemInfo: Unable to Query Value
Global\NtKernelTrusted
InitTrustedLock: Failed on Mutex Creation
CheckTrustedLock: Opening Failed
UpdateCore: Size: %u
UpdateCore: Reserve Copy: %d
UpdateCore: AutoRun: %d
UpdateCore: Unable Setup AutoRun
UpdateCore: Unable to Save File
UpdateCore: Success!
UpdateCore: Going to Reboot System
UpdateAutoRunFile: Unable to Get AutoRun Value
UpdateAutoRunFile: Unable to Open RUN Key
UpdateAutoRunFile: Unable to Get Size
UpdateAutoRunFile: Size is Zero
UpdateAutoRunFile: Unable to Get File Path
UpdateAutoRunFile: Unable to Save File
UpdateAutoRunFile: DONE!
GetAutoRunFilePath: Unable to Open Key
SetAutoRunValue: Unable to Open Key
SetAutoRunValue: Unable to Set Value
Global\NtSys32AutoLock
AutoRunChangeLock: Unable Create/Open Mutex
AutoRunChangeLock: Unable to Create Mutex
ProcessLoadModuleMessage: Add Module: %u
ProcessLoadModuleMessage: Module: %u Result: %d
OnLoadModules: Call
OnLoadModules: Installing: %u Result: %d
SeShutdownPrivilege
ValidatePanelResponse: Low Data
ValidatePanelResponse: Wrong Signed Package
RunShellProgram: NO Quotes: %d
RunShellProgram: NO End Quote
RunShellProgram: EXE: '%s' ARG: '%s' SW: %u
RunShellProgram: Unable to Get SHELL PROC
RunShellProgram: %d
SendHandShakeMessage: Unable to Send HandShake message
AddCmdInfo: Unable to Open Key
PackageStore
AddCmdInfo: Unable to Get Value
AddCmdInfo: Unable to Set Value
AddCmdInfo: %u
CollectPkgCrc: Unable to Get Value, Size: %u
CollectPkgCrc: %u
CollectPkgCrc: Vec: %u
RemoteNotifyModule: Sending Failed
ProcessRemoteNotifyModule: Data Size: %u
ProcessRemoteNotifyModule: Result: %d
\syswow64\explorer.exe
RunWow64Trusted: Process Failed
RunWow64Trusted: 0x%x:%u
NtZeroWow64Access
TrustedWow64Lock: Unable to Open
TrustedWow64Lock: Create Failed
TrustedWow64Lock: Wait: 0
TrustedWow64Lock: Wait: 1
TrustedWow64Lock: Wait failed
invalid map/set<T> iterator
map/set<T> too long
vector<T> too long
shell32.dll
Wininet.dll
InternetCloseHandle
InternetOpenA
InternetSetOptionA
InternetConnectA
HttpOpenRequestA
HttpSendRequestExA
InternetWriteFile
HttpEndRequestA
InternetReadFile
HttpQueryInfoA
InternetCrackUrlA
SetUrl: URL is Empty
.\InetSession.cpp
MakeConnection: Failed on 'InternetOpen'
MakeConnection: Failed On 'InternetConnect'
POST
MakeRequest: Failed on 'HttpOpenRequest'
Content-Type: application/octet-stream
SendRequestData: Failed On 'HttpSendRequestEx'
SendRequestData: Bytes Written: %u Total: %u Sent: %u
SendRequestData: Failed On 'InternetWriteFile'
SendRequestData: Failed On 'HttpEndRequest'
ReceiveResponse: There are %u bytes received
ReceiveResponse: Status: %d
ReceiveResponse: Unable To Get Response Code
PostData: Sending Buffer Size: %u
StartCurrId
~Au
StartMainId
~Dm
StartCurrMask
StartMainMask
NtControlPipe
\\.\pipe\%s.%d
.\LowILSupport.cpp
ios_base::badbit set
ios_base::failbit set
ios_base::eofbit set
MD5::update:  Can't update a finalized digest!
MD5::finalize:  Already finalized this digest!
finalized the digest!
MD5::hex_digest:  Can't get digest if you haven't 
%02x
bad cast
Analyze: Buffer Size: %u
.\ProdIdMan.cpp
Analyze: DOS Header Failed
Analyze: DOS Stub Buffer Allocation Failed
Analyze: DOS Stub Buffer Failed
Analyze: NT Header Failed
Analyze: Section Header Failed: %u
Analyze: NT Section Stub Failed: %u
Analyze: Section Stub Read Position: %u
Analyze: Key2 Read Failed
Analyze: Key1 Read Failed
Analyze: Success!
CheckStub: Failed, Size: %u
CheckStub: Failed, Pos: %u
CheckStub: Unable to Read Data
ValidateProdId: %x:%x-%x:%x-%x
Wscapi.dll
CollectSecProvInfo: Failed on Load
.\SysSecInfo.cpp
WscGetSecurityProviderHealth
CollectSecProvInfo: Unable to get Proc Address
5prluzcidm
aHR0cDovL2hva29idS5kZS9waHBCQi9nLnBocA==
aHR0cDovL3R1c2NhbnZhbGxleWhvbWVzLmNvbS9qcy9nLnBocA==
aHR0cDovL2FyY2ljZWNpbmEuaXQvaW1nL2cucGhw
aHR0cDovL3d3dy5jaGVhcGtpZHNiaWtlcy5uZXQvYm14L2cucGhw
aHR0cDovL3NvcHJhbm9zaW5jLmNvbS9jc3MvZy5waHA=
aHR0cDovL3N3ZWV0eS1saW5nZXJpZS5iZS9saWJzL2cucGhw
aHR0cDovL29yZmV2cmVyaWUubmwvbGliL2cucGhw
aHR0cDovLzAwODNiNWYubmV0c29saG9zdC5jb20vbW9iaWxlL2cucGhw
aHR0cDovL25lYXBvbGlzZm0uY29tL2ltZy9nLnBocA==
aHR0cDovL3lvdXJteXRlYW0uY29tL2cucGhw
aHR0cDovL21jc3JlY29yZGluZy5jb20uYXUvaW1hZ2VzL2cucGhw
aHR0cDovL3Byby13YXgubmwvbGliL2cucGhw
aHR0cDovL3NhbGFua2kuaHUvcmVnaS9nLnBocA==
aHR0cDovL3lmYmZhc2hpb24uZnIvc2l0ZXMvZy5waHA=
GetUrl: Use DynDom: %d:%d
.\UrlMan.cpp
GetUrl: Index: %u
GetUrl: %u
http://
AdvancedImages
StoreAdvUrls: Unable to Open Key
StoreAdvUrls: Unable to set Value
LoadAdvUrls: Reg Buffer is Corrupted
RemoveUrls: Unable to Open Reg Key
StartUrlId
GetCurrentIndex: Failed: %u
Init: Failed on COM initialization, Result: 0x%x
.\WMIinfo.cpp
Init: Failed on Security Initialization, Result: 0x%x
Init: Failed to create WBEM Locator Object, Result: 0x%x
ConnectServer: Failed, Result: 0x%x
ConnectServer: Could not set proxy blanket, Result: 0x%x
WQL
ExecuteQuery: WQL Query Failed, Result: 0x%x
NextItem: Failed, Result: 0x%x
NextItem: No More Item
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
?456789:;<=
 !"#$%&'()*+,-./0123
ReadData: Thread: %u, Unable to Get Expected buffer size
.\PipeItem.cpp
ReadData: Thread: %u, Timed Out after %u ms
ReadData: Thread: %u, Wait Failed
WriteData: Invalid Pipe Handle: 0x%x
WriteData: Invalid Buffer: 0x%x Size: %u
WriteData: Thread: %u, Not All Sent %u:%u
WriteData: Thread: %u, Writing failed
WriteData: Thread: %u, Unable to get overlapped result
WriteData: Thread: %u, Not All Transferred %u:%u
WriteData: Thread: %u, Wait Failed
SetPipeHandle: Read Event Failed
SetPipeHandle: Write Event Failed
StartAsServer: Pipe Name May NOT be Empty
.\PipeMan.cpp
StartAsServer: Stop Event Creation Failed
StartAsServer: Server Routine Thread Creation Failed
ServerRoutine: Unable to Create Event
ServerRoutine: Unable to Create Server Item Processing Thread
ServerRoutine: Unable to Create Informer Thread
S:(ML;;NW;;;LW)
CreatePipeInstance: Failed on Create
WaitForPipeConnection: Unable to get overlapped result
WaitForPipeConnection: Wait Failed
PipeItemProc: Unable to Get Pipe Item for: %u
PipeItemProc: Thread: %u Data validation failed, size: %u
PipeItemProc: Thread: %u Unable to Create Informer Thread
StopServer: Wait Timed Out
StopServer: Wait Failed
StartAsClient: An Unexpected Error occurred
StartAsClient: timed out.
StartAsClient: Unable to set Pipe State
StartAsClient: Unable to Create Main Stop Event
StartAsClient: Pipe Item Initialization failed
StartAsClient: Unable to Create Main Thread
StopClient: Wait Failed
StopClient: Wait Timed Out
RSDSo
D\h
C:\projects\astbase\Projects\HermesCore\Release\HermesCore.pdb
9~6b
wdc
VirtualProtect
WriteProcessMemory
GetCurrentProcess
GetProcAddress
VirtualAlloc
ReadProcessMemory
GetModuleHandleA
LoadLibraryA
FreeLibrary
CreateProcessA
CreateProcessW
CreateFileA
GetFileSize
ReadFile
CloseHandle
SetFilePointer
WriteFile
GetWindowsDirectoryA
GetSystemDirectoryA
GetEnvironmentVariableA
GetTempPathA
GetModuleFileNameA
InitializeCriticalSection
DeleteCriticalSection
GetLastError
EnterCriticalSection
LeaveCriticalSection
GetCurrentProcessId
CreateThread
WaitForSingleObject
DeleteFileA
Sleep
CreateDirectoryA
lstrlenW
WideCharToMultiByte
GetTempFileNameA
CreateEventA
SetEvent
WaitForMultipleObjects
GetCurrentThreadId
InterlockedIncrement
SetLastError
lstrlenA
GetTickCount
ExpandEnvironmentStringsA
GetVersionExA
CreateMutexA
OpenMutexA
ReleaseMutex
OpenProcess
SizeofResource
LockResource
LoadResource
FindResourceA
FindResourceExA
LocalAlloc
LocalFree
InterlockedDecrement
KERNEL32.dll
PostThreadMessageA
SetTimer
GetMessageA
ExitWindowsEx
USER32.dll
CreateProcessAsUserA
CreateProcessAsUserW
RegCloseKey
RegCreateKeyExA
RegSetValueExA
RegOpenKeyExA
RegQueryValueExA
RegNotifyChangeKeyValue
RegDeleteValueA
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
GetTokenInformation
GetSidSubAuthority
ADVAPI32.dll
CoCreateGuid
StringFromGUID2
CoUninitialize
CoInitializeEx
CoInitializeSecurity
CoCreateInstance
CoSetProxyBlanket
ole32.dll
OLEAUT32.dll
PeekNamedPipe
GetOverlappedResult
DisconnectNamedPipe
ResetEvent
ResumeThread
CreateNamedPipeA
ConnectNamedPipe
WaitNamedPipeA
SetNamedPipeHandleState
HeapDestroy
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
GetProcessHeap
RaiseException
GetSystemTimeAsFileTime
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetCommandLineA
GetModuleHandleW
ExitProcess
RtlUnwind
LCMapStringA
MultiByteToWideChar
LCMapStringW
GetCPInfo
GetTimeZoneInformation
HeapCreate
VirtualFree
GetStdHandle
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
GetACP
GetOEMCP
IsValidCodePage
SetHandleCount
GetFileType
GetStartupInfoA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
InitializeCriticalSectionAndSpinCount
GetConsoleCP
GetConsoleMode
FlushFileBuffers
GetUserDefaultLCID
GetLocaleInfoA
EnumSystemLocalesA
IsValidLocale
GetStringTypeA
GetStringTypeW
GetLocaleInfoW
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
CompareStringA
CompareStringW
SetEnvironmentVariableA
GetSidLengthRequired
InitializeSid
CopySid
GetLengthSid
IsValidSid
InitializeAcl
AddAce
GetAclInformation
ConvertStringSecurityDescriptorToSecurityDescriptorA
GetSecurityDescriptorOwner
GetSecurityDescriptorGroup
GetSecurityDescriptorDacl
SetSecurityDescriptorDacl
GetSecurityDescriptorSacl
MakeSelfRelativeSD
GetSecurityDescriptorLength
GetSecurityDescriptorControl
MakeAbsoluteSD
InitializeSecurityDescriptor
HermesCore.dll
FreeCore
InitCore
Ref: http://blog.eset.com/2012/08/13/win32ga ... d-analysis
From: http://www.kernelmode.info/forum/viewto ... =20#p17698

Hermes.exe: https://www.virustotal.com/file/3332731 ... 358324310/ > 28/46
Unpack: https://www.virustotal.com/file/31d2fc3 ... 358324331/ > 34/46
HermesCore: https://www.virustotal.com/file/c579bfa ... 358324342/ > 13/46
Attachments
infected
(598.61 KiB) Downloaded 78 times
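The post above carries the same C2 configuration twice: once as the plaintext URL list and once as the base64 strings that sit just before ".\UrlMan.cpp" in the string dump. The Python below is an added example (not code from the post, and not code from the sample) that decodes the embedded list with the standard alphabet, confirms it matches the plaintext list entry for entry, and pulls out the hostnames for a blocklist or proxy/DNS log match. The assumption is that the decode table visible in the dump ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/") is the standard base64 alphabet, so no custom translation table is needed; the function names are mine.

```python
import base64
from urllib.parse import urlsplit

# Both lists are copied from the post: the encoded entries from the
# string dump and the plaintext URLs the poster listed separately.
ENCODED_URLS = [
    "aHR0cDovL2hva29idS5kZS9waHBCQi9nLnBocA==",
    "aHR0cDovL3R1c2NhbnZhbGxleWhvbWVzLmNvbS9qcy9nLnBocA==",
    "aHR0cDovL2FyY2ljZWNpbmEuaXQvaW1nL2cucGhw",
    "aHR0cDovL3d3dy5jaGVhcGtpZHNiaWtlcy5uZXQvYm14L2cucGhw",
    "aHR0cDovL3NvcHJhbm9zaW5jLmNvbS9jc3MvZy5waHA=",
    "aHR0cDovL3N3ZWV0eS1saW5nZXJpZS5iZS9saWJzL2cucGhw",
    "aHR0cDovL29yZmV2cmVyaWUubmwvbGliL2cucGhw",
    "aHR0cDovLzAwODNiNWYubmV0c29saG9zdC5jb20vbW9iaWxlL2cucGhw",
    "aHR0cDovL25lYXBvbGlzZm0uY29tL2ltZy9nLnBocA==",
    "aHR0cDovL3lvdXJteXRlYW0uY29tL2cucGhw",
    "aHR0cDovL21jc3JlY29yZGluZy5jb20uYXUvaW1hZ2VzL2cucGhw",
    "aHR0cDovL3Byby13YXgubmwvbGliL2cucGhw",
    "aHR0cDovL3NhbGFua2kuaHUvcmVnaS9nLnBocA==",
    "aHR0cDovL3lmYmZhc2hpb24uZnIvc2l0ZXMvZy5waHA=",
]

PLAINTEXT_URLS = [
    "http://hokobu.de/phpBB/g.php",
    "http://tuscanvalleyhomes.com/js/g.php",
    "http://arcicecina.it/img/g.php",
    "http://www.cheapkidsbikes.net/bmx/g.php",
    "http://sopranosinc.com/css/g.php",
    "http://sweety-lingerie.be/libs/g.php",
    "http://orfevrerie.nl/lib/g.php",
    "http://0083b5f.netsolhost.com/mobile/g.php",
    "http://neapolisfm.com/img/g.php",
    "http://yourmyteam.com/g.php",
    "http://mcsrecording.com.au/images/g.php",
    "http://pro-wax.nl/lib/g.php",
    "http://salanki.hu/regi/g.php",
    "http://yfbfashion.fr/sites/g.php",
]


def decode_url_list(encoded):
    """Decode every entry with the standard base64 alphabet.

    Assumption: the decode table in the dump is the standard alphabet, so
    plain b64decode applies. validate=True makes the decoder reject any
    character outside the alphabet instead of silently skipping it, so a
    corrupted or truncated entry fails loudly rather than decoding to junk.
    """
    decoded = []
    for item in encoded:
        raw = base64.b64decode(item, validate=True)
        decoded.append(raw.decode("ascii"))
    return decoded


def extract_hosts(urls):
    """Sorted, de-duplicated hostnames, the form a blocklist or log search wants."""
    return sorted({urlsplit(u).hostname for u in urls})


def check_against_plaintext(encoded, plaintext):
    """Return decoded entries that are absent from the plaintext list.

    An empty result means the embedded config and the poster's list agree;
    anything returned is a URL the plaintext list missed.
    """
    known = set(plaintext)
    return [u for u in decode_url_list(encoded) if u not in known]


if __name__ == "__main__":
    urls = decode_url_list(ENCODED_URLS)
    for enc, url in zip(ENCODED_URLS, urls):
        print(f"{enc} -> {url}")
    print("hosts:", ", ".join(extract_hosts(urls)))
    print("not in plaintext list:", check_against_plaintext(ENCODED_URLS, PLAINTEXT_URLS))
```

Run as a script it prints each encoded entry beside its decoded URL, then the 14 hostnames; the last line is empty when both lists agree, which is the case for the strings in this post.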