A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #8984  by EP_X0FF
 Thu Oct 06, 2011 3:26 am
markusg wrote:0.4658229854220858.exe
MD5   : ec9bdf9d0c71f868b65faeaa62140814
http://www.virustotal.com/file-scan/rep ... 1317836088
Trojan Ransom Bundez Polizei with few features on board. 1 stage contains basic AntiVMs checking + checking presence of Wireshark (because of network features this ransom has on board). It's decrypt and decompresses payload then injects it into svchost.exe copy. Payload has multiple AntiVMs checks inside called in a few places - IDK why did they think this can slowdown or make analysis difficult - this is pretty lame. If something is detected it tries to execute the following nonsense through cmd.exe
"/q /c for /l %%i in (1, 1, 4000000000) do if not exist \"%s\" (exit) else (del /f \"%s\"
or simple quits.

For work it creates new desktop MyDesktop2, hides Program Manager, taskbar windows and starts additional thread that switches desktop and executes main ransom payload. Malware has a timer counter, so basically you can get rid from it by changing system time long forward.

Image

In attach decrypted + patched to get rid of Sandbox/VMS checks so it will work everywhere without any problem.

Posts moved.
Attachments
pass: malware
(54.38 KiB) Downloaded 103 times
 #12309  by EP_X0FF
 Sat Mar 24, 2012 9:31 am
Maxstar wrote:in a virtual mode there not working.
I assume all three samples are identical, so I take care only of one of them. In attach crypter free sample with removed AntiVM part so it should work everywhere.

It is completely similar to http://www.kernelmode.info/forum/viewto ... 8984#p8984 except title.

Posts moved
Attachments
pass: malware
(66.01 KiB) Downloaded 87 times
 #17678  by Kafeine
 Fri Jan 11, 2013 1:37 pm
Seems this Ransomware got some attention since it's being right now deployed via some Cool EK featurings last CVE-2013-0422 and the malware has some AntiVM stuff builtin.
http://joe4security.blogspot.ch/2013/01 ... nical.html

(didn't find a dedicated thread, sorry if one already exist)

Image (one UK Design) :
Image
You'll find a page with the Designs here :
https://www.botnets.fr/index.php/CBeplay.P

Attach some sample i took time to gather including recent one (available also here : http://dl.dropbox.com/u/106864056/CBeplay.Others.zip )
You'll find more sample here :
http://dl.dropbox.com/u/106864056/CBepl ... _to_16.zip (17 samples)
and here :
http://dl.dropbox.com/u/106864056/CBepl ... 8-2012.zip (118 samples from 26-08-2012 to 07-09-2012 when it was pushed via Sakura)
Attachments
17 items - Pass infected
(1.73 MiB) Downloaded 124 times
 #17679  by EP_X0FF
 Fri Jan 11, 2013 1:54 pm
Kafeine wrote:Seems this Ransomware got some attention since it's being right now deployed via some Cool EK featurings last CVE-2013-0422 and the malware has some AntiVM stuff builtin.
From the given description AntiVM isn't changed and equal to http://www.kernelmode.info/forum/viewto ... 8984#p8984 & this http://www.kernelmode.info/forum/viewto ... 309#p12309
 #17891  by kmd
 Sun Jan 27, 2013 1:09 pm
Hi all. Im having trouble running CBeplay samples on virtual pc (xp mode). they quit at start. Is there any antivm for M$ vpc inside? I read from blog entry that it has detection of sandbox and vbox but not vpc.

tya
 #17892  by EP_X0FF
 Sun Jan 27, 2013 1:53 pm
kmd wrote:Hi all. Im having trouble running CBeplay samples on virtual pc (xp mode). they quit at start. Is there any antivm for M$ vpc inside? I read from blog entry that it has detection of sandbox and vbox but not vpc.

tya
It is detecting VPC by two conditions:

1) Querying specific code, that has effect only under Virtual PC.
Code: Select all
.text:00401980 IsVirtualPC:                             ; CODE XREF: Cbeplay_VMDetect:loc_401B58p
.text:00401980                 push    ebp
.text:00401981                 mov     ebp, esp
.text:00401983                 push    0FFFFFFFFh
.text:00401985                 push    offset unk_4032E8
.text:0040198A                 push    offset sub_402288
.text:0040198F                 mov     eax, large fs:0
.text:00401995                 push    eax
.text:00401996                 mov     large fs:0, esp
.text:0040199D                 sub     esp, 0Ch
.text:004019A0                 push    ebx
.text:004019A1                 push    esi
.text:004019A2                 push    edi
.text:004019A3                 mov     [ebp-18h], esp
.text:004019A6                 xor     eax, eax
.text:004019A8                 mov     [ebp-19h], al
.text:004019AB                 mov     [ebp-4], eax
.text:004019AE                 push    ebx
.text:004019AF                 mov     ebx, 0 //flag
.text:004019B4                 mov     eax, 1 //service number
.text:004019B9                 db 00Fh, 03Fh, 007h, 00Bh 

....

.text:004019CF
.text:004019CF loc_4019CF:                            
.text:004019CF                 mov     dword ptr [ebp-4], 0FFFFFFFFh
.text:004019D6                 mov     al, [ebp-19h]
.text:004019D9                 mov     ecx, [ebp-10h]
.text:004019DC                 mov     large fs:0, ecx
.text:004019E3                 pop     edi
.text:004019E4                 pop     esi
.text:004019E5                 pop     ebx
.text:004019E6                 mov     esp, ebp
.text:004019E8                 pop     ebp
.text:004019E9                 retn
*Sorry IDA failed to properly disassemble.

If (IsVirtualPC() == TRUE ) then exit;

Likely this routine above written on pascal as function - assembler block.

2) Querying hard disk name. If it has substring "VIRTUAL" in name then exit.

Since this malware is two staged you will have to extract final binary and patch it. I've already posted links to previous analysis. Absolutely nothing changed.
 #17898  by Buster_BSA
 Sun Jan 27, 2013 5:41 pm
Probably the function is this one:
Code: Select all
function IsRunningVirtualPC: Boolean;
asm
  push ebp;
  mov ebp, esp;

  mov ecx, offset @exception_handler;

  push ebx;
  push ecx;

  push dword ptr fs:[0];
  mov dword ptr fs:[0], esp;

  mov ebx, 0; // Flag
  mov eax, 1; // VPC function number

  // call VPC
  db $0F, $3F, $07, $0B

  mov eax, dword ptr ss:[esp];
  mov dword ptr fs:[0], eax;

  add esp, 8;

  test ebx, ebx;

  setz al;

  lea esp, dword ptr ss:[ebp-4];
  mov ebx, dword ptr ss:[esp];
  mov ebp, dword ptr ss:[esp+4];

  add esp, 8;

  jmp @ret1;

  @exception_handler:
  mov ecx, [esp+0Ch];
  mov dword ptr [ecx+0A4h], -1; // EBX = -1 ->; not running, ebx = 0 -> running
  add dword ptr [ecx+0B8h], 4; // ->; skip past the call to VPC
  xor eax, eax; // exception is handled

  @ret1:
end;