A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #23330  by EP_X0FF
 Fri Jul 11, 2014 2:18 am
rkhunter wrote:http://www.circl.lu/pub/tr-25/
The only problem with this "article" - it is not needed.

1) They used old samples dated back few years ago and full of debug.
2) They copy-pasted everything about them from different sources. Just like Turla authors did with their crapware code base.
3) Every idiot can do F5 over code in HexRays. The question here - why this needed?
4) And finally - they didn't provided anything new. So reasons behind this document? Self-PR of yet another security-shit-company?
TR-25 wrote:This document is not considered a final release but a work-in-progress document.
Kill yourself and burn this Ctrl-C/Ctrl-V shit.

p.s.

Lol at diagrams at the end. Time zones? Never heard about them.
In a reality the only interesting part of this malware family is their used vbox exploit.
 #25782  by researchitdammit
 Mon May 04, 2015 3:17 am
rinn,

Can you explain the purpose of the code under the "/* fix memcpy, memset references */" section and the environment in which you compile this code. I compiled it under Visual studio 2013 after making minor changes, ran the program but crashes trying to decode the config data. I m thinking the memset, memcpy refs are the culprit.

Thanks.
 #25783  by EP_X0FF
 Mon May 04, 2015 3:30 am
researchitdammit wrote:rinn,

Can you explain the purpose of the code under the "/* fix memcpy, memset references */" section and the environment in which you compile this code. I compiled it under Visual studio 2013 after making minor changes, ran the program but crashes trying to decode the config data. I m thinking the memset, memcpy refs are the culprit.

Thanks.
This code allocates executable memory, read in it patched rootkit driver and then executes decoding procedure from it. Patching this refs required because they are inside of called function and need to be corrected to use proper addresses in proper module.
 #26173  by EP_X0FF
 Wed Jun 24, 2015 7:12 pm
Updated Turla with bypass of driver loading monitors. VBoxDrv exploit now used to deliver malware driver code directly to kernel mode without triggering Windows loader and without manipulation with DSE. Dropper and all extracted components in attach. Credits to R136a1.
Code: Select all
556a00dce3ba6f9e39bab7993edc8ca7cec7f3b6 *dropper_rsrc\101_driver32.sys
abed8fb8d7dc626176a1be2cbc5e9057906e230a *dropper_rsrc\103.resource-container.bin
95b8cebffacab9d91325a8df1bd17ffbba80d80f *dropper_rsrc\103_extracted\4294967293-1-2.bin
441a230240ec068a28e6faffdb7b2c9010df3318 *dropper_rsrc\103_extracted\4294967293-1-3.bin
d18ea1c62be267f316683a60bd75645bf2812e68 *dropper_rsrc\103_extracted\4294967293-10-3.bin
12dc65ffbba11b808ddfd32e4aeb747d0df98a43 *dropper_rsrc\103_extracted\4294967293-2-3.bin
9d231e270b681d630abd2045276c40b20969e30f *dropper_rsrc\103_extracted\4294967293-3-3.bin
15806394ab93ea5f7ab650d699badcf1c5f5fe55 *dropper_rsrc\103_extracted\4294967293-4-3.bin
6a43e06c462c9107f3ba3a7721a969b83b44b958 *dropper_rsrc\103_extracted\4294967293-5-3.bin
6a10a7e4382cd643c77389e00071075edc7bdfce *dropper_rsrc\103_extracted\4294967293-6-3.bin
122751f8dc641a4a876e94661905e58335e7be9d *dropper_rsrc\103_extracted\4294967293-7-3.bin
e827a24818ba41dfb1ab804bd3b0e0632bfaffb5 *dropper_rsrc\103_extracted\4294967293-8-3.bin
2617c4f64622ef6ac6365cae124ec9088fa39bf6 *dropper_rsrc\103_extracted\4294967293-9-3.bin
3ef7655947629b02543b75ee8ce2d25a4e809fba *dropper_rsrc\103_extracted\90000-10-2.bin
59243235c2d50264a6944166c9b5a9df840adfad *dropper_rsrc\103_extracted\90000-11-2.bin
8606698b6dcfcc1e731e9fef113fe0727729dc19 *dropper_rsrc\103_extracted\90000-12-2.bin
e22fc9566dcb91af10db8aacb9d17bae6bd3a34c *dropper_rsrc\103_extracted\90000-13-2.bin
e9eaef9fb0282c5031736bc4903faadb3e92fd56 *dropper_rsrc\103_extracted\90000-14-2.bin
ac1dd032b2f8bacece0a4562eb38cad7a80eccdf *dropper_rsrc\103_extracted\90000-15-2.bin
8aa77ca407dd344d5f1c43afc9e2ddba5dfaa84b *dropper_rsrc\103_extracted\90000-16-2.bin
e4cc610fd50e638183255a862c48f2e1a8d9eeff *dropper_rsrc\103_extracted\90000-17-2.bin
33995c108f6009643e0a4fcea5e3632e577ebaa9 *dropper_rsrc\103_extracted\90000-18-2.bin
578706ed2d1ad39c89d8389e397bd747491beff5 *dropper_rsrc\103_extracted\90000-19-2.bin
789cb5267f052c4b878f4939e880fba6b2117b4e *dropper_rsrc\103_extracted\90000-20-2.bin
8e6f59fbd081e1f2bcb9259c32ececfdf94dc144 *dropper_rsrc\103_extracted\90000-21-2.bin
c4d3b69c5ad408ea300901ecef21ffa2faaf800f *dropper_rsrc\103_extracted\90000-22-2.bin
aa4a094950f7dab4c41387136f1ffac1a4fa906d *dropper_rsrc\103_extracted\90000-23-2.bin
9e84b1a575ab95a5bdf0fdc0eb5f99eaf91e3b6b *dropper_rsrc\103_extracted\90000-24-2.bin
9a70b493f3662fcbb52af4bf106ff9e20e1a593f *dropper_rsrc\103_extracted\90000-3-2.bin
ab3541a7cd0807bf331b981e91c4962b5ea2903c *dropper_rsrc\103_extracted\90000-4-65535.bin
06653373cc870bf02abf0759bb4d63fb189b271f *dropper_rsrc\103_extracted\90000-5-65535.bin
c3a924872ab0f3aa8169d85227a239314f461ef7 *dropper_rsrc\103_extracted\90000-6-2.bin
e808d86369ccb4ed58855a1a537559365fe22b5c *dropper_rsrc\103_extracted\90000-7-2.bin
3ef7655947629b02543b75ee8ce2d25a4e809fba *dropper_rsrc\103_extracted\90000-8-2.bin
e808d86369ccb4ed58855a1a537559365fe22b5c *dropper_rsrc\103_extracted\90000-9-2.bin
3ef7655947629b02543b75ee8ce2d25a4e809fba *dropper_rsrc\103_extracted\90001-10-2.bin
0b663e6891e7fd8e0700f0969694c421bae466e6 *dropper_rsrc\103_extracted\90001-11-2.bin
f935af8f5354be497b4678f7d99fa81c559ee185 *dropper_rsrc\103_extracted\90001-12-2.bin
9dbacfcba309f438429f220e2d6f70b358636e63 *dropper_rsrc\103_extracted\90001-13-2.bin
38e3c0fcacc3f544bc030321c242d6d44384c3a0 *dropper_rsrc\103_extracted\90001-14-2.bin
f110879c500dd7d8986b20527caa4e5a1d18a3a0 *dropper_rsrc\103_extracted\90001-15-2.bin
5dd48e9ebf84e55438ae6c8d90f9e06a141e66b9 *dropper_rsrc\103_extracted\90001-16-2.bin
bafbc349284677bc6b57b2738fb5e2e3afb6bfc7 *dropper_rsrc\103_extracted\90001-17-2.bin
e7e9d21ccbefbcab3aa02a172dca3ed9f4552baa *dropper_rsrc\103_extracted\90001-18-2.bin
a54261809ef6245d5aa3030faa9567b5c029bd2f *dropper_rsrc\103_extracted\90001-19-2.bin
2c6f6989be835d128e8602c2bf05325d12a3d70e *dropper_rsrc\103_extracted\90001-20-2.bin
30acebeaddd9f21423ce7fe1c63f7044a3c54eac *dropper_rsrc\103_extracted\90001-21-2.bin
33995c108f6009643e0a4fcea5e3632e577ebaa9 *dropper_rsrc\103_extracted\90001-22-2.bin
2aa9493e253a6ebe9a1226a9ab858aa381bff2a6 *dropper_rsrc\103_extracted\90001-23-2.bin
6d9178f70494aa35d30089c6459656302455e1a9 *dropper_rsrc\103_extracted\90001-24-2.bin
4c7e073520c21a9dc8b7d660ea222c05fdfa8626 *dropper_rsrc\103_extracted\90001-25-2.bin
5a3fb23ef7a49bfa3fbe203a36241264bacf478c *dropper_rsrc\103_extracted\90001-26-2.bin
9e5fc389640d2affff7df15a82e5c4bc50b68da4 *dropper_rsrc\103_extracted\90001-27-2.bin
77b808c439f1e35ee4510749eeafed0d89d8368b *dropper_rsrc\103_extracted\90001-28-2.bin
2d6273ef281d5f9b75ef1bdfd0233dc8727b4ee5 *dropper_rsrc\103_extracted\90001-3-2.bin
ab3541a7cd0807bf331b981e91c4962b5ea2903c *dropper_rsrc\103_extracted\90001-4-2.bin
06653373cc870bf02abf0759bb4d63fb189b271f *dropper_rsrc\103_extracted\90001-5-2.bin
c3a924872ab0f3aa8169d85227a239314f461ef7 *dropper_rsrc\103_extracted\90001-6-2.bin
e808d86369ccb4ed58855a1a537559365fe22b5c *dropper_rsrc\103_extracted\90001-7-2.bin
3ef7655947629b02543b75ee8ce2d25a4e809fba *dropper_rsrc\103_extracted\90001-8-2.bin
e808d86369ccb4ed58855a1a537559365fe22b5c *dropper_rsrc\103_extracted\90001-9-2.bin
3ef7655947629b02543b75ee8ce2d25a4e809fba *dropper_rsrc\103_extracted\90002-10-2.bin
7af615311373d2ada7976e5fa03b6da8c2dbd1df *dropper_rsrc\103_extracted\90002-11-2.bin
8aa77ca407dd344d5f1c43afc9e2ddba5dfaa84b *dropper_rsrc\103_extracted\90002-12-2.bin
e4cc610fd50e638183255a862c48f2e1a8d9eeff *dropper_rsrc\103_extracted\90002-13-2.bin
33995c108f6009643e0a4fcea5e3632e577ebaa9 *dropper_rsrc\103_extracted\90002-14-2.bin
32fb0760407b6b2217e0d428482f311d84b08509 *dropper_rsrc\103_extracted\90002-15-2.bin
d4eb73cd7f8cf068a1197bfc769bda0da4507613 *dropper_rsrc\103_extracted\90002-16-2.bin
01802ab29c148036622c49bbe9fed594e7777d60 *dropper_rsrc\103_extracted\90002-17-2.bin
a9fe05a680a2d95f83d79d4ff9fc7251b0ca2626 *dropper_rsrc\103_extracted\90002-18-2.bin
fb3944a56ad453a34443ad57bd4c13cce80533cb *dropper_rsrc\103_extracted\90002-3-2.bin
ab3541a7cd0807bf331b981e91c4962b5ea2903c *dropper_rsrc\103_extracted\90002-4-2.bin
06653373cc870bf02abf0759bb4d63fb189b271f *dropper_rsrc\103_extracted\90002-5-2.bin
c3a924872ab0f3aa8169d85227a239314f461ef7 *dropper_rsrc\103_extracted\90002-6-2.bin
e808d86369ccb4ed58855a1a537559365fe22b5c *dropper_rsrc\103_extracted\90002-7-2.bin
3ef7655947629b02543b75ee8ce2d25a4e809fba *dropper_rsrc\103_extracted\90002-8-2.bin
e808d86369ccb4ed58855a1a537559365fe22b5c *dropper_rsrc\103_extracted\90002-9-2.bin
3ef7655947629b02543b75ee8ce2d25a4e809fba *dropper_rsrc\103_extracted\90003-10-2.bin
013150767d2b191a87d2c16eef3ab66c05deea76 *dropper_rsrc\103_extracted\90003-11-2.bin
8aa77ca407dd344d5f1c43afc9e2ddba5dfaa84b *dropper_rsrc\103_extracted\90003-12-2.bin
e4cc610fd50e638183255a862c48f2e1a8d9eeff *dropper_rsrc\103_extracted\90003-13-2.bin
33995c108f6009643e0a4fcea5e3632e577ebaa9 *dropper_rsrc\103_extracted\90003-14-2.bin
dd2daa03ff17bca6485e27fe07754fd77b6fc1e8 *dropper_rsrc\103_extracted\90003-15-2.bin
af47cbec3dced047d27a5f1ecf5c1410a58c6c16 *dropper_rsrc\103_extracted\90003-16-2.bin
47e8bf050a5ca2ef6075b1b6739d99b0469a24e5 *dropper_rsrc\103_extracted\90003-17-2.bin
9b69431e77e2198981d8dfcd3d230d9527b582d0 *dropper_rsrc\103_extracted\90003-18-2.bin
3ef382778af068deb0d45d27a242537df69f1a3d *dropper_rsrc\103_extracted\90003-3-2.bin
ab3541a7cd0807bf331b981e91c4962b5ea2903c *dropper_rsrc\103_extracted\90003-4-2.bin
06653373cc870bf02abf0759bb4d63fb189b271f *dropper_rsrc\103_extracted\90003-5-2.bin
c3a924872ab0f3aa8169d85227a239314f461ef7 *dropper_rsrc\103_extracted\90003-6-2.bin
e808d86369ccb4ed58855a1a537559365fe22b5c *dropper_rsrc\103_extracted\90003-7-2.bin
3ef7655947629b02543b75ee8ce2d25a4e809fba *dropper_rsrc\103_extracted\90003-8-2.bin
e808d86369ccb4ed58855a1a537559365fe22b5c *dropper_rsrc\103_extracted\90003-9-2.bin
b45200fc853c7c17d0d75b1397737c4a0cf85d43 *dropper_rsrc\161_driver64.sys
b63ae176601ee70622c60a12712ee12c482edd68 *dropper_rsrc\161_unpacked.sys
1b9026d1e9fd30cd4d00742e87780b2f9c856d11 *dropper_rsrc\3000.bin
7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c *dropper_rsrc\3000_1_vboxdrv.sys
51625261791d5493617b227de45ee11966867ebd *dropper_rsrc\3000_2_expl.bin
06d5387f43478281500039d4e0f311a14f0f45fc *dropper_rsrc\3000_exploit.bin
faf84ddecefe07d0f1c76d872a7e5d43ada1080d *dropper_rsrc\3000_unpacked.bin
947f17f27dc428b1605a4d69c749431a5d788310 *dropper_rsrc\4000.bin
3eab6033e4d78fc413fc5294599513a7751c3d06 *dropper_rsrc\4000_unpacked.bin
7aa96850e59ec35d48f3856fa1d840fd3018d3d2 *dropper.bin
c53ba55b81697b2edde640377fcb270ce36db63b *dropper_unpacked.bin
https://www.virustotal.com/en/file/b9cb ... 435167845/
https://www.virustotal.com/en/file/df25 ... 435167867/
https://www.virustotal.com/en/file/5cf5 ... 435167918/
https://www.virustotal.com/en/file/3eaf ... 435167914/
https://www.virustotal.com/en/file/7157 ... 435167917/
https://www.virustotal.com/en/file/5d24 ... 435167953/
https://www.virustotal.com/en/file/7810 ... 435167964/
https://www.virustotal.com/en/file/fb93 ... 435167976/
https://www.virustotal.com/en/file/8509 ... 435167991/
https://www.virustotal.com/en/file/5ccd ... 435168007/
https://www.virustotal.com/en/file/1010 ... 435168040/
https://www.virustotal.com/en/file/2258 ... 435168067/
https://www.virustotal.com/en/file/8758 ... 435168163/
https://www.virustotal.com/en/file/3d0a ... 435168175/
https://www.virustotal.com/en/file/27ec ... 435168194/
https://www.virustotal.com/en/file/8e95 ... 435169187/
https://www.virustotal.com/en/file/1a18 ... 435169198/
https://www.virustotal.com/en/file/ccc6 ... 435170380/
https://www.virustotal.com/en/file/9ae3 ... 435170377/
Attachments
pass: infected
(6.22 MiB) Downloaded 182 times
 #26315  by R136a1
 Sat Jul 18, 2015 1:50 pm
Hi,

attached is another dropper with the same PE timestamp (05/09/2015) as previous sample examined by EP_X0FF. I haven't looked into it yet, but I doubt it has anything new...
Attachments
PW: infected
(1.63 MiB) Downloaded 133 times
 #26322  by EP_X0FF
 Sun Jul 19, 2015 3:04 pm
For fast "unpacking" - set bp on NtFreeVirtualMemory. Once it hit dump huge region with decrypted dropper body. Container decrypter code posted earlier in this thread. Extracted files attached.
Attachments
pass: infected
(2.09 MiB) Downloaded 143 times
 #27817  by EP_X0FF
 Thu Feb 04, 2016 5:35 am
EP_X0FF wrote:Updated Turla with bypass of driver loading monitors. VBoxDrv exploit now used to deliver malware driver code directly to kernel mode without triggering Windows loader and without manipulation with DSE. Dropper and all extracted components in attach. Credits to R136a1.
Implemented in TDL -> https://github.com/hfiref0x/TDL as not a copy-paste from malware.
 #28136  by frz
 Sun Mar 27, 2016 9:20 pm
Sorry for an outdated question but was trying to get up to speed on a couple of techniques. This question is referencing a comment made by EP_X0FF:

by EP_X0FF » Sun Jul 19, 2015 10:04 am

For fast "unpacking" - set bp on NtFreeVirtualMemory. Once it hit dump huge region with decrypted dropper body. Container decrypter code posted earlier in this thread. Extracted files attached.

I can get the NtFreeVirtualMemory to break in Olly however I don't really understand what region to dump.

Assuming:

NtFreeVirtualMemory(
IN HANDLE ProcessHandle,
IN PVOID *BaseAddress,
IN OUT PULONG RegionSize,
IN ULONG FreeType );

Shouldn't the region to dumb be the 3rd address on the stack?
Thanks,
frz
 #28137  by EP_X0FF
 Mon Mar 28, 2016 3:17 am
Once bp hit inspect process regions and dump that were decrypted dropped located, it will have big region size and maybe ERW protection flag I don't remember exactly. This is generic "unpacking" for most of malware crypters.
  • 1
  • 3
  • 4
  • 5
  • 6
  • 7