I know how to install it (using the famous dropper), but how can I further operate it using the various modules?
How can I trigger it to infect another computer on the network (using the Windows Update proxy server)?
How can I make it recognize the browse32.ocx module so that it would uninstall itself?
How can I decrypt the ~rf288.tmp file (from %Windir%\Temp)? (This file is supposed to contain the directory listing in a DB format.) See the end of this post.
In short, my goal is to get something to present from the malware: I would like to see the data as it goes out to the C&C, or to see the screenshots it gets.
After playing a little with it, I found something interesting in the memory of shell32.dll (into which Flame is injected, according to the CrySyS article); take a look:
I have nothing to do with Kaspersky on my VM, so probably it is some sort of evasion, or it is the check that the malware does, as mentioned in the Kaspersky article:
“MUNCH” is the name of the HTTP server module in Flame. It is started only if “MUNCH.SHOULD_RUN” variable is set to “True” and there are no running programs that can alert the victim. These programs (anti-virus, firewalls, network sniffers etc.) are defined in the Flame’s registry in a list called “SECURITY.BAD_PROGRAMS”
https://www.securelist.com/en/blog/2081 ... oxy_server
I have successfully decrypted ~rf288.tmp (from %Windir%\Temp). This file, as mentioned in the CrySyS report, contains a directory listing of your files in a database format (so you need an SQL browser to see its content).
Code:
import struct

# Substitution table: plaintext byte i is stored in the file as intab[i],
# so decryption maps each stored byte back to its index in the table.
intab = "234,130,99,174,163,140,102,73,243,1,103,6,18,199,182,178,7,239,28,193,117,253,23,62,224,254,61,202,30,221,26,149,181,192,183,248,157,31,226,47,145,67,111,191,175,159,250,166,205,95,81,96,101,143,255,249,187,153,77,89,241,105,116,208,46,240,108,42,196,179,127,176,36,128,113,10,48,150,118,106,63,122,137,33,151,207,55,242,223,52,190,59,20,11,238,16,4,17,78,70,134,12,87,71,162,230,225,79,169,206,198,218,125,43,83,216,40,75,123,37,222,236,29,156,164,139,110,85,142,57,93,74,56,168,53,246,19,27,251,50,131,120,90,97,154,136,80,35,184,64,252,39,247,66,104,203,84,86,9,186,49,138,212,24,213,91,228,172,2,185,129,170,44,58,0,167,209,195,161,112,244,155,119,197,201,158,121,109,15,200,173,76,60,92,65,133,88,219,141,98,229,144,215,14,204,3,171,147,21,72,232,8,41,188,124,68,146,126,210,165,235,180,217,54,38,160,34,100,227,231,177,51,194,115,135,25,69,211,5,245,45,114,94,148,233,237,152,220,214,22,189,32,107,132,82,13"
intabArray = [int(x) for x in intab.split(",")]

# Inverse lookup (stored byte -> plaintext byte), built once instead of
# doing a linear .index() search for every byte of the file.
decodeTable = [0] * 256
for index, value in enumerate(intabArray):
    decodeTable[value] = index

# Open the encrypted file in binary mode; text mode on Windows would
# translate \r\n and truncate at Ctrl-Z, corrupting the output.
file = open("file.tmp", "rb")
newfile = open("newfile.tmp", "wb")
content = file.read()
for b in bytearray(content):   # bytearray yields ints in both Python 2 and 3
    z = struct.pack('B', decodeTable[b])
    newfile.write(z)
file.close()
newfile.close()
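The script above is a byte-for-byte substitution, so the decoder is just the inverse of the 256-entry table. The following is an added example (my code, not the poster's script and not anything from Flame itself) that generalises that idea: it checks that the table really is a permutation of 0..255 (otherwise two stored bytes would decode to the same plaintext byte and the result could not be trusted), derives both the encode and decode directions with bytes.translate, and round-trips a constructed sample through files in binary mode. The only thing taken from the post is the table string; the function names, the temp-file helper and the sample data are assumptions of this example.

```python
"""Substitution-table decoder for the ~rf288.tmp table posted above.

Added example, not the poster's script or any Flame code. Only the
256-entry table comes from the post; everything else is assumed here.
"""
import os
import tempfile
from typing import List, Tuple

# Table from the post: plaintext byte i is stored on disk as INTAB[i],
# so decryption is the inverse permutation.
INTAB = "234,130,99,174,163,140,102,73,243,1,103,6,18,199,182,178,7,239,28,193,117,253,23,62,224,254,61,202,30,221,26,149,181,192,183,248,157,31,226,47,145,67,111,191,175,159,250,166,205,95,81,96,101,143,255,249,187,153,77,89,241,105,116,208,46,240,108,42,196,179,127,176,36,128,113,10,48,150,118,106,63,122,137,33,151,207,55,242,223,52,190,59,20,11,238,16,4,17,78,70,134,12,87,71,162,230,225,79,169,206,198,218,125,43,83,216,40,75,123,37,222,236,29,156,164,139,110,85,142,57,93,74,56,168,53,246,19,27,251,50,131,120,90,97,154,136,80,35,184,64,252,39,247,66,104,203,84,86,9,186,49,138,212,24,213,91,228,172,2,185,129,170,44,58,0,167,209,195,161,112,244,155,119,197,201,158,121,109,15,200,173,76,60,92,65,133,88,219,141,98,229,144,215,14,204,3,171,147,21,72,232,8,41,188,124,68,146,126,210,165,235,180,217,54,38,160,34,100,227,231,177,51,194,115,135,25,69,211,5,245,45,114,94,148,233,237,152,220,214,22,189,32,107,132,82,13"


def is_permutation(values: List[int]) -> bool:
    """True only if values contains every byte 0..255 exactly once."""
    return sorted(values) == list(range(256))


def build_tables(intab: str) -> Tuple[bytes, bytes]:
    """Return (encode_table, decode_table) for use with bytes.translate().

    encode_table[i] == intab[i]      plaintext byte -> stored byte
    decode_table[intab[i]] == i      stored byte    -> plaintext byte

    A table that is not a permutation cannot be inverted unambiguously,
    so it is rejected rather than producing a silently wrong decoder.
    """
    values = [int(x) for x in intab.split(",")]
    if not is_permutation(values):
        raise ValueError("table is not a permutation of 0..255")
    encode = bytes(values)
    decode = bytearray(256)
    for plain, stored in enumerate(values):
        decode[stored] = plain
    return encode, bytes(decode)


ENCODE, DECODE = build_tables(INTAB)


def decrypt(data: bytes) -> bytes:
    """Stored bytes -> plaintext: one table lookup per byte."""
    return bytes(data).translate(DECODE)


def encrypt(data: bytes) -> bytes:
    """Plaintext -> stored bytes (handy for building test files)."""
    return bytes(data).translate(ENCODE)


def decrypt_file(src: str, dst: str) -> int:
    """Decrypt src into dst, binary mode both ways; return bytes written."""
    with open(src, "rb") as f:
        plain = decrypt(f.read())
    with open(dst, "wb") as f:
        f.write(plain)
    return len(plain)


def roundtrip_through_files(plain: bytes) -> bytes:
    """Write encrypt(plain) to a temp file, decrypt_file it, return the result."""
    with tempfile.TemporaryDirectory() as d:
        enc_path = os.path.join(d, "file.tmp")      # assumed names, any would do
        dec_path = os.path.join(d, "newfile.tmp")
        with open(enc_path, "wb") as f:
            f.write(encrypt(plain))
        decrypt_file(enc_path, dec_path)
        with open(dec_path, "rb") as f:
            return f.read()


if __name__ == "__main__":
    # Constructed sample, not real Flame data: every byte value once, so the
    # round trip exercises the entire table (including 0x00, 0x1A and 0xFF,
    # the values a text-mode open would mangle).
    sample = bytes(range(256))
    assert roundtrip_through_files(sample) == sample
    print("table is a valid 256-byte permutation; file round trip OK")
```

Run it as a script to self-check the table, or import it and call decrypt_file("file.tmp", "newfile.tmp") on the real ~rf288.tmp; the output should then open in an SQL browser as the post describes.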