A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #23936  by unixfreaxjp
 Fri Sep 19, 2014 12:21 pm
Just finished categorizing these samples. Elknot ones are uploaded here.
Code:
MD5 (dsfrefr.Elknot) = 3f5c73745f7c17702bac0642a85d7d80
MD5 (ferwfrre.Elknot) = a89c089b8d020034392536d66851b939
MD5 (gfhddsfew.Elknot) = 9401f208a419fb636520ea2aefc8bbd7
MD5 (gfhjrtfyhuf.Elknot) = e7c2f99b30daf8d99f6b5911d25fd8c7
MD5 (rewgtf3er4t.Elknot) = 3788a1f0d003114ecb95f70575edc431
MD5 (sdmfdsfhjfe.Elknot) = 5d10bcb15bedb4b94092c4c2e4d245b6
Attachments: 7z, pwd:infected (429.13 KiB)
 #23980  by unixfreaxjp
 Tue Sep 23, 2014 9:21 pm
Elknot, the "encrypted" sub-version: https://www.virustotal.com/en/file/10e7 ... 411504901/ (packed too, as usual)
Previous samples for this type are:
https://www.virustotal.com/en/file/92c8 ... 406605801/
https://www.virustotal.com/en/file/1903 ... 411053039/
https://www.virustotal.com/en/file/4cc1 ... 402865829/
https://www.virustotal.com/en/file/223f ... 407913413/
(etc..)
I was about to make a new family for this one, but seeing many Elknot characteristics in it, I put them all in this topic.
The code obfuscation is what gives the low detection for every minor variant; they made their point to evade AV sigs.

In this sample these are the source code files:
Code:
Fake.cpp
Global.cpp
main.cpp
Manager.cpp
ServerIP.cpp
StatBase.cpp
ThreadAttack.cpp
ThreadHostStatus.cpp
ThreadTaskManager.cpp
ThreadTimer.cpp
AutoLock.cpp
FileOp.cpp
Log.cpp
Md5.cpp
Media.cpp
NetBase.cpp
ThreadCondition.cpp
Thread.cpp
ThreadMutex.cpp
Utility.cpp
Typical code characteristics:
Code:
_ZN13CThreadAttack5StartEP11CCmdMessage
_ZN13CThreadAttack4StopEv
_ZN13CThreadAttack12DomainRandExER10CRandArrayRi
_ZN13CThreadAttack11ProcessMainEv
_ZN13CThreadAttackD1Ev
_ZN13CThreadAttackC2EP8CManager
_ZN13CThreadAttackD0Ev
_ZN13CThreadAttack6PktAtkER8CSubTaskRSt6vectorIjSaIjEE
_ZN13CThreadAttackD2Ev
_ZN13CThreadAttack18EmptyConnectionAtkER8CSubTask
_ZN13CThreadAttack11FakeUserAtkER8CSubTask
_ZN13CThreadAttackC1EP8CManager
_ZN13CThreadAttack12DomainInitExER10CRandArrayPKc
_ZN13CThreadAttack7HttpAtkER8CSubTask
...and:
Code:
0x0827093B  0x011 // ThreadAttack.cpp  , contains:
0x08270956  0x03A // _ZZN13CThreadAttack12DomainInitExER10CRandArrayPKcE5C.131  
0x08270990  0x03E // _ZZN13CThreadAttack6PktAtkER8CSubTaskRSt6vectorIjSaIjEEE4C.93 
0x082709CE  0x03E // _ZZN13CThreadAttack6PktAtkER8CSubTaskRSt6vectorIjSaIjEEE4C.86 
0x08270A0C  0x03E // _ZZN13CThreadAttack6PktAtkER8CSubTaskRSt6vectorIjSaIjEEE4C.83
It has a stupid trick: it copies the sample with an "a" char added at the end of the filename and execs that copy as a child ;)
Code:
execve("/bin/cp", ["cp", "{$PATH}/sample", "{$PATH}/samplea"]
execve("{$PATH}/samplea", ["{$PATH}/conga", "{$PATH}/sample"], ["   ={$PATH}/sample", "SHELL=/bin/bash", "TERM=screen", $ENV)
CNC is:
Code:
183.60.205.183:10991
Attachments: 7z/infected (1.47 MiB)
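The mangled names and source-file list in the post above are the stable part of this family: packing and byte-level obfuscation change the file hash, but a rebuilt binary keeps the same C++ class layout. As an added example (editor's code, not from the post or from the malware), the block below reduces Itanium-ABI symbols of exactly the forms listed (nested `_ZN...E` names, ctor/dtor markers, and GCC's `_ZZ<fn>E<n>name` form for function-local statics such as `C.131`) to `Class::method` and uses that set, plus the `.cpp` names, to triage a raw string table. Parameter types are skipped rather than decoded; `c++filt` does the full job. `SAMPLE_BLOB` is a constructed stand-in for an unpacked binary's strings, not a real sample.

```python
"""Reduce Itanium-ABI C++ symbols to Class::method and fingerprint a binary.

Only the grammar needed for the names in the post is implemented: nested
names (_ZN ... E), ctor/dtor markers (C1/C2/C3, D0/D1/D2) and GCC's
_ZZ<function-encoding>E<n><id> form for function-local statics.
"""
import re

# Symbol and source-file names exactly as listed in the post.
ELKNOT_SYMBOLS = [
    "_ZN13CThreadAttack5StartEP11CCmdMessage", "_ZN13CThreadAttack4StopEv",
    "_ZN13CThreadAttack12DomainRandExER10CRandArrayRi", "_ZN13CThreadAttack11ProcessMainEv",
    "_ZN13CThreadAttackD1Ev", "_ZN13CThreadAttackC2EP8CManager", "_ZN13CThreadAttackD0Ev",
    "_ZN13CThreadAttack6PktAtkER8CSubTaskRSt6vectorIjSaIjEE", "_ZN13CThreadAttackD2Ev",
    "_ZN13CThreadAttack18EmptyConnectionAtkER8CSubTask", "_ZN13CThreadAttack11FakeUserAtkER8CSubTask",
    "_ZN13CThreadAttackC1EP8CManager", "_ZN13CThreadAttack12DomainInitExER10CRandArrayPKc",
    "_ZN13CThreadAttack7HttpAtkER8CSubTask",
]
ELKNOT_SOURCES = [
    "Fake.cpp", "Global.cpp", "main.cpp", "Manager.cpp", "ServerIP.cpp", "StatBase.cpp",
    "ThreadAttack.cpp", "ThreadHostStatus.cpp", "ThreadTaskManager.cpp", "ThreadTimer.cpp",
    "AutoLock.cpp", "FileOp.cpp", "Log.cpp", "Md5.cpp", "Media.cpp", "NetBase.cpp",
    "ThreadCondition.cpp", "Thread.cpp", "ThreadMutex.cpp", "Utility.cpp",
]


def _nested(sym, i):
    """Parse 'N <component>+ E' starting at sym[i]; return (components, index after E)."""
    if sym[i] != "N":
        raise ValueError("not a nested name: " + sym)
    i, parts = i + 1, []
    while i < len(sym) and sym[i] != "E":
        if sym[i].isdigit():                                  # <length><identifier>
            m = re.match(r"\d+", sym[i:])
            n = int(m.group())
            i += len(m.group())
            parts.append(sym[i:i + n])
            i += n
        elif sym[i] == "C" and sym[i + 1:i + 2] in ("1", "2", "3") and parts:
            parts.append(parts[-1])                           # constructor of enclosing class
            i += 2
        elif sym[i] == "D" and sym[i + 1:i + 2] in ("0", "1", "2") and parts:
            parts.append("~" + parts[-1])                     # destructor
            i += 2
        else:
            raise ValueError("unsupported component at %d in %s" % (i, sym))
    if i >= len(sym):
        raise ValueError("unterminated nested name: " + sym)
    return parts, i + 1


def qualified_name(sym):
    """'_ZN13CThreadAttack5StartEP11CCmdMessage' -> 'CThreadAttack::Start';
    '_ZZ<fn-encoding>E<n><id>' -> the function name with the local static appended."""
    if sym.startswith("_ZZ"):
        parts, j = _nested(sym, 3)
        rest = sym[j:]                  # parameter types, then 'E', then <n><id>
        for m in re.finditer(r"\d+", rest):
            if int(m.group()) == len(rest) - m.end():         # trailing <len><identifier>
                return "::".join(parts) + "::" + rest[m.end():]
        raise ValueError("no local name in " + sym)
    if sym.startswith("_ZN"):
        return "::".join(_nested(sym, 2)[0])
    raise ValueError("unsupported mangling: " + sym)


def fingerprint(symbols):
    """Sorted set of Class::method names; survives re-obfuscation of the bytes as long
    as the symbol table is still present in the unpacked binary."""
    return sorted({qualified_name(s) for s in symbols})


ELKNOT_FINGERPRINT = set(fingerprint(ELKNOT_SYMBOLS))


def triage(blob):
    """Pull mangled names and source-file names out of a raw (unpacked) binary, the way
    `strings` would, and report which Elknot markers are present."""
    hits = set()
    for s in re.findall(rb"_Z[A-Za-z0-9_.]+", blob):
        try:
            hits.add(qualified_name(s.decode("ascii")))
        except ValueError:
            continue                    # not a form this reducer understands
    srcs = [name for name in ELKNOT_SOURCES if name.encode() in blob]
    return sorted(hits & ELKNOT_FINGERPRINT), srcs


# Constructed stand-in for a symbol/string table; not a real sample.
SAMPLE_BLOB = (b"\x7fELF" + b"\0" * 12 + b"ServerIP.cpp\0ThreadAttack.cpp\0"
               b"_ZN13CThreadAttack7HttpAtkER8CSubTask\0_ZN13CThreadAttack4StopEv\0"
               b"_ZN9__gnu_cxx3fooEv\0")     # unrelated symbol, dropped by the intersection

if __name__ == "__main__":
    print(fingerprint(ELKNOT_SYMBOLS))
    print(triage(SAMPLE_BLOB))
```

On a packed sample the string table is only visible after unpacking (UPX `-d`, or a memory dump once the stub has run), which is the same reason the post's packed variants score low on static AV signatures.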
 #24033  by unixfreaxjp
 Thu Oct 02, 2014 12:34 pm
Our team mate @leonvdijk just spotted x32 & x64 samples that have been ITW for 1 month 3 weeks
VT:
https://www.virustotal.com/en/file/c063 ... 412251165/
https://www.virustotal.com/en/file/01a1 ... 412252605/
Both lead to a CNC in the USA:
Code:
192.161.60.211|192.161.60.211.static.quadranet.com.|29761 | 192.161.56.0/21 | AS-QUADRANET | US | QUADRANET.COM | QUADRANET INC
The reversing PoC is in the VT comments.
#MalwareMustDie!
Attachments: 7z/infected (831.13 KiB)
 #24041  by unixfreaxjp
 Fri Oct 03, 2014 1:49 pm
This one is the crypted version, packed in UPX.
https://www.virustotal.com/en/file/a8bd ... 412343842/
Just spotted in Oct 2014 as an attack payload, but it was uploaded to the infection panel in Oct 2013.
I passed on the CNC analysis for this one (too old); posted here because it is a good research reference.
Attachments: 7z/infected (1.04 MiB)
 #24047  by unixfreaxjp
 Sat Oct 04, 2014 6:41 am
Another crypted version, UPX packed: https://www.virustotal.com/en/file/bdb1 ... 412403995/
Code:
CNC: 121.40.85.20:10771
ITW, uploaded by the crook to the HFS panel from Sept 22 2014
Location: 121.40.85.20||37963 | 121.40.0.0/14 | CNNIC-ALIBABA-CN-NET | CN | ALIYUN.COM | ALIYUN COMPUTING CO. LTD
#MalwareMustDie (thanks to @wirehack7, analysis: @unixfreaxjp)
Attachments: 7z/infected (816.37 KiB)
 #24048  by unixfreaxjp
 Sat Oct 04, 2014 7:50 am
The MIPS and ARM versions of the Elknot crypt version
https://www.virustotal.com/en/file/7e57 ... 412407224/
https://www.virustotal.com/en/file/00c2 ... 412408463/
Noted: "Mr. Black"
Code:
CNC: 121.40.85.20
Loc: ASN: 37963 | 121.40.0.0/14 | CNNIC-ALIBABA-CN-NET | CN | ALIYUN.COM | ALIYUN COMPUTING CO. LTD
#MalwareMustDie!
Attachments: 7z/infected (369.57 KiB)
 #24050  by unixfreaxjp
 Sat Oct 04, 2014 3:53 pm
New Elknot: https://www.virustotal.com/en/file/e58c ... 412437202/
With the CNC on a USA server, I must PoC it like this for the follow-up; they can't trust a "reversing" result..
Code:
MMD-BANGS-DDOS-CROOK:56706->unassigned.psychz.net:10991 (ESTABLISHED)
x.x.x.x:56706->199.83.94.82:10991 (ESTABLISHED)
send(3, "\270\v\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Linux 3.2.0-4-a"..., 401, 0)
#MalwareMustDie!
Attachments: 7z/infected (427.87 KiB)
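The `send()` line in the post above shows only 32 of the 401 bytes the sample sent: strace prints buffers as C literals with octal escapes and cuts them at 32 bytes unless `-s` raises the limit. As an added example (editor's code, not from the post), the block below turns the printed literal back into the bytes it stands for and summarises what the capture does and does not show. Treating the leading bytes as a little-endian uint32 (`b8 0b 00 00` = 3000) is an assumption about the check-in layout, not something the post states; the only things the capture itself establishes are the length, the zero padding and the `Linux 3.2.0-4-a...` uname text at offset 17.

```python
"""Decode an strace-printed send() buffer back into raw bytes.

strace prints string arguments as C literals with octal escapes (hex with
-x/-xx) and truncates them at 32 bytes by default (-s changes that).
"""
import re
import struct

# Copied from the post's strace line: the printed 32 bytes of a 401-byte send().
SEND_LITERAL = r'"\270\v\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Linux 3.2.0-4-a"'
SEND_DECLARED_LEN = 401

_SIMPLE = {"n": 0x0A, "t": 0x09, "v": 0x0B, "r": 0x0D, "f": 0x0C,
           "a": 0x07, "b": 0x08, "\\": 0x5C, '"': 0x22, "'": 0x27}


def unescape_strace(literal):
    """Turn strace's double-quoted C-style literal into the bytes it printed.
    Handles \\NNN octal (strace's default), \\xNN hex (-x output) and the
    single-character escapes; anything else is an error rather than a guess."""
    if len(literal) < 2 or literal[0] != '"' or literal[-1] != '"':
        raise ValueError("expected a double-quoted literal")
    body, out, i = literal[1:-1], bytearray(), 0
    while i < len(body):
        ch = body[i]
        if ch != "\\":
            out.append(ord(ch))
            i += 1
            continue
        esc = body[i + 1]
        if esc in "01234567":                                  # \0 .. \377
            m = re.match(r"[0-7]{1,3}", body[i + 1:])
            out.append(int(m.group(), 8))
            i += 1 + len(m.group())
        elif esc == "x":                                       # \xNN
            m = re.match(r"[0-9a-fA-F]{1,2}", body[i + 2:])
            out.append(int(m.group(), 16))
            i += 2 + len(m.group())
        elif esc in _SIMPLE:
            out.append(_SIMPLE[esc])
            i += 2
        else:
            raise ValueError("unknown escape \\" + esc)
    return bytes(out)


def describe_beacon(pkt, declared_len):
    """What the captured prefix shows. head_le32 reads the first four bytes as a
    little-endian uint32, which is this example's assumption about the layout."""
    text = re.search(rb"[\x20-\x7e]{4,}", pkt)                 # first printable run
    return {
        "captured": len(pkt),
        "declared": declared_len,
        "truncated": len(pkt) < declared_len,
        "head_le32": struct.unpack_from("<I", pkt, 0)[0] if len(pkt) >= 4 else None,
        "text_offset": text.start() if text else None,
        "text": text.group().decode("ascii") if text else "",
    }


if __name__ == "__main__":
    pkt = unescape_strace(SEND_LITERAL)
    print(pkt.hex(" "))
    print(describe_beacon(pkt, SEND_DECLARED_LEN))
```

To get the whole check-in next time, run the sample as `strace -f -s 512 -xx -e trace=network ./sample` so strace neither truncates the buffer nor escapes it; then the same decoder applies to the `\xNN` output.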
 #24060  by unixfreaxjp
 Mon Oct 06, 2014 6:59 am
x32, 2 samples:
https://www.virustotal.com/en/file/725a ... 412577173/
https://www.virustotal.com/en/file/3037 ... 412577183/
CNC:
Code:
up check: (DNS) baidu.com
cnc check: 222.186.21.55:80
config+comm: 222.186.21.55:10991 
loc: 222.186.21.55||65222 | 222.186.21.55/32 | -Private | | CHINATELECOM.COM.CN | CHINANET JIANGSU PROVINCE NETWORK
config:
Code:
00000000  4b 01 00 00 3d 1f 01 01  a8 5f 01 01 d3 62 04 01  |K...=...._...b..|
00000010  3d b1 07 01 3d 93 25 01  d3 a2 3e 01 ca 26 40 01  |=...=.%...>..&@.|
00000020  ca c4 40 01 d3 5f 48 01  d3 8a 5b 01 db eb 7f 01  |..@.._H...[.....|
00000030  d3 4e 82 01 da 02 87 01  a8 5f c0 01 3d 1f e9 01  |.N......._..=...|
00000040  d2 2a f1 01 dd e4 ff 01  3a f2 02 02 ca 65 06 02  |.*......:....e..|
00000050  da c9 11 02 da 68 4e 02  dd 0b 84 02 d3 8a b4 02  |.....hN.........|
00000060  d3 8b 01 03 ca af 03 03  d3 93 06 03 3d bb 62 03  |............=.b.|
00000070  da cb 65 03 ca 66 98 03  ca 66 9a 03 d3 a1 9f 03  |..e..f...f......|
00000080  dc a8 d0 03 3d 3c e0 03  3d 86 01 04 d3 62 02 04  |....=<..=....b..|
00000090  ca 0e 43 04 ca 63 a6 04  ca 75 60 05 de 2e 78 05  |..C..c...u`...x.|
000000a0  d3 89 a0 05 ca 60 d1 05  3d 3c e0 05 3c bf f4 05  |.....`..=<..<...|
000000b0  3d ea fe 05 dd b0 04 06  77 06 06 06 ca 61 07 06  |=.......w....a..|
000000c0  3d bb 62 06 d3 8a a4 06  d2 15 c4 06 dc a8 d0 06  |=.b.............|
000000d0  ca 72 f0 06 d3 62 48 07  ca af 03 08 ca 63 a8 08  |.r...bH......c..|
000000e0  ca 64 c7 08 ca 63 e0 08  ca 3c fc 08 dd b0 04 09  |.d...c...<......|
000000f0  3d e9 09 09 cb 50 60 09  ca 71 10 0a dd 07 22 0a  |=....P`..q....".|
00000100  ca 75 60 0a ca 70 70 0a  db 8d 88 0a db 8d 8c 0a  |.u`..pp.........|
00000110  65 2f bd 0a ca 71 10 0b  dd 03 83 0b d3 a1 9e 0b  |e/...q..........|
00000120  dd b0 04 0c 3d eb a4 0d  ca 0e 43 0e dd b0 04 0f  |....=.....C.....|
00000130  ca 60 68 0f ca 60 9a 0f  8b af fc 10 ca 61 07 11  |.`h..`.......a..|
00000140  d3 8b 02 12 dd b0 04 12  ca 60 56 12 cb 8e 64 12  |.........`V...d.|
00000150  3d eb a4 12 65 2f bd 12  d3 8a f2 12 b4 a8 ff 12  |=...e/..........|
00000160  d3 8a 6a 13 ca 6a 00 14  dd 07 01 14 8b af 0a 14  |..j..j..........|
00000170  cb ba 5e 14 8b af 96 14  dd b0 04 15 cb 8e 64 15  |..^...........d.|
00000180  ca 67 b0 16 71 6f d3 16  ca 60 68 1a ca 60 6b 1b  |.g..qo...`h..`k.|
00000190  d3 62 79 1b ca 76 01 1d  dd e8 81 1e ca 70 90 1e  |.by..v.......p..|
000001a0  ca 55 80 20 3a f0 39 21  ca c1 40 21 3d ec 5d 21  |.U. :.9!..@!=.]!|
000001b0  ca cb 80 21 ca 60 86 21  ca cb 90 21 ca cb a0 21  |...!.`.!...!...!|
000001c0  d2 26 c0 21 ca cb c0 21  ca cb d0 21 ca cb e0 21  |.&.!...!...!...!|
000001d0  ca 66 18 22 d3 8b 49 22  d3 89 f1 22 3d 82 fe 22  |.f."..I"..."=.."|
000001e0  ca 73 20 24 ca 60 67 24  db 8d 94 25 ca 60 45 26  |.s $.`g$...%.`E&|
000001f0  ca 73 20 27 db 8d 94 27  de 2d 01 28 da 1e 13 28  |.s '...'.-.(...(|
00000200  db ef 1a 2a 3a f1 d0 2e  ca 60 90 2f da 1e 13 32  |...*:....`./...2|
00000210  d3 88 70 32 76 1d f9 32  dd 82 21 34 ca 76 01 35  |..p2v..2..!4.v.5|
00000220  76 1d f9 36 70 04 00 37  ca 65 62 37 db 95 c2 37  |v..6p..7.eb7...7|
00000230  ca 2d 54 3a d3 8c c5 3a  dd 82 21 3c d3 a2 3e 3c  |.-T:...:..!<..><|
00000240  3d e9 09 3d d3 5a 48 41  d3 5a 50 41 d3 61 60 41  |=..=.ZHA.ZPA.a`A|
00000250  db 92 01 42 db 93 01 42  dd 06 04 42 3d 8b 36 42  |...B...B...B=.6B|
00000260  dd 04 42 42 3a 16 60 42  d3 88 96 42 d3 8a 9c 42  |..BB:.`B...B...B|
00000270  ca 63 c0 42 db 94 cc 42  ca 2d 54 43 ca 62 c0 43  |.c.B...B.-TC.b.C|
00000280  ca 63 e0 43 ca 62 00 44  ca 67 00 44 ca 62 05 44  |.c.C.b.D.g.D.b.D|
00000290  ca 67 18 44 d3 8b 1d 44  ca 60 40 44 dc aa 40 44  |.g.D...D.`@D..@D|
000002a0  ca 60 4b 44 d3 8d 5a 44  ca 60 60 44 ca 62 60 44  |.`KD..ZD.``D.b`D|
000002b0  ca 63 60 44 ca 64 60 44  ca 63 68 44 dd 07 80 44  |.c`D.d`D.chD...D|
000002c0  ca 60 80 44 ca 66 80 44  3d 80 80 44 ca 66 86 44  |.`.D.f.D=..D.f.D|
000002d0  dd 07 88 44 ca 63 a0 44  3d 84 a3 44 ca 63 c0 44  |...D.c.D=..D.c.D|
000002e0  ca 64 c0 44 ca 66 c0 44  3d 80 c0 44 ca 6a c3 44  |.d.D.f.D=..D.j.D|
000002f0  ca 66 c7 44 de ac c8 44  ca 66 d5 44 ca 61 e0 44  |.f.D...D.f.D.a.D|
00000300  ca 62 e0 44 ca 65 e0 44  ca 66 e0 44 ca 67 e0 44  |.b.D.e.D.f.D.g.D|
00000310  ca 67 e1 44 ca 65 e2 44  ca 66 e3 44 3d 8b 02 45  |.g.D.e.D.f.D=..E|
00000320  dd 83 8f 45 d3 8a c8 45  dd b0 03 46 dd b0 03 49  |...E...E...F...I|
00000330  3d 8b 27 49 dd b0 03 4c  dd b0 03 4f de f6 81 50  |=.'I...L...O...P|
00000340  d3 5d 00 51 de f3 81 51  d3 5c 88 51 dd b0 03 53  |.].Q...Q.\.Q...S|
00000350  dd b0 03 55 de 55 55 55  ca 65 6b 55 dd 07 5c 56  |...U.UUU.ekU..\V|
00000360  ca 60 80 56 dd 05 cb 56  dd 05 58 58 de 58 58 58  |.`.V...V..XX.XXX|
00000370  ca 66 07 5a dd 05 cb 5a  de 2f 1d 5d d3 5f 01 61  |.f.Z...Z./.]._.a|
00000380  d3 5f c1 61 3d eb 46 62  dd 07 5c 62 dd 05 cb 62  |._.a=.Fb..\b...b|
00000390  d3 8e d2 62 db 95 06 63  d3 8d 10 63 da 55 98 63  |...b...c...c.U.c|
000003a0  da 55 9d 63 dd 82 20 64  70 64 64 64 da 4c c0 64  |.U.c.. dpddd.L.d|
000003b0  d3 8e d2 64 d3 8a f0 64  d3 67 0d 65 3d a6 96 65  |...d...d.g.e=..e|
000003c0  ca 66 c8 65 dd 82 20 67  da 68 20 6a dd 82 20 6a  |.f.e.. g.h j.. j|
000003d0  da 68 80 6a d3 88 11 6b  dd 82 20 6d de 2d 00 6e  |.h.j...k.. m.-.n|
000003e0  7c cf a0 6e ca 67 60 70  ca 67 f3 70 da 68 6f 72  ||..n.g`p.g.p.hor|
000003f0  72 72 72 72 da 6a 7f 72  72 72 73 73 ca 6a c4 73  |rrrr.j.rrrss.j.s|
00000400  ca 67 00 75 74 e4 6f 76  da 68 6f 7a da 6a 7f 7a  |.g.ut.ov.hoz.j.z|
00000410  d3 8a 4b 7b 3d a6 96 7b  da 59 00 7c d3 5d 18 81  |..K{=..{.Y.|.]..|
00000420  3d a6 19 81 d3 5d 40 81  d3 61 40 81 d3 5b 58 81  |=....]@..a@..[X.|
00000430  de 4b 98 81 3d 0a 00 82  3d 0a 01 82 d2 15 04 82  |.K..=...=.......|
00000440  da ca 98 82 db 96 20 84  3d 80 72 85 ca 60 86 85  |...... .=.r..`..|
00000450  ca 60 d1 85 3d a6 96 8b  da 06 c8 8b d2 15 03 8c  |.`..=...........|
00000460  ca 66 03 8d ca 66 08 8d  ca 66 09 8d de 2f 3e 8e  |.f...f...f.../>.|
00000470  ca 66 03 90 d3 8b 1d 96  ca 67 2c 96 ca 6a 2e 97  |.f.......g,..j..|
00000480  d3 5c 90 a1 d3 8a 97 a1  de 34 76 a2 3d 80 72 a6  |.\.......4v.=.r.|
00000490  ca 60 80 a6 ca 62 c6 a7  d3 8b 1d aa a8 5f c0 ae  |.`...b......._..|
000004a0  d3 89 20 b2 d3 8a f5 b4  d3 89 a0 b9 d2 c8 d3 c1  |.. .............|
000004b0  d3 8a 91 c2 da cb a0 c2  dd 82 fc c8 3b 33 4e d2  |............;3N.|
000004c0  ca 6a c4 d4 da 6c f8 db  de de de de d3 a2 3d e1  |.j...l........=.|
000004d0  d2 c8 d3 e1 dd 0c 01 e3  dd 0c 21 e3 ca 6a c4 e4  |..........!..j..|
000004e0  77 e9 ff e4 ca 6a c4 e6  db 93 c6 e6 d3 88 1c e7  |w....j..........|
000004f0  ca 6a c4 e8 d3 88 1c ea  7c a1 61 ea d3 a2 3d eb  |.j......|.a...=.|
00000500  d3 88 1c ed ca 6a c4 ed  7c a1 61 ee de dd 05 f0  |.....j..|.a.....|
00000510  7a 48 21 f0 cb ba 5e f1  ca 72 00 f2 7c a1 61 f2  |zH!...^..r..|.a.|
00000520  8b af 37 f4 da 6c f8 f5  db 48 e1 fd d3 a2 3d ff  |..7..l...H....=.|
00000530
Attachments: 7z/infected (754.48 KiB)
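The config dump above has a recognisable shape. Its first four bytes, `4b 01 00 00`, are 0x14B = 331 as a little-endian uint32, and 4 + 331 x 4 = 1328 = 0x530, exactly the end offset on the dump's last line, so the blob is a counted table of 4-byte records. As an added example (editor's code and interpretation, not from the post), the block below parses `hexdump -C` text and decodes each record as an IPv4 address in network byte order. That reading is an inference, not something the post states; it is supported by the length arithmetic, by the records increasing monotonically down the whole dump when read as little-endian uint32 (the order a sorted `std::vector<unsigned>` of `in_addr_t` values has on x86; the earlier post's `_ZN13CThreadAttack6PktAtkER8CSubTaskRSt6vectorIjSaIjEE` demangles to `CThreadAttack::PktAtk(CSubTask&, std::vector<unsigned int, std::allocator<unsigned int> >&)`), and by several decoded values being well-known public recursive DNS resolvers (168.95.1.1 and 168.95.192.1 are HiNet's, 202.38.64.1 is USTC's), which is what a reflector list for DNS-based flooding looks like. `HEXDUMP_EXCERPT` is a few lines copied from the dump; the parser takes the full text as saved from the page.

```python
"""Parse `hexdump -C` text and decode a counted table of 4-byte records as IPv4."""
import ipaddress
import re
import struct

# Excerpt copied from the post's dump: its first four lines, its last line and
# the trailing end-offset line. Raw string so a '\' in the ASCII column is inert.
HEXDUMP_EXCERPT = r"""
00000000  4b 01 00 00 3d 1f 01 01  a8 5f 01 01 d3 62 04 01  |K...=...._...b..|
00000010  3d b1 07 01 3d 93 25 01  d3 a2 3e 01 ca 26 40 01  |=...=.%...>..&@.|
00000020  ca c4 40 01 d3 5f 48 01  d3 8a 5b 01 db eb 7f 01  |..@.._H...[.....|
00000030  d3 4e 82 01 da 02 87 01  a8 5f c0 01 3d 1f e9 01  |.N......._..=...|
00000520  8b af 37 f4 da 6c f8 f5  db 48 e1 fd d3 a2 3d ff  |..7..l...H....=.|
00000530
"""

_LINE = re.compile(r"^([0-9a-f]{8})((?:\s+[0-9a-f]{2}){1,16})\s*(?:\|.*\|)?\s*$")


def parse_hexdump(text):
    """Return ({offset: bytes}, end_offset). Bytes come from the hex columns only
    (the |ascii| column is ignored), a bare offset line gives the end offset, and
    hexdump's '*' duplicate-squeeze line is rejected because the squeezed bytes
    cannot be recovered from the text (regenerate the dump with -v)."""
    chunks, end = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "*":
            raise ValueError("'*' line: rerun hexdump with -v")
        if re.fullmatch(r"[0-9a-f]{8}", line):
            end = int(line, 16)
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("unparsable line: " + raw)
        chunks[int(m.group(1), 16)] = bytes.fromhex("".join(m.group(2).split()))
    return chunks, end


def _records(chunks):
    """Yield the 4-byte records that follow the 4-byte header, in offset order."""
    for off in sorted(chunks):
        data = chunks[off]
        for i in range(4 if off == 0 else 0, len(data) - 3, 4):
            yield data[i:i + 4]


def decode_table(chunks):
    """(count from the LE uint32 header, records decoded as network-order IPv4).
    The IPv4 reading is this example's assumption about the record format."""
    count = struct.unpack_from("<I", chunks[0], 0)[0]
    return count, [str(ipaddress.IPv4Address(r)) for r in _records(chunks)]


def layout_ok(count, end_offset):
    """True when header + count 4-byte records fills the blob exactly."""
    return 4 + 4 * count == end_offset


def sorted_as_le_u32(chunks):
    """True when the records strictly increase read as little-endian uint32,
    i.e. as the in_addr_t values an x86 build would sort numerically."""
    keys = [struct.unpack("<I", r)[0] for r in _records(chunks)]
    return all(a < b for a, b in zip(keys, keys[1:]))


if __name__ == "__main__":
    chunks, end = parse_hexdump(HEXDUMP_EXCERPT)
    count, ips = decode_table(chunks)
    print(count, hex(end), layout_ok(count, end), sorted_as_le_u32(chunks))
    print(ips)
```

On the excerpt this reports 331 records, an end offset of 0x530 that the count accounts for exactly, a strictly increasing little-endian order, and addresses such as 61.31.1.1, 168.95.1.1, 211.98.4.1 and 202.38.64.1; the full dump decodes the same way once pasted in place of the excerpt.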