A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #17121  by EP_X0FF
 Tue Dec 11, 2012 2:32 pm
@Kafeine

Thanks.
Split and attached here additionally with SHA-1.
Attachments (pass: infected)
 #17145  by Neurofunk
 Wed Dec 12, 2012 6:53 pm
https://www.virustotal.com/file/d5a7e7c ... /analysis/

edit: this one is kind of fucked up in my opinion, there is a VERY questionable image embedded into it when it executes. Also not sure if this is the right place, but does anyone know what the giant 90+ MB .pad files this thing writes are for?

MD5: 179caa8975162f0be43fa08b1a8dbde7
Detection ratio: 11 / 45
Attachments (password: infected)
 #17149  by EP_X0FF
 Thu Dec 13, 2012 3:53 am
Neurofunk wrote: https://www.virustotal.com/file/d5a7e7c ... /analysis/

edit: this one is kind of fucked up in my opinion, there is a VERY questionable image embedded into it when it executes. Also not sure if this is the right place, but does anyone know what the giant 90+ MB .pad files this thing writes are for?

MD5: 179caa8975162f0be43fa08b1a8dbde7
Detection ratio: 11 / 45
There are no embedded images or HTML data; all of it is downloaded from C&C 31.44.184.134:https. Reveton and C&C are now working with SSL. The pad file you mentioned is an encrypted container containing a wave file. Why is it 90 MB? Mad skillz maybe the reason. It creates it already at 90 MB and fills it with a 65k block write loop. Downloaded content is stored at offset 11576 with size about 1 MB.

Scary face with some pron.
[attached image: img.jpg]
As for ransom exports, it determines which mode Reveton uses.

H1N1 - something like initialize; locks the screen by switching to a specially created desktop (random name) with a full screen IE window.
H1N2 - does webcam recording from a rundll32.exe process launched again on a different specially created desktop (random name). The H1N2 export is called via rundll32.exe from Reveton code mapped inside the IEXPLORE zombie process.

Because it uses different desktops, this trojan is very comfortable for dynamic analysis.

Autoruns via Start->Programs->Autorun. Terminates the Task Manager process (the watchdog looks it up by the TASKMGR.EXE name).

Decrypted working ransom dll in attach, crappy Delphi origin. Run from debugger or rundll32. Contains massive log output with spelling errors, e.g. "Lock DLL Download and Write Complite", and the path X:\PGP\Programming\JimmMonsterNew\ServerWinlock\Source\SysUtils.pas.
In comparison with Urausy, Reveton is simple and trash.
Attachments (pass: malware)
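Added example (my own code, not from this thread or from any Reveton analysis tool): a Python triage helper for the .pad container layout EP_X0FF describes above. It checks the size profile, carves the high-entropy region starting at offset 11576 block by block until it hits filler, and reports the region's length, SHA-1 and entropy so the carved blob can be matched or shared without the 90 MB file. The 80 MB size threshold, the 7.0 bits/byte entropy cutoff and the zero filler of the constructed sample are assumptions; the post does not state what the filler loop writes.

```python
import hashlib, math, os, tempfile
from collections import Counter

# Layout from the post: .pad pre-allocated at ~90 MB by a 65k block write loop,
# downloaded (encrypted) content at offset 11576, about 1 MB long.
PAYLOAD_OFFSET = 11576
BLOCK = 65536            # "65k block write loop"
MIN_PAD_SIZE = 80 << 20  # assumption: size profile for "about 90 MB"
ENTROPY_CUTOFF = 7.0     # assumption: encrypted content scores close to 8

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for empty or single-valued input."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def carve_pad(path: str):
    """Carve the high-entropy region at PAYLOAD_OFFSET; None if no match."""
    if os.path.getsize(path) < MIN_PAD_SIZE:
        return None
    carved = bytearray()
    with open(path, "rb") as f:
        f.seek(PAYLOAD_OFFSET)
        while True:
            blk = f.read(BLOCK)
            # stop at EOF or at the first block that looks like filler
            if not blk or shannon_entropy(blk) < ENTROPY_CUTOFF:
                break
            carved += blk
    if not carved:
        return None
    return {"offset": PAYLOAD_OFFSET, "length": len(carved),
            "sha1": hashlib.sha1(carved).hexdigest(),
            "entropy": round(shannon_entropy(carved), 3)}

def make_sample_pad(path: str, payload: bytes, total: int = 90 << 20) -> None:
    """Constructed stand-in for a .pad: zero header gap, payload, zero filler."""
    with open(path, "wb") as f:
        f.write(b"\x00" * PAYLOAD_OFFSET)
        f.write(payload)
        f.truncate(total)  # sparse zero fill up to the nominal 90 MB

def demo(n: int = 1 << 20):
    """Plant n random bytes in a constructed sample and carve them back;
    returns (sha1 of the planted payload, carve_pad result)."""
    payload = os.urandom(n)
    path = os.path.join(tempfile.mkdtemp(), "sample.pad")
    make_sample_pad(path, payload)
    return hashlib.sha1(payload).hexdigest(), carve_pad(path)
```

On a real sample, compare the carved SHA-1 against the blob Reveton fetched from the C&C rather than the whole .pad, whose filler makes the file hash useless for matching.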
 #17150  by rinn
 Thu Dec 13, 2012 7:22 am
Hi.
H1N1 - something like initialize; locks the screen by switching to a specially created desktop (random name) with a full screen IE window.
No, the actual locker is on the second Reveton desktop, not the first. The invisible IE on the first Reveton desktop is used for silent download. As for the code inside rundll32.exe running on the second Reveton desktop:

TForm1 "" (WS_EX_TOPMOST, WS_VISIBLE) <--- Reveton main window, size is dynamic depending on screen resolution (window will be stretched for full screen).
TScrollBox "" <--- auto scroll window of TForm1
TPanel "" ---> has child window ClsCapWin "My Own Capture Window" <--- webcam.
TEdit "" ---> Reveton code input window.
TForm2 "" (hidden) --> error payment window
TForm3 "" (hidden) --> transfer success window

H1N2 can be executed by rundll32.exe only from browser process (Stage 2).


(-.-)

Best Regards,
-rin
 #17179  by EP_X0FF
 Fri Dec 14, 2012 4:41 pm
rinn wrote: Hi.
H1N1 - something like initialize; locks the screen by switching to a specially created desktop (random name) with a full screen IE window.
No, the actual locker is on the second Reveton desktop, not the first. The invisible IE on the first Reveton desktop is used for silent download.
Yes, my mistake :)