W32.Xpaj.B

#8353 by NarfBang
Tue Aug 30, 2011 3:22 pm

Hello all,

I'm looking for a sample of the Xpaj botnet.
Kaspersky labels it W32.Xpaj.B, referenced here http://www.symantec.com/connect/blogs/x ... rches-year

I have no MD5 and couldn't find reference to it anywhere on this site, or elsewhere.

TIA

Username

NarfBang

Posts

17

Joined

Thu Jun 30, 2011 4:29 pm

Re: Malware Requests - Xpaj

#8363 by PX5
Wed Aug 31, 2011 3:34 pm

NarfBang wrote:Hello all,

I'm looking for a sample of the Xpaj botnet.
Kaspersky labels it W32.Xpaj.B, referenced here http://www.symantec.com/connect/blogs/x ... rches-year

I have no MD5 and couldn't find reference to it anywhere on this site, or elsewhere.

TIA

Attachments

XpajB.zip

(1.3 MiB) Downloaded 254 times

Arrogance led me to my Ignorance

Username

PX5

Posts

144

Joined

Thu Apr 29, 2010 1:14 am

Re: Malware Requests - Xpaj

#12873 by Flopik
Tue Apr 24, 2012 12:29 pm

NarfBang wrote:Hello all,

I'm looking for a sample of the Xpaj botnet.
Kaspersky labels it W32.Xpaj.B, referenced here http://www.symantec.com/connect/blogs/x ... rches-year

I have no MD5 and couldn't find reference to it anywhere on this site, or elsewhere.

TIA

A new analysis is available : http://labs.bitdefender.com/2012/04/xpa ... t-edition/

Username

Flopik

Posts

47

Joined

Wed Sep 08, 2010 5:39 pm

Re: W32.Xpaj.B

#12897 by R136a1
Wed Apr 25, 2012 1:26 pm

Luckily they provide a MD5 hash: d5c12fcfeebbe63f74026601cd7f39b2

So if anyone has this sample, please upload!

Malware Reversing
http://www.malware-reversing.com

Username

R136a1

Rank

Forum Admin

Posts

272

Joined

Wed Jul 13, 2011 4:30 pm

Location

Netherlands

Re: W32.Xpaj.B

#12908 by Disillusion
Thu Apr 26, 2012 6:54 am

Sample Attached

Attachments

xpaj.rar

(206.61 KiB) Downloaded 164 times

Username

Disillusion

Posts

14

Joined

Tue Mar 16, 2010 2:35 am

Re: W32.Xpaj.B

#12924 by R136a1
Fri Apr 27, 2012 5:25 pm

While analysing the sample (d5c12fcfeebbe63f74026601cd7f39b2) in OllyDbg I came across an Anti-Debug function I don't understand.
This function just alters the return address on the stack, so when the return opcode is executed it jumps to a new location. Something like an code obfuscation construct. Nothing special one may think, but if I want to step over the function (F8) an exception occurs and I end up in kernel32.dll. If I single step through the function (F7) everything works as expected.

Code: Select all

Disassembly:
0001AD38	pushf
0001AD39	push    ebx
0001AD3A	push    eax
0001AD3B	mov     ebx, [esp+0Ch]
0001AD3F	and     eax, 0
0001AD42	jnz     short loc_1ACE0
0001AD44	not     eax
0001AD46	and     eax, 24F9h
0001AD4C	add     eax, [ebx-4]
0001AD4F	add     eax, [esp+0Ch+arg_0]
0001AD53	add     [esp+0Ch], eax
0001AD57	pop     eax
0001AD58	pop     ebx
0001AD59	popf
0001AD5A	retn    4

Can someone explain me why this happens?

Malware Reversing
http://www.malware-reversing.com

Username

R136a1

Rank

Forum Admin

Posts

272

Joined

Wed Jul 13, 2011 4:30 pm

Location

Netherlands