A forum for reverse engineering, OS internals and malware analysis 

 #28832  by nullptr
 Thu Jul 07, 2016 2:14 pm
ikolor wrote: Please comment on what it is!!!
The one named "sprawa 07072016 t_fdp.rar" is Win32/Ursnif.HP according to MS. Unpacked attached.
The other one is Ransom Shade aka Troldesh. Also attached.
Attachments (pw: infected): 1011.49 KiB and 172.46 KiB.
Last edited by nullptr on Thu Jul 07, 2016 2:42 pm, edited 1 time in total.
 #28839  by nullptr
 Fri Jul 08, 2016 3:52 am
Ransom Shade/Troldesh listed above targets the following extensions:
wb2|cdr|srw|p7b|odm|mdf|p7c|3fr|der|odb|arw|rwl|cer|xlk|pdd|rw2|crt|dx|r3d|pem|bay|ptx|pfx|indd|nrw|p12|bd|backup|torrent|kwm|pwm|safe|xl|xls|xlsx|xlsm|xlsb
|xltm|xlt|xlam|xla|mdb|rtf|txt|xml|csv|pdf|prn|dif|slk|ods|xltx|xlm|odc|xlw|uxdc|pm|udl|dsn|iqy|dqy|rqy|oqy|cub|bak|xsn|xsf|xtp|xtp2|accdb|adb|adp|mda|accda|
mde|accde|accdw|accdt|accdc|mdw|dbf|tab|asc|frm|opt|myd|myi|db|onetoc2|one|onepkg|vcs|ics|pst|oft|msg|pptx|ppt|pptm|pps|ppsm|pot|potx|potm|odp|thmx|wpd|
wps|ppa|ppam|wmf|emf|pub|ps|xps|vsd|vdx|vss|vsx|vst|vtx|vsw|vdw|emz|dwg|dxf|docx|doc|docm|dotx|dot|dotm|djvu|chm|htm|html|mht|mhtml|shtml|shtm|asp|
aspx|dwt|stm|cs|css|psd|pdd|3ds|max|crw|nef|raf|orf|mrw|dcr|mos|pef|srf|dng|x3f|cr2|erf|sr2|kdc|mfw|mef|cin|sdpx|dpx|fido|dae|dcm|dc3|dic|eps|kmz|iff|tdi|
exr|pcx|pdp|pxr|sct|u3d|obj|ai3|ai4|ai5|ai6|ai7|ai8|ai|epsp|epsf|hdr|rgbe|xyze|flm|pbm|pgm|ppm|pnm|pfm|pam|pct|pict|psb|fxg|swf|hta|htc|ssi|as|asr|xsl|xsd|dtd|
xslt|rss|rdf|lbi|asa|ascx|asmx|config|cfm|cfml|cfc|tld|phtml|jsp|wml|tpl|lasso|jsf|vb|vbs|vtm|vtml|edml|raw|jpg|jpeg|jpe|bmp|png|tif|tiff|dib|gif|svg|svgz|rle|tga|
vda|icb|wbm|wbmp|jpf|jpx|jp2|j2k|j2c|jpc|avi|mkv|mov|mp4|wmv|3gp|mpg|mpeg|m4v|divx|mpv|m1v|dat|anim|m4a|qt|3g2|f4v|mkidx|mka|avs|vdr|flv|bin|mp3|wav|
asx|pls|zip|7z|rar|tar|gz|bz2|wim|xz|c|h|hpp|cpp|php|php3|php4|php5|py|pl|sln|js|json|inc|sql|java|class|ini|asm|clx|tbb|tbi|tbk|pst|dbx|cbf|crypted|tib|eml|fld|vbm|
vbk|vib|vhd|mtr|vault|1cd|dt|cf|cfu|mxl|epf|vrp|grs|geo|elf|lgf|lgp|log|st|pff|mft|efd|md|dmp|fdb|lst|fbk
Encrypted files have the extension .da_vinci_code or .magic_software_syndicate
 #28846  by sysopfb
 Sat Jul 09, 2016 1:01 am
xors wrote: The first file looks like a common keylogger-stealer. Will look at it more later. Unpacked in the attachment.

https://www.hybrid-analysis.com/sample/ ... mentId=100 (the unpacked)

That's a gozi/isfb variant

The URL can be turned into the structure you would expect by reversing how the bot transforms it. First it prepends a random %s=%s& to the URI and encrypts the URI using Serpent in CBC mode. The string is then base64 encoded; next the bot turns all '/' chars into _2F and all '+' chars into _2B, then adds in random '/' characters, affixes a static .bmp (in this case) and removes the base64 padding at the end. The Serpent key in this case is 77694321POIRYTRI.

If we take your URI and strip off the .bmp
07cQjh78k/h9_2F7Bko9MXaAhDpedg/nuZyGeOKKI2LsDNQQF_/2BchxOxhOXrqgnPAATLfeB/9jQkF4RR3sJVr/7rWAOT48/5anqeUiMzjqdcswwKNtn9ps/cKWpK_2FRF/saO8k83UR6VeLIC6o/QJsgGGfOax/iDJZi

Reverting the conversions, we get:
07cQjh78kh9/7Bko9MXaAhDpedgnuZyGeOKKI2LsDNQQF+chxOxhOXrqgnPAATLfeB9jQkF4RR3sJVr7rWAOT485anqeUiMzjqdcswwKNtn9pscKWpK/RFsaO8k83UR6VeLIC6oQJsgGGfOaxiDJZi==

Base64 decoding and then serpent decryption using the aforementioned key gives us:
ufihdhdto=ptpb&soft=1&version=214721&user=00283f5318307646a07fd209ec95398a&server=12&id=1009&crc=3b284a

If you APLib-decompress the DLL out of the .mem file you uploaded to Hybrid Analysis and then decode the strings, you should see most of the relevant strings you would expect, including 'ISFB'.