A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #22453  by rinn
 Fri Mar 14, 2014 4:22 pm

Final pack of Turla files. Decrypted payload dll's extracted earlier from resource container. They share the same encryption as driver and other dlls in the main dropper.

AV play in spy games better than do their actual work.

https://www.virustotal.com/en/file/099a ... 394813556/
https://www.virustotal.com/en/file/a15c ... 394813576/
https://www.virustotal.com/en/file/564e ... 394813590/
https://www.virustotal.com/en/file/152c ... 394813624/
https://www.virustotal.com/en/file/9611 ... 394813641/
https://www.virustotal.com/en/file/4c8b ... 394813661/

Best Regards,
pass: infected
(369.8 KiB) Downloaded 187 times
 #22457  by R136a1
 Sat Mar 15, 2014 3:33 pm
Yet again a small comment from my side:

While clearing out my malware archive I found a small analysis of Turla I made in 2012, according to the 2009/2010 samples provided by Xylitol:
http://www.kernelmode.info/forum/viewto ... 6a1#p13574 :)

But my analysis doesn't contain any information that hasn't already been published in great detail, so I just want to add some domains which are not presented in BAE report:
Domains with same IP-address (
  • amazon-market.net
  • today-news.ath.cx
  • hotnews.ath.cx
  • allnews.ath.cx
  • today-news.sytes.net
IP Information for
IP Location: Estonia Estonia Tallinn Starman As
ASN: Estonia AS13272 STARMAN Starman AS (registered May 18, 2000)
Resolve Host:
IP Address: [Whois] [Reverse-Ip] [Ping] [DNS Lookup] [Traceroute]
Whois Server whois.ripe.net
Reverse IP: 1 website uses this address. (example: amazon-market.net)
Create an IP Monitor to monitor future changes to “”.
Log in or Open an Account

inetnum: -
descr: Starman Internet AS
descr: Server housing
country: EE
admin-c: SI185-RIPE
tech-c: SI185-RIPE
mnt-by: AS13272-MNT
source: RIPE # Filtered

role: Starman Internet
address: Starman AS
address: Akadeemia tee 28
address: 12618 Tallinn
address: Estonia
phone: +372 677 9933
fax-no: +372 677 9921
remarks: ------------------------------------------------------------------
remarks: all abuse notifications sent to ripe_@_starman.ee WILL BE IGNORED
remarks: ------------------------------------------------------------------
admin-c: MV88-RIPE
tech-c: MV88-RIPE
tech-c: MS19621-RIPE
nic-hdl: SI185-RIPE
mnt-by: AS13272-MNT
source: RIPE # Filtered

descr: Starman AS
origin: AS13272
mnt-by: AS13272-MNT
source: RIPE # Filtered
 #22458  by EP_X0FF
 Sat Mar 15, 2014 5:19 pm
Well I can add that old version of what is now known Turla wasn't named "Snake" or whatever, it clearly identifies itself as "CARBON SYSTEM" even with version number 3.61 as in our case (with malware dated back to October 2009). Have no idea how everybody missed this.

Starting likely from 2009 (release year of Windows 7, replaced totally failed Vista) Turla equiped with full Windows x64 support including x64 rootkit and x64 payload modules, which shifts TDL4 from first place (discovered in the July 2010) to the second place in rootkits "conquer x64" championship.

Modern Turla differs from the older variant, not only in core components code but also in new configuration store container-database. Earlier all params were stored in something like cfg file, see example.
Code: Select all

user_winmin =  600000
user_winmax = 1200000
sys_winmin = 3600000
sys_winmax = 3700000
task_min = 20000
task_max = 30000
checkmin = 60000
checkmax = 70000
logmin =  600000
logmax = 1200000
active_con = 900000

quantity = 0

quantity = 0

user_pipe = \\.\pipe\userpipe
system_pipe = \\.\pipe\iehelper

server = 135

lastsend =
logperiod = 7200

Authors information
Code: Select all
$Id: t_utils.c 5503 2007-02-26 13:14:30Z vlad $ 
$Id: t_status.c 5666 2007-03-19 16:18:00Z vlad $        
$Id: t_message1.c 5290 2007-01-26 11:15:03Z vlad $      
$Id: t_manager.c 8715 2007-11-29 16:04:46Z urik $       
$Id: t_byte1.c 5324 2007-01-30 12:45:35Z vlad $ 
$Id: np_win32_common.c 4483 2006-08-30 13:13:51Z vlad $ 
$Id: m_np.c 8825 2008-01-10 13:13:15Z vlad $    
$Id: m_frag.c 8715 2007-11-29 16:04:46Z urik $  
$Id: m2_to_b2_stub.c 4477 2006-08-28 15:58:21Z vlad $   
$Id: l1_check.c 4477 2006-08-28 15:58:21Z vlad $        
$Id: b_tcp.c 8474 2007-09-19 15:40:39Z vlad $   
$Id: b2_to_m2_stub.c 5273 2007-01-23 17:41:15Z vlad $   
$Id: thread.c 4593 2006-10-12 11:43:29Z urik $  
$Id: rw_lock.c 4482 2006-08-30 13:07:14Z vlad $ 
$Id: mutex.c 3940 2006-03-20 16:47:16Z vlad $   
$Id: load_lib_win32.c 10180 2008-11-20 12:13:01Z gilg $ 
$Id: hide_module_win32.c 10189 2008-11-25 14:25:41Z gilg $
 #22469  by R136a1
 Tue Mar 18, 2014 2:16 pm
Domain update

After further analyzing the domains of my last post I think that some don't belong to Turla, but instead to the Agent.btz/SillyFDC/Voronezh.1600 worm:

2008 Pentagon attack (offline):
  • worldnews.ath.cx
  • biznews.podzone.org
More (offline):
  • biznews.ath.cx
  • intellicast.ath.cx
New (online):
  • today-news.ath.cx
  • hotnews.ath.cx
  • allnews.ath.cx
 #22577  by natalliad
 Thu Mar 27, 2014 1:38 am
Hi R136a1, thank you for the samples and analysis. Maybe you can help. Where do i find a reference to the used C&C domains? I looked in the injected in to a browser dll but couldn't locate anything. Are they dynamically generated or encrypted? Thanks!
 #22598  by R136a1
 Mon Mar 31, 2014 3:58 pm
natalliad wrote:Hi R136a1, thank you for the samples and analysis. Maybe you can help. Where do i find a reference to the used C&C domains? I looked in the injected in to a browser dll but couldn't locate anything. Are they dynamically generated or encrypted? Thanks!
Good question! All the domains I have posted are from public resources like Virustotal, Threatexpert, Google, ...

As you said, we don't see any hardcoded domain names in the decrypted DLL provided by rinn (decrypted_inj_snake_...). Therefore they are encrypted and will probably be decrypted in memory on-the-fly. A good starting point to find the decryption routine is to look for APIs that need the plaintext server name such as gethostbyname() or InternetConnect() and trace back the appropriate parameter to some code that has the usual suspects like xor, add, ror, ... or CryptoAPI functions like CryptAcquireContext, ...
  • 1
  • 3
  • 4
  • 5
  • 6
  • 7