[Horgh]

OEP @ 00401414? Is that correct?

Nope, OEP is 004020C1.

Code: Select all

004020C1  |.  55            PUSH EBP
004020C2  |.  8BEC          MOV EBP,ESP
004020C4  |.  81EC 0C020000 SUB ESP,20C
004020CA  |.  53            PUSH EBX
004020CB  |.  56            PUSH ESI
004020CC  |.  8B35 44304000 MOV ESI,DWORD PTR DS:[403044]            ;  kernel32.GetModuleFileNameA
004020D2  |.  57            PUSH EDI
004020D3  |.  BF 03010000   MOV EDI,103
004020D8  |.  57            PUSH EDI                                 ; /BufSize => 103 (259.)
004020D9  |.  8D85 F8FEFFFF LEA EAX,DWORD PTR SS:[EBP-108]           ; |
004020DF  |.  33DB          XOR EBX,EBX                              ; |
004020E1  |.  50            PUSH EAX                                 ; |PathBuffer
004020E2  |.  53            PUSH EBX                                 ; |hModule => NULL
004020E3  |.  895D FC       MOV DWORD PTR SS:[EBP-4],EBX             ; |
004020E6  |.  FFD6          CALL ESI                                 ; \GetModuleFileNameA

Is this custom cryption part?

http://msdn.microsoft.com/en-us/library ... s.85).aspx
"Creates a private heap object that can be used by the calling process. The function reserves space in the virtual address space of the process and allocates physical storage for a specified initial portion of this block."

Attached what I THINK is the proper dump + IAT fix (dumped_.exe). Where do I go from here (if even on the right track) to view interesting/decrypted strings? Thank you :)

EDIT: Added dumped2_.exe. SEEMS a bit more complete and reveals program written in Delphi v2.25. Please correct if wrong.

Your first dump is wrong, you're still in the packer code. Your second dump doesn't even start. And the FakeAv is written in VC++.
It's really easy to unpack, set a bp on VirtualFree, Alt+F9, trace a bit and you'll land here :

Code: Select all

003F0CDB    83F8 01         CMP EAX,1
003F0CDE    75 04           JNZ SHORT 003F0CE4
003F0CE0    6A 00           PUSH 0
003F0CE2    FFD1            CALL ECX
003F0CE4  - FFE1            JMP ECX                                  ; (fakeAv).004020C1

This is the jump to the OEP.

In attach a crappy dump I made.

(fakeav)file1_dump_.7z

pwd : infected
(821 KiB) Downloaded 78 times

[thisisu]

Hi and thanks for your response. :)

I think we are looking at different files. It is my fault, I didn't mention at first that I ran the malware in VM and gathered the btdefender.exe from %allusersprofile%. Attached is that file. Sorry for the confusion. This is the one I've been trying to analyse.

[EP_X0FF]

Yes this software is written in CodeGear RAD studio, so thisisu correct.

It is multustaged dropper using TDL3 style spooler inject, self-decryption and antiemulation.

1 layer - dumb crypter, break on NtFreeVirtualMemory and dump container
2 layer - dropper written in C++ and using TDL3 injection, force 00401D84 to be executed, it will decrypt .inst section and transfer control to the next level.
.inst section is block of data+executable. Data is the following:

Code: Select all

btdefender.exe Internet Security Plus 
hxxp://twinkcam.net/images/s.php?id=214
hxxp://cinnamyn.com/images/s.php?id=214  

Name of malware + C&C as I understand.

3. Next stage dropper written in C++, purpose - decrypt 4 stage malware body
4. MPRESS compressed actual FakeAV body.

Maybe I missed something, just did quick looking.

If you need any layers from this crap let me know.

[thisisu]

If you need any layers from this crap let me know.

Hi, yes please if you do not mind can you attach all 4 layers? Thanks

[EP_X0FF]

Last stage mpress with not fixed iat, doesn't matter, resources and other crap readable.

2stage.exe_bin - TDL3 style injector with 3 stage in .inst section encrypted
3stage.exe_bin - decrypted .inst executable, next dropper with encrypted mpress executable inside
4stage_mpress.exe_bin - mpress itself, will work if simple launched
dumped_finalstage_noiatfix.exe_bin - name say it all (resources readable, you can extract all delphi forms etc)
For MPRESS generic, execute first instruction and goto esp value, set hardware breakpoint on access first dword, break on, follow jmp <address>, you are at OEP.

IDE used: CodeGear RAD Studio, version 11.0.2709.7128

And this is Win32/FakeRean.

Also if you are interested this FakeAV is VM aware. It detect presense of VMWare (using VMX backdoor) and VirtualPC (using invalid instruction). For more info see code at offset 0016BC25 in last stage dump.

[Xylitol]

http://cybercrime-tracker.net/vx/FakeAV ... 202013.rar
1954 FakeAV

[ELWIS1]

@ Xylitol

Link does not work ;)

[Xylitol]

everything is fine here.

[Win32:Virut]

AVASoft Professional Antivirus
http://youtu.be/e_1rj2Q-Bfg
hxxp://www18.zippyshare.com/v/79140735/file.html

It's using ClamAV engine, and really detecting threats, but it's suspicious, (it's using very simillar interface to Winwebsec fakeavs)

[Win32:Virut]

5 samples - System Care Antivirus