A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #8800  by EP_X0FF
 Wed Sep 28, 2011 11:24 am
Thanks. And what about ntdll.dll/kernel32.dll from infected machine, can you attach them too?
 #8822  by dcmorton
 Thu Sep 29, 2011 5:33 am
EP_X0FF wrote:Thanks. And what about ntdll.dll/kernel32.dll from infected machine, can you attach them too?
I no longer have access to the machine that those two files came off of, however the next machine that myself or my colleagues come across with this infection, I'll make sure to grab them and post them here.
 #11159  by Cody Johnston
 Fri Jan 20, 2012 12:30 pm
Copy of infected svchost.exe by Bamtial.Q

Please correct me if I am wrong, but I have seen this particular version re-infecting machines and it has been quite aggressive. For example, a rogue is removed from the system (such as 2012) - and by all means completely removed. Once the system is rebooted with Bamital still infecting it, the PC is reinfected with both FakeSysDef and Security Defender.

svchost.exe

SHA256: 8d037b85b43e3f79c6377640fdf71f3729caf64bff29cdeac4a10296d23cd314

https://www.virustotal.com/file/8d037b8 ... /analysis/
Attachments
Password: infected
(31.85 KiB) Downloaded 63 times
 #11412  by dcmorton
 Fri Feb 03, 2012 1:37 am
Here's explorer.exe, winlogon.exe, svchost.exe, kernel32.dll, and ntdll.dll all from a XP SP3 host infected with Bamital.Q

explorer.exe
https://www.virustotal.com/file/622f507 ... /analysis/

kernel32.dll
https://www.virustotal.com/file/d3b69a8 ... /analysis/

ntdll.dll
https://www.virustotal.com/file/54df909 ... /analysis/

svchost.exe
https://www.virustotal.com/file/4a7b6f8 ... /analysis/

winlogon.exe - VT scan still pending at time of post
https://www.virustotal.com/file/93a2d0f ... 328232090/
Attachments
password: infected
(1.41 MiB) Downloaded 65 times
 #11413  by EP_X0FF
 Fri Feb 03, 2012 3:36 am
Thank you. Bamital stores its payload code in infected file (previously it was standalone file in system32 folder). Infection is system dependent, because it uses hardcoding of VirtualAlloc function address, probably it calculates by dropper-infector. That's why it was required to look at system libraries from infected machine.

Image

So infection works like this -> patched OEP of svchost.exe/explorer/winlogon -> VirtualAlloc + copy main payload data to allocated region -> decrypt sensitive data with xor -> execute decrypted data.

Dump of sensitive strings from infection payload
dwmapi.dll ntmarta.dll /a /c vu open http://
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) GET HTTP/1.0
Host: Content-Length: Pragma: no-cache
User-Agent: Host: type=renderer ntdll.dll kernel32.dll
shell32.dll ws2_32.dll
ole32.dll Imagehlp.dll Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry
Software\Microsoft\Windows NT\CurrentVersion\Temp
SYSTEM\CurrentControlSet\Services\sr\Parameters
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
FirstRun DisableSR \user32.dll /m.php
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup [%subid] <d> </d> <u> </u> <a> </a> <c> </c> google.com Date: X55Fut2999 ?subid= &id= \user32.dll TimeGetWork Uses32 Domen Data / & \ PROCESSOR_IDENTIFIER ? &os= &flg= &ver= &pr= \MicrosoftNT \winserver.exe 11expl22 11svch22 19792079 sfc_os.dll win winlogon.exe dllcache\winlogon.exe svchost.exe dllcache\svchost.exe explorer.exe dllcache\explorer.exe user32.dll opera.exe \SysWoW64 \wbem\ C: \ s y s p r e p \ c r y p t b a s e . d l l c r y p t b a s e . d l l cryptbase.dll \sysprep sysprep.exe elev.exe
decryption routine
Code: Select all
00000021 decryption_loop:                        
00000021                 xor     [edi], dl
00000023                 inc     edx
00000024                 cmp     edx, 0FFh
0000002A                jbe      continue
0000002C                 mov     edx, 0
00000031
00000031 continue:                                
00000031                 add     edi, 1
00000034                 loop    decryption_loop
Attachments
pass: malware
(12.95 KiB) Downloaded 59 times
 #11615  by dcmorton
 Mon Feb 13, 2012 11:55 pm
Believe this to be another Bamital.Q infection; low detection on VT however.

Explorer
https://www.virustotal.com/file/2683b11 ... 329175220/

Winlogon
https://www.virustotal.com/file/610bf54 ... 329175604/

Svchost
https://www.virustotal.com/file/3405567 ... /analysis/

Explorer, winlogon, svchost, ntdll, and kernel32 from XP SP3 in attach.
Attachments
password: infected
(1.34 MiB) Downloaded 69 times
 #11672  by Xylitol
 Fri Feb 17, 2012 9:10 pm
TeamRocketOps wrote:Hey guys. I am looking for a Bamital dropper that drops this svchost infected file:

Win32/Bamital.Q (alias Tojan.Kordeef)

MD5: 7c4efffec2a73c88ebbffdbcd369cde6 (and any other recent droppers if possible)

https://www.virustotal.com/file/4a7b6f8 ... /analysis/

Thank you in advance!

:D
Attachments
 #11743  by EP_X0FF
 Wed Feb 22, 2012 8:31 am
dcmorton wrote:Believe this to be another Bamital.Q infection; low detection on VT however.
They were all cured already by AV. PE rebuilt, EP restored and virus code filled with zeroes.