A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #17548  by Cassiel
 Wed Jan 02, 2013 4:15 pm
Hello all

I am currently looking for multiple samples from Citadel or detailed analysis of them. The one I found on the forum refuses to work in my virtual lab and kills itself.
Most likely it is the protection against VMs, although I killed all processes from VirtualBox. If anybody knows how to bypass this then this is also welcome.

Regards

Cassiel
 #17553  by EP_X0FF
 Wed Jan 02, 2013 6:35 pm
Cassiel wrote:Hello all

I am currently looking for multiple samples from Citadel or detailed analysis of them. The one I found on the forum refuses to work in my virtual lab and kills itself.
Most likely it is the protection against VMs, although I killed all processes from VirtualBox. If anybody knows how to bypass this then this is also welcome.

Regards

Cassiel
Hello,

attach or point to the sample you are talking about. AFAIR Citadel AntiVM (1.3.4.5) was just a lame check of the CompanyName part of the VERSION_INFO block of running processes. However it might have additional VM detection at crypter level.
 #17561  by Cassiel
 Thu Jan 03, 2013 9:31 am
Hello EP_X0FF

I have attached the BSA logs + samples, I did notice that it seems to stop after getting the hostname.
It is a rather generic 'xp1' as hostname though so maybe it is just my imagination.
The check you mean was indeed the one I tried to get around but maybe I screwed up somewhere.

Cassiel


EDIT: and considering I am still sleepy I forgot the attachments, hoping this won't give double posts.
Attachments
pswd = infected
 #17563  by EP_X0FF
 Thu Jan 03, 2013 11:19 am
6f6b5fe65fdc8df2a627c19f838ec6b0f6329abab82c4e8f2ce7f235f79e1c9f as test.

Needed a quick patch for me, however I think you don't need it. Citadel tries to discover the bot's geographic location (GetKeyboardLayoutList) and terminates immediately if it finds Russia (0x419) or Ukraine (0x422). Patch with two nops @0041FDC2. After this I was able to run it. Citadel installed itself, mapped into multiple processes and hooked Win32 API.
[1216]explorer.exe-->ntdll.dll-->NtCreateThread, Type: Inline - PushRet 0x7C90D190-->02C09638 [unknown_code_page]
[1216]explorer.exe-->ntdll.dll-->LdrLoadDll, Type: Code Mismatch 0x7C9163A3 + 1 [13 98 C0 02 C3]
[1216]explorer.exe-->kernel32.dll-->GetFileAttributesExW, Type: Inline - PushRet 0x7C811185-->02C09A7C [unknown_code_page]
[1216]explorer.exe-->kernel32.dll-->ExitProcess, Type: Inline - PushRet 0x7C81CAFA-->02C09A3B [unknown_code_page]
[1216]explorer.exe-->advapi32.dll-->CreateProcessAsUserW, Type: Inline - PushRet 0x77DDA889-->02C09AF9 [unknown_code_page]
[1216]explorer.exe-->advapi32.dll-->CreateProcessAsUserA, Type: Inline - PushRet 0x77E00C80-->02C09AE2 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->ReleaseDC, Type: Inline - PushRet 0x7E36869D-->02C19B53 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->GetDC, Type: Inline - PushRet 0x7E3686C7-->02C19AD5 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->TranslateMessage, Type: Inline - PushRet 0x7E368BF6-->02C09D04 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->GetWindowDC, Type: Inline - PushRet 0x7E369021-->02C19B14 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->GetMessageW, Type: Inline - PushRet 0x7E3691C6-->02C0A93D [unknown_code_page]
[1216]explorer.exe-->user32.dll-->PeekMessageW, Type: Inline - PushRet 0x7E36929B-->02C0A98D [unknown_code_page]
[1216]explorer.exe-->user32.dll-->GetCapture, Type: Inline - PushRet 0x7E3694DA-->02C0A89E [unknown_code_page]
[1216]explorer.exe-->user32.dll-->RegisterClassW, Type: Inline - PushRet 0x7E36A39A-->02C12809 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->RegisterClassExW, Type: Inline - PushRet 0x7E36AF7F-->02C128A3 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->OpenInputDesktop, Type: Inline - PushRet 0x7E36ECA3-->02C12497 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->SwitchDesktop, Type: Inline - PushRet 0x7E36FE6E-->02C124E7 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->DefDlgProcW, Type: Inline - PushRet 0x7E373D3A-->02C12591 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->GetMessageA, Type: Inline - PushRet 0x7E37772B-->02C0A965 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->RegisterClassExA, Type: Inline - PushRet 0x7E377C39-->02C128F5 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->DefWindowProcW, Type: Inline - PushRet 0x7E378D20-->02C12505 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->BeginPaint, Type: Inline - PushRet 0x7E378FE9-->02C199CA [unknown_code_page]
[1216]explorer.exe-->user32.dll-->EndPaint, Type: Inline - PushRet 0x7E378FFD-->02C19A3A [unknown_code_page]
[1216]explorer.exe-->user32.dll-->GetCursorPos, Type: Inline - PushRet 0x7E37974E-->02C0A770 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->GetMessagePos, Type: Inline - PushRet 0x7E37996C-->02C0A73E [unknown_code_page]
[1216]explorer.exe-->user32.dll-->CallWindowProcW, Type: Inline - PushRet 0x7E37A01E-->02C1273B [unknown_code_page]
[1216]explorer.exe-->user32.dll-->PeekMessageA, Type: Inline - PushRet 0x7E37A340-->02C0A9B8 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->GetUpdateRect, Type: Inline - PushRet 0x7E37A8C9-->02C19B93 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->CallWindowProcA, Type: Inline - PushRet 0x7E37A97D-->02C12784 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->DefWindowProcA, Type: Inline - PushRet 0x7E37C17E-->02C1254B [unknown_code_page]
[1216]explorer.exe-->user32.dll-->SetCapture, Type: Inline - PushRet 0x7E37C35E-->02C0A7F4 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->ReleaseCapture, Type: Inline - PushRet 0x7E37C37A-->02C0A84E [unknown_code_page]
[1216]explorer.exe-->user32.dll-->GetDCEx, Type: Inline - PushRet 0x7E37C595-->02C19A7A [unknown_code_page]
[1216]explorer.exe-->user32.dll-->RegisterClassA, Type: Inline - PushRet 0x7E37EA5E-->02C12856 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->GetUpdateRgn, Type: Inline - PushRet 0x7E37F5EC-->02C19C26 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->DefFrameProcW, Type: Inline - PushRet 0x7E380833-->02C1261D [unknown_code_page]
[1216]explorer.exe-->user32.dll-->DefMDIChildProcW, Type: Inline - PushRet 0x7E380A47-->02C126AF [unknown_code_page]
[1216]explorer.exe-->user32.dll-->GetClipboardData, Type: Inline - PushRet 0x7E380DBA-->02C09E7A [unknown_code_page]
[1216]explorer.exe-->user32.dll-->DefDlgProcA, Type: Inline - PushRet 0x7E38E577-->02C125D7 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->DefFrameProcA, Type: Inline - PushRet 0x7E39F965-->02C12666 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->DefMDIChildProcA, Type: Inline - PushRet 0x7E39F9B4-->02C126F5 [unknown_code_page]
[1216]explorer.exe-->user32.dll-->SetCursorPos, Type: Inline - PushRet 0x7E3A61B3-->02C0A7B7 [unknown_code_page]
[1216]explorer.exe-->wininet.dll-->HttpOpenRequestA, Type: Inline - PushRet 0x771B2AF9-->02C1BCBE [unknown_code_page]
[1216]explorer.exe-->wininet.dll-->InternetCloseHandle, Type: Inline - PushRet 0x771B4D8C-->02C1BF76 [unknown_code_page]
[1216]explorer.exe-->wininet.dll-->HttpSendRequestA, Type: Inline - PushRet 0x771B60A1-->02C1BD51 [unknown_code_page]
[1216]explorer.exe-->wininet.dll-->HttpQueryInfoA, Type: Inline - PushRet 0x771B79C2-->02C1C116 [unknown_code_page]
[1216]explorer.exe-->wininet.dll-->InternetReadFile, Type: Inline - PushRet 0x771B82EA-->02C1BFE3 [unknown_code_page]
[1216]explorer.exe-->wininet.dll-->HttpSendRequestExW, Type: Inline - PushRet 0x771BE9C1-->02C1BDA6 [unknown_code_page]
[1216]explorer.exe-->wininet.dll-->HttpOpenRequestW, Type: Inline - PushRet 0x771BF4D7-->02C1BC80 [unknown_code_page]
[1216]explorer.exe-->wininet.dll-->InternetQueryDataAvailable, Type: Inline - PushRet 0x771C89F7-->02C1C0EA [unknown_code_page]
[1216]explorer.exe-->wininet.dll-->InternetSetFilePointer, Type: Inline - PushRet 0x771E840B-->02C1C090 [unknown_code_page]
[1216]explorer.exe-->wininet.dll-->InternetReadFileExA, Type: Inline - PushRet 0x771E9100-->02C1C011 [unknown_code_page]
[1216]explorer.exe-->wininet.dll-->HttpSendRequestW, Type: Inline - PushRet 0x77202EBC-->02C1BCFC [unknown_code_page]
[1216]explorer.exe-->wininet.dll-->HttpSendRequestExA, Type: Inline - PushRet 0x77202FC1-->02C1BE43 [unknown_code_page]
[1216]explorer.exe-->wininet.dll-->HttpEndRequestA, Type: Inline - PushRet 0x77203027-->02C1BEE0 [unknown_code_page]
[1216]explorer.exe-->wininet.dll-->HttpEndRequestW, Type: Inline - PushRet 0x77203059-->02C1BF2B [unknown_code_page]
[1216]explorer.exe-->ws2_32.dll-->getaddrinfo, Type: Inline - PushRet 0x71A92A6F-->02C20DB1 [unknown_code_page]
[1216]explorer.exe-->ws2_32.dll-->closesocket, Type: Inline - PushRet 0x71A93E2B-->02C211A0 [unknown_code_page]
[1216]explorer.exe-->ws2_32.dll-->send, Type: Inline - PushRet 0x71A94C27-->02C211D8 [unknown_code_page]
[1216]explorer.exe-->ws2_32.dll-->gethostbyname, Type: Inline - PushRet 0x71A95355-->02C20D41 [unknown_code_page]
[1216]explorer.exe-->ws2_32.dll-->WSASend, Type: Inline - PushRet 0x71A968FA-->02C211F9 [unknown_code_page]
[1216]explorer.exe-->crypt32.dll-->PFXImportCertStore, Type: Inline - PushRet 0x77ADFF8F-->02C218D9 [unknown_code_page]
Autorun entry set.

I see you use VirtualBox. See Buster_BSA link.
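To make a hook report like the one above quicker to triage, here is an added Python example (my own code, not from this thread or from any tool mentioned in it) that parses the report's line format into records and summarizes them: hooks per module, hooks whose trampoline lands in an unmapped code page, and the address range those trampolines cover. The four sample lines are copied from the report; the regex and function names are my own.

```python
import re
from collections import Counter

# Sample input: four lines copied from the hook report quoted above.
SAMPLE_LOG = """\
[1216]explorer.exe-->ntdll.dll-->NtCreateThread, Type: Inline - PushRet 0x7C90D190-->02C09638 [unknown_code_page]
[1216]explorer.exe-->ntdll.dll-->LdrLoadDll, Type: Code Mismatch 0x7C9163A3 + 1 [13 98 C0 02 C3]
[1216]explorer.exe-->wininet.dll-->HttpSendRequestA, Type: Inline - PushRet 0x771B60A1-->02C1BD51 [unknown_code_page]
[1216]explorer.exe-->ws2_32.dll-->send, Type: Inline - PushRet 0x71A94C27-->02C211D8 [unknown_code_page]
"""

# [pid]process-->module-->func, Type: <type> 0x<addr>[-->target][ + offset][ [detail]]
LINE_RE = re.compile(
    r"^\[(?P<pid>\d+)\](?P<process>[^-]+?)-->(?P<module>[^-]+?)-->(?P<func>\w+), "
    r"Type: (?P<type>.+?) 0x(?P<addr>[0-9A-Fa-f]+)"
    r"(?:-->(?P<target>[0-9A-Fa-f]+))?(?: \+ (?P<offset>\d+))?"
    r"(?: \[(?P<detail>[^\]]*)\])?$"
)

def parse_hook_log(text):
    """Turn each report line into a dict; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["pid"] = int(rec["pid"])
        rec["addr"] = int(rec["addr"], 16)                       # hooked address in the DLL
        rec["target"] = int(rec["target"], 16) if rec["target"] else None  # trampoline dest
        rec["offset"] = int(rec["offset"]) if rec["offset"] else 0
        records.append(rec)
    return records

def hooks_per_module(records):
    """How many exports of each DLL were patched in the process."""
    return Counter(r["module"] for r in records)

def hooks_into_unmapped_code(records):
    """Inline hooks whose destination is not backed by any loaded module."""
    return [r for r in records if r["detail"] == "unknown_code_page"]

def injected_region(records):
    """Lowest and highest trampoline target: a tight range points at one injected blob."""
    targets = [r["target"] for r in records if r["target"] is not None]
    return (min(targets), max(targets)) if targets else None
```

Running it over the full report shows every trampoline landing in the same private region, which is the quickest way to locate the injected code for dumping.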
 #17564  by Cassiel
 Thu Jan 03, 2013 11:40 am
I hereby officially declare that I only understand a part of all you said, but I will try to figure it out ;)
 #17580  by Cassiel
 Fri Jan 04, 2013 10:03 am
I also tried the Citadel sample with everything I could adjust and that doesn't work. Seems like it is google time and hope to find something :)
 #17583  by Cassiel
 Fri Jan 04, 2013 10:51 am
@ EP_X0FF

I have run the sample in my VM and I noticed some strange things. If I run it outside BSA it will set the autorun part, if I run it inside BSA it won't.
There are the "usual" registry changes but there is nothing being added to the run key. It is like it puts itself to sleep and then can no longer continue.
 #17587  by EP_X0FF
 Fri Jan 04, 2013 11:07 am
Cassiel wrote:I also tried the Citadel sample with everything I could adjust and that doesn't work. Seems like it is google time and hope to find something :)
What exactly is not working, what sample are you looking at, and how? Same as here http://www.kernelmode.info/forum/viewto ... 563#p17563?