A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #7746  by Evilcry
 Fri Jul 29, 2011 7:33 am
Hi,

Some time ago i wrote a little tutorial on Carberp, from a reversing point of view, here the link:

http://quequero.org/Carberp_Reverse_Engineering

Some additional info with Wireshark Extension to automate decryption

Decrypting Carberp C&C communication

http://securityblog.s21sec.com/2011/07/ ... ation.html

In attachment with password infected the sample used for analysis

Regards,
Evilcry
Attachments
(128.13 KiB) Downloaded 64 times
 #7748  by Evilcry
 Fri Jul 29, 2011 8:43 am
it's highly probable that still keeps rk functionalities, because lately there aren't much variations on the binary :)

In attachment some other Carberp i've here
Attachments
infected
(85.61 KiB) Downloaded 56 times
infected
(58.29 KiB) Downloaded 51 times
infected
(150.02 KiB) Downloaded 62 times
 #7749  by EP_X0FF
 Fri Jul 29, 2011 8:48 am
I take first sample, yes everything are still in place :) Binary still under Start Menu\Programs\Startup and hooks are in place.
[1176]explorer.exe-->ntdll.dll-->NtQueryDirectoryFile, Type: Code Mismatch 0x7C90D750 + 6 [5C 23 58 03]
[1176]explorer.exe-->ntdll.dll-->NtResumeThread, Type: Code Mismatch 0x7C90DB20 + 6 [4C 23 58 03]
[1176]explorer.exe-->wininet.dll-->HttpOpenRequestA, Type: Inline - RelativeJump 0x630187BC-->0356C5A0 [unknown_code_page]
[1176]explorer.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump 0x6301AC9D-->0356C470 [unknown_code_page]
[1176]explorer.exe-->wininet.dll-->HttpSendRequestW, Type: Inline - RelativeJump 0x6301F73E-->0356C3E0 [unknown_code_page]
[1176]explorer.exe-->wininet.dll-->HttpOpenRequestW, Type: Inline - RelativeJump 0x6301F87B-->0356C5E0 [unknown_code_page]
[1176]explorer.exe-->wininet.dll-->InternetQueryDataAvailable, Type: Inline - RelativeJump 0x6301FEB1-->0356C500 [unknown_code_page]
[1176]explorer.exe-->wininet.dll-->InternetCloseHandle, Type: Inline - RelativeJump 0x63020A61-->0356C530 [unknown_code_page]
[1176]explorer.exe-->wininet.dll-->HttpSendRequestA, Type: Inline - RelativeJump 0x6302E822-->0356C3B0 [unknown_code_page]
[1176]explorer.exe-->wininet.dll-->InternetReadFileExW, Type: Inline - RelativeJump 0x6303377E-->0356C4D0 [unknown_code_page]
[1176]explorer.exe-->wininet.dll-->InternetReadFileExA, Type: Inline - RelativeJump 0x630337B6-->0356C4A0 [unknown_code_page]
[1176]explorer.exe-->wininet.dll-->HttpSendRequestExA, Type: Inline - RelativeJump 0x6308A9EE-->0356C410 [unknown_code_page]
 #7752  by t4L
 Fri Jul 29, 2011 9:21 am
Is this trojan kit still available or anywhere leaked? I want to study the control panel part of this banking kit.