Thread: just today infected USB-flash

  1. #1 evaluator

    just today my USB-flash got infected, interestingly.

    pass: malware

  2. #2
    Do you have autoplay turned off for that drive?

  3. #3
    It's a dropper that binds cmd.exe to port 8000 and sets a Run key named "SunJavaUpdateSched" to survive a restart. The payload is downloaded when you execute ~$WRYOV.USBDrv, and the payload binds cmd.exe to port 8000. Well, maybe in the future they will change this payload.

  4. #4 OHPen
    @evaluator: I'm curious, how did you get infected?
    - Reverse Engineering can be everything, but sometimes it's more than nothing. Really rare moments but then they appear to last ages... -

  5. #5 evaluator
    so after clicking My Removable Device.lnk, rundll.exe will load ~$WRYOV.USBDrv,
    which will load desktop.ini (actually code) and download a file from the address
    http://thesecond.in/ which redirects to http://hotfile.com/dl/
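A defender-side triage check for the drive layout evaluator describes above (the decoy .lnk, the ~$*.USBDrv module and the desktop.ini that is really code). This is an added example, not code from this thread; it assumes the rundll32 command line is stored as a plain or UTF-16LE string inside the .lnk, and it builds its own inert, constructed imitation of the drive in a temp directory rather than touching a real one.

```python
import os
import re
import tempfile

LNK_NAME = "My Removable Device.lnk"          # decoy shortcut name from the thread
USBDRV_RE = re.compile(rb"~\$[A-Z0-9]+\.USBDrv", re.IGNORECASE)

def _views(blob: bytes) -> bytes:
    # .lnk strings may be stored as ASCII or UTF-16LE; expose both for matching
    wide = blob.decode("utf-16-le", errors="ignore").encode("ascii", "ignore")
    return blob + b"\n" + wide

def triage_drive(root: str) -> list:
    """Return one finding string per suspicious file in the drive's root."""
    findings = []
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if name.lower() == LNK_NAME.lower():
            # the decoy shortcut: rundll32 loading a hidden ~$*.USBDrv module
            v = _views(data)
            if b"rundll32" in v and USBDRV_RE.search(v):
                findings.append(f"{name}: shortcut runs rundll32 on a ~$*.USBDrv module")
        elif USBDRV_RE.fullmatch(name.encode()):
            # the module itself: a PE image behind a made-up extension
            if data[:2] == b"MZ":
                findings.append(f"{name}: PE image with .USBDrv extension")
        elif name.lower() == "desktop.ini":
            # a genuine desktop.ini is INI text that starts with a [section] header
            if data[:2] == b"MZ" or b"[" not in data[:64]:
                findings.append(f"{name}: not INI text, looks like a code payload")
    return findings

def build_sample_drive() -> str:
    """Write a constructed, inert imitation of the drive layout to a temp dir."""
    root = tempfile.mkdtemp(prefix="usbtriage_")
    # fake shortcut: the 0x4C header-size field a .lnk starts with, then a UTF-16LE
    # command line; the export name "Entry" is assumed, not taken from the sample
    cmd = "rundll32.exe ~$WRYOV.USBDrv,Entry".encode("utf-16-le")
    with open(os.path.join(root, LNK_NAME), "wb") as fh: fh.write(b"L\x00\x00\x00" + cmd)
    # DOS stub only, no code; x86 prologue bytes in place of INI text; one benign file
    with open(os.path.join(root, "~$WRYOV.USBDrv"), "wb") as fh: fh.write(b"MZ" + b"\x00" * 62)
    with open(os.path.join(root, "desktop.ini"), "wb") as fh: fh.write(b"\x55\x8b\xec" * 4)
    with open(os.path.join(root, "notes.txt"), "wb") as fh: fh.write(b"[benign]\r\n")
    return root
```

Point `triage_drive` at the root of a mounted removable drive to apply the same three checks to real files; `build_sample_drive` only exists so the checks can be exercised offline.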

  6. #6 evaluator
    the file Thumbs.db is the downloaded file. After decrypting, it became C:\TEMP\TrustedInstaller.exe

    who, who uploaded it to vtotal!?

  7. #7
    lol, it was posted to vt one day before you posted it here:

    Code:
    First seen by VirusTotal
    2013-01-23 14:47:38 UTC ( 2 days ago )
    But the game is not done by downloading TrustedInstaller.exe; it goes to %ALLUSERPROFILES%\svchost.exe ... it's a simple bind shell to port 8000. Looks like somebody created this for a pentest.

  8. #8 evaluator
    ok, removed one crypt layer. Inside I saw "~msiexec.exe" and some ZIP data.

  9. #9 evaluator
    well, also dumped "~msiexec":
    https://www.virustotal.com/file/cfcce9cf8df3984e9e1b803ff66feb50923690266477a115c3ffe3d4fabd6283/analysis/

    now most AVs show the dump as "gamarue":
    https://www.virustotal.com/file/2253b8b5cb36bdc2a45bb0e878ca4de84c0b65adec601b90c4643e9a9faddfcf/analysis/

    this cryptor fights Olly a bit using VirtualProtect..

  10. #10 evaluator
    deroko! what you wrote ("svchost.exe ... it's simple bind shell to port 8000.") is the third possibility! And it mostly looks like a fault case (debugger detected, if the jump at 401753 is executed).

    look at ~msiexec_un: it has 3 packed modules. 1 is the starter/injector, 2 is the injected-case module, 3 is this fault-fake module.
    Last edited by evaluator; January 25th, 2013 at 14:55.

  11. #11
    yeah, I was doing it too fast. Dumped all. Phew, I was really thinking that this was a huge disappointment after seeing the bind to port 8000.

    all c&c are down


    Maybe in a day or two it would be good to refresh thesecond.in.

    here is final exe which communicates to c&c. pass: infected
    Last edited by deroko; January 25th, 2013 at 18:52.

  12. #12 OHPen
    Lol, download the latest file which is supplied via "http://thesecond.in" and laugh.

    Now we know one command of the trojan for sure.

    Rest in peace! ;DD

  13. #13 evaluator
    i forgot to upload my rebuild, planned to make a rebuild contest..
    now it's here and i vv0n
    (reason: my Relocs are correct)

    pass: malware

  14. #14
    just add 0x1000 to every reloc VirtualAddress in my dump and there you have it.
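The reloc fix-up from the last post, carried out on raw .reloc section bytes: each block is an IMAGE_BASE_RELOCATION header (VirtualAddress u32, SizeOfBlock u32) followed by (SizeOfBlock - 8) / 2 u16 entries, and only the block VirtualAddress needs the delta since entries are page-relative. This is an added example, not code from the thread; the two-block sample section is constructed here, and 0x1000 is the delta quoted for deroko's dump, not a general constant.

```python
import struct

def _blocks(reloc: bytes):
    """Yield (offset, page_rva, size) per block, validating SizeOfBlock as it goes."""
    pos = 0
    while pos + 8 <= len(reloc):
        va, size = struct.unpack_from("<II", reloc, pos)
        if va == 0 and size == 0:
            return                                  # zero padding at the section end
        if size < 8 or size % 2 or pos + size > len(reloc):
            raise ValueError(f"bad SizeOfBlock {size:#x} at offset {pos:#x}")
        yield pos, va, size
        pos += size

def shift_reloc_blocks(reloc: bytes, delta: int) -> bytes:
    """Return a copy of the .reloc data with delta added to every block's page RVA."""
    out = bytearray(reloc)                          # entries and padding stay as they are
    for pos, va, _ in _blocks(reloc):
        struct.pack_into("<I", out, pos, (va + delta) & 0xFFFFFFFF)
    return bytes(out)

def reloc_pages(reloc: bytes) -> list:
    """List (page_rva, entry_count) pairs so a rebuilt section can be eyeballed."""
    return [(va, (size - 8) // 2) for _, va, size in _blocks(reloc)]

# constructed sample: two blocks with page RVAs 0x0 and 0x2000 (entry 0x3xxx = type 3
# HIGHLOW at offset xxx; a 0x0000 ABSOLUTE entry pads the second block to 4 bytes)
SAMPLE_RELOC = (
    struct.pack("<II", 0x0000, 12) + struct.pack("<HH", 0x3010, 0x3020)
    + struct.pack("<II", 0x2000, 12) + struct.pack("<HH", 0x3104, 0x0000)
    + b"\x00" * 8
)

if __name__ == "__main__":
    print(reloc_pages(SAMPLE_RELOC))                    # [(0, 2), (8192, 2)]
    print(reloc_pages(shift_reloc_blocks(SAMPLE_RELOC, 0x1000)))
```

To apply it to a real dump, read the bytes of the .reloc section at its raw offset, run `shift_reloc_blocks` with the delta your dump needs, and write the result back in place; the section size does not change.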
