
just today infected USB-flash

This forum focuses on analyzing malware and any aspects of dealing with packer protections.
evaluator
Posts: 1538
Joined: Tue Sep 18, 2001 2:00 pm

just today infected USB-flash

Post by evaluator »

Just today my USB flash drive got infected, interestingly.

pass: malware
Attachments
USB_infecteda.zip
(182.25 KiB) Downloaded 149 times
mint77
Posts: 88
Joined: Wed Dec 12, 2012 3:50 pm
Location: Seabrook

Post by mint77 »

Do you have autoplay turned off for that drive?
deroko
Posts: 307
Joined: Tue Oct 04, 2005 8:29 am

Post by deroko »

It's a dropper that binds cmd.exe to port 8000, and sets a run key named "SunJavaUpdateSched" to survive restart. The payload is downloaded when you execute ~$WRYOV.USBDrv, and the payload binds cmd.exe to port 8000. Well, maybe in the future they will change this payload :)
OHPen
Posts: 399
Joined: Wed Nov 06, 2002 1:20 pm
Location: .text

Post by OHPen »

@evaluator: I'm curious, how did you get infected? :D
- Reverse Engineering can be everything, but sometimes it's more than nothing. Really rare moments but then they appear to last ages... -
evaluator
Posts: 1538
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

So after clicking My Removable Device.lnk, rundll.exe will load ~$WRYOV.USBDrv,
which will load desktop.ini (actually code) and download a file from the address
http://thesecond.in/ which redirects to http://hotfile.com/dl/
evaluator
Posts: 1538
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

The file Thumbs.db is the downloaded file. After decrypting, it became C:\TEMP\TrustedInstaller.exe

Who, who uploaded it to vtotal!? :stunned:
Attachments
TrustedInstaller.zip
(151.82 KiB) Downloaded 96 times
deroko
Posts: 307
Joined: Tue Oct 04, 2005 8:29 am

Post by deroko »

lol, it was posted to VT one day before you posted it here:

Code:

    First seen by VirusTotal
    2013-01-23 14:47:38 UTC ( 2 days ago )

But the game isn't over with the download of TrustedInstaller.exe, it goes on to %ALLUSERPROFILES%\svchost.exe ... it's a simple bind shell to port 8000. Looks like somebody created this for a pentest.
evaluator
Posts: 1538
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

OK, removed one crypt layer. Inside I see "~msiexec.exe" and some ZIP data
Attachments
TrustedInstaller_in1.zip
(113.37 KiB) Downloaded 87 times
evaluator
Posts: 1538
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

Well, also dumped "~msiexec";
https://www.virustotal.com/file/cfcce9c ... /analysis/

Now most AVs detect the dump as "gamarue"
https://www.virustotal.com/file/2253b8b ... /analysis/

This cryptor does some fighting with Olly using VirtualProtect..
Attachments
msiexec.zip
(58.01 KiB) Downloaded 84 times
evaluator
Posts: 1538
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

deroko!
What you wrote ("svchost.exe ... it's simple bind shell to port 8000.") is a third possibility! And it mostly looks like the fault case (debugger detected, if the jump at 401753 is executed).

Look at ~msiexec_un: it has 3 packed modules. 1 is the starter/injector, 2 is the injected-case module, 3 is this fault-fake module.
Attachments
3mods.zip
(11.43 KiB) Downloaded 85 times
deroko
Posts: 307
Joined: Tue Oct 04, 2005 8:29 am

Post by deroko »

Yeah, I was doing it too fast. Dumped all :) Phew, I was really thinking that this was a huge disappointment after seeing the bind to port 8000.

All C&C are down :(

Maybe in a day or two it would be good to refresh thesecond.in.

Here is the final exe which communicates with the C&C. pass: infected
Attachments
1e61d52800c4fcf897e5e8481a4536fb.zip
(9.24 KiB) Downloaded 102 times
OHPen
Posts: 399
Joined: Wed Nov 06, 2002 1:20 pm
Location: .text

Post by OHPen »

Lol, download the latest file which is supplied via "http://thesecond.in" and laugh.

Now we know one command of the trojan for sure ;)

Rest in peace! ;DD
- Reverse Engineering can be everything, but sometimes it's more than nothing. Really rare moments but then they appear to last ages... -
evaluator
Posts: 1538
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

I forgot to upload my rebuild, planned to make a rebuild contest..
Now it's here and I vv0n :D
(reason: my relocs are correct)

pass: malware
Attachments
module_wuauclt-injected.zip
(9.35 KiB) Downloaded 89 times
deroko
Posts: 307
Joined: Tue Oct 04, 2005 8:29 am

Post by deroko »

Just add 0x1000 to every reloc VirtualAddress in my dump and there you have it.
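The reloc fix deroko describes above, as an added example and not code from the thread: it parses a raw .reloc section as IMAGE_BASE_RELOCATION blocks and adds a fixed delta (0x1000 here) to each block's VirtualAddress while leaving the page-relative entry offsets alone. The sample section is constructed; to apply it to a real dump, read the bytes of the .reloc section and write the result back in place.

```python
"""Shift every .reloc block VirtualAddress in a dumped PE by a fixed delta.
Added example (not from the thread); operates on a raw .reloc section blob."""
import struct


def parse_reloc_section(blob: bytes):
    """Parse IMAGE_BASE_RELOCATION blocks into (page_rva, [(type, offset)]).
    Each 16-bit entry holds a 4-bit type and a 12-bit page-relative offset."""
    blocks = []
    pos = 0
    while pos + 8 <= len(blob):
        page_rva, size = struct.unpack_from("<II", blob, pos)
        if size == 0:  # a zero-sized block terminates the section
            break
        if size < 8 or pos + size > len(blob):
            raise ValueError(f"malformed reloc block at offset {pos:#x}")
        n_entries = (size - 8) // 2
        raw = struct.unpack_from(f"<{n_entries}H", blob, pos + 8)
        entries = [(v >> 12, v & 0xFFF) for v in raw]
        blocks.append((page_rva, entries))
        pos += size
    return blocks


def shift_reloc_section(blob: bytes, delta: int) -> bytes:
    """Return a new .reloc blob with delta added to every block VirtualAddress.
    Entry offsets are relative to the block's page, so they stay unchanged."""
    out = bytearray()
    for page_rva, entries in parse_reloc_section(blob):
        size = 8 + 2 * len(entries)
        out += struct.pack("<II", (page_rva + delta) & 0xFFFFFFFF, size)
        for typ, off in entries:
            out += struct.pack("<H", (typ << 12) | off)
    return bytes(out)


# Constructed sample: page 0x1000 with three HIGHLOW (type 3) entries plus one
# ABSOLUTE (type 0) padding entry, and page 0x2000 with one HIGHLOW entry.
SAMPLE_RELOC = (
    struct.pack("<II", 0x1000, 8 + 2 * 4)
    + struct.pack("<4H", 0x3010, 0x3024, 0x30A8, 0x0000)
    + struct.pack("<II", 0x2000, 8 + 2 * 2)
    + struct.pack("<2H", 0x3004, 0x0000)
)

if __name__ == "__main__":
    fixed = shift_reloc_section(SAMPLE_RELOC, 0x1000)
    for rva, entries in parse_reloc_section(fixed):
        print(f"block {rva:#06x}: {len(entries)} entries")
```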