
just today infected USB-flash


evaluator
January 24th, 2013, 08:41
Just today my USB flash drive interestingly got infected.

pass: malware

mint77
January 24th, 2013, 10:16
Do you have autoplay turned off for that drive?

deroko
January 24th, 2013, 16:52
It's a dropper that binds cmd.exe to port 8000, and sets a run key named "SunJavaUpdateSched" to survive a restart. The payload is downloaded when you execute ~$WRYOV.USBDrv, and the payload binds cmd.exe to port 8000. Well, maybe in the future they will change this payload.

OHPen
January 24th, 2013, 19:13
@evaluator: I'm curious, how did you get infected?

evaluator
January 25th, 2013, 09:30
So after clicking My Removable Device.lnk, rundll.exe will load ~$WRYOV.USBDrv,
which will load desktop.ini (actually code) and download a file from the address
http://thesecond.in/ which redirects to http://hotfile.com/dl/

evaluator
January 25th, 2013, 10:08
The file Thumbs.db is the downloaded file. After decrypting it became C:\TEMP\TrustedInstaller.exe

Who, who uploaded it to vtotal!?

deroko
January 25th, 2013, 10:20
lol, it was posted to VT one day before you posted it here:

Code:

First seen by VirusTotal
2013-01-23 14:47:38 UTC ( 2 days ago )


But the game is not done by downloading TrustedInstaller.exe, it goes to %ALLUSERPROFILES%\svchost.exe ... it's a simple bind shell to port 8000. Looks like somebody created this for a pentest.

evaluator
January 25th, 2013, 12:45
ok, removed one crypt layer. Inside I saw "~msiexec.exe" and some ZIP data

evaluator
January 25th, 2013, 13:22
well, also dumped "~msiexec":
https://www.virustotal.com/file/cfcce9cf8df3984e9e1b803ff66feb50923690266477a115c3ffe3d4fabd6283/analysis/


now most AVs show the dumped file as "gamarue"
https://www.virustotal.com/file/2253b8b5cb36bdc2a45bb0e878ca4de84c0b65adec601b90c4643e9a9faddfcf/analysis/


this cryptor does some fighting with Olly using VirtualProtect..

evaluator
January 25th, 2013, 14:46
deroko!
What you wrote (
Quote:
svchost.exe ... it's simple bind shell to port 8000.
)
is a third possibility! And mostly it looks like a fault case (debugger detected (if the jump is executed at 401753)).

Look at ~msiexec_un: it has 3 packed modules. 1 is the starter/injector, 2 is the injected-case module, 3 is this fault-fake module.

deroko
January 25th, 2013, 15:11
yeah, I was doing it too fast. Dumped all. Phew, I was really thinking that this was a huge disappointment after seeing the bind to port 8000.

all C&C are down:


Maybe in a day or two it would be good to refresh thesecond.in.

Here is the final exe which communicates with the C&C. pass: infected

OHPen
January 27th, 2013, 14:57
Lol, download the latest file which is supplied via "http://thesecond.in" and laugh.

Now we know one command of the trojan for sure.

Rest in peace! ;DD

evaluator
January 28th, 2013, 11:37
I forgot to upload my rebuild, planned to make a rebuild contest..
now it's here and I vv0n
(reason: my relocs are correct)

pass: malware

deroko
January 29th, 2013, 03:59
Just add 0x1000 to every reloc VirtualAddress in my dump and there you have it.