Strange Packer


LLXX
March 31st, 2007, 06:01
A friend sent me this for analysis. NOD32 calls it a Win32/VB.ASW which is supposedly a "Yuri RAT" trojan.

I can't really tell anything other than the fact that it's written in VB due to the "MSVBVM60.DLL" in the header, and it's packed with something I haven't seen before -- it has the following entry point:
Code:
00405000: FC cld
00405001: 55 push ebp
00405002: 50 push eax
00405003: E800000000 call .000405008
00405008: 5D pop ebp
00405009: 60 pushad
0040500A: E803000000 call .000405012
Section table is absolutely normal, and there are no obscure tricks like TLS (though the unpacker does look obfuscated).

MALWARE - download at your own risk!

fr33ke
March 31st, 2007, 16:54
I was playing a bit with it and check out these strings I stumbled upon:

Code:
00391DD0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 6E ..............Un
00391DE0 6B 6E 6F 77 6E 20 65 72 72 6F 72 21 00 49 6E 74 known error!.Int
00391DF0 65 72 66 61 63 65 20 44 4C 4C 20 28 50 43 47 57 erface DLL (PCGW
00391E00 33 32 2E 44 4C 4C 29 20 69 73 20 6D 69 73 73 69 32.DLL) is missi
00391E10 6E 67 21 0D 0A 0A 54 68 69 73 20 44 4C 4C 20 69 ng!...This DLL i
00391E20 73 20 69 6E 63 6C 75 64 65 64 20 69 6E 20 50 43 s included in PC
00391E30 20 47 75 61 72 64 20 66 6F 72 20 57 69 6E 33 32 Guard for Win32
00391E40 2F 2E 4E 45 54 20 56 35 20 44 45 4D 4F 20 70 61 /.NET V5 DEMO pa
00391E50 63 6B 61 67 65 20 61 6E 64 20 73 68 6F 75 6C 64 ckage and should
00391E60 20 62 65 20 6C 6F 63 61 74 65 64 20 69 6E 20 73 be located in s
00391E70 61 6D 65 20 64 69 72 65 63 74 6F 72 79 20 61 73 ame directory as
00391E80 20 70 72 6F 74 65 63 74 65 64 20 61 70 70 6C 69 protected appli
00391E90 63 61 74 69 6F 6E 2E 00 46 69 6C 65 20 64 61 6D cation..File dam
00391EA0 61 67 65 64 21 0D 0A 0A 50 72 6F 74 65 63 74 69 aged!...Protecti

So I think this packer is PCGuard V5.

LLXX
March 31st, 2007, 17:06
Now I know why PEiD didn't pick it up - I was using an older version. 0.94 works perfectly fine, identifying it as "PC-Guard 5.0 -> Blagoje Ceklic [Overlay]".

Did you get infected, or halt at the OEP?

fr33ke
March 31st, 2007, 17:21
I probably got infected, but I didn't save the changes on the Virtual PC.

EDIT: I found OEP in a lame way (running and searching for "VB", and the push). It's 4012B8. Then I ran it with a hardware breakpoint there, and on break I dumped it with ollydump.

IT IS STILL MALWARE

Kayaker
March 31st, 2007, 20:29
Yeah, be careful with this one, it uses the Ardamax Keylogger to do some of its dirty work. I haven't really analyzed it yet but I'll mention how I got it to spew out its guts.

Loading it in Ollydbg under VMWare and passing the exceptions with Shift-F9 soon gave a MessageBox saying that it won't run in a virtual machine. At this point the process is running code under a virtual mapping at 0x840000. Olly couldn't handle digging any further (or I couldn't get it to do so), so I switched to Softice.

With Olly paused on the exception I could set a breakpoint in Softice on the next SMC instruction to be executed, let the program run again in Olly, then the Softice bp kicked in and I could continue tracing. Since this was "after the fact" it didn't do much good, so I restarted VMWare with just Softice and tried again.

With IceExt loaded and PROTECT ON I could see that IceExt was executing its MeltIce protection. So I set a breakpoint on CreateFileA (the classic MeltIce break function) and started doing some real tracing.

After bypassing MeltIce (or letting IceExt do all the work), the code went on to check IsDebuggerPresent. Since only a ring 0 debugger was active this check could be ignored. Then the code went on to retrieve the running modules with ZwQuerySystemInformation (with Class 11 SystemModuleInformation) and checked for the presence of "ntice.sys". This was easily bypassed as well by changing the string in memory.

Finally we come to the part I was looking for, that of the VM detection. Hidden within the SMC was the well documented VMWare check for the magic number 0x564D5868 (or 'VMXh').
0x8443B1 mov eax, 564D5868 // 'VMXh'

http://www.codeproject.com/system/VmDetect.asp?

Changing the magic number in memory to make the check fail was enough to let the malware execute its payload. Suddenly my ZoneAlarm under VMWare gave a warning about some executable trying to do something...

4 files are created in a hidden folder under C:/Windows/System32/Sys
alex_v13_server.exe - main executable identified as New Malware.b
alex_v13_server.001 - keyfile of some sort
alex_v13_server.006 - Ardamax Keylogger dll
alex_v13_server.007 - Ardamax Keylogger dll

Kayaker
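The checks Kayaker traced above (the 'VMXh' magic, the "ntice.sys" module-list lookup, IsDebuggerPresent) are all things an analyst can look for in a memory dump once the SMC layer has decoded them. The following is an added triage helper, not code from the thread or from any of the tools mentioned; it scans a dump for those indicators and reports their virtual addresses. The `mov eax, 564D5868h` pattern comes from the post; the VMware backdoor port value 0x5658 ('VX') is taken from the VMware backdoor documentation rather than from the thread, and the sample buffer is constructed here for illustration.

```python
import re
import struct

# Magic value the post found at 0x8443B1 (mov eax, 564D5868h / 'VMXh').
VMWARE_MAGIC = 0x564D5868
# Backdoor I/O port 'VX'; known from VMware backdoor write-ups, not from the post.
VMWARE_PORT = 0x5658

# Each indicator is (description, compiled byte regex). The opcode patterns are
# exact bytes; only the driver-name string is matched case-insensitively, since
# IGNORECASE on the opcode bytes would also match other ASCII-letter immediates.
INDICATORS = [
    ("vmware magic 'VMXh' (mov eax, 564D5868h)",
     re.compile(re.escape(b"\xB8" + struct.pack("<I", VMWARE_MAGIC)))),
    ("vmware backdoor port 'VX' (mov dx, 5658h)",
     re.compile(re.escape(b"\x66\xBA" + struct.pack("<H", VMWARE_PORT)))),
    ("SoftICE driver name (module-list check via ZwQuerySystemInformation)",
     re.compile(rb"ntice\.sys", re.IGNORECASE)),
    ("IsDebuggerPresent reference",
     re.compile(rb"IsDebuggerPresent")),
]


def scan_dump(data: bytes, base: int = 0) -> list:
    """Return sorted (virtual_address, description) hits for every indicator.

    `base` is the address the dump was taken from, so offsets are reported as
    VAs that can be typed straight into a debugger.
    """
    hits = []
    for description, pattern in INDICATORS:
        for match in pattern.finditer(data):
            hits.append((base + match.start(), description))
    return sorted(hits)


# Constructed sample dump (not a real capture): padding, the anti-VM stub,
# then two strings an unpacked image might carry.
SAMPLE_DUMP = (
    b"\x90" * 16                                     # nop sled as padding
    + b"\xB8" + struct.pack("<I", VMWARE_MAGIC)      # mov eax, 564D5868h
    + b"\x66\xBA" + struct.pack("<H", VMWARE_PORT)   # mov dx, 5658h
    + b"\xED"                                        # in eax, dx
    + b"\x00" * 7
    + b"NTICE.SYS\x00"
    + b"IsDebuggerPresent\x00"
)


if __name__ == "__main__":
    # The post saw the decoded code mapped at 0x840000, so use that as the base.
    for va, description in scan_dump(SAMPLE_DUMP, base=0x840000):
        print(f"{va:08X}  {description}")
```

Because the VMware check in this sample lives inside self-modifying code, scanning the file on disk will not find the `mov eax` immediate; run the scanner over a dump taken after the unpacker has run (as fr33ke did with OllyDump at the OEP, or from a paused debugger session).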

LLXX
April 1st, 2007, 02:02
Ardamax? That one has a rather simple "encryption" for its configuration file (including where the keylogs get sent to). Try to figure it out before scrolling down in the codebox for the solution.
Code:
A r d a m a x K e y l o g g e r
[6CB250655FB043cfA9C9E9DBC29A5AD6]
I n s t a l l T i m e
0D2F4046252D5F662D2C56=5E6FDC7044413332
R e g N a m e
1624547C252C56=1024525F002E585729285F4744
I n v i s i b i l i t y . T r a y I c o n
0D2F455B3728515B2828474B6A1541533D08505D2A=44413332
I n v i s i b i l i t y . T a s k L i s t
0D2F455B3728515B2828474B6A1552412F0D5A4130=44413332
I n v i s i b i l i t y . P r o g r a m G r o u p
0D2F455B3728515B2828474B6A11415D2333525F03335C4734=45413332
I n v i s i b i l i t y . U n i n s t a l l L i s
0D2F455B3728515B2828474B6A145D5B2A324753282D7F5B37=45413332
I n v i s i b i l i t y . P r o g r a m F o l d e r
0D2F455B3728515B2828474B6A11415D2333525F022E5F562133=45413332
I n v i s i b i l i t y . A u t o s t a r t
0D2F455B3728515B2828474B6A0046462B3247533635=45413332
E m a i l . P o r t
012C525B286F635D3635=5D413332
E m a i l . S e n d T o
012C525B286F60572A25675D=272D525C20335C4204295C4629205A5E6A225C5F44
E m a i l . S m t p H o s t
012C525B286F605F30317B5D3735=2939071C2C2E475F25285F1C272E5E32
E m a i l . U s e r n a m e
012C525B286F664121335D532924=44
E m a i l . P a s s w o r d
012C525B286F63533732445D3625=44
F T P . P o r t
0215631C142E4146=51413332
F T P . F T P H o s t
0215631C0215637A2B3247=44
F T P . R e m o t e F o l d e r
0215631C16245E5D3024755D28255640=44
F T P . P a s s i v e M o d e
0215631C142040412D37567F2B2556=45413332
F T P . U s e r n a m e
0215631C113256402A205E57=44
F T P . P a s s w o r d
0215631C14204041332E4156=44
C o n t r o l . N u m b e r
072E5D46362E5F1C0A345E502133=45413332
C o n t r o l . P e r i o d T y p e
072E5D46362E5F1C1424415B2B25674B3424=46413332
C o n t r o l . S e n d
072E5D46362E5F1C17245D56=45413332
C o n t r o l . V i a E m a i l
072E5D46362E5F1C1228527729205A5E=45413332
C o n t r o l . V i a F T P
072E5D46362E5F1C122852741011=44413332
C o n t r o l . I n c l u d e K e y s L o g
072E5D46362E5F1C0D2F505E312556792138407E2B26=45413332
C o n t r o l . I n c l u d e W e b L o g
072E5D46362E5F1C0D2F505E3125566521237F5D23=45413332
C o n t r o l . C h e c k M i n L o g S i z e
072E5D46362E5F1C072956512F0C5A5C082E54612D3B56=45413332
C o n t r o l . P e r i o d T y p e
072E5D46362E5F1C09285D7E2B26605B3E24=76413332
S e c u r i t y . P a s s w o r d
172450473628474B6A11524137365C4020=44
S e c u r i t y . P r o t e c t L o g F i l e
172450473628474B6A11415D30245046082E54742D2D56=45413332
S e c u r i t y . P r o t e c t H i d d e n M o d e
172450473628474B6A11415D302450460C285756212F7E5D2024=45413332
S e c u r i t y . P r o t e c t O p t i o n s
172450473628474B6A11415D302450460B31475B2B2F40=45413332
S e c u r i t y . L o c k C l o s e
172450473628474B6A0D5C512F025F5D3724=45413332
O p t i o n s . A u t o s t a r t
0B31475B2B2F401C0534475D3735524030=44413332
O p t i o n s . H i d e O n S t a r t u p
0B31475B2B2F401C0C2857570B2F60462533474734=45413332
O p t i o n s . H i d e H o t k e y
0B31475B2B2F401C0C2857570C2E47592138=0C463332
O p t i o n s . S e l f D e s t r u c t
0B31475B2B2F401C17245F540024404636345046=44413332
O p t i o n s . D a t e S e l f D e s t r u c t
0B31475B2B2F401C0020475717245F540024404636345046=44413332444133324441333244413332
N o t i c e . H i d d e n M o d e
0A2E475B27241D7A2D2557572A0C5C5621=44413332
I n s t a n t . L o g g i n g E n a b l e d
0D2F4046252F471C082E54552D2F54772A20515E2125=44413332

** XOR with repeating sequence "DA32" (44 41 33 32)
I don't know why, but keyloggers are my fetish; I've analysed at least 5 different ones already.

Also, nice to see old SoftICE get a little respect