This is the Gozi ISFB malware, created to steal data and information from its victims. In the folder you can see all the files needed to build your own malware server.
For this malware analysis I will use a .bin found through a Google search. With this .bin file I am two steps closer to the analysis. I don't have the .doc/.pdf file with the payload, but the .bin is the file that the payload downloads.
I will rename the .bin file to infected.exe (10000.exe)!
008c4bd6ee834d113cfc693af0ea90396eaa47e860bcdd567ffd964b57434e1d.bin
MD5: e6d118192fc848797e15dc0600834783
SHA1: 16d5ded68677f4a870423d3fd30da8377a5b2408
Let's move on to how the malware manipulates security and installs itself on the system. $LN33 is exported by the executable; after that, execution jumps into the C Runtime Library. The call to security_init_cookie is the buffer-overrun protection; from here the sample goes on to compromise the system's security. Let's run the infected file and see what it does!
I see that explorer.exe has some activity. There I have some movements… let's go to \Roaming\Microsoft\ to see the new folder created, 'BthM300C'. An executable (the same .exe with a different name) was created in the new folder after running infected.exe: D3DCsapi.exe, aka 1000.exe. The Registry. Now… the explorer.exe.
24 .dll files are suspicious. That means some of them come from the injection process. explorer.exe (2304) – 52074 – 166.124.148.146.bc.googleusercontent.com.
This is Google Cloud Platform, and explorer.exe has some connections there. genesisgrandergh.at
One engine detected this file! Hmmmm
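The behaviour chain seen above (a renamed copy dropped under \Roaming\Microsoft\, explorer.exe injected, then explorer.exe talking to an external host) can be turned into a simple correlation rule. This is an added example, not code from the write-up: the event stream, pids, paths and the Run key value are constructed to mirror the description.

```python
import re

# Drop location seen in the write-up: a fresh folder under %APPDATA%\Roaming\Microsoft\ holding a renamed copy
DROP_PATH = re.compile(r"\\AppData\\Roaming\\Microsoft\\[^\\]+\\[^\\]+\.(?:exe|dll)$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
EXPLORER = r"c:\windows\explorer.exe"

# Constructed event stream (pids, paths, the Run value and the host are modelled on the write-up, not a real capture)
EVENTS = [
    {"type": "file_create", "pid": 3120, "image": r"C:\Users\lab\Desktop\infected.exe",
     "target": r"C:\Users\lab\AppData\Roaming\Microsoft\BthM300C\D3DCsapi.exe"},
    {"type": "process_access", "pid": 3120, "image": r"C:\Users\lab\Desktop\infected.exe",
     "target_pid": 2304, "target_image": r"C:\Windows\explorer.exe", "access": "WRITE"},
    {"type": "registry_set", "pid": 3120, "image": r"C:\Users\lab\Desktop\infected.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\D3DCsapi"},
    {"type": "network", "pid": 2304, "image": r"C:\Windows\explorer.exe",
     "dst": "166.124.148.146.bc.googleusercontent.com", "dport": 443},
    {"type": "network", "pid": 5010, "image": r"C:\Program Files\Browser\browser.exe",
     "dst": "example.org", "dport": 443},
]

def triage(events):
    """Correlate drop -> explorer injection -> beaconing from the injected explorer into findings."""
    findings, injected = [], set()
    for ev in events:
        if ev["type"] == "file_create" and DROP_PATH.search(ev["target"]):
            findings.append(("dropped_binary", ev["pid"], ev["target"]))
        elif (ev["type"] == "process_access" and ev["access"] == "WRITE"
              and ev["target_image"].lower() == EXPLORER):
            injected.add(ev["target_pid"])
            findings.append(("explorer_injection", ev["pid"], ev["target_pid"]))
        elif ev["type"] == "registry_set" and RUN_KEY.search(ev["key"]):
            findings.append(("run_key_persistence", ev["pid"], ev["key"]))
        elif ev["type"] == "network" and ev["pid"] in injected:
            # explorer.exe talking out is only interesting once another process wrote into it
            findings.append(("injected_explorer_beacon", ev["pid"], ev["dst"]))
    return findings

if __name__ == "__main__":
    for kind, pid, detail in triage(EVENTS):
        print(f"{kind:26} pid={pid} {detail}")
```

The browser's own connection is ignored because its pid was never written to by another process; only the explorer.exe that was injected is reported as beaconing.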
It's easy to become a miner… it's just that you will not be paid.
By the way… it was posted on some forum like this:
"**** Silence Miner - Make a lot of money"
Alexandru Anghelus – Malware analyst & investigator
Security of your personal data is very important.
Sensitive company data is extremely important too.
If you've got a file and it looks suspicious, do not open it.
The .zip, .exe, .rtf, .doc, .htm, .rar … etc. files can be infected, and
personal data may become public or be used against you.
With my analysis services you can remove that insecurity!
Analyzing a file can take a few minutes or even hours.
Investigating what was found and drawing up the report may take longer, depending on the infected file.
Tracking the hacker may be impossible or may take several days.
Chances of success in discovering the infected file are 99%.
Full report services can help identify the reason, the target and whether it is a direct or random attack.
At the following address you can find some of my work in the field.
I am a malware analyst and investigator.
With my skills everyone can have a clear view of the suspicious files or emails they have on their PC.
I am the founder of Professional Defence Community, a cybersecurity website running for 7 years.
Web Pentesting.
Malware analysis.
Malware investigator.
Hello.
Today I had a nice surprise. I found in the Spam folder an email telling me they had just sent me an electronic invoice. I have to say that the surprises keep coming.
You will see!!!
Part 1 – The infected file & dropped files
Dear Madam / Madam,
We would like to inform you that you have an electronic invoice issued. The
attachment is an official accounting document and complies with the
requirements of the Electronic Document and Electronic Signature Act. If
you have additional questions or need other information, please do not
hesitate to contact us with the contact details on your electronic
invoice. Thank you for being a customer of ENERGO-PRO. We wish you a successful day. * This email can contain personalized information. If you are not the recipient for whom it is intended, please delete it. Thank you!
I have a file attached named öá¬ÔŃÓá No 0258923817 (3)… yeeep, and it is a JScript file. Scanned with VirusTotal.
The -1 vote is mine! (lol).
So 0 of 60 antivirus engines detect this virus. In the previous article I wrote about the problem of detection.
All are Tor servers and VPN servers. GET /tor/status-vote/current/consensus from hosts:
86.59.21.38/154.35.175.225
These are BitBlinder Project files (see GitHub for more information). Remember this… I will give you some good info later! Connected servers:
5.149.213.224/86.59.21.38/199.254.238.52/154.35.175.225/178.16.208.59/46.23.72.81/91.219.237.154/46.101.183.160/93.115.84.143/165.227.130.167
What else to show you from this file…
Last write session:
Makes a lot of changes after running:
Remote Access
Tries to identify its external IP address
Stealer/Phishing
Scans for artifacts that may help identify the target
Touched instant messenger related registry keys
Persistence
Injects into explorer
Injects into remote processes
Modifies auto-execute functionality by setting/creating a value in the registry
Spawns a lot of processes
Writes data to a remote process
Dropped files:
adprtext.dll
agreebowl.dll
Let’s see the agreebowl.dll
Part 2 – The “öá¬ÔŃÓá No 0258923817 (3)” file code.
The 0/60 file detection is due to the way it was programmed. The programmer used an ingenious way of writing the code so that it has a signature different from that of known viruses.
Here I will show you a part of the compiled code:
ozen.decideWorry+sickCityAdditionDepth[15]+seriousPaidRegion.happened;}function
pigDutyUnusual(passForeignPush){return
lowerCountryCharacter[5];}function
frontFurtherAfterMadeConstruction(wasMoodCleanRefusedPush){return
slightForgotDiscussionHistoryGiant[3]+temperatureBeforeDo.audienceCircus+evidenceCompositionCrackPrincipalEar[2]+seriousPaidRegion.engineer+sickCityAdditionDepth[3]+sickCityAdditionDepth[4]+breatheCupParentEscape[13]+biggerShellsDeterminePorchCreature[7]+temperatureBeforeDo.twoWest+importanceArtAgain[7];}function
compareSpeciesGiantBuildingSeveral(excitedCanScoreCarefulFine){return
roughWhenPlentyDistanceFrozen.decideWorry+townOrdinaryDarkFlowerLibrary.careful+importanceArtAgain[7]+temperatureBeforeDo.audienceCircus+wonProvideMostOrdinaryRoad.railroadOr+slightForgotDiscussionHistoryGiant[7]+importanceArtAgain[7]+evidenceCompositionCrackPrincipalEar[2]+breatheCupParentEscape[17];}var
clearlyPieceBillEarlierOrganization=[];
clearlyPieceBillEarlierOrganization[todayBehaviorStrengthQuietlyTypical('p-_sI1owb)jB:o6')](visitorBehindSpeak('9
K0c0htw(o.kvr'));
var packageLargePig=[-314];
var tearsKitchenCatchNeck=[66];
var fifteenRunStraightSpeech=[];
var aidMirrorWeakProgressInclude=[7];
var sightDistanceDid=[1];
var taskAnywayHungry=[mightEmptyCarriedRapidlyOnce('26P:Y&kwgPLW0')];
function partRelatedBatBaby(metFreeSomeone){
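What the excerpt shows is not encryption but a style: long dictionary-word identifiers, strings assembled from array and property lookups, one-element decoy arrays, and method names resolved only at run time through a decoder call. Those traits are easy to score, and a scorer like this one can flag such attachments even when no signature matches. This is an added example, not code from the article; the SAMPLE text is a constructed imitation of the style above, not the real dropper.

```python
import re

# Constructed excerpt modelled on the dropper's style above; it is not the real sample
SAMPLE = r"""
function pigDutyUnusual(passForeignPush){return lowerCountryCharacter[5];}
function frontFurtherAfterMade(wasMoodCleanRefusedPush){return slightForgotDiscussion[3]+temperatureBeforeDo.audienceCircus+evidenceComposition[2]+sickCityAdditionDepth[3]+sickCityAdditionDepth[4];}
var packageLargePig=[-314];
var tearsKitchenCatchNeck=[66];
var fifteenRunStraightSpeech=[];
clearlyPieceBill[todayBehaviorStrength('p-_sI1owb)jB:o6')](visitorBehindSpeak('9K0c0htw(o.kvr'));
"""

JS_KEYWORDS = {"function", "return", "var", "if", "else", "for", "while", "new", "this"}
IDENT = re.compile(r"\b[A-Za-z_]\w*\b")
# string assembled from array/property lookups, e.g. a[3]+b.c+d[2]+...
INDEX_CONCAT = re.compile(r"\w+\[\d+\]\s*\+")
# one-element numeric arrays used as decoy state: var x=[66];
SINGLE_ARRAY = re.compile(r"var\s+\w+\s*=\s*\[\s*-?\d+\s*\]")
# obj[decoder('...')](arg): the method name only exists at run time
COMPUTED_CALL = re.compile(r"\w+\[\w+\(\s*['\"][^'\"]*['\"]\s*\)\]\s*\(")

def obfuscation_features(src):
    """Count the indicators that characterise this dropper's coding style."""
    idents = [i for i in IDENT.findall(src) if i not in JS_KEYWORDS]
    return {
        "long_identifiers": sum(1 for i in idents if len(i) > 15),
        "index_concat_chains": len(INDEX_CONCAT.findall(src)),
        "single_value_arrays": len(SINGLE_ARRAY.findall(src)),
        "computed_member_calls": len(COMPUTED_CALL.findall(src)),
    }

def is_obfuscated(src, min_hits=3):
    """Flag the script when at least min_hits of the four indicators fire."""
    hits = sum(1 for v in obfuscation_features(src).values() if v > 0)
    return hits >= min_hits

if __name__ == "__main__":
    print(obfuscation_features(SAMPLE), is_obfuscated(SAMPLE))
```

A plain script such as `function add(a,b){return a+b;}` trips none of the indicators, so the threshold separates ordinary JScript from this style without any knowledge of the decoded payload.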
Part 3 – BitBlinder project
BitBlinder project – a way to create your own hidden services on the Dark Web. Project-specific files:
Hello again. After a few tested files, I found something good to analyze. On hacking or warez forums you find a lot of infected files.
Today I analyzed a program used by hackers to hide their viruses: a program that combines two files so that, when used, one is visible and the other runs hidden.
Although the one who posted the software announced it as a cracked version, it still seems strange that the name is Celeste instead of Celesty, and the details are completely missing.
After a brief analysis I realized that the software already contains two files, both executables, which is exactly what the Celesty software should do.
The executables seem to be the Celesty software and something called Encrypt, and if we remember the role of the binder, we understand that Celesty will appear on the screen and Encrypt will run hidden.
Analyzed in more detail, we can see that Celesty's resources are exactly the two hidden files.
OK. If you think things have become complicated… wait a little longer. Moving on to more advanced techniques, I've been able to discover what's going on beyond that first downloadable software. Do you remember how it all started? A .rar file… an .exe extracted from it… two hidden files. Now look at my reversemalware folder!
Quite interesting!
I double-click like a victim and let the executables do what they want. Now that everything seems quiet, I can see that the OrcusWatchdog file does not want to stop: even if you stop it, "Keep alive" brings it back to life.
Okay, let's see what's going on. Celest_Binder looked OK at first, but what it brings with it is not good for the computer. It drops executable files that:
Contain the ability to manipulate the desktop.
Have password-stealing functions.
Record the keyboard strokes.
So, let's not complicate things too much; I can tell you it's a *remote administration tool that can do the following:
Control
Basic information about the client (operating system, language, privileges, path, IP address, …)
Uninstall, Kill, Make Admin
Computer
Get a lot of information about the client's PC. Categories: Operating System, System, BIOS, Hardware (Processor, Video card), Software, Network (local addresses, geolocation data), Drives
Passwords
Recover passwords from famous applications (Google Chrome, Mozilla Firefox, FileZilla, Internet Explorer, JDownloader, Opera, Thunderbird, WinSCP, Pidgin, …)
Recover cookies from web browsers (Google Chrome, Mozilla Firefox, Yandex)
File Explorer
Interface like the Windows file explorer
Download, rename, create or remove files and directories
Download directly to the server
Execute files with arguments, verbs and other settings
Show properties of files (size, dates, details like size of a picture or bitrate of a video) and calculate hash values (MD5, SHA1, SHA256, SHA512)
Upload files
Open Console here
Go back/forward
Pinned folders of the client's system are directly added to the tree view (Dropbox, OneDrive, Creative Cloud Files, etc.)
Support for special folders like the recycle bin
Search for files in the current folder
Enter path directly or select the path with autocomplete and drop down
Programs
Receive all installed programs
Start uninstaller of a program
Open path in File Explorer
… and a lot *more! That's the situation!
Things are not as you want and do not forget!
When something is free, you are not the customer but the product!
Today I found a new backdoored hacking tool to play with.
A new Silent Miner, made to infect some "hackers" with remote access.
The .exe is bound with some files so that it works underground.
I found some "free" software on the internet backdoored with that Silent MinerGate, so this time I downloaded the MinerGate to play with. What did I find? Surprise, surprise… I have a backdoored one!!!
I found another backdoored program. This one was made for those who want to become hackers… or to make some easy money.
Found on Youtube.com with a search for "Bitcoin stealer".
How to use it… the uploader helps you.
Password: Techup
Disable Antivirus (Of course, this is a hack)
Key
Connection Server
Add your wallet
Use Proxy
Accept the terms
Check that the program is up to date
All you have to do is download it, run it, and you become a rich guy…
We will not double-click the .exe file… (it looks like an .exe)… or should I say this SFX RAR archive?!?
Let's see something about the archive with right click and Properties!
I don't like this SILENT=1. LOL
If we don't run the ".exe", the backdoor will not run in the background,
so let's extract it… and surprise… there is more than one file,
including the backdoor files.
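The tell-tale sign above is an .exe that is really a RAR SFX whose script says SILENT=1, so the extraction and the Setup= commands run with no dialog. The triage routine below, an added example and not the author's tooling, checks for exactly that: a PE stub followed by a RAR signature and SFX script commands. It assumes the SFX comment is readable in clear text in the file (true for the constructed sample here; real samples should be confirmed with an unpacker), and the file names in SFX_SAMPLE are constructed.

```python
import re

MZ_MAGIC = b"MZ"
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")  # RAR 4.x and RAR 5.x signatures
# WinRAR SFX script commands; the script lives in the archive comment of the SFX
SFX_CMD = re.compile(rb"(?mi)^[ \t]*(Setup|Silent|Overwrite|Path|TempMode|Presetup)[ \t]*=?[ \t]*([^\r\n]*)")

# Constructed stand-in for a backdoored "Bitcoin stealer" SFX; not the real file
SFX_SAMPLE = (MZ_MAGIC + b"\x90" * 48 + b"SFX stub (constructed)\r\n"
              + RAR_MAGICS[0] + b"\r\n"
              + b"Path=%temp%\\Blockchain Wallet Stealer 2017\r\n"
              + b"Setup=message.vbs\r\n"
              + b"Setup=miner.exe\r\n"
              + b"Silent=1\r\n"
              + b"Overwrite=1\r\n"
              + b"\x00" * 16)

def analyse_sfx(blob):
    """Heuristic triage of a suspected self-extracting RAR executable."""
    report = {"is_pe": blob.startswith(MZ_MAGIC), "rar_offset": None,
              "setup": [], "silent": None, "overwrite": None, "path": None}
    for magic in RAR_MAGICS:
        off = blob.find(magic, 2)  # offset 0 would be a bare archive, not an SFX
        if off != -1:
            report["rar_offset"] = off
            break
    if report["rar_offset"] is None:
        return report
    # Assumption: the comment is stored in clear, so the commands are readable after the signature
    for m in SFX_CMD.finditer(blob, report["rar_offset"]):
        cmd = m.group(1).decode().lower()
        val = m.group(2).decode(errors="replace").strip()
        if cmd == "setup":
            report["setup"].append(val)  # every Setup= line is auto-run after extraction
        elif cmd in ("silent", "overwrite", "path"):
            report[cmd] = val
    return report

def looks_like_silent_dropper(report):
    """An .exe carrying a RAR archive that auto-runs something and hides its dialog."""
    return (report["is_pe"] and report["rar_offset"] is not None
            and bool(report["setup"]) and report["silent"] in ("1", "2"))

if __name__ == "__main__":
    rep = analyse_sfx(SFX_SAMPLE)
    print(rep, "silent dropper:", looks_like_silent_dropper(rep))
```

Silent=1 hides the start dialog and Silent=2 hides everything, which is why both values count; a legitimate installer SFX usually shows its dialog and declares a single Setup= target.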
Options: -user account email from minergate.com proxy server URL. Supports only socks protocols (for example: socks://192.168.0.1:1080
possible values: bcn xmr qcn xdn fcn mcn aeon dsh inf8
<mm_cc>+bcn <mm_cc>+xmr <mm_cc>+qcn <mm_cc>+xdn
<mm_cc>+aeon <mm_cc>+dsh. Where <mm_cc> is fcn or mcn threads count for specified currency GPU mining intensity (NVidia only) (values range: 1..4. Recommended: 2) mining pool URL mining pool login CPU threads count GPU mining intensity
Connecting to: h**ps://minergate.com
It seems that we have a nicely backdoored piece of software.
After you run it, a silent miner will be installed on your computer in the background, and in front of you will appear a nice error like this:
Blockchain Wallet Stealer 2017\message.vbs x=msgbox("Hardware is not compatible, try on another PC or restart and run with disabled antivirus.", 0+16, "Error")
If you don't understand: you download this software, after the first run an error message appears and it does not work, but in the background a virus has already been installed. This time the virus is a Silent Miner, which will use your computer to work for some hacker and help him make some bitcoins.
The YouTube channel Teck up has more videos like this one… and all of them come with this backdoor.
Have fun & Stay safe!!!