This is the Gozi ISFB malware, created to steal data and information from its victims. In the folder
you will see all the files needed to create your own malware server.
For this malware analysis I will use a .bin file
found after a Google search. With this .bin file I am two steps closer
to the analysis. I don't have the .doc/.pdf file with the payload, but the
.bin is the file downloaded as a result of the payload.
I will transform the .bin file into
infected.exe (10000.exe)!
008c4bd6ee834d113cfc693af0ea90396eaa47e860bcdd567ffd964b57434e1d.bin
MD5: e6d118192fc848797e15dc0600834783
SHA1: 16d5ded68677f4a870423d3fd30da8377a5b2408
Let's go to the security manipulation and the creation
of the malware on the system. $LN33 is exported by the executable; after
that it jumps to the C Runtime Library,
calling security_init_cookie for buffer-overrun protection to compromise the system security. Let's run the infected file to see its actions!
I see that explorer.exe has some activity. There I have some movements... let's go to
\Roaming\Microsoft\ to see the new folder created, 'BthM300C'. An executable (the same .exe with a different
name) was created in the new folder after running infected.exe: D3DCsapi.exe aka
1000.exe
The Registry.
Now... explorer.exe.
24 .dll files are suspicious.
That means some of them come from the injection
process. explorer.exe (2304) – 52074 – 166.124.148.146.bc.googleusercontent.com.
This is a Google Cloud Platform host, and
explorer.exe has some connections there. genesisgrandergh.at
Network traffic: in the same way, it uses POST requests to send the stolen data when the victim visits a bank account, PayPal, etc. Botnet host directory and login page:
H**p://xxx.xxx/adminpanel/admin.php
Removal is easy. You just have to follow the paths to find the dropped executables and delete the created registry entries.
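The removal the post describes (find the dropped executable under \Roaming\Microsoft\, delete it, delete the registry value that starts it) can be turned into a triage step that reviews Run-key values before anything is touched. The script below is an added example and is not code from the post; the registry snapshot in it is constructed, with the BthM300C / D3DCsapi.exe entry mirroring the artefact named above, and the folder-name pattern it flags is a heuristic, not a signature for this family.

```python
# Added example (not from the post): triage of Run-key persistence of the kind
# described above. All registry values below are constructed; the BthM300C /
# D3DCsapi.exe entry mirrors the artefact named in the post.
import hashlib
import re
from pathlib import PureWindowsPath

KNOWN_SAMPLE_MD5 = "e6d118192fc848797e15dc0600834783"  # MD5 of the sample, from the post

# Constructed snapshot of HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "D3DCsapi": r"C:\Users\victim\AppData\Roaming\Microsoft\BthM300C\D3DCsapi.exe",
    "Office Sync": r'"C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE"',
}

# Quoted or unquoted drive-letter path ending in .exe, before any arguments
IMAGE_PATH_RE = re.compile(r'^"?([A-Za-z]:\\[^"]+?\.exe)"?', re.IGNORECASE)


def image_path(command):
    """Return the executable a Run value launches, or None if it cannot be parsed."""
    match = IMAGE_PATH_RE.match(command.strip())
    return PureWindowsPath(match.group(1)) if match else None


def is_suspicious(path):
    r"""Heuristic: an .exe sitting directly in AppData\Roaming\Microsoft\<short random folder>\.

    Legitimate software under AppData usually lives in Local\<vendor>\<product>\;
    a lone folder such as BthM300C under Roaming\Microsoft is the pattern the post shows.
    """
    parts = [p.lower() for p in path.parts]
    if "appdata" not in parts:
        return False
    tail = parts[parts.index("appdata") + 1:]
    return (len(tail) == 4
            and tail[0] == "roaming"
            and tail[1] == "microsoft"
            and re.fullmatch(r"[a-z0-9]{6,10}", tail[2]) is not None
            and tail[3].endswith(".exe"))


def md5_matches_known_sample(data):
    """Compare file bytes against the MD5 from the post (a hit is certain, a miss proves nothing)."""
    return hashlib.md5(data).hexdigest() == KNOWN_SAMPLE_MD5


def triage(run_values):
    """Return, per suspicious Run value, the removal steps the post describes.

    Nothing is executed here; the plan is returned as data so an analyst can
    review it (and hash the file first) before deleting anything.
    """
    findings = []
    for value_name, command in run_values.items():
        path = image_path(command)
        if path is None or not is_suspicious(path):
            continue
        findings.append({
            "value": value_name,
            "image": str(path),
            "steps": [
                f"terminate any process running {path.name}",
                f"delete {path}",
                f"delete folder {path.parent}",
                f"delete Run value '{value_name}'",
            ],
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_RUN_VALUES):
        print(finding["value"], "->", finding["image"])
        for step in finding["steps"]:
            print("   ", step)
```

On a live host the dictionary would be filled from the Run keys of every user hive, and the hash check run on the file before it is deleted so the sample can be kept for analysis.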
Alexandru Anghelus – Malware analyst & investigator
Security of your personal data is very important.
Also sensitive Company data is extremely important.
If you’ve got a file and it looks suspicious, do not open it.
The .zip, .exe, .rtf, .doc, .htm, .rar … etc files can be infected and
personal data may become public or can be used against you.
With my analysis services you can remove that insecurity!
Analyzing a file can take a few minutes or even hours.
Investigating the ones found and drawing up the report may take longer, depending on the infected file.
Tracking the hacker may be impossible or may take several days.
Chances of success in discovering the infected file are 99%.
Full report services can help identify the reason, the target and whether it is a direct or random attack.
At the following address you can find some of my work in the field.
I am a malware analyst and investigator.
With my skills everyone can have a clear vision about suspicious files or emails that they have on their PC.
I am the founder of Professional Defence Community, a cybersecurity website that has been running for 7 years.
Web Pentesting.
Malware analysis.
Malware investigator.
Hello.
Today I had a nice surprise. I found in the Spam folder an email telling me they had just sent me an electronic invoice. I have to say that the surprises are more and more frequent.
You will see!!!
Part 1 – The infected file & dropped files
Dear Madam / Madam,
We would like to inform you that you have an electronic invoice issued. The
attachment is an official accounting document and complies with the
requirements of the Electronic Document and Electronic Signature Act. If
you have additional questions or need other information, please do not
hesitate to contact us with the contact details on your electronic
invoice. Thank you for being a customer of ENERGO-PRO. We wish you a successful day.
* This email can contain personalized information. If you are not the recipient for whom it is intended, please delete it. Thank you!
I have a file attached named öá¬ÔŃÓá No 0258923817 (3)... yeeep, and it is a JScript file. Scanned with VirusTotal.
The -1 vote is mine! (lol)
So 0 of 60 antivirus engines detect this virus. In the previous article I wrote about the problem of detection.
All are Tor servers and VPN servers. GET /tor/status-vote/current/consensus from hosts:
86.59.21.38 / 154.35.175.225
There are BitBlinder Project files (see GitHub for more information). Remember this... I will give you some good info later! Connected servers:
5.149.213.224/86.59.21.38/199.254.238.52/154.35.175.225/178.16.208.59/46.23.72.81/91.219.237.154/46.101.183.160/93.115.84.143/165.227.130.167
What else to show you from this file...
Last write session:
It makes a lot of changes after running:
Remote Access: tries to identify its external IP address
Stealer/Phishing: scans for artifacts that may help identify the target
Touched instant messenger related registry keys
Persistence: injects into explorer
Injects into remote processes
Modifies auto-execute functionality by setting/creating a value in the registry
Spawns a lot of processes
Writes data to a remote process
Dropped files:
adprtext.dll
agreebowl.dll
Let's look at agreebowl.dll.
Part 2 – The “öá¬ÔŃÓá No 0258923817 (3)” file code.
The
0/60 file detection is due to the programming style. The programmer used
an ingenious way of writing the code so that it has a signature different from
that of known viruses.
Here I will show you a part of the compiled code:
ozen.decideWorry+sickCityAdditionDepth[15]+seriousPaidRegion.happened;}function
pigDutyUnusual(passForeignPush){return
lowerCountryCharacter[5];}function
frontFurtherAfterMadeConstruction(wasMoodCleanRefusedPush){return
slightForgotDiscussionHistoryGiant[3]+temperatureBeforeDo.audienceCircus+evidenceCompositionCrackPrincipalEar[2]+seriousPaidRegion.engineer+sickCityAdditionDepth[3]+sickCityAdditionDepth[4]+breatheCupParentEscape[13]+biggerShellsDeterminePorchCreature[7]+temperatureBeforeDo.twoWest+importanceArtAgain[7];}function
compareSpeciesGiantBuildingSeveral(excitedCanScoreCarefulFine){return
roughWhenPlentyDistanceFrozen.decideWorry+townOrdinaryDarkFlowerLibrary.careful+importanceArtAgain[7]+temperatureBeforeDo.audienceCircus+wonProvideMostOrdinaryRoad.railroadOr+slightForgotDiscussionHistoryGiant[7]+importanceArtAgain[7]+evidenceCompositionCrackPrincipalEar[2]+breatheCupParentEscape[17];}var
clearlyPieceBillEarlierOrganization=[];
clearlyPieceBillEarlierOrganization[todayBehaviorStrengthQuietlyTypical('p-_sI1owb)jB:o6')](visitorBehindSpeak('9 K0c0htw(o.kvr'));
var packageLargePig=[-314];
var tearsKitchenCatchNeck=[66];
var fifteenRunStraightSpeech=[];
var aidMirrorWeakProgressInclude=[7];
var sightDistanceDid=[1];
var taskAnywayHungry=[mightEmptyCarriedRapidlyOnce('26P:Y&kwgPLW0')];
function partRelatedBatBaby(metFreeSomeone){
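The pattern in that fragment is string building by array index and property lookup: every meaningful string exists only as a sum of one-character pieces, so a scanner that searches the file for fixed strings finds nothing. The script below is an added example, not code from the post, showing the defender's counter-move, constant folding of those lookups. The identifiers are borrowed from the fragment, but the array contents, the function bodies and the string they build are constructed here, so the recovered text is harmless.

```python
# Added example (not from the post): constant-folding deobfuscator for the
# array-lookup string-building pattern shown in the fragment above. Identifier
# names are reused from the fragment; array/object contents and function bodies
# are constructed.
import re

OBFUSCATED_JS = """
var sickCityAdditionDepth=['H','e','l','o',' ','W','r','d'];
var seriousPaidRegion={happened:'!',engineer:'?'};
function pigDutyUnusual(passForeignPush){return sickCityAdditionDepth[0]+sickCityAdditionDepth[1]+sickCityAdditionDepth[2]+sickCityAdditionDepth[2]+sickCityAdditionDepth[3]+sickCityAdditionDepth[4]+sickCityAdditionDepth[5]+sickCityAdditionDepth[3]+sickCityAdditionDepth[6]+sickCityAdditionDepth[2]+sickCityAdditionDepth[7]+seriousPaidRegion.happened;}
function frontFurtherAfterMadeConstruction(wasMoodCleanRefusedPush){return 'Hello'+seriousPaidRegion.engineer;}
"""

STR_LIT = r"'((?:[^'\\]|\\.)*)'"                      # single-quoted JS string literal
ARRAY_RE = re.compile(r"var\s+(\w+)\s*=\s*\[([^\]]*)\];")
OBJECT_RE = re.compile(r"var\s+(\w+)\s*=\s*\{([^}]*)\};")
FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{\s*return\s+([^;]*);\s*\}")


def collect_tables(src):
    """Pick up the string arrays and string-valued objects the code indexes into."""
    arrays = {name: re.findall(STR_LIT, body) for name, body in ARRAY_RE.findall(src)}
    objects = {name: dict(re.findall(r"(\w+)\s*:\s*" + STR_LIT, body))
               for name, body in OBJECT_RE.findall(src)}
    return arrays, objects


def fold_term(term, arrays, objects):
    """Resolve one operand: name[index], name.property or a literal."""
    term = term.strip()
    m = re.fullmatch(r"(\w+)\[(\d+)\]", term)
    if m and m.group(1) in arrays:
        return arrays[m.group(1)][int(m.group(2))]
    m = re.fullmatch(r"(\w+)\.(\w+)", term)
    if m and m.group(1) in objects:
        return objects[m.group(1)][m.group(2)]
    m = re.fullmatch(STR_LIT, term)
    if m:
        return m.group(1)
    return "<" + term + ">"     # anything unresolved stays visible instead of vanishing


def fold_functions(src):
    """{function name: the string its return expression builds}."""
    arrays, objects = collect_tables(src)
    folded = {}
    for name, expr in FUNC_RE.findall(src):
        # split on '+' only outside quoted literals; sufficient for this pattern
        terms = re.split(r"\+(?=(?:[^']*'[^']*')*[^']*$)", expr)
        folded[name] = "".join(fold_term(t, arrays, objects) for t in terms)
    return folded


def signature_hit(text, needle="Hello World"):
    """The fixed-string check a naive signature scanner performs."""
    return needle in text


if __name__ == "__main__":
    print("hit on raw source:", signature_hit(OBFUSCATED_JS))
    folded = fold_functions(OBFUSCATED_JS)
    for name, value in folded.items():
        print(f"{name}() -> {value!r}")
    print("hit after folding:", signature_hit(" ".join(folded.values())))
```

The fixed-string check fails on the raw source and succeeds on the folded output, which is the whole reason the sample scores 0/60: the bytes that matter never appear contiguously in the file. The folder only understands single-quoted literals, array indexes and property reads joined by `+`; terms it cannot resolve are kept in angle brackets so the analyst sees what still needs a real JavaScript evaluation.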
Part 3 – BitBlinder project
BitBlinder project – a way to create your own hidden services on the dark web. Project-specific files:
Hello. I have some free time and I try to deal with internet safety. I'm just a small drop in the ocean, but I'm here!
Today I will introduce you to something different.
As usual, I downloaded a few pieces of software and started the analysis.
I have a "great offer":
Hotspot Shield VPN 7.20.8 Elite Cracked
Woooow!!! (just kidding)
We have 3 important files. Setup.exe and Update.exe appear to be archived files, and from previous posts we know what this means, but today our target is the HSS v.2.exe file.
It is noticed that it is the latest file created. Also, the installation method requires using this file.
OK. Let's scan this time! VirusTotal report: 20/68 detections?!?
I mean, only 20 of the antivirus applications will see this file as a virus.
OK.
It's normal to be seen by antivirus. It's just a crack, a patch, etc.
You have to disable the antivirus to install it; it's just pirated software.
Let's get started. It looks like this .exe is actually a .rar archive. After opening, it has a lot of work in the background. We let it do the job to find out what it is doing! When everything is quiet, we see that something is left running.
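An .exe that is "actually a .rar archive" is a self-extracting archive: a small PE stub with the archive appended, which the extension hides but the magic bytes reveal. The checker below is an added example, not code from the post; it classifies a file from its content alone, and the sample byte strings it runs on are constructed stand-ins, not the HSS v.2.exe file.

```python
# Added example (not from the post): tell a genuine PE from an archive, or from a
# self-extracting archive (PE stub with a RAR/7z/ZIP payload appended), by looking
# at magic bytes instead of the file extension. All sample bytes are constructed.

PE_MAGIC = b"MZ"
ARCHIVE_MAGICS = {
    "rar4": b"Rar!\x1a\x07\x00",
    "rar5": b"Rar!\x1a\x07\x01\x00",
    "7z": b"7z\xbc\xaf\x27\x1c",
    "zip": b"PK\x03\x04",
}

# Constructed stand-ins: a bare PE-looking blob, the same blob with a RAR4 archive
# appended (what an SFX looks like), and a bare RAR4 archive
FAKE_STUB = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 200
PLAIN_PE = FAKE_STUB
RAR_SFX = FAKE_STUB + b"Rar!\x1a\x07\x00" + b"<archive data>"
PLAIN_RAR = b"Rar!\x1a\x07\x00" + b"<archive data>"


def find_archives(data, skip=0):
    """[(offset, kind)] for every archive signature found at or after `skip`, lowest offset first."""
    found = []
    for kind, magic in ARCHIVE_MAGICS.items():
        pos = data.find(magic, skip)
        while pos != -1:
            found.append((pos, kind))
            pos = data.find(magic, pos + 1)
    return sorted(found)


def classify(data):
    """Coarse verdict: 'pe', 'sfx:<kind>', '<kind>-archive' or 'unknown'."""
    if data.startswith(PE_MAGIC):
        # An archive signature past the DOS header means an archive rides inside
        # or behind the executable: an SFX, or an installer carrying one.
        inner = find_archives(data, skip=0x40)
        return "sfx:" + inner[0][1] if inner else "pe"
    for kind, magic in ARCHIVE_MAGICS.items():
        if data.startswith(magic):
            return kind + "-archive"
    return "unknown"


def extension_mismatch(name, data):
    """True when the name says .exe but the content is not a plain PE: the case in the post."""
    return name.lower().endswith(".exe") and classify(data) != "pe"


if __name__ == "__main__":
    for label, blob in (("plain PE", PLAIN_PE), ("RAR SFX", RAR_SFX), ("plain RAR", PLAIN_RAR)):
        print(f"{label:10s} -> {classify(blob)}")
    print("HSS v.2.exe mismatch on the SFX stand-in:", extension_mismatch("HSS v.2.exe", RAR_SFX))
```

A verdict of `sfx:` does not by itself mean malware; legitimate installers embed archives too. What it tells you is that the interesting content is the appended archive, which can be listed and extracted with the matching archiver without ever running the stub.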