Gamarue
SHA256: f09c17cbb207c3b8a35773e264688978a367c7974a0e49c1a198b2d5a91624aa
File name: Fax-transmission.exe
https://www.virustotal.com/file/f09c17c ... /analysis/
SeT[X] wrote: Hello,
I've received this sample:
MD5: a393c059e5269784b58ee1742f50555a
SHA1: f819821e158fb4aee7f7c2cd824988504134355a
SHA256: 5ff4b976bdb3fee6a28102e31fd887dc966ce7879043c62e5d68f89d3ef16c96
https://www.virustotal.com/file/5ff4b97 ... /analysis/
I don't know how I can attach the file here, but if anyone wants it, I'll send it via email.
The binary seems to be crypted/packed with Small polymorphic crypter, but I can't unpack it; can someone help me to unpack it please?
I have seen some anti-debugging implementations, but there is something more, and I don't see it.
Help please.
Thanks in advance.
Win32:Virut wrote: Thanks, this is it.
Redirector: digitalcurrencyreport.com (109.163.230.125)
Exploit kit: http://mongif.biz/assumed/timing_borrows.php (46.166.169.179)
CnC: wordpress.serveblog.net:3360 (46.253.180.35)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched: "C:\Documents and Settings\All Users\svchost.exe"
PID: 3140 [PATH]\calc.exe ADDR: 0x87021b
CopyFileA(lpExistingFileName: "[PATH]\calc.exe",
lpNewFileName: "%AppData%\igfx\igfxtray.exe",
bFailIfExists: 0x0)

----------------------------------
Keys added:
----------------------------------
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{SG16VPH3-6PN7-VTP0-6V64-104BV7F3IRAF}
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.Identifier
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.Identifier\OpenWithList
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\6
----------------------------------
Values added:
----------------------------------
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{SG16VPH3-6PN7-VTP0-6V64-104BV7F3IRAF}\StubPath: ""C:\Documents and Settings\USER\Application Data\igfx\igfxtray.exe""
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run\igfxtray: "C:\Documents and Settings\USER\Application Data\igfx\igfxtray.exe"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\USER\Application Data\igfx\igfxtray.exe: "Pagent Show"
----------------------------------
Values deleted:
----------------------------------
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\14: 30 00 31 00 30 00 2E 00 62 00 6D 00 70 00 00 00 3C 00 32 00 00 00 00 00 00 00 00 00 00 00 30 31 30 2E 6C 6E 6B 00 26 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 30 00 31 00 30 00 2E 00 6C 00 6E 00 6B 00 00 00 16 00 00 00
----------------------------------
Values modified:
----------------------------------
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 02 00 00 00 1E 00 00 00 E0 FD F4 9E 68 F6 CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 02 00 00 00 20 00 00 00 00 65 59 10 6B F6 CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 02 00 00 00 3F 00 00 00 20 49 41 9F 68 F6 CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 02 00 00 00 41 00 00 00 D0 E8 6E 10 6B F6 CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:::{450Q8SON-NQ25-11Q0-98N8-0800361O1103}: 01 00 00 00 06 00 00 00 60 85 99 AA 71 A4 CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:::{450Q8SON-NQ25-11Q0-98N8-0800361O1103}: 02 00 00 00 07 00 00 00 C0 38 E9 E7 6A F6 CD 01
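The registry diff above mixes two persistence entries (the Active Setup StubPath and the HKCU Run value pointing at igfxtray.exe) with the usual Explorer noise (UserAssist, MUICache, RecentDocs, Streams). The following Python is an added example, not code from the thread or from any sandbox product: it parses a report in the pasted format (dashed separators, "Keys added:"/"Values added:" style headers, `path: data` lines), labels each entry, and returns the values that establish persistence. The section headers, the split on the first `": "`, and the sample report (a constructed copy of a subset of the lines above) are assumptions about the format.

```python
"""Triage a sandbox registry diff: separate autorun persistence from Explorer noise.

Added example for the thread above; the report format (dashed separators,
"Keys added:"-style headers, "path: data" value lines) is assumed from the
pasted output, and SAMPLE_REPORT is a constructed copy of some of its lines.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SEPARATOR = "----------------------------------"
HEADER_RE = re.compile(r"^(Keys|Values) (added|deleted|modified):$")

# Registry locations that launch a program at logon or boot; matched
# case-insensitively against the full path (value name included).
PERSISTENCE_PATTERNS = (
    r"\\CurrentVersion\\Run\\",
    r"\\CurrentVersion\\RunOnce\\",
    r"\\Active Setup\\Installed Components\\[^\\]+\\StubPath$",
    r"\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$",
)
# Artefacts of ordinary Explorer activity that every sandbox run reports.
NOISE_PATTERNS = (
    r"\\UserAssist\\",
    r"\\MUICache\\",
    r"\\RecentDocs\\",
    r"\\Explorer\\Streams\\",
)


@dataclass
class RegEntry:
    section: str          # e.g. "Values added"
    path: str             # key path; for value entries the value name is the last component
    data: Optional[str]   # raw data as printed by the sandbox, None for key entries


def parse_report(text: str) -> List[RegEntry]:
    """Turn the dashed-section report into a flat list of RegEntry objects."""
    section = None
    entries: List[RegEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == SEPARATOR:
            continue
        m = HEADER_RE.match(line)
        if m:
            section = f"{m.group(1)} {m.group(2)}"
            continue
        if section is None:
            continue  # text before the first header is not part of the diff
        if section.startswith("Values"):
            # The value name is followed by ": ". Drive letters inside a path
            # ("C:\") are followed by a backslash, never a space, so the first
            # ": " reliably separates the path from the data.
            path, sep, data = line.partition(": ")
            entries.append(RegEntry(section, path, data if sep else None))
        else:
            entries.append(RegEntry(section, line, None))
    return entries


def classify(entry: RegEntry) -> str:
    """'persistence' for autorun locations, 'noise' for Explorer bookkeeping, else 'review'."""
    if any(re.search(p, entry.path, re.IGNORECASE) for p in PERSISTENCE_PATTERNS):
        return "persistence"
    if any(re.search(p, entry.path, re.IGNORECASE) for p in NOISE_PATTERNS):
        return "noise"
    return "review"


def persistence_indicators(text: str) -> List[Tuple[str, Optional[str]]]:
    """(path, data) for every added or modified value that sets up persistence."""
    return [
        (e.path, e.data)
        for e in parse_report(text)
        if e.section in ("Values added", "Values modified") and classify(e) == "persistence"
    ]


# Constructed sample: a subset of the registry diff pasted in the thread.
SAMPLE_REPORT = r"""
----------------------------------
Keys added:
----------------------------------
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{SG16VPH3-6PN7-VTP0-6V64-104BV7F3IRAF}
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\6
----------------------------------
Values added:
----------------------------------
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{SG16VPH3-6PN7-VTP0-6V64-104BV7F3IRAF}\StubPath: ""C:\Documents and Settings\USER\Application Data\igfx\igfxtray.exe""
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run\igfxtray: "C:\Documents and Settings\USER\Application Data\igfx\igfxtray.exe"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\USER\Application Data\igfx\igfxtray.exe: "Pagent Show"
----------------------------------
Values modified:
----------------------------------
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 02 00 00 00 41 00 00 00 D0 E8 6E 10 6B F6 CD 01
"""

if __name__ == "__main__":
    for entry in parse_report(SAMPLE_REPORT):
        print(f"{classify(entry):12} {entry.section:16} {entry.path}")
    print("persistence:", persistence_indicators(SAMPLE_REPORT))
```

Run against the sample, the two persistence hits are the StubPath and the `Run\igfxtray` value, both pointing at the same dropped binary, which is the pair a responder would pull into a host-based sweep; the MUICache and UserAssist entries are useful for execution timelines but are labelled noise so they do not masquerade as persistence.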


CnC:
wordpress.serveblog.net:3360
Methods:
           FCONNECT %s:%d HTTP/1.0
           http://%s%s
           GET %s HTTP/1.1
           Host: %s
           Connection: close
%s\Mozilla\Firefox\profiles.ini
%s\Mozilla\Firefox\%s
%s\Thunderbird\profiles.ini
%s\Thunderbird\%s
%s\Mozilla\SeaMonkey\profiles.ini
%s\Mozilla\SeaMonkey\%s
%s\Opera\Opera\wand.dat
%s\Opera\Opera\profile\wand.dat
WindowsLive:name=*
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Email
POP3 User
POP3 Server
POP3 Password
IMAP User
IMAP Server
IMAP Password
HTTP User
HTTP Server
HTTP Password
SMTP User
SMTP Server
SMTP Password
%c%c%S
abe2869f-9b47-4cd9-a358-c22904dba7f7
Software\Microsoft\Internet Explorer\IntelliForms\Storage2
index.dat
History
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
%s\Google\Chrome\User Data\Default\Login Data
%s\Chromium\User Data\Default\Login Data
localhost
USERNAME%s.Identifier
%Rand%
%d:0:0:%s\%s;
%d:%I64u:0:%s\%s;
%c%I64u
%llu
%s%.2d-%.2d-%.4d
[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]