
Malware unpacking (inject code)

PostPosted:Thu Jul 12, 2012 7:55 pm
by EX!
Hello,

Can you guys help me unpack this malware?


The sample launches an svchost.exe process and injects the executable code into its address space; it also connects to the C&C.
(VMware, Sandboxie, QEMU and debugging protection)


Thanks :mrgreen:

Re: Malware unpacking (inject code)

PostPosted:Fri Jul 13, 2012 3:17 am
by EX!
The sample is Smoke Bot.

http://img843.imageshack.us/img843/8297/smokebot.jpg


C&C
hxxp://strelokfancy.com/viaweb/imgs/header.png


Bye,

Re: Malware unpacking (inject code)

PostPosted:Sat Jul 14, 2012 5:25 am
by EP_X0FF
IIRC, this bot uses similar injection code (except for a few unimportant things)

http://pastebin.com/yTuU4z8W

in principle ripped from Andromeda :)

Re: Malware unpacking (inject code)

PostPosted:Sat Jul 14, 2012 6:25 am
by R00tKit
familiar code :)
http://pastebin.com/yTuU4z8W
For a bit of detail: http://blog.w4kfu.com/tag/duqu


Regards

Re: Malware unpacking (inject code)

PostPosted:Sat Jul 14, 2012 10:06 pm
by EX!
Thanks! I will continue investigating.

Kind regards.

Re: Malware unpacking (inject code)

PostPosted:Sun Jul 15, 2012 11:07 am
by Xylitol
Had a look at your SmokeBot C&C..

--
• dns: 1 ›› ip: 76.72.169.3 - adresse: STRELOKFANCY.COM

hxxp://strelokfancy.com/viaweb/mods/socks
hxxp://strelokfancy.com/viaweb/mods/grab
hxxp://strelokfancy.com/viaweb/mods/hosts
Encrypted modules, uploaded on 22 June.
Campaign started on 4 July, so ten days, and it looks like the guys removed the exes from the panel.
Also, the guest login is the default credential, but nothing interesting.

Re: Malware unpacking (inject code)

PostPosted:Mon Jul 16, 2012 12:49 pm
by EX!
Thanks Xylitol!!!


Bye.