------------------------------
5/29/2019
https://app.any.run/tasks/0504a290-18be-4d18-ae00-e03d03b5ae4a/
https://www.virustotal.com/gui/file/ee45336a135108347af89122705d24b97c583ee2d18ec67152441f58a540f34a/detection
Running behavior: (RUN AS ADMINISTRATOR)
program crashed, did not seem to complete
Memory strings while running:
0xdb136 (12): PVAULT_CRED8
0xdb4e5 (12): outlookDecrU
0xdc928 (84): Software\Martin Prikryl\WinSCP 2\Sessions\
0xdc99c (20): PortNumber
0xdd3a4 (26): \accounts.xml
0xdd6d4 (10): <password>
0xdd6e8 (11): </password>
0xdd778 (60): %APPDATA%\.purple\accounts.xml
0xddec0 (34): %TEMP%\curbuf.dat
0xe2874 (253): SELECT DATETIME(moz_historyvisits.visit_date/1000000, "unixepoch", "localtime"),moz_places.title,moz_places.url FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id ORDER By moz_historyvisits.visit_date DESC LIMIT 0, 10000
0xe32a8 (28): \places.sqlite
0xe4084 (16): Browsers\Cookies
0xe40ac (16): Browsers\History
0xe43fd (12): uFileFinderU
0xe4ea8 (30): %APPDATA%\Skype
0xe51d8 (40): Software\Valve\Steam
0xe522c (26): \Config\*.vdf
0xe5de4 (20): %APPDATA%\
0xe5e14 (20): \autoscan\
0xe5e48 (24): .address.txt
0xe8100 (20): https://dotbit.me/a/
0xe8600 (12): User-agent:
0xe8618 (51): Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
0xea1d4 (17): PasswordsList.txt
0xea258 (66): %appdata%\Telegram Desktop\tdata\
0xea360 (22): http://ip-api.com/json
0xea3d4 (10): System.txt
0xea450 (84): /c %WINDIR%\system32\timeout.exe 3 & del "
0xeb7c0 (30): http://77.222.55.225/index.php
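Added example (not from the original post): a small triage script for a strings dump in the "0x<offset> (<length>): <string>" layout used above. It buckets each string into an indicator class (C2 URL, user-agent, registry key, credential-store target, self-deletion command) and pulls the hosts out of the URLs so they can go straight into a blocklist or hunt query. The sample lines are a constructed subset of the strings listed above; the rule set is an assumption built from what this family touches, not a complete signature.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: a subset of the memory strings listed above, in the
# "0x<offset> (<length>): <string>" layout these notes use.
SAMPLE_DUMP = r"""
0xdb136 (12): PVAULT_CRED8
0xdc928 (84): Software\Martin Prikryl\WinSCP 2\Sessions\
0xdd778 (60): %APPDATA%\.purple\accounts.xml
0xe32a8 (28): \places.sqlite
0xe4084 (16): Browsers\Cookies
0xe8100 (20): https://dotbit.me/a/
0xe8618 (51): Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
0xea360 (22): http://ip-api.com/json
0xea450 (84): /c %WINDIR%\system32\timeout.exe 3 & del "
0xeb7c0 (30): http://77.222.55.225/index.php
""".strip("\n")

LINE_RE = re.compile(r"^(0x[0-9a-fA-F]+) \((\d+)\): (.*)$")

# Ordered rules: first match wins. The credential-target names are the
# browser / IM / wallet / SSH-client stores seen in this family's strings
# (assumed list, extend as needed).
RULES = [
    ("self_delete", re.compile(r"timeout\.exe.*&\s*del\b", re.I)),
    ("url", re.compile(r"^https?://", re.I)),
    ("user_agent", re.compile(r"^Mozilla/\d")),
    ("registry", re.compile(r"^Software\\", re.I)),
    ("credential_target", re.compile(
        r"PVAULT_CRED|accounts\.xml|places\.sqlite|PasswordsList\.txt|"
        r"wallet\.dat|\.vdf|Login Data|Cookies|History|tdata|\\Skype", re.I)),
]


def parse_dump(text):
    """Return (offset, length, string) tuples; lines that do not fit are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((int(m.group(1), 16), int(m.group(2)), m.group(3)))
    return out


def classify(s):
    """Map one string to its indicator class, or 'other'."""
    for name, rx in RULES:
        if rx.search(s):
            return name
    return "other"


def triage(text):
    """Bucket every string by class and collect the hosts seen in URLs."""
    buckets = defaultdict(list)
    hosts = set()
    for _offset, _length, s in parse_dump(text):
        cat = classify(s)
        buckets[cat].append(s)
        if cat == "url":
            hosts.add(urlparse(s).hostname)
    buckets["hosts"] = sorted(hosts)
    return dict(buckets)


if __name__ == "__main__":
    for cat, items in triage(SAMPLE_DUMP).items():
        print(f"[{cat}]")
        for item in items:
            print("   ", item)
```

The hosts bucket for the sample is the three network indicators from this run (77.222.55.225, dotbit.me, ip-api.com); the two lookups (dotbit.me, ip-api.com) are benign services the stealer abuses for its own config and geolocation, so block the C2 IP and alert on the pair rather than blocking all three.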
------------------------------
2/11/2019
https://app.any.run/tasks/7323be7e-daad-4ac7-8500-b905f7dcfaba
https://www.virustotal.com/#/file/cd4f41d81ec1f3ac046df3193e1445994c8e4a6eaaf57748faef5ada77791bf2/detection
Compiler:
- Nullsoft Scriptable Install System(3.0)[zlib]
- Microsoft Linker(6.0)[EXE32,signed]
Running behavior: (RUN AS ADMINISTRATOR)
- launches a copy of itself, then disappears from task manager
- dns lookup 3124322.pw.md-in-82.webhostbox.net (43.225.55.117)
- POST to 3124322.pw.md-in-82.webhostbox.net/index.php, (sent data is short, has a bunch of &, and . in it)
- CreateFile api calls to Login data folders (FireFox, Waterfox, IceDragon, Chrome, Pale Moon, Yandex)
- CreateFile api calls to cookie data folders (Yandex, 360Browser, Opera, TorBro, CentBrowser)
- CreateFile api calls to WebData folders (Yandex, 360Browser, Opera, TorBro, CentBrowser)
- CreateFile api calls to bitcoin folders (wallet.dat, electrum.dat, Ethereum)
Memory strings while Running:
- original exe has Nullsoft Install System v3.0 and some actual C-looking lines of code with kernel32::CreateFile, user32::wsprintf, ntdll::NtMapViewOfSection, kernel32::CloseHandle
- re-spawned exe had much more
--- Network activity like 3124322.pw.md-in-82.webhostbox.net/index.php, 43.225.55.117
--- bunch of function names that all start with "Crypt"
--- internet related function names (InternetOpenA, HttpSendRequestA, etc.)
--- bunch of decimal numbers prefixed with "Gu, Du, Cu, FCu, Fu, ZGu"
IDA Pro Behavior (RUN AS ADMINISTRATOR)
- start function had "Error writing temporary file", SetErrorMode, GetVersion, etc.
- While in IDA I see the process launch a child of itself, then IDA closes with "process has exited (exit code 0)", so it appears everything in IDA ran fine and did not kill itself or error out at all
------------------------------
2/11/2019
https://app.any.run/tasks/6fad55c1-52c5-4dd3-89e0-7ac3a9117464
https://www.virustotal.com/#/file/ef0725492607f9f5adb086a67153f705531f98b91aec7f9d864c5fe04c7db0c1/detection
Compiler:
- Borland Delphi(2006)[-]
Running behavior: (RUN AS ADMINISTRATOR)
- I saw a task for cmd.exe launching timeout.exe, then the exes closed in task manager
- original file was deleted
- POST to 23.227.206.245/Panel/index.php (sent data is short, has a bunch of /, (, >, and . in it)
- CreateFile api calls to Login data folders (FireFox, Waterfox, IceDragon, Chrome, Pale Moon, Yandex)
- CreateFile api calls to cookie data folders (Yandex, 360Browser, Opera, TorBro, CentBrowser)
- CreateFile api calls to WebData folders (Yandex, 360Browser, Opera, TorBro, CentBrowser)
- CreateFile api calls to bitcoin folders (wallet.dat, electrum.dat, Ethereum)
Memory strings while Running:
- wasn't running long enough to grab
IDA Pro Behavior (RUN AS ADMINISTRATOR)
- WinMain has GetCommandLineA, GetModuleHandleA, DialogBoxParamA, "Selected Process", "Count of GDI objects", "Count of USER object", etc.
- In WinMain, the DialogBoxParamA call shows this message, 73ED3C62: The instruction at 0x73ED3C62 referenced memory at 0x74. The memory could not be read -> 00000074 (exc.code c000005, tid 388)
------------------------------
2/5/2019
https://www.virustotal.com/#/file/5691a24d176090bc059f91f3d05d2e9e39ee071652b4c41dd85ffb8961cb8b03/community
hxxp://modexcommunications[.]eu/jeff/jeff.exe
Notes: I think this run failed because C2 host was taken down
Compiler:
- Borland Delphi(7)[-]
Running behavior: (RUN AS ADMINISTRATOR)
- writes jeffie[.exe to %appdata%\roaming\jefery
- dns lookup wp.icf-fx[.]kz (185.255.91[.]82:80)
- POST to /Panel/index[.]php
- then disappears off task manager
Memory strings while Running:
- very small file, not much in there
- network activity like (wp.icf-fx[.]kz, 185.255.91[.]82:80, /Panel/index[.]php)
- bunch of function names that all start with "Crypt"
- internet related function names (InternetOpenA, HttpSendRequestA, etc.)
- bunch of decimal numbers prefixed with "Gu, Du, Cu, FCu, Fu, ZGu"
IDA Pro Behavior (RUN AS ADMINISTRATOR)
- follow into @Sysinit@@InitExe, @System@@StartExe, @System@_16705
- loops in there for a while, with a "call eax" that appears to subtract; I break on the exit from the loop, but instead IDA errors with "0: The instruction 0x0 referenced memory at 0x0. The memory could not be executed -> 00000000 (exc.code c0000006 tid 2748)"
------------------------------
1/23/2019
https://www.virustotal.com/#/file/8a8c2c4563a1f1cbd82f4f8aa5e43fb7adb83197b594bad2dd83dd8a7a2e4692/detection
https://app.any.run/tasks/09cb8551-a11b-4a51-974f-2c5a4cfcac79
hxxp://pioneerfitting[.]com/http/asok.exe
Compiler:
- Microsoft Visual Basic(6.0)[P-code]
Running behavior: (RUN AS ADMINISTRATOR)
- writes filename.exe & filename.vbs to %appdata%\local\temp\subfolder\
- filename.exe runs a copy of itself (hollowing?)
- POST to /trial/index.php (5.34.244.250:8080) (sent data is short, has a bunch of /, (, >, and . in it)
- %appdata%\local\temp\subfolder\filename.vbs added as autorun
- then disappears from task manager
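Added example (not from the original post): a process-tree detection for the two behaviours that recur across these runs, a sample launching a copy of itself (the "hollowing?" note above, and the 2/11 sample) and the cmd.exe /c timeout.exe N & del cleanup that removes the original file. It walks the ancestry so that a self-delete issued from underneath a self-spawned process is reported as one correlated stealer pattern rather than two weak signals. The events are a constructed Sysmon-style process-creation list; the field names, the allowlist of legitimately multi-process applications and the rule names are assumptions.

```python
import re

# The observed cleanup chain: ... timeout.exe N & del "<original file>"
SELF_DELETE_RE = re.compile(
    r'timeout(?:\.exe)?\s+\d+\s*&\s*del\s+"?([^"&]+?)"?\s*$', re.I)

# Applications that routinely spawn copies of themselves (assumed allowlist).
SELF_SPAWN_ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe", "conhost.exe"}

# Constructed sample process-creation events (Sysmon event 1 style), not from the post.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\victim\AppData\Local\Temp\subfolder\filename.exe",
     "cmdline": "filename.exe"},
    {"pid": 201, "ppid": 200, "image": r"C:\Users\victim\AppData\Local\Temp\subfolder\filename.exe",
     "cmdline": "filename.exe"},
    {"pid": 202, "ppid": 201, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c C:\Windows\system32\timeout.exe 3 & del "C:\Users\victim\Downloads\asok.exe"'},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"pid": 400, "ppid": 100, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe"},
    {"pid": 401, "ppid": 400, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --type=renderer"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_self_spawned(events, by_pid):
    """PIDs whose parent runs the same image, excluding known multi-process apps."""
    spawned = set()
    for e in events:
        parent = by_pid.get(e["ppid"])
        if (parent and parent["image"].lower() == e["image"].lower()
                and basename(e["image"]) not in SELF_SPAWN_ALLOWLIST):
            spawned.add(e["pid"])
    return spawned


def detect(events):
    """Return alert dicts: self_spawn, self_delete, or the correlated stealer pattern."""
    by_pid = {e["pid"]: e for e in events}
    spawned = find_self_spawned(events, by_pid)
    alerts = [{"rule": "self_spawn", "pid": p, "image": by_pid[p]["image"]} for p in sorted(spawned)]
    for e in events:
        if basename(e["image"]) != "cmd.exe":
            continue
        m = SELF_DELETE_RE.search(e["cmdline"])
        if not m:
            continue
        alert = {"rule": "self_delete", "pid": e["pid"], "deleted": m.group(1).strip()}
        # Walk up the tree: a self-delete under a self-spawned process is the full pattern.
        anc = by_pid.get(e["ppid"])
        while anc is not None:
            if anc["pid"] in spawned:
                alert["rule"] = "stealer_self_spawn_then_self_delete"
                alert["origin_pid"] = anc["pid"]
                break
            anc = by_pid.get(anc["ppid"])
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```

The self-spawn rule on its own is noisy (installers and updaters do it too), which is why the ancestry walk matters: the correlated alert also carries the deleted path, which in these runs is the dropped sample itself, so the responder knows which file to pull from backup or from the sandbox before it is gone.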
Memory strings while Running:
- asok.exe & the parent filename.exe: almost nothing of interest in them
- the copy of itself, child filename.exe, contains
--- network activity like (5.34.244.250:8080/trail.index.php)
--- bitcoin filenames like (wallet.dat, electrum.data, BitcoinCore, monero-core, Ethereum)
--- cred filenames like (accounts.xml, PasswordsList.txt, <password>, PVAULT_CRED8)
--- internet related function names (InternetOpenA, HttpSendRequestA, etc.)
--- vbs script code (WScript.Shell, Wscript.Sleep, Wscript.Quit, WshShell.RegWrite)
--- bunch of function names that all start with "Crypt"
--- bunch of decimal numbers prefixed with "Gu, Du, Cu, FCu, Fu, ZGu"
--- other software names like (Skype, Steam, Outlook, WinSCP)
--- urls (dotbit.me, ip-api.com)
--- commands (%windir%\system32\timeout.exe & del)
IDA Pro Behavior: (RUN AS ADMINISTRATOR)
- Inside ThunRtMain, a jmp if you step into goes into MSVBM60, a "call near ptr unk_7294AA4C2" throws error 755FC54F: Floating point inexact result (exc.code c000008f, tid 1008)