Monday, March 30, 2015

#12 Project APC - Technical Analysis of a Malware Sample

I found the bot described in detail below while searching for malware that can load malicious code into another process using so-called asynchronous procedure calls (APCs). Besides the ability to inject itself into various Windows processes via APCs, this bot has a number of other interesting features. For example, the malware does not, as is otherwise usual, contain any encrypted or plaintext command-and-control server (C&C server) in the form of an IP address, a domain name or a domain generation algorithm (DGA). Instead, the author implemented a mechanism that obtains the C&C server with the help of the microblogging service Twitter. This method is not new and was already used by the OSX/Flashback malware. Furthermore, the malware uses various encryption methods throughout to make analysis of its data and network traffic more difficult.


Samples: (PW: infected)

Friday, July 18, 2014

#11 Dyre banker aka CdIL aka Win32/Win64 Battdil - Inside the Webpanel

What I have learned over the years as a hobby malware analyst is whenever you think you are the first who discovered a new malware family, you can be sure at least a dozen people are already working on the threat. And I am not speaking about what you can later see in public...

The recently discovered banker named Dyre is no exception. While cleaning up my malware collection yesterday, I stumbled upon a malware threat which Anton Cherepanov and I briefly analyzed 3 months ago. After a quick search on the Internet, I realized that this sample, which was first discovered by ESET and named Win32/Battdil.A and Win64/Battdil.A respectively, is the recently published threat named Dyre or Dyreza banker. You can read about this malware here:

Monday, June 23, 2014

#10 Malware spread over Facebook - TrojanDownloader:Java/Carastavona.E

Earlier today, I stumbled upon a blogpost by Bitdefender which describes a malware sample that spreads across Facebook users:

I thought I'd give it a shot, since I realized in my last article that reversing Java malware is quite fun, probably because it is easier and not as exhausting as looking over hundreds/thousands of lines of disassembled code. Unfortunately, the article doesn't give any hashes, just the file name of the malware sample, which is named

Friday, June 20, 2014

#9 Blitzanalysis: Embassy of Greece Beijing - Compromise

It's Friday afternoon; I had a bit of free time, stumbled across this tweet by PhysicalDrive0 (thx!) two hours ago and thought I'd give it a try to finally add a new article to this Blog (the first of 2014):

So, I went to Google to search for the domain of the Embassy of Greece Beijing and added the (allegedly) malicious Java file package that was found by PhysicalDrive0:

Monday, September 9, 2013

#8 Back to the future - Analysis of an old Downloader

This article is an analysis of a Downloader first discovered ITW in 2006. It is widely detected by anti-virus vendors, and several reports are available:

It uses a couple of interesting techniques, although it later turned out that some of them were implemented in a sloppy way:

- Uses some sort of code obfuscation
- Encrypts sensitive strings
- Uses a kernel-mode driver to hide its process

VirusTotal statistics indicate this downloader is still in use, although the server of the sample I analyzed isn't available anymore (for more samples, see the Appendix).

Sample (UPX packed)
Target machine: x86
Size: 13,824 bytes
Compilation timestamp: 2006-11-25 19:29:09
SHA1: f18803def56bf6bfb067459ee6a9589d9f135c29
Download (pw: infected):
Appendix samples (pw: infected):

Sunday, August 11, 2013

#7 Brief description of a signed Adware/PUP Downloader

To publish articles more frequently and thus make this Blog a bit more interesting, I decided to drop my intention to only write "in-depth" analyses of "special" malware. From today, I will also release information about my "every day" discoveries, which in the past always ended up in the trash (and there were a lot of them :-)). Of course, these "every day" Blogposts cannot be as technical and detailed as a complete malware analysis, but I hope they are interesting anyway.

To start with, this Blogpost is something like a warm-up for my upcoming article about a cross-platform (x86/x64) "Adware" family with some interesting techniques.

So let's go...

The downloader comes in two different sizes (376.9 KB, 381.5 KB) and in a lot of instances (see the list of hashes at the end). Two samples, one of each size, can be downloaded here:

Sample - 376.9 KB
VT Report:
Download (PW: infected):

Sample - 381.5 KB
VT Report:
Download (PW: infected):

Wednesday, June 19, 2013

#6 South Korea Incident - Analysis of a tiny Downloader

In this short Blogpost I am going to dissect a Downloader which is part of the ongoing "1Mission" campaign against targets in South Korea (thanks to Chae Jong Bin for pointing it out). The Downloader comes in the form of a DLL and has the small size of 4 KB. What remains unknown is how the DLL gets executed (through an exploit, a loader, ...). Apart from its small size, there isn't anything special about this malware. Unfortunately, the file it wanted to download isn't available anymore, so there is no chance to dig deeper...

DLL sample
Size: 4,096 bytes
Timestamp: 2013-05-30 03:54:37
MD5: 17e3e09c27d26c81c9f33882279d6319
SHA1: c467f59cddba2d029044f6f2b22b6b2123b341b6