@Wack0
Last active January 13, 2017 22:45
Karmav2? hashes

Setup: https://www.virustotal.com/en/file/4280f729d317156706db6e9c87503d636f806e09efdfcf00e73dd3e71740c966/analysis/
App: https://www.virustotal.com/en/file/2260f04aff68f77102525c61ccab4680b869b27672f6939693b23c1c04c7fe82/analysis/
Unpacked + partially-deobfuscated: https://www.virustotal.com/en/file/f754f949651f628b3f1c1fbe327d7b87ea63ecdab6c59b8431d459e67b11cbd2/analysis/

Deobfuscated taskscheduler .xml string:

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2016-10-28T00:37:02.5049122</Date>
    <Author>memOptimizer</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Repetition>
        <Interval>PT1M</Interval>
        <Duration>PT2M</Duration>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <Enabled>true</Enabled>
      <Delay>PT30S</Delay>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>-xUID-</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>false</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>false</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"xAppPath"</Command>
    </Exec>
  </Actions>
</Task>
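A triage check for this task definition, added here as an example (not code from the gist author or from the sample): it parses an exported Task Scheduler XML and reports which of the settings seen above are present. The trait labels, the `triage_task` name and the trimmed `SAMPLE` string are constructed for illustration; the expected values are the ones in the XML above.

```python
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# (label, path below <Task>, value seen in the XML on this page)
TRAITS = [
    ("author", "t:RegistrationInfo/t:Author", "memOptimizer"),
    ("logon-repeat-1m", "t:Triggers/t:LogonTrigger/t:Repetition/t:Interval", "PT1M"),
    ("highest-runlevel", "t:Principals/t:Principal/t:RunLevel", "HighestAvailable"),
    ("no-time-limit", "t:Settings/t:ExecutionTimeLimit", "PT0S"),
    ("no-hard-terminate", "t:Settings/t:AllowHardTerminate", "false"),
    ("no-on-demand", "t:Settings/t:AllowStartOnDemand", "false"),
]

def triage_task(task_xml):
    """Return the matching trait labels and every Exec command of one task."""
    root = ET.fromstring(task_xml)
    traits = []
    for label, path, expected in TRAITS:
        node = root.find(path, NS)
        if node is not None and (node.text or "").strip() == expected:
            traits.append(label)
    commands = [(n.text or "").strip()
                for n in root.findall("t:Actions/t:Exec/t:Command", NS)]
    return {"traits": traits, "commands": commands}

# Constructed input: the task above, trimmed to the elements that are checked.
SAMPLE = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>memOptimizer</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Repetition><Interval>PT1M</Interval></Repetition></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings>
    <AllowHardTerminate>false</AllowHardTerminate>
    <AllowStartOnDemand>false</AllowStartOnDemand>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author"><Exec><Command>"xAppPath"</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    print(triage_task(SAMPLE))
```

The author string is the only trait specific to this family; the other five are ordinary settings that only carry weight in combination.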

C&C: http://www.memoryopt.com/mem64_update.php?user=C: hd serial&chase=hash of that, detailed below
Also contacts: http://www.memoryopt.com/mem786_pix.php?user=C: hd serial&subid=subid provided to setup&chase=same hash as before

chase= hash: php -r "$m1 = md5('C: hd serial'); $m2 = md5($m1[29].$m1[14].$m1[5].$m1[19].$m1[11].$m1[24].$m1[31].$m1[8]); echo $m2;"

New sample from 2017-01-12:

Setup: https://www.virustotal.com/en/file/bfd1b8285320323ffac2d74b7b257b0b4a76e5c3ea4f2a28ee506694567f3412/analysis/
Executable inside setup: https://www.virustotal.com/en/file/39b32e03467ef7d06f255f7bfa3e99bc18afd87a0e43d71070000ec7503dde2b/analysis/
Unpacked + partially-deobfuscated (entry point removed to avoid accidental infection, easy to put back if needed): https://www.virustotal.com/en/file/a1ecfdafc8f3d81251c8a8a8f944a149a105c43326d08cd92454443c9899146e/analysis/

Deobfuscated taskscheduler .xml string is the same as the last sample.

C&C URLs are also the same as the last sample.

Basically this seems to be the same sample as last time but recompiled, reobfuscated and setup remade, and everything re-signed with the same "Davinder Singh" cert.

Still no idea what gets downloaded on the C&C's say so.

chase= hash: php -r "$m1 = md5('C: hd serial'); $m2 = md5($m1[22].$m1[12].$m1[17].$m1[24].$m1[18].$m1[13].$m1[31].$m1[3]); echo $m2;"

New sample from 2017-01-13:

Setup: https://www.virustotal.com/en/file/b4324c9b1e031275afd53553f9ac74b85d5726b587717f45febb6b34f1314886/analysis/
Executable inside setup: https://www.virustotal.com/en/file/eb333c142110c181bcfd5b801056b8189e2e6c05d97cf872b5549836dfa4d0fc/analysis/
Unpacked + partially-deobfuscated (entry point removed to avoid accidental infection, easy to put back if needed): https://www.virustotal.com/en/file/df3c9a76c498aee92644e980aa382f2081ad167520fac8d2ebe8e1b64d53656d/analysis/

Seems to be a recompiled version of the last file, has the same chase= hash algorithm and C&C URLs, etc, as yesterday's.


Wack0 commented Jan 13, 2017

New sample, 2017-01-13 18:58 UTC

Setup: https://virustotal.com/en/file/8ab3022c80f21729205e4a6ce6717c0a4f32bb6572682aeba1eb70ae2732de6b/analysis/
Executable inside setup: https://virustotal.com/en/file/05507fbea96d53ad9144425db095f75e9057a1bef5f0a80500d826653a237b86/analysis/
Unpacked + partially deobfuscated: https://virustotal.com/en/file/e8d3779f8c53e4afcd81d766703f8056f904e13d2f4460d33be5b8675e9cc194/analysis/

Changes: chase= hash changed again: php -r "$m1 = md5('C: hd serial'); $m2 = md5($m1[22].$m1[12].$m1[17].$m1[24].$m1[18].$m1[13].$m1[31].$m1[13]); echo $m2;"


Wack0 commented Jan 13, 2017

New sample 2017-01-13 21:04 UTC -- after 4 samples today, slowly automating the manual part of the unpacking work...

Setup: https://virustotal.com/en/file/dc88d544134cf6cf0d5e85f3170b48c53668606ea056e20932707a86e37d73b5/analysis/
Executable inside setup: https://virustotal.com/en/file/b0eede32224122b9380af24c04bf147bc51fca3478577ccd1df6188eca4734b4/analysis/
Unpacked + partially deobfuscated: https://virustotal.com/en/file/16847470734932c4ca9bd22a32ba91a524b8e1b55a9f1e35c74ec6ab05f2b6d4/analysis/

Changes: none, just a recompile it seems
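An added example, not part of the gist or its comments: a classifier for proxy or DNS-sinkhole logs that recomputes the `chase=` value from `user=` using the three index orders listed on this page and reports which build a check-in URL came from. The function names and variant labels are constructed, and it assumes the serial is hashed exactly as it appears in `user=`.

```python
import hashlib
from urllib.parse import urlsplit, parse_qs, urlencode

C2_HOST = "www.memoryopt.com"                         # from the page
C2_PATHS = ("/mem64_update.php", "/mem786_pix.php")   # from the page

# Index orders copied from the php one-liners on this page.
CHASE_VARIANTS = {
    "first sample": (29, 14, 5, 19, 11, 24, 31, 8),
    "2017-01-12 and 2017-01-13": (22, 12, 17, 24, 18, 13, 31, 3),
    "2017-01-13 18:58 UTC and later": (22, 12, 17, 24, 18, 13, 31, 13),
}

def chase_hash(serial, order):
    """md5 of eight characters picked from md5(serial), as in the one-liners."""
    m1 = hashlib.md5(serial.encode("utf-8")).hexdigest()
    picked = "".join(m1[i] for i in order)
    return hashlib.md5(picked.encode("ascii")).hexdigest()

def classify_beacon(url):
    """Return None for unrelated URLs, else the variants whose chase= matches.

    An empty list means host and path match but the index order is not one
    recorded above, which points at a build that has not been analysed yet.
    Two variants can both match when the differing characters of md5(serial)
    happen to be equal, so the result is a list.
    """
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != C2_HOST or parts.path not in C2_PATHS:
        return None
    query = parse_qs(parts.query)
    serial = query.get("user", [""])[0]
    chase = query.get("chase", [""])[0].lower()
    return [name for name, order in CHASE_VARIANTS.items()
            if chase_hash(serial, order) == chase]

if __name__ == "__main__":
    serial = "1A2B-3C4D"  # constructed serial; the real format is an assumption
    for name, order in CHASE_VARIANTS.items():
        # Constructed log entries, one per known variant.
        url = "http://%s%s?%s" % (C2_HOST, C2_PATHS[0], urlencode(
            {"user": serial, "chase": chase_hash(serial, order)}))
        print(classify_beacon(url), url)
```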
