FYI ★FileProtector★ is 100% backdoored


Credit for the analysis: OSIRIS Security
To check whether your PC is infected or not, see the Anti-Hacker section, where this is already discussed.

Link to sales thread: http://www.hackforums.net/showthread.php?tid=3088446
(lol poor kid closed the thread)
Newer thread: http://www.hackforums.net/showthread.php?tid=3203361

Malware Sample http://www.sendspace.com/file/xq74qt

inb4 this isn't the real file.
Well, yes it is, otherwise it wouldn't be making HWID checks.
[Image: dXo8oz5.png]

Please direct your attention to this Anubis scan report: http://anubis.iseclab.org/?action=result...ormat=html

The first time it is executed, the file copies itself to AppData:
\Device\HarddiskVolume1\Documents and Settings\Administrator\Application Data\fileprotector\

Registry Values Added:
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1094da8-30a0-11dd-817b-806d6172696f}\
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1094daa-30a0-11dd-817b-806d6172696f}\

The coder of this backdoor is actually smart, and this is a unique method I have not encountered a lot. So first let me explain what MountPoints2 is. It is a per-user registry key (note that it sits under HKU\<SID>) that stores data about the volumes and USB devices the user has mounted; however, it can also be used to save information about autorun actions for those volumes. So now direct your attention to the mapped files at the bottom of the Anubis report.
\Device\HarddiskVolume1\FileProtector\FileProtector.exe

As you can clearly see, this file registers itself as a drive to be autorun on system startup. To further confirm this, you can also see that the file issues device-control requests to MountPointManager.

Okay, so let's analyze this further.
[Image: MfytRSv.png]

Quickly read the summaries of these Windows functions if you are unfamiliar with them:
VirtualAllocEx: http://msdn.microsoft.com/en-ca/library/...85%29.aspx
WriteProcessMemory: http://msdn.microsoft.com/en-ca/library/...85%29.aspx

What VirtualAllocEx does is allocate a region of memory inside the address space of another process (the target process is passed as a handle; it is not a new process), and as you can see the region is sized exactly to the main file. The szExeFile and dwSize parameters confirm this. It appears as if this program is trying to inject itself into another program's memory.

Now here is where the proof comes:
[Image: koWvnh6.png]

CreateRemoteThread: http://msdn.microsoft.com/en-ca/library/...85%29.aspx

So the file creates a thread inside the virtual address space of another process, with the thread starting at the memory it just wrote there. This completes the injection: the code now runs inside explorer.exe or any other legitimate system process, where it is hidden.

As you can also see, IsDebuggerPresent() is called right before dropping the payload. From all my years of experience, I cannot think of any reason why a legitimate program would check for a debugger or sandbox before dropping a file.

Now here is the source for the network information: http://www.hackforums.net/showthread.php...id30542839
The file downloads two text files, http://142.0.36.38/u/main.txt and http://142.0.36.37/u/usft_ext.txt. These hosts are no longer valid, as Carbon stopped spreading his old version, but the sample does indeed attempt to download them. Another user uploaded the files prior to this:
usft_ext.txt http://ge.tt/api/1/files/2QrHrnY/0/blob?download
main.txt http://ge.tt/api/1/files/2s6EtnY/0/blob?download

Here is something interesting: the downloaded file ends up having its extension changed from .TXT to .DLL.
[Image: 3044bff0ee85c4921b9626adb3eb6528.png]
Take a look at what this user had to say about that: http://www.hackforums.net/showthread.php...id30678114

So what is happening? What does this backdoor do?
Well, it is a silent Bitcoin miner.
usft_ext.txt is renamed to usft_ext.dll
main.txt is renamed to main.exe

Just to be sure: I actually have a recent Ufasoft mining client on my computer, so I compared the sizes of usft_ext.txt and main.txt to the real files Ufasoft uses.
[Image: ic1xW1MENeaS0.png]
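As an added example (not code from the original post or from OSIRIS Security), here is a small Python triage script for the two downloaded "text" files and for the injection behaviour described above. It checks whether a file is really a PE image regardless of its .txt extension and whether it is a DLL or an EXE, looks for the VirtualAllocEx / WriteProcessMemory / CreateRemoteThread / IsDebuggerPresent names as plain strings, and compares size and SHA-256 against a reference copy of the genuine Ufasoft file. All sample bytes in the block are constructed for the demo; they are not the real main.txt or usft_ext.txt, and the string scan is only a heuristic, since a packed binary will not show the API names in the clear.

```python
import hashlib
import struct

# Constructed example for illustration; not the post's own code or data.
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000

INJECTION_APIS = (b"VirtualAllocEx", b"WriteProcessMemory", b"CreateRemoteThread")
ANTI_DEBUG_APIS = (b"IsDebuggerPresent",)


def pe_info(data):
    """Parse the DOS and COFF headers; return a dict, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, _, _, _, _, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": machine,
        "sections": nsections,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "is_exe": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE) and not (chars & IMAGE_FILE_DLL),
    }


def api_strings(data):
    """Heuristic: which of the interesting API names appear as plain ASCII.
    A packed or obfuscated binary hides them, so absence proves nothing."""
    return [n.decode() for n in INJECTION_APIS + ANTI_DEBUG_APIS if n in data]


def compare_to_reference(data, reference):
    """Same size and same SHA-256 as the genuine file the analyst supplies?"""
    return {
        "size_match": len(data) == len(reference),
        "sha256_match": hashlib.sha256(data).digest() == hashlib.sha256(reference).digest(),
    }


def triage(name, data, reference=None):
    """Combine the checks into one verdict dict for a single file."""
    info = pe_info(data)
    verdict = {"name": name, "pe": info, "apis": api_strings(data)}
    if reference is not None:
        verdict.update(compare_to_reference(data, reference))
    # A .txt that parses as a PE is exactly the masquerade described above.
    verdict["masquerading"] = name.lower().endswith(".txt") and info is not None
    return verdict


def make_sample(characteristics, tail=b""):
    """Build a minimal MZ/PE header (constructed test data, not real malware)."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3A)          # DOS header up to e_lfanew
    hdr += struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    hdr += b"PE\0\0"                                # NT signature at 0x40
    hdr += struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, characteristics)
    return bytes(hdr) + tail


# Constructed stand-ins for the downloaded files: an EXE carrying the API
# names, a DLL, and a genuinely harmless text file for contrast.
SAMPLES = {
    "main.txt": make_sample(IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE,
                            b"\0".join(INJECTION_APIS + ANTI_DEBUG_APIS)),
    "usft_ext.txt": make_sample(IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_DLL),
    "readme.txt": b"just a text file\n",
}


def run_all():
    """Triage every constructed sample; returns {name: verdict}."""
    return {name: triage(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for verdict in run_all().values():
        print(verdict)
```

To use it on the real files, read main.txt and usft_ext.txt from disk in place of SAMPLES and pass the genuine main.exe and usft_ext.dll from a clean Ufasoft install as the reference argument; a size match with a hash mismatch is the case worth a closer look.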

Motive?
He did this just before his rep fuck and ban ( http://www.hackforums.net/showthread.php...id29945192 ). Clearly he wouldn't care about infecting members of this community. The new version of FileProtector may have the backdoor removed; however, he definitely backdoored this version.

inb4 lots of negative rep but I don't care. The members of this community deserve to know this and be safe.

Here are other users who feel the exact same way I do:
http://www.hackforums.net/showthread.php...id29949644
http://www.hackforums.net/showthread.php...id30678114
http://www.hackforums.net/showthread.php...id29953017
http://www.hackforums.net/showthread.php...id30542839
http://www.hackforums.net/showthread.php...id31015693
http://www.hackforums.net/showthread.php...id31845618

Link to v5.4 to 6.1 for further analysis: http://www.mediafire.com/?igwuyq191ass6qx (pass = punks)