
Thursday, December 27, 2012

Dec. 2012 Skynet Tor botnet / Trojan.Tbot samples



Here are 7 binaries for the Skynet Tor botnet, aka Trojan.Tbot. Claudio's analysis is wonderfully detailed; I have only added pcaps and a few words in the description.

Read more here:
Rapid7, Claudio Guarnieri: "Skynet, a Tor-powered botnet straight from Reddit"



Files



  • 2E1814CCCF0C3BB2CC32E0A0671C0891 17.1 MB Coldplay-Live_2012-2012-BriBerY.exe_
  • 5375fb5e867680ffb8e72d29db9abbd5 15 MB FileMaker_Server_Advanced_v12.0.1_MULTiLANGUAGE-CYGiSO.exe_
  • A0552D1BC1A4897141CFA56F75C04857 10 MB SpeedCommander.v14.40.Incl.Keygen-MESMERiZE.exe_
  • 191B26BAFDF58397088C88A1B3BAC5A6 14.9 MB tor.exe_
  • 519ED597B22D46EF8029C0720206E9D5 14.8 MB UEStudio.v12.20.0.1002.Incl.Keygen-MESMERiZE.exe_
  • 23AAB9C1C462F3FDFDDD98181E963230 14.9 MB ysahu.ex_
  • fc7c3e087789824f34a9309da2388ce5 11.3 MB Z.wie.Zorro.S01E03.Der.Brandstifter.GERMAN.ANiME.FS.DVDRip.XViD-aWake.exe_


The files are very large but contain no video or other entertainment material; they are simply padded with zeros to reach that size.


Download


  Download all 7 files above (new link). Email me if you need the password.

  Download all the created / dropped files for 2E1814CCCF0C3BB2CC32E0A0671C0891 (new link)

  Available pcaps: Download (new link, no password)

4.08 MB tbot_2E1814CCCF0C3BB2CC32E0A0671C0891.pcap
3.24 MB tbot_23AAB9C1C462F3FDFDDD98181E963230.pcap
7.55 MB tbot_191B26BAFDF58397088C88A1B3BAC5A6.pcap
5.19 MB tbot_5375FB5E867680FFB8E72D29DB9ABBD5.pcap
3.97 MB tbot_A0552D1BC1A4897141CFA56F75C04857.pcap
7.43 MB tbot_FC7C3E087789824F34A9309DA2388CE5.pcap




File description

Domains for each sample (MD5 and the .onion address the sample uses)

191B26BAFDF58397088C88A1B3BAC5A6  4kijo4rr4b6p6uv5.onion
23AAB9C1C462F3FDFDDD98181E963230  jtjoxo3uo3mh35kw.onion
2E1814CCCF0C3BB2CC32E0A0671C0891  c24dsyw5qwcbohtv.onion
519ED597B22D46EF8029C0720206E9D5  465z2el27gv4ls74.onion
5375FB5E867680FFB8E72D29DB9ABBD5  jnc6zswe3w6siqn2.onion
A0552D1BC1A4897141CFA56F75C04857  blm6o2rzv4ucdq4m.onion
FC7C3E087789824F34A9309DA2388CE5  enklhhn44mk2s6rc.onion


Active Connections (netstat output on the infected host; 127.0.0.1:9050 is the Tor SOCKS port, served here from inside IEXPLORE.EXE)


  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:2064         127.0.0.1:2065         ESTABLISHED     2376
  [IEXPLORE.EXE]

  TCP    127.0.0.1:2065         127.0.0.1:2064         ESTABLISHED     2376
  [IEXPLORE.EXE]

  TCP    127.0.0.1:2069         127.0.0.1:9050         ESTABLISHED     2860
  [IEXPLORE.EXE]

  TCP    127.0.0.1:9050         127.0.0.1:2069         ESTABLISHED     2376
  [IEXPLORE.EXE]

  TCP    172.16.253.130:2100    204.45.139.123:443     ESTABLISHED     2376
  [IEXPLORE.EXE]

  TCP    172.16.253.130:2103    82.96.35.6:443         ESTABLISHED     2376
  [IEXPLORE.EXE]

  TCP    172.16.253.130:2104    109.105.109.163:44945  ESTABLISHED     2376
  [IEXPLORE.EXE]

  TCP    127.0.0.1:2147         127.0.0.1:42349        CLOSE_WAIT      1592
  [Explorer.EXE]
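The listing above is the kind of thing a responder wants to triage automatically. As an added example (not code from this post or from Claudio's analysis), the script below parses netstat -anob style output, finds the image that owns Tor's default SOCKS port 9050 on loopback, the PIDs proxying through it, and the owner's external peers; a Tor listener living inside a browser image rather than tor.exe is the tell. The sample text is a constructed subset of the listing above; the field names and the report keys are my own.

```python
import re
from collections import namedtuple

TOR_SOCKS_PORT = 9050  # Tor client's default SOCKS listener; the sample reaches it over loopback

# Constructed sample: a subset of the netstat -anob listing shown above (TCP rows only).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:2069         127.0.0.1:9050         ESTABLISHED     2860
  [IEXPLORE.EXE]
  TCP    127.0.0.1:9050         127.0.0.1:2069         ESTABLISHED     2376
  [IEXPLORE.EXE]
  TCP    172.16.253.130:2100    204.45.139.123:443     ESTABLISHED     2376
  [IEXPLORE.EXE]
  TCP    127.0.0.1:2147         127.0.0.1:42349        CLOSE_WAIT      1592
  [Explorer.EXE]
"""

Conn = namedtuple("Conn", "proto laddr lport raddr rport state pid image")
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def parse_netstat(text):
    """Pair each address line with the bracketed image name that netstat -b prints under it."""
    rows, pending = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            if pending:                       # previous entry had no image line
                rows.append(Conn(*pending, ""))
            proto, la, lp, ra, rp, st, pid = m.groups()
            pending = (proto, la, int(lp), ra, int(rp), st, int(pid))
        elif pending and line.strip().startswith("["):
            rows.append(Conn(*pending, line.strip().strip("[]")))
            pending = None
    if pending:
        rows.append(Conn(*pending, ""))
    return rows

def find_tor_proxy_use(rows):
    """Report who serves the SOCKS port, who talks to it, and where the server goes externally."""
    owner = {(r.pid, r.image) for r in rows if r.laddr == "127.0.0.1" and r.lport == TOR_SOCKS_PORT}
    clients = {(r.pid, r.image) for r in rows if r.raddr == "127.0.0.1" and r.rport == TOR_SOCKS_PORT}
    owner_pids = {pid for pid, _ in owner}
    peers = sorted((r.raddr, r.rport) for r in rows
                   if r.pid in owner_pids and not r.raddr.startswith("127."))
    return {"socks_owner": sorted(owner), "socks_clients": sorted(clients),
            "owner_external_peers": peers,
            "non_tor_owner": sorted(img for _, img in owner if img.lower() != "tor.exe")}
```

Run it over a saved `netstat -anob` capture from a suspect host; the external peers of the SOCKS owner are the Tor entry relays to pull from the pcap.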

File changes
Red: old, classic, pre-Citadel Zeus
Blue: tbot


%USERPROFILE%\Application Data\Microsoft\Address Book\Laura.wab
%USERPROFILE%\Application Data\Microsoft\Address Book\Laura.wab~
%USERPROFILE%\Application Data\Kynir\tonob.exe < copy of the original dropper
%USERPROFILE%\Application Data\tor\cached-certs
%USERPROFILE%\Application Data\tor\cached-consensus
%USERPROFILE%\Application Data\tor\cached-descriptors
%USERPROFILE%\Application Data\tor\cached-descriptors.new
%USERPROFILE%\Application Data\tor\hidden_service\hostname
%USERPROFILE%\Application Data\tor\hidden_service\private_key
%USERPROFILE%\Application Data\tor\lock
%USERPROFILE%\Application Data\tor\state

%USERPROFILE%\Local Settings\Application Data\Identities\{2C885C6E-EF41-44B6-8DF1-67B7CC85A1F4}\Microsoft\Outlook Express\Folders.dbx
%USERPROFILE%\Local Settings\Application Data\Identities\{2C885C6E-EF41-44B6-8DF1-67B7CC85A1F4}\Microsoft\Outlook Express\Inbox.dbx
%USERPROFILE%\Local Settings\Application Data\Identities\{2C885C6E-EF41-44B6-8DF1-67B7CC85A1F4}\Microsoft\Outlook Express\Offline.dbx
%USERPROFILE%\Local Settings\Application Data\Identities\{2C885C6E-EF41-44B6-8DF1-67B7CC85A1F4}\Microsoft\Outlook Express\Sent Items.dbx
%USERPROFILE%\Local Settings\Temp\OpenCL.dll
%USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\1Y7JRJG6\test[1].txt
%USERPROFILE%\Application Data\Egoffi\poofd.tmp

Deleted files
%USERPROFILE%\Application Data\tor\cached-descriptors
%USERPROFILE%\Application Data\tor\cached-descriptors.new
%USERPROFILE%\Application Data\tor\hidden_service\hostname
%USERPROFILE%\Application Data\tor\state
%USERPROFILE%\Application Data\tor\unverified-consensus
%USERPROFILE%\Cookies\laura@accounts.google[2].txt (plus all other cookies)
%USERPROFILE%\Local Settings\Temp\MPS9.tmp
%USERPROFILE%\Local Settings\Temp\tmp1c031ecd.bat
%USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\17K91ZPH\gate[1].htm
%USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\1Y7JRJG6\config[1].bin
%USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\1Y7JRJG6\gate[1].htm
%USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\1Y7JRJG6\webhp[1].txt

State (contents of %USERPROFILE%\Application Data\tor\state)
# Tor state file last generated on 2012-12-23 21:40:56 local time
# Other times below are in GMT
# You *do not* need to edit this file.
TorVersion Tor 0.2.2.35 (git-b04388f9e7546a9f)
LastWritten 2012-12-24 02:40:56


"When the Trojan is executed, it creates the following files:

C:\Documents and Settings\Administrator\Application Data\[RANDOM CHARACTERS FOLDER NAME]\[RANDOM CHARACTERS FILE NAME].exe
C:\Documents and Settings\Administrator\Application Data\[RANDOM CHARACTERS FOLDER NAME]\[RANDOM CHARACTERS FILE NAME].tmp
C:\Documents and Settings\Administrator\Application Data\[RANDOM CHARACTERS FOLDER NAME]\[RANDOM CHARACTERS FILE NAME].upp
C:\Documents and Settings\Administrator\Application Data\tor\cached-certs
C:\Documents and Settings\Administrator\Application Data\tor\cached-consensus
C:\Documents and Settings\Administrator\Application Data\tor\cached-descriptors
C:\Documents and Settings\Administrator\Application Data\tor\cached-descriptors.new
C:\Documents and Settings\Administrator\Application Data\tor\hidden_service\hostname
C:\Documents and Settings\Administrator\Application Data\tor\hidden_service\private_key
C:\Documents and Settings\Administrator\Application Data\tor\lock
C:\Documents and Settings\Administrator\Application Data\tor\state
C:\Documents and Settings\Administrator\Local Settings\Temp\OpenCL.dll
The Trojan then creates the following registry entry:
HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\CurrentVersion\Run\{58918AFF-36B7-5CDE-6038-278B35A6192F}: "C:\Documents and Settings\Administrator\Application Data\[RANDOM CHARACTERS FOLDER NAME]\[RANDOM CHARACTERS FILE NAME].exe"

The Trojan copies itself to the following location:
%UserProfile%\Application Data

The Trojan creates a directory with a random name and renames itself with a random string.

The Trojan injects itself into an svchost.exe process and terminates the original process.

The Trojan connects to an IRC channel and receives commands which may perform the following actions:

  • Steal information from the compromised computer and send it to the remote attacker
  • Download and execute files from a remote location
  • Download and inject files into a running process
  • Connect to an arbitrary URL
  • Set up a SOCKS proxy
  • Support denial-of-service attacks

The Trojan drops the following files:

  • Tor: A network client for the Tor anonymous network that is used to route and hide all the network traffic the threat sends to the IRC C&C server
  • Trojan.Zbot: An additional threat installed by Trojan.Tbot
  • CGMiner: An open source bitcoin mining tool used for performing CPU intensive work in exchange for Bitcoin currency"
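The quoted description gives two host artifacts worth checking for on a suspect machine: a Run value named like a GUID whose command points under Application Data, and Tor's hidden_service key material inside a user profile. As an added example (not from this post or the quoted vendor text), the checker below matches both against a Run-key export and a file listing; the GUID value name is the one quoted above, the folder and file names in the sample data are made up, and the AppData\Roaming alternative is my generalization for later Windows versions.

```python
import re

# Heuristics from the description above: GUID-named Run value under Application Data,
# plus the Tor data directory with a hidden_service key pair inside the user profile.
GUID_NAME_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
APPDATA_RE = re.compile(r"\\Application Data\\|\\AppData\\Roaming\\", re.I)
TOR_MARKERS = (r"\tor\hidden_service\private_key", r"\tor\hidden_service\hostname", r"\tor\state")

def check_run_values(run_values):
    """run_values: (value name, command) pairs read from a Run key.
    Returns the GUID-named values whose executable sits under Application Data."""
    hits = []
    for name, command in run_values:
        exe = command.strip().strip('"')
        if GUID_NAME_RE.match(name) and APPDATA_RE.search(exe):
            hits.append((name, exe))
    return hits

def check_tor_artifacts(paths):
    """paths: file paths from a profile listing. Returns the Tor client artifacts of the
    kind dropped here; a hidden_service key pair under a user profile is the strongest signal."""
    markers = tuple(m.lower() for m in TOR_MARKERS)
    return sorted(p for p in paths if p.lower().endswith(markers))

def assess(run_values, paths):
    """Combine both checks into a verdict plus the evidence behind it."""
    run_hits = check_run_values(run_values)
    tor_hits = check_tor_artifacts(paths)
    verdict = "tbot-like" if run_hits and tor_hits else "review" if run_hits or tor_hits else "clean"
    return verdict, run_hits, tor_hits

# Constructed sample data modelled on the entries quoted above (folder and file names made up).
SAMPLE_RUN = [
    ("{58918AFF-36B7-5CDE-6038-278B35A6192F}",
     r'"C:\Documents and Settings\Administrator\Application Data\Xqzt\rbnmo.exe"'),
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
]
SAMPLE_PATHS = [
    r"C:\Documents and Settings\Administrator\Application Data\tor\hidden_service\private_key",
    r"C:\Documents and Settings\Administrator\Application Data\tor\state",
    r"C:\Documents and Settings\Administrator\Local Settings\Temp\OpenCL.dll",
]
```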


Automatic scans

https://www.virustotal.com/file/12359624ee184639aef4ccca03751ae9ce1371512de52a3a4bfda1970edd0c60/analysis/1356590536/

SHA256: 12359624ee184639aef4ccca03751ae9ce1371512de52a3a4bfda1970edd0c60
SHA1: 93cf1d65e0374410a9a827256a923fdb8f5f38ca
MD5: a0552d1bc1a4897141cfa56f75c04857
File size: 10.0 MB ( 10491998 bytes )
File name: vti-rescan
File type: Win32 EXE
Detection ratio: 12 / 44
Analysis date: 2012-12-27 06:42:16 UTC
AntiVir TR/Drop.Injector.gmtj 20121226
Avast Win32:FakeAV-EEX [Trj] 20121227
AVG Win32/Cryptor 20121226
CAT-QuickHeal TrojanDropper.Injector.gmtj 20121227
ESET-NOD32 a variant of Win32/Injector.YYR 20121226
Fortinet W32/Injector.YYR!tr 20121227
GData Win32:FakeAV-EEX 20121227
Ikarus Trojan.SuspectCRC 20121227
Kaspersky Trojan-Dropper.Win32.Injector.gmtj 20121227
Panda Trj/CI.A 20121226
TrendMicro-HouseCall TROJ_GEN.R47B1LM 20121227
VIPRE Trojan.Win32.Generic!BT 20121227



https://www.virustotal.com/file/d5aa610a046132f43e3efeb47a0edce10c2d99a641eda8e1d6635f8b9dab44d3/analysis/1356590487/
SHA256: d5aa610a046132f43e3efeb47a0edce10c2d99a641eda8e1d6635f8b9dab44d3
SHA1: 21ff7e6c1bc9fb2977f45cde72599a831be3af03
MD5: 2e1814cccf0c3bb2cc32e0a0671c0891
File size: 17.1 MB ( 17949744 bytes )
File name: vti-rescan
File type: Win32 EXE
Detection ratio: 25 / 44
Analysis date: 2012-12-27 06:41:27 UTC
AhnLab-V3 Dropper/Win32.Injector 20121226
AntiVir TR/FakeAV.92.391 20121226
Avast Win32:FakeAV-EEX [Trj] 20121227
AVG Dropper.Generic7.TIN 20121226
BitDefender Gen:Variant.FakeAV.92 20121227
CAT-QuickHeal TrojanDropper.Injector.ggbl 20121227
Comodo UnclassifiedMalware 20121227
ESET-NOD32 a variant of Win32/Injector.YYR 20121226
F-Secure Gen:Variant.FakeAV.92 20121227
Fortinet W32/Injector.YYR 20121227
GData Gen:Variant.FakeAV.92 20121227
Ikarus Trojan.SuspectCRC 20121227
K7AntiVirus Riskware 20121226
Kaspersky Trojan-Dropper.Win32.Injector.ggbl 20121227
McAfee Artemis!2E1814CCCF0C 20121227
McAfee-GW-Edition Artemis!2E1814CCCF0C 20121226
MicroWorld-eScan Gen:Variant.FakeAV.92 20121227
Norman W32/Troj_Generic.FPNGA 20121226
Panda Trj/CI.A 20121226
Symantec WS.Reputation.1 20121227
TrendMicro TROJ_GEN.RCBZ7LB 20121227
TrendMicro-HouseCall TROJ_GEN.RCBZ7LB 20121227
VBA32 Trojan-Dropper.Injector.ggbl 20121226
VIPRE Trojan.Win32.Generic!BT 20121227
ViRobot Dropper.A.Injector.17949744 20121227

The other samples have similar detection, mostly generic signatures for this type of malware:

19/45 https://www.virustotal.com/file/4eb9799a2c4febffb81260abb889c909b4eaa28344a4e708d2b3231985311ec3/analysis/1356590570/
34/45 https://www.virustotal.com/file/ab8b7a7e6d5e2f98e85489c0d71e005842c3a6e085f8c4dd9f3011bfc9dbc18d/analysis/1356590585/
13/45 https://www.virustotal.com/file/9646ebf177136d9a1b3c08aad6b05ce2fca96c6e7a0d32f68d0218b9fe0c40b8/analysis/1356590598/
21/45 https://www.virustotal.com/file/e46ad827327bdcf841d0eea03675e2f7b3eafbe3a9b8fab96a9e3df586480870/analysis/1356590507/

