Here are 7 binaries for the Skynet Tor botnet, aka Trojan.Tbot. Claudio's analysis is wonderfully detailed; I just added pcaps and a few words in the description.
Read more here:
Rapid7. Claudio Guarnieri. Skynet, a Tor-powered botnet straight from Reddit
Files
- 2E1814CCCF0C3BB2CC32E0A0671C0891 17.1 MB Coldplay-Live_2012-2012-BriBerY.exe_
- 5375fb5e867680ffb8e72d29db9abbd5 15 MB FileMaker_Server_Advanced_v12.0.1_MULTiLANGUAGE-CYGiSO.exe_
- A0552D1BC1A4897141CFA56F75C04857 10 MB SpeedCommander.v14.40.Incl.Keygen-MESMERiZE.exe_
- 191B26BAFDF58397088C88A1B3BAC5A6 14.9 MB tor.exe_
- 519ED597B22D46EF8029C0720206E9D5 14.8 MB UEStudio.v12.20.0.1002.Incl.Keygen-MESMERiZE.exe_
- 23AAB9C1C462F3FDFDDD98181E963230 14.9 MB ysahu.ex_
- fc7c3e087789824f34a9309da2388ce5 11.3 MB Z.wie.Zorro.S01E03.Der.Brandstifter.GERMAN.ANiME.FS.DVDRip.XViD-aWake.exe_
The files are very large but contain no video or other entertainment material; they are simply padded with zeros.
Download
Download all 7 files above (new link). Email me if you need the password.
Download all the created / dropped files for 2E1814CCCF0C3BB2CC32E0A0671C0891 (new link)
Available pcaps -- Download (new link) (no password)
4.08 MB tbot_2E1814CCCF0C3BB2CC32E0A0671C0891.pcap
3.24 MB tbot_23AAB9C1C462F3FDFDDD98181E963230.pcap
7.55 MB tbot_191B26BAFDF58397088C88A1B3BAC5A6.pcap
5.19 MB tbot_5375FB5E867680FFB8E72D29DB9ABBD5.pcap
3.97 MB tbot_A0552D1BC1A4897141CFA56F75C04857.pcap
7.43 MB tbot_FC7C3E087789824F34A9309DA2388CE5.pcap
Automatic scans
https://www.virustotal.com/file/12359624ee184639aef4ccca03751ae9ce1371512de52a3a4bfda1970edd0c60/analysis/1356590536/
SHA256: 12359624ee184639aef4ccca03751ae9ce1371512de52a3a4bfda1970edd0c60
SHA1: 93cf1d65e0374410a9a827256a923fdb8f5f38ca
MD5: a0552d1bc1a4897141cfa56f75c04857
File size: 10.0 MB ( 10491998 bytes )
File name: vti-rescan
File type: Win32 EXE
Detection ratio: 12 / 44
Analysis date: 2012-12-27 06:42:16 UTC ( 1 minute ago )
AntiVir TR/Drop.Injector.gmtj 20121226
Avast Win32:FakeAV-EEX [Trj] 20121227
AVG Win32/Cryptor 20121226
CAT-QuickHeal TrojanDropper.Injector.gmtj 20121227
ESET-NOD32 a variant of Win32/Injector.YYR 20121226
Fortinet W32/Injector.YYR!tr 20121227
GData Win32:FakeAV-EEX 20121227
Ikarus Trojan.SuspectCRC 20121227
Kaspersky Trojan-Dropper.Win32.Injector.gmtj 20121227
Panda Trj/CI.A 20121226
TrendMicro-HouseCall TROJ_GEN.R47B1LM 20121227
VIPRE Trojan.Win32.Generic!BT 20121227
https://www.virustotal.com/file/d5aa610a046132f43e3efeb47a0edce10c2d99a641eda8e1d6635f8b9dab44d3/analysis/1356590487/
SHA256: d5aa610a046132f43e3efeb47a0edce10c2d99a641eda8e1d6635f8b9dab44d3
SHA1: 21ff7e6c1bc9fb2977f45cde72599a831be3af03
MD5: 2e1814cccf0c3bb2cc32e0a0671c0891
File size: 17.1 MB ( 17949744 bytes )
File name: vti-rescan
File type: Win32 EXE
Detection ratio: 25 / 44
Analysis date: 2012-12-27 06:41:27 UTC ( 1 minute ago )
AhnLab-V3 Dropper/Win32.Injector 20121226
AntiVir TR/FakeAV.92.391 20121226
Avast Win32:FakeAV-EEX [Trj] 20121227
AVG Dropper.Generic7.TIN 20121226
BitDefender Gen:Variant.FakeAV.92 20121227
CAT-QuickHeal TrojanDropper.Injector.ggbl 20121227
Comodo UnclassifiedMalware 20121227
ESET-NOD32 a variant of Win32/Injector.YYR 20121226
F-Secure Gen:Variant.FakeAV.92 20121227
Fortinet W32/Injector.YYR 20121227
GData Gen:Variant.FakeAV.92 20121227
Ikarus Trojan.SuspectCRC 20121227
K7AntiVirus Riskware 20121226
Kaspersky Trojan-Dropper.Win32.Injector.ggbl 20121227
McAfee Artemis!2E1814CCCF0C 20121227
McAfee-GW-Edition Artemis!2E1814CCCF0C 20121226
MicroWorld-eScan Gen:Variant.FakeAV.92 20121227
Norman W32/Troj_Generic.FPNGA 20121226
Panda Trj/CI.A 20121226
Symantec WS.Reputation.1 20121227
TrendMicro TROJ_GEN.RCBZ7LB 20121227
TrendMicro-HouseCall TROJ_GEN.RCBZ7LB 20121227
VBA32 Trojan-Dropper.Injector.ggbl 20121226
VIPRE Trojan.Win32.Generic!BT 20121227
ViRobot Dropper.A.Injector.17949744 20121227
Others have similar detection - mostly generic for this type of malware.
19/45 https://www.virustotal.com/file/4eb9799a2c4febffb81260abb889c909b4eaa28344a4e708d2b3231985311ec3/analysis/1356590570/
34/45 https://www.virustotal.com/file/ab8b7a7e6d5e2f98e85489c0d71e005842c3a6e085f8c4dd9f3011bfc9dbc18d/analysis/1356590585/
13/45 https://www.virustotal.com/file/9646ebf177136d9a1b3c08aad6b05ce2fca96c6e7a0d32f68d0218b9fe0c40b8/analysis/1356590598/
21/45 https://www.virustotal.com/file/e46ad827327bdcf841d0eea03675e2f7b3eafbe3a9b8fab96a9e3df586480870/analysis/1356590507/
13/45 https://www.virustotal.com/file/9646ebf177136d9a1b3c08aad6b05ce2fca96c6e7a0d32f68d0218b9fe0c40b8/analysis/
File description
Domains for each sample
191B26BAFDF58397088C88A1B3BAC5A6 4kijo4rr4b6p6uv5.onion
23AAB9C1C462F3FDFDDD98181E963230 jtjoxo3uo3mh35kw.onion
2E1814CCCF0C3BB2CC32E0A0671C0891 c24dsyw5qwcbohtv.onion
519ED597B22D46EF8029C0720206E9D5 465z2el27gv4ls74.onion
5375FB5E867680FFB8E72D29DB9ABBD5 jnc6zswe3w6siqn2.onion
A0552D1BC1A4897141CFA56F75C04857 blm6o2rzv4ucdq4m.onion
FC7C3E087789824F34A9309DA2388CE5 enklhhn44mk2s6rc.onion
Active Connections
Proto Local Address Foreign Address State PID
TCP 127.0.0.1:2064 127.0.0.1:2065 ESTABLISHED 2376
[IEXPLORE.EXE]
TCP 127.0.0.1:2065 127.0.0.1:2064 ESTABLISHED 2376
[IEXPLORE.EXE]
TCP 127.0.0.1:2069 127.0.0.1:9050 ESTABLISHED 2860
[IEXPLORE.EXE]
TCP 127.0.0.1:9050 127.0.0.1:2069 ESTABLISHED 2376
[IEXPLORE.EXE]
TCP 172.16.253.130:2100 204.45.139.123:443 ESTABLISHED 2376
[IEXPLORE.EXE]
TCP 172.16.253.130:2103 82.96.35.6:443 ESTABLISHED 2376
[IEXPLORE.EXE]
TCP 172.16.253.130:2104 109.105.109.163:44945 ESTABLISHED 2376
[IEXPLORE.EXE]
TCP 127.0.0.1:2147 127.0.0.1:42349 CLOSE_WAIT 1592
[Explorer.EXE]
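As an added example (not part of the original post or of Claudio's analysis), the listing above can be triaged mechanically: the script below parses a netstat -b style dump, constructed here from the post's own Active Connections table, and reports which processes own or talk to the local Tor SOCKS port (9050 is Tor's default SocksPort) together with the external peers those PIDs reached. A browser image such as IEXPLORE.EXE sitting on 9050 is the host-side tell a responder would pivot on.

```python
import re

# Constructed copy of the post's "Active Connections" table, in the
# netstat -b layout: a connection line followed by the owning image name.
NETSTAT = """\
TCP 127.0.0.1:2064 127.0.0.1:2065 ESTABLISHED 2376
[IEXPLORE.EXE]
TCP 127.0.0.1:2065 127.0.0.1:2064 ESTABLISHED 2376
[IEXPLORE.EXE]
TCP 127.0.0.1:2069 127.0.0.1:9050 ESTABLISHED 2860
[IEXPLORE.EXE]
TCP 127.0.0.1:9050 127.0.0.1:2069 ESTABLISHED 2376
[IEXPLORE.EXE]
TCP 172.16.253.130:2100 204.45.139.123:443 ESTABLISHED 2376
[IEXPLORE.EXE]
TCP 172.16.253.130:2103 82.96.35.6:443 ESTABLISHED 2376
[IEXPLORE.EXE]
TCP 172.16.253.130:2104 109.105.109.163:44945 ESTABLISHED 2376
[IEXPLORE.EXE]
TCP 127.0.0.1:2147 127.0.0.1:42349 CLOSE_WAIT 1592
[Explorer.EXE]
"""

TOR_SOCKS_PORT = 9050  # Tor's default SocksPort, bound on loopback in the dump above

def parse_netstat(text):
    """Return (proto, laddr, lport, raddr, rport, state, pid, image) rows."""
    rows, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)$", line)
        if m:
            p, la, lp, ra, rp, st, pid = m.groups()
            pending = (p, la, int(lp), ra, int(rp), st, int(pid))
        elif line.startswith("[") and pending:  # image name belongs to the row before it
            rows.append(pending + (line.strip("[]"),))
            pending = None
    return rows

def tor_suspects(rows, socks_port=TOR_SOCKS_PORT):
    """Map pid -> image for processes on either end of a loopback SOCKS connection."""
    suspects = {}
    for _, laddr, lport, raddr, rport, _, pid, image in rows:
        loopback = laddr.startswith("127.") and raddr.startswith("127.")
        if loopback and socks_port in (lport, rport):
            suspects[pid] = image
    return suspects

def external_peers(rows, pids):
    """Sorted non-loopback peers reached by the given PIDs (likely Tor guard/relay hops)."""
    return sorted({f"{r[3]}:{r[4]}" for r in rows if r[6] in pids and not r[3].startswith("127.")})
```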
File changes
Red - << old, classic, pre-Citadel Zeus
Blue - << tbot
%USERPROFILE%\Application Data\Microsoft\Address Book\Laura.wab
%USERPROFILE%\Application Data\Microsoft\Address Book\Laura.wab~
%USERPROFILE%\Application Data\Kynir\tonob.exe < copy of the original dropper
%USERPROFILE%\Application Data\tor\cached-certs
%USERPROFILE%\Application Data\tor\cached-consensus
%USERPROFILE%\Application Data\tor\cached-descriptors
%USERPROFILE%\Application Data\tor\cached-descriptors.new
%USERPROFILE%\Application Data\tor\hidden_service\hostname
%USERPROFILE%\Application Data\tor\hidden_service\private_key
%USERPROFILE%\Application Data\tor\lock
%USERPROFILE%\Application Data\tor\state
%USERPROFILE%\Local Settings\Application Data\Identities\{2C885C6E-EF41-44B6-8DF1-67B7CC85A1F4}\Microsoft\Outlook Express\Folders.dbx
%USERPROFILE%\Local Settings\Application Data\Identities\{2C885C6E-EF41-44B6-8DF1-67B7CC85A1F4}\Microsoft\Outlook Express\Inbox.dbx
%USERPROFILE%\Local Settings\Application Data\Identities\{2C885C6E-EF41-44B6-8DF1-67B7CC85A1F4}\Microsoft\Outlook Express\Offline.dbx
%USERPROFILE%\Local Settings\Application Data\Identities\{2C885C6E-EF41-44B6-8DF1-67B7CC85A1F4}\Microsoft\Outlook Express\Sent Items.dbx
%USERPROFILE%\Local Settings\Temp\OpenCL.dll
%USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\1Y7JRJG6\test[1].txt
%USERPROFILE%\Application Data\Egoffi\poofd.tmp
Deleted files
%USERPROFILE%\Application Data\tor\cached-descriptors
%USERPROFILE%\Application Data\tor\cached-descriptors.new
%USERPROFILE%\Application Data\tor\hidden_service\hostname
%USERPROFILE%\Application Data\tor\state
%USERPROFILE%\Application Data\tor\unverified-consensus
%USERPROFILE%\Cookies\laura@accounts.google[2].txt (plus all other cookies)
%USERPROFILE%\Local Settings\Temp\MPS9.tmp
%USERPROFILE%\Local Settings\Temp\tmp1c031ecd.bat
%USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\17K91ZPH\gate[1].htm
%USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\1Y7JRJG6\config[1].bin
%USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\1Y7JRJG6\gate[1].htm
%USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\1Y7JRJG6\webhp[1].txt
State
# Tor state file last generated on 2012-12-23 21:40:56 local time
# Other times below are in GMT
# You *do not* need to edit this file.
TorVersion Tor 0.2.2.35 (git-b04388f9e7546a9f)
LastWritten 2012-12-24 02:40:56
"When the Trojan is executed, it creates the following files:
C:\Documents and Settings\Administrator\Application Data\[RANDOM CHARACTERS FOLDER NAME]\[RANDOM CHARACTERS FILE NAME].exe
C:\Documents and Settings\Administrator\Application Data\[RANDOM CHARACTERS FOLDER NAME]\[RANDOM CHARACTERS FILE NAME].tmp
C:\Documents and Settings\Administrator\Application Data\[RANDOM CHARACTERS FOLDER NAME]\[RANDOM CHARACTERS FILE NAME].upp
C:\Documents and Settings\Administrator\Application Data\tor\cached-certs
C:\Documents and Settings\Administrator\Application Data\tor\cached-consensus
C:\Documents and Settings\Administrator\Application Data\tor\cached-descriptors
C:\Documents and Settings\Administrator\Application Data\tor\cached-descriptors.new
C:\Documents and Settings\Administrator\Application Data\tor\hidden_service\hostname
C:\Documents and Settings\Administrator\Application Data\tor\hidden_service\private_key
C:\Documents and Settings\Administrator\Application Data\tor\lock
C:\Documents and Settings\Administrator\Application Data\tor\state
C:\Documents and Settings\Administrator\Local Settings\Temp\OpenCL.dll
The Trojan then creates the following registry entry:
HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\CurrentVersion\Run\{58918AFF-36B7-5CDE-6038-278B35A6192F}: "C:\Documents and Settings\Administrator\Application Data\[RANDOM CHARACTERS FOLDER NAME]\[RANDOM CHARACTERS FILE NAME].exe"
The Trojan copies itself to the following location:
%UserProfile%\Application Data
The Trojan creates a directory with a random name and renames itself with a random string.
The Trojan injects itself into an svchost.exe process and terminates the original process.
The Trojan connects to an IRC channel and receives commands which may perform the following actions:
Steal information from the compromised computer and send it to the remote attacker
Download and execute files from a remote location
Download and inject files into a running process
Connect to an arbitrary URL
Set up a SOCKS proxy
Support denial-of-service attacks
The Trojan drops the following files:
Tor: A network client for the Tor anonymous network that is used to route and hide all the network traffic the threat sends to the IRC C&C server
Trojan.Zbot: An additional threat installed by Trojan.Tbot
CGMiner: An open source bitcoin mining tool used for performing CPU intensive work in exchange for Bitcoin currency"