
Malware downloader using some anti-forensics (doesn't work), a UAC bypass method (uacme concept #10), and seemingly full of specific code for various AVs' behaviour detection systems. According to VT there is no meaningful name for it from AVs yet. The loader probably comes from a script kiddie who previously worked on ransomware(s). Nickname "Phobos".

Reviewed by damagelab -> https://damagelab.org/index.php?showtopic=25839 (site unavailable at the moment of post).

Except for the UAC bypass, so far there is nothing interesting in this loader. The malware injects itself into a copy of explorer.exe and, by using IFileOperation autoelevation (triggers UAC when set to max), copies bthudtask.exe to the system32\setup folder. Next it makes a copy of the system dll newdev.dll, patches it with shellcode (EPO + new section) and again with IFileOperation (triggering UAC a 2nd time) copies this dll into system32\setup. Next the loader starts bthudtask.exe with ShellExecuteEx. As a result, classical dll hijacking happens, and since bthudtask.exe is autoelevated, the malware stored inside the patched newdev.dll will be running at High IL. This autoelevation method abuses the way MS did whitelisting with UAC, where it doesn't control the full path to the autoelevated application (while they actually must all be hardcoded) nor control the application-specific dll loading path (even if the application is inside system32 you must control it too), allowing the attacker to do all required manipulations inside the Windows folder, preparing things for successful dll hijacking.

After successful elevation you will see a hit-parade of spawning processes - two copies of explorer.exe for example, or svchost.exe if something went wrong. That circus is not suspicious at all, sarcasm. There was an interesting overview of successful/failed autoelevations in the damagelab post. Statistical data show that most people (in targeted countries) sit under default UAC settings (or with UAC turned off) even on Windows 8.1.

Please don't be shy and submit sample to as many AV companies as you can.

VT dropper

https://www.virustotal.com/en/file/903d299b366ef1ba11538924dd57811aff80b8b91123889b872a098639a8effa/analysis/1431575696/

VT loader part

https://www.virustotal.com/en/file/ad3ba3bcd64aa9670389bedebe328c6874c96f2dea6ec2abb41b8c7537dc3d8d/analysis/1431574970/

Sample courtesy of vaber and R136a1

Dropper and the shellcode-patched newdev.dll in the attachment.

Download (archive password: malware)

Source
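The hijack chain described in the post leaves a small, specific trail: executables and DLLs written into system32\setup, bthudtask.exe started from a directory other than system32, and newdev.dll loaded from that same non-standard directory. The following script is an added detection sketch written for this page, not the loader's code nor anything from damagelab. It runs over constructed, simplified event dictionaries (not real Sysmon or ETW output; the field names `type`, `path`, `image` and `process` are assumptions) and flags the three observable stages of the chain. It assumes bthudtask.exe and newdev.dll normally reside directly in system32, and it generalises slightly beyond the post by flagging any .exe or .dll written into system32\setup, not only the two names used by this loader.

```python
"""
Detection sketch for the autoelevation + DLL-hijack chain described above:
  1. bthudtask.exe and a patched newdev.dll are dropped into system32\setup
  2. bthudtask.exe is started from that directory (autoelevated, High IL)
  3. the process loads newdev.dll from the same directory instead of system32

Added example; events are constructed dicts and field names are assumptions.
"""
import ntpath

SYSTEM32 = r"c:\windows\system32"          # assumed legitimate home of both files
SETUP_DIR = SYSTEM32 + r"\setup"           # drop location named in the post
WATCHED_NAMES = {"bthudtask.exe", "newdev.dll"}


def _norm(path):
    """Lower-case and use backslashes so comparisons are path-style agnostic."""
    return path.replace("/", "\\").lower()


def _dirname(path):
    return ntpath.dirname(_norm(path))


def _basename(path):
    return ntpath.basename(_norm(path))


def check_event(ev):
    """Return a list of finding strings for one event; empty list means benign."""
    findings = []
    kind = ev.get("type")

    if kind == "file_create":
        path = _norm(ev["path"])
        # Stage 1: any executable content written into system32\setup is unusual.
        if _dirname(path) == SETUP_DIR and _basename(path).endswith((".exe", ".dll")):
            findings.append(
                f"executable written to system32\\setup: {path} by {ev.get('process', '?')}"
            )

    elif kind == "process_create":
        image = _norm(ev["image"])
        # Stage 2: a watched system binary running from anywhere but system32.
        if _basename(image) in WATCHED_NAMES and _dirname(image) != SYSTEM32:
            findings.append(f"system binary started from non-system32 path: {image}")

    elif kind == "image_load":
        image = _norm(ev["image"])
        # Stage 3: the DLL is resolved from the binary's own directory (hijack).
        if _basename(image) in WATCHED_NAMES and _dirname(image) != SYSTEM32:
            findings.append(
                f"{_basename(ev['process'])} loaded {_basename(image)} from {_dirname(image)}"
            )

    return findings


def scan(events):
    """Run check_event over a sequence of events and collect all findings."""
    out = []
    for ev in events:
        out.extend(check_event(ev))
    return out


# Constructed sample timeline: four malicious events interleaved with three benign ones.
SAMPLE_EVENTS = [
    {"type": "file_create", "process": r"C:\Windows\explorer.exe",
     "path": r"C:\Windows\System32\setup\bthudtask.exe"},
    {"type": "file_create", "process": r"C:\Windows\explorer.exe",
     "path": r"C:\Windows\System32\setup\newdev.dll"},
    {"type": "file_create", "process": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\bob\Downloads\notes.txt"},                      # benign
    {"type": "process_create", "image": r"C:\Windows\System32\setup\bthudtask.exe"},
    {"type": "image_load", "process": r"C:\Windows\System32\setup\bthudtask.exe",
     "image": r"C:\Windows\System32\setup\newdev.dll"},
    {"type": "image_load", "process": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\newdev.dll"},                      # benign
    {"type": "process_create", "image": r"C:\Windows\System32\bthudtask.exe"},  # benign
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print("ALERT:", line)
```

On the sample timeline the script raises exactly four alerts, one per malicious event, and stays silent on the legitimate bthudtask.exe start and the normal newdev.dll load from system32. Against real telemetry the same three checks map onto file-create, process-create and image-load events; the file-create rule is the cheapest early signal because it fires before the autoelevated process ever runs.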
