
Cridex
General

This malware is currently being distributed through the BlackHole Exploit Kit 2.0 and, like most malware of its class, is built to steal banking credentials and other personal information.

Thanks to unixfreaxjp for the sample.

MD5: ae0bf4502ea084de7f9bee920caed615
SHA256: 60c260cf47ba29f39fe295d0ec9c5ad86348792efaa777ff25393350dd328c5c
SHA1: 60bdb79e9f8d5922ed03f499effc3e83042de0d7
Size: 128.0 KB (131072 bytes)
Name: ae0bf4502ea084de7f9bee920caed615
Type: Win32 EXE
Detections: 33 / 46
Analysis date: 2013-01-28 22:53:23 UTC

Avast Win32:Dropper-MGQ [Drp]
AVG Dropper.Generic7.AKNX
BitDefender Gen:Variant.Symmi.8717
ByteHero Virus.Win32.Heur.c
CAT-QuickHeal Trojan.Bublik.zuk
F-Secure Gen:Variant.Symmi.8717
Fortinet W32/Bublik.ZUK!tr
GData Gen:Variant.Symmi.8717
Ikarus Virus.Win32.CeeInject
Kaspersky Trojan.Win32.Bublik.zuk
Malwarebytes Trojan.Bublik
McAfee PWS-Zbot.gen.afr
Microsoft VirTool:Win32/CeeInject.gen!ID
MicroWorld-eScan Gen:Variant.Symmi.8717
Norman Injector.CZKW
Sophos Mal/ZboCheMan-L
TrendMicro TROJ_INJECT.GR

When the about.exe worm is run, one can observe the creation of the files KB00094432.exe, exp26.tmp and exp26.tmp.bat, and the use of cmd.exe.

 

Looking at its behaviour in more detail, there are routines that identify the operating system the sample is running on.

 

The creation and deletion of these files can likewise be traced. Using CreateProcessA, the sample starts a second instance of about.exe in a suspended state (the CREATE_SUSPENDED creation flag): the process exists, but its main thread has not yet run. This is the first step of the process-hollowing pattern, in which the child's memory is rewritten before the thread is released.

 

It then calls ResumeThread (an export of kernel32.dll, not user32.dll), which sets the previously suspended thread running, and at that point the new files are loaded.

 

Once this is done, the about.exe file is deleted.
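The sequence just described (a second about.exe created suspended, its memory rewritten, ResumeThread, then the original file deleted) is exactly what an analyst looks for in a sandbox API trace. The Python below is an added example, not part of the original analysis or of the sample: it parses a constructed trace in a made-up line format (handle values written as the already resolved pid/tid, which real sandboxes such as Cuckoo or API Monitor would need a different parser for) and flags the suspended-create / memory-write / resume chain and the later deletion of the image the child was started from. The API names it correlates are the standard Win32/Nt ones; the trace lines, pids and paths are invented.

```python
import re

# Added example, not from the original post. Correlates API-trace lines to
# flag process hollowing: CreateProcess* with CREATE_SUSPENDED, memory of the
# child rewritten, then ResumeThread; plus deletion of the hollowed image.
# Trace format is CONSTRUCTED for this example; handles are written as pid/tid.

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit for CreateProcess

# Calls that rewrite a suspended child's image before it is resumed.
INJECTION_CALLS = {
    "NtUnmapViewOfSection", "VirtualAllocEx", "WriteProcessMemory",
    "NtWriteVirtualMemory", "SetThreadContext", "NtSetContextThread",
}

CONSTRUCTED_TRACE = """\
[pid 1804] CreateProcessA(lpApplicationName="C:\\malware\\about.exe", dwCreationFlags=0x00000004) => pid=2216 tid=2220
[pid 1804] NtUnmapViewOfSection(hProcess=2216)
[pid 1804] VirtualAllocEx(hProcess=2216, dwSize=0x20000)
[pid 1804] WriteProcessMemory(hProcess=2216, nSize=0x20000)
[pid 1804] SetThreadContext(hThread=2220)
[pid 1804] ResumeThread(hThread=2220)
[pid 2216] CreateFileA(lpFileName="C:\\Documents and Settings\\Administrador\\Datos de programa\\KB00094432.exe")
[pid 2216] CreateProcessA(lpApplicationName="C:\\WINDOWS\\system32\\cmd.exe", dwCreationFlags=0x00000000) => pid=2300 tid=2304
[pid 2300] DeleteFileA(lpFileName="C:\\malware\\about.exe")
"""

LINE_RE = re.compile(r"\[pid (\d+)\] (\w+)\((.*)\)(?: => (.*))?$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|[^,\s]+)')


def parse_kv(s):
    """Turn 'a=1, b="x y"' into {'a': '1', 'b': 'x y'}."""
    return {k: v.strip('"') for k, v in KV_RE.findall(s or "")}


def parse_trace(text):
    """Yield (caller_pid, api, args dict, return-value dict) per trace line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            caller, api, args, ret = m.groups()
            events.append((int(caller), api, parse_kv(args), parse_kv(ret)))
    return events


def detect_hollowing(text):
    """Return findings for suspended-create -> write -> resume sequences and
    for deletion of the image a suspended child was started from."""
    findings = []
    children = {}      # child pid -> state collected so far
    tid_to_pid = {}    # main-thread id -> child pid (for hThread-based calls)
    for caller, api, args, ret in parse_trace(text):
        if api.startswith("CreateProcess") and "dwCreationFlags" in args and ret:
            if int(args["dwCreationFlags"], 16) & CREATE_SUSPENDED:
                pid, tid = int(ret["pid"]), int(ret["tid"])
                children[pid] = {"tid": tid, "creator": caller,
                                 "image": args.get("lpApplicationName"), "steps": []}
                tid_to_pid[tid] = pid
        elif api in INJECTION_CALLS:
            if "hProcess" in args:
                target = int(args["hProcess"])
            else:
                target = tid_to_pid.get(int(args.get("hThread", "0")))
            if target in children:
                children[target]["steps"].append(api)
        elif api == "ResumeThread":
            target = tid_to_pid.get(int(args.get("hThread", "0")))
            state = children.get(target)
            # Only a suspended child whose memory was actually written counts.
            if state and {"WriteProcessMemory", "NtWriteVirtualMemory"} & set(state["steps"]):
                findings.append({"type": "process_hollowing", "creator": state["creator"],
                                 "target_pid": target, "image": state["image"],
                                 "steps": list(state["steps"])})
        elif api.startswith("DeleteFile"):
            path = args.get("lpFileName")
            for pid, state in children.items():
                if path and state["image"] and path.lower() == state["image"].lower():
                    findings.append({"type": "self_delete", "by_pid": caller,
                                     "image": path, "hollowed_pid": pid})
    return findings


if __name__ == "__main__":
    for finding in detect_hollowing(CONSTRUCTED_TRACE):
        print(finding)
```

A suspended CreateProcess on its own is not flagged (debuggers and installers do that legitimately); the alert needs a write into the child before the resume, and the deletion finding keys on the exact image path the suspended child was launched from.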

 

Once running, the malware patches several Windows API functions that security products rely on, so that those products no longer work correctly:
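A practical check for the API patching described above is to compare each export's first bytes in the running process with the same bytes in the DLL on disk, and decode where any patched entry now jumps. The Python below is an added example, not code from the original post, and runs offline on constructed byte buffers; the function names (FunctionA to FunctionD) and addresses are illustrative, since the page does not say which APIs this sample hooks.

```python
import struct

# Added example, not from the original post. Detects inline hooks by diffing
# in-memory export prologues against the on-disk copy and decoding the
# control transfer a hook installed. Buffers, names and addresses below are
# CONSTRUCTED; 32-bit addresses are assumed.

def make_jmp_rel32(at: int, to: int) -> bytes:
    """E9 rel32, as an inline hook would write it at address `at`."""
    return struct.pack("<Bi", 0xE9, to - (at + 5))


def hook_target(code: bytes, address: int):
    """Decode a control transfer at the start of a function, or None."""
    if len(code) >= 5 and code[0] == 0xE9:                        # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp rel32", (address + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[:2] == b"\xFF\x25":                # jmp dword ptr [imm32]
        return "jmp [mem32]", struct.unpack_from("<I", code, 2)[0]
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:    # push imm32; ret
        return "push/ret", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 2 and code[0] == 0xEB:                        # jmp rel8 (hot-patch style)
        rel = struct.unpack_from("<b", code, 1)[0]
        return "jmp rel8", (address + 2 + rel) & 0xFFFFFFFF
    return None


def scan_for_hooks(memory_view, disk_view):
    """memory_view: name -> (address, bytes read from the live process);
    disk_view: name -> bytes at the same RVA in the DLL file. Relocations
    aside, an unhooked prologue is byte-identical. One entry per mismatch."""
    report = []
    for name, (addr, mem) in memory_view.items():
        disk = disk_view[name]
        n = min(len(mem), len(disk))
        if mem[:n] == disk[:n]:
            continue
        report.append({"function": name, "address": addr,
                       "memory": mem[:n].hex(), "disk": disk[:n].hex(),
                       "transfer": hook_target(mem, addr)})
    return report


# Constructed sample data (function names are illustrative only).
HOTPATCH_PROLOGUE = bytes.fromhex("8BFF558BEC")        # mov edi,edi; push ebp; mov ebp,esp
SYSCALL_STUB = bytes.fromhex("B8AD000000BA0003FE7F")   # mov eax,0xAD; mov edx,0x7FFE0300

DISK_VIEW = {
    "kernel32!FunctionA": HOTPATCH_PROLOGUE,
    "kernel32!FunctionB": HOTPATCH_PROLOGUE,
    "ntdll!FunctionC": SYSCALL_STUB,
    "user32!FunctionD": HOTPATCH_PROLOGUE,
}
MEMORY_VIEW = {
    # E9 written over the 5-byte prologue, pointing into injected code
    "kernel32!FunctionA": (0x7C801A28, make_jmp_rel32(0x7C801A28, 0x00402000)),
    # untouched export
    "kernel32!FunctionB": (0x7C80236B, HOTPATCH_PROLOGUE),
    # FF 25: absolute indirect jump through a pointer in injected code
    "ntdll!FunctionC": (0x7C90D500, b"\xFF\x25" + struct.pack("<I", 0x00403010) + SYSCALL_STUB[6:]),
    # hot-patch style: 'mov edi,edi' replaced by a short jump to the pad 5 bytes before the function
    "user32!FunctionD": (0x77D4A000, b"\xEB\xF9" + HOTPATCH_PROLOGUE[2:]),
}

if __name__ == "__main__":
    for entry in scan_for_hooks(MEMORY_VIEW, DISK_VIEW):
        print(entry)
```

On a live system the memory side comes from ReadProcessMemory (or a memory dump) and the disk side from the mapped DLL file; a hooked entry whose decoded target lies outside any loaded module's image range is the strongest signal, since legitimate hot-patches and import thunks stay inside module bounds.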

 

Windows registry modifications

HKU\S-1-5-21-73586283-616249376-1177238915-500\Software\Microsoft\Windows\CurrentVersion\Run\KB00094432.exe: ""C:\Documents and Settings\Administrador\Datos de programa\KB00094432.exe""

HKU\S-1-5-21-73586283-616249376-1177238915-500\Software\Microsoft\Windows NT\SC8F9D084\: 3C 73 65 74 74 69 6E 67 73 20 68 61 73 68 3D 22 34 39 32 31 39 33 64 33 39 61 33 65 30 35 63 63 66 34 62 35 62 39 61 38 33 61 33 30 32 65 31 37 34 61 31 33 36 63 36 62 22 3E 3C 68 74 74 70 73 68 6F 74 73 3E 3C 75 72 6C 20 74 79 70 65 3D 22 64 65 6E 79 22 3E 5C 2E 28 63 73 73 7C 6A 73 29 28 24 7C 5C 3F 29 3C 2F 75 72 6C 3E 3C 75 72 6C 20 63 6F 6E 74 65 6E 74 54 79 70 65 3D 22 5E 74 65 78 74 2F 28
……..
65 6E 74 3E 3C 2F 6D 6F 64 69 66 79 3E 3C 2F 61 63 74 69 6F 6E 73 3E 3C 2F 68 74 74 70 69 6E 6A 65 63 74 3E 3C 2F 68 74 74 70 69 6E 6A 65 63 74 73 3E 3C 2F 73 65 74 74 69 6E 67 73 3E

 

Looking at the registry modifications, and specifically at this last value (which is very large, by the way), the following was identified. The value is a hex dump of an XML configuration: its first bytes decode to <settings hash="492193d39a3e05ccf4b5b9a83a302e174a136c6b"><httpshots><url type="deny">\.(css|js)($|\?)</url><url contentType="^text/( and its last bytes to ent></modify></actions></httpinject></httpinjects></settings>. What follows was extracted from it:

 

Connections to remote servers

<![CDATA[http://62.76.186.127/mx/4A/in/cp.php?h=8]]>
<bconnect>85.143.166.72:443</bconnect>

Phishing targets (httpshots rules naming the banking sites the bot watches for)

contentType="^text/(html|plain)">business\.macu\.com
contentType="^text/(html|plain)">business\.netbankerplus\.com
contentType="^text/(html|plain)">business_solutions
contentType="^text/(html|plain)">businessaccess\.citibank\.citigroup\.com
contentType="^text/(html|plain)">businessappshome
contentType="^text/(html|plain)">businessbanking\.cibc\.com
contentType="^text/(html|plain)">businessclassonline\.compassbank\.com
contentType="^text/(html|plain)">businesslogin
contentType="^text/(html|plain)">businessmanager\.com
contentType="^text/(html|plain)">businessonline
contentType="^text/(html|plain)">businessportal\.mibank\.com
contentType="^text/(html|plain)">butterfieldonline\.ky
contentType="^text/(html|plain)">bankonline\.umpquabank\.com
contentType="^text/(html|plain)">bbo\.1stsource\.com
contentType="^text/(html|plain)">accessbankplc\.com
contentType="^text/(html|plain)">accountoverview\.aspx
contentType="^text/(html|plain)">citizensbankmoneymanagergps\.com
contentType="^text/(html|plain)">cmachm\.w
contentType="^text/(html|plain)">eurobankefg\.com
contentType="^text/(html|plain)">exact4web
contentType="^text/(html|plain)">exness\.com
contentType="^text/(html|plain)">internationalpayments
contentType="^text/(html|plain)">internet\-ebanking\.com
contentType="^text/(html|plain)">ifxmanager\.bnymellon\.com
contentType="^text/(html|plain)">inetbanker
contentType="^text/(html|plain)">onlinebank\.wesbanco\.com
contentType="^text/(html|plain)">onlinebanker
contentType="^text/(html|plain)">onlinebanking\.1stunitedbankfl\.com
contentType="^text/(html|plain)">onlinebanking\.banksterling\.com
contentType="^text/(html|plain)">royalbank\.com/cgi\-bin/rbaccess
contentType="^text/(html|plain)">rsagoidauthentication
contentType="^text/(html|plain)">singlepoint\.usbank\.com

<formgrabber><url type="deny">\.(swf)($|\?)
type="deny">/isapi/ocget.dll</url>
<url type="allow">^https?://aol.com/.*/login/
type="allow">^https?://accounts.google.com/ServiceLogin</url>
<url type="allow">^https?://login.yahoo.com/
type="allow">^https?://login.live.com
type="deny">^https?://(\w+\.)?aol.com
type="deny">^https?://(\w+\.)?facebook.com/
type="deny">^https?://(\w+\.)?google
type="deny">^https?://(\w+\.)?yahoo
type="deny">^https?://(\w+\.)?youtube.com
type="deny">^https?://(\w+\.)?live.com
type="deny">^https?://(\w+\.)?twitter.com
type="deny">^https?://(\w+\.)?vk.com
</url></formgrabber>
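The registry value shown above is a hex dump of the bot's XML configuration, and the rules in this section come out of it. The Python below is an added example, not code from the original post: it decodes such a dump, parses the XML, extracts the backconnect address and literal URLs as network indicators, lists the httpshots targets, and evaluates the formgrabber allow/deny rules against URLs. PAGE_PREFIX_HEX and PAGE_SUFFIX_HEX are the first and last bytes exactly as the page shows them; CONSTRUCTED_MIDDLE stands in for the elided part and is assembled from rule fragments listed on the page plus assumed tag names (a url element inside httpinject, and content) so that the blob parses as one document. The first-match rule order and the capture-by-default behaviour are my assumptions; the page does not document how the bot evaluates its rules.

```python
import re
import xml.etree.ElementTree as ET

# Added example, not from the original post. Decodes the hex-dumped XML config
# from the HKU\...\Software\Microsoft\Windows NT\SC8F9D084 value, extracts
# IOCs and target rules, and applies the formgrabber allow/deny rules.

# First and last bytes of the registry value, exactly as shown on the page.
PAGE_PREFIX_HEX = (
    "3C 73 65 74 74 69 6E 67 73 20 68 61 73 68 3D 22 34 39 32 31 39 33 64 33 "
    "39 61 33 65 30 35 63 63 66 34 62 35 62 39 61 38 33 61 33 30 32 65 31 37 "
    "34 61 31 33 36 63 36 62 22 3E 3C 68 74 74 70 73 68 6F 74 73 3E 3C 75 72 "
    "6C 20 74 79 70 65 3D 22 64 65 6E 79 22 3E 5C 2E 28 63 73 73 7C 6A 73 29 "
    "28 24 7C 5C 3F 29 3C 2F 75 72 6C 3E 3C 75 72 6C 20 63 6F 6E 74 65 6E 74 "
    "54 79 70 65 3D 22 5E 74 65 78 74 2F 28"
)
PAGE_SUFFIX_HEX = (
    "65 6E 74 3E 3C 2F 6D 6F 64 69 66 79 3E 3C 2F 61 63 74 69 6F 6E 73 3E 3C 2F "
    "68 74 74 70 69 6E 6A 65 63 74 3E 3C 2F 68 74 74 70 69 6E 6A 65 63 74 73 3E "
    "3C 2F 73 65 74 74 69 6E 67 73 3E"
)
# CONSTRUCTED stand-in for the elided middle: fragments listed on the page,
# with assumed tag names so the whole thing is one well-formed document.
CONSTRUCTED_MIDDLE = (
    r'html|plain)">business\.macu\.com</url>'
    r'<url contentType="^text/(html|plain)">singlepoint\.usbank\.com</url>'
    r'</httpshots>'
    r'<bconnect>85.143.166.72:443</bconnect>'
    r'<formgrabber>'
    r'<url type="deny">\.(swf)($|\?)</url>'
    r'<url type="allow">^https?://accounts.google.com/ServiceLogin</url>'
    r'<url type="deny">^https?://(\w+\.)?google</url>'
    r'</formgrabber>'
    r'<httpinjects><httpinject>'
    r'<url><![CDATA[http://62.76.186.127/mx/4A/in/cp.php?h=8]]></url>'
    r'<actions><modify><content>injected-html</cont'
)


def registry_hex_to_text(hex_dump: str) -> str:
    """Decode a space-separated hex dump (REG_BINARY export style) to text."""
    return bytes.fromhex("".join(hex_dump.split())).decode("latin-1")


def build_sample_blob() -> str:
    """Page prefix + constructed middle + page suffix, all as a hex dump."""
    middle = " ".join(f"{b:02X}" for b in CONSTRUCTED_MIDDLE.encode("latin-1"))
    return " ".join([PAGE_PREFIX_HEX, middle, PAGE_SUFFIX_HEX])


URL_RE = re.compile(r"https?://[\w.\-/?=&%]+")
HOSTPORT_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")


def extract_network_iocs(root) -> dict:
    """Literal URLs and ip[:port] strings from text nodes. Rule patterns carry
    regex metacharacters and are skipped so they are not reported as IOCs."""
    urls, hosts = set(), set()
    for el in root.iter():
        text = el.text or ""
        if any(c in text for c in "^$\\|"):
            continue
        urls.update(URL_RE.findall(text))
        hosts.update(HOSTPORT_RE.findall(text))
    return {"urls": sorted(urls), "hosts": sorted(hosts)}


def parse_config(root) -> dict:
    shots = [{"type": u.get("type"), "contentType": u.get("contentType"), "pattern": u.text}
             for s in root.iter("httpshots") for u in s.iter("url")]
    grab = [(u.get("type"), u.text) for g in root.iter("formgrabber") for u in g.iter("url")]
    return {"hash": root.get("hash"),
            "bconnect": [b.text.strip() for b in root.iter("bconnect") if b.text],
            "httpshots": shots, "formgrabber": grab,
            "iocs": extract_network_iocs(root)}


def analyse(hex_dump: str) -> dict:
    return parse_config(ET.fromstring(registry_hex_to_text(hex_dump)))


def formgrabber_decision(rules, url):
    """First matching rule wins (assumption: the page does not document the
    evaluation order). Returns 'allow', 'deny', or None when nothing matches."""
    for rule_type, pattern in rules:
        if pattern and re.search(pattern, url):
            return rule_type
    return None


def should_grab(rules, url) -> bool:
    """Assumed default: a POST is captured unless a deny rule matches first."""
    return formgrabber_decision(rules, url) != "deny"


if __name__ == "__main__":
    cfg = analyse(build_sample_blob())
    print("config hash:", cfg["hash"], "backconnect:", cfg["bconnect"])
    print("IOCs:", cfg["iocs"])
    for url in ("https://accounts.google.com/ServiceLogin?x=1",
                "https://mail.google.com/inbox", "https://onlinebank.example/login"):
        verdict = "grab" if should_grab(cfg["formgrabber"], url) else "skip"
        print(url, "->", formgrabber_decision(cfg["formgrabber"], url), verdict)
```

The ordering of the page's own formgrabber block fits the first-match reading: narrow allow rules for the Google, Yahoo, AOL and Live login pages sit before the broad deny rules for those domains, so the login POST is captured while the rest of the traffic to those noisy sites is ignored.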

Personal information (security-question strings found in the configuration)

What is the name of the city where your father was born?
What is the name of the hospital in which you were born?
What was the name of your first pet?
What was the first name of your first true love?
What was the first music album that you bought?
what is the last name of your homeroom teacher in 10th grade?
In which city do you want to retire?
What is the name of the city where your mother was born?
What is of the name the city where your parents met?
What is your youngest sibling\'s middle name?
What is your oldest sibling\'s middle name?
What is your spouse\'s middle name?
What is your oldest cousin&acute;s first name?
What is your youngest cousin&acute;s first name?
Where does your nearest sibling live?
What is the name of the school you attended in 8th grade?
What was the last name of your 4th grade school teacher?
What was the first name of your best friend in high school?
What was your childhood nickname?
What was your first love\'s first name?
In what city did you meet your spouse?
What was the name of your childhood hero?
What is the name of the country you most want to visit?
What is your maternal grandfather\'s first name?
What is your maternal grandmother\'s first name?
What is your paternal grandfather\'s first name?
What is your paternal grandmother\'s first name?
What is the first name of your first boss?
What was the make of your first car?
What was your major in college?
What is your favorite Sports Team?
As a child, what did you want to be when you grew up?
What is your favorite candy?
In what city or town was your first job?
What type of dog do you have?
What is the name of a food that you refuse to eat?


 

Network information

 

Links


Worm:Win32/Cridex.G
W32.Cridex

 
