{
	"id": "599e8584-29af-456d-a65f-bc58583b1e4f",
	"created_at": "2026-04-06T00:13:31.109434Z",
	"updated_at": "2026-04-10T13:11:44.677624Z",
	"deleted_at": null,
	"sha1_hash": "3415c6fb5f013db840d3c0b04f1496fb8ccd222c",
	"title": "CIRCL » TR-25 Analysis - Turla / Pfinet / Snake",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 396771,
	"plain_text": "CIRCL » TR-25 Analysis - Turla / Pfinet / Snake\r\nArchived: 2026-04-05 13:05:07 UTC\r\nOverview\r\nDuring the last weeks, various samples of Uroburos (also named Urob, Turla, Sengoku, Snark and Pfinet) were analyzed\r\nand reports have been published 1234, also analyses about a suspected predecessor, Agent.btz, are public 5. CIRCL\r\nanalyzed an older version of Turla, known as a representative of the Pfinet malware family. The objective of this analysis\r\nis to gather additional Indicators of Compromise or behaviors in order to improve detection and to discover additional\r\ninsights into the malware. This document is not considered a final release but a work-in-progress document.\r\nStatic Analysis\r\nSample A\r\nHashes:\r\nType\r\nof\r\nHash\r\nHash\r\nMD5 5b4a956c6ec246899b1d459838892493\r\nSHA1 217b8fa45a24681551bd84b573795b5925b2573e\r\nSHA-256\r\n93742b415f28f57c61e7ce7d55208f71d5c4880dc66616da52f3c274b20b43b0\r\nssdeep 24576:D0MfCZaSyUS7YXz3aHUXXeJozanHZCfBvt9MSc99rdI+6cGHe:D02saHQXeManH81t9BONdI3VHe\r\nVirusTotal results for sample A\r\nAV product Result\r\nBkav W32.Clod24a.Trojan.ceee\r\nMicroWorld-eScan Dropped:Backdoor.Generic.252173\r\nnProtect Dropped:Backdoor.Generic.252173\r\nMcAfee Artemis!5B4A956C6EC2\r\nK7AntiVirus Riskware ( 10a2c0f80 )\r\nK7GW Trojan ( 00155adb1 )\r\nNANO-Antivirus Trojan.Win64.Agent.lsivh\r\nhttps://www.circl.lu/pub/tr-25/\r\nPage 1 of 51\n\nAV product Result\r\nF-Prot W32/MalwareS.IHA\r\nSymantec Backdoor.Pfinet\r\nNorman Suspicious_Gen3.DGZV\r\nTotalDefense Win32/Pfinet.A\r\nTrendMicro-HouseCall TROJ_GEN.R27E1AH\r\nAvast Win32:Malware-gen\r\nClamAV Trojan.Agent-126457\r\nKaspersky Trojan.Win32.Genome.hitb\r\nBitDefender Dropped:Backdoor.Generic.252173\r\nAgnitum Trojan.Meredrop!A/hBhJu+uNc\r\nAd-Aware Dropped:Backdoor.Generic.252173\r\nSophos Mal/Generic-S\r\nComodo TrojWare.Win32.Agent.czua\r\nF-Secure Dropped:Backdoor.Generic.252173\r\nDrWeb Trojan.Siggen.27969\r\nVIPRE Trojan.Win32.Generic!BT\r\nAntiVir 
TR/Agent.czua\r\nTrendMicro TROJ_GEN.R27E1AH\r\nMcAfee-GW-Edition Artemis!5B4A956C6EC2\r\nEmsisoft Dropped:Backdoor.Generic.252173 (B)\r\nMicrosoft Backdoor:WinNT/Pfinet.B\r\nGData Dropped:Backdoor.Generic.252173\r\nCommtouch W32/Risk.DWJW-7987\r\nVBA32 Trojan.Agent2\r\nBaidu-International Trojan.Win32.Genome.aR\r\nESET-NOD32 a variant of Win32/Turla.AC\r\nIkarus Trojan.Win32.Genome\r\nFortinet W32/Pfinet!tr\r\nAVG Generic16.BBMD\r\nPanda Trj/Hmir.F\r\nScanned: 2014-03-16 01:12:54 - 49 scans - 37 detections (75.0%)\r\nFile characteristics\r\nMeta data\r\nSize: 1052672 bytes\r\nType: PE32 executable (GUI) Intel 80386, for MS Windows\r\nDate: 0x4AC5A74C [Fri Oct 2 07:10:04 2009 UTC]\r\nEP: 0x4021bb .text 0/5\r\nCRC: Claimed: 0x0, Actual: 0x110f40 [SUSPICIOUS]\r\nResource entries\r\nName RVA Size Lang Sublang Type\r\n--------------------------------------------------------------------------------\r\nBINARY 0xd190 0x3dc00 LANG_ENGLISH SUBLANG_ENGLISH_US PE32 executable (DLL) (native) Intel 80386, for MS Windows\r\nBINARY 0x4ad90 0x1d000 LANG_ENGLISH SUBLANG_ENGLISH_US PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nBINARY 0x67d90 0x21000 LANG_ENGLISH SUBLANG_ENGLISH_US PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nBINARY 0x88d90 0x1f9 LANG_ENGLISH SUBLANG_ENGLISH_US ASCII text, with CRLF, LF line terminators\r\nBINARY 0x88f90 0x37c00 LANG_ENGLISH SUBLANG_ENGLISH_US PE32+ executable (DLL) (native) x86-64, for MS Windows\r\nBINARY 0xc0b90 0x1bc00 LANG_ENGLISH SUBLANG_ENGLISH_US PE32+ executable (DLL) (GUI) x86-64, for MS Windows\r\nBINARY 0xdc790 0x24200 LANG_ENGLISH SUBLANG_ENGLISH_US PE32+ executable (DLL) (GUI) x86-64, for MS Windows\r\nVersion info\r\nNo version information included.\r\nSections\r\nName VirtAddr VirtSize RawSize Entropy\r\n--------------------------------------------------------------------------------\r\n.text 0x1000 0x6f34 0x7000 6.582374\r\n
.rdata 0x8000 0x1fb8 0x2000 4.803196\r\n.data 0xa000 0x26f4 0x1000 1.559595\r\n.rsrc 0xd000 0xf3990 0xf4000 5.977919\r\n.reloc 0x101000 0x188c 0x2000 2.462180\r\nSECTION 1 (.text ):\r\nvirtual size : 00006F34 ( 28468.)\r\nvirtual address : 00001000\r\nsection size : 00007000 ( 28672.)\r\noffset to raw data for section: 00001000\r\noffset to relocation : 00000000\r\noffset to line numbers : 00000000\r\nnumber of relocation entries : 0\r\nnumber of line number entries : 0\r\nalignment : 0 byte(s)\r\nFlags 60000020:\r\n text only\r\n Executable\r\n Readable\r\nSECTION 2 (.rdata ):\r\nvirtual size : 00001FB8 ( 8120.)\r\nvirtual address : 00008000\r\nsection size : 00002000 ( 8192.)\r\noffset to raw data for section: 00008000\r\noffset to relocation : 00000000\r\noffset to line numbers : 00000000\r\nnumber of relocation entries : 0\r\nnumber of line number entries : 0\r\nalignment : 0 byte(s)\r\nFlags 40000040:\r\n data only\r\n Readable\r\nSECTION 3 (.data ):\r\nvirtual size : 000026F4 ( 9972.)\r\nvirtual address : 0000A000\r\nsection size : 00001000 ( 4096.)\r\noffset to raw data for section: 0000A000\r\noffset to relocation : 00000000\r\noffset to line numbers : 00000000\r\nnumber of relocation entries : 0\r\nnumber of line number entries : 0\r\nalignment : 0 byte(s)\r\nFlags C0000040:\r\n data only\r\n Readable\r\n Writable\r\nSECTION 4 (.rsrc ):\r\nvirtual size : 000F3990 ( 997776.)\r\nvirtual address : 0000D000\r\nsection size : 000F4000 ( 999424.)\r\noffset to raw data for section: 0000B000\r\noffset to relocation : 00000000\r\noffset to line numbers : 00000000\r\nnumber of relocation entries : 0\r\nnumber of line number entries : 0\r\nalignment : 0 byte(s)\r\nFlags 40000040:\r\n data only\r\n Readable\r\nSECTION 5 (.reloc ):\r\nvirtual size : 0000188C ( 6284.)\r\nvirtual address : 00101000\r\nsection size : 00002000 ( 8192.)\r\noffset to raw data for section: 000FF000\r\noffset to relocation : 00000000\r\noffset to line numbers : 00000000\r\nnumber of relocation entries : 0\r\nnumber of line number entries : 0\r\nalignment : 0 byte(s)\r\nFlags 42000040:\r\n data only\r\n Discardable\r\n Readable\r\n
Strings\r\nThe order of clear-text strings embedded in Sample A indicates that this file contains several other files, because the DOS stub (!This program cannot be run in DOS mode.) is present multiple times. Interesting strings are listed in the corresponding subsections.\r\nAnalysis - Installer\r\nSample A can be considered an installer or dropper. It drops files onto the system and initializes the environment for production. First, it probes whether a virtual disk\r\n\\DEVICE\\IdeDrive1\\\r\nis present on the system. If not, the virtual disk is created with the NTFS file system, using FormatEx from Microsoft's fmifs.dll.\r\n
int __cdecl create_virtual_disk()\r\n{\r\n  HMODULE hModule_fmifs.dll;\r\n  int result;\r\n  FARPROC FormatEx;\r\n  WCHAR VirtualDisk;\r\n\r\n  result = 0;\r\n  hModule_fmifs.dll = LoadLibraryA(\"fmifs.dll\");\r\n  if ( hModule_fmifs.dll )\r\n  {\r\n    FormatEx = GetProcAddress(hModule_fmifs.dll, \"FormatEx\");\r\n    if ( FormatEx )\r\n    {\r\n      wsprintfW(\u0026VirtualDisk, L\"%S\", \"\\\\\\\\.\\\\IdeDrive1\\\\\\\\\");\r\n      (FormatEx)(\u0026VirtualDisk, FMIFS_HARDDISK, L\"NTFS\", \u0026gVirtualDiskName, 1, 0, FormatExCallback);\r\n      result = gFormatExCallbackActionInfo != 0;\r\n    }\r\n    FreeLibrary(hModule_fmifs.dll);\r\n  }\r\n  else\r\n  {\r\n    result = 0;\r\n  }\r\n  return result;\r\n}\r\n
The presence of the malware’s configuration file is tested:\r\n\\DEVICE\\IdeDrive1\\config.txt\r\nIf not found, it is dropped from the resource section 0x88d90.\r\nThe following files are dropped depending on whether Windows is running as 32-bit or 64-bit.\r\n%SystemRoot%\\$NtUninstallQ722833$\\usbdev.sys (hidden)\r\n\\DEVICE\\IdeDrive1\\inetpub.dll\r\n\\DEVICE\\IdeDrive1\\cryptoapi.dll\r\nThe file names of the dropped files are the same on both architectures, but the version that is dropped matches the operating system architecture.\r\nThis is achieved by logic similar to the following, which is applied to all files except the configuration file.\r\n
if ( IsWow64 )\r\n{\r\n  res = create_from_resources(\"#162\", \"\\\\\\\\.\\\\IdeDrive1\\\\inetpub.dll\");\r\n  if ( last_error )\r\n  {\r\n    error = GetLastError();\r\n    log(last_error, \"ef1... %d, %d\\n\", res, error);\r\n  }\r\n  v29 = create_from_resources(\"#165\", \"\\\\\\\\.\\\\IdeDrive1\\\\cryptoapi.dll\");\r\n}\r\nThe function create_from_resources() looks like:\r\n
int __cdecl create_from_resources(LPCSTR NameOfResource, LPCSTR lpSrc)\r\n{\r\n  HRSRC HRSRC;\r\n  HGLOBAL hGlobal;\r\n  DWORD SizeOfResource;\r\n  HANDLE hFile;\r\n  DWORD error;\r\n  CHAR lpFileName;\r\n  char pSecurityDescriptor;\r\n  DWORD NumberOfBytesWritten;\r\n  LPCVOID lpBuffer;\r\n\r\n  ExpandEnvironmentStringsA(lpSrc, \u0026lpFileName, 0x104u);\r\n  HRSRC = FindResourceA(0, NameOfResource, \"BINARY\");\r\n  if ( !HRSRC )\r\n    return 0;\r\n  hGlobal = LoadResource(0, HRSRC);\r\n  if ( !hGlobal )\r\n    return 0;\r\n  lpBuffer = LockResource(hGlobal);\r\n  if ( !lpBuffer )\r\n    return 0;\r\n  SizeOfResource = SizeofResource(0, HRSRC);\r\n  hFile = CreateFileA(\u0026lpFileName, GENERIC_WRITE, 0, 0, 2u, 0x80u, 0);\r\n  if ( hFile == -1 )\r\n  {\r\n    if ( last_error )\r\n    {\r\n      error = GetLastError();\r\n      log(last_error, \"ex_fail... %d\\n\", error);\r\n    }\r\n    return 0;\r\n  }\r\n  WriteFile(hFile, lpBuffer, SizeOfResource, \u0026NumberOfBytesWritten, 0);\r\n  CloseHandle(hFile);\r\n  if ( !InitializeSecurityDescriptor(\u0026pSecurityDescriptor, 1u) )\r\n    return 0;\r\n  return SetFileSecurityA(\u0026lpFileName, DACL_SECURITY_INFORMATION, \u0026pSecurityDescriptor) != 0;\r\n}\r\n
After dropping the correct files, the malware makes itself persistent on the system by creating a service with the following parameters, which loads the file usbdev.sys as a kernel driver:\r\nIn: HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services:\r\nKey: usblink\r\nType: 1 (SERVICE_KERNEL_DRIVER)\r\nStart: 1 (SERVICE_SYSTEM_START)\r\nErrorControl: 0 (SERVICE_ERROR_IGNORE)\r\nGroup: Streams Drivers\r\nDisplayName: usblink\r\nImagePath: \\SystemRoot\\$NtUninstallQ722833$\\usbdev.sys\r\nIf anything goes wrong during installation, the registry keys are deleted; the files, however, are not.\r\nDuring the installation process, extensive logging ensures good visibility into potential installation problems. The attacker uses English for the logging, although he lacks attention to detail when it comes to correct usage of the language, as the following examples demonstrate:\r\nwin32 detect... (should be simple past)\r\nx64 detect... (should be simple past)\r\nCretaFileA(%s): (should be CreateFileA)\r\nCan`t open SERVICES key (that shouldn't be a backtick)\r\nLanguage deficits also appear in other files of this collection; we show them in a separate chapter.\r\nA list of dropped files is given in the next chapter.\r\n
Dropped files\r\nSample B - usbdev.sys (Resource: 101)\r\nHashes\r\nType of Hash Hash\r\nMD5 db93128bff2912a75b39ee117796cdc6\r\nSHA1 418645c09002845a8554095b355f47907f762797\r\nSHA-256 57b8c2f5cfeaca97da58cfcdaf10c88dbc2c987c436ddc1ad7b7ed31879cb665\r\nssdeep 3072:3B9f3bhj+FqCjAsWnQNCb/XzeQdRSFqfCeEmI/2XxjptNdjxjkMAE4E:3B9tQHWLrFfCZmI/MttB+E4\r\nVirusTotal results for sample B\r\nAV product Result\r\nBkav W32.Cloda11.Trojan.222a\r\nMicroWorld-eScan Backdoor.Generic.252173\r\nnProtect Trojan/W32.Agent2.252928\r\nMcAfee Artemis!DB93128BFF29\r\nK7GW Trojan ( 0001140e1 )\r\nK7AntiVirus Riskware ( 10a2c0f80 )\r\nAgnitum Trojan.Agent2!HMPS2EOZWFE\r\nF-Prot W32/MalwareS.IHA\r\nSymantec Backdoor.Pfinet\r\nNorman Suspicious_Gen3.DGZV\r\nTrendMicro-HouseCall TROJ_GEN.R27E1AH\r\nAvast Win32:Malware-gen\r\nKaspersky Trojan.Win32.Agent2.flce\r\nBitDefender Backdoor.Generic.252173\r\nAd-Aware Backdoor.Generic.252173\r\nSophos Mal/Generic-S\r\nF-Secure Backdoor.Generic.252173\r\nDrWeb Trojan.Siggen1.51234\r\nVIPRE Trojan.Win32.Generic!BT\r\nAntiVir TR/Rootkit.Gen\r\nTrendMicro TROJ_GEN.R27E1AH\r\nMcAfee-GW-Edition Artemis!DB93128BFF29\r\nEmsisoft Backdoor.Generic.252173 (B)\r\nJiangmin Trojan/Agent.djjf\r\nAntiy-AVL Trojan/Win32.Agent2\r\nKingsoft Win32.Troj.Agent2.(kcloud)\r\nMicrosoft Backdoor:WinNT/Pfinet.B\r\nGData Backdoor.Generic.252173\r\nCommtouch W32/Risk.DWJW-7987\r\nVBA32 Trojan.Agent2\r\nPanda Rootkit/Agent.IOO\r\nESET-NOD32 a variant of Win32/Turla.AC\r\nIkarus Trojan.Win32.Agent\r\nFortinet W32/Agent2.LDY!tr\r\nAVG Agent2.AHWF\r\nBaidu-International Trojan.Win32.Agent.AFZ\r\nScanned: 2014-03-23 21:28:41 - 51 scans - 36 detections (70.0%)\r\nFile characteristics\r\nMeta data\r\nSize: 252928 bytes\r\nType: PE32 executable (DLL) (native) Intel 80386, for MS Windows\r\nDate: 0x4AC48FC8 [Thu Oct 1 11:17:28 2009 UTC]\r\nEP: 0x22d80 .text 0/5\r\nCRC: Claimed: 0x3e7fe, Actual: 0x3e7fe\r\nSections\r\nName VirtAddr VirtSize RawSize Entropy\r\n--------------------------------------------------------------------------------\r\n.text 0x1000 0x28084 0x28200 6.325480\r\n.basein 0x2a000 0x135 0x200 3.791369\r\n.data 0x2b000 0x20e34 0x12600 1.335577\r\nINIT 0x4c000 0xebc 0x1000 5.343628\r\n.reloc 0x4d000 0x1de0 0x1e00 6.448244\r\nStrings\r\nInteresting strings:\r\nCsrClientCallServer\r\nExitThread\r\nLdrGetProcedureAddress\r\nZwTerminateThread\r\n\\SystemRoot\\system32\\%s\r\nIoCreateDevice\r\nModuleStart\r\nModuleStop\r\n\\??\\%s\\cryptoapi.dll\r\n\\??\\%s\\inetpub.dll\r\nservices.exe\r\niexplore.exe\r\nfirefox.exe\r\nopera.exe\r\nnetscape.exe\r\nmozilla.exe\r\nmsimn.exe\r\noutlook.exe\r\nadobeupdater.exe\r\n
Sample C - inetpub.dll (Resource: 102)\r\nHashes\r\nType of Hash Hash\r\nMD5 2145945b9b32b4ccbd498db50419b39b\r\nSHA1 690f18810b0cbef06f7b864c7585bd6ed0d207e0\r\nSHA-256 3de0ba77fa2d8b26e4226fd28edc3ab8448434d851f6b2b268ec072c5da92ade\r\nssdeep 3072:HPHvQByUS7Yqy7UKJm1Y3a3v/z61dmh9f3b/LAaulNA7:HPHqyUS7YqyIKH3aHz61Mh9jZulNC\r\nVirusTotal results for sample C\r\nAV product Result\r\nMcAfee Generic.dx!wel\r\nK7AntiVirus Riskware\r\nSymantec Backdoor.Pfinet\r\nNorman W32/Suspicious_Gen3.UANR\r\nAvast Win32:Malware-gen\r\neSafe Win32.TRATRAPS\r\nBitDefender Backdoor.Generic.429659\r\nF-Secure Backdoor.Generic.429659\r\nVIPRE Trojan.Win32.Generic!BT\r\nAntiVir TR/ATRAPS.Gen\r\nMcAfee-GW-Edition Generic.dx!wel\r\nEmsisoft Backdoor.SuspectCRC!IK\r\nAntiy-AVL Trojan/win32.agent.gen\r\nGData Backdoor.Generic.429659\r\nAhnLab-V3 Backdoor/Win32.Pfinet\r\nPCTools Backdoor.Pfinet\r\nIkarus Backdoor.SuspectCRC\r\nPanda Trj/CI.A\r\nAvast5 Win32:Malware-gen\r\nScanned: 2011-07-07 04:43:10 - 43 scans - 19 detections (44.0%)\r\nFile characteristics\r\nMeta data\r\nSize: 118784 bytes\r\nType: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nDate: 0x4AC5A6A4 [Fri Oct 2 07:07:16 2009 UTC]\r\nEP: 0x20013857 .text 0/5\r\nCRC: Claimed: 0x0, Actual: 0x2cb10 [SUSPICIOUS]\r\nSections\r\nName VirtAddr VirtSize RawSize Entropy\r\n--------------------------------------------------------------------------------\r\n.text 0x1000 0x12976 0x13000 6.509133\r\n.basein 0x14000 0x97 0x1000 0.418760 [SUSPICIOUS]\r\n.rdata 0x15000 0x4ede 0x5000 7.011329 [SUSPICIOUS]\r\n.data 0x1a000 0x15f0 0x1000 5.453684\r\n.reloc 0x1c000 0x152a 0x2000 4.423836\r\nExports\r\nFlags : 00000000\r\nTime stamp : Fri Oct 2 09:07:16 2009\r\nVersion : 0.0\r\nDLL name : CARBON.dll\r\nOrdinals base : 1. (00000001)\r\n# of Addresses: 2. (00000002)\r\n# of Names : 2. (00000002)\r\n 1. 00002CB9 ModuleStart\r\n 2. 0000266C ModuleStop\r\nStrings\r\n
\\\\.\\IdeDrive1\\\\config.txt\r\nReceiveTimeout\r\nSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\r\nNAME\r\nobject_id\r\nVERSION\r\nUser\r\nCarbon v3.51\r\nOPER|Wrong config: bad address|\r\nMozilla/4.0 (compatible; MSIE 6.0)\r\nOPER|Wrong config: no port|\r\nOPER|Wrong config: empty address|\r\naddress\r\nCW_INET\r\nquantity\r\nuser_winmax\r\nuser_winmin\r\nST|Carbon v3.51|\r\n\\\\.\\IdeDrive1\\\\log.txt\r\nGlobal\\MSMMC.StartupEnvironment.PPT\r\nGlobal\\411A5195CD73A8a710E4BB16842FA42C\r\nGlobal\\881F0621AC59C4c035A5DC92158AB85E\r\nGlobal\\MSCTF.Shared.MUTEX.RPM\r\nGlobal\\WindowsShellHWDetection\r\nGlobal\\MSDBG.Global.MUTEX.ATF\r\nTR|%d|\r\n$Id: hide_module_win32.c 10189 2008-11-25 14:25:41Z gilg $\r\nZwWow64ReadVirtualMemory64\r\n$Id: load_lib_win32.c 10180 2008-11-20 12:13:01Z gilg $\r\n\\SysWOW64\\\r\n\\System32\\\r\nCreateRemoteThread\r\nZwTerminateThread\r\nLdrGetProcedureAddress\r\nExitThread\r\n$Id: mutex.c 3940 2006-03-20 16:47:16Z vlad $\r\n$Id: rw_lock.c 4482 2006-08-30 13:07:14Z vlad $\r\n%x-%x-%x-%x\r\n%02d/%02d/%02d|%02d:%02d:%02d|%s|u|\r\nsearch.google.com\r\nwww.easports.com\r\nwww.sun.com\r\nwww.dell.com\r\nwww.3com.com\r\nwww.altavista.com\r\nwww.hp.com\r\nsearch.microsoft.com\r\nwindowsupdate.microsoft.com\r\nwww.microsoft.com\r\nwww.asus.com\r\nwww.eagames.com\r\nwww.google.com\r\nwww.astalavista.com\r\nwww.bbc.com\r\nwww.yahoo.com\r\nCreateToolhelp32Snapshot() failed: %d\r\nOPER|Sniffer '%s' running... ooopppsss...|\r\nsnoop.exe\r\nettercap.exe\r\nwireshark.exe\r\nethereal.exe\r\nwindump.exe\r\ntcpdump.exe\r\nHTTP/1.1\r\n%sauth.cgi?mode=query\u0026id=%u:%u:%u:%u\u0026serv=%s\u0026lang=en\u0026q=%u-%u\u0026date=%s\r\n%Y-%m-%d\r\n%sdefault.asp?act=%u\u0026id=%u\u0026item=%u\u0026event_id=%u\u0026cln=%u\u0026flt=%u\u0026serv=%s\u0026t=%ld\u0026mode=query\u0026lang=en\u0026date=%s\r\nlastconnect\r\ntimestop\r\n.bak\r\n\\\\.\\IdeDrive1\\\\\r\nD:AI\r\n@OPER|Wrong timeout: high \u003c low|\r\nMem alloc err\r\nP|-1|%d|NULL|%d|\r\nP|0|%s|%d|HC=%d\r\nHC|%d|\r\nP|-1|%d|%s|%d|\r\n\\\\.\\IdeDrive1\\\\Results\\result.txt\r\nPOST\r\nHTTP/1.0\r\nA|-1|%u|%s|%s|\r\n%u|%s|%s\r\nTask %d failed %s,%d\r\n\\\\.\\IdeDrive1\\\\Results\\\r\n207.46.249.57\r\n207.46.249.56\r\n207.46.250.119\r\nmicrosoft.com\r\n207.46.253.125\r\n207.46.18.94\r\nupdate.microsoft.com\r\nG|0|%d|%d|\r\n%u|%s|%s|%s\r\nOPER|Wrong config|\r\nS|0|%s|\r\nS|-1|%d|%s|\r\nlogperiod\r\nlastsend\r\nlogmax\r\nlogmin\r\nCopyFile(%s, %s):%d\r\nCrPr(),WL(),AU() error: %d\r\nCrPr() WaitForSingleObject() error: %d\r\nCrPr() wait timeout %d msec exceeded: %d\r\nT|-1|%d|%d|\r\nTask not execute. Arg file failed.\r\nWORKDATA\r\nrun_task\r\nDELETE\r\nCOMPRESSION\r\nRESULT\r\nstdout\r\nCONFIG\r\ncmd.exe\r\ntime2task\r\nm_recv() RESULT failed.\r\nA|-1|%u|%s|%d|\r\nactive_con\r\nm_send() TASK failed.\r\nOBJECT ACK failed.\r\nInternal task %d obj %s not equal robj %s... very strange!!!\r\nm_recv() OBJECT failed.\r\nm_send() OBJECT failed.\r\nm_send() WHO failed.\r\nAUTH failed.\r\nm_recv() AUTH failed.\r\nm_send() AUTH failed.\r\nm_connect() failed.\r\nm_setoptlist() failed.\r\nnet_password=\r\nnet_user=\r\nallow=*everyone\r\nwrite_peer_nfo=%c%s%c\r\nfrag_no_scrambling=1\r\nfrag_size=32768\r\nm_create() failed.\r\nfrag.np\r\n\\\\%s\\pipe\\comnode\r\nW|2|%s|%d|\r\n127.0.0.1\r\nm_send() ZERO failed.\r\nTrans task %d obj %s ACTIVE fail robj %s\r\nnet_password=%s\r\nnet_user=%s\r\n\\\\%s\\pipe\\%s\r\nfrag.tcp\r\n%s:%d\r\nW|1|%s|%d|\r\n%u|%s|%s|%s|%s|%d|%s|%s\r\n\\\\.\\IdeDrive1\\\\Tasks\\task_system.txt\r\n%u|%s|%s|%s|%s|%d\r\n\\\\.\\IdeDrive1\\\\Tasks\\task.txt\r\n%u|%s|%s|%s|%s\r\n\\\\.\\IdeDrive1\\\\Tasks\\\r\nW|0|%s|%d|\r\nW|-1|%s|%d|\r\nstart\r\nT|e|%d|\r\nT|s|%d|\r\ntask_max\r\ntask_min\r\nI|%d|\r\n reconstructing block ...\r\n%6d unresolved strings\r\n depth %6d has\r\n bucket sorting ...\r\n %d pointers, %d sorted, %d scanned\r\n qsort [0x%x, 0x%x] done %d this %d\r\n main sort initialise ...\r\n too repetitive; using fallback sorting algorithm\r\n %d work, %d block, ratio %5.2f\r\nCONFIG_ERROR\r\nOUTBUFF_FULL\r\nUNEXPECTED_EOF\r\nIO_ERROR\r\nDATA_ERROR_MAGIC\r\nDATA_ERROR\r\nMEM_ERROR\r\nPARAM_ERROR\r\nSEQUENCE_ERROR\r\ncodes %d\r\ncode lengths %d,\r\nselectors %d,\r\n bytes: mapping %d,\r\n pass %d: size is %d, grp uses are\r\n initial group %d, [%d .. %d], has %d syms (%4.1f%%)\r\nY@ %d in block, %d after MTF \u0026 1-2 coding, %d+2 syms in use\r\n final combined CRC = 0x%x\r\n block %d: crc = 0x%8x, combined CRC = 0x%8x, size = %d\r\n$Id: b2_to_m2_stub.c 5273 2007-01-23 17:41:15Z vlad $\r\n$Id: b_tcp.c 8474 2007-09-19 15:40:39Z vlad $\r\nTCP: closed.\r\nTCP: connecting...\r\nY1N0\r\nnodelay\r\nTCP: send\r\nTCP: recv\r\n%s:%u\r\nnodelay=1\r\nTCP: resolved %s\r\nTCP: resolving host name...\r\n$Id: l1_check.c 4477 2006-08-28 15:58:21Z vlad $\r\n$Id: m2_to_b2_stub.c 4477 2006-08-28 15:58:21Z vlad $\r\n$Id: m_frag.c 8715 2007-11-29 16:04:46Z urik $\r\npeer_frag_size\r\nfrag_no_scrambling\r\nfrag_size\r\nFrag: send\r\n$Id: m_np.c 8825 2008-01-10 13:13:15Z vlad $\r\n\\\\.\\pipe\\\r\nno_server_hijack\r\nimp_level\r\nnet_password\r\nnet_user\r\nwrite_peer_nfo\r\nread_peer_nfo\r\n*everyone\r\nallow\r\n$Id: np_win32_common.c 4483 2006-08-30 13:13:51Z vlad $\r\nanonymous\r\nevery1\r\n\\ipc$\r\n\\pipe\\\r\n$Id: t_byte1.c 5324 2007-01-30 12:45:35Z vlad $\r\nfrag\r\n$Id: t_manager.c 8715 2007-11-29 16:04:46Z urik $\r\ntransports\r\n$Id: t_message1.c 5290 2007-01-26 11:15:03Z vlad $\r\nlicence error\r\n
Sample D - cryptoapi.dll (Resource: 105)\r\nHashes\r\nType of Hash Hash\r\nMD5 a67311ec502593630307a5f3c220dc59\r\nSHA1 74b0c62737f43b0138cfae0d0972178a14fbea10\r\nSHA-256 67bc775cc1a58930201ef247ace86cc5c8569057d4911a8e910ac2263c8eb880\r\nssdeep 3072:/eZCuX04e/tmjQFFTNna3bFy99f3bay/FjIJA:/eZbUIj4zaLFw9/JI+\r\nVirusTotal results for sample D\r\nAV product Result\r\nCAT-QuickHeal Backdoor.Pfinet\r\nMcAfee Generic.dx!ueu\r\nK7AntiVirus Riskware\r\nVirusBuster Backdoor.Agent!JK8atQHb1PQ\r\nSymantec Backdoor.Pfinet\r\nNorman W32/Suspicious_Gen3.JVLR\r\nTrendMicro-HouseCall TROJ_GEN.R47C3JS\r\nAvast Win32:Malware-gen\r\nKaspersky UDS:DangerousObject.Multi.Generic\r\nBitDefender Backdoor.Generic.264016\r\nEmsisoft Backdoor.SuspectCRC!IK\r\nComodo UnclassifiedMalware\r\nF-Secure Backdoor.Generic.264016\r\nVIPRE Trojan.Win32.Generic!BT\r\nAntiVir TR/ATRAPS.Gen\r\nTrendMicro TROJ_GEN.R47C3JS\r\nMcAfee-GW-Edition Heuristic.BehavesLike.Win32.Suspicious.H\r\nGData Backdoor.Generic.264016\r\nAhnLab-V3 Backdoor/Win32.Pfinet\r\nPCTools Backdoor.Pfinet\r\nIkarus Backdoor.SuspectCRC\r\nPanda Trj/CI.A\r\nAvast5 Win32:Malware-gen\r\nScanned: 2011-05-08 11:16:36 - 42 scans - 23 detections (54.0%)\r\nFile characteristics\r\nMeta data\r\nSize: 135168 bytes\r\nType: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nDate: 0x4AC5A662 [Fri Oct 2 07:06:10 2009 UTC]\r\nEP: 0x20015d85 .text 0/5\r\nCRC: Claimed: 0x0, Actual: 0x2ccd6 [SUSPICIOUS]\r\nExports\r\nFlags : 00000000\r\nTime stamp : Fri Oct 2 09:06:07 2009\r\nVersion : 0.0\r\nDLL name : carbon_system.dll\r\nOrdinals base : 1. (00000001)\r\n# of Addresses: 1. (00000001)\r\n# of Names : 1. (00000001)\r\n 1. 00002655 ModuleStart\r\nSections\r\nName VirtAddr VirtSize RawSize Entropy\r\n--------------------------------------------------------------------------------\r\n.text 0x1000 0x150d5 0x16000 6.417399\r\n.basein 0x17000 0x97 0x1000 0.418760 [SUSPICIOUS]\r\n.rdata 0x18000 0x5380 0x6000 6.450645\r\n.data 0x1e000 0x15e0 0x1000 5.450370\r\n.reloc 0x20000 0x15e4 0x2000 4.991237\r\nStrings\r\n$Id: t_utils.c 5503 2007-02-26 13:14:30Z vlad $\r\n$Id: t_status.c 5666 2007-03-19 16:18:00Z vlad $\r\n$Id: t_message1.c 5290 2007-01-26 11:15:03Z vlad $\r\n$Id: t_manager.c 8715 2007-11-29 16:04:46Z urik $\r\n$Id: t_byte1.c 5324 2007-01-30 12:45:35Z vlad $\r\n$Id: np_win32_common.c 4483 2006-08-30 13:13:51Z vlad $\r\n$Id: m_np.c 8825 2008-01-10 13:13:15Z vlad $\r\n$Id: m_frag.c 8715 2007-11-29 16:04:46Z urik $\r\n$Id: m2_to_b2_stub.c 4477 2006-08-28 15:58:21Z vlad $\r\n$Id: l1_check.c 4477 2006-08-28 15:58:21Z vlad $\r\n$Id: b_tcp.c 8474 2007-09-19 15:40:39Z vlad $\r\n$Id: b2_to_m2_stub.c 5273 2007-01-23 17:41:15Z vlad $\r\n$Id: thread.c 4593 2006-10-12 11:43:29Z urik $\r\n$Id: rw_lock.c 4482 2006-08-30 13:07:14Z vlad $\r\n$Id: mutex.c 3940 2006-03-20 16:47:16Z vlad $\r\n$Id: load_lib_win32.c 10180 2008-11-20 12:13:01Z gilg $\r\n$Id: hide_module_win32.c 10189 2008-11-25 14:25:41Z gilg $\r\n\\\\.\\IdeDrive1\\\\Tasks\\\r\n\\\\.\\IdeDrive1\\\\Results\\\r\nGlobal\\MSDBG.Global.MUTEX.ATF\r\nGlobal\\WindowsShellHWDetection\r\nGlobal\\MSCTF.Shared.MUTEX.RPM\r\nGlobal\\881F0621AC59C4c035A5DC92158AB85E\r\nGlobal\\411A5195CD73A8a710E4BB16842FA42C\r\nGlobal\\MSMMC.StartupEnvironment.PPT\r\n\\\\.\\IdeDrive1\\\\log.txt\r\nTR|%d|\r\nSR|%d|\r\nST|Carbon v3.61|\r\n\\\\.\\IdeDrive1\\\\*.bak\r\n\\\\.\\IdeDrive1\\\\\r\n\\\\.\\IdeDrive1\\\\Tasks\\task.txt\r\n\\\\.\\IdeDrive1\\\\Tasks\\task_system.txt\r\n\\\\.\\IdeDrive1\\\\Tasks\\*.tmp\r\n\\\\.\\IdeDrive1\\\\config.txt\r\nsys_winmin\r\nTIME\r\nsys_winmax\r\n\\\\.\\IdeDrive1\\\\restrans.txt\r\nquantity\r\nCW_LOCAL\r\naddress\r\nobject\r\nD:(A;OICIID;GRGWGX;;;WD)\r\nCarbon v3.61\r\nSystem\r\nVERSION\r\nobject_id\r\nNAME\r\nCW_INET\r\nlogperiod\r\nOPER|Survive me, i`m close to death... free space less than 5%%...|\r\nOPER|Low space... free space less than 10%%...|\r\nZwWow64ReadVirtualMemory64\r\nExitThread\r\nLdrGetProcedureAddress\r\nZwTerminateThread\r\nCreateRemoteThread\r\n\\System32\\\r\n\\SysWOW64\\\r\nOPER|Wrong timeout: high \u003c low|\r\n%02d/%02d/%02d|%02d:%02d:%02d|%s|s|\r\nCreateToolhelp32Snapshot() failed: %d\r\ntcpdump.exe\r\nwindump.exe\r\nethereal.exe\r\nwireshark.exe\r\nettercap.exe\r\nsnoop.exe\r\nOPER|Sniffer '%s' running... ooopppsss...|\r\n%x-%x-%x-%x\r\nrun_task_system\r\nWORKDATA\r\n\\\\.\\IdeDrive1\\\\Results\\result.txt\r\nI|%d|\r\ntask_min\r\ntask_max\r\nT|s|%d|\r\n%u|1|%s|%s\r\n%u|2|%s|%s|%s\r\nT|e|%d|\r\nstart\r\ntime2task\r\ncmd.exe\r\nCONFIG\r\nstdout\r\nRESULT\r\nCOMPRESSION\r\nDELETE\r\n%u|%s|%s\r\n%u|%s|%s|%s\r\nTask not execute. Arg file failed.\r\nT|-1|%d|%d|\r\nAS_USER:LogonUser():%d\r\nAS_USER:DuplicateTokenEx():%d\r\nexplorer.exe\r\nAS_CUR_USER:OpenProcessToken():%d\r\nAS_CUR_USER:DuplicateTokenEx():%d\r\nCrPr() wait timeout %d msec exceeded: %d\r\nCrPr() WaitForSingleObject() error: %d\r\nCrPr(),WL(),AU():%d\r\nCopyFile(%s, %s):%d\r\nMemory allocation error. Use no compression\r\nfrag.np\r\n\\\\.\\Global\\PIPE\\comnode\r\nfrag_size=32768\r\nfrag_no_scrambling=1\r\nallow=*everyone\r\nactive_con\r\nfrag.tcp/%s:445\r\nfrag.np/%s\r\n\\\\.\\IdeDrive1\\\\logtrans.txt\r\nA|2|%s|\r\nW|%s|%s|\r\nm_send() ZERO1 failed\r\nW|%s|%s|%s|\r\n\\*.tmp\r\nm_send() ZERO2 failed\r\nR|%s|%d|\r\n\\\\%s\\pipe\\comnode\r\nfrag.tcp\r\nnet_user=\r\nnet_password=\r\nwrite_peer_nfo=%c%s%c\r\nP|0|%s|%d|\r\nP|-1|%d|%s|%d|\r\nP|-1|%d|%d|\r\nnodelay=N\r\nW|-1|%d|%s|\r\nSEND AUTH\r\nW|-1|%d|%s|%s|\r\nRECV AUTH\r\nAUTH FAILED\r\nSEND WHO\r\nSEND OBJECT_ID\r\nlogmin\r\nlogmax\r\nlastsend\r\nS|0|%s|\r\nS|-1|%d|%s|\r\nTask %d failed %s, %d\r\nA|-1|%u|%s|%s|\r\ntimestop\r\nlastconnect\r\n.bak\r\n%u:%u:%u:%u:%u\r\nFreeze Ok.\r\n\\$NtUninstallQ722833$\\usbdev.sys\r\n\\\\.\\IdeDrive1\\\\usbdev.bak\r\n\\\\.\\IdeDrive1\\\\inetpub.bak\r\n\\\\.\\IdeDrive1\\\\inetpub.dll\r\n\\\\.\\IdeDrive1\\\\cryptoapi.bak\r\n\\\\.\\IdeDrive1\\\\cryptoapi.dll\r\nUpdate Ok.\r\nUpdate failed =(( Can`t create file.\r\n\\\\.\\IdeDrive1\\\\Plugins\\\r\nCan't create file '%s', error %d =((\r\nCreate plugin '%s' OK.\r\nCreate plugin '%s' failed. Write error, %d.\r\nPLUGINS\r\nFind existing record.\r\nnot_started|%d\r\nConfig update success.\r\nenable%s\r\nConfig record error: %s = %s.\r\nPlugin not found in config.\r\nPlugin already loaded.\r\nModuleStart\r\ncan`t find entry point.\r\nloadlibrary() failed.\r\nPlugin start failed, %d\r\ntry to run dll with user priv.\r\ncan`t get characs.\r\nPlugin not PE format.\r\nPlugin start success.\r\nPlugin start failed.\r\ndisable%s\r\nremoved%s\r\nPlugin not loaded.\r\nPlugin deleted.\r\nPlugin delete failed, %d.\r\nPlugin terminated.\r\nPlugin terminate failed, %d.\r\nModuleStop\r\nPlugin dll stop success.\r\nPlugin dll stop failed.\r\nPlugin freelib success.\r\nPlugin freelib failed, %d.\r\nInternal command not support =((\r\n%u|1|%s\r\nG|0|%d|%d|\r\nW|0|%s|%d|\r\nA|0|%s|%d|\r\n%u|%s|%s|%s|%s\r\n%u|%s|%s|%s|%s|%d|%s|%s\r\n%u|%s|%s|%s|%s|%d\r\nW|1|%s|%d|\r\nA|1|%s|%d|\r\n%s:%d\r\n\\\\%s\\pipe\\%s\r\nm_create() failed.\r\nnet_user=%s\r\nnet_password=%s\r\nm_setoptlist() failed.\r\nm_connect() failed.\r\nm_send() AUTH failed.\r\nm_recv() AUTH failed.\r\nAUTH failed.\r\nm_send() WHO failed.\r\nm_send() OBJECT failed.\r\nm_recv() OBJECT failed.\r\nTrans task %d for obj %s ACTIVE fail robj=%s\r\nOBJECT ACK failed.\r\nm_send() TASK failed.\r\nm_recv() WIN RESULT failed.\r\nm_recv() ACT RESULT failed.\r\nm_send() ACT RESULT failed.\r\nenable\r\nL|-1|can`t find entry point %s|\r\nL|-1|loadlibrary() failed %d|\r\nL|-1|%s|%d|\r\nL|-1|try to run dll %s with user priv|\r\nL|-1|can`t get characs %s|\r\nL|-1|not PE format %s|\r\nL|-1| parse error %s|\r\nL|-1| parse error %s|\r\nL|0|%s|\r\nL|-1|AS_CUR_USER:OpenProcessToken():%d, %s|\r\nL|-1|AS_CUR_USER:DuplicateTokenEx():%d, %s|\r\nL|-1|AS_CUR_USER:LogonUser():%d, %s|\r\nL|-1|wrong priv %s|\r\nL|-1|CreateProcessAsUser():%d, %s|\r\nD:AI\r\nTCP: resolving host name...\r\nTCP: resolved %s\r\nTCP: closed.\r\nTCP: connecting...\r\nnodelay\r\nY1N0\r\nTCP: send\r\nTCP: recv\r\n%s:%u\r\nFrag: send\r\nfrag_size\r\nfrag_no_scrambling\r\npeer_frag_size\r\n\\\\.\\pipe\\\r\nallow\r\n*everyone\r\nread_peer_nfo\r\nwrite_peer_nfo\r\nnet_user\r\nnet_password\r\nimp_level\r\nno_server_hijack\r\nevery1\r\nanonymous\r\n\\pipe\\\r\n\\ipc$\r\nfrag\r\ntransports\r\nlicence error\r\n
Sample E - usbdev.sys - x64 (Resource: 161)\r\nHashes\r\nType of Hash Hash\r\nMD5 62e9839bf0b81d7774a3606112b318e8\r\nSHA1 6f2e50c5f03e73e77484d5845d64d952b038a12b\r\nSHA-256 39050386f17b2d34bdbd118eec62ed6b2f386e21500a740362454ed73ea362e8\r\nssdeep 3072:S9f3buYUVKa6a1206K55kL+tkA3qkQQ0dwZATH:S9iYUImo06KXkL+qA6kf0dwK\r\nVirusTotal results for sample E\r\nAV product Result\r\nMcAfee+Artemis Pfinet\r\nnProtect Trojan/W32.Agent.228352.W\r\nMcAfee Pfinet\r\nF-Prot W32/Pfinet.A\r\na-squared Backdoor.Pfinet!IK\r\nAvast Win32:Malware-gen\r\nClamAV Trojan.Agent-126457\r\nKaspersky Trojan.Win32.Agent.czua\r\nBitDefender Trojan.Generic.2617254\r\nComodo TrojWare.Win32.Agent.czua\r\nF-Secure Trojan:W64/Carbys.gen!A\r\nDrWeb Trojan.Siggen.27969\r\nTrendMicro TROJ_PFINET.A\r\nAuthentium W32/Pfinet.A\r\nJiangmin Trojan/Agent.dcrw\r\nAntiy-AVL Trojan/Win32.Agent.gen\r\nSymantec Backdoor.Pfinet\r\nMicrosoft Backdoor:WinNT/Pfinet.B\r\nGData Trojan.Generic.2617254\r\nVBA32 Trojan.Win32.Agent.czua\r\nPCTools Backdoor.Pfinet\r\nIkarus Backdoor.Pfinet\r\nAVG Agent2.YKW\r\nPanda Rootkit/Agent.MXI\r\nScanned: 2009-12-27 12:15:01 - 40 scans - 24 detections (60.0%)\r\nFile characteristics\r\nMeta data\r\nSize: 228352 bytes\r\nType: PE32+ executable (DLL) (native) x86-64, for MS Windows\r\nDate: 0x4AC48FE7 [Thu Oct 1 11:17:59 2009 UTC]\r\nEP: 0x21454 .text 0/6\r\nCRC: Claimed: 0x397f7, Actual: 0x397f7\r\nSections\r\nName VirtAddr VirtSize RawSize Entropy\r\n--------------------------------------------------------------------------------\r\n.text 0x1000 0x2126c 0x21400 6.518352\r\n.basein 0x23000 0xc7 0x200 2.902918\r\n.data 0x24000 0x23a3c 0x13400 1.284443\r\n.pdata 0x48000 0x10b0 0x1200 5.035513\r\nINIT 0x4a000 0x10ce 0x1200 4.944873\r\n.reloc 0x4c000 0x99a 0xa00 4.576183\r\nStrings\r\nThe strings correspond mostly to the ones of Sample B.\r\n
Sample F - inetpub.dll - x64 (Resource: 162)\r\nHashes\r\nType of Hash Hash\r\nMD5 e1ee88eda1d399822587eb58eac9b347\r\nSHA1 32287d26656587c6848902dbed8086c153d94ee7\r\nSHA-256 92c2023095420de3ca7d53a55ed689e7c0086195dc06a4369e0ee58a803c17bb\r\nssdeep 3072:vr84EaVK9B9MklzeALxqS6kcLyHFQ+vYnb9f3bkrlESXdMQyFc8:QPp9B9MkllLMScLmsb9IKrF1\r\nVirusTotal results for sample F\r\nAV product Result\r\nSymantec Backdoor.Pfinet\r\nScanned: 2014-03-23 21:27:06 - 51 scans - 1 detections (1.0%)\r\nFile characteristics\r\nMeta data\r\nSize: 113664 bytes\r\nType: PE32+ executable (DLL) (GUI) x86-64, for MS Windows\r\nDate: 0x4AC5A6C2 [Fri Oct 2 07:07:46 2009 UTC]\r\nEP: 0x200149d0 .text 0/5\r\nCRC: Claimed: 0x0, Actual: 0x1e6b8 [SUSPICIOUS]\r\nSections\r\nName VirtAddr VirtSize RawSize Entropy\r\n--------------------------------------------------------------------------------\r\n.text 0x1000 0x13b8d 0x13c00 6.247940\r\n.rdata 0x15000 0x582e 0x5a00 6.692290\r\n.data 0x1b000 0x1ae0 0x1400 4.598089\r\n.pdata 0x1d000 0x8c4 0xa00 4.522066\r\n.reloc 0x1e000 0x248 0x400 2.325587\r\nStrings\r\nThe strings correspond mostly to the ones of Sample C.\r\n
Sample G - cryptoapi.dll - x64 (Resource: 165)\r\nHashes\r\nType of Hash Hash\r\nMD5 a7853bab983ede28959a30653baec74a\r\nSHA1 eee11da421c7268e799bd938937e7ef754a895bf\r\nSHA-256 0e3842bd092db5c0c70c62e8351649d6e3f75e97d39bbfd0c0975b8c462a65ca\r\nssdeep 3072:U/ylCK5WUZFspUjcF65zlEzEOflC9Pw6OPEH66kcXF9f3b6ivgCUHXM:1gWWUrg3ANOP+6cXF9/u\r\nVirusTotal results for sample G\r\nAV product Result\r\nSymantec Backdoor.Pfinet\r\nAntiVir TR/ATRAPS.Gen2\r\nScanned: 2014-03-23 21:26:59 - 51 scans - 2 detections (3.0%)\r\nFile characteristics\r\nMeta data\r\nSize: 147968 bytes\r\nType: PE32+ executable (DLL) (GUI) x86-64, for MS Windows\r\nDate: 0x4AC5A685 [Fri Oct 2 07:06:45 2009 UTC]\r\nEP: 0x2001bd80 .text 0/6\r\nCRC: Claimed: 0x0, Actual: 0x32c9f [SUSPICIOUS]\r\nSections\r\nName VirtAddr VirtSize RawSize Entropy\r\n--------------------------------------------------------------------------------\r\n.text 0x1000 0x1af6d 0x1b000 6.195387\r\n.basein 0x1c000 0xc7 0x200 2.902918\r\n.rdata 0x1d000 0x66f0 0x6800 6.585248\r\n.data 0x24000 0x1b00 0x1400 4.647566\r\n.pdata 0x26000 0xad4 0xc00 4.848795\r\n.reloc 0x27000 0x2a6 0x400 2.344107\r\nStrings\r\nThe strings correspond mostly to the ones of Sample D.\r\n
Sample H - config.txt\r\nHashes\r\nType of Hash Hash\r\nMD5 08cbc46302179c4cda4ec2f41fc9a965\r\nSHA1 6a905818f9473835ac90fc38b9ce3958bfb664d6\r\nSHA-256 3576035105b4714433331dff1f39a50d55f4548701b6ab8343a16869903ebc3c\r\nContent\r\n[NAME]\r\nobject_id=\r\n\r\n\r\n[TIME]\r\nuser_winmin = 600000\r\nuser_winmax = 1200000\r\nsys_winmin = 3600000\r\nsys_winmax = 3700000\r\ntask_min = 20000\r\ntask_max = 30000\r\ncheckmin = 60000\r\ncheckmax = 70000\r\nlogmin = 600000\r\nlogmax = 1200000\r\nlastconnect=\r\ntimestop=\r\nactive_con = 900000\r\ntime2task=3600000\r\n\r\n\r\n[CW_LOCAL]\r\nquantity = 0\r\n\r\n[CW_INET]\r\nquantity = 0\r\n\r\n\r\n[TRANSPORT]\r\nuser_pipe = \\\\.\\pipe\\userpipe\r\nsystem_pipe = \\\\.\\pipe\\iehelper\r\n\r\n\r\n[DHCP]\r\nserver = 135\r\n\r\n\r\n[LOG]\r\nlastsend =\r\nlogperiod = 
7200\r\n41\r\n42[WORKDATA]\r\n43run_task=\r\n44run_task_system=\r\nAnalysis - Payload\r\nSample B - usbdev.sys (Resource: 101)\r\nA very extensive analysis of a similar kernel module of Sample B (usbdev.sys) has been documented in ‘Uroburos: the\r\nsnake rootkit’\r\n2\r\n by deresz and tecamac.\r\nSample B also checks for the presence of infection markers in form of events:\r\n.text:00023210 push ebp\r\n.text:00023211 mov ebp, esp\r\n.text:00023213 sub esp, 130h\r\n.text:00023219 mov [ebp+string.Length], 70h\r\n.text:0002321F mov [ebp+string.MaximumLength], 72h\r\n.text:00023225 mov [ebp+string.Buffer], offset aBasenamedobjec ; \"\\\\BaseNamedObjects\\\\{B93DFED5-9A3B\r\n.text:0002322C lea eax, [ebp+var_110]\r\n.text:00023232 mov [ebp+SecurityDescriptor], eax\r\n.text:00023235 mov [ebp+ObjectAttributes.Length], 18h\r\n.text:0002323F mov [ebp+ObjectAttributes.RootDirectory], 0\r\n.text:00023249 mov [ebp+ObjectAttributes.Attributes], 40h\r\n.text:00023253 lea ecx, [ebp+string]\r\n.text:00023256 mov [ebp+ObjectAttributes.ObjectName], ecx\r\n.text:0002325C mov [ebp+ObjectAttributes.SecurityDescriptor], 0\r\n.text:00023266 mov [ebp+ObjectAttributes.SecurityQualityOfService], 0\r\n.text:00023270 lea edx, [ebp+ObjectAttributes]\r\n.text:00023276 push edx ; ObjectAttributes\r\n.text:00023277 push 1F0003h ; DesiredAccess\r\n.text:0002327C lea eax, [ebp+EventHandle]\r\n.text:00023282 push eax ; EventHandle\r\n.text:00023283 call ZwOpenEvent\r\nor as pseudo-code:\r\n 1 string.Length = 0x70;\r\n 2 string.MaximumLength = 0x72;\r\n 3 string.Buffer = L\"\\\\BaseNamedObjects\\\\{B93DFED5-9A3B-459b-A617-59FD9FAD693E}\";\r\n 4 SecurityDescriptor = \u0026v4;\r\n 5 ObjectAttributes.Length = 24;\r\n 6 ObjectAttributes.RootDirectory = 0;\r\nhttps://www.circl.lu/pub/tr-25/\r\nPage 30 of 51\n\n7 ObjectAttributes.Attributes = OBJ_CASE_INSENSITIVE;\r\n 8 ObjectAttributes.ObjectName = \u0026string;\r\n 9 ObjectAttributes.SecurityDescriptor = 0;\r\n10 ObjectAttributes.SecurityQualityOfService 
= 0;\r\n11 if ( ZwOpenEvent(\u0026EventHandle, 0x1F0003u, \u0026ObjectAttributes) )\r\n12 {\r\n13 ...\r\nThat means, the famous Agent.btz marker\r\n\\BaseNamedObjects\\{B93DFED5-9A3B-459b-A617-59FD9FAD693E}\r\nis checked directly using a UNICODE_STRING structure without using RtlInitUnicodeString(). A brief comparison with\r\nother samples, like\r\nType of Hash Hash\r\nMD5 57770d70b704811e8ac13893337cea32\r\nSHA1 0e6dff1007b6a5f744b2bc90978496328c95ed11\r\nSHA-256 65fdaf08e562611ce58f1d427f198f8743d88a68e1c4d92afe6dc6251e8a3112\r\nor\r\nType of Hash Hash\r\nMD5 06a3f5df6ac23db15ba52581a38c725b\r\nSHA1 a6cc9d9034637192d264cb4e9b6b83b70cc36da9\r\nSHA-256 43e71b993d6e7c977caaf2ed7610a71758734d87ec2ceb20a84e573ea05a01b3\r\nshows, that this marker is checked in the same way.\r\nThe analysis of this kernel module by deresz and tecamac is very detailed. We advise the interested reader to work through\r\ntheir document to understand all the details.\r\nImplemented transports\r\nIn this module, the following transport or communication modules are present:\r\nType 1: tcp\r\nType 2: np, m2b\r\n-\u003e TODO: Compare this with the observed transports in\r\nuserland modules\r\nmodules described in other reports\r\nDisassembler Library\r\nhttps://www.circl.lu/pub/tr-25/\r\nPage 31 of 51\n\nThis sample contains a large chunk of code taken from the Udis86 Disassembler Library for x86 / x86-64 project6\r\nRawDisk1, RawDisk2 and fixdata.dat\r\nThe devices\r\n\\Device\\RawDisk1\r\n\\Device\\RawDisk2\r\nand the file\r\n\\SystemRoot\\$NtUninstallQ722833$\\fixdata.dat\r\nare already known from other reports.\r\nIf the file fixdata.dat could successfully be created within the function\r\n 1NTSTATUS create\\_fixdata_dat()\r\n 2{\r\n 3 char v1;\r\n 4 NTSTATUS error;\r\n 5 OBJECT_ATTRIBUTES ObjectAttributes;\r\n 6 LARGE_INTEGER AllocationSize;\r\n 7 UNICODE_STRING Name;\r\n 8 UINT_PTR ViewSize;\r\n 9 __int64 FileInformation;\r\n10 struct _IO_STATUS_BLOCK IoStatusBlock;\r\n11\r\n12 
Name.Length = 0x58;\r\n13 Name.MaximumLength = 0x5A;\r\n14 Name.Buffer = L\"\\\\SystemRoot\\\\$NtUninstallQ722833$\\\\fixdata.dat\";\r\n15 ObjectAttributes.Length = 24;\r\n16 ObjectAttributes.RootDirectory = 0;\r\n17 ObjectAttributes.Attributes = OBJ_CASE_INSENSITIVE;\r\n18 ObjectAttributes.ObjectName = \u0026Name;\r\n19 ObjectAttributes.SecurityDescriptor = 0;\r\n20 ObjectAttributes.SecurityQualityOfService = 0;\r\n21 AllocationSize = 0x6400000i64;\r\n22 error = call_IoCreateFile(\r\n23 \u0026FileHandle,\r\n24 FILE_ADD_FILE|FILE_LIST_DIRECTORY,\r\n25 \u0026ObjectAttributes,\r\n26 \u0026IoStatusBlock,\r\n27 \u0026AllocationSize,\r\n28 FILE_ATTRIBUTE_NORMAL,\r\n29 0,\r\n30 FILE_OPEN_IF,\r\n31 FILE_RANDOM_ACCESS|FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_NO_INTERMEDIATE_B\r\n32 0,\r\n33 0);\r\n34 if ( !error )\r\nhttps://www.circl.lu/pub/tr-25/\r\nPage 32 of 51\n\n35 {\r\n36 dword_5BDEC = FileHandle;\r\n37 if ( IoStatusBlock.Information == 2 )\r\n38 {\r\n39 FileInformation = AllocationSize.QuadPart;\r\n40 error = ZwSetInformationFile(FileHandle, \u0026IoStatusBlock, \u0026FileInformation, 8u, FileEndOfFileInformat\r\n41 if ( error )\r\n42 goto LABEL_10;\r\n43 v1 = 1;\r\n44 }\r\n45 else\r\n46 {\r\n47 v1 = 0;\r\n48 }\r\n49 ObjectAttributes.Length = 24;\r\n50 ObjectAttributes.RootDirectory = 0;\r\n51 ObjectAttributes.Attributes = 0;\r\n52 ObjectAttributes.ObjectName = 0;\r\n53 ObjectAttributes.SecurityDescriptor = 0;\r\n54 ObjectAttributes.SecurityQualityOfService = 0;\r\n55 error = ZwCreateSection(\u0026gSectionHandle, 6u, \u0026ObjectAttributes, 0, 4u, 0x18000000u, FileHandle);\r\n56 if ( !error )\r\n57 {\r\n58 ViewSize = 0;\r\n59 error = ZwMapViewOfSection(gSectionHandle, 0xFFFFFFFF, \u0026BaseAddress_0, 0, 0, 0, \u0026ViewSize, ViewUnmap\r\n60 if ( !error )\r\n61 {\r\n62 gViewSize = ViewSize;\r\n63 dword_4FBD4[0] = 0;\r\n64 if ( v1 )\r\n65 sub_2F6E0(0, gViewSize, 2, gViewSize \u003e\u003e 15, 32, 0x200u);\r\n66 }\r\n67 }\r\n68 }\r\n69LABEL_10:\r\n70 
if ( error )\r\n71 {\r\n72 if ( BaseAddress_0 )\r\n73 {\r\n74 ZwUnmapViewOfSection(0xFFFFFFFF, BaseAddress_0);\r\n75 BaseAddress_0 = 0;\r\n76 }\r\n77 if ( gSectionHandle )\r\n78 {\r\n79 ZwClose_1(gSectionHandle);\r\n80 gSectionHandle = 0;\r\n81 }\r\n82 ZwClose_1(FileHandle);\r\n83 FileHandle = 0;\r\n84 }\r\nhttps://www.circl.lu/pub/tr-25/\r\nPage 33 of 51\n\n85 return error;\r\n86}\r\nalso the devices are created within this function:\r\n 1NTSTATUS create_file_rawdisk()\r\n 2{\r\n 3 NTSTATUS ERROR;\r\n 4 OBJECT_ATTRIBUTES ObjectAttributes;\r\n 5 LSA_UNICODE_STRING DestinationString;\r\n 6 UINT_PTR ViewSize;\r\n 7\r\n 8 if ( disks_initialized )\r\n 9 {\r\n 10 ERROR = 0;\r\n 11 }\r\n 12 else if ( DriverObject )\r\n 13 {\r\n 14 sub_2DFD0(\u0026Lock);\r\n 15 KeInitializeEvent(\u0026Event, SynchronizationEvent, 0);\r\n 16 sub_2DFB0(\u0026ListHead);\r\n 17 ERROR = sub_2F490();\r\n 18 if ( !ERROR )\r\n 19 {\r\n 20 RtlInitUnicodeString(\u0026DestinationString, L\"\\\\Device\\\\RawDisk1\");\r\n 21 ERROR = IoCreateDevice(\r\n 22 DriverObject,\r\n 23 0,\r\n 24 \u0026DestinationString,\r\n 25 FILE_DEVICE_DISK,\r\n 26 FILE_REMOVABLE_MEDIA,\r\n 27 0,\r\n 28 \u0026DeviceObject_RawDisk1);\r\n 29 if ( !ERROR )\r\n 30 {\r\n 31 ERROR = call_SeSetSecurityDescriptorInfo(DeviceObject_RawDisk1);\r\n 32 if ( !ERROR )\r\n 33 {\r\n 34 DeviceObject_RawDisk1-\u003eFlags = (DeviceObject_RawDisk1-\u003eFlags | 0x10);\r\n 35 DeviceObject_RawDisk1-\u003eFlags = DeviceObject_RawDisk1-\u003eFlags \u0026 0xFFFFFF7F;\r\n 36 ObjectAttributes.Length = 24;\r\n 37 ObjectAttributes.RootDirectory = 0;\r\n 38 ObjectAttributes.Attributes = 0;\r\n 39 ObjectAttributes.ObjectName = 0;\r\n 40 ObjectAttributes.SecurityDescriptor = 0;\r\n 41 ObjectAttributes.SecurityQualityOfService = 0;\r\n 42 MaximumSize = 0x1000000i64;\r\n 43 ERROR = ZwCreateSection(\u0026SectionHandle, 6u, \u0026ObjectAttributes, \u0026MaximumSize, 4u, 0x18000000u, 0\r\n 44 if ( !ERROR )\r\n 45 {\r\nhttps://www.circl.lu/pub/tr-25/\r\nPage 34 
of 51\n\n46 ViewSize = MaximumSize.LowPart;\r\n 47 ERROR = ZwMapViewOfSection(SectionHandle, 0xFFFFFFFF, \u0026BaseAddress, 0, 0, 0, \u0026ViewSize, ViewU\r\n 48 if ( !ERROR )\r\n 49 {\r\n 50 MaximumSize = ViewSize;\r\n 51 RtlInitUnicodeString(\u0026DestinationString, L\"\\\\Device\\\\RawDisk2\");\r\n 52 ERROR = IoCreateDevice(\r\n 53 DriverObject,\r\n 54 0,\r\n 55 \u0026DestinationString,\r\n 56 FILE_DEVICE_DISK,\r\n 57 FILE_REMOVABLE_MEDIA,\r\n 58 0,\r\n 59 \u0026DeviceObject_RawDisk2);\r\n 60 if ( !ERROR )\r\n 61 {\r\n 62 ERROR = call_SeSetSecurityDescriptorInfo(DeviceObject_RawDisk2);\r\n 63 if ( !ERROR )\r\n 64 {\r\n 65 DeviceObject_RawDisk2-\u003eFlags = (DeviceObject_RawDisk2-\u003eFlags | 0x10);\r\n 66 DeviceObject_RawDisk2-\u003eFlags = DeviceObject_RawDisk2-\u003eFlags \u0026 0xFFFFFF7F;\r\n 67 sub_2F6E0(1, MaximumSize.LowPart, 2, MaximumSize.LowPart \u003e\u003e 15, 32, 0x200u);\r\n 68 byte_4FBBD = 0;\r\n 69 ERROR = create_system_threads(\u0026handle, sub_2EFB0, 0, 0);\r\n 70 disks_initialized = 1;\r\n 71 }\r\n 72 }\r\n 73 }\r\n 74 }\r\n 75 }\r\n 76 }\r\n 77 }\r\n 78 if ( ERROR )\r\n 79 {\r\n 80 if ( DeviceObject_RawDisk1 )\r\n 81 {\r\n 82 IoDeleteDevice(DeviceObject_RawDisk1);\r\n 83 DeviceObject_RawDisk1 = 0;\r\n 84 }\r\n 85 if ( DeviceObject_RawDisk2 )\r\n 86 {\r\n 87 IoDeleteDevice(DeviceObject_RawDisk2);\r\n 88 DeviceObject_RawDisk2 = 0;\r\n 89 }\r\n 90 if ( BaseAddress )\r\n 91 {\r\n 92 ZwUnmapViewOfSection(0xFFFFFFFF, BaseAddress);\r\n 93 BaseAddress = 0;\r\n 94 }\r\n 95 if ( SectionHandle )\r\nhttps://www.circl.lu/pub/tr-25/\r\nPage 35 of 51\n\n96 {\r\n 97 ZwClose_1(SectionHandle);\r\n 98 SectionHandle = 0;\r\n 99 }\r\n100 }\r\n101 }\r\n102 else\r\n103 {\r\n104 ERROR = 0xC0000001;\r\n105 }\r\n106 return ERROR;\r\n107}\r\nDecryption of string for VFS drive\r\nThe authors demonstrate that they have a sense of humor. 
In the following example, they decrypt (XOR) the strings used to assemble the locations where the other components of the malware are dropped. The final destinations are:

\.\IdeDrive1\cryptoapi.dll
\.\IdeDrive1\inetpub.dll

But have a closer look at how they decrypt the string:

[...]
.text:0001E122 mov [ebp+xor_key], 4E415341h ; key
.text:0001E129 mov [ebp+part_1], 7253605h ; part 1 encrypted
.text:0001E130 mov [ebp+part_2], 3C282524h ; part 2 encrypted
[...]
.text:0001E17B mov eax, [ebp+part_1]
.text:0001E17E xor eax, [ebp+xor_key] ; decrypt part 1: IdeD
.text:0001E181 mov [ebp+part_1], eax
[...]
.text:0001E184 mov ecx, [ebp+part_2]
.text:0001E18A xor ecx, [ebp+xor_key] ; decrypt part 2: rive
.text:0001E18D mov [ebp+part_2], ecx
[...]

They are seriously using the key 0x4E415341 to decrypt the string. 0x4E415341 is ASCII for 'NASA'. That is how they decrypt and assemble the string IdeDrive, appending a '1' in the next step and using it for creating the destination.
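The decryption step above, reproduced as an added example (not code from the CIRCL report): the constants are the immediates from the disassembly, the byte swap stands in for the sample's order_bytes() routine, and the two sprintf() format strings are filled the same way the excerpt does, so the resulting VFS paths can be used as file-system indicators.

```python
# Added example (not from the CIRCL report): reproduce the 'NASA'-keyed XOR
# string decryption and assemble the resulting VFS paths. The three constants
# are taken from the disassembly excerpt; everything else is ours.

XOR_KEY = 0x4E415341          # [ebp+xor_key]; reads "NASA" as ASCII
PART_1_ENC = 0x07253605       # [ebp+part_1], encrypted
PART_2_ENC = 0x3C282524       # [ebp+part_2], encrypted


def key_as_ascii(key: int) -> str:
    """Render a 32-bit immediate as the ASCII it spells when read big-endian."""
    return key.to_bytes(4, "big").decode("ascii")


def decrypt_dword(enc: int, key: int) -> bytes:
    """One round of the routine: xor the dword with the key, then swap byte order.

    The sample stores the xor result with order_bytes() (a byte swap) so that the
    string reads correctly from memory; a little-endian dword 0x49646544 would
    otherwise sit in memory as "DedI". Taking the big-endian bytes of the xor
    result is the same operation.
    """
    return ((enc ^ key) & 0xFFFFFFFF).to_bytes(4, "big")


def recover_drive_name() -> str:
    """Decrypt both parts and append the '1' the code writes after them."""
    drive = decrypt_dword(PART_1_ENC, XOR_KEY) + decrypt_dword(PART_2_ENC, XOR_KEY)
    return drive.decode("ascii") + "1"


def build_vfs_paths() -> list:
    """Fill the two sprintf() format strings from the excerpt."""
    drive = recover_drive_name()
    return ["\\??\\%s\\cryptoapi.dll" % drive, "\\??\\%s\\inetpub.dll" % drive]


if __name__ == "__main__":
    print("key  :", hex(XOR_KEY), "=", key_as_ascii(XOR_KEY))
    print("drive:", recover_drive_name())
    for path in build_vfs_paths():
        print("path :", path)
```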
Full excerpt below:

[...]
.text:0001E11B mov [ebp+var_20], 0
.text:0001E122 mov [ebp+xor_key], 4E415341h
.text:0001E129 mov [ebp+part_1], 7253605h
.text:0001E130 mov [ebp+part_2], 3C282524h
.text:0001E13A xor eax, eax
.text:0001E13C mov [ebp+drive], eax
.text:0001E142 mov [ebp+var_338], eax
.text:0001E148 mov [ebp+var_334], ax
.text:0001E14F push 104h ; size_t
.text:0001E154 push 0 ; int
.text:0001E156 lea ecx, [ebp+cryptoapi.dll]
.text:0001E15C push ecx ; void *
.text:0001E15D call memset
.text:0001E162 add esp, 0Ch
.text:0001E165 push 104h ; size_t
.text:0001E16A push 0 ; int
.text:0001E16C lea edx, [ebp+inetpub.dll]
.text:0001E172 push edx ; void *
.text:0001E173 call memset
.text:0001E178 add esp, 0Ch
.text:0001E17B mov eax, [ebp+part_1]
.text:0001E17E xor eax, [ebp+xor_key]
.text:0001E181 mov [ebp+part_1], eax
.text:0001E184 mov ecx, [ebp+part_2]
.text:0001E18A xor ecx, [ebp+xor_key]
.text:0001E18D mov [ebp+part_2], ecx
.text:0001E193 mov edx, [ebp+part_1]
.text:0001E196 push edx
.text:0001E197 call order_bytes
.text:0001E19C mov [ebp+part_1], eax
.text:0001E19F mov eax, [ebp+part_1]
.text:0001E1A2 mov [ebp+part_1], eax
.text:0001E1A5 mov ecx, [ebp+part_2]
.text:0001E1AB push ecx
.text:0001E1AC call order_bytes
.text:0001E1B1 mov [ebp+part_2], eax
.text:0001E1B7 mov edx, [ebp+part_2]
.text:0001E1BD mov [ebp+part_2], edx
.text:0001E1C3 mov eax, [ebp+part_1]
.text:0001E1C6 mov [ebp+drive], eax
.text:0001E1CC mov ecx, [ebp+part_2]
.text:0001E1D2 mov [ebp+var_338], ecx
.text:0001E1D8 lea edx, [ebp+drive]
.text:0001E1DE add edx, 0FFFFFFFFh
.text:0001E1E1 mov [ebp+var_454], edx
.text:0001E1E7 mov eax, [ebp+var_454]
.text:0001E1ED mov cl, [eax+1]
.text:0001E1F0 mov [ebp+var_455], cl
.text:0001E1F6 add [ebp+var_454], 1
.text:0001E1FD cmp [ebp+var_455], 0
.text:0001E204 jnz short loc_1E1E7
.text:0001E206 mov edi, [ebp+var_454]
.text:0001E20C mov dx, word ptr ds:a1 ; "1"
.text:0001E213 mov [edi], dx
.text:0001E216 lea eax, [ebp+drive]
.text:0001E21C push eax
.text:0001E21D push offset a??SCryptoapi_d ; "\\??\\%s\\cryptoapi.dll"
.text:0001E222 lea ecx, [ebp+cryptoapi.dll]
.text:0001E228 push ecx ; char *
.text:0001E229 call sprintf
.text:0001E22E add esp, 0Ch
.text:0001E231 lea edx, [ebp+drive]
.text:0001E237 push edx
.text:0001E238 push offset a??SInetpub_dll ; "\\??\\%s\\inetpub.dll"
.text:0001E23D lea eax, [ebp+inetpub.dll]
.text:0001E243 push eax ; char *
.text:0001E244 call sprintf
[...]

To describe:

\Registry\Machine\usblink_export
HKEY_LOCAL_MACHINE\usblink_export
(also LEGACY_usblink and usblink?)

Potentially old code

The malware checks whether the queried process has one of the following names:

bool __stdcall match_list_of_programs_by_name(char *a1)
{
  return !stricmp(a1, "iexplore.exe")
      || !stricmp(a1, "firefox.exe")
      || !stricmp(a1, "opera.exe")
      || !stricmp(a1, "netscape.exe")
      || !stricmp(a1, "mozilla.exe")
      || !stricmp(a1, "msimn.exe")
      || !stricmp(a1, "outlook.exe")
      || !stricmp(a1, "adobeupdater.exe");
}

and if so, it calls pulse_event_wininet_activate():

char __stdcall check_proces_and_activate_wininet(int a1, int a2, int a3)
{
[...]
  if ( match_list_of_programs_by_name(&program_name) )
    pulse_event_wininet_activate();
[...]
}

The event \BaseNamedObjects\wininet_activate is then created and pulsed:

NTSTATUS pulse_event_wininet_activate()
{
  NTSTATUS result;
  LSA_UNICODE_STRING DestinationString;
  OBJECT_ATTRIBUTES ObjectAttributes;
  HANDLE EventHandle;
  wchar_t SourceString;

  swprintf(&SourceString, L"\\BaseNamedObjects\\%S", "wininet_activate");
  RtlInitUnicodeString(&DestinationString, &SourceString);
  ObjectAttributes.Length = 24;
  ObjectAttributes.RootDirectory = 0;
  ObjectAttributes.Attributes = 0;
  ObjectAttributes.ObjectName = &DestinationString;
  ObjectAttributes.SecurityDescriptor = 0;
  ObjectAttributes.SecurityQualityOfService = 0;
  result = ZwOpenEvent(&EventHandle, 2u, &ObjectAttributes);
  if ( !result )
  {
    result = ZwPulseEvent(EventHandle, 0);
    ZwClose_1(EventHandle);
  }
  return result;
}

There are no references to this event, either in this module or in the other analyzed modules. Microsoft states in the documentation of the PulseEvent function [7]:

  Note  This function is unreliable and should not be used. It exists mainly for backward compatibility. For more information, see Remarks.

So it could well be that this part is old code that was forgotten and never removed.

Applying a work-around for bugs related to AMD Athlon and the AGP graphics port

From the Microsoft Support article 'AGP program may hang when using page size extension on Athlon processor' [8], the following excerpt:

  The following workaround for this issue prevents Memory Manager from using the processor's Page Size Extension feature and may affect the performance of some programs, depending on the paging behavior. This registry value also limits non-paged pool to a maximum of 128 megabytes (MB) instead of 256 MB.

int __stdcall disable_processors_page_size_extension_feature(int a1)
{
  name[0] = 0xA8;
  name[1] = 0xAA;
  *&name[2] = L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Session Manager\\Memory Managemen
  ValueName.Length = 32;
  ValueName.MaximumLength = 34;
  ValueName.Buffer = L"LargePageMinimum";
  Data = -1;
  v2 = sub_19110();
  if ( !v2 )
  {
    ObjectAttributes.Length = 24;
    ObjectAttributes.RootDirectory = 0;
    ObjectAttributes.Attributes = OBJ_CASE_INSENSITIVE;
    ObjectAttributes.ObjectName = name;
    ObjectAttributes.SecurityDescriptor = 0;
    ObjectAttributes.SecurityQualityOfService = 0;
    if ( !ZwOpenKey(&KeyHandle, 2u, &ObjectAttributes) )
    {
      ZwSetValueKey(KeyHandle, &ValueName, 0, 4u, &Data, 4u);
      ZwClose_1(KeyHandle);
    }
  }
}

Sample D - cryptoapi.dll (Resource: 105)

Original filename: carbon_system.dll
Internal name: Carbon v3.61

This component first initializes the winsock subsystem by calling WSAStartup. Right after that, it creates directories on the VFS:

  CreateDirectoryA("\\\\.\\IdeDrive1\\\\Tasks\\", (LPSECURITY_ATTRIBUTES)&Dst);
  CreateDirectoryA("\\\\.\\IdeDrive1\\\\Results\\", (LPSECURITY_ATTRIBUTES)&Dst);

Sample D is the next file in the logical execution order, as it creates the following mutexes, which are also accessed by Sample E. Sample D can be considered the main userland module: a control unit that sets up the communication with the kernel module and has the ability to load plugins dynamically at runtime. The internal name of this module, carbon_system.dll, supports this observation.

Mutexes from cryptoapi.dll

Global\\MSMMC.StartupEnvironment.PPT
Global\\411A5195CD73A8a710E4BB16842FA42C
Global\\881F0621AC59C4c035A5DC92158AB85E
Global\\MSCTF.Shared.MUTEX.RPM
Global\\WindowsShellHWDetection
Global\\MSDBG.Global.MUTEX.ATF

For read or write operations on files, exclusive access is ensured by locking them with mutexes:

Global\MSMMC.StartupEnvironment.PPT is used for operations on the configuration file.
Global\411A5195CD73A8a710E4BB16842FA42C is used to exclusively access temporary files.
Global\MSDBG.Global.MUTEX.ATF is used to exclusively access \.\IdeDrive1\log.txt.
Global\WindowsShellHWDetection is used to exclusively access \.\IdeDrive1\Results\result.txt.
Global\MSCTF.Shared.MUTEX.RPM is used to exclusively access \.\IdeDrive1\Tasks\task.txt.
Global\881F0621AC59C4c035A5DC92158AB85E is used to exclusively access \.\IdeDrive1\Tasks\task_system.txt.

During the startup of the ModuleStart() function, 6 threads are started. The first two are:

get_initialization_parameters_create_GUID_and_check_Packet_Capturing()
periodic_free_space_check_and_write_log()

These serve the purpose of initializing the environment for the malware and running maintenance and log tasks. Then a function load_transports() is called (more on that later), and then four more threads are started:

read_config_start_thread_start()
thread 5 - handles frag.np/frag.tcp requests
thread 6 - handles frag.np/frag.tcp requests
execute_plugin() - starts a new thread, calling a DLL's export ModuleStart from the \.\IdeDrive1\\Plugins\ directory

load_transports()

In this module, the following transport or communication modules are present:

Type 1: tcp, b2m
Type 2: np, frag, m2b

each associated with a set of functions:

np_functions func_obj_3 <44h, offset sub_2000FAF9, offset sub_2000FB13, \
.data:2001EE30 offset sub_2000FB2B, offset sub_2000FC37, \
.data:2001EE30 offset sub_2000FC91, offset sub_2000FD8E, \
.data:2001EE30 offset sub_2000FECC, offset sub_20010798, \
.data:2001EE30 offset sub_20010046, offset sub_2001030F, \
.data:2001EE30 offset sub_200103BA, offset sub_200103DB, \
.data:2001EE30 offset sub_2000EB1A, offset sub_2001077D, \
.data:2001EE30 offset sub_20010798, offset sub_2001079E>
frag_functions func_obj <4Ch, offset sub_2000DA6E, offset return, \
.data:2001EE78 offset sub_2000EC14, offset sub_2000EC9E, \
.data:2001EE78 offset sub_2000ECB2, offset sub_2000ECF3, \
.data:2001EE78 offset sub_2000ED69, offset sub_2000F5D4, \
.data:2001EE78 offset sub_2000F4F9, offset sub_2000EDF5, \
.data:2001EE78 offset sub_2000F185, offset sub_2000F5EB, \
.data:2001EE78 offset sub_2000EB1A, offset sub_2001077D, \
.data:2001EE78 offset sub_2000F48B, offset sub_2000F4DA, 0, 0, 0>
m2b_functions func_obj <4Ch, offset sub_2000DA6E, offset return, \
.data:2001EEC8 offset sub_2000E8C8, offset sub_2000E93B, \
.data:2001EEC8 offset sub_2000DB2B, offset sub_2000E94A, \
.data:2001EEC8 offset sub_2000E956, offset sub_2000E9B5, \
.data:2001EEC8 offset sub_2000E9C7, offset sub_2000E9D9, \
.data:2001EEC8 offset sub_2000EA0C, offset sub_2000EADE, \
.data:2001EEC8 offset sub_2000EB1A, offset sub_2000EB26, \
.data:2001EEC8 offset sub_2000EB47, offset sub_2000EB66, \
.data:2001EEC8 offset sub_2000EB85, offset sub_2000EBE5, 0>
tcp_functions func_obj_2 <40h, offset sub_2000DDD6, offset WSACleanup, \
.data:2001EF18 offset sub_2000DE03, offset sub_2000E0FE, \
.data:2001EF18 offset sub_2000E14A, offset sub_2000E156, \
.data:2001EF18 offset sub_2000E1D3, offset sub_20010798, \
.data:2001EF18 offset sub_2000E288, offset sub_2000E31F, \
.data:2001EF18 offset sub_2000E499, offset sub_2001077D, \
.data:2001EF18 offset sub_2000E634, offset sub_2000E661, \
.data:2001EF18 offset sub_2000E715>
b2m_functions func_obj_2 <40h, offset sub_2000DA6E, offset return, \
.data:2001EF58 offset sub_2000DA71, offset sub_2000DAF9, \
.data:2001EF58 offset sub_2000DB2B, offset sub_2000DB44, \
.data:2001EF58 offset sub_2000DB54, offset sub_2000DBB2, \
.data:2001EF58 offset sub_2000DBC7, offset sub_2000DBDC, \
.data:2001EF58 offset sub_2000DBF6, offset sub_2000DD63, \
.data:2001EF58 offset sub_2000DD84, offset sub_2000DDA2, \
.data:2001EF58 offset sub_2000DDC0>

TODO: these functions need to be analyzed and described

Other reports mention further transports that are not present in this collection.

Transport (Type)   CIRCL   BAE   deresz/tecamac
tcp (1)            x             x
b2m (1)            x
np (2)             x             x
enc (2)                          x
reliable (2)                     x
frag               x       x     x
m2b (2)            x             x
m2d (2)                          x
t2m (3)                          x
udp (4)                          x
doms (4)                         x
domc (4)                         x

frag.np and frag.tcp replies:

SEND AUTH
RECV AUTH
AUTH FAILED
SEND WHO
SEND OBJECT_ID

frag.np/frag.tcp options:

frag_size=32768
frag_no_scrambling=1
allow=*everyone
active_con
net_user=
net_password=
write_peer_nfo=%c%s%c
nodelay=N

Files from cryptoapi.dll

\\.\IdeDrive1\
\\.\IdeDrive1\log.txt
\\.\IdeDrive1\*.bak
\\.\IdeDrive1\Tasks\\task.txt
\\.\IdeDrive1\Tasks\\task_system.txt
\\.\IdeDrive1\Tasks\\*.tmp
\\.\IdeDrive1\config.txt
\\.\IdeDrive1\restrans.txt
\\.\IdeDrive1\Tasks\\
\\.\IdeDrive1\Results\\
\\.\IdeDrive1\logtrans.txt
\\.\IdeDrive1\usbdev.bak
\\.\IdeDrive1\inetpub.bak
\\.\IdeDrive1\inetpub.dll
\\.\IdeDrive1\cryptoapi.bak
\\.\IdeDrive1\cryptoapi.dll
\\.\IdeDrive1\Plugins\\

Pipes from cryptoapi.dll

\\\\.\\Global\\PIPE\\comnode
\\\\%s\\pipe\\comnode
\\\\%s\\pipe\\%s

Custom error codes, shared by samples B, C and D (E and F still to be checked):

  CUSTOM_ERROR_01 = 21590001h
  CUSTOM_ERROR_02 = 21590002h ; WAIT_TIMEOUT?
  CUSTOM_ERROR_03 = 21590003h ; BROKEN_PIPE?
  CUSTOM_ERROR_04 = 21590004h
  CUSTOM_ERROR_05 = 21590005h
  CUSTOM_ERROR_06 = 21590006h
  CUSTOM_ERROR_07 = 21590007h
  CUSTOM_ERROR_08 = 21590008h
  CUSTOM_ERROR_09 = 21590009h
  CUSTOM_ERROR_0A = 2159000Ah
  CUSTOM_ERROR_0B = 2159000Bh ; INVALID_USER_BUFFER?
  CUSTOM_ERROR_0D = 2159000Dh
  CUSTOM_ERROR_64 = 21590064h
  CUSTOM_ERROR_65 = 21590065h
  CUSTOM_ERROR_66 = 21590066h
  CUSTOM_ERROR_67 = 21590067h
  CUSTOM_ERROR_68 = 21590068h
  CUSTOM_ERROR_69 = 21590069h
  CUSTOM_ERROR_C9 = 215900C9h ; NO_VALID_ADDR?
  CUSTOM_ERROR_CA = 215900CAh ; NO_VALID_PORT?
  CUSTOM_ERROR_CB = 215900CBh
  CUSTOM_ERROR_CC = 215900CCh

Sample C - inetpub.dll (Resource: 102)

Original filename: CARBON.dll
Internal name: Carbon v3.51

Files from inetpub.dll

\\.\IdeDrive1\config.txt
\\.\IdeDrive1\Tasks\\task.txt
\\.\IdeDrive1\Tasks\\task_system.txt
\\.\IdeDrive1\log.txt
\\.\IdeDrive1\Results\result.txt

Mutexes from inetpub.dll

Global\\MSMMC.StartupEnvironment.PPT
Global\\411A5195CD73A8a710E4BB16842FA42C
Global\\881F0621AC59C4c035A5DC92158AB85E
Global\\MSCTF.Shared.MUTEX.RPM
Global\\WindowsShellHWDetection
Global\\MSDBG.Global.MUTEX.ATF

thread 2:

In a 10-minute loop, this thread checks server availability with an HTTP POST (HTTP/1.0) to the server/port configured in the CW_INET section of

\\.\IdeDrive1\config.txt

using the user agent

Mozilla/4.0 (compatible; MSIE 6.0)

but only if a working internet connection was successfully probed first:

char isInternetConnectionWorking()
{
  char result;
  HINTERNET hInternetOpen;

  result = 0;
  if ( InternetAttemptConnect(0) )
  {
    result = 0;
  }
  else
  {
    hInternetOpen = InternetOpenA("Mozilla/4.0 (compatible; MSIE 6.0)", 0, 0, 0, 0);
    if ( hInternetOpen )
    {
      if ( HttpConnect(hInternetOpen, "update.microsoft.com")
        || HttpConnect(hInternetOpen, "windowsupdate.microsoft.com")
        || HttpConnect(hInternetOpen, "207.46.18.94")
        || HttpConnect(hInternetOpen, "207.46.253.125")
        || HttpConnect(hInternetOpen, "microsoft.com")
        || HttpConnect(hInternetOpen, "207.46.250.119")
        || HttpConnect(hInternetOpen, "207.46.249.56")
        || HttpConnect(hInternetOpen, "207.46.249.57") )
        result = 1;
      InternetCloseHandle(hInternetOpen);
    }
    else
    {
      result = 0;
    }
  }
  return result;
}

thread 3:

The actions described below are only taken if none of the following programs are running:

tcpdump.exe
windump.exe
ethereal.exe
wireshark.exe
ettercap.exe
snoop.exe

The following is the main (endless) loop of this thread:

LOOP:
  if ( do_HTTP_GET(hInternetConnect, &base_string) )
  {
    while ( isCapturingPackets() == 1 )
      Sleep(0xEA60u);
    while ( sub_20009871(hInternetConnect, ::Dest, &lpszServerName, &base_string) )
      ;
    while ( sub_200075C0(hInternetConnect, ::Dest, &lpszServerName, &base_string) )
      Sleep(0x3E8u);
    goto LOOP;
  }

It starts in do_HTTP_GET() with an HTTP GET (HTTP/1.1) to the server/port taken from the CW_INET section of

\\.\IdeDrive1\config.txt

with the user agent

Mozilla/4.0 (compatible; MSIE 6.0)

and the script name and query as follows:

auth.cgi?mode=query&id=%u:%u:%u:%u&serv=%s&lang=en&q=%u-%u&date=%s

where the format specifiers are filled in accordingly. The parameter

serv=

is filled pseudorandomly with a host from the following list:

www.yahoo.com
www.bbc.com
www.astalavista.com
www.google.com
www.eagames.com
www.asus.com
www.microsoft.com
windowsupdate.microsoft.com
search.microsoft.com
www.hp.com
www.altavista.com
www.3com.com
www.dell.com
www.sun.com
www.easports.com
search.google.com

perhaps to give the request a plausible appearance, or to mislead log analysts who filter out common domain names.

When a successful handle is returned, a file is downloaded and stored in the virtual file system. What follows is a GET in HTTP/1.0 on

default.asp?act=%u&id=%u&item=%u&event_id=%u&cln=%u&flt=%u&serv=%s&t=%ld&mode=query&lang=en&date=%s

This code is part of sub_20009871, which goes on to serve the frag.np/frag.tcp part. In sub_200075C0 another POST in HTTP/1.0 to

default.asp?act=%u&id=%u&item=%u&event_id=%u&cln=%u&flt=%u&serv=%s&t=%ld&mode=query&lang=en&date=%s

follows. The purpose of the two functions is not clear yet.

load_transports()

In this module, the following transport or communication modules are present:

Type 1: tcp, b2m
Type 2: np, frag, m2b

This corresponds to the transports found in Sample D.

3rd party code

bzip2/libbzip2

The compiled code of bzip2/libbzip2, a program and library for lossless block-sorting data compression, was identified as coming from http://svn.apache.org/repos/asf/labs/axmake/trunk/src/libuc++/srclib/bzip2/compress.c:

bzip2/libbzip2 version 1.0.5 of 10 December 2007
Copyright (C) 1996-2007 Julian Seward jseward@bzip.org

Using the source code without including the author's copyright statement, the conditions and the disclaimer is an infringement of the software license:

http://svn.apache.org/repos/asf/labs/axmake/trunk/src/libuc++/srclib/bzip2/LICENSE

Other analysis

Analysis of check-in messages

Check-in messages of Sample C and D (unique):

$Id: b2_to_m2_stub.c 5273 2007-01-23 17:41:15Z vlad $
$Id: b_tcp.c 8474 2007-09-19 15:40:39Z vlad $
$Id: hide_module_win32.c 10189 2008-11-25 14:25:41Z gilg $
$Id: l1_check.c 4477 2006-08-28 15:58:21Z vlad $
$Id: load_lib_win32.c 10180 2008-11-20 12:13:01Z gilg $
$Id: m2_to_b2_stub.c 4477 2006-08-28 15:58:21Z vlad $
$Id: m_frag.c 8715 2007-11-29 16:04:46Z urik $
$Id: m_np.c 8825 2008-01-10 13:13:15Z vlad $
$Id: mutex.c 3940 2006-03-20 16:47:16Z vlad $
$Id: np_win32_common.c 4483 2006-08-30 13:13:51Z vlad $
$Id: rw_lock.c 4482 2006-08-30 13:07:14Z vlad $
$Id: t_byte1.c 5324 2007-01-30 12:45:35Z vlad $
$Id: t_manager.c 8715 2007-11-29 16:04:46Z urik $
$Id: t_message1.c 5290 2007-01-26 11:15:03Z vlad $
$Id: t_status.c 5666 2007-03-19 16:18:00Z vlad $
$Id: t_utils.c 5503 2007-02-26 13:14:30Z vlad $
$Id: thread.c 4593 2006-10-12 11:43:29Z urik $

Developers

Sample C and D contain the author names of three people:

vlad
gilg
urik

Newer samples, for instance the one from BAE, contain only two:

vlad
gilg

Check-in period

First check-in: 2006-03-20
Last check-in: 2008-11-25

Check-in dates

When the check-in dates of the BAE sample are incorporated, the graph of check-in dates shows that someone checked in a file once on a Saturday.

Language deficits

A small collection of strings demonstrates the language deficits, mainly distinguishable as:

Use of backticks instead of apostrophes by some of the developers
Problems using past tense by some developers
Spelling
Mistranslated terms
Oversights

Examples:

win32 detect...
x64 detect...
CretaFileA(%s):
Can`t open SERVICES key
error has been suddenly occured
timeout condition has been occured inside call of function
OPER|Survive me, i`m close to death... free space less than 5%%...|\n
OPER|Sniffer '%s' running... ooopppsss...|\n
Task not execute. Arg file failed.
Update failed =(( Can`t create file.
can`t get characs.\n
Internal command not support =((\n
L|-1|can`t get characs %s|\n

Recommendations

CIRCL recommends reviewing the IOCs of this report and comparing them with the servers in your organization's infrastructure that produce log files, including proxies, A/V and system logs.
As this family of malware might be\r\ndifficult to detect from a network perspective, we recommend to perform check of the indicators at the system level.\r\nClassification of this document\r\nTLP:WHITE information may be distributed without restriction, subject to copyright controls.\r\nRevision\r\nVersion 0.9 July 10, 2014 work-in-progress (not a final release) (TLP:WHITE)\r\nReferences\r\nSource: https://www.circl.lu/pub/tr-25/\r\nhttps://www.circl.lu/pub/tr-25/\r\nPage 51 of 51\n\nAV product Symantec   Result Backdoor.Pfinet\nScanned: 2014-03-23 21:27:06-51 scans-1 detections (1.0%)\nFile characteristics   \nMeta data   \nSize: 113664 bytes  \nType: PE32+ executable (DLL) (GUI) x86-64, for MS Windows\nDate: 0x4AC5A6C2 [Fri Oct 2 07:07:46 2009 UTC]\nEP: 0x200149d0 .text 0/5  \nCRC: Claimed: 0x0, Actual: 0x1e6b8 [SUSPICIOUS] \nSections   \nName VirtAddr VirtSize RawSize Entropy\n--------------------------------------------------------------------------------   \n.text 0x1000 0x13b8d 0x13c00 6.247940\n.rdata 0x15000 0x582e 0x5a00 6.692290\n.data 0x1b000 0x1ae0 0x1400 4.598089\n.pdata 0x1d000 0x8c4 0xa00 4.522066\n.reloc 0x1e000 0x248 0x400 2.325587\nStrings   \nThe strings correspond mostly to the ones of Sample C.\nSample G -cryptoapi.dll -x64 (Resource: 165)\nHashes   \n   Page 27 of 51\n\nSymantec AntiVir   Backdoor.Pfinet TR/ATRAPS.Gen2\nScanned: 2014-03-23 21:26:59-51 scans-2 detections (3.0%)\nFile characteristics   \nMeta data   \nSize: 147968 bytes  \nType: PE32+ executable (DLL) (GUI) x86-64, for MS Windows\nDate: 0x4AC5A685 [Fri Oct 2 07:06:45 2009 UTC]\nEP: 0x2001bd80 .text 0/6  \nCRC: Claimed: 0x0, Actual: 0x32c9f [SUSPICIOUS] \nSections   \nName VirtAddr VirtSize RawSize Entropy\n--------------------------------------------------------------------------------   \n.text 0x1000 0x1af6d 0x1b000 6.195387\n.basein 0x1c000 0xc7 0x200 2.902918\n.rdata 0x1d000 0x66f0 0x6800 6.585248\n.data 0x24000 0x1b00 0x1400 4.647566\n.pdata 0x26000 0xad4 0xc00 
4.848795\n.reloc 0x27000 0x2a6 0x400 2.344107\nStrings   \nThe strings correspond mostly to the ones of Sample D.\n   Page 28 of 51\n\nThe compiled code of coming from http://svn.apache.org/repos/asf/labs/axmake/trunk/src/libuc++/srclib/bzip2/compress.c. bzip2/libbzip2, a program and library for lossless block-sorting data compression, was identified,\nbzip2/libbzip2 version 1.0.5 of 10 December 2007 \n   Page 47 of 51",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.circl.lu/pub/tr-25/"
	],
	"report_names": [
		"tr-25"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434411,
	"ts_updated_at": 1775826704,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3415c6fb5f013db840d3c0b04f1496fb8ccd222c.pdf",
		"text": "https://archive.orkl.eu/3415c6fb5f013db840d3c0b04f1496fb8ccd222c.txt",
		"img": "https://archive.orkl.eu/3415c6fb5f013db840d3c0b04f1496fb8ccd222c.jpg"
	}
}