Sunday 27 January 2013

Trojan.Win32/Spy.Ranbyus

 Received a mail with an interesting exe
https://www.virustotal.com/file/17a3ee51492b9b2ba155f54be61f2c305b090cee8d604d1df616ca3ba881b372/analysis/1359049655/
Thanks creep.
This bot is used by one group of Russian carders and is not for sale, they call it 'triton'

IDA Map file imported to Olly, without IDA i got huge problem to understand the exe:

Injects:

Decoded strings (some, not everything):
&pp=1
reg add "
&files=1
nabagent.exe
putty.exe
[MOUSE R %dx%d]
POST
SeShutdownPrivilege
UniStream.exe
cbsmain.exe
HKLM\
jawt.dll
&net=1
disk%u.xml
&scrn=1
&cmd=1
UZ.DB3
GET
iexplore.exe
ThunderRT6FormDC
com.bifit.harver.core.DocumentBrowserFrame
drweb.exe
nabwatcher.exe
WINNT
bc_loader.exe
avfwsvc.exe
[VK_END]
.iBank*
aswupdsv.exe
%s\tmp%xa%04d.$$$
\/servlets\/ibc
bclient.exe
EnableLUA
secring
client7.exe
Western Union® Translink™
Tiny Client-Bank
/bsi.dll
Content-type: multipart/form-data, boundary=%s
Edit
java.exe
sign.key
\\.\PhysicalDrive0
inbank-start-ff.exe
http://([^:/]+):*([^/]*)(.+)
Content-Disposition: form-data; name="data"; filename="1"
clbank.exe
BBClient.exe
WS2_32.DLL
ComSpec
iscc.exe
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
avengine.exe
https:\/\/ibank.alfabank.ru
WebMoney Keeper Classic » Âõîä
a:\keys.dat
https:\/\/ibank.prbb.ru
oncbcli.exe
logs
nortonantibot.exe
ContactNG.exe
BUTTON
wclnt.exe
ashwebsv.exe
mj=%u&mi=%u&pt=%u&b=%u&dc=%u
sgbclient.exe
cbsmain.dll
avmailc.exe
Software\Microsoft\Windows NT\CurrentVersion\
winlogon.exe
webmoney.exe
egui.exe
/c del
--%s--
auth-attr-\d+-param1=.*&auth-attr-\d+-param2=.*
intpro.exe
vshwin32.exe
firefox.exe
mcshield.exe
Password:
nabmonitor.exe
UNIStream®. Àóòåíòèôèêàöèÿ.
Software\Microsoft\Windows\CurrentVersion\Policies\System
&file=2
http://e71koapi.org/lc5dx/index.php
rclient.exe
.jks
cfp.exe
translink.exe
http://pulden376-seven3.in/doEst71beG/index.php

Content-Transfer-Encoding: binary
ntvdm.exe
SysDebug32
%s?id=%s&session=%u&v=%u&name=%s
&av=
avp.exe
System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
cmdagent.exe
WINSCARD.DLL
" /v EnableLUA /t REG_DWORD /d 0 /f
bankcl.exe
Software\Microsoft\Windows\CurrentVersion
safari.exe
avconsol.exe
elbank.exe
username=.*&password=.*
pubring=(.*)
javax.swing.JFrame
secring=(.*)
javaw.exe
ISClient.exe
JVM.DLL
bk.exe
http://([^:/]+)/.+
auth-attr-\d+-param1=(.*)&auth-attr-\d+-param2=([^&]*)
ekrn.exe
sched.exe
avgnt.exe
avwebgrd.exe
startclient7.exe
master.key
avsynmgr.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Aleksandr Matrosov know better than me this threat go have a look his article: http://blog.eset.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs

Let's do directly to the panel...

Login:

Statistics:

Active bots with smartcard:

Screenshots (SR):

Clicking on a random day:

A screenshot took by the bot:

Filelist (FL):

 File (F):

 Keys (K):

 Bot informations:

 Orders to send:


Download list:

Some task urls:
hxxp://whispers.ru/upload/term.exe
hxxp://178.18.249.11/cono.exe
hxxp://hoombauls.com/cono.exe
hxxp://deluxe1924.com/cc/d.exe
hxxp://deluxe1924.com/cc/car2.exe
hxxp://hoombauls.com/cono.exe
hxxp://gramma.pro/update.exe
hxxp://girgrozn.narod2.ru/01/CONO.exe
hxxp://deluxe1924.com/cc/picpic.exe
hxxp://gramma.pro/update.exe
hxxp://deluxe1924.com/cc/fun2101.exe
hxxp://www.mobi-sys.ru/en/lox.exe
hxxp://likeme.pro/update.exe
hxxp://ejdovberk.org/MRD.exe
hxxp://www.enmtp.com/admin/lunt30.exe
hxxp://178.18.249.10/exel.exe
hxxp://deluxe1924.com/cc/picpic.exe
hxxp://orlik.pro/update1.exe
hxxp://whispers.ru/upload/MLN1.exe
hxxp://www.enmtp.com/admin/termclean.exe
hxxp://www.enmtp.com/admin/IMRD.exe
Some files can be found here: http://vxvault.siri-urz.net/ViriList.php?IP=209.61.202.242

 Hide:

 Lookup:

 add:

 Banks:

Download:

 Comments:

 Others:

 Search via IP:

Search via ID:

 Daemon:

Update:

Settings:

4 comments:

  1. How the fuck u got login & password of control panel?

    ReplyDelete
  2. "Hack the planet take your money" :)

    ReplyDelete
  3. Dictionnary BruteForce i think,or maybe a fail with connection form but not very sur 'CuZ it's a control panel and it must be prevent from this fail

    ReplyDelete
  4. My bet would be SQL injection, if I'm not mistaken Steven used to be a blackhat.

    ReplyDelete