Friday, June 26, 2015

Rovnix Payload Analysis

The payload part of the Rovnix dropper I analyzed previously is the module responsible for communicating with the C&C server and for installing and loading plugins.

It seems that Symantec detects it as Carberp.C, as can be seen in this blog post. I assume it is the same dropper and payload I am analyzing here, because the C&C page names and the techniques used by the dropper are the same.

Payload Overview

The SHA256 of the payload file this analysis is based on is:
08e3b7e04abe1aa43477a1befb0a05d4fd7cf1480c834f21ff2f7e894fed6a3f

As always, you can download all the samples mentioned in this post and the decrypted web-injects here (password: infected).

The payload capabilities include:
  • Communicating with the C&C
  • Downloading additional C&C addresses
  • Downloading and running plugins
  • Downloading and running additional executable files