Skip navigation.

[Crimeware] Researches and Reversing about Eleonore Exploit Pack


Today we will see how works Eleonore Exploit Pack directly from an infected website.

Essentially Eleonore Exploit Pack is a collection of Exploits and Data Statistics Collectors, this is the 'marketing' presentation of the exploit pack:

I present new actual russian exploits pack "Eleonore Exp v1.2"

Exploits on pack:
> MS009-02
> Telnet - Opera
> Font tags - FireFox
> PDF collab.getIcon
> PDF Util.Printf
> PDF collab.collectEmailInfo
> DirectX DirectShow
> Spreadsheet

installs on traffic:
> on usa: 5-15%
> on mix: 10-25%
[size=1]* Piercing indicates approximate, may vary and depends directly on the type and quality of traffic. size]

> Eleonore Exp Pack 1.2 = 700$
> Cleans cryptor on AV = 50$
> Rebild on another domain = 50$
* PACK is binding on domain.
> Eleonore Exp Pack 1.2 with not binding domain(free on domain) = 1500$


Here you can read a discussion where there is the direct author of this pack

Eleonore Exp. Pack exists two versions of Eleonore Exploit Pack:

1. Eleonore Exp v1.1
2. Eleonore Exp v1.2
3. Eleonore Exp v1.3B

The last version (1.3B) presents new exploits, connectivity and optimization improvements in the intelligence process for obtaining data statistics related to zombies (countries, navegadote, OS, etc.).

By watching the URL we can immediately extract a list of most interesting links:

1. http://*****.cn/sv/x.x
2. http://*****.cn/sv/Client2.jar
3. http://*****.cn/sv/pdf.php
4. http://*****.cn/sv/?spl=2&br=MSIE&vers=7.0&s=ec445bc5411c202a8361c7db463e84b4
5. http://*****.cn/sv/load.php?spl=ActiveX_pack
6. http://*****.cn/sv/stat.php

As you can see all is contained int /sv/ directory, now let's check for example load.php link,
when accessing this link is downloaded an executable called load.exe with

MD5: 50AC484D4775B783D70D87A21BBFAA36

That submitted to the various online AV scanners results to be free from infections, we have 4 sections:

.text 0x1000 0x48B0 0x4A00 7.39 5135f06000479a5b2e378caa2c4fd8a9
.rdata 0x6000 0x26D 0x400 3.07 8492531c69aab5794ba61207842ba4d6
.data 0x7000 0x2AA7 0x2C00 6.71 092b8e63ebe1ac83d571aba964e041d1
.rsrc 0xA000 0x46C 0x600 4.07 aceb78467d14ed7c7023da0ff5fc59ef

and this is the Import Table list

kernel32.dll: SetFilePointer, HeapUnlock, VerifyVersionInfoA, GetLongPathNameA, _lclose, GetEnvironmentStringsW, HeapDestroy, GetLocaleInfoW, HeapAlloc, GetFileType, HeapCreate, WaitForSingleObjectEx, lstrcmpiA, SetCalendarInfoA, HeapFree, lstrcatW, ExitProcess, SetLastError, VirtualProtect, GetFullPathNameA, SetUnhandledExceptionFilter, lstrcpyW, GlobalFindAtomA

Application presents a Number of Hidden (Packing) Layers of 3.

This is a quick list of operations performed by load.exe

First Thread
71a370df RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\WinSock2\Parameters)
71a37cc4 RegOpenKeyExA (Protocol_Catalog9)
71a3737e RegOpenKeyExA (0000000B)
71a3724d RegOpenKeyExA (Catalog_Entries)

Application accesses Winsock2 parameters.

Second Thread
401129 CreateFileA(C:\DOCUME~1\evilcry\IMPOST~1\Temp\2A.tmp)
401561 LoadLibraryA(C:\DOCUME~1\evilcry\IMPOST~1\Temp\2A.tmp)=602c0000

Creates 2A.tmp

602c4955 LoadLibraryA(kernel32.dll)=7c800000
602c4cbb LoadLibraryA(ntdll.dll)=7c910000
602c4d13 LoadLibraryA(ws2_32.dll)=71a30000
602c4e52 LoadLibraryA(advapi32.dll)=77f40000
76d2563d GetVersionExA()
76d258ef CreateFileA(\\.\Ip)

Performs an access to IP Device

76d25bc2 RegOpenKeyExA (HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage)
76d25bdc RegOpenKeyExA (HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\)
76d25bf3 RegOpenKeyExA (HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces)
76d25c0d RegOpenKeyExA (HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters)

opens the most important registry entries about Networking

602c4f3a LoadLibraryA(iphlpapi.dll)=76d20000
5b19ef89 GetCurrentProcessId()=2436
5b18b1ba IsDebuggerPresent()
746b26aa GetVersionExA()
746b30a7 RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\CTF\Compatibility\load.exe)
746b30a7 RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\CTF\SystemShared\)

Checks the presence of a debugger and register itself in Compatibility and SystemShared entries

746b245b CreateMutex(CTF.LBES.MutexDefaultS-1-5-21-854245398-1229272821-725345543-1003)
746b245b CreateMutex(CTF.Compart.MutexDefaultS-1-5-21-854245398-1229272821-725345543-1003)
746b245b CreateMutex(CTF.Asm.MutexDefaultS-1-5-21-854245398-1229272821-725345543-1003)
746b245b CreateMutex(CTF.Layouts.MutexDefaultS-1-5-21-854245398-1229272821-725345543-1003)
746b245b CreateMutex(CTF.TMD.MutexDefaultS-1-5-21-854245398-1229272821-725345

Creates a list mutex, presumibly linked to keyboard ( keystroke logger)

746b30a7 RegOpenKeyExA (HKCU\Keyboard Layout\Toggle)
746b260a RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\CTF\)

Will act as a keylogger

775220b0 LoadLibraryA(CLBCATQ.DLL)=76f90000
775228a1 LoadLibraryA(CLBCATQ.DLL)=76f90000


602c214f CreateProcessA((null),svchost.exe,0,(null))
7c81628b WaitForSingleObject(6d8,64)
77b14cd7 LoadLibraryA(VERSION.dll)=77bd0000
7c818e2c LoadLibraryA(advapi32.dll)=77f40000
10001e25 LoadLibraryA(psapi.dll)=76bb0000
10001e66 GetCurrentProcessId()=2436
76bb183b ReadProcessMemory(h=6e0)
76bb185a ReadProcessMemory(h=6e0)
76bb1878 ReadProcessMemory(h=6e0)
76bb17bb ReadProcessMemory(h=6e0)
WriteProcessMemory=1 BufLen=23 BytesWritten:23

This mean that load.exe is going to infect svchost.exe surely to enstablish a channel
with malicious sites.

602c15c7 Copy(C:\DOCUME~1\evilcry\IMPOST~1\Temp\2A.tmp->C:\WINDOWS\system32\helh.oso)
7c82fa88 WriteFile(h=700)

The content of 2A.tmp is copied into \WINDOWS\system32\helh.oso

602c298f RegOpenKeyExA (HKCR\idid)
602c2d4d RegCreateKeyExA (HKCR\idid,(null))
602c2d92 RegSetValueExA (url0)
602c2c3b RegOpenKeyExA (HKCR\idid)
76d22bd0 RegOpenKeyExA (HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D1D028D3-3E11-436A-8FD8-8A4993A911A5})
602c267d gethostbyname(602c8760)

infection of svchost.exe is done and application attempt to access some URLs, that can be
revealed with a network sniff


Now let's reverse helh.oso.

By disassembling it emerges a DLL with the following entries:

* DllMain
* DllEntryPoint
* DllEntryPoint
* dxdll
* vtfeb
* ruagpi
* vlecvja

interesting strings:

'GET /%s HTTP/1.1'
'User-Agent: Opera\9.63',
'Host: %s',0Dh,

so load.exe acts like a malicious backdoor trojan that runs in the background and allows remote access to the compromised system. Interesting to note that the domain used is the same of

* Trojan.Win32.Sasfis.qri

helh.oso downloads and/or requests other files from Internet, from the following URLs


Now let's check /sv/x.x

function fokusp(Lomka,kolma)
return eval('Lom'+'ka.rep'+'lace('+'/KOHb55544 3233/g'+',kolma)');


is the login page where user is asked to insert username and password


downloads GDGCavPJwlrd.pdf a malicious pdf

Giuseppe 'Evilcry' Bonfa'

Did you get a sample of that

Did you get a sample of that .jar file? I'm interested in what it does.

Re: Did you get a sample of that

IIRC, the client2.jar file was using the Pack200 vulnerability. Or, it may be using one of the standard Java libraries to pull down an executable.

Eleonore samples.

I have found and uploaded these files of Elenore Exploit pack.
And the PDF:

Hi Giuseppe! I found more

Hi Giuseppe! I found more information on this crimeware in Spanish and English version.



Thank you for these

Thank you for these informations Carmen!