Search found 22 matches

by reverser
Mon Nov 12, 2018 6:20 pm
Forum: Malware
Topic: LoJax(UEFI rootkit)
Replies: 6
Views: 2454

Re: LoJax(UEFI rootkit)

SecDxe binary (from VT). Dropped files (autoche.exe, rpcnetp.exe) are embedded in the binary.

pw: infected
by reverser
Tue Apr 01, 2014 10:36 pm
Forum: Malware
Topic: Citadel (Zeus clone)
Replies: 197
Views: 392730

Re: Citadel (Zeus clone)

Apart from dumping memory and using a hex editor, is there an easy way to decrypt these configs? Are there any (semi) public tools that can be used if you have the config keys for a sample? With the volume of samples we're seeing, it's becoming hard to keep up. I'd like to be able to use something ...
by reverser
Tue Jan 21, 2014 2:45 am
Forum: Malware
Topic: Vietnam APT
Replies: 9
Views: 7807

Re: Campaign Targeting EFF

Clean exes/docs extracted from the macro code in the Word files.
by reverser
Sun Jun 09, 2013 9:08 pm
Forum: Malware
Topic: Rootkit ZeroAccess (alias MaxPlus, Sirefef)
Replies: 374
Views: 320252

Re: ZeroAccess (alias MaxPlus, Sirefef)

Not sure what this one is yet. Pulled off a laptop that only came in for LCD repair :) VT results suggest it is Sirefef so added it here for now. MD5: 404b41370c88a06375ff7263bccdc3b8 https://www.virustotal.com/en/file/f1899c448b36fd0d7e1f1834e869e02445d14a4ff4343577270f5a1b0ed5c0a6/analysis/137073...
by reverser
Sun May 19, 2013 2:04 am
Forum: Malware
Topic: Proxy Banker (target Korean banks)
Replies: 2
Views: 2794

Re: Proxy Banker (target Korean banks)

conime.exe handles IME (=Input Method Editor) input for console programs. In this case it means Korean text. I suspect that if it's killed you can't enter any Korean in console (e.g. a CMD shell), or maybe even no text at all.
by reverser
Sat May 18, 2013 6:33 pm
Forum: Malware
Topic: Win32/Harasom (File Encrypting Ransomware)
Replies: 24
Views: 29001

Re: File Encrypting Ransomware

Here's the decryptor, source and precompiled. Works on the posted files.
by reverser
Sat May 18, 2013 12:36 am
Forum: Malware
Topic: Win32/Harasom (File Encrypting Ransomware)
Replies: 24
Views: 29001

Re: File Encrypting Ransomware

For the sample posted by Xylitol, encryption seems to be RC6 and the key is: yrw^%$74@0(99GHJGK**&(^867*&^en2evwqevvnfd^&*^*&^$#$#@)**bnmccn (64 bytes including the trailing 0). Not sure yet if the key changes per client, but it doesn't look very random so probably the guy typed it manually. EDIT: ah...
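The cipher named in the post, as an added example that is not reverser's decryptor and not code from the original thread: a plain RC6-32/20 block cipher keyed with the 64-byte key quoted above (63 printable bytes plus the trailing NUL). The file layout and the mode the ransomware uses are not on the page, so the ECB helper and the 32-byte plaintext are assumptions for demonstration only; correctness of the primitive is checked against the published all-zero RC6 test vector.

```python
"""RC6-32/20 block cipher, keyed with the Harasom key quoted in the post.

Added example, not the decryptor from the thread. The cipher mode and file
format are unknown here, so rc6_ecb() and the sample plaintext are assumptions.
"""
import struct

W, R, LGW = 32, 20, 5              # word size, rounds, log2(W)
MASK = 0xFFFFFFFF
P32, Q32 = 0xB7E15163, 0x9E3779B9  # RC6 key-schedule constants for w=32

# Key exactly as quoted in the post: 63 bytes plus the trailing NUL = 64 bytes.
HARASOM_KEY = b"yrw^%$74@0(99GHJGK**&(^867*&^en2evwqevvnfd^&*^*&^$#$#@)**bnmccn" + b"\x00"


def _rotl(x, n):
    n &= W - 1                      # RC6 only uses the low log2(W) bits of the amount
    return ((x << n) | (x >> (W - n))) & MASK


def _rotr(x, n):
    n &= W - 1
    return ((x >> n) | (x << (W - n))) & MASK


def rc6_key_schedule(key):
    """Expand a 0..255 byte key into the 2R+4 = 44 round words S (RC5-style schedule)."""
    c = max(1, (len(key) + 3) // 4)
    padded = key.ljust(c * 4, b"\x00")           # key bytes loaded little-endian into words
    L = [int.from_bytes(padded[4 * k:4 * k + 4], "little") for k in range(c)]
    n = 2 * R + 4
    S = [P32]
    for _ in range(1, n):
        S.append((S[-1] + Q32) & MASK)
    A = B = i = j = 0
    for _ in range(3 * max(c, n)):                # mix key words into S
        A = S[i] = _rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = _rotl((L[j] + A + B) & MASK, A + B)
        i = (i + 1) % n
        j = (j + 1) % c
    return S


def rc6_encrypt_block(S, block):
    A, B, C, D = struct.unpack("<4I", block)
    B = (B + S[0]) & MASK
    D = (D + S[1]) & MASK
    for i in range(1, R + 1):
        t = _rotl((B * (2 * B + 1)) & MASK, LGW)   # quadratic function f(x) = x(2x+1)
        u = _rotl((D * (2 * D + 1)) & MASK, LGW)
        A = (_rotl(A ^ t, u) + S[2 * i]) & MASK
        C = (_rotl(C ^ u, t) + S[2 * i + 1]) & MASK
        A, B, C, D = B, C, D, A                    # rotate registers
    A = (A + S[2 * R + 2]) & MASK
    C = (C + S[2 * R + 3]) & MASK
    return struct.pack("<4I", A, B, C, D)


def rc6_decrypt_block(S, block):
    A, B, C, D = struct.unpack("<4I", block)
    C = (C - S[2 * R + 3]) & MASK
    A = (A - S[2 * R + 2]) & MASK
    for i in range(R, 0, -1):
        A, B, C, D = D, A, B, C                    # undo the register rotation first
        u = _rotl((D * (2 * D + 1)) & MASK, LGW)
        t = _rotl((B * (2 * B + 1)) & MASK, LGW)
        C = _rotr((C - S[2 * i + 1]) & MASK, t) ^ u
        A = _rotr((A - S[2 * i]) & MASK, u) ^ t
    D = (D - S[1]) & MASK
    B = (B - S[0]) & MASK
    return struct.pack("<4I", A, B, C, D)


def rc6_ecb(S, data, encrypt):
    """ECB over whole blocks. Assumption only: the real sample's mode is not on the page."""
    if len(data) % 16:
        raise ValueError("RC6 block size is 16 bytes; data length must be a multiple of 16")
    f = rc6_encrypt_block if encrypt else rc6_decrypt_block
    return b"".join(f(S, data[k:k + 16]) for k in range(0, len(data), 16))


if __name__ == "__main__":
    # Published RC6 test vector: all-zero 128-bit key and all-zero block.
    print(rc6_encrypt_block(rc6_key_schedule(bytes(16)), bytes(16)).hex())
    # -> 8fc3a53656b1f778c129df4e9848a41e
    # Round trip with the Harasom key on a constructed 32-byte plaintext.
    S = rc6_key_schedule(HARASOM_KEY)
    pt = b"constructed sample plaintext!!!!"
    assert rc6_ecb(S, rc6_ecb(S, pt, True), False) == pt
    print("round trip ok, key length", len(HARASOM_KEY))
```

To recover files you still need the sample's actual mode, IV handling and header layout; swap rc6_ecb for the mode observed in the binary and keep the block functions as they are.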
by reverser
Sun May 05, 2013 1:52 pm
Forum: Newbie Questions
Topic: Windows 8 - SecureBoot really secure ?
Replies: 2
Views: 5475

Re: Windows 8 - SecureBoot really secure ?

SecureBoot is only effective if you can guarantee that the UEFI BIOS is not changeable. If you can inject your code into UEFI, you can overcome all the checks.

Sebastien Kaczmarek - Dreamboot: A UEFI Bootkit
Source code: https://github.com/quarkslab/dreamboot
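The check a practitioner wants after reading the reply above is whether the SPI flash holding the firmware is actually locked against writes from the OS. The following is an added example, not code from the post or from Dreamboot: it decodes the Intel PCH BIOS_CNTL, HSFS and PRx register values you would read with a tool such as chipsec (not called here) and gives a verdict. The register layouts assumed are the ones of the PCH series 6 to 9 datasheets (BIOS_CNTL bit0 BIOSWE, bit1 BLE, bit5 SMM_BWP; HSFS bit15 FLOCKDN; PRx bit31 WPE, bits 28:16 limit, bit15 RPE, bits 12:0 base, in 4 KiB units); the verdict policy is my own, and every register value below is constructed.

```python
"""Assess whether the UEFI firmware region of the SPI flash can be rewritten from the OS.

Added example. Register layouts are assumed from the Intel PCH series 6-9
datasheets; the verdict rules are the author's, not chipsec's. Values are constructed.
"""


def decode_bios_cntl(value):
    return {"BIOSWE": value & 1, "BLE": (value >> 1) & 1, "SMM_BWP": (value >> 5) & 1}


def decode_pr(value):
    """PRx: WPE (bit31), RPE (bit15), base/limit as flash addresses in 4 KiB units."""
    return {
        "WPE": (value >> 31) & 1,
        "RPE": (value >> 15) & 1,
        "base": (value & 0x1FFF) << 12,
        "limit": (((value >> 16) & 0x1FFF) << 12) | 0xFFF,
    }


def pr_covers(pr, region):
    start, end = region                      # inclusive flash addresses
    return bool(pr["WPE"]) and pr["base"] <= start and pr["limit"] >= end


def assess(bios_cntl, hsfs, prs, bios_region):
    """Return (verdict, reasons); verdict is 'protected', 'weak' or 'writable'."""
    c = decode_bios_cntl(bios_cntl)
    flockdn = (hsfs >> 15) & 1
    reasons = []

    # Gate 1: BIOS_CNTL. With SMM_BWP=1 and BLE=1 the region is only writable from SMM.
    if c["SMM_BWP"] and c["BLE"]:
        cntl = "protected"
    elif c["BLE"] and not c["BIOSWE"]:
        cntl = "weak"
        reasons.append("BLE=1 but SMM_BWP=0: setting BIOSWE can be raced against the SMI handler")
    else:
        cntl = "writable"
        reasons.append("BIOSWE=%d BLE=%d: OS code can enable writes to the BIOS region"
                       % (c["BIOSWE"], c["BLE"]))

    # Gate 2: protected ranges, which only hold once FLOCKDN prevents clearing them.
    covered = any(pr_covers(decode_pr(v), bios_region) for v in prs)
    if covered and flockdn:
        pr = "protected"
    elif covered:
        pr = "weak"
        reasons.append("a PRx covers the BIOS region but FLOCKDN=0, so it can be cleared")
    else:
        pr = "writable"
        reasons.append("no PRx with WPE=1 covers the BIOS region")

    # Either gate alone blocks writes, so the verdict is the stronger of the two.
    order = {"writable": 0, "weak": 1, "protected": 2}
    verdict = max((cntl, pr), key=order.get)
    return verdict, [] if verdict == "protected" else reasons


# Constructed layout: 16 MiB flash, BIOS region in the upper 8 MiB.
BIOS_REGION = (0x800000, 0xFFFFFF)
# Constructed register sets (not from any real machine).
WEAK = dict(bios_cntl=0x01, hsfs=0x0000, prs=[0, 0, 0, 0, 0])          # BIOSWE=1, nothing locked
RACE = dict(bios_cntl=0x02, hsfs=0x0000, prs=[0x8FFF0800, 0, 0, 0, 0])  # BLE only, PR0 unlocked
HARD = dict(bios_cntl=0x22, hsfs=0x8000, prs=[0x8FFF0800, 0, 0, 0, 0])  # BLE+SMM_BWP, PR0+FLOCKDN

if __name__ == "__main__":
    for name, regs in (("weak", WEAK), ("race", RACE), ("hardened", HARD)):
        verdict, why = assess(regs["bios_cntl"], regs["hsfs"], regs["prs"], BIOS_REGION)
        print("%-8s %-9s %s" % (name, verdict, "; ".join(why)))
```

A "writable" or "weak" verdict means the precondition the reply names is not met: code running in the OS (or with a small race window, in the "weak" case) can rewrite the firmware image, and SecureBoot then verifies only what the attacker chose to leave in flash.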