by unixfreaxjp
Sun Jun 05, 2016 5:35 pm
Forum: Malware
Topic: DMA Locker 4.0
Replies: 7
Views: 7405

Re: DMA Locker 4.0

Nothing interesting, it's just an obfuscated loader which runs the main hardcoded ransom executable from %temp% multiple times until it finally starts normally. What trash. Thank you. Was also seeing Cerber from these, but the actor switched to DMA Locker it seems? hxxp://avtomatika-dv[.]ru/image/data/ava...
by unixfreaxjp
Sat Jun 04, 2016 9:44 am
Forum: Malware
Topic: DMA Locker 4.0
Replies: 7
Views: 7405

Re: DMA Locker 4.0

Forensics data: today's campaign details, pictures, etc. The report is here: http://imgur.com/a/CZKzt Finally could run it well: [screenshots] Info: Domains: actioncompass.online BTC: 16hHkyuzCDRFzoejVuqajqrnbmKHSmEfQM Emails: dma4004@zerobit.email and team4004@gmx.com CN...
by unixfreaxjp
Fri Jun 03, 2016 10:09 pm
Forum: Malware
Topic: DMA Locker 4.0
Replies: 7
Views: 7405

Re: DMA Locker 4.0

Today's campaign details, pictures, etc. The report is here: http://imgur.com/a/CZKzt The PE downloader (downloaded by the VBS) is downloading payloads, which are x32 & x64 loaders, along with the ransomware binary bbv.exe; all four are attached. https://lh3.googleusercontent.com/-Y2UKE2mdjEo/V1H-LXpN53I/AAAAAAAAVPw/Al...
by unixfreaxjp
Thu Jun 02, 2016 10:52 am
Forum: Malware
Topic: Win32/Cerber
Replies: 71
Views: 141384

Re: Cerber

SHA256: 25e830aa008e88c8f5cd2414b567b0968254630cb545bf41e7f0d70b96923abd A bit hard to know how to recognize it until I found this: https://lh3.googleusercontent.com/-HODpJ97Z1vQ/V1APp28RdtI/AAAAAAAAVPg/NBaBpiYFRZUceKwotd0yHlvluMxN3TjBwCLcB/s620/Untitled.png # Cerber server: { "ip": "178.175.128.50...
by unixfreaxjp
Mon May 09, 2016 7:09 am
Forum: Malware
Topic: Win32/Kelihos (+Waledac downloader)
Replies: 94
Views: 100943

Re: Win32/Kelihos

See the slides from page 53; they give good intelligence information on what's "behind" the Kelihos botnet.
by unixfreaxjp
Fri May 06, 2016 1:56 am
Forum: Malware
Topic: Linux/Bash0day alias Shellshock alias Bashdoor
Replies: 42
Views: 113364

Re: Malware collection

ref: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3966&start=60#p28247 https://www.virustotal.com/en/file/35fabc7ccfa3a97128c27872258a20d314cfd210a2e4cc37fe2f939312f4383e/analysis/1460136599/ This is actually an interesting sample, unusual build. I have two reasons for it: (1) This is the l...
by unixfreaxjp
Thu May 05, 2016 9:55 pm
Forum: Malware
Topic: Linux/Bash0day alias Shellshock alias Bashdoor
Replies: 42
Views: 113364

Re: Malware collection

https://www.virustotal.com/en/file/8fb01aca13b98dc8d16338a840ebd490f2dcdedc55fe5c4b703bee6654752cdf/analysis/1462464664/ Hello. Poked by @Xylit0l, I checked your sample, the PowerPC one. It is what a young collective group of punk hacktivists (read: skiddos) who love to DDoS call it: Torlus or LizKeb...
by unixfreaxjp
Mon May 02, 2016 3:45 pm
Forum: Malware
Topic: Linux/Bash0day alias Shellshock alias Bashdoor
Replies: 42
Views: 113364

Re: Linux/Bash0day alias Shellshock alias Bashdoor

Another GayFgt "BadLuckJosh" (BLJ), an obfuscated modification in some function names and strings. Made a video on how to dissect it more easily. The reference for this particular "encrypted" type is here. Sadly the plan works to fool AV products that aren't aware this version exists; make more sigs ...
by unixfreaxjp
Sat Apr 30, 2016 9:05 am
Forum: Malware
Topic: Linux/Bash0day alias Shellshock alias Bashdoor
Replies: 42
Views: 113364

Re: Linux/Bash0day alias Shellshock alias Bashdoor

Some insights on this malware are posted as an addition here:
http://blog.malwaremustdie.org/2016/02/ ... tml#gayfgt