Search found 12 matches

by aaSSfxxx
Wed Oct 08, 2014 3:14 pm
Forum: Malware
Topic: Linux/Bash0day alias Shellshock alias Bashdoor
Replies: 42
Views: 110614

Re: Linux/Bash0day alias Shellshock alias Bashdoor

Hello, I'm fine :)

Sorry, I forgot to link the post I was talking about, so here it is: http://www.kernelmode.info/forum/viewto ... 505#p23989

I tried to make sigfiles to detect glibc's functions linked with that malware, but I didn't find the proper glibc version used :(
by aaSSfxxx
Tue Oct 07, 2014 11:43 am
Forum: Malware
Topic: Linux/Bash0day alias Shellshock alias Bashdoor
Replies: 42
Views: 110614

Re: Linux/Bash0day alias Shellshock alias Bashdoor

Hello,

The project file list you give is just glibc's stuff, as the nginx malware is statically linked with it, so it's useless for detection, unfortunately.
by aaSSfxxx
Wed Sep 04, 2013 8:32 am
Forum: Tools/Software
Topic: DarkComet Data Extractor
Replies: 4
Views: 6956

Re: DarkComet Data Extractor

The key changes depending on the version of DarkComet.

For DarkComet 4, the key will be #KCMDDC4#-890; for DarkComet 5, it's #KCMDDC5#-890; and for DarkComet >= 5.1, the key becomes #KCMDDC51#-890.
by aaSSfxxx
Tue Mar 26, 2013 6:57 pm
Forum: Malware
Topic: Backdoor Andromeda (waahoo, alias Gamarue)
Replies: 128
Views: 132429

Re: Backdoor Andromeda (alias Gamarue)

As promised, I wrote an article about this sample (which is really an Andromeda 2.07 sample), which you can read here: http://aassfxxx.infos.st/article22/andromeda-2-07-analysis (feel free to ask me questions here or in the comments about this article ;) ). In this version, nothing really new, just some fu...
by aaSSfxxx
Wed Mar 20, 2013 7:00 pm
Forum: Malware
Topic: Backdoor Andromeda (waahoo, alias Gamarue)
Replies: 128
Views: 132429

Re: Backdoor Andromeda (alias Gamarue)

That's an old or different build of Andromeda, variant "I". In this thread mostly the "F" variant is attached. Analyze code, not how and where it connects. Usual Andromeda encrypted strings related to AntiVM/SandboxIE. ...
by aaSSfxxx
Thu Feb 21, 2013 10:01 am
Forum: Malware
Topic: Backdoor Andromeda (waahoo, alias Gamarue)
Replies: 128
Views: 132429

Re: Backdoor Andromeda (alias Gamarue)

I think pcap traffic is a little bit useless for Andromeda, since the bot traffic is encrypted (with the bot key). The bot key is stored with the URL list, and I wrote some tools (in Python 2) which allow extracting the Andromeda config from an unpacked sample and querying the C&C to get stuff dropped by Andromeda...
by aaSSfxxx
Sun Feb 03, 2013 8:36 pm
Forum: Malware
Topic: Point-of-Sale malwares / RAM scrapers
Replies: 244
Views: 769342

Re: Point-of-Sale malwares / RAM scrapers

No, it seems to store data into a local SQL Server database (the new sample seems to have the same structure as the other ones).
by aaSSfxxx
Sun Feb 03, 2013 5:32 pm
Forum: Malware
Topic: Point-of-Sale malwares / RAM scrapers
Replies: 244
Views: 769342

Re: Point-of-Sale malwares / RAM scrapers

Btw, got new stuff on hXXp://royjamesinsurance.com/images/.

This time, no SQL Server creds in command strings :( (malware attached).
Same shit as the sample I posted before.
https://www.virustotal.com/file/6d4d91f ... 359968332/ > 10/46
by aaSSfxxx
Sat Feb 02, 2013 12:02 pm
Forum: Malware
Topic: Point-of-Sale malwares / RAM scrapers
Replies: 244
Views: 769342

Re: Point-of-Sale malwares / RAM scrapers

Btw, I saw the comment of unixfreakjp on my blog, so I'll answer the two questions asked (I have to create another post since I can't edit my previous post): 1. What was the "weird string" you talk about? The string I found was BLC.bdR3S% 1!rA2l"h=EDWOwf6oU,s0Nec8muMk4Ttp-IiaQP',27h,';)v(xF , used ...
by aaSSfxxx
Fri Feb 01, 2013 9:42 pm
Forum: Malware
Topic: Point-of-Sale malwares / RAM scrapers
Replies: 244
Views: 769342

Re: Point-of-Sale malwares / RAM scrapers

@unixfreakjp: first, I think the "Security" key you found won't help to decode data because it's just Windows Service Manager crap (the malware creates its service if not installed, and then launches the service with the command found above. Then, for the ugly string I found, it doesn't seem to be a...