Search found 27 matches

by rnd.usr
Thu Dec 11, 2014 5:08 pm
Forum: Malware
Topic: Automated Malware Environments
Replies: 12
Views: 9481

Re: Automated Malware Environments

Drakvuf - https://tklengyel.github.io/drakvuf/
DRAKVUF is an agentless dynamic malware analysis system built on Xen, LibVMI, Volatility and Rekall.
It allows for in-depth execution tracing of malware samples, extracting deleted files from memory and more.

by rnd.usr
Tue Dec 09, 2014 2:40 pm
Forum: Malware
Topic: WinNT/Phase - fileless trojan
Replies: 28
Views: 26781

WinNT/Phase - fileless trojan

Hi, found a new trojan which calls itself fileless. It injects RC4-encrypted code into explorer.exe, hooks NtQueryDirectoryFile with an HLT-hook for hiding, uses (base64-decoded) PowerShell stored in regedit, and it's encrypted with RC4 and a random key. Uses the same technique as Poweliks for startup in reged...

by rnd.usr
Wed Nov 19, 2014 3:58 pm
Forum: Malware
Topic: Win32/Poweliks
Replies: 36
Views: 108493

Re: Win32/Poweliks

Anyone have a sample that is detected as "Poweliks.B"?

Thanks

by rnd.usr
Sat Nov 15, 2014 11:13 am
Forum: Malware
Topic: OnionDuke APT
Replies: 1
Views: 2912

Re: OnionDuke APT

The data in the parameter is encrypted and then base64-encoded, the key can be found in the config.

The question is: what encryption is OnionDuke using here, RC4? XOR?

by rnd.usr
Wed Oct 29, 2014 6:22 pm
Forum: General Discussion
Topic: Patching SSDT using Sign Driver
Replies: 4
Views: 6852

Re: Patching SSDT using Sign Driver

AV engines can just look at the driver filter list. Each device will have a .sys file linked to it.

This is correct, right?

by rnd.usr
Fri Sep 05, 2014 11:56 am
Forum: Newbie Questions
Topic: Can you change the memory protection?
Replies: 5
Views: 6190

Re: Can you change the memory protection?

I think so. Or does VirtualProtect(Ex) report an error when you try it? Why don't you wipe out the MZ signature (and probably other parts of the PE structure that are not relevant after its startup)? Hi, sorry for the late answer. No, I'm not coding anything yet, I was just thinking of a method ...

by rnd.usr
Thu Aug 28, 2014 1:14 pm
Forum: Malware
Topic: Malware infecting 'restore points' and recovery(re.wim)
Replies: 3
Views: 3062

Re: Malware infecting 'restore points' and recovery(re.wim)

If I'm correct, the late Cryptolocker family does this.

by rnd.usr
Sun Aug 24, 2014 12:40 pm
Forum: Newbie Questions
Topic: Can you change the memory protection?
Replies: 5
Views: 6190

Re: Can you change the memory protection?

Hello, if you mean code (or a DLL) injected into a user-mode process, there is a function named VirtualProtect (or VirtualProtectEx) that is capable of changing memory protection (on a per-page basis). However, I am not sure how you want to use this function to make the malware undetectable. In t...

by rnd.usr
Sun Aug 24, 2014 7:07 am
Forum: Newbie Questions
Topic: Can you change the memory protection?
Replies: 5
Views: 6190

Can you change the memory protection?

Hello. Is it possible to change the protection of newly injected memory in a process? Let's say from RWX to RX. If it's possible, can you name a malware that does this? I know it's possible to strip the "MZ" header, but if you also change the protection there should be no way to detect an injecte...