Search found 224 matches

by R136a1
Wed Jul 27, 2016 5:16 pm
Forum: Malware
Topic: Duqu 2.0
Replies: 18
Views: 33882

Re: Duqu 2.0

Here is the exploit known as CVE-2015-2360. It hasn't been publicly released yet, so I thought I'd upload it before it gets lost in my archive. The compilation time stamp is a bit newer than the samples described by Kaspersky, though I don't think there is a big difference in the functionality, if at all....
by R136a1
Sat Jul 02, 2016 8:26 am
Forum: User-Mode Development
Topic: EnumDisplayMonitors
Replies: 2
Views: 9338

Re: EnumDisplayMonitors

Funny, there is no sanity check for the pointer of the callback function at all. Windows XP is also affected; probably nothing has been done since its implementation in Windows 2000.
by R136a1
Fri Jun 24, 2016 11:41 am
Forum: Malware
Topic: PbBot bootkit (alias Plite, GBPBoot)
Replies: 22
Views: 27315

Re: PbBot bootkit (alias Plite, GBPBoot)

Hi folks, here is a fresh sample from 2016. After a brief comparison it shows there are only some minor updates, presumably for compatibility reasons. However, I haven't checked in detail. Strings from 16-bit loader: -------------- ReadInitData ------------ ------- IsPMSInstalled ------------- C:\Wi...
by R136a1
Tue Jun 14, 2016 2:32 pm
Forum: Malware
Topic: TrojanDropper:W97M/Miskip.(A/B)
Replies: 0
Views: 3961

TrojanDropper:W97M/Miskip.(A/B)

Hi folks,

attached are the Word documents and the malware files which are used in targeted attacks. It's nothing advanced, but the campaign is interesting nonetheless.

An analysis can be found here: http://www.malware-reversing.com/2016/0 ... os-in.html
by R136a1
Mon May 23, 2016 3:17 pm
Forum: Malware
Topic: Win32/Furtim
Replies: 22
Views: 50781

Re: Win32/Furtim

Some victim statistics and a bit of promotion for my new blog: http://www.malware-reversing.com/2016/0 ... urtim.html :)
by R136a1
Wed Apr 27, 2016 10:30 am
Forum: Malware
Topic: Win32/Furtim
Replies: 22
Views: 50781

Re: Malware with heavy virtual machine and sandbox detection

The C&C server of the first sample exposes over 1 GB of victims' data due to a misconfigured directory listing. The Internet service provider was informed.
by R136a1
Mon Apr 25, 2016 8:18 pm
Forum: Malware
Topic: Win32/Furtim
Replies: 22
Views: 50781

Re: Malware with heavy virtual machine and sandbox detection

Attached is another sample with a slightly newer compilation time stamp, which was downloaded with the new version of Godzilla Loader.
by R136a1
Tue Apr 19, 2016 2:13 pm
Forum: Malware
Topic: Trojan.GodzillaLoader (alias Godzilla Loader)
Replies: 3
Views: 10823

Trojan.GodzillaLoader (alias Godzilla Loader)

In January of 2016, a tiny downloader named Godzilla Loader was advertised in the Damagelab forum. Despite its small size of 6 KB, this downloader didn't look very special at first. However, a closer look into a sample showed an interesting downloading method which I hadn't seen before. A translati...
by R136a1
Mon Apr 18, 2016 5:38 pm
Forum: Malware
Topic: Gozi & GMBot Source Code
Replies: 2
Views: 4249

Re: Gozi & GMBot Source Code

by R136a1
Thu Apr 14, 2016 9:05 am
Forum: Malware
Topic: My files were compressed and password protected
Replies: 6
Views: 7398

Re: My files were compressed and password protected

Since this ransomware uses WinRAR self-extracting files protected with a password (symmetric encryption), you have a good chance to get your files back:
- The password is generated on-the-fly (e.g. from computer-specific data from the victim) and sent to the C&C server
- The password is included in the ...