Gauss

Forum for analysis and discussion about malware.

Re: Gauss

Postby Xylitol » Thu Aug 09, 2012 9:40 pm

Attached, some samples detected by Kaspersky as 'Gauss',
and.. http://gauss.crysys.hu/
Xylitol
Global Moderator
 
Posts: 1642
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Reputation point: 504

Re: Gauss

Postby Waves97 » Fri Aug 10, 2012 9:09 am

MD5:
C3B8AD4ECA93114947C777B19D3C6059
08D7DDB11E16B86544E0C3E677A60E10
055AE6B8070DF0B3521D78E1B8D2FCE4
FA54A8D31E1434539FBB9A412F4D32FF
01567CA73862056304BB87CBF797B899
23D956C297C67D94F591FCB574D9325F
ED5559B0C554055380D75C1D7F9C4424
E379270F53BA148D333134011AA3600C
EF83394D9600F6D2808E0E99B5F932CA
5604A86CE596A239DD5B232AE32E02C6
90F5C45420C295C73067AF44028CE0DD
9CA4A49135BCCDB09931CF0DBE25B5A9
ED2B439708F204666370337AF2A9E18F
CBB982032AED60B133225A2715D94458
EF6451FDE3751F698B49C8D4975A58B5
7AC2799B5337B4BE54E5D5B03B214572
4FB4D2EB303160C5F419CEC2E9F57850
DE2D0D6C340C75EB415F726338835125
Waves97
 
Posts: 33
Joined: Sat Jun 02, 2012 4:41 pm
Location: Poland
Reputation point: 5

Re: Gauss

Postby Xylitol » Fri Aug 10, 2012 10:04 am

Waves97 wrote:
MD5:
C3B8AD4ECA93114947C777B19D3C6059
08D7DDB11E16B86544E0C3E677A60E10
055AE6B8070DF0B3521D78E1B8D2FCE4
FA54A8D31E1434539FBB9A412F4D32FF
01567CA73862056304BB87CBF797B899
23D956C297C67D94F591FCB574D9325F
ED5559B0C554055380D75C1D7F9C4424
E379270F53BA148D333134011AA3600C
EF83394D9600F6D2808E0E99B5F932CA
5604A86CE596A239DD5B232AE32E02C6
90F5C45420C295C73067AF44028CE0DD
9CA4A49135BCCDB09931CF0DBE25B5A9
ED2B439708F204666370337AF2A9E18F
CBB982032AED60B133225A2715D94458
EF6451FDE3751F698B49C8D4975A58B5
7AC2799B5337B4BE54E5D5B03B214572
4FB4D2EB303160C5F419CEC2E9F57850
DE2D0D6C340C75EB415F726338835125

Not found:
C3B8AD4ECA93114947C777B19D3C6059
055AE6B8070DF0B3521D78E1B8D2FCE4
01567CA73862056304BB87CBF797B899
ED2B439708F204666370337AF2A9E18F
The rest is in the attachment.
Xylitol
Global Moderator
 
Posts: 1642
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Reputation point: 504

Re: Gauss

Postby rkhunter » Fri Aug 10, 2012 2:28 pm

I'm not surprised anymore that some files belonging to Gauss had already been on VT for 3 months with a FUD detection ratio. lol
rkhunter
 
Posts: 1148
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation
Reputation point: 147

Re: Gauss

Postby Xylitol » Sun Aug 12, 2012 9:18 am

You do not have the required permissions to view the files attached to this post.
Xylitol
Global Moderator
 
Posts: 1642
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Reputation point: 504

Re: Gauss

Postby retrogad » Sun Aug 12, 2012 10:28 am

Hey,
can you please guide me on how to run those samples? As I understand it, it is enough to open the files and Explorer will execute them. I have downloaded the samples, but nothing happens when I explore the USB stick; the files don't have any extension.

Thanks!
retrogad
 
Posts: 10
Joined: Tue May 01, 2012 7:35 am
Reputation point: 0

Re: Gauss

Postby dfine » Sun Aug 12, 2012 11:02 am

Some (or all) of the samples are DLLs. So if you want to run them, use rundll. Use dumpbin or a debugger to find out the exports of the DLLs. See http://support.microsoft.com/kb/164787 for more info about running a DLL.
dfine
 
Posts: 4
Joined: Fri Aug 10, 2012 2:11 pm
Reputation point: 0

Re: Gauss

Postby retrogad » Sun Aug 12, 2012 11:38 am

dfine wrote:
Some (or all) of the samples are DLLs. So if you want to run them, use rundll. Use dumpbin or a debugger to find out the exports of the DLLs. See http://support.microsoft.com/kb/164787 for more info about running a DLL.

Thanks for answering.

The first sample (Trojan-Spy.Win32.Gauss.zip) contains SMDK, WMI, WINSHELL, WINDIG and other files,
so they are not actually DLLs; should I rename them to DLL?
Sorry for the questions, I am a beginner researcher, so can you explain, or give a link for, what you mean by "exports of the DLL"? What info should it provide me?

My goal is to infect the machine and investigate how it works, especially how it infects the USB stick with its payload.
retrogad
 
Posts: 10
Joined: Tue May 01, 2012 7:35 am
Reputation point: 0

Re: Gauss

Postby dfine » Sun Aug 12, 2012 11:46 am

dumpbin is a tool that's part of the Windows Debugging Tools. Install Visual C++ Express and you are settled.

Rename them to .dll and start 'dumpbin /exports sayhellotomylittlefriend.dll' to see the exports.

The previous MS link will help you with running the DLL.
dfine
 
Posts: 4
Joined: Fri Aug 10, 2012 2:11 pm
Reputation point: 0
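Since the files in the attachment carry no extension, the reliable way to tell a DLL from an EXE is to read the PE file header instead of renaming and guessing, and the export list dumpbin /exports prints comes from the export directory in that same file. The script below is an added example, not code from this thread or from any of the posters: it reads the IMAGE_FILE_DLL characteristic, walks the export directory (names, ordinals, RVAs, and forwarder strings, which dumpbin shows as "forwarded to"), and returns the file's MD5 in the same uppercase form as the hash list posted above so it can be compared against it. The file it inspects is a constructed, minimal PE32 with only an .edata section, built inside the script as test input (it is not loadable and nothing from the attachment is needed); the name sample.dll and the exports Init and Run are assumptions.

```python
import hashlib
import struct

IMAGE_FILE_DLL = 0x2000  # file-header Characteristics bit that marks a DLL


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["raw"]
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _cstring(data, off):
    return data[off:data.index(b"\x00", off)].decode("ascii", errors="replace")


def inspect_pe(data):
    """Return MD5, machine, DLL flag and export table of an in-memory PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: data directories start 96 bytes into the optional header
        dirs = opt + 96
    elif magic == 0x20B:    # PE32+: 112 bytes in
        dirs = opt + 112
    else:
        raise ValueError(f"unknown optional-header magic {magic:#x}")
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]
    sections = []
    for i in range(nsect):
        _, vsize, va, rawsize, raw = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"va": va, "vsize": vsize, "rawsize": rawsize, "raw": raw})
    result = {"md5": hashlib.md5(data).hexdigest().upper(), "machine": machine,
              "is_dll": bool(chars & IMAGE_FILE_DLL), "export_name": None, "exports": []}
    if ndirs == 0:
        return result
    exp_rva, exp_size = struct.unpack_from("<II", data, dirs)  # directory entry 0 = exports
    if exp_rva == 0:
        return result
    (_, _, _, _, name_rva, base, _nfunc, nnames, funcs_rva, names_rva,
     ords_rva) = struct.unpack_from("<IIHHIIIIIII", data, _rva_to_offset(exp_rva, sections))
    result["export_name"] = _cstring(data, _rva_to_offset(name_rva, sections))
    funcs_off, names_off, ords_off = (_rva_to_offset(r, sections) for r in (funcs_rva, names_rva, ords_rva))
    for i in range(nnames):
        name_ptr = struct.unpack_from("<I", data, names_off + 4 * i)[0]
        ordinal = struct.unpack_from("<H", data, ords_off + 2 * i)[0]  # unbiased index
        func_rva = struct.unpack_from("<I", data, funcs_off + 4 * ordinal)[0]
        entry = {"ordinal": base + ordinal, "rva": func_rva,
                 "name": _cstring(data, _rva_to_offset(name_ptr, sections))}
        if exp_rva <= func_rva < exp_rva + exp_size:  # points into the directory: a forwarder
            entry["forwarder"] = _cstring(data, _rva_to_offset(func_rva, sections))
        result["exports"].append(entry)
    return result


def build_sample_dll(export_names=("Init", "Run"), is_dll=True):
    """Constructed, non-loadable PE32 image with one .edata section (test input, assumption)."""
    sect_va, sect_raw, sect_size = 0x1000, 0x200, 0x200
    n = len(export_names)
    funcs_rva, names_rva = sect_va + 40, sect_va + 40 + 4 * n
    ords_rva = names_rva + 4 * n
    strings, name_ptrs = b"sample.dll\x00", []
    for nm in export_names:
        name_ptrs.append(ords_rva + 2 * n + len(strings))
        strings += nm.encode() + b"\x00"
    edata = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, ords_rva + 2 * n, 1, n, n,
                        funcs_rva, names_rva, ords_rva)
    edata += b"".join(struct.pack("<I", 0x1100 + 0x10 * i) for i in range(n))  # fake code RVAs
    edata += b"".join(struct.pack("<I", p) for p in name_ptrs)
    edata += b"".join(struct.pack("<H", i) for i in range(n)) + strings
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)          # e_lfanew at 0x3C
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0,
                                       0x2102 if is_dll else 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(92, b"\x00") + struct.pack("<I", 16)
    dirs = struct.pack("<II", sect_va, len(edata)) + b"\x00" * (8 * 15)
    sect = struct.pack("<8sIIIIIIHHI", b".edata", sect_size, sect_va, sect_size,
                       sect_raw, 0, 0, 0, 0, 0x40000040)
    headers = dos + coff + opt + dirs + sect
    return headers.ljust(sect_raw, b"\x00") + edata.ljust(sect_size, b"\x00")


if __name__ == "__main__":
    info = inspect_pe(build_sample_dll())
    print(f"md5={info['md5']} dll={info['is_dll']} name={info['export_name']}")
    for e in info["exports"]:
        print(f"  #{e['ordinal']} {e['name']} rva={e['rva']:#x}")
```

To triage a real file, read it with open(path, "rb").read() and pass the bytes to inspect_pe: is_dll answers whether renaming to .dll makes sense at all, the exports list is what dumpbin /exports would print, and the md5 field can be checked against the list posted earlier in the thread. The parser reads headers only and never executes anything, so it is safe to run on the samples from a non-Windows analysis box.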
