Win32/Poweliks

EP_X0FF
Global Moderator
Posts: 4860
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Win32/Poweliks

Post by EP_X0FF » Sat Jun 20, 2015 8:39 am

Ta!0n wrote: Attached sample
Your post is empty.
Ring0 - the source of inspiration

rgster002
Posts: 3
Joined: Mon Jun 27, 2011 3:33 am

Re: Win32/Poweliks

Post by rgster002 » Tue Jun 23, 2015 3:49 am

Hi guys, does anyone know which one injects into the dllhost process using APC?
I see that the poweliks, powershell and dllhost processes start each other.

DMEW
Posts: 15
Joined: Mon May 04, 2015 7:39 pm

Poweliks Question

Post by DMEW » Wed Jan 27, 2016 11:07 pm

I heard Poweliks has been dead since 2014, but I have what looks like a Poweliks sample from ~2015 and the C2 servers are still working. It does the same loader tactics, performs click fraud, and even visits Expendablesearch.com (just like the Symantec report on it). With that said, is this still a variant? I would like to know what to properly call this piece of malware.

EP_X0FF

Re: Poweliks Question

Post by EP_X0FF » Thu Jan 28, 2016 4:34 am

DMEW wrote: I heard Poweliks has been dead since 2014, but I have what looks like a Poweliks sample from ~2015 and the C2 servers are still working. It does the same loader tactics, performs click fraud, and even visits Expendablesearch.com (just like the Symantec report on it). With that said, is this still a variant? I would like to know what to properly call this piece of malware.
Attach your sample please.
Ring0 - the source of inspiration

DMEW

Re: Win32/Poweliks

Post by DMEW » Thu Jan 28, 2016 5:08 am

This is a sample I got from July 2015, but I still see it working today, although not as well (one of the main ad fraud servers is not responding correctly anymore and is cutting down the ad traffic).
Last edited by Xylitol on Sat Feb 06, 2016 1:13 pm, edited 1 time in total.
Reason: Archive password

EP_X0FF

Re: Win32/Poweliks

Post by EP_X0FF » Thu Jan 28, 2016 5:48 am

The timestamp of the payload suggests it is from late 2014. More precisely, this -> http://www.kernelmode.info/forum/viewto ... 919#p23919
Ring0 - the source of inspiration
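The dating above rests on the PE compile timestamp (IMAGE_FILE_HEADER.TimeDateStamp). The following is an added example, not code from this thread or from anyone posting in it: it reads that field from raw PE bytes and turns it into a UTC date, and it checks for the two common ways the field misleads (zeroed/stripped by the build tools, or set in the future). The header bytes are constructed inline so the script runs without any sample; the chosen stamp value is an assumption, not the stamp of the attached file.

```python
import struct
from datetime import datetime, timezone


def pe_timestamp(data: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp from the raw bytes of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew (offset of the PE signature) lives at 0x3C in the DOS header
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def pe_build_date(data: bytes) -> str:
    """Human-readable UTC build date derived from the timestamp."""
    stamp = pe_timestamp(data)
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def timestamp_note(stamp: int, now: int) -> str:
    """Plausibility check: the field is linker-written and trivially forged,
    so treat it as a hint, never as proof of the build date."""
    if stamp == 0:
        return "zeroed or stripped"
    if stamp > now:
        return "in the future (forged or clock skew)"
    return "plausible"


def build_sample(stamp: int) -> bytes:
    """Constructed minimal header for demonstration (not a real sample):
    MZ stub with e_lfanew = 0x40, then the PE signature and a file header."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    # Machine=i386, 1 section, TimeDateStamp, no symbols, SizeOfOptionalHeader=0xE0, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x014C, 1, stamp, 0, 0, 0xE0, 0x0102)
    return dos + b"PE\x00\x00" + file_header


# Constructed (assumed) stamp: 2014-11-15 12:00:00 UTC
SAMPLE_STAMP = 1416052800

if __name__ == "__main__":
    blob = build_sample(SAMPLE_STAMP)
    print(pe_build_date(blob))
    print(timestamp_note(pe_timestamp(blob), int(datetime.now(tz=timezone.utc).timestamp())))
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `pe_build_date`; compare the result against the compile date of the script or stager that dropped the payload, since a dropper newer than its payload is consistent with an old family being redistributed rather than rebuilt.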

DMEW

Re: Win32/Poweliks

Post by DMEW » Thu Jan 28, 2016 6:51 am

Thanks for checking.
