Trojan-Ransom.Win32.Toxic.a

Forum for analysis and discussion about malware.

Postby Xylitol » Tue May 26, 2015 8:38 am

Xylitol
Global Moderator
 
Posts: 1642
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Reputation point: 504

Re: Trojan-Ransom.Win32.Toxic.a

Postby Snakebyte » Thu May 28, 2015 2:20 pm

"Out of the gate, the standard of antimalware evasion is fairly high, meaning the malware’s targets would need additional controls in place (HIPS, whitelisting, sandboxing) to catch or prevent this."

Am I missing something? Where is the fairly high part? UPX?
Snakebyte
 
Posts: 12
Joined: Tue Oct 07, 2014 9:33 am
Reputation point: 1

Re: Trojan-Ransom.Win32.Toxic.a

Postby maddog4012 » Fri May 29, 2015 12:54 pm

The only things I can see are

Attempts to detect sandbox characteristics Info:
Sample attempted to detect Sandbox using the following string: Failed to create syscall sandbox filter
Sample attempted to detect Sandbox using the following string: Sandbox
Sample attempted to detect Sandbox using the following string: ...Sandbox; at most one can be set
Sample attempted to detect Sandbox using the following string: ...Sandbox is not allowed.
Sample attempted to detect Sandbox using the following string: Can't change PidFile while Sandbox is active
Sample attempted to detect Sandbox using the following string: ...Sandbox is active
Sample attempted to detect Sandbox using the following string: Can't change Logs while Sandbox is active
Sample attempted to detect Sandbox using the following string: Can't change ConnLimit while Sandbox is active
Sample attempted to detect Sandbox using the following string: ...Sandbox mode.(%sTransportPlugin line was %s)
Sample attempted to detect Sandbox using the following string: ...sandboxing is only implemented on Linux. The featu...
Sample attempted to detect Sandbox using the following string: sandbox_init
Sample attempted to detect Sandbox using the following string: ...sandbox.h

and Deletes files to compromise the system or to remove traces of the infection

Other than that and UPX, that is all I am seeing; I would not use the term fairly high for evasion.

Here are a few more samples.
maddog4012
 
Posts: 54
Joined: Mon Aug 04, 2014 6:53 pm
Reputation point: 47
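As an added example (not code from the thread or from any of the posters): a small Python triage helper that reproduces the kind of keyword check behind the "attempted to detect Sandbox using the following string" lines quoted above, plus a UPX marker check, run on a constructed byte buffer. The sample bytes, the `triage` function and its field names are my own assumptions.

```python
import re

# Keyword the sandbox report in this thread matched on (case-insensitive).
SANDBOX_KEYWORDS = ("sandbox",)

# Constructed sample buffer (not a real binary): a few printable runs, two of
# them copied from the report quoted above, plus fake UPX section names.
SAMPLE = (
    b"\x00\x00MZ\x90\x00" + b"UPX0\x00\x00\x00\x00" + b"UPX1\x00\x00\x00\x00"
    + b"\x01\x02Failed to create syscall sandbox filter\x00"
    + b"\xff\xfeCan't change PidFile while Sandbox is active\x00"
    + b"\x00Some unrelated string\x00"
)


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return printable ASCII runs of at least min_len bytes (like `strings`)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def find_sandbox_strings(data: bytes) -> list[str]:
    """Strings a keyword-based 'sandbox detection' rule would flag."""
    return [s for s in extract_strings(data)
            if any(k in s.lower() for k in SANDBOX_KEYWORDS)]


def looks_upx_packed(data: bytes) -> bool:
    """Heuristic: UPX leaves 'UPX0'/'UPX1' section names and a 'UPX!' magic."""
    return any(marker in data for marker in (b"UPX0", b"UPX1", b"UPX!"))


def triage(data: bytes) -> dict:
    """Summarise what a string-only scan can and cannot tell you."""
    hits = find_sandbox_strings(data)
    return {
        "sandbox_string_hits": hits,
        "upx_packed": looks_upx_packed(data),
        # A keyword hit only shows the word is present in the file, not that
        # the code checks for a sandbox at runtime; confirm by following the
        # string's cross-references in a disassembler before calling it evasion.
        "evidence_strength": "weak" if hits else "none",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```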

