Trojan-Ransom.Win32.Toxic.a

Xylitol

Trojan-Ransom.Win32.Toxic.a

Post by Xylitol » Tue May 26, 2015 8:38 am

You do not have the required permissions to view the files attached to this post.


Re: Trojan-Ransom.Win32.Toxic.a

Post by Snakebyte » Thu May 28, 2015 2:20 pm

"Out of the gate, the standard of antimalware evasion is fairly high, meaning the malware’s targets would need additional controls in place (HIPS, whitelisting, sandboxing) to catch or prevent this."

Am I missing something? Where is the fairly high part? UPX?


Re: Trojan-Ransom.Win32.Toxic.a

Post by maddog4012 » Fri May 29, 2015 12:54 pm

The only things I can see are:

Attempts to detect sandbox characteristics Info:
Sample attempted to detect Sandbox using the following string: Failed to create syscall sandbox filter
Sample attempted to detect Sandbox using the following string: Sandbox
Sample attempted to detect Sandbox using the following string: ...Sandbox; at most one can be set
Sample attempted to detect Sandbox using the following string: ...Sandbox is not allowed.
Sample attempted to detect Sandbox using the following string: Can't change PidFile while Sandbox is active
Sample attempted to detect Sandbox using the following string: ...Sandbox is active
Sample attempted to detect Sandbox using the following string: Can't change Logs while Sandbox is active
Sample attempted to detect Sandbox using the following string: Can't change ConnLimit while Sandbox is active
Sample attempted to detect Sandbox using the following string: ...Sandbox mode.(%sTransportPlugin line was %s)
Sample attempted to detect Sandbox using the following string: ...sandboxing is only implemented on Linux. The featu...
Sample attempted to detect Sandbox using the following string: sandbox_init
Sample attempted to detect Sandbox using the following string: ...sandbox.h

and Deletes files to compromise the system or to remove traces of the infection

Other than that and UPX, that is all I am seeing. I would not use the term "fairly high" for evasion.

here are a few more samples
You do not have the required permissions to view the files attached to this post.
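Editor's note on the report excerpt above (this is an added example, not code or analysis from either poster): every "attempted to detect Sandbox" line is a case-insensitive substring hit on the word "sandbox" in the sample's string table. The strings quoted ("Can't change PidFile while Sandbox is active", "Failed to create syscall sandbox filter", "...sandboxing is only implemented on Linux...", the "(%sTransportPlugin line was %s)" message) are log and configuration messages from the Tor daemon's own source (config.c and sandbox.c), so the most plausible reading is that a Tor build is carried inside the UPX-packed sample, not that the malware contains evasion logic of its own. The script below reproduces the heuristic over a constructed byte blob (a few of the report's strings plus unrelated filler, not the real sample's contents) so the false-positive mechanism is visible; the data and function names are this example's assumptions.

```python
import re

# Constructed test blob, not the contents of the sample posted in the thread:
# header-like filler, two ASCII strings copied from the sandbox report above
# (both are Tor daemon log messages), UPX section names, one UTF-16LE "Sandbox",
# and an unrelated string that must not be flagged.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"Failed to create syscall sandbox filter\x00"
    + b"Can't change PidFile while Sandbox is active\x00"
    + b"UPX0\x00UPX1\x00\x00"
    + "Sandbox".encode("utf-16-le") + b"\x00\x00"
    + b"Deletes files\x00"
)


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Return printable ASCII and UTF-16LE strings of at least min_len
    characters, in file-offset order (roughly what `strings -a -el` shows)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), m.group().decode("ascii")))
    for m in wide_re.finditer(data):
        found.append((m.start(), m.group().decode("utf-16-le")))
    found.sort()
    return [text for _, text in found]


def sandbox_keyword_hits(data: bytes, keyword: str = "sandbox") -> list:
    """The heuristic behind 'attempted to detect Sandbox using the following
    string': a case-insensitive substring match over every extracted string.
    Any embedded library that merely logs about its own sandboxing fires it,
    which is why these hits say nothing about real evasion."""
    kw = keyword.lower()
    return [s for s in extract_strings(data) if kw in s.lower()]


if __name__ == "__main__":
    # On the constructed blob this prints the two Tor messages and the wide
    # "Sandbox", and skips "Deletes files"; on a real sample, run it over the
    # UPX-unpacked binary and read each hit in context before calling it evasion.
    for hit in sandbox_keyword_hits(SAMPLE):
        print(repr(hit))
```

Treat a keyword hit as a pointer to where to look, not as a verdict: the analyst still has to decide whether the surrounding strings belong to a bundled component (here, Tor's configuration messages) or to code that actually queries for sandbox artefacts.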
