A forum for reverse engineering, OS internals and malware analysis 

Search found 22 matches

 Go to advanced search

Re: LoJax(UEFI rootkit)

 by reverser ¦  Mon Nov 12, 2018 6:20 pm ¦  Forum: Malware ¦  Topic: LoJax(UEFI rootkit) ¦  Replies: 6 ¦  Views: 2677

SecDxe binary (from VT). dropped files (autoche.exe, rpcnetp.exe) are embedded in the binary.

pw: infected

Re: How to download symbol of specified file?

 by reverser ¦  Wed Dec 03, 2014 11:13 pm ¦  Forum: User-Mode Development ¦  Topic: How to download symbol of specified file? ¦  Replies: 1 ¦  Views: 7920

Re: How to download symbol file without SYM API?

 by reverser ¦  Fri Jul 25, 2014 8:10 pm ¦  Forum: User-Mode Development ¦  Topic: How to download symbol file without SYM API? ¦  Replies: 5 ¦  Views: 8351

Re: Citadel (Zeus clone)

 by reverser ¦  Tue Apr 01, 2014 10:36 pm ¦  Forum: Malware ¦  Topic: Citadel (Zeus clone) ¦  Replies: 197 ¦  Views: 398156

Apart from dumping memory and using a hex editor, is there an easy way to decrypt these configs? Are there any (semi) public tools that can be used if you have the config keys for a sample? With the volume of samples we're seeing, it's becoming hard to keep up. I'd like to be able to use something ...

Re: Campaign Targeting EFF

 by reverser ¦  Tue Jan 21, 2014 2:45 am ¦  Forum: Malware ¦  Topic: Vietnam APT ¦  Replies: 9 ¦  Views: 7994

Clean exes/docs extracted from the macro code in the word files.

Re: ZeroAccess (alias MaxPlus, Sirefef)

 by reverser ¦  Sun Jun 09, 2013 9:08 pm ¦  Forum: Malware ¦  Topic: Rootkit ZeroAccess (alias MaxPlus, Sirefef) ¦  Replies: 374 ¦  Views: 325557

Not sure what this one is yet. Pulled off a laptop that only came in for LCD repair :) VT results suggest it is Sirefef so added it here for now. MD5: 404b41370c88a06375ff7263bccdc3b8 https://www.virustotal.com/en/file/f1899c448b36fd0d7e1f1834e869e02445d14a4ff4343577270f5a1b0ed5c0a6/analysis/137073...

Re: Proxy Banker (target Korean banks)

 by reverser ¦  Sun May 19, 2013 2:04 am ¦  Forum: Malware ¦  Topic: Proxy Banker (target Korean banks) ¦  Replies: 2 ¦  Views: 3010

conime.exe handles IME (=Input Method Editor) input for console programs. In this case it means Korean text. I suspect that if it's killed you can't enter any Korean in console (e.g. a CMD shell), or maybe even no text at all.

Re: File Encrypting Ransomware

 by reverser ¦  Sat May 18, 2013 6:33 pm ¦  Forum: Malware ¦  Topic: Win32/Harasom (File Encrypting Ransomware) ¦  Replies: 24 ¦  Views: 29972

Here's the decryptor, source and precompiled. Works on the posted files.

Re: File Encrypting Ransomware

 by reverser ¦  Sat May 18, 2013 12:36 am ¦  Forum: Malware ¦  Topic: Win32/Harasom (File Encrypting Ransomware) ¦  Replies: 24 ¦  Views: 29972

For the sample posted by Xylitol, encryption seems to be RC6 and the key is: yrw^%$74@0(99GHJGK**&(^867*&^en2evwqevvnfd^&*^*&^$#$#@)**bnmccn (64 bytes including the trailing 0) Not sure yet if the key changes per client, but it doesn't look very random so probably the guy typed it manually. EDIT: ah...

Re: Windows 8 - SecureBoot really secure ?

 by reverser ¦  Sun May 05, 2013 1:52 pm ¦  Forum: Newbie Questions ¦  Topic: Windows 8 - SecureBoot really secure ? ¦  Replies: 2 ¦  Views: 5522

SecureBoot is only effective if you can guarantee that the UEFI bios is not changeable. If you can inject your code into UEFI, you can overcome all the checks.

Sebastien Kaczmarek - Dreamboot: A UEFI Bootkit
Source code: https://github.com/quarkslab/dreamboot