A forum for reverse engineering, OS internals and malware analysis 


Re: DMA Locker 4.0

 by unixfreaxjp ¦  Sun Jun 05, 2016 5:35 pm ¦  Forum: Malware ¦  Topic: DMA Locker 4.0 ¦  Replies: 7 ¦  Views: 9033

Nothing interesting, it's just an obfuscated loader which runs the main, hardcoded ransom executable from %temp% multiple times until it finally starts normally. What trash. Thank you. Was also seeing Cerber from these, but the actor switched to DMA Locker it seems? hxxp://avtomatika-dv[.]ru/image/data/ava...

Re: DMA Locker 4.0

 by unixfreaxjp ¦  Sat Jun 04, 2016 9:44 am ¦  Forum: Malware ¦  Topic: DMA Locker 4.0 ¦  Replies: 7 ¦  Views: 9033

Forensic data of: today's campaign details, pictures etc. The report is here: http://imgur.com/a/CZKzt Finally could run it well: <Screenshot> <Screenshot> <Screenshot> Info: Domains: actioncompass.online BTC: 16hHkyuzCDRFzoejVuqajqrnbmKHSmEfQM Emails: dma4004@zerobit.email and team4004@gmx.com CN...
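Posts like the one above share indicators as loose prose (domains, a BTC address, e-mails, defanged URLs, hashes). The script below is an added example, not code from the post or its author: it refangs and extracts such indicators from free-form text into a structured, de-duplicated form, and defangs URLs again before display. The SAMPLE_POST text is constructed for this example and only echoes the kind of lines in the thread; the regexes are deliberately conservative (only legacy base58 BTC addresses, only http/https URLs).

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample text echoing the kind of IOC lines shared in the thread
# (domain, BTC address, contact e-mails, a defanged loader URL, a SHA256).
SAMPLE_POST = """Info: Domains : actioncompass.online
BTC: 16hHkyuzCDRFzoejVuqajqrnbmKHSmEfQM
Emails: dma4004@zerobit.email and team4004@gmx.com
Loader URL: hxxp://avtomatika-dv[.]ru/image/data/ava
SHA256: 25e830aa008e88c8f5cd2414b567b0968254630cb545bf41e7f0d70b96923abd
"""

SHA256_RE = re.compile(r'\b[0-9a-fA-F]{64}\b')
EMAIL_RE = re.compile(r'[\w.+-]+@[\w-]+(?:\.[\w-]+)+')
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)
# Legacy (P2PKH/P2SH) base58 addresses: start with 1 or 3, alphabet has no 0/O/I/l.
BTC_RE = re.compile(r'\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b')
DOMAIN_RE = re.compile(r'\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b',
                       re.IGNORECASE)


def refang(text):
    """Undo the usual defanging (hxxp -> http, [.] -> .) so the indicators become matchable."""
    text = re.sub(r'(?i)hxxp', 'http', text)
    return text.replace('[.]', '.').replace('(.)', '.').replace('[:]', ':')


def defang(url):
    """Defang a URL for safe sharing: http -> hxxp and dots in the host -> [.] (path untouched)."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme.replace('http', 'hxxp'),
                       parts.netloc.replace('.', '[.]'),
                       parts.path, parts.query, parts.fragment))


def extract_iocs(text):
    """Return a dict of de-duplicated, sorted indicators found in free-form post text."""
    text = refang(text)
    urls = set(URL_RE.findall(text))
    emails = set(EMAIL_RE.findall(text))
    # URL hosts count as domains; scrub URLs and e-mails before looking for bare
    # domains so their hosts are not matched a second time.
    domains = {urlsplit(u).hostname.lower() for u in urls if urlsplit(u).hostname}
    scrubbed = EMAIL_RE.sub(' ', URL_RE.sub(' ', text))
    domains |= {d.lower() for d in DOMAIN_RE.findall(scrubbed)}
    return {
        'sha256': sorted(h.lower() for h in set(SHA256_RE.findall(text))),
        'url': sorted(urls),
        'email': sorted(emails),
        'domain': sorted(domains),
        'btc': sorted(set(BTC_RE.findall(text))),
    }


if __name__ == '__main__':
    # Print one indicator per line, re-defanging URLs so the output is safe to paste.
    for kind, values in extract_iocs(SAMPLE_POST).items():
        for v in values:
            print(f'{kind}\t{defang(v) if kind == "url" else v}')
```

Hashes are lower-cased and everything is sorted so two analysts running it over the same post get byte-identical output, which makes diffing IOC lists across campaign reports straightforward.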

Re: DMA Locker 4.0

 by unixfreaxjp ¦  Fri Jun 03, 2016 10:09 pm ¦  Forum: Malware ¦  Topic: DMA Locker 4.0 ¦  Replies: 7 ¦  Views: 9033

Today's campaign details, pictures etc. The report is here: http://imgur.com/a/CZKzt The PE downloader (downloaded by the VBS) downloads the payloads, which are x32 & x64 loaders, plus the ransomware binary bbv.exe; all four are attached. https://lh3.googleusercontent.com/-Y2UKE2mdjEo/V1H-LXpN53I/AAAAAAAAVPw/Al...

Re: Cerber

 by unixfreaxjp ¦  Thu Jun 02, 2016 10:52 am ¦  Forum: Malware ¦  Topic: Win32/Cerber ¦  Replies: 76 ¦  Views: 164381

SHA256: 25e830aa008e88c8f5cd2414b567b0968254630cb545bf41e7f0d70b96923abd A bit hard to know how to recognize it until I found this: https://lh3.googleusercontent.com/-HODpJ97Z1vQ/V1APp28RdtI/AAAAAAAAVPg/NBaBpiYFRZUceKwotd0yHlvluMxN3TjBwCLcB/s620/Untitled.png # Cerber server: { "ip": "178.175.128.50...

Re: Win32/Kelihos

 by unixfreaxjp ¦  Mon May 09, 2016 7:09 am ¦  Forum: Malware ¦  Topic: Win32/Kelihos (+Waledac downloader) ¦  Replies: 94 ¦  Views: 131088

See the slides from page 53,
it gives good intelligence information on what's "behind" the Kelihos botnet.

Re: Malware collection

 by unixfreaxjp ¦  Fri May 06, 2016 1:56 am ¦  Forum: Malware ¦  Topic: Linux/Bash0day alias Shellshock alias Bashdoor ¦  Replies: 42 ¦  Views: 127999

ref: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3966&start=60#p28247 https://www.virustotal.com/en/file/35fabc7ccfa3a97128c27872258a20d314cfd210a2e4cc37fe2f939312f4383e/analysis/1460136599/ This is actually an interesting sample, unusual build. I have two reasons for it: (1) This is the l...

Re: Malware collection

 by unixfreaxjp ¦  Thu May 05, 2016 9:55 pm ¦  Forum: Malware ¦  Topic: Linux/Bash0day alias Shellshock alias Bashdoor ¦  Replies: 42 ¦  Views: 127999

https://www.virustotal.com/en/file/8fb01aca13b98dc8d16338a840ebd490f2dcdedc55fe5c4b703bee6654752cdf/analysis/1462464664/ Hello. Poked by @Xylit0l, I checked your sample, the PowerPC one. It is what a young collective of punk hacktivists (read: skiddos) who love to DDoS call Torlus or LizKeb...

Re: Linux/Bash0day alias Shellshock alias Bashdoor

 by unixfreaxjp ¦  Mon May 02, 2016 3:45 pm ¦  Forum: Malware ¦  Topic: Linux/Bash0day alias Shellshock alias Bashdoor ¦  Replies: 42 ¦  Views: 127999

Another GayFgt, "BadLuckJosh" (BLJ), an obfuscated modification of some function names and strings. Made a video on how to dissect it more easily. The reference for this particular "encrypted" type is here. Sadly the plan works to fool AV products that aren't aware this version exists; make more sigs ...

Re: Linux/Bash0day alias Shellshock alias Bashdoor

 by unixfreaxjp ¦  Sat Apr 30, 2016 9:05 am ¦  Forum: Malware ¦  Topic: Linux/Bash0day alias Shellshock alias Bashdoor ¦  Replies: 42 ¦  Views: 127999

Some insights into this malware are posted as an addition here:
http://blog.malwaremustdie.org/2016/02/ ... tml#gayfgt

Re: Linux/AES.DDoS (alias Dofloo, MrBlack)

 by unixfreaxjp ¦  Mon Apr 18, 2016 11:23 am ¦  Forum: Malware ¦  Topic: Linux/AES.DDoS (alias Dofloo, MrBlack) ¦  Replies: 48 ¦  Views: 93628