A forum for reverse engineering, OS internals and malware analysis 

Search found 12 matches

Re: Linux/Bash0day alias Shellshock alias Bashdoor

 by aaSSfxxx ¦  Wed Oct 08, 2014 3:14 pm ¦  Forum: Malware ¦  Topic: Linux/Bash0day alias Shellshock alias Bashdoor ¦  Replies: 42 ¦  Views: 127989

Hello, I'm fine :)

Sorry, I forgot to link the post I was talking about, so here it is: http://www.kernelmode.info/forum/viewto ... 505#p23989

I tried to make sigfiles to detect the glibc functions linked into that malware, but I didn't find the proper glibc version used :(

Re: Linux/Bash0day alias Shellshock alias Bashdoor

 by aaSSfxxx ¦  Tue Oct 07, 2014 11:43 am ¦  Forum: Malware ¦  Topic: Linux/Bash0day alias Shellshock alias Bashdoor ¦  Replies: 42 ¦  Views: 127989

The project file list you give is just glibc's stuff, as the nginx malware is statically linked with it, so unfortunately it's useless for detection.

Re: DarkComet Data Extractor

 by aaSSfxxx ¦  Wed Sep 04, 2013 8:32 am ¦  Forum: Tools/Software ¦  Topic: DarkComet Data Extractor ¦  Replies: 4 ¦  Views: 8402

The key changes depending on the version of DarkComet.

For DarkComet 4, the key is #KCMDDC4#-890; for DarkComet 5, it's #KCMDDC5#-890; and for DarkComet >= 5.1, the key becomes #KCMDDC51#-890.

Re: Backdoor Andromeda (alias Gamarue)

 by aaSSfxxx ¦  Tue Mar 26, 2013 6:57 pm ¦  Forum: Malware ¦  Topic: Backdoor Andromeda (waahoo, alias Gamarue) ¦  Replies: 129 ¦  Views: 194301

As promised, I wrote an article about this sample (which is really an Andromeda 2.07 sample), which you can read here: http://aassfxxx.infos.st/article22/andromeda-2-07-analysis (feel free to ask me questions here or in the comments about this article ;) ). In this version, nothing really new, just some fu...

Re: Backdoor Andromeda (alias Gamarue)

 by aaSSfxxx ¦  Wed Mar 20, 2013 7:00 pm ¦  Forum: Malware ¦  Topic: Backdoor Andromeda (waahoo, alias Gamarue) ¦  Replies: 129 ¦  Views: 194301

That's an old or different build of Andromeda, variant "I". In this thread, mostly the "F" variant is attached. Analyze the code, not how and where it connects. Usual Andromeda encrypted strings related to AntiVM/SandboxIE. Ќ…ЊюяяPяuґяUр…А…pяяяяuґяUмhdll hdll.hsbie‹ДPяUьѓД…А…© З…|юяя j h.dllhpi32hadva‹ДPяUи‰EА...

Re: Backdoor Andromeda (alias Gamarue)

 by aaSSfxxx ¦  Thu Feb 21, 2013 10:01 am ¦  Forum: Malware ¦  Topic: Backdoor Andromeda (waahoo, alias Gamarue) ¦  Replies: 129 ¦  Views: 194301

I think pcap traffic is a little bit useless for Andromeda, since the bot traffic is encrypted (with the bot key). The bot key is stored with the URL list, and I wrote some tools (in Python 2) which allow extracting the Andromeda config from an unpacked sample and querying the C&C to get stuff dropped by Andromeda...

Re: Point-of-Sale malwares / RAM scrapers

 by aaSSfxxx ¦  Sun Feb 03, 2013 8:36 pm ¦  Forum: Malware ¦  Topic: Point-of-Sale malwares / RAM scrapers ¦  Replies: 244 ¦  Views: 864109

No, it seems to store data into a local SQL Server database (the new sample seems to have the same structure as the other ones).

Re: Point-of-Sale malwares / RAM scrapers

 by aaSSfxxx ¦  Sun Feb 03, 2013 5:32 pm ¦  Forum: Malware ¦  Topic: Point-of-Sale malwares / RAM scrapers ¦  Replies: 244 ¦  Views: 864109

Btw, got new stuff on hXXp://royjamesinsurance.com/images/.

This time, no SQL Server creds in the command strings :( (malware attached).
Same shit as the sample I posted before.
https://www.virustotal.com/file/6d4d91f ... 359968332/ > 10/46

Re: Point-of-Sale malwares / RAM scrapers

 by aaSSfxxx ¦  Sat Feb 02, 2013 12:02 pm ¦  Forum: Malware ¦  Topic: Point-of-Sale malwares / RAM scrapers ¦  Replies: 244 ¦  Views: 864109

Btw, I saw the comment of unixfreakjp on my blog, so I'll answer the two questions asked (I have to create another post since I can't edit my previous post): 1. What was the "weird string" you talk about? The string I found was BLC.bdR3S% 1!rA2l"h=EDWOwf6oU,s0Nec8muMk4Ttp-IiaQP',27h,';)v(xF , used ...

Re: Point-of-Sale malwares / RAM scrapers

 by aaSSfxxx ¦  Fri Feb 01, 2013 9:42 pm ¦  Forum: Malware ¦  Topic: Point-of-Sale malwares / RAM scrapers ¦  Replies: 244 ¦  Views: 864109

@unixfreakjp: first, I think the "Security" key you found won't help to decode data because it's just Windows service manager crap (the malware creates its service if not installed, and then launches the service with the command found above). Then, for the ugly string I found, it doesn't seem to be a...