A forum for reverse engineering, OS internals and malware analysis 


Re: Win32 Rombertik

 by ebfe ¦  Fri May 15, 2015 10:47 am ¦  Forum: Malware ¦  Topic: Win32/Rombertik ¦  Replies: 27 ¦  Views: 52648

These guys are spending their time analyzing a packer (or cryptor) written in Delphi. The unpacked EXE (which is only 25600 bytes) is wrapped with this Delphi packer. The malware is old; I don't know why it has popped up now. And actually there are different versions of packers they used in the past. Here i...

Re: UACMe - Defeating Windows User Account Control

 by ebfe ¦  Sat Mar 28, 2015 2:36 pm ¦  Forum: Tools/Software ¦  Topic: UACMe - Defeating Windows User Account Control ¦  Replies: 136 ¦  Views: 440827

The wusa.exe method works flawlessly on windows 8/8.1, however I didn't check it on Win10.

Re: UACMe - Defeating Windows User Account Control

 by ebfe ¦  Sat Mar 28, 2015 1:21 pm ¦  Forum: Tools/Software ¦  Topic: UACMe - Defeating Windows User Account Control ¦  Replies: 136 ¦  Views: 440827

There is another UAC bypass method used in Carberp malware: https://github.com/hzeroo/Carberp/blob/master/source%20-%20absource/pro/all%20source/BJWJ/source/exploit/UAC_bypass.cpp Steps to reproduce: 1. Make .cab archive with your own cryptbase.dll or wdscore.dll and rename it to .MSU 2. Deploy .MSU...

Re: Backdoor Andromeda (alias Gamarue)

 by ebfe ¦  Sat Mar 30, 2013 9:58 pm ¦  Forum: Malware ¦  Topic: Backdoor Andromeda (waahoo, alias Gamarue) ¦  Replies: 129 ¦  Views: 194456

Hi, I analyzed the sample from this post:
http://www.kernelmode.info/forum/viewto ... 497#p18497

And I wrote a blog post about it; if you are interested, please read it here: http://www.0xebfe.net/blog/2013/03/30/f ... andromeda/