A forum for reverse engineering, OS internals and malware analysis 


Re: Petya malware

 by Fabian Wosar ¦  Sat Mar 26, 2016 5:25 pm ¦  Forum: Malware ¦  Topic: Petya malware ¦  Replies: 16 ¦  Views: 42804

Just some notes, that may or may not be helpful. Take all the information with a huge pinch of salt, as I have never done much boot loader reversing. Expect inaccuracies and some info may just be plain wrong. The malicious MBR will essentially read 32 sectors starting from sector 0x22 to address 0x8...

Re: Ransomware ACCDFISA

 by Fabian Wosar ¦  Tue Feb 23, 2016 12:47 pm ¦  Forum: Malware ¦  Topic: Ransomware ACCDFISA ¦  Replies: 51 ¦  Views: 62596

There you go:

rule AccdfisaDropper {
    strings:
        $a = "sfxrar.pdb" nocase
        $b = "nsf.exe" nocase
        $c = "NoSafeMode.dll" nocase
    condition:
        $a and $b and $c
}

rule AccdfisaCrypter {
    strings:
        $a = ".xml" nocase
        $b = ".txt" nocase
        $c = ".png" nocase
        $d = " -dh -ep2 -hp" nocase
    condition:
        $a and $b and $c and...

Re: Ransom.Radamant

 by Fabian Wosar ¦  Thu Jan 28, 2016 11:27 am ¦  Forum: Malware ¦  Topic: Ransom.Radamant ¦  Replies: 10 ¦  Views: 17350

Kind of lol, but this malware with all symbol names inside, e.g. Yes, that gave me a chuckle, too. If you really want to laugh, take a look at the encryptFile function and look at the convoluted mess they introduced in an attempt to stop my decrypter. They still didn't fix the original issue. I can...

Re: PClock ransomware

 by Fabian Wosar ¦  Fri Jan 09, 2015 12:46 pm ¦  Forum: Malware ¦  Topic: PClock ransomware ¦  Replies: 7 ¦  Views: 9604

Okay, the algorithm used to encrypt the block appears to be standard RC4.

Re: PClock ransomware

 by Fabian Wosar ¦  Fri Jan 09, 2015 10:33 am ¦  Forum: Malware ¦  Topic: PClock ransomware ¦  Replies: 7 ¦  Views: 9604

Mohamed Shetta wrote: Nope, I thought everything is clear over there so I didn't check. Is there something vague over there?
Don't know yet to be honest as I haven't had time to look into it yet :).

Re: PClock ransomware

 by Fabian Wosar ¦  Thu Jan 08, 2015 7:10 pm ¦  Forum: Malware ¦  Topic: PClock ransomware ¦  Replies: 7 ¦  Views: 9604

I doubt that the key gets deleted as the ransomware doesn't import the function rtcDeleteSetting. While it is not deleted, there at least exists code that will set it to an empty string again. Take a look around 0x0042F422. It calls the method that sets the value you mentioned with an empty string....

PClock ransomware

 by Fabian Wosar ¦  Wed Jan 07, 2015 2:30 pm ¦  Forum: Malware ¦  Topic: PClock ransomware ¦  Replies: 7 ¦  Views: 9604

Attached are two variants of a new crypto malware that first showed up a few days ago. The encryption of the first variant is rather simplistic. It just does a simple XOR using a static key that is used on every system. The key used is 0x30353533316231396262383436623138633039663937396565623432396164...

Re: Win32/Dircrypt (File Encrypting Ransomware)

 by Fabian Wosar ¦  Thu Apr 24, 2014 6:04 pm ¦  Forum: Malware ¦  Topic: Win32/Dircrypt (File Encrypting Ransomware) ¦  Replies: 14 ¦  Views: 25353

It looks like a new variant of this particular malware family is spreading at the moment. Infection scheme changed slightly. Instead of various different file formats, all files are encrypted into RTF documents with the *.enc.rtf extension now. Please find the original as well as the unpacked sample...

Re: CryptoDefense

 by Fabian Wosar ¦  Fri Apr 04, 2014 2:52 am ¦  Forum: Malware ¦  Topic: CryptoDefense ¦  Replies: 8 ¦  Views: 11860

The malware author released a new variant of his malware using different C2 domains and fixing his mistake of saving the private key on the victim's PC that Symantec conveniently pointed out to him roughly 24 hours before this new version was compiled. I also included the unpacked malware. It has be...

Re: CryptoLocker (Trojan:Win32/Crilock.A)

 by Fabian Wosar ¦  Mon Jan 13, 2014 11:01 am ¦  Forum: Malware ¦  Topic: CryptoLocker (Trojan:Win32/Crilock.A) ¦  Replies: 118 ¦  Views: 204159

I still can't run CryptoLocker. I've created a special VM for malware without additions, renamed devices and registry keys. What am I doing wrong? How are guys testing it? CryptoLocker is not VM aware. Most likely your infection has a hard time finding a valid C2 server as the vast majority of doma...
