A forum for reverse engineering, OS internals and malware analysis 

Re: Malware Requests - Xpaj

 by Flopik ¦  Tue Apr 24, 2012 12:29 pm ¦  Forum: Malware ¦  Topic: W32.Xpaj.B ¦  Replies: 10 ¦  Views: 13434

Hello all, I'm looking for a sample of the Xpaj botnet. Kaspersky labels it W32.Xpaj.B, referenced here: http://www.symantec.com/connect/blogs/xpaj-botnet-intercepts-87-million-searches-year. I have no MD5 and couldn't find reference to it anywhere on this site, or elsewhere. TIA
A new analysis is av...

Re: Darkmegi

 by Flopik ¦  Fri Apr 20, 2012 12:51 pm ¦  Forum: Malware ¦  Topic: Darkmegi ¦  Replies: 5 ¦  Views: 4894

Darkmegi

 by Flopik ¦  Tue Apr 17, 2012 12:17 pm ¦  Forum: Malware ¦  Topic: Darkmegi ¦  Replies: 5 ¦  Views: 4894

Darkmegi: This is Not the Rootkit You’re Looking For
https://blogs.mcafee.com/mcafee-labs/da ... ooking-for

Sample?

Re: Malware Requests

 by Flopik ¦  Tue Mar 20, 2012 6:03 pm ¦  Forum: Completed Malware Requests ¦  Topic: TrojanSpy:Win32/Lurk ¦  Replies: 4 ¦  Views: 3483

Trojan-Spy.Win32.Lurk.ja

Mentioned in:
http://www.theregister.co.uk/2012/03/18 ... are_found/

Java exploit infection, maybe a website?

Re: Citadel (Zeus clone)

 by Flopik ¦  Mon Feb 20, 2012 2:41 pm ¦  Forum: Malware ¦  Topic: Citadel (Zeus clone) ¦  Replies: 197 ¦  Views: 398843

Thanks!

Xylitol wrote: Sample old ~15 Jan

Re: Malware Requests

 by Flopik ¦  Mon Feb 13, 2012 1:28 pm ¦  Forum: Completed Malware Requests ¦  Topic: Malware Requests ¦  Replies: 97 ¦  Views: 121303

I'm looking for the malware Chupa Cabra, also called Trojan-Spy.Win32.SPSniffer

http://www.securelist.com/en/blog/20819 ... nt_devices

Re: Citadel (Zeus clone)

 by Flopik ¦  Sat Feb 11, 2012 1:55 am ¦  Forum: Malware ¦  Topic: Citadel (Zeus clone) ¦  Replies: 197 ¦  Views: 398843

I'm interested in a sample too

Re: W32.Duqu

 by Flopik ¦  Mon Oct 24, 2011 3:33 pm ¦  Forum: Malware ¦  Topic: W32.Duqu ¦  Replies: 55 ¦  Views: 56662

From the sample under [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmi4432]:
You don't need a dropper. The only thing needed in order to run it is to place cmi4432.PNF in C:\WINDOWS\inf and remove the key Enum; after that the service should start fine.

Re: Rootkit ZeroAccess (aka MAX++)

 by Flopik ¦  Wed Oct 19, 2011 4:37 pm ¦  Forum: Malware ¦  Topic: Rootkit ZeroAccess (alias MaxPlus, Sirefef) ¦  Replies: 374 ¦  Views: 326174

Any clue how it can be detected in kernel land?

Re: Rootkit ZeroAccess (aka MAX++)

 by Flopik ¦  Wed Oct 19, 2011 3:06 pm ¦  Forum: Malware ¦  Topic: Rootkit ZeroAccess (alias MaxPlus, Sirefef) ¦  Replies: 374 ¦  Views: 326174

Sample MD5: 88753E004EF0A8A57D5632613CAC7EFA
They use NTFS ADS in service process:
!process 81959B58 0 PROCESS 81959b58 SessionId: 0 Cid: 0314 Peb: 7ffd8000 ParentCid: 02a0 DirBase: 048003c0 ObjectTable: e13281e8 HandleCount: 5. Image: 3972565216:527906579.exe lkd> dt _FILE_OBJECT 0x819720e0 +0x030...