A forum for reverse engineering, OS internals and malware analysis 


Re: EnumDisplayMonitors

 by R136a1 ¦  Sat Jul 02, 2016 8:26 am ¦  Forum: User-Mode Development ¦  Topic: EnumDisplayMonitors ¦  Replies: 2 ¦  Views: 9676

Funny, there is no sanity check for the pointer of the callback function at all. Windows XP is also affected; probably nothing was done since its implementation in Windows 2000.

Re: PbBot bootkit (alias Plite, GBPBoot)

 by R136a1 ¦  Fri Jun 24, 2016 11:41 am ¦  Forum: Malware ¦  Topic: PbBot bootkit (alias Plite, GBPBoot) ¦  Replies: 22 ¦  Views: 27946

Hi folks, here is a fresh sample from 2016. After a brief comparison it shows there are only some minor updates, presumably for compatibility reasons. However, I haven't checked in detail. Strings from 16-bit loader: -------------- ReadInitData ------------ ------- IsPMSInstalled ------------- C:\Wi...

TrojanDropper:W97M/Miskip.(A/B)

 by R136a1 ¦  Tue Jun 14, 2016 2:32 pm ¦  Forum: Malware ¦  Topic: TrojanDropper:W97M/Miskip.(A/B) ¦  Replies: 0 ¦  Views: 4080

Hi folks,

attached are the Word documents and the malware files which are used in targeted attacks. It's nothing advanced, but the campaign is interesting nonetheless.

An analysis can be found here: http://www.malware-reversing.com/2016/0 ... os-in.html

Re: Win32/Furtim

 by R136a1 ¦  Mon May 23, 2016 3:17 pm ¦  Forum: Malware ¦  Topic: Win32/Furtim ¦  Replies: 22 ¦  Views: 52320

Some victim statistics and a bit of promotion for my new blog: http://www.malware-reversing.com/2016/0 ... urtim.html :)

Re: Malware with heavy virtual machine and sandbox detection

 by R136a1 ¦  Wed Apr 27, 2016 10:30 am ¦  Forum: Malware ¦  Topic: Win32/Furtim ¦  Replies: 22 ¦  Views: 52320

The C&C server of the first sample exposes over 1 GB of victims' data due to misconfigured directory listing. The Internet service provider was informed.

Re: Malware with heavy virtual machine and sandbox detection

 by R136a1 ¦  Mon Apr 25, 2016 8:18 pm ¦  Forum: Malware ¦  Topic: Win32/Furtim ¦  Replies: 22 ¦  Views: 52320

Attached is another sample with a slightly newer compilation time stamp, which was downloaded with a new version of Godzilla Loader.

Trojan.GodzillaLoader (alias Godzilla Loader)

 by R136a1 ¦  Tue Apr 19, 2016 2:13 pm ¦  Forum: Malware ¦  Topic: Trojan.GodzillaLoader (alias Godzilla Loader) ¦  Replies: 3 ¦  Views: 11254

In January of 2016, a tiny downloader named Godzilla Loader was advertised in the Damagelab forum. Despite its small size of 6 KB, this downloader didn't look very special at first. However, a closer look into a sample showed an interesting downloading method which I haven't seen before. A translati...

Re: Gozi & GMBot Source Code

 by R136a1 ¦  Mon Apr 18, 2016 5:38 pm ¦  Forum: Malware ¦  Topic: Gozi & GMBot Source Code ¦  Replies: 2 ¦  Views: 4409

Re: My files were compressed and password protected

 by R136a1 ¦  Thu Apr 14, 2016 9:05 am ¦  Forum: Malware ¦  Topic: My files were compressed and password protected ¦  Replies: 6 ¦  Views: 7589

Since this ransomware uses WinRAR self-extracting files protected with a password (symmetric encryption), you have a good chance to get your files back: - The password is generated on-the-fly (e.g. from computer-specific data of the victim) and sent to the C&C server - The password is included in the ...

Re: WinNT/Turla (WinNT/Pfinet, Uroburos rootkit)

 by R136a1 ¦  Sun Apr 03, 2016 2:14 pm ¦  Forum: Malware ¦  Topic: WinNT/Turla (WinNT/Pfinet, Uroburos rootkit) ¦  Replies: 66 ¦  Views: 255902

Two days ago, I have started to analyse an unusual Turla dropper which adds an extra layer to the already known dropper and which pretends to be compiled in 2013 according to its time stamp. However, some of its final payloads have a newer compilation time stamp from 2014, leading to the assumption ...
