A forum for reverse engineering, OS internals and malware analysis 

Search found 501 matches


Re: Linux/AES.DDoS (alias Dofloo, MrBlack)

 by unixfreaxjp ¦  Wed Feb 10, 2016 8:08 am ¦  Forum: Malware ¦  Topic: Linux/AES.DDoS (alias Dofloo, MrBlack) ¦  Replies: 48 ¦  Views: 93628

Memo: AES.DDoS attack switch latest version (case switch 0x01 to 0x0C) https://lh3.googleusercontent.com/-lToiPY0ztMQ/Vrru_fpsflI/AAAAAAAAUYs/47zUsroAGDE/s600/pic002.PNG Typical MO: /etc/sed[a-zA-Z0-9]{5} /etc/rc.d/rc.local /etc/init.d/boot.local Network: CNC: 115.231.219.147:48080 (ip base) AS4134...

Re: Linux/Tsunami

 by unixfreaxjp ¦  Sun Feb 07, 2016 12:52 pm ¦  Forum: Malware ¦  Topic: Linux/Tsunami ¦  Replies: 28 ¦  Views: 56824

If anyone needs samples directly from the source, the list is here↓

http://blog.malwaremustdie.org/2016/02/ ... ution.html

Re: Win32/Brazil Drivers? I don't know this..

 by unixfreaxjp ¦  Fri Feb 05, 2016 8:35 am ¦  Forum: Malware ¦  Topic: WinNT/Banbra (Brazilian banker) ¦  Replies: 8 ¦  Views: 14152

Same stealer crook, using this bin w/ the same driver's drop: https://lh3.googleusercontent.com/-sNJMOK4nmzE/VrRccanCOMI/AAAAAAAAUXg/VSGhfZEQDq0/s600/008.PNG HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hookmgr This time they stopped using .NET and switched to Delphi compiled PE but used the sam...

Linux/shell.elf | Re: Linux/binsh

 by unixfreaxjp ¦  Wed Feb 03, 2016 10:41 am ¦  Forum: Malware ¦  Topic: Linux/binsh ¦  Replies: 3 ¦  Views: 8534

This is the variant of the sample that I posted here in September 2014. The infection vector is the same shellshock. The sample is new. And this sample is also based on shellcode compiled as a tiny ELF. The functionality is connecting to the remote machine, opening to the backdoor and write anything ...

Re: Linux/ChinaZ.DDoS

 by unixfreaxjp ¦  Tue Feb 02, 2016 4:30 pm ¦  Forum: Malware ¦  Topic: Linux/ChinaZ.DDoS ¦  Replies: 10 ¦  Views: 20969

The ChinaZ edition/version2 (they called it), with modified codes in many places. Attack main function as initial too is DNS-AMP. This time it doesn't need to load amp.dat or Config.ini to perform an attack, a PONG traffic can be used to trigger a specific DNS AMP attack to traffic's hard coded DNS ...

Re: Win32/Brazil Drivers? I don't know this..

 by unixfreaxjp ¦  Sun Jan 31, 2016 9:27 am ¦  Forum: Malware ¦  Topic: WinNT/Banbra (Brazilian banker) ¦  Replies: 8 ¦  Views: 14152

This switch is part of dispatch routine for control codes sent from user mode via DeviceIoControl. There are three commands which are for copy memory and return pointers to PsGetCurrentThreadId and PsGetCurrentThreadProcessId to the user mode caller. :) Thank you very much, this explains a lot of expl...

WinNT/Banbra (Brazilian banker)

 by unixfreaxjp ¦  Sun Jan 31, 2016 7:47 am ¦  Forum: Malware ¦  Topic: WinNT/Banbra (Brazilian banker) ¦  Replies: 8 ¦  Views: 14152

Hello @EP_X0FF Someone sent me a binary to be investigated as a banking trojan with 37Mb size - the point is it installed the small windows driver and I don't know what is the purpose, except grabbing process ID (and its installation) https://www.virustotal.com/en/file/57a2dd99dd0c153a45b52f065645a8...

Re: Linux/Tsunami

 by unixfreaxjp ¦  Wed Jan 13, 2016 9:15 pm ¦  Forum: Malware ¦  Topic: Linux/Tsunami ¦  Replies: 28 ¦  Views: 56824

loonysquad uses "lame way" to :lol: encode :roll: the strings in the version of Tsunami/kaiten base they called STD bot. And using encrypted communication to poke CNC (checkin) Samples: https://www.virustotal.com/en/file/4ef73b1edac441bff5d024714c044da1b078d5bd65e5c40b8299bfe71309add1/analysis/ … ht...

Linux/Torte (spooler) ELF

 by unixfreaxjp ¦  Tue Jan 12, 2016 3:00 am ¦  Forum: Malware ¦  Topic: Linux/Torte (spooler) ELF ¦  Replies: 0 ¦  Views: 3882

An incident report & analysis (MMD): http://blog.malwaremustdie.org/2016/01/mmd-0050-2016-incident-report-elf.html The threat report (Akamai): https://www.stateoftheinternet.com/downloads/pdfs/SpamBot-Investigation-whitepaper-R3.pdf x32: https://www.virustotal.com/en/file/800f8b125345784d532b29465b5...

Win32/Bulta

 by unixfreaxjp ¦  Mon Jan 11, 2016 8:31 am ¦  Forum: Malware ¦  Topic: Win32/Bulta ¦  Replies: 2 ¦  Views: 5037

The malware was spotted as payload in HFS watering hole <PIC> CNC: kugo.f3322.net (58.128.228.168) port 51012 Origin is PRC/China. Many analysis evasion like: packed, check mouse, aiming specific OS, antivirus process detection, etc. Drops two files: \Common Files\ppt\symet.exe (self-copy) \C:\2370.vbs ...
