how to decode Kovter registry data

Discussion on reverse-engineering and debugging.
heart888
Posts: 19
Joined: Tue Mar 01, 2016 11:04 pm

how to decode Kovter registry data

Post by heart888 » Wed Jun 08, 2016 5:38 am

I was trying to de-obfuscate data created in a registry key by the Kovter malware. I tried to use JSDetox but failed. Has anyone tried to do it? I appreciate any help to decode it. Thanks. I attached a sample.

EP_X0FF
Global Moderator
Posts: 4882
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: how to decode Kovter registry data

Post by EP_X0FF » Wed Jun 08, 2016 3:50 pm

Attach dropper.
Ring0 - the source of inspiration

heart888
Posts: 19
Joined: Tue Mar 01, 2016 11:04 pm

Re: how to decode Kovter registry data

Post by heart888 » Wed Jun 08, 2016 11:32 pm

please see attached.

EP_X0FF
Global Moderator
Posts: 4882
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: how to decode Kovter registry data

Post by EP_X0FF » Fri Jun 10, 2016 9:13 am

There are not that many RegSetValueEx calls in the final payload. Probably you should bp at them. This malware is a container type: VB crypter -> dropper with encrypted payload in resource -> actual Delphi Kovter with some encrypted stuff in resource (probably cfg). So get the actual malware from the dropper and run it under a debugger.
Ring0 - the source of inspiration
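The "get the actual malware from the dropper" step above usually comes down to carving an embedded PE out of the resource blob. Below is an added example of that carve, written for this thread rather than taken from the posts or from Kovter itself. The thread only says the resource payload is "encrypted"; the single-byte XOR brute force here is an assumption chosen for illustration, and the real scheme in the sample has to be recovered under the debugger. The resource bytes and the fake payload are constructed inline so the script runs offline; on a real dropper you would feed it the raw resource data (for instance dumped with pefile or Resource Hacker).

```python
# Added example (not code from the thread, nor Kovter's own logic): carve a
# PE image that a dropper keeps in a resource, trying the blob as-is and then
# every single-byte XOR key. The XOR layer is an assumption for illustration;
# the post only says the payload is "encrypted".
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"


def find_embedded_pe(blob):
    """Offsets in blob where an MZ header's e_lfanew points at a PE\\0\\0 signature."""
    hits = []
    off = blob.find(MZ)
    while off != -1:
        if off + 0x40 <= len(blob):  # need the whole DOS header to read e_lfanew
            e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
            pe_off = off + e_lfanew
            # e_lfanew is small in practice; the PE signature must also fit in the blob
            if 0x40 <= e_lfanew <= 0x1000 and blob[pe_off:pe_off + 4] == PE_SIG:
                hits.append(off)
        off = blob.find(MZ, off + 1)
    return hits


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def carve_payload(blob):
    """Return (key, offset, image_bytes) for the first plausible PE, else None.

    key 0 means the blob was already in the clear. image_bytes runs to the end
    of the blob: the true size (SizeOfImage / section table) is not recovered here.
    """
    for key in range(256):
        candidate = xor_bytes(blob, key) if key else blob
        hits = find_embedded_pe(candidate)
        if hits:
            return key, hits[0], candidate[hits[0]:]
    return None


def build_fake_pe(size=0x200):
    """Constructed stand-in for a dropped payload: just enough header to be found."""
    buf = bytearray(size)
    buf[0:2] = MZ
    e_lfanew = 0x80
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = PE_SIG
    struct.pack_into("<H", buf, e_lfanew + 4, 0x014C)  # IMAGE_FILE_MACHINE_I386
    return bytes(buf)


# Constructed resource blob (assumption, not from the sample): some leading
# bytes, the fake payload XORed with 0x5A, and a few trailing bytes.
SAMPLE_KEY = 0x5A
SAMPLE_RESOURCE = b"RESOURCE HEADER" + xor_bytes(build_fake_pe(), SAMPLE_KEY) + b"trailer"


if __name__ == "__main__":
    result = carve_payload(SAMPLE_RESOURCE)
    if result is None:
        print("no PE found in resource")
    else:
        key, off, image = result
        print(f"PE found at offset {off:#x} under XOR key {key:#04x}, {len(image)} bytes")
        # On a real sample: write `image` to disk, trim it to SizeOfImage, and
        # load it in the debugger with breakpoints on RegSetValueEx as suggested above.
```

If the carve finds nothing under any single-byte key, the layer is something else (multi-byte XOR, RC4, a custom stream); at that point set a breakpoint on the dropper's own resource load (FindResource / LoadResource / SizeofResource) and dump the buffer after the decryption loop runs, instead of guessing the cipher statically.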
