A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #19068  by R136a1
 Wed Apr 24, 2013 4:21 pm
A few weeks ago, I started to reverse engineer a malicious x64 .dll (see Parts section below, No. 2) to begin to learn x64 (dis)assembly. From analysis it became apparent that the .dll was part of a bigger malware package. After a while searching on the Internet, I found some Droppers which contained similar files to the one I was analyzing. Luckily some of the files of these Droppers contained .pdb debug strings. At the same time there were the "South Korean Cyber Attacks" on banks and broadcasting organizations (see: http://www.symantec.com/connect/blogs/s ... ber-attack and http://www.symantec.com/connect/blogs/a ... ks-related). As it turned out, the Droppers I found are from the same attackers like described in the Symantec article.
Blogpost: http://thegoldenmessenger.blogspot.de/2 ... lware.html

The samples can be found here (ZIP Password = "infected"):
Concealment Troy - https://www.dropbox.com/s/w1892v0hzjgti ... xer%29.zip
Http Dr0pper - https://www.dropbox.com/s/fzk9bkn6fk5kl ... r0pper.zip
Http Troy - https://www.dropbox.com/s/n6h6vgnoihy59 ... 20Troy.zip
PDF Exploit - https://www.dropbox.com/s/lvzj14261bbaj ... xploit.zip
TDrop - https://www.dropbox.com/s/wn5a1jruatpq3x5/TDrop.zip
Parts (of additional packages) - https://www.dropbox.com/s/mqp1bvhuacoakcq/Parts.zip
 #19886  by R136a1
 Sun Jun 30, 2013 6:04 pm
You do not have the required permissions to view the files attached to this post.