[Xylitol]

Thanks a lot. This sample has the same name but is a little bit different to ones described in Kaspersky report

KL talk about 92e724291056a5e30eca038ee637a23f here: https://securelist.com/blog/research/70 ... ce-module/

[t4L]

@xylit0l:

Yeah, they're different by the trigger string, the sample KL posted is the one that is based on passthru.

I just want to take a look at the other sample in first KL Duqu report to see it has anything interesting.

[Cr4sh]

Can anyone share a full sample including VFS image? I'm interested mostly in two files that called “CTwoPENC.dll" and “KMART.dll” (unfortunately don't know it's MD5 hashes, idiots from Kaspersky can't even write an adequate analysis report).

[t4L]

That is their intention.

[wayitech]

Is there other information about Duqu.

[Haruhi]

I have found this analysis of DUQU 2.0, maybe useful maybe not, Is attached in this post.

Cheers.

[Black1024]

Thanks for your sample

[R136a1]

Here is the exploit known as CVE-2015-2360. It wasn't publicly released yet, so I thought to upload it before it gets lost in my archive.

The compilation time stamp is a bit newer than the samples described by Kaspersky, though I don't think there is a big difference in the functionality, if at all. Unfortunately, as Kaspersky didn't release the samples, I couldn't make a comparison.

For me, it's always interesting to find a possible connection to other binaries, so I did a comprehensive search. Also, I have asked several people to look at their databases and services for any similarities. At the end, I haven't found anything...

[rgster002]

which one note that duqu2 start execution by MSI package, long time ago ,I haven't find the MSI sample. so , anyone can find it and who can share the sample on this？
md5:14712103ddf9f6e77fa5c9a3288bd5ee