A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #4659  by Xylitol
 Sun Jan 23, 2011 11:38 am
Well i present you my tiny malware bot
Who need to be improved..
I use it for follow the evolution of ransomwares mainly.
Here a screenshot:
Image

Every X time it will download your files in a folder called "Malware" he also modify the extension of downloaded malware like this: ".exe.ViR" or ".dll.ViR" etc...
You can load a malware list or save it. (malcode.txt)
You can reduce it in the systemtray and if the sample was updated you will be notified with a the systemtray baloon like here on the 1.5 version:
Image

He write also a file called 'Information.txt' who contain information about downloaded files
Here the information file on the 1.0 version (logs are a 48hours of homoblocker ransomware tracking):
Image
The MD5 have changed alot :)

The version 1.6 include a tiny php website support for see 'online' the new samples who get updated

PHP Builder option:
Image

The website:
Image

The folder '/Help/' about how to setup your site online
Image
Attachments
version 1.6 revision 1
(1.05 MiB) Downloaded 110 times
 #5037  by Xylitol
 Sun Feb 13, 2011 12:07 pm
Finally the 1.7 is released.

What's new ?
- IRC bot
- PHP ACP (edit/del/add)
- PE infos (*.exe, *.dll, *.src only)
- Send PE infos to the php site
- Timeout system configurable
- Open Source (feel free to modify it)

Image
Image
Image
Image
Image
Image
Image

PHP Malware Monitoring Center:
Image
Image
Image
Image

sourceforge: https://sourceforge.net/projects/malwar ... MAD%201.7/
Attachments
MAD Source Code 1.7 (vb6)
(2.25 MiB) Downloaded 57 times
MAD Binary 1.7.zip
(3.08 MiB) Downloaded 66 times
 #5042  by EP_X0FF
 Sun Feb 13, 2011 4:10 pm
Yeah, sound seems to be killed program.
 #5046  by EP_X0FF
 Sun Feb 13, 2011 8:14 pm
Xylitol wrote:hmm maybe a problem with uFMOD lib.
I run in WinXP SP3 and i dont have the problem (wut?)
can you retest with this exe ?
This one works.
 #5062  by Xylitol
 Mon Feb 14, 2011 10:13 pm
Malware Auto-downloader v1.7 Revision 3
Some minor bugs fixed concerning the PHP Panel and the program himself.
MAD update page: Now generated with a random name for more security.
Admin Control Panel page: You can choose the name you want for the PHP file or generate also a random name.
Admin Control Panel page: Added a captcha to the login form (And dont worry captcha.fct.php is easy to understand if you want make it custom)
SourceForge ~ https://sourceforge.net/projects/malwar ... MAD%201.7/

Image
Image
Image
Image
Attachments
MAD 1.7.3 Source Code+Binary
(3.8 MiB) Downloaded 81 times
 #7978  by EP_X0FF
 Sat Aug 13, 2011 11:06 am
I've some sort of bug-report :)

Once started on Windows 7 first time program displays the following error dialog - "Component 'MSCOMCTL.ocx' or one of its dependencies not correctly registered: a file is missing or invalid".
To solve this, program needs to be started one time with elevated rights. Another thing - I think your manifest does not working.

Below is screenshot - MAD at the left is customized exe (I put a valid manifest resource inside), MAD at the right - is original executable.

Image
Code: Select all
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
   <assemblyIdentity
      name="MAD"
      processorArchitecture="x86"
      version="1.7.0.4"
      type="win32"/>
   <description>MAD</description>
   <dependency>
      <dependentAssembly>
         <assemblyIdentity
            type="win32"
            name="Microsoft.Windows.Common-Controls"
            version="6.0.0.0"
            processorArchitecture="x86"
            publicKeyToken="6595b64144ccf1df"
            language="*"
         />
      </dependentAssembly>
   </dependency>
   <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
      <security>
         <requestedPrivileges>
            <requestedExecutionLevel
               level="asInvoker"
               uiAccess="False"/>
         </requestedPrivileges>
      </security>
   </trustInfo>
</assembly>
and btw, Sophos "AV" does not like your program :)