A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #10675  by EP_X0FF
 Thu Dec 29, 2011 5:43 am
Not a really useful dump. Regshot uses its own hive format. Use regedit instead, or tell me how to extract compatible reg data or mount this hive.
Additionally, regshot crashed when processing this dump:
AppName: regshot.exe AppVer: 1.8.3.0 ModName: regshot.exe
ModVer: 1.8.3.0 Offset: 0000298d
What I want is shown in the figure below.

Image
 #10738  by EP_X0FF
 Mon Jan 02, 2012 2:30 am
markusg wrote: sorry for the mistake in the deleted post.
http://www.file-upload.net/download-398 ... s.reg.html
This is the reg export. He was not able to find the CLSID.
Sorry for the delay in reply.

aptwiypzp.dll replaces the ServiceDll registry path for the LanmanWorkstation service (originally this should be wkssvc.dll). After a restart this dll will work in the address space of one of the svchost.exe processes.
aptwiypzp.dll contains the strings
wkssvc.dll SysEvtC \\.\ \\.\Global\ \ntdll.dll 31st.exe
+x86 +x64 &sys=unknown &sys=windows+%d.%d
Also it has some CLSID registration data inside for something under CLSID {97A33157-2988-42BE-B4D5-93B7E823CAB8} with the name "bundle". Overall it's suspicious behavior and likely this can be a part of malware. What kind of part - well, without the other components it's hard to say, because reconstruction of the whole aptwiypzp workflow is overhead. To play with this dll all you need is to put this dll in system32, change the ServiceDll path for LanmanWorkstation to this dll's path and reboot.
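The ServiceDll hijack described above is easy to audit from a regedit export: for each svchost-hosted service, the ServiceDll under Services\<name>\Parameters should point at the expected system DLL. The script below is an added example (not code from the thread's authors): it parses a regedit .reg export (REG_SZ, REG_EXPAND_SZ as hex(2) with continuation lines, DWORD) and flags any baseline service whose ServiceDll file name differs from the expected one. The baseline table and the sample export are constructed for the example; the export mirrors the hijack in the post, with the LanmanWorkstation ServiceDll pointing at aptwiypzp.dll.

```python
"""Audit svchost ServiceDll entries in a regedit (.reg) export against a baseline.
Added example for this thread, not the thread authors' code; baseline and sample
export are constructed."""
import re
from typing import Dict, List, Optional, Tuple

RegValues = Dict[str, Tuple[str, object]]      # value name -> (type, decoded data)

# Assumed baseline of ServiceDll file names; build yours from a known-clean host.
EXPECTED_SERVICE_DLLS = {
    "LanmanWorkstation": "wkssvc.dll",
    "LanmanServer": "srvsvc.dll",
    "Dnscache": "dnsrslvr.dll",
}

_SERVICE_PARAMS_KEY = re.compile(
    r"^hkey_local_machine\\system\\(?:currentcontrolset|controlset\d+)"
    r"\\services\\([^\\]+)\\parameters$")


def _reg_hex2(value: str, width: int = 80) -> str:
    """Encode a string the way regedit exports REG_EXPAND_SZ: 'hex(2):' plus
    comma-separated UTF-16LE bytes (NUL terminated), wrapped with backslash
    continuation lines.  Used only to build the constructed sample export."""
    body = ",".join(f"{b:02x}" for b in (value + "\0").encode("utf-16-le"))
    chunks = []
    while len(body) > width:
        cut = body.rfind(",", 0, width) + 1
        chunks.append(body[:cut])
        body = body[cut:]
    chunks.append(body)
    return "hex(2):" + "\\\n  ".join(chunks)


# Constructed sample: what a regedit export of the infected host could look like.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation]
"Start"=dword:00000002
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"ServiceDll"=__HEX__

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\srvsvc.dll"
'''.replace("__HEX__", _reg_hex2(r"C:\WINDOWS\system32\aptwiypzp.dll"))


def _decode_value(raw: str) -> Tuple[str, object]:
    """Decode one value as written in a .reg file (continuation lines already joined)."""
    if raw == "-":
        return "DELETE", None
    if raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", re.sub(r"\\(.)", r"\1", raw[1:-1])   # unescape \\ and \"
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    m = re.match(r"hex(?:\(([0-9a-fA-F]+)\))?:(.*)$", raw)
    if m:
        type_code = int(m.group(1) or "3", 16)       # bare "hex:" is REG_BINARY (3)
        data = bytes.fromhex(m.group(2).replace(",", ""))
        if type_code in (1, 2, 7):                   # UTF-16LE string types
            text = data.decode("utf-16-le", errors="replace")
            if type_code == 7:
                return "REG_MULTI_SZ", [p for p in text.split("\0") if p]
            return ("REG_SZ" if type_code == 1 else "REG_EXPAND_SZ"), text.rstrip("\0")
        return f"REG_TYPE_{type_code}", data
    return "UNKNOWN", raw


def parse_reg_export(text: str) -> Dict[str, RegValues]:
    """Parse regedit export text into {key path: {value name: (type, data)}}.
    Read real exports with encoding='utf-16' (regedit writes a UTF-16LE BOM)."""
    logical: List[str] = []
    buf = ""
    for line in text.splitlines():
        line = line.rstrip()
        if buf:
            line = line.lstrip()          # continuation lines are indented
        if line.endswith("\\"):           # trailing backslash: value continues
            buf += line[:-1]
            continue
        logical.append(buf + line)
        buf = ""
    hives: Dict[str, RegValues] = {}
    current: Optional[str] = None
    for line in logical:
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lstrip("-")     # "[-KEY]" marks a deletion; keep the path
            hives.setdefault(current, {})
            continue
        m = re.match(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if m and current is not None:
            name = re.sub(r"\\(.)", r"\1", m.group(1) or "")   # "" is the default value
            hives[current][name] = _decode_value(m.group(2))
    return hives


def check_service_dlls(hives: Dict[str, RegValues],
                       expected: Dict[str, str]) -> List[Dict[str, Optional[str]]]:
    """Compare each baseline service's ServiceDll file name with the export.
    Matches CurrentControlSet and ControlSetNNN so offline hive exports work too."""
    found: Dict[str, str] = {}
    for key, values in hives.items():
        m = _SERVICE_PARAMS_KEY.match(key.lower())
        if not m:
            continue
        for name, (_, data) in values.items():
            if name.lower() == "servicedll" and isinstance(data, str):
                found.setdefault(m.group(1), data)
    findings = []
    for service, dll in expected.items():
        path = found.get(service.lower())
        if path is None:
            status, actual = "missing", None
        else:
            actual = path.replace("/", "\\").rsplit("\\", 1)[-1]
            status = "ok" if actual.lower() == dll.lower() else "mismatch"
        findings.append({"service": service, "expected": dll, "actual": actual,
                         "path": path, "status": status})
    return findings


if __name__ == "__main__":
    for f in check_service_dlls(parse_reg_export(SAMPLE_REG_EXPORT), EXPECTED_SERVICE_DLLS):
        print(f"{f['status']:8} {f['service']:18} expected={f['expected']} actual={f['actual']}")
```

Run against the constructed export it reports LanmanWorkstation as a mismatch (aptwiypzp.dll instead of wkssvc.dll), LanmanServer as ok, and Dnscache as missing, which is what the same check would show when run over the export from an infected host. A "missing" result only means the export did not include that key, so export the whole Services tree rather than a single service.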
 #10764  by markusg
 Tue Jan 03, 2012 3:19 pm
ok, perhaps we will find more on other infected PCs. As soon as I have one, I will post back in this thread :-)
thx for all your work
 #12138  by cjbi
 Thu Mar 15, 2012 2:09 pm
Attachment deactivated.png (9.53 KiB): Mediyes's digital certificate is deactivated.
 #18576  by R136a1
 Mon Mar 18, 2013 6:17 pm
Two (older) Mediyes samples signed with another stolen certificate!

x86 dropper
https://www.virustotal.com/de/file/79f6 ... 362944267/
signers: taylorMed AG; GlobalSign CodeSigning CA - G2; GlobalSign Root CA
signing date: 4:23 AM 12/29/2011

x64 dropper
https://www.virustotal.com/de/file/5b84 ... 362944312/
signers: taylorMed AG; GlobalSign CodeSigning CA - G2; GlobalSign Root CA
signing date: 3:22 AM 12/29/2011

They were signed around the same time as the samples described in the Kaspersky article (https://www.securelist.com/en/blog/682/ ... _signature).

Note
Conpavi AG and taylorMed AG (now Mellon Capital Investment AG) share the same location in Switzerland:
Seestrasse 93
6052 Hergiswil
 #18602  by rkhunter
 Wed Mar 20, 2013 8:24 am
R136a1 wrote:Two (older) Mediyes samples signed with another stolen certificate!

x86 dropper
https://www.virustotal.com/de/file/79f6 ... 362944267/
signers: taylorMed AG; GlobalSign CodeSigning CA - G2; GlobalSign Root CA
signing date: 4:23 AM 12/29/2011

x64 dropper
https://www.virustotal.com/de/file/5b84 ... 362944312/
signers: taylorMed AG; GlobalSign CodeSigning CA - G2; GlobalSign Root CA
signing date: 3:22 AM 12/29/2011
Samples attached.
Attachments (password: infected): two archives, 723.97 KiB and 368.67 KiB.
 #19138  by R136a1
 Wed May 01, 2013 1:00 pm
A bunch of Mediyes droppers and components:

https://www.virustotal.com/de/file/c5c6 ... /analysis/
https://www.virustotal.com/de/file/2b45 ... /analysis/
https://www.virustotal.com/en/file/4e70 ... /analysis/
https://www.virustotal.com/en/file/b590 ... /analysis/
https://www.virustotal.com/en/file/8821 ... /analysis/
https://www.virustotal.com/en/file/0328 ... /analysis/
https://www.virustotal.com/en/file/b8a0 ... /analysis/
https://www.virustotal.com/en/file/98f7 ... /analysis/
https://www.virustotal.com/en/file/e24a ... /analysis/
https://www.virustotal.com/en/file/4662 ... /analysis/
https://www.virustotal.com/en/file/67b5 ... /analysis/ (Attached)
https://www.virustotal.com/en/file/7d0d ... /analysis/
https://www.virustotal.com/en/file/6808 ... /analysis/
https://www.virustotal.com/en/file/4c76 ... /analysis/
https://www.virustotal.com/en/file/bc83 ... /analysis/ (Attached)
https://www.virustotal.com/en/file/92cd ... /analysis/
https://www.virustotal.com/en/file/29fb ... /analysis/
https://www.virustotal.com/en/file/767f ... /analysis/
https://www.virustotal.com/en/file/d5af ... /analysis/
https://www.virustotal.com/en/file/b3b9 ... /analysis/ (Attached)
https://www.virustotal.com/en/file/1669 ... /analysis/
https://www.virustotal.com/en/file/d71d ... /analysis/
https://www.virustotal.com/en/file/5915 ... /analysis/
https://www.virustotal.com/en/file/8292 ... /analysis/
https://www.virustotal.com/en/file/333b ... /analysis/
https://www.virustotal.com/en/file/7757 ... /analysis/
https://www.virustotal.com/en/file/2ec4 ... /analysis/
https://www.virustotal.com/en/file/fb96 ... /analysis/
Attachments: three archives, 287.39 KiB, 677.7 KiB and 316.53 KiB.