
Rogue Antimalware (FakeAV, 2013 year)

PostPosted:Sat Jan 05, 2013 7:02 am
by grum
remark start

2010 year FakeAV
2011 year FakeAV
2012 year FakeAV

remark end

super FakeAV for all research :lol: ver 2013

Re: Rogue Antimalware (FakeAV, 2013 year)

PostPosted:Sat Jan 05, 2013 7:47 am
by EP_X0FF
That's "XP Defender". It changes the default reg ".exe" association so every time you try to launch an exe this crap will pop up.

Main part of FakeAV downloads from

hxxp://terminologyipadinitiating.org/

Image

"Definitions", resources and decrypted loader attached.
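The ".exe" association hijack EP_X0FF describes lives in the default value of HKCR\exefile\shell\open\command. The following is an added example, not code from the thread or from the sample: it parses such a command value and reports whether a foreign executable has been inserted in front of the "%1" placeholder, and on Windows it reads the live value first. The rogue's path in the sample list is a constructed placeholder, since the thread does not give the real one.

```python
r"""Audit the Windows ".exe" handler for the hijack described in the thread.

Added example, not code from the thread or from the sample. The rogue
rewrites the default value of HKCR\exefile\shell\open\command so that its
own binary starts first whenever any .exe is launched. A stock system has
exactly:   "%1" %*
This module parses such a command string and reports whether a foreign
executable has been inserted before the "%1" placeholder. The sample
values are constructed; the live registry read only works on Windows.
"""
import re
import sys
from typing import Optional

# Stock handler: run the launched program ("%1") with its arguments (%*).
EXPECTED_COMMAND = '"%1" %*'

# Hijacked shape:  "C:\path\rogue.exe" -a "%1" %*
# i.e. an executable (with optional flags) placed before the "%1" placeholder.
_PREFIX_RE = re.compile(
    r'^"?(?P<exe>[^"]+?\.exe)"?(?P<args>[^"]*?)\s*"%1"', re.IGNORECASE)


def analyse_exe_association(command: str) -> dict:
    """Classify an exefile\\shell\\open\\command default value.

    Returns {"hijacked": bool, "handler": path-or-None, "reason": str}.
    """
    normalised = command.strip()
    if normalised == EXPECTED_COMMAND:
        return {"hijacked": False, "handler": None, "reason": "stock handler"}
    m = _PREFIX_RE.match(normalised)
    if m:
        return {"hijacked": True, "handler": m.group("exe"),
                "reason": 'foreign executable runs before "%1"'}
    if "%1" not in normalised:
        return {"hijacked": True, "handler": None,
                "reason": "%1 placeholder missing; launched program never runs"}
    return {"hijacked": True, "handler": None, "reason": "non-standard handler"}


def read_live_association() -> Optional[str]:
    """Read the current handler from the registry (Windows only, else None)."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT,
                        r"exefile\shell\open\command") as key:
        value, _ = winreg.QueryValueEx(key, "")
        return value


# Constructed sample values; the rogue's real path is not given in the thread.
SAMPLE_VALUES = [
    '"%1" %*',
    r'"C:\Users\victim\AppData\Local\rogue-placeholder.exe" -a "%1" %*',
    r'C:\Windows\notepad.exe',
]

if __name__ == "__main__":
    live = read_live_association()
    for value in ([live] if live else []) + SAMPLE_VALUES:
        print(value, "->", analyse_exe_association(value))
```

Run it on an infected box and the first line printed is the live handler; anything other than the stock value is a hijack, and the reported handler path is the file to pull for analysis.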

Re: Rogue Antimalware (FakeAV, 2013 year)

PostPosted:Wed Jan 23, 2013 12:38 pm
by rusl
Rogue - Security Defender
password: infected
(19.71 KiB) Downloaded 183 times

Re: Rogue Antimalware (FakeAV, 2013 year)

PostPosted:Wed Jan 23, 2013 2:09 pm
by ISergey256
rusl wrote: Rogue - Security Defender
SecurityDefender.7z
Activation Code: ?O?Z?L?W?I?T?F?Q?C?N?Y?K?V?H?S?E

Re: Rogue Antimalware (FakeAV, 2013 year)

PostPosted:Thu Jan 31, 2013 9:54 am
by Xylitol
Disk Antivirus Professional
Image

Original: https://www.virustotal.com/file/95e4027 ... 359625432/ > 21/46
Unpack: https://www.virustotal.com/file/41fc7f7 ... 359625192/ > 12/45
Network:
GET /api/urls/?ts=f3626e3f&affid=00100 HTTP/1.1
Host: 112.121.178.189
---
GET /api/stats/install/?ts=f3626e3f&affid=00100&ver=3070024&group=dap HTTP/1.1
Host: 112.121.178.189
---
GET /p/?&lid=3070024&affid=00100&nid=8065D52C&group=dap HTTP/1.1
Host: kilopaybilling.com
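The three requests above share one shape: an affiliate id (affid) paired with an install tag (ts) or landing id (lid) in the query, the /api/urls/ and /api/stats/install/ paths on the C2 IP, and the /p/ purchase page on the billing host. As an added example that is not part of the thread, the detector below keys on both the observed hosts and that structural shape, so it also fires when the same beacon goes to a host the thread does not list. The log lines are constructed in a minimal "timestamp client METHOD url" format, and the extra host (203.0.113.7) is a TEST-NET address used only to exercise the shape rule.

```python
"""Flag proxy-log entries that match the Disk Antivirus Professional beacons.

Added example, not part of the thread. Keys on the hosts captured above and
on the structural shape of the requests (affid plus ts/lid in the query,
known beacon paths), so the same beacon to an unlisted host is also caught.
The log lines are constructed in a minimal "timestamp client METHOD url"
format purely to exercise the detector.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Hosts and paths taken from the captured traffic in the post above.
KNOWN_C2_HOSTS = {"112.121.178.189", "kilopaybilling.com"}
BEACON_PATHS = {"/api/urls/", "/api/stats/install/", "/p/"}

_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


def classify_request(url: str):
    """Return a verdict dict for one URL, or None when nothing matches."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    indicators = []
    if parts.hostname in KNOWN_C2_HOSTS:
        indicators.append("known-host")
    if parts.path in BEACON_PATHS:
        indicators.append("beacon-path")
    # affid alone is common in ad-tracking URLs; require the ts/lid pairing.
    if "affid" in query and ("ts" in query or "lid" in query):
        indicators.append("affid-query")
    host_hit = "known-host" in indicators
    shape_hit = "beacon-path" in indicators and "affid-query" in indicators
    if not (host_hit or shape_hit):
        return None
    return {
        "host": parts.hostname,
        "path": parts.path,
        "affid": query.get("affid", [None])[0],
        "indicators": indicators,
    }


def scan_log(lines):
    """Run classify_request over log lines; return one hit dict per match."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real scanner would count these
        verdict = classify_request(m.group("url"))
        if verdict is not None:
            verdict["client"] = m.group("client")
            verdict["time"] = m.group("ts")
            hits.append(verdict)
    return hits


# Constructed log: the three captured requests, the same beacon to an
# unlisted host (TEST-NET address), and two benign requests.
SAMPLE_LOG = [
    "1359625192.001 10.0.0.5 GET http://112.121.178.189/api/urls/?ts=f3626e3f&affid=00100",
    "1359625192.002 10.0.0.5 GET http://112.121.178.189/api/stats/install/?ts=f3626e3f&affid=00100&ver=3070024&group=dap",
    "1359625192.003 10.0.0.5 GET http://kilopaybilling.com/p/?&lid=3070024&affid=00100&nid=8065D52C&group=dap",
    "1359625192.004 10.0.0.9 GET http://203.0.113.7/api/stats/install/?ts=0badc0de&affid=00100&ver=3070024&group=dap",
    "1359625192.005 10.0.0.5 GET http://www.example.com/index.html",
    "1359625192.006 10.0.0.7 GET http://shop.example.com/track?affid=42",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["host"], hit["path"],
              hit["affid"], hit["indicators"])
```

The affid value in each hit is worth keeping: it identifies the affiliate distributing the build, so two infections reporting the same affid likely came through the same distribution channel.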

Re: Rogue Antimalware (FakeAV, 2013 year)

PostPosted:Thu Jan 31, 2013 12:31 pm
by gied
Does it have Geo / VM protection?

Re: Rogue Antimalware (FakeAV, 2013 year)

PostPosted:Sat Feb 02, 2013 11:28 am
by fixrogues
I was able to run it on a VMware machine.

Re: Rogue Antimalware (FakeAV, 2013 year)

PostPosted:Sat Feb 02, 2013 11:44 am
by EP_X0FF
gied wrote: Does it have Geo / VM protection?
It has at least VPC/VMware detection.

VMware by cpuid "VmwareVmware" and by VMX backdoor.
VPC by invalid command.

This detection is located at @0043AEB7 in Xylitol's dump.

Re: Rogue Antimalware (FakeAV, 2013 year)

PostPosted:Sat Feb 16, 2013 8:57 pm
by secObs
Another Disk Antivirus Professional.

Detection 5/46
https://www.virustotal.com/en/file/e8e4 ... 361048122/

MD5: d86062cf9c363fbe817b04665f311555
SHA-1: f4a18d4e939418133120ecdb9a959bfa4249fb10

Re: Rogue Antimalware (FakeAV, 2013 year)

PostPosted:Wed Mar 06, 2013 12:29 pm
by Blaze
Disk Antivirus Professional

Image