Darkmegi: This is Not the Rootkit You’re Looking For
https://blogs.mcafee.com/mcafee-labs/da ... ooking-for
Sample?
https://blogs.mcafee.com/mcafee-labs/da ... ooking-for
Sample?
A forum for reverse engineering, OS internals and malware analysis
What a primitive shit. Not interesting.
Ring0 - the source of inspiration
Sample attached. Thanks to: http://contagiodump.blogspot.com/2012/0 ... indly.html
Attachments
(74.03 KiB) Downloaded 52 times
Malware Reversing
http://www.malware-reversing.com
http://www.malware-reversing.com
I found another Domain where it loads its components:
Known: ht*p://images.hananren.com
New: ht*p://999tshop.com
Dropper (MD5): b0edca4bd5c8d5fffc479aa87437f3c2
From there it loads an executable, e.g. "/20120413.exe" (year/month/day.exe) and a jpg image "/20120413.jpg" (year/month/day.jpg). The Date of the files vary, but the MD5 hashes show it is always the same package.
The executable package contains two DLLs. A modified version of imm32.dll (see Input Method Manager) and a modified version of bdcap32.dll (see Bandi Capture Library).
Known: ht*p://images.hananren.com
New: ht*p://999tshop.com
Dropper (MD5): b0edca4bd5c8d5fffc479aa87437f3c2
From there it loads an executable, e.g. "/20120413.exe" (year/month/day.exe) and a jpg image "/20120413.jpg" (year/month/day.jpg). The Date of the files vary, but the MD5 hashes show it is always the same package.
The executable package contains two DLLs. A modified version of imm32.dll (see Input Method Manager) and a modified version of bdcap32.dll (see Bandi Capture Library).
Malware Reversing
http://www.malware-reversing.com
http://www.malware-reversing.com