A forum for reverse engineering, OS internals and malware analysis 

TrojanDownloader:Win32/Karagany

Forum for analysis and discussion about malware.

Re: Malware Requests

 #12891  by EP_X0FF
 Wed Apr 25, 2012 4:20 am
kalptarunet wrote:Hi!

Not sure what is this but looks like relay interesting, let me know if some able to decode it :mrgreen:

This is trojan downloader Karagany.

InternetOpenA
InternetOpenUrlA
InternetCloseHandle
InternetReadFile
CreateProcessA
SeDebugPrivilege
notepad.exe
yUo9Ck1Io (Mutex name)
User-Agent: Opera/10.60 Presto/2.2.30
hxxp://ozclz.mldk.org/images.php?t=192882

TrojanDownloader:Win32/Karagany & payload

 #16620  by Cody Johnston
 Thu Nov 15, 2012 5:08 am
Got a new one here. Not sure what it is called, maybe one of you can enlighten me :mrgreen:

VT 5/44

https://www.virustotal.com/file/a87ef02 ... /analysis/

Image

Makes a reg key here:
Code: Select all
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WSManHTTPConfig" = %USERPROFILE%\\Local Settings\\Application Data\\Microsoft\\Windows\\912\\WSManHTTPConfig.exe
File attributes are hidden/system and it is easily removed with a reboot into safe mode.

EDIT: Forgot MD5 :shock:

MD5: 21fbc376f368f7a3374eb1ba33b0ce8d
Attachments
Password: infected
(62.33 KiB) Downloaded 75 times

Re: Trojan Ransom / FakePoliceAlert

 #16622  by rinn
 Thu Nov 15, 2012 6:21 am
thisisu wrote:Regarding MD5 21fbc376f368f7a3374eb1ba33b0ce8d
Just curious but is there a need to set a breakpoint at 004010C4 ?
Thats encrypted part of code. Its Karagany downloader with RunPE crypter. Use break on CreateProcessW and WriteProcessMemory. Here you have runpe code injection. Follow address from WriteProcessMemory argument. 00201C88 decrypted payload.
 Return to “Malware”