A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #17849  by fixrogues
 Fri Jan 25, 2013 7:40 am
I'm looking to infect my machine with moneypak malware to see how it works. I've downloaded most samples and couldn't get any sample to work. Could somebody guide me?

I've downloaded most sames including

Revetons_Mostly_from08_to_20_jan_2013.zip

But I get error that not a valid 32 application. Could somebody help me? If this is not the right place to post, I apologize.
 #17850  by EP_X0FF
 Fri Jan 25, 2013 7:54 am
fixrogues wrote:But I get error that not a valid 32 application. Could somebody help me? If this is not the right place to post, I apologize.
They are dlls.
 #17851  by fixrogues
 Fri Jan 25, 2013 7:57 am
EP_X0FF wrote:
fixrogues wrote:But I get error that not a valid 32 application. Could somebody help me? If this is not the right place to post, I apologize.
They are dlls.
Yes, they are. I got the error when I renamed them to .exe and that was my mistake. How can I make these dlls run and actually lock my computer? Any help would be appreciated.

I tried searching the internet for how to run dlls as application but didn't find anything. I see that there is some "Code" in several posta. I copied that code, placed the files in appropriate locations, changed the username and tried to run the command using "Run" in windows to no joy.
 #17852  by EP_X0FF
 Fri Jan 25, 2013 8:15 am
fixrogues wrote:
EP_X0FF wrote:
fixrogues wrote:But I get error that not a valid 32 application. Could somebody help me? If this is not the right place to post, I apologize.
They are dlls.
Yes, they are. I got the error when I renamed them to .exe and that was my mistake. How can I make these dlls run and actually lock my computer? Any help would be appreciated.

I tried searching the internet for how to run dlls as application but didn't find anything. I see that there is some "Code" in several posta. I copied that code, placed the files in appropriate locations, changed the username and tried to run the command using "Run" in windows to no joy.
7db987f299b86ab8913c8de716f79296 from the above pack as example.

Rundll32 dllname,exportname

Export names are random.

As for sample I just decrypted it, and executed as rundll32 C:\decrypted.dll,H1N1 and got my lock screen. Take it and try.
Attachments
pass: malware
(53.61 KiB) Downloaded 78 times
 #17853  by fixrogues
 Fri Jan 25, 2013 8:26 am
7db987f299b86ab8913c8de716f79296 from the above pack as example.

Rundll32 dllname,exportname

Export names are random.

As for sample I just decrypted it, and executed as rundll32 C:\decrypted.dll,H1N1 and got my lock screen. Take it and try.
Thanks! It worked and I got the lock screen. Two questions :

1. How can I know which export names are going to working with different files?
2. When you say "I just decrypted it", It means that you unzipped the folder and renamed the hash file to .dll?

Your answers have been an amazing help for me and I highly appreciate it. Thanks for taking the time to answer my noob questions.
 #17854  by EP_X0FF
 Fri Jan 25, 2013 8:34 am
fixrogues wrote:1. How can I know which export names are going to working with different files?
No how, brute force them. They called (during initial infection) from loaders or (as I assume) from shellcode. Usually there two exported names. If there no alive C&C they will do nothing (maybe this changed in current Reveton version, idk).
2. When you say "I just decrypted it", It means that you unzipped the folder and renamed the hash file to .dll?
It meant I unzipped it, loaded into debugger, did a little tracing, dumped reveton container from rundll32 memory to file, corrected result binary if it needed. I doubt you can do this without basic knowledge of reverse-engineering.
 #17855  by fixrogues
 Fri Jan 25, 2013 8:41 am
Thanks! It does sound a little complicated. I'll try to figure this out and If you know some kind of tutorial online on this topic, please direct me to that. Thanks a lot for all the help!
 #17856  by EP_X0FF
 Fri Jan 25, 2013 8:48 am
fixrogues wrote:Thanks! It does sound a little complicated. I'll try to figure this out and If you know some kind of tutorial online on this topic, please direct me to that. Thanks a lot for all the help!
Well if you want to deal with malware as researcher, you will have to learn it anyway.

http://www.kernelmode.info/forum/viewto ... ?f=13&t=31
 #17857  by fixrogues
 Fri Jan 25, 2013 9:49 am
EP_X0FF wrote:
fixrogues wrote:Thanks! It does sound a little complicated. I'll try to figure this out and If you know some kind of tutorial online on this topic, please direct me to that. Thanks a lot for all the help!
Well if you want to deal with malware as researcher, you will have to learn it anyway.

http://www.kernelmode.info/forum/viewto ... ?f=13&t=31

Thanks! I'll read the above thread carefully and try to figure out things. Thanks for the help :)
  • 1
  • 7
  • 8
  • 9
  • 10
  • 11
  • 16