A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #13601  by kmd
 Fri Jun 01, 2012 5:42 am
rkhunter wrote:
EP_X0FF wrote:Hehe dr.web fails again.
I'm not surprised, think you too.
why? i thought everybody has same hashes and samples from maher/crysys no?
 #13602  by EP_X0FF
 Fri Jun 01, 2012 5:52 am
kmd wrote:
rkhunter wrote:
EP_X0FF wrote:Hehe dr.web fails again.
I'm not surprised, think you too.
why? i thought everybody has same hashes and samples from maher/crysys no?
I think they got initial pack (maybe incomplete, based on crysys hashes) - created detection, and then did not even bothered to do any kind of dynamic analysis ("it is not interested" - lolwut, AV company not interested in malware, facepalm) and successfully forgot about the rest.

In attach both dat files decrypted (if something failed - decrypt yourself, algo on previous page)
Attachments
pass: malware
(2.71 MiB) Downloaded 105 times
 #13603  by kmd
 Fri Jun 01, 2012 7:22 am
ok
mscrypt contains

4 files inside. 2 well detected and 2 not so good.

1 unknown service module
1 unknown dll
rpcns4.ocx
indsvc32.ocx (c:\Projects\Jimmy\jimmydll_v2.0\JimmyForClan\Jimmy\bin\srelease\jimmydll\indsvc32.pdb)
 #13605  by rkhunter
 Fri Jun 01, 2012 8:16 am
EP_X0FF wrote:In attach both dat files decrypted
In attach cutted pe.

https://www.virustotal.com/file/04c84a3 ... /analysis/
https://www.virustotal.com/file/333875e ... 338538419/
https://www.virustotal.com/file/7d2c220 ... 338538426/
https://www.virustotal.com/file/d3b0e0d ... /analysis/

Just saw, 2.piece and 3.piece with file align 0x200, last section a little more in result, so it easy for correct; does not affect to correct detection
Attachments
pass:infected
(514.5 KiB) Downloaded 92 times
Last edited by rkhunter on Fri Jun 01, 2012 9:03 am, edited 1 time in total.
 #13606  by rkhunter
 Fri Jun 01, 2012 8:22 am
1.piece with hash bddbc6974eb8279613b833804eda12f9 is a service and timestamp - 2008.

Image
Image
 #13609  by rkhunter
 Fri Jun 01, 2012 11:38 am
As CrySys said, it patches shell32.dll in memory of infected processes and performs some manipulations with PEB (insert faked items).
Image
 #13622  by kareldjag/michk
 Fri Jun 01, 2012 8:46 pm
hi
Like Natasha Morozova with the Borodines Polovtsian Dances, it is a sexy remix of a known chorus...
Even if the size and the use of an exotic scripting language are quite unusual for such attack toolkit.
Perhaps a cyberweapon made in Israel...or perhaps not... http://hackmageddon.com/2012/05/29/isra ... ddle-east/

Legal cyberweapons already exists; the Spyworld site ( http://www.spyfiles.org/ )provides an idea of that statement, the Hackinteam from Italy sells a law enforcement Rat http://www.hackingteam.it/index.php/rem ... rol-system

The time stamp is not reliable as it can easily be faked by anti-forensics techniques and tools
http://www.anti-forensics.com/modify-nt ... -timestomp

Well...interesting in all cases...

rgds
 #13624  by EP_X0FF
 Sat Jun 02, 2012 2:52 am
rkhunter wrote:Just for fun - another apocalypse from Hypponen http://www.wired.com/threatlevel/2012/0 ... rity-fail/
I seems to be missed something in time perspective. When did this guy turned into full of hysterics little girl? Is it global trend out there?

Main goal of this blahblahblah "article".
We really should have been able to do better. But we didn’t.
So I have advice for author - how about start doing better right now by stopping publishing such idiotic summaries? :)
  • 1
  • 4
  • 5
  • 6
  • 7
  • 8
  • 14