A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #29408  by xors
 Fri Oct 14, 2016 3:19 pm
I am a bit confused, is that somethiing that you made or you found it somewhere?

PDB paths: C:\Users\fotis\Documents\Visual Studio 2015\Projects\EnisaMalware2016\Release\BootStrapper.pdb

C:\Users\fotis\Documents\Visual Studio 2015\Projects\EnisaMalware2016\x64\Release\PackManDLL.pdb.

fotis = greek name (?)
 #29428  by xors
 Sun Oct 16, 2016 1:39 pm
Hi again,

I had a quick look at it. It looks like a ransomware from a cyber security challenge (Enisa Cyber Europe 2016?). Powershell script, kemel32.dll (a dll which is dropped to %appdata%) and the payload (ransomware?) in the attachment.


Image


Image

Image
Attachments
Password:infected
(839.73 KiB) Downloaded 42 times
 #29430  by TSION
 Mon Oct 17, 2016 12:29 am
xors wrote:Hi again,

I had a quick look at it. It looks like a ransomware from a cyber security challenge (Enisa Cyber Europe 2016?). Powershell script, kemel32.dll (a dll which is dropped to %appdata%) and the payload (ransomware?) in the attachment.

If you wanted to know if he made it himself why don't you just bindiff the files.