 #24129  by rkhunter
 Sun Oct 12, 2014 1:17 pm
FinFisher Malware Analysis

Part 1 https://www.codeandsec.com/FinFisher-Ma ... r-Analysis
Part 2 https://www.codeandsec.com/FinFisher-Ma ... sis-Part-2
Part 3 https://www.codeandsec.com/FinFisher-Ma ... sis-Part-3

Dropper in attach.

MD5: 074919f13d07cd6ce92bb0738971afc7
SHA1: 9f9a18e81e9b39bd2f047004b8e3b4cb0fb505c9
SHA256: f827c92fbe832db3f09f47fe0dcaafd89b40c7064ab90833a1f418f2d1e75e8e
Attachment (723.64 KiB), pass: infected
 #24146  by Haruhi
 Wed Oct 15, 2014 12:18 am
@rkhunter:
Awesome. This comes in handy in my case (I am learning malware reversing).

Thank you. :shock:
 #24157  by CloneRanger
 Thu Oct 16, 2014 5:41 am
The analysis, which I don't pretend to understand, at https://www.codeandsec.com shows this IP:
184.82.101.234 - http://whois.domaintools.com/184.82.101.234 =

Backlog Capital, LLC
Pilot Mountain
NC
USA

RegDate: 2014-07-02
Updated: 2014-09-08
But the real one is:
www.backlogcapital.com = 206.188.193.106

Pilot Mountain
NC
US

Creation Date: 02-nov-2010
Same name and address. So are/were they either unknowingly hijacked, or in some "ways" are/were knowingly involved?