Ta!0n wrote:Attached sampleYour post is empty.
Ring0 - the source of inspiration
A forum for reverse engineering, OS internals and malware analysis
hi guys ,which one note that who inject to dllhost process use APC ways ?
I see that the poweliks , powershell , dllhost those process start each other.
I see that the poweliks , powershell , dllhost those process start each other.
I heard Poweliks has been dead since 2014, but I have what looks like a Poweliks sample from ~2015 and the C2 servers are still working. It does the same loader tactics, performs click fraud, and even visits Expendablesearch.com (just like the Symantec report on it). With that said..is this still a variant? I would like to know what to properly call this piece of malware.
DMEW wrote:I heard Poweliks has been dead since 2014, but I have what looks like a Poweliks sample from ~2015 and the C2 servers are still working. It does the same loader tactics, performs click fraud, and even visits Expendablesearch.com (just like the Symantec report on it). With that said..is this still a variant? I would like to know what to properly call this piece of malware.Attach your sample please.
Ring0 - the source of inspiration
This is a sample I got from July 2015, but I still see it working today although not as well. (one of the main ad fraud servers are not responding correctly anymore and cutting down the ad traffic).
Attachments
pw: infected
(41.41 KiB) Downloaded 59 times
(41.41 KiB) Downloaded 59 times
Last edited by Xylitol on Sat Feb 06, 2016 1:13 pm, edited 1 time in total.
Reason: Archive password
Timestamp of payload suggest it is from late 2014. More precise this -> http://www.kernelmode.info/forum/viewto ... 919#p23919
Ring0 - the source of inspiration