A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #271  by gjf
 Wed Mar 17, 2010 2:28 pm
And one more piece of info for those who try to analyse it: I am not sure, but some versions of this malware detect a locale that differs from Russian and do not infect the system in that case, possibly because of the extortion habit.
 #310  by EP_X0FF
 Thu Mar 18, 2010 6:03 pm
No, I actually tried only Install_Digital-Access_v.9251.exe :)
 #311  by gjf
 Thu Mar 18, 2010 6:28 pm
Houston, we have a problem. Unfortunately my colleague just told me that this rootkit, during installation, asks some host for activation. Without activation the installation process fails. It should be noted that the code/SMS number comes with this activation as well.

So - too bad, but I believe the investigation of this is too complicated :(
 #313  by EP_X0FF
 Thu Mar 18, 2010 6:33 pm
Below is an analysis made by one of the sandboxes I'm using. The process seems to have been executed and some actions were done.
Attachments
 #315  by gjf
 Thu Mar 18, 2010 6:43 pm
EP_X0FF wrote:Below is an analysis made by one of the sandboxes I'm using. The process seems to have been executed and some actions were done.
Sure they have to be done: connect to host, show the error window :)