A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #17849  by fixrogues
 Fri Jan 25, 2013 7:40 am
I'm looking to infect my machine with MoneyPak malware to see how it works. I've downloaded most samples and couldn't get any sample to work. Could somebody guide me?

I've downloaded most samples, including

Revetons_Mostly_from08_to_20_jan_2013.zip

But I get an error that it is not a valid 32-bit application. Could somebody help me? If this is not the right place to post, I apologize.
 #17850  by EP_X0FF
 Fri Jan 25, 2013 7:54 am
fixrogues wrote: But I get an error that it is not a valid 32-bit application. Could somebody help me? If this is not the right place to post, I apologize.
They are dlls.
 #17851  by fixrogues
 Fri Jan 25, 2013 7:57 am
EP_X0FF wrote:
fixrogues wrote: But I get an error that it is not a valid 32-bit application. Could somebody help me? If this is not the right place to post, I apologize.
They are dlls.
Yes, they are. I got the error when I renamed them to .exe and that was my mistake. How can I make these dlls run and actually lock my computer? Any help would be appreciated.

I tried searching the internet for how to run DLLs as an application but didn't find anything. I see that there is some "Code" in several posts. I copied that code, placed the files in the appropriate locations, changed the username and tried to run the command using "Run" in Windows, to no joy.
 #17852  by EP_X0FF
 Fri Jan 25, 2013 8:15 am
fixrogues wrote:
EP_X0FF wrote:
fixrogues wrote: But I get an error that it is not a valid 32-bit application. Could somebody help me? If this is not the right place to post, I apologize.
They are dlls.
Yes, they are. I got the error when I renamed them to .exe and that was my mistake. How can I make these dlls run and actually lock my computer? Any help would be appreciated.

I tried searching the internet for how to run DLLs as an application but didn't find anything. I see that there is some "Code" in several posts. I copied that code, placed the files in the appropriate locations, changed the username and tried to run the command using "Run" in Windows, to no joy.
7db987f299b86ab8913c8de716f79296 from the above pack as an example.

Rundll32 dllname,exportname

Export names are random.

As for the sample, I just decrypted it and executed it as rundll32 C:\decrypted.dll,H1N1 and got my lock screen. Take it and try.
Attachments
pass: malware
 #17853  by fixrogues
 Fri Jan 25, 2013 8:26 am
EP_X0FF wrote:
7db987f299b86ab8913c8de716f79296 from the above pack as an example.

Rundll32 dllname,exportname

Export names are random.

As for the sample, I just decrypted it and executed it as rundll32 C:\decrypted.dll,H1N1 and got my lock screen. Take it and try.
Thanks! It worked and I got the lock screen. Two questions:

1. How can I know which export names are going to work with different files?
2. When you say "I just decrypted it", does it mean that you unzipped the folder and renamed the hash file to .dll?

Your answers have been an amazing help for me and I highly appreciate it. Thanks for taking the time to answer my noob questions.
 #17854  by EP_X0FF
 Fri Jan 25, 2013 8:34 am
fixrogues wrote: 1. How can I know which export names are going to work with different files?
No way, brute force them. They are called (during initial infection) from loaders or (as I assume) from shellcode. Usually there are two exported names. If there is no live C&C they will do nothing (maybe this has changed in the current Reveton version, idk).
fixrogues wrote: 2. When you say "I just decrypted it", does it mean that you unzipped the folder and renamed the hash file to .dll?
It means I unzipped it, loaded it into a debugger, did a little tracing, dumped the Reveton container from rundll32 memory to a file, and corrected the resulting binary where needed. I doubt you can do this without basic knowledge of reverse engineering.
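Added illustration for the two points above (the rundll32 dllname,exportname step and the question of which export names a given DLL has), not code from the thread or from anyone posting in it: a small pure-Python reader for a PE file's export directory, so an analyst can list a DLL's exported names before trying them. The sample it builds is a constructed minimal PE32 DLL with nothing but an export table; the names H1N1 and bz4zZ in the test are placeholders, not taken from any sample.

```python
import struct

def rva_to_offset(rva, sections):
    # Export-table fields are RVAs; map them through the section table
    # (virtual address, raw size, raw pointer) to on-disk offsets.
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def list_exports(data):
    # DOS header -> PE signature -> COFF header -> optional header -> export dir.
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, _, _, _, opt_size = struct.unpack_from("<HIIIH", data, e_lfanew + 6)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", data, opt)
    dirs = opt + (96 if magic == 0x10B else 112)           # PE32 vs PE32+
    export_rva, _ = struct.unpack_from("<II", data, dirs)  # data directory 0
    sections = [struct.unpack_from("<III", data, opt + opt_size + 40 * i + 12)
                for i in range(nsec)]
    if export_rva == 0:
        return []                                          # nothing exported
    exp = rva_to_offset(export_rva, sections)
    num_names, _, names_rva = struct.unpack_from("<III", data, exp + 24)
    names = []
    for i in range(num_names):
        rva, = struct.unpack_from("<I", data, rva_to_offset(names_rva, sections) + 4 * i)
        off = rva_to_offset(rva, sections)
        names.append(data[off:data.index(b"\0", off)].decode("ascii", "replace"))
    return names

def build_sample_dll(names):
    # Constructed test input: a minimal PE32 DLL holding only an export table,
    # with one section mapped so that RVA == file offset (0x200). Not a real sample.
    n, sec = len(names), 0x200
    funcs, name_ptrs, ords, strs = sec + 40, sec + 40 + 4 * n, sec + 40 + 8 * n, sec + 40 + 10 * n
    blob, rvas = b"", []
    for nm in names:
        rvas.append(strs + len(blob))
        blob += nm.encode() + b"\0"
    edata = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, n, n, funcs, name_ptrs, ords)
    edata += struct.pack("<%dI%dI%dH" % (n, n, n), *([0x1000] * n + rvas + list(range(n)))) + blob
    opt = struct.pack("<H", 0x10B).ljust(92, b"\0") + struct.pack("<III", 16, sec, len(edata))
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, DLL
    shdr = b".edata\0\0" + struct.pack("<IIII", len(edata), sec, len(edata), sec)
    hdrs = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + coff
    return (hdrs + opt.ljust(224, b"\0") + shdr.ljust(40, b"\0")).ljust(sec, b"\0") + edata
```

Run list_exports on the bytes of a real DLL read from disk to see its exported names; the section-table mapping is what makes it work on files whose RVAs differ from file offsets.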
 #17855  by fixrogues
 Fri Jan 25, 2013 8:41 am
Thanks! It does sound a little complicated. I'll try to figure this out, and if you know of some kind of tutorial online on this topic, please direct me to it. Thanks a lot for all the help!
 #17856  by EP_X0FF
 Fri Jan 25, 2013 8:48 am
fixrogues wrote: Thanks! It does sound a little complicated. I'll try to figure this out, and if you know of some kind of tutorial online on this topic, please direct me to it. Thanks a lot for all the help!
Well, if you want to deal with malware as a researcher, you will have to learn it anyway.

http://www.kernelmode.info/forum/viewto ... ?f=13&t=31
 #17857  by fixrogues
 Fri Jan 25, 2013 9:49 am
EP_X0FF wrote:
fixrogues wrote: Thanks! It does sound a little complicated. I'll try to figure this out, and if you know of some kind of tutorial online on this topic, please direct me to it. Thanks a lot for all the help!
Well, if you want to deal with malware as a researcher, you will have to learn it anyway.

http://www.kernelmode.info/forum/viewto ... ?f=13&t=31

Thanks! I'll read the above thread carefully and try to figure out things. Thanks for the help :)