A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #22903  by slipstream
 Sun May 18, 2014 9:58 am
Hi Guys,

As the title suggests, I've been investigating an attack for the past few days. However, I'm hitting some brick walls in terms of functionality.

I've done thorough dynamic analysis and it seems that the malware is just doing the following.

Step (1) Drop new executable.

Step (2) Disable Windows Defender

Step (3) Add Persistence

Step (4) Call Home

I also believe I have discovered a hardcoded password via static analysis using strings; anyone willing to help further the investigation would be greatly thanked!
 #22905  by slipstream
 Sun May 18, 2014 11:15 am
Hi Xylitol,

I thought someone may say that!

There's a bit of an issue: I want to have someone analyse it with me before I allow the sample to go public. If this is absolutely not possible, of course I will just post it :(

I understand I'm new to the community, hence my somewhat silly questions.

Would you be interested in analysing this with me offline over XMPP/ICQ?

Thanks for the quick reply ~
 #22912  by EP_X0FF
 Sun May 18, 2014 5:49 pm
@slipstream

Decide what you want from a web forum:

1) ICQ-style live chatting
2) forum-post-based conversation

Attach your sample and I'm sure somebody will help you. KernelMode.info does not have any official or unofficial (AFAIK) IRC channels and so on.

If you don't want to share your sample with the wide public, then announce this and wait until somebody is interested in contacting you privately via PM.
 #22917  by slipstream
 Mon May 19, 2014 7:36 am
Firstly,

@EP_X0FF,

Thank you for your kindness. I will take your advice and announce this as a private analysis due to the nature of the file, as I believe it may compromise my own security: this file was suspected to be tailored for my own network.

@tjcoder,

Please keep those kinds of obligatory observations to yourself; if not, then try to understand my position.

However I do appreciate your concern about other people infected with this malware.
 #22942  by slipstream
 Wed May 21, 2014 11:16 am
Anyone interested in collaborating in a temporarily private analysis?

So far I've been able to discover that the said malware is creating its own IPC (interprocess communication). However, I'm having a lot of trouble trying to locate this communication on the local system. The C&C is live; however, it uses some kind of proxy auth mixed with specific User-Agent parameters, which are available to examine via static analysis.

If anyone is interested please PM me.

Again, I'm sorry that I've had to make the difficult choice not to share this sample (YET).
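The behaviour chain listed in the first post (drop, disable Defender, persistence, call home) and the named-pipe IPC mentioned in the last one, as an added example that is not part of the original thread: a small Python triage pass over a constructed batch of Sysmon-style events. The event field names, file paths, registry values, pipe name and the 203.0.113.10 (TEST-NET-3) destination are all assumptions made for this illustration, not data from the sample under discussion.

```python
"""Added example, not from the original forum posts.

Triage a constructed list of Sysmon-style events (IDs 1 process create,
3 network connect, 11 file create, 13 registry value set, 17 pipe created)
for the stages described in the thread. Field names are assumptions.
"""
import ipaddress
import re

# Constructed sample data: the dropper, the executable it writes, and the
# events that follow. None of these paths or values come from a real sample.
DROPPER = r"C:\Users\bob\AppData\Local\Temp\invoice.exe"
DROPPED = r"C:\Users\bob\AppData\Roaming\svchost.exe"

SAMPLE_EVENTS = [
    {"id": 11, "image": DROPPER, "target": DROPPED},
    {"id": 1, "image": DROPPED, "cmdline": DROPPED + " /install"},
    {"id": 13, "image": DROPPED,
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "details": "DWORD (0x00000001)"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"id": 13, "image": DROPPED,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": DROPPED},
    {"id": 17, "image": DROPPED, "pipe": r"\updsvc_ctl"},           # hypothetical pipe name
    {"id": 3, "image": DROPPED, "dest_ip": "192.168.1.20", "dest_port": 445},
    {"id": 3, "image": DROPPED, "dest_ip": "203.0.113.10", "dest_port": 8080},  # TEST-NET-3
]

# Defender policy values and commands that turn protection off.
DEFENDER_KEYS = re.compile(
    r"\\Windows Defender\\.*(DisableAntiSpyware|DisableRealtimeMonitoring)$", re.I)
DEFENDER_CMDS = re.compile(
    r"Set-MpPreference\s+-Disable|sc(\.exe)?\s+stop\s+WinDefend", re.I)
# Classic autostart locations.
RUN_KEYS = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)

# Treat anything outside RFC 1918, loopback and link-local as external.
# (ipaddress.is_global would class the TEST-NET-3 stand-in as non-global.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETS)


def _nonzero_dword(details):
    """Sysmon renders DWORDs as 'DWORD (0x00000001)'; only a non-zero value disables."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    return bool(m) and int(m.group(1), 16) != 0


def triage(events):
    """Return a list of (stage, evidence) tuples in event order."""
    hits = []
    for ev in events:
        eid = ev["id"]
        if eid == 11 and ev["target"].lower().endswith(".exe") and ev["target"] != ev["image"]:
            hits.append(("drop", f'{ev["image"]} wrote {ev["target"]}'))
        elif eid == 13 and DEFENDER_KEYS.search(ev["target"]) and _nonzero_dword(ev["details"]):
            hits.append(("defender", f'registry {ev["target"]} = {ev["details"]}'))
        elif eid == 1 and DEFENDER_CMDS.search(ev.get("cmdline", "")):
            hits.append(("defender", f'command {ev["cmdline"]}'))
        elif eid == 13 and RUN_KEYS.search(ev["target"]):
            hits.append(("persistence", f'{ev["target"]} -> {ev["details"]}'))
        elif eid == 17:
            hits.append(("ipc", f'{ev["image"]} created pipe {ev["pipe"]}'))
        elif eid == 3 and is_external(ev["dest_ip"]):
            hits.append(("callhome", f'{ev["image"]} -> {ev["dest_ip"]}:{ev["dest_port"]}'))
    return hits


def by_stage(hits):
    """Group evidence strings under their stage name."""
    out = {}
    for stage, evidence in hits:
        out.setdefault(stage, []).append(evidence)
    return out


def chain(hits):
    """Stages in first-seen order, for comparison with the steps listed in the thread."""
    seen = []
    for stage, _ in hits:
        if stage not in seen:
            seen.append(stage)
    return seen


if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    print("observed chain:", " -> ".join(chain(results)))
    for stage, evidence in results:
        print(f"[{stage:11}] {evidence}")
```

The named-pipe rule (event 17) is the one relevant to locating the IPC mentioned in the last post: a pipe created by the dropped executable shows up there even when the client end is in another process, so grouping by image is usually enough to find both ends. The network rule deliberately uses an explicit RFC 1918 list rather than `is_global`, because the documentation/TEST-NET ranges used for constructed data are otherwise filtered out.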