A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #28742  by slipstream-
 Wed Jun 22, 2016 5:59 pm
ikolor wrote:next..

https://www.virustotal.com/en/file/e6f6 ... 466614271/


https://www.virustotal.com/en/file/47f4 ... 466617536/

scesrv.exe: NSIS wrapper, unpacks a ton of junk, and ProxySettings.dll whose dllmain decrypts contents of "Practician.m2N" (one of the dropped files) and loads it via RunPE.
(It also decrypts some strings from "AlyssumNeology.F", another file it drops, which are dll names / exported functions used for dynamic API resolving, contains the usual suspects virtualalloc/virtualallocex, createprocessa, ntunmapviewofsection etc etc)

This is a second stage loader which decrypts a "setup.dat" from the same directory as scesrv.exe (a PE file), and then loads it manually and calls its entry point.

Unless I'm missing something, this means the final payload is missing.

Unpacked second stage loader in attach.

edit: I did miss something: the default payload it uses if setup.dat is missing.

Unpacked final / default payload in attach. Looks like some PUP extension installer. With a shit ton of antis, including massive blacklist of process/driver name hashes etc.
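The loader described in the post reads a "setup.dat" from its own directory that is in fact a PE image, and the NSIS wrapper drops a pile of junk files around it. A quick triage step for that kind of bundle is to scan every dropped file for a DOS/PE header regardless of its extension. The script below is an added example, not code from the forum post or from the sample itself: it parses the MZ header, follows e_lfanew to the PE signature and COFF header, and reports files that carry a PE header behind a non-PE extension. The file names are taken from the post, but every byte of file content here is constructed for the demonstration (headers only, not loadable images).

```python
"""Triage helper: find companion files that are really PE images.

Added example (not from the forum post). All sample file contents are
constructed; only the file names come from the analysis above.
"""
import struct
from typing import Optional

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
MACHINES = {0x014C: "i386", 0x8664: "amd64", 0x01C4: "armnt", 0xAA64: "arm64"}
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl"}


def parse_pe_header(data: bytes) -> Optional[dict]:
    """Return COFF header fields if `data` starts with a valid MZ/PE header, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # The 4-byte PE signature plus the 20-byte COFF header must fit in the buffer.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, timestamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4
    )
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": timestamp,
        "optional_header_size": opt_size,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "is_executable_image": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
    }


def find_disguised_pes(files: dict) -> list:
    """Given {filename: bytes}, return (name, header) for files that parse as PE
    but do not carry a conventional PE extension."""
    hits = []
    for name, blob in files.items():
        hdr = parse_pe_header(blob)
        if hdr is None:
            continue
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext not in PE_EXTENSIONS:
            hits.append((name, hdr))
    return hits


def build_fake_pe(is_dll: bool) -> bytes:
    """Constructed minimal MZ + PE signature + COFF header for the demo.
    This is a header stub only, not a runnable image."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after DOS header
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if is_dll else 0)
    # machine=i386, 3 sections, timestamp 0, no symbol table, 0xE0-byte optional header
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0, 0, 0, 0xE0, chars)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed stand-in for the dropped-file directory described in the post.
SAMPLE_DIR = {
    "scesrv.exe": build_fake_pe(is_dll=False),
    "ProxySettings.dll": build_fake_pe(is_dll=True),
    "setup.dat": build_fake_pe(is_dll=False),        # PE hidden behind .dat
    "Practician.m2N": b"\x9a\x11\x02\xfe" * 32,       # opaque blob, not a PE header
    "AlyssumNeology.F": b"not a pe at all",
}

if __name__ == "__main__":
    for name, hdr in find_disguised_pes(SAMPLE_DIR):
        print(f"{name}: PE header behind non-PE extension -> {hdr}")
```

On a real bundle, replace SAMPLE_DIR with a mapping built by reading each file in the drop directory; the header check is deliberately cheap so it can run over every file, and anything it flags (here only setup.dat) is what to hand to a proper PE parser or a sandbox next.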