A forum for reverse engineering, OS internals and malware analysis 

 #20733  by patriq
 Fri Sep 06, 2013 2:59 pm
Was looking for a C&C panel.

A bit more on Win32/DirCrypt deobfuscated sample from EP_X0FF

http://anubis.iseclab.org/?action=resul ... bed8b2a1c4

https://malwr.com/analysis/Njc4NmZkYTA4 ... Q5ZGI3MzI/

Looks like some domain generation algorithm; still trying to phone home to a sinkhole.

Some respond with a 200 OK and this:
X-Sinkhole: Malware sinkhole\r\n

I don't see any "normal" bot/C&C communication anymore.
.pcap attached

Anyone seen any panels for this strain?
no password
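Added example (written for this page, not code from patriq's post, the attached pcap, or the DirCrypt sample): a small triage script for the pattern described above, where a bot cycles through algorithmically generated hostnames and some of them answer 200 OK with an X-Sinkhole header. The HTTP exchanges are constructed for illustration, the hostnames are made up, and the DGA thresholds (label length, vowel ratio, entropy) are assumptions chosen for the example rather than anything taken from the malware.

```python
import math
from collections import Counter

# Constructed sample exchanges (Host header the bot sent, raw HTTP response
# received). These are made up for illustration, not taken from the attached pcap.
SAMPLE_EXCHANGES = [
    ("qkzvtprxwmlf.com",
     b"HTTP/1.1 200 OK\r\nX-Sinkhole: Malware sinkhole\r\nContent-Length: 0\r\n\r\n"),
    ("hxdmwplrkqvz.net",
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 0\r\n\r\n"),
    ("update.example.com",
     b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"),
]

SINKHOLE_HEADER = "x-sinkhole"   # header name seen in the post; matched case-insensitively
VOWELS = set("aeiou")


def parse_response(raw: bytes) -> tuple:
    """Split a raw HTTP/1.x response into (status_code, {lower-cased header: value}).
    Only the head is parsed; the body is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def is_sinkholed(raw: bytes) -> bool:
    """A 200 OK carrying X-Sinkhole is a sinkhole operator answering, not the real C&C."""
    status, headers = parse_response(raw)
    return status == 200 and SINKHOLE_HEADER in headers


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(hostname: str) -> bool:
    """Cheap DGA heuristic on the leftmost label: long, high-entropy, vowel-poor.
    Thresholds are assumptions chosen for this example, not values from the post."""
    label = hostname.lower().split(".")[0]
    if len(label) < 8:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return vowel_ratio < 0.25 and shannon_entropy(label) >= 3.0


def triage(exchanges) -> list:
    """Classify each exchange so sinkhole noise can be separated from anything
    that might still be live C&C traffic."""
    results = []
    for host, raw in exchanges:
        status, _ = parse_response(raw)
        sinkholed = is_sinkholed(raw)
        dga_like = looks_generated(host)
        results.append({
            "host": host,
            "status": status,
            "dga_like": dga_like,
            "sinkholed": sinkholed,
            # a DGA-looking host answering 200 without the sinkhole marker deserves a closer look
            "needs_review": dga_like and status == 200 and not sinkholed,
        })
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_EXCHANGES):
        print(r)
```

The point of the `needs_review` flag is the question in the post: once the sinkholed responses are filtered out, whatever DGA-looking hosts still return 200 without the marker are the only candidates for a live panel. On a real capture you would feed `triage()` the Host/response pairs pulled out of the pcap instead of the constructed list.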
 #20809  by EP_X0FF
 Fri Sep 13, 2013 3:04 am
Decrypthackers scam advertising has been removed. Use the "Report" button next time so we can deal with such posts faster.
 #22727  by Fabian Wosar
 Thu Apr 24, 2014 6:04 pm
It looks like a new variant of this particular malware family is spreading at the moment. The infection scheme changed slightly. Instead of various different file formats, all files are now encrypted into RTF documents with the *.enc.rtf extension.

Please find the original as well as the unpacked sample attached.
Attachments
infected