A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #5604  by EP_X0FF
 Wed Mar 23, 2011 11:03 am
markusg wrote: dll.exe
http://www.virustotal.com/file-scan/report.html?id=768eb0f794e102591616c9bc41012bbfaf845bfe8c60ce98b99adc76d2915e30-1300823199
TDL4, nothing unusual or new.
[main]
version=0.03
aid=30041
sid=0
builddate=351
rnd=1960408961
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://lo4undreyk.com/;hxxps://sh01cilewk.com/;hxxps://cap01tchaa.com/;hxxps://kur1k0nona.com/;hxxps://u101mnay2k.com/
wsrv=hxxp://gnarenyawr.com/;hxxp://rinderwayr.com/;hxxp://jukdoout0.com/;hxxp://swltcho0.com/;hxxp://ranmjyuke.com/
psrv=hxxp://crj71ki813ck.com/
version=0.15
 #5620  by EP_X0FF
 Thu Mar 24, 2011 10:51 am
markusg wrote: bc86222.exe
http://www.virustotal.com/file-scan/report.html?id=cc4a2781af5ca19ba8cdd9fc8d6183195682fdcba5a37a4569f7f85103e62caa-1300962936
Usual TDL4.
[main]
version=0.03
aid=30185
sid=0
builddate=351
rnd=1085031214
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://lo4undreyk.com/;hxxps://sh01cilewk.com/;hxxps://cap01tchaa.com/;hxxps://kur1k0nona.com/;hxxps://u101mnay2k.com/
wsrv=hxxp://gnarenyawr.com/;hxxp://rinderwayr.com/;hxxp://jukdoout0.com/;hxxp://swltcho0.com/;hxxp://ranmjyuke.com/
psrv=hxxp://crj71ki813ck.com/
version=0.15
 #5746  by Alex
 Wed Mar 30, 2011 10:45 am
d55cf73.rar
[main]
version=0.03
aid=30185
sid=0
builddate=351
rnd=839522115
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=https://lo4undreyk.com/;https://sh01cil ... nay2k.com/
wsrv=http://gnarenyawr.com/;http://rinderway ... jyuke.com/
psrv=http://crj71ki813ck.com/
version=0.15
I think there is no sense in uploading more identical droppers. The odds are that the rootkit part of TDL4 will stay unchanged for a long time...
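The configs posted above share one INI-like layout ([main], [inject], [cmd]) and, as Alex notes, differ only in per-sample fields. The following is an added example, not code from this thread or from any of the posters: a small Python parser for that layout that pulls the defanged C2 hostnames out of the ';'-separated srv/wsrv/psrv lists and diffs two parsed configs, which is the quick way to check whether a new dropper is really identical. The config literal is copied from post #5604; the #5620 variant is derived from it by substituting the aid and rnd values shown in that post.

```python
import re

# TDL4 config copied from post #5604 above; URLs kept defanged (hxxp) as posted.
CFG_5604 = """[main]
version=0.03
aid=30041
sid=0
builddate=351
rnd=1960408961
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://lo4undreyk.com/;hxxps://sh01cilewk.com/;hxxps://cap01tchaa.com/;hxxps://kur1k0nona.com/;hxxps://u101mnay2k.com/
wsrv=hxxp://gnarenyawr.com/;hxxp://rinderwayr.com/;hxxp://jukdoout0.com/;hxxp://swltcho0.com/;hxxp://ranmjyuke.com/
psrv=hxxp://crj71ki813ck.com/
version=0.15"""

# Post #5620's config differs only in aid and rnd, so derive it instead of retyping it.
CFG_5620 = CFG_5604.replace("aid=30041", "aid=30185").replace("rnd=1960408961", "rnd=1085031214")

def parse_tdl4_config(text):
    """Parse the INI-like config into {section: {key: value}}; 'version' occurs in both [main] and [cmd]."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            cfg.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)   # keys like '* (x64)' keep their spaces
            cfg[section][key.strip()] = value.strip()
    return cfg

HOST_RE = re.compile(r"^(?:hxxp|http)s?://([^/]+)/?$", re.IGNORECASE)  # accepts defanged or live URLs

def c2_hosts(cfg):
    """Return {role: [hostname, ...]} for the ';'-separated srv/wsrv/psrv server lists."""
    out = {}
    for role in ("srv", "wsrv", "psrv"):
        urls = [u for u in cfg.get("cmd", {}).get(role, "").split(";") if u]
        out[role] = [m.group(1) for m in map(HOST_RE.match, urls) if m]
    return out

def diff_configs(a, b):
    """Set of (section, key) pairs whose value differs between two parsed configs."""
    keys = {(s, k) for s in set(a) | set(b) for k in set(a.get(s, {})) | set(b.get(s, {}))}
    return {(s, k) for s, k in keys if a.get(s, {}).get(k) != b.get(s, {}).get(k)}
```

Running diff_configs over the two parsed configs yields only ('main', 'aid') and ('main', 'rnd'), which is what makes the repeated uploads redundant.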
 #5747  by freyr
 Wed Mar 30, 2011 11:55 am
Can anyone explain a way to extract the parts of the rootkit without using a static unpacking procedure?
Maybe there is some tool you could advise.
I have failed to unpack the dropper too. All seems to go OK: I see a simple stub and am at the entry point:
push esi
xor esi,esi                    ; esi = 0
cmp dword ptr [esp+8], esi     ; compare the second argument on the stack with zero
...
Then I try to make a dump in Olly using OllyDump or OllyDbg PE Dumper,
but as a result I get an exe with a broken import table, and the code is poorly recognizable in IDA.
As a result I can study the exe only in Olly.
 #5748  by NOP
 Wed Mar 30, 2011 3:11 pm
@freyr: The easiest way to unpack the dropper is: when you get to the decompression (aPlib?) code, which is decrypted into some allocated memory, note the address after the MOV EDI, ... instruction. Then BP POPAD and go to the address you noted in a hex dump. Right-click the hex dump and select Backup to file (you may need to trim off some bytes from the beginning of the dump). Then just fix the sections and you have a working executable.

http://i54.tinypic.com/2yv2vyo.png
http://i55.tinypic.com/2guaxqd.png

http://rapidshare.com/files/455126556/f ... ctions.rar

:)