A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #26896  by malwarelabs
 Thu Oct 08, 2015 6:32 am
yeah yeah I know " Moker applied sophisticated anti-debugging techniques to avoid malware dissection and deceive researchers" with NtGlobalFlags and IsDebuggerPresent ^^
 #26897  by EP_X0FF
 Thu Oct 08, 2015 6:43 am
What does it do, what makes it "advanced", except vb crypter with primitive antidebugging, veh abusing in loader and dll injection - UAC exploit from 2009?
 #26992  by amanaksu
 Sat Oct 17, 2015 2:13 pm
I have been analyzing the current Moker. But this analysis has not been conducted because of anti-debugging. Why can not know that the failure of the part. Have you ever knows?
Attachments
error.png
error.png (120.63 KiB) Viewed 791 times
 #26996  by EP_X0FF
 Sun Oct 18, 2015 5:52 am
amanaksu wrote:I have been analyzing the current Moker. But this analysis has not been conducted because of anti-debugging. Why can not know that the failure of the part. Have you ever knows?
Use olly with antidebugging plugin. Everything described in above linked article.
 #27006  by amanaksu
 Mon Oct 19, 2015 3:01 am
EP_X0FF wrote:
amanaksu wrote:I have been analyzing the current Moker. But this analysis has not been conducted because of anti-debugging. Why can not know that the failure of the part. Have you ever knows?
Use olly with antidebugging plugin. Everything described in above linked article.
First thanks for the reply.

As well as analysis on the blog before writing this article looked out all the information.
When the EIP has come to a position to run by VEH (figure on the 0x4D41DC) "Step into" exception occurs when you run and pops up a window like the one shown above.
I would wonder why if an exception occurs in normal code.
StrongOD used by the plugin.
Invite comments please.
 #27009  by EP_X0FF
 Mon Oct 19, 2015 6:43 am
You pay too much attention to things which are irrelevant at all in case of this malware. Second stage exactly like in article, free from vbcrypt, in attach.
Attachments
pass: infected
(20.27 KiB) Downloaded 59 times