 #26896  by malwarelabs
 Thu Oct 08, 2015 6:32 am
yeah yeah I know "Moker applied sophisticated anti-debugging techniques to avoid malware dissection and deceive researchers" with NtGlobalFlags and IsDebuggerPresent ^^
 #26897  by EP_X0FF
 Thu Oct 08, 2015 6:43 am
What does it do, what makes it "advanced", except vb crypter with primitive antidebugging, veh abusing in loader and dll injection - UAC exploit from 2009?
 #26992  by amanaksu
 Sat Oct 17, 2015 2:13 pm
I have been analyzing the current Moker, but the analysis could not proceed because of anti-debugging. I cannot figure out which part is failing. Does anyone know?
Attachments
error.png
 #26996  by EP_X0FF
 Sun Oct 18, 2015 5:52 am
amanaksu wrote:I have been analyzing the current Moker, but the analysis could not proceed because of anti-debugging. I cannot figure out which part is failing. Does anyone know?
Use Olly with an anti-debugging plugin. Everything is described in the article linked above.
 #27006  by amanaksu
 Mon Oct 19, 2015 3:01 am
EP_X0FF wrote:
amanaksu wrote:I have been analyzing the current Moker, but the analysis could not proceed because of anti-debugging. I cannot figure out which part is failing. Does anyone know?
Use Olly with an anti-debugging plugin. Everything is described in the article linked above.
First, thanks for the reply.

Before writing this post I also went through all the information in the analysis on the blog.
When EIP reaches the position that is executed through the VEH (0x4D41DC in the figure), an exception occurs on "Step into" and a window like the one shown above pops up.
I wonder why an exception occurs in normal code.
The plugin I use is StrongOD.
Comments are welcome.
 #27009  by EP_X0FF
 Mon Oct 19, 2015 6:43 am
You pay too much attention to things which are irrelevant at all in the case of this malware. The second stage, exactly as in the article, free from vbcrypt, is in the attachment.
Attachments
pass: infected