A forum for reverse engineering, OS internals and malware analysis 

 #17984  by Xylitol
 Sat Feb 02, 2013 9:08 am
VT: 0/46 ( :| )
https://www.virustotal.com/file/924e769 ... 359795787/
Code:
2013-02-01 00:06     114     112  b7849a40  META-INF\MANIFEST.MF
2013-02-01 00:06     319     252  3f79c021  META-INF\READER.SF
2013-02-01 00:06    1061     796  f6fa5839  META-INF\READER.DSA
2013-01-31 23:51    2646    1532  9fc215b7  FlashReader.class
Code:
hxtp://94.23.116.220/z/JavaPlayer.jar
 #17987  by EP_X0FF
 Sat Feb 02, 2013 11:24 am
svchost.exe, what was it? Seems unavailable.
 #17992  by Xylitol
 Sat Feb 02, 2013 12:56 pm
In the attachment.
svchost: https://www.virustotal.com/file/727e5e9 ... 359809117/ (19/46)
Dll: https://www.virustotal.com/file/71bf787 ... 359809080/ (3/46)
Code:
C:\Users\FloppyBomb\Desktop\Kernel32\Kernel32\Kernel32\obj\Release\Kernel32.pdb
FileVersion: 1.3.3.7
At least they have a sense of humor.
http://malwaredb.malekal.com/index.php? ... 23.116.220
Attachments: infected (2 MiB), infected (2 MiB), infected (1.82 MiB)
 #17993  by EP_X0FF
 Sat Feb 02, 2013 1:16 pm
Yes, script kiddie dotnet trash. HF mad skillz level.
Code:
call     bool [mscorlib]System.Diagnostics.Debugger::get_IsAttached()
or
call     bool [mscorlib]System.Diagnostics.Debugger::IsLogging()
or
brfalse.s loc_29B
ldstr    "FUCKYOU@DEBUG1"
Code:
ldstr    "IsDebuggerPresent"
ldstr    "FUCKYOU@DEBUG2"
Code:
System.AppDomain::get_CurrentDomain
ldstr    "sandbox"
ldstr    "FUCKYOU@SANDBOX"
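The checks in the IL above (Debugger.IsAttached / IsLogging, a string "IsDebuggerPresent" resolved at runtime, and a "sandbox" string compared against the current AppDomain) are the kind of markers a static triage script can flag before the sample goes into a decompiler. The following is an added example, not code from the thread or from the sample; the tag names and the constructed byte blob standing in for the metadata heaps are assumptions of the example.

```python
"""Static triage for the .NET anti-analysis markers quoted in the thread.
ldstr operands sit as UTF-16LE in the #US heap; member names reached via
`call` (get_IsAttached, IsLogging) are ASCII in the #Strings heap, so the raw
file is scanned for both encodings of each marker."""
import re
from typing import Dict, List, Tuple

# Marker strings taken from the IL in the post above; the tag names are ours.
MARKERS: Dict[str, Tuple[str, ...]] = {
    "managed_debugger_check": ("get_IsAttached", "IsLogging"),
    "native_debugger_check": ("IsDebuggerPresent",),
    "sandbox_name_check": ("sandbox",),
    "taunt_strings": ("FUCKYOU@DEBUG", "FUCKYOU@SANDBOX"),
}
ENCODINGS = ("ascii", "utf-16-le")

Hit = Tuple[int, str, str]  # (file offset, encoding, marker)

def find_markers(data: bytes) -> Dict[str, List[Hit]]:
    """Return {tag: [hit, ...]} for every marker found in either encoding."""
    hits: Dict[str, List[Hit]] = {}
    for tag, words in MARKERS.items():
        for word in words:
            for enc in ENCODINGS:
                for m in re.finditer(re.escape(word.encode(enc)), data):
                    hits.setdefault(tag, []).append((m.start(), enc, word))
    return hits

def verdict(hits: Dict[str, List[Hit]]) -> str:
    """'anti-analysis' needs a debugger check plus the sandbox check; either alone is 'suspicious'."""
    debugger = bool(set(hits) & {"managed_debugger_check", "native_debugger_check"})
    sandbox = "sandbox_name_check" in hits
    if debugger and sandbox:
        return "anti-analysis"
    return "suspicious" if (debugger or sandbox) else "clean"

# Constructed stand-in for an assembly's metadata heaps (not the real sample).
SAMPLE = (b"\x00get_IsAttached\x00IsLogging\x00"        # #Strings heap, ASCII
          + "FUCKYOU@DEBUG1".encode("utf-16-le")         # #US heap, UTF-16LE
          + "IsDebuggerPresent".encode("utf-16-le")
          + "sandbox".encode("utf-16-le"))
BENIGN = b"\x00Main\x00ToString\x00" + "Hello".encode("utf-16-le")

if __name__ == "__main__":
    for tag, found in sorted(find_markers(SAMPLE).items()):
        print(tag, found)
    print(verdict(find_markers(SAMPLE)), verdict(find_markers(BENIGN)))
```

A single "sandbox" or IsLogging hit is common in legitimate assemblies, which is why the verdict only escalates when a debugger check and the sandbox check occur together.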