[Buster_BSA]

I have tried to dump the malware from this thread http://www.kernelmode.info/forum/viewto ... =21&t=2288 but the dumped binary does not contain the code.

I tried dumping with my own code and with this program http://code.google.com/p/mdmp/. None of them dumped correctly.

Why does it happen?

In this article http://blogs.avg.com/news-threats/anti- ... r-malware/ is said:

"The malicious code itself is protected by double packer layers. The top one is some custom cryptor which executes several anti emulation tricks such as calling rare API functions and decrypting the MPress packed executable to its own memory. After unpacking this inner MPress packer, we finally get the malicious code."

I guess I should be dumping other memory area, but how to notice that?

[EP_X0FF]

What you want to dump? Usual process dumper rely on PE header information, such as base address and size of image. Base address of original image and size of original image.

There no strings inside because actual bot all build on hash using and call all required routines by their pointers instead of using Import table directly.

There is 3 layers in this dropper.

First - primitive crypter. To unpack it set break in debugger on VirtualAllocEx -> @ContainerAddress = kernel32!VirtualAllocEx (in my case it was 0x00B80000 region), trace after call with ERW flags, it will dexor (whatever) container in @ContainerAddress and then call second stage.

Second - MPRESS v2.18 running from @ContainerAddress. Unpacking MPRESS is somehow similar to unpacking previous one. Result = allocated memory region with ERW flags and decompressed payload. Next control goes to third layer.

Third - actual malware running from MPRESS allocated region (again different from the original imagebase). Here all AntiVM tricks being executed.

Itself this is Backdoor:Win32/Caphaw.D
In attach MPRESS binary extracted from 1st layer. Decompress it and you will have real malware.



Use PETools or LordPe, they both can dump regions.
mdump, I dont know wtf is that honestly.

[SmilingWolf]

Attached there is the semi-final stage. The first CALL EAX will take you to the real malware that I've been unable to dump because of the IAT redirection.

[EP_X0FF]

Third - actual malware running from MPRESS allocated region (again different from the original imagebase). Here all AntiVM tricks being executed.

Itself this is Backdoor:Win32/Caphaw.D
In attach MPRESS binary extracted from 1st layer. Decompress it and you will have real malware.

Unpacked mpress in attach.
https://www.virustotal.com/file/0a6e8fc ... /analysis/

[hnpl2011]

hi, i'm looking for new varial of shylock.
MD5: 8fbeb78b06985c3188562e2f1b82d57d
https://www.virustotal.com/file/4bd9713 ... /analysis/
article: https://www.csis.dk/en/csis/blog/3811/
Thank,

[Xylitol]

Attach.

[skeptre]

Hi,

Is it possible to get more samples of the new variant for Shylock ?
There is already a sample uploaded in http://www.kernelmode.info/forum/viewto ... =21&t=2441 but wanted to check if there are more samples available.

Just have the MD5 of current sample to go by: 8fbeb78b06985c3188562e2f1b82d57d.

Thanks

[frame4-mdpro]

Hi,

Is it possible to get more samples of the new variant for Shylock ?
There is already a sample uploaded in http://www.kernelmode.info/forum/viewto ... =21&t=2441 but wanted to check if there are more samples available.

Just have the MD5 of current sample to go by: 8fbeb78b06985c3188562e2f1b82d57d.

Thanks

Et voila :)

[kmd]

https://www.virustotal.com/en/file/f71d ... /analysis/

pwd infected

[Horgh]

Backdoor:Win32/Caphaw.D aka Shylock