A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #26090  by t4L
 Tue Jun 16, 2015 12:03 am
@xylit0l:

Yeah, they're different by the trigger string, the sample KL posted is the one that is based on passthru.

I just want to take a look at the other sample in the first KL Duqu report to see if it has anything interesting.
 #26155  by Cr4sh
 Mon Jun 22, 2015 5:51 pm
Can anyone share a full sample including the VFS image? I'm interested mostly in two files called “CTwoPENC.dll” and “KMART.dll” (unfortunately I don't know their MD5 hashes; the idiots from Kaspersky can't even write an adequate analysis report).
 #26157  by t4L
 Mon Jun 22, 2015 11:02 pm
That is their intention.
 #28947  by R136a1
 Wed Jul 27, 2016 5:16 pm
Here is the exploit known as CVE-2015-2360. It hasn't been publicly released yet, so I thought I'd upload it before it gets lost in my archive.

The compilation time stamp is a bit newer than the samples described by Kaspersky, though I don't think there is a big difference in the functionality, if at all. Unfortunately, as Kaspersky didn't release the samples, I couldn't make a comparison.

For me, it's always interesting to find a possible connection to other binaries, so I did a comprehensive search. I have also asked several people to look at their databases and services for any similarities. In the end, I haven't found anything...
Attachments
PW: infected
(9.01 KiB) Downloaded 121 times
 #31819  by rgster002
 Fri Jul 13, 2018 10:58 am
Someone noted a long time ago that Duqu 2 starts execution from an MSI package. I haven't found the MSI sample. So, can anyone find it and share the sample here?
MD5: 14712103ddf9f6e77fa5c9a3288bd5ee