Hi all. Found this trojan downloaded via a JDB Exploit Kit infection.
Background:
You'll see all aspects of the infection here http://malwaremustdie.blogspot.jp/2013/ ... ector.html
The problem is, innocent people have to be satisfied with antivirus products that detected this sample as either DarkKomet or Zusy or maybe Bublik < signature detection by all means.
The fact is, it was compiled by VB .Net, dropped c:\MyTest.txt with zero bytes, containing music genres as per the snip below:
0x0050C7 Blues 0x00561D Folk/Rock 0x005369 Meditative 0x005871 Tango
0x0050D3 Classic Rock 0x005631 National Folk 0x00537F Instrumental Pop 0x00587D Samba
0x0050ED Country 0x00564D Swing 0x0053A1 Instrumental Rock 0x005889 Folklore
etc etc etc

Registry only shows the clearance of cache:

Deleted:
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013012120130122
Added:
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013013020130131
(etc)

With no networking existing... I cannot see any malicious act in it.
Target:
What I really want to know is: the verdicts of the AV signatures are strong trojan detections. As you know, DarkKomet and/or Zusy are droppers, backdoors, PWS, maybe downloaders, etc. But this one doesn't even open a network socket. Oh yes, in the memory dump you'll see interesting stuff, but that's it. Can anyone advise me on gaining crime evidence of this payload? Rgds,
Research Reference:
Memory DUMP: http://www.mediafire.com/?27eyhso8luqj4f7#MalwareMUSTDie!
Memory strings DUMP: http://www.mediafire.com/?m1k621sj6n7565b
Regshot: http://pastebin.com/raw.php?i=tyyjjHFh
File Activity of this malware PID: http://pastebin.com/raw.php?i=cdR0gKuU
Virus Total: https://www.virustotal.com/file/90359af ... /analysis/
Sample Downloads: http://www.mediafire.com/?km2a3zaeusvard9
Last edited by Xylitol on Fri Feb 01, 2013 11:04 pm, edited 1 time in total.
Reason: Changed title
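The Regshot diff quoted in the post shows only churn in Internet Explorer's daily history containers (keys named MSHist01 + start date + end date), which is exactly the kind of sandbox background noise that has to be separated from real registry evidence before a verdict can be argued. The script below is an added example, not code from the post or from the analysed sample: it parses a Regshot-style "Deleted:/Added:" diff, decodes the date range embedded in MSHist01 key names, and splits keys into cache noise, well-known autostart locations, and everything else. The sample diff is constructed from the two keys quoted in the post plus one hypothetical Run-key entry (an assumption, added only so the contrast is visible; no such key is reported for the real sample).

```python
"""Triage a Regshot-style registry diff: separate browser-cache churn
(the MSHist01 daily history containers seen in the post) from keys an
analyst would actually treat as evidence, such as autostart locations.
Added example; not from the post or from the analysed sample."""
import re
from datetime import datetime

# Section headers as Regshot prints them ("Keys added:") and as the post
# pasted them ("Added:"); both map to the same bucket.
_SECTION = re.compile(r"^(?:keys\s+|values\s+)?(added|deleted|modified):\s*$", re.I)

# IE daily history container: MSHist01 + start YYYYMMDD + end YYYYMMDD.
_MSHIST = re.compile(r"\\Extensible Cache\\MSHist01(\d{8})(\d{8})$", re.I)

# Well-known autostart / execution-hijack locations worth a second look.
# Extend this list for your own lab; it is deliberately short here.
_PERSISTENCE = [
    re.compile(p, re.I) for p in (
        r"\\CurrentVersion\\Run(?:Once)?(?:\\|$)",
        r"\\CurrentControlSet\\Services\\",
        r"\\CurrentVersion\\Winlogon\\",
        r"\\Image File Execution Options\\",
    )
]

# Constructed sample input: the two keys quoted in the post plus one
# hypothetical Run entry (NOT from the real sample) so the contrast shows.
SAMPLE_DIFF = r"""
Deleted:
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013012120130122
Added:
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013013020130131
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run\hypothetical_updater
"""


def parse_regshot(text):
    """Return {"added": [...], "deleted": [...], "modified": [...]} of key paths."""
    buckets = {"added": [], "deleted": [], "modified": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-"):
            continue  # blank line or Regshot "----" separator
        m = _SECTION.match(line)
        if m:
            current = m.group(1).lower()
            continue
        if current and line.upper().startswith("HK"):
            buckets[current].append(line)
    return buckets


def mshist_range(key):
    """Decode the (start, end) ISO dates in an MSHist01 key, or None if not one."""
    m = _MSHIST.search(key)
    if not m:
        return None
    start, end = (datetime.strptime(d, "%Y%m%d").date() for d in m.groups())
    return start.isoformat(), end.isoformat()


def triage(text):
    """Bucket every key in the diff as cache noise, persistence, or other."""
    result = {"noise": [], "persistence": [], "other": []}
    for action, keys in parse_regshot(text).items():
        for key in keys:
            rng = mshist_range(key)
            if rng:
                result["noise"].append((action, key, rng))
            elif any(p.search(key) for p in _PERSISTENCE):
                result["persistence"].append((action, key))
            else:
                result["other"].append((action, key))
    return result


if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_DIFF).items():
        print(f"{bucket}: {len(entries)}")
        for entry in entries:
            print("   ", *entry)
```

Run against the post's own Regshot output, everything lands in the noise bucket: the deleted container covers 2013-01-21 to 2013-01-22 and the added one 2013-01-30 to 2013-01-31, which is just the browser rolling its history index, not the sample writing anything. That supports the poster's observation that the registry alone gives no persistence evidence; the memory dump and file-activity log remain the places to look.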