A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #29397  by xors
 Tue Oct 11, 2016 9:52 pm
Saw this one on Twitter. I managed to find a sample. Sample and the unpacked of it in the attachment.

Article:http://www.symantec.com/connect/blogs/o ... al-attacks


Didn't find anything interesting. If anyone has more samples, please post them.
Attachments
password:infected
(35.81 KiB) Downloaded 65 times
 #29399  by p1nk
 Tue Oct 11, 2016 10:38 pm
I really dig the """Microsponge Corporation""" in the metadata.

I also see a hard coded address of: https://188.166.3.58/Wa6fh/

C2 server looks like its redirecting:
< HTTP/1.1 301 Moved Permanently
< Server: nginx
< Date: Tue, 11 Oct 2016 22:38:09 GMT
< Content-Type: text/html; charset=UTF-8
< Content-Length: 0
< Connection: keep-alive
< X-Pingback: https://lesfascinateurs.be/xmlrpc.php
< Location: https://lesfascinateurs.be/
< Vary: User-Agent
< Age: 20
< X-Cache: HIT
<
 #29401  by Xylitol
 Wed Oct 12, 2016 1:17 am
second sample of odinaff in attachment
neutrino binaries seem relatively old

https://www.virustotal.com/en/file/22be ... 476234907/
https://www.virustotal.com/en/file/84d3 ... 476234908/
Attachments
infected
(3.63 KiB) Downloaded 59 times
infected
(17.64 KiB) Downloaded 68 times