A forum for reverse engineering, OS internals and malware analysis

Forum for analysis and discussion about malware.
 #20852  by Xylitol
 Tue Sep 17, 2013 12:05 pm
Sinergia Cleaner
https://www.virustotal.com/en/file/bc05 ... 379419031/
GET /?action=resources&id=4945603f359
Host: fufel-av-2.com
---
GET /?action=install&id=4945603f359&os=xpProsp3&advertid=103
Host: fufel-av-2.com
---
GET /?action=checklic&id=4945603f359&os=xpProsp3
Host: fufel-av-2.com
---
GET /?id=4945603f359
Host: www.fufel-av.com
Attachment: infected (505.03 KiB)
 #20856  by Grinler
 Tue Sep 17, 2013 4:52 pm
This seems a little bugged as it does not appear to set an autorun of any sort.

Any of you reversing gurus know more about this out.pk file that is downloaded by the rogue at this url:

fufel-av-2.com/?action=resources&id=4974203f359

It appears to be a container of some sort that contains numerous image files and a config.txt file. It then stores this file as a reg_binary value in HKEY_CURRENT_USER\Software\Protection "registry_rsrc_parameter".
 #20862  by Xylitol
 Thu Sep 19, 2013 7:57 am
Dumped in attachment. Sinergia Cleaner is a bit tricky with anti-debug: it changes the debug flags.
Modified debug registers of main thread
DR2: old 7C91D040, new 00000000
DR3: old 00401000, new 00000000
DR7: old 00002140, new 00000000
https://www.virustotal.com/en/file/cc71 ... 379577426/
Attachment: infected (90.17 KiB)
 #20875  by jumbofreak
 Fri Sep 20, 2013 3:48 pm
> It appears to be a container of some sort that contains numerous image files and a config.txt file. It then stores this file as a reg_binary value in HKEY_CURRENT_USER\Software\Protection "registry_rsrc_parameter".

Looks like it's an encrypted config file, with resource and image info for different flavours to pull. You can decrypt that reg binary with XOR key 44.
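Added example (not code from the thread): a small helper for recovering the stored blob from a regedit export of the REG_BINARY value and decoding it with a single-byte XOR. Since the post does not say whether "44" is decimal or hex, `recover_key` tries every byte and picks the one that exposes the `config.txt` name the container is said to hold; the sample blob below is constructed, not from the real sample.

```python
import re
from typing import Optional

def reg_hex_to_bytes(reg_value: str) -> bytes:
    """Turn a regedit-exported 'hex:41,2c,...' line (with optional line
    continuations) back into raw bytes."""
    body = reg_value.split(":", 1)[1] if reg_value.startswith("hex") else reg_value
    # drop the trailing '\' continuation markers and all whitespace
    body = re.sub(r"[\\\s]", "", body)
    return bytes(int(tok, 16) for tok in body.split(",") if tok)

def xor_decode(blob: bytes, key: int) -> bytes:
    """Single-byte XOR over the whole buffer; applying it twice restores the input."""
    return bytes(b ^ key for b in blob)

def recover_key(blob: bytes, marker: bytes = b"config.txt") -> Optional[int]:
    """Try all 256 single-byte keys; return the first that reveals the marker
    (the config file name the container is described as carrying)."""
    for key in range(256):
        if marker in xor_decode(blob, key):
            return key
    return None

# Constructed sample: a fake container holding a config.txt entry, encoded with 0x44.
SAMPLE_PLAIN = b"RSRC\x00image1.bmp\x00config.txt\x00advertid=103;lic=0\x00"
SAMPLE_BLOB = xor_decode(SAMPLE_PLAIN, 0x44)
SAMPLE_REG_LINE = "hex:" + ",".join(f"{b:02x}" for b in SAMPLE_BLOB)

def decode_registry_value(reg_value: str) -> bytes:
    """Full path an analyst would take: .reg text -> bytes -> key search -> plaintext."""
    blob = reg_hex_to_bytes(reg_value)
    key = recover_key(blob)
    if key is None:
        raise ValueError("no single-byte XOR key exposes the marker")
    return xor_decode(blob, key)

if __name__ == "__main__":
    print("key 0x%02x" % recover_key(SAMPLE_BLOB))
    print(decode_registry_value(SAMPLE_REG_LINE))
```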
 #20881  by Xylitol
 Fri Sep 20, 2013 7:37 pm
Mobile Defender (Android FakeAV)
https://www.virustotal.com/en/file/4732 ... 379705657/
payement: hxtp://robomerch.com/p/?group=amd&ver=0001&ps=85000
Attachments: infected (78.37 KiB), infected (2.5 MiB)