Thursday, December 27, 2012

Disclosure of another 0day malware - Update and Additional Information

First I will provide an overview of the current AV detection rates, almost 2 weeks after publishing the MD5 hashes of this malware. I will also release the samples, so you can analyze them yourself if you are interested. Thereafter I show the status of the (known) servers involved in this threat and give the directory listings. Next, I try to shed some light on the origin of this malware...

Sunday, December 16, 2012

Disclosure of another 0day malware - Analysis of the final Payload (Part 3)

In the last part of this series I partially analyzed the final payload. I haven't finished the analysis of the malware due to lack of time (and interest), but I will provide as much of the information I have discovered as I can. It looks like this malware is a classic spying tool (information gathering), but it would be interesting to know who the attacker is and who the victims are. Unfortunately I don't have a...

Saturday, December 15, 2012

Disclosure of another 0day malware - Analysis of 2nd Dropper and 3rd Dropper (Part 2)

In the second part of this series we analyze the downloaded file (2nd Dropper) and the dropped file (3rd Dropper). At the time of this analysis the files hadn't been uploaded to VirusTotal, so I guess the detection rates are very low, if they are detected at all.
2nd Dropper Sample: msmvs.exe Size: 80.388 Bytes Timestamp: 25.07.2012 06:51:13 MD5: 66F368CAB3D5E64475A91F636C87AF15
3rd Dropper Sample: conhost.dll Size: 62.976...

Disclosure of another 0day malware - Initial Dropper and Downloader (Part 1)

In this series I have analyzed an interesting malware that combines various techniques I haven't seen before. Part 1 of this series deals with the initial Dropper and the Downloader, which both come in the form of a Dynamic Link Library (.dll). The initial Dropper drops and executes the Downloader (netids.dll). Part 2 deals with the downloaded file,...