Old 02-12-2018, 12:23
Stingered
Originally Posted by Aesculapius
I took my time this weekend to evaluate a malware sample that was handed to me for that purpose. I took interest because it is packed with Shielden. Although I haven't finished the characterization because it's complex and fully VMed, I've been able to unpack, de-virtualize, decompile, retrieve some of the resources, create the pseudocode and recreate the main payload.

The package contains the original sample, the compiled payload (some nasty stuff removed, like persistence in memory, blocking user tools, etc), some recovered resources, and the recreated main payload source code.

You can run the attenuated payload, which will only change the Windows wallpaper and close any instance of regedit and Task Manager. It will do it only once and terminate itself because I modified it to do so. The real sample will continue to change back the wallpaper if you try to set it to your default one, closing Task Manager and regedit every few seconds to block any termination attempts. It will also partially cripple ESET NOD32 (which will eventually close itself).

The original sample also deploys several files which I'm still studying. All are VMed. Although no information is lost by running it, I discourage you from doing so unless you are versed in malware analysis and in a safe, controlled environment.

The recreated main payload source code is probably not 100% accurate compared with the original source code, but I'm pretty confident it should be very alike.

Again, this is only for people who know what they are doing. If by any chance you get infected, then restart your PC in safe mode and eliminate the sample from memory; but if you are not sure, then don't try anything except for the harmless payload and the source code.

A write-up would be awesome if you're up to it. Would be a nice read, I'm certain.