Doqu 2.0 analysis

Anticode · #1 06-11-2015, 04:41

https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf

Insid3Code · #2 06-13-2015, 03:34

Duqu 2.0 please correct topic title!

Malware samples (Indicators of compromise) from kernelmode.info

PHP Code:


			
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3900

Archive Password: infected

an0rma1 · #3 06-18-2015, 17:30

great articles, i've read all the docs this monday, INCREDIBLE WORK here

They think this software is worth 50M$.... hats off for this work, they are truly hero coders... even when they work coding APTs

maktm · #4 06-19-2015, 04:51

What really surprised me was the fact that it has signed drivers. That was pretty entertaining to read about

gigaman · #5 06-20-2015, 03:00

Well, signed drivers are not that surprising, there were quite a few of those already.

However, is there a sample (of the signed driver) available here? The files posted on kernelmode.info don't seem to be signed.

Insid3Code · #6 06-20-2015, 23:02

Quote:

Originally Posted by gigaman

Well, signed drivers are not that surprising, there were quite a few of those already.

However, is there a sample (of the signed driver) available here? The files posted on kernelmode.info don't seem to be signed.

MD5: 92e724291056a5e30eca038ee637a23f
Certificate Serial number of Foxconn: ‎256541e204619033f8b09f9eb7c88ef8

Attached from kernelmode.info

gigaman · #7 06-21-2015, 04:54

Ah, my bad, I was checking only the first batch in the beginning of the thread.
Thanks a lot.

dyn!o · #8 06-22-2015, 03:01

Still wondering why the developers did not transform classic machine code into custom architecture run on custom interpreter (security of critical places).

Considering such a step the analysis we read would be nearly impossible to complete (in reasonable time)...

gigaman · #9 06-24-2015, 01:23

Maybe such non-x86 blocks (or the corresponding interpreters) are more likely to trigger antivirus heuristics... so while analysis would certainly be harder, the probability of earlier detection could also be higher.

dyn!o · #10 06-27-2015, 05:13

You might be right, but then they could implement at least custom virtualization (maintaining actual architecture) + stronger data encryption. Anything, which could slow-down the analysis.

Stitch · #11 06-29-2015, 05:20

Quote:

Originally Posted by dyn!o

You might be right, but then they could implement at least custom virtualization (maintaining actual architecture) + stronger data encryption. Anything, which could slow-down the analysis.

Quote:

Originally Posted by gigaman

Maybe such non-x86 blocks (or the corresponding interpreters) are more likely to trigger antivirus heuristics... so while analysis would certainly be harder, the probability of earlier detection could also be higher.

Can you elaborate how this could be done by linking books/tutorials/topic about making it harder to analysis? (I'm not much but new on this area..)
Hope I would get a detailed answer.

-Stitch

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Malware Analysis	ldmd	General Discussion	7	03-09-2025 18:42
ahk malware analysis	dion	General Discussion	0	12-20-2021 08:50
About Android Apps Analysis	Mayo	General Discussion	5	07-23-2014 21:50

The Following 7 Users Say Thank You to Anticode For This Useful Post:
an0rma1 (06-18-2015), niculaita (06-11-2015), Notmex (06-18-2015), professor.frink (06-21-2015), SinaDiR (06-12-2015), TQN (06-11-2015), uranus64 (06-18-2015)

The Following User Says Thank You to Insid3Code For This Useful Post:
niculaita (06-20-2015)