EXETOOLS FORUM  

#1
02-12-2018, 12:07
Aesculapius (Family, joined Jun 2016, USA)
Malware Sample analysis

I took my time these last weekends to evaluate a malware sample that was handed to me for that purpose. I took interest because it is packed with Shielden. Although I haven't finished the characterization because it's complex and fully VMed, I've been able to unpack, de-virtualize, decompile, retrieve some of the resources, create the pseudocode and recreate the main payload.

The package contains the original sample, the compiled payload (some nasty stuff removed, like persistence in memory, blocking user tools, etc.), some recovered resources, and the recreated main payload source code.

You can run the attenuated payload, which will only change the Windows wallpaper and close any instance of regedit and Task Manager. It will do it only once and terminate itself because I modified it to do so. The real sample will keep changing the wallpaper back if you try to set it to your default one, closing Task Manager and regedit every few seconds to block any termination attempts. It will also partially cripple ESET NOD32 (which will eventually close itself).

The original sample also deploys several files which I'm still studying. All are VMed. Although no information is lost by running it, I discourage you from doing so unless you are versed in malware analysis and in a safe, controlled environment.

The recreated main payload source code is probably not 100% accurate compared with the original source code, but I'm pretty confident it should be very alike.

Again, this is only for people who know what they are doing. If by any chance you get infected, restart your PC in safe mode and simply eliminate the sample from memory and disk (put back your wallpaper) and no harm done; but if you are not sure, then don't try, except for the harmless payload and the source code.

Package:

https://mega.co.nz/#!EQgCEbYK!VssYEm...MngGxlsPFkKf7k

Last edited by Aesculapius; 02-12-2018 at 22:19.
#2
02-12-2018, 12:23
Stingered (Friend, joined Dec 2017)
Quote:
Originally Posted by Aesculapius View Post
I took my time this weekend to evaluate a malware sample that was handed to me for that purpose. I took interest because it is packed with Shielden. Although I haven't finished the characterization because it's complex and fully VMed, I've been able to unpack, de-virtualize, decompile, retrieve some of the resources, create the pseudocode and recreate the main payload.

The package contains the original sample, the compiled payload (some nasty stuff removed, like persistence in memory, blocking user tools, etc.), some recovered resources, and the recreated main payload source code.

You can run the attenuated payload, which will only change the Windows wallpaper and close any instance of regedit and Task Manager. It will do it only once and terminate itself because I modified it to do so. The real sample will keep changing the wallpaper back if you try to set it to your default one, closing Task Manager and regedit every few seconds to block any termination attempts. It will also partially cripple ESET NOD32 (which will eventually close itself).

The original sample also deploys several files which I'm still studying. All are VMed. Although no information is lost by running it, I discourage you from doing so unless you are versed in malware analysis and in a safe, controlled environment.

The recreated main payload source code is probably not 100% accurate compared with the original source code, but I'm pretty confident it should be very alike.

Again, this is only for people who know what they are doing. If by any chance you get infected, restart your PC in safe mode and eliminate the sample from memory; but if you are not sure, then don't try, except for the harmless payload and the source code.

Package:

https://mega.co.nz/#!EQgCEbYK!VssYEm...MngGxlsPFkKf7k

A write-up would be awesome if you're up to it. It would be a nice read, I'm certain.
#3
02-13-2018, 19:35
foosaa (Friend, joined Dec 2005)
Thumbs up

Yep. I agree. A write-up will surely be very good!!

All times are GMT +8.