Comments on No Pryor Knowledge: Interesting Malware Trick
Feed author: Ken Pryor (http://www.blogger.com/profile/06777221347861058406)
Feed last updated: 2023-08-02T05:31:43-05:00

Anonymous, 2011-11-29T15:50:49-06:00:
This comment has been removed by a blog administrator.

Anonymous, 2011-08-16T12:04:52-05:00:
@KP -- could you please contact me offline.

abrandt (at) webroot (dot) com

Cheers!

-=A

Ken Pryor (https://www.blogger.com/profile/06777221347861058406), 2011-08-14T12:17:59-05:00:
@Ran2

Very cool, thanks for the info! I still have very much to learn in the area of malware analysis, but am fascinated by the subject. I haven't had time the last couple of days to work with this, but am hoping on my days off to experiment some more. I appreciate the info!

Anonymous, 2011-08-14T11:34:48-05:00:
I guess it is the dropper. It performs no material malicious functions, but only creates a droppee.

I have a similar sample; check here: http://www.threatexpert.com/report.aspx?md5=073e9de932d0094b18cde2a1eb383fbd

After the code analysis, I found it first creates a DLL, then injects the DLL into explorer.exe. It sends encrypted HTTP traffic to a C&C. After a while, (

Ken Pryor (https://www.blogger.com/profile/06777221347861058406), 2011-08-13T16:28:52-05:00:
Looks like I need to do a part 2 covering more Volatility use. I'm not overly confident in my memory analysis abilities, but Volatility 2.0 sure makes it a lot easier. I just need to learn more about interpreting the data I get from RAM.
KP

Jamie Levy (https://www.blogger.com/profile/16089000750284843256), 2011-08-13T15:43:06-05:00:
Anything else interesting from Volatility? :-)

Luby (https://www.blogger.com/profile/13055459225344167154), 2011-08-13T11:15:43-05:00:
I posted the issue on Google Plus. I then looked at the source code. All user-entered words after the .doc file name (which had been cut and pasted and therefore retained the Unicode) were backwards!

Note: Jared Myers analyzed the code and said that it resolves to the URL armaturan.ru.
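The "backwards" text Luby describes above is the effect a Unicode bidirectional override character has on everything that follows it in a left-to-right interface. The following Python script is an added example, not code from the post, its author or any commenter, and it rests on one assumption: that the pasted .doc file name carried such a bidi control character (for instance U+202E RIGHT-TO-LEFT OVERRIDE). It finds bidi controls in a file name, strips them for safe logging, and approximates how a left-to-right UI would paint a name containing U+202E. All file names and typed text in it are constructed for illustration.

```python
"""Find and neutralise Unicode bidirectional control characters in file names.

Added example (not from the blog post or its commenters). Assumption: the
backwards rendering reported in the comment is caused by a bidi control
character, such as U+202E RLO, embedded in the pasted .doc file name.
Sample names below are constructed.
"""
import unicodedata

# Unicode Bidi_Control characters (general category Cf). Any of these can make
# a string render in a different order than the one it is stored in.
BIDI_CONTROLS = {
    "\u061c": "ALM",  # ARABIC LETTER MARK
    "\u200e": "LRM",  # LEFT-TO-RIGHT MARK
    "\u200f": "RLM",  # RIGHT-TO-LEFT MARK
    "\u202a": "LRE",  # LEFT-TO-RIGHT EMBEDDING
    "\u202b": "RLE",  # RIGHT-TO-LEFT EMBEDDING
    "\u202c": "PDF",  # POP DIRECTIONAL FORMATTING
    "\u202d": "LRO",  # LEFT-TO-RIGHT OVERRIDE
    "\u202e": "RLO",  # RIGHT-TO-LEFT OVERRIDE
    "\u2066": "LRI",  # LEFT-TO-RIGHT ISOLATE
    "\u2067": "RLI",  # RIGHT-TO-LEFT ISOLATE
    "\u2068": "FSI",  # FIRST STRONG ISOLATE
    "\u2069": "PDI",  # POP DIRECTIONAL ISOLATE
}


def find_bidi_controls(text):
    """Return [(index, short_name, unicode_name)] for every bidi control in text."""
    return [
        (i, BIDI_CONTROLS[c], unicodedata.name(c))
        for i, c in enumerate(text)
        if c in BIDI_CONTROLS
    ]


def strip_bidi_controls(text):
    """Remove every bidi control so the name can be logged or compared safely."""
    return "".join(c for c in text if c not in BIDI_CONTROLS)


def escape_bidi_controls(text):
    """Replace each bidi control with a visible \\uXXXX escape for reports."""
    return "".join(
        "\\u%04x" % ord(c) if c in BIDI_CONTROLS else c for c in text
    )


def rendered_order(text):
    """Approximate what a left-to-right UI paints for a string containing RLO.

    Everything after U+202E, up to a matching U+202C (PDF) or the end of the
    string, is drawn reversed. This is a deliberate simplification of the full
    bidi algorithm (UAX #9) that covers only the override case; other bidi
    controls are dropped from the output rather than resolved.
    """
    out = []
    i = 0
    while i < len(text):
        c = text[i]
        if c == "\u202e":
            end = text.find("\u202c", i + 1)
            if end == -1:
                end = len(text)
            out.append(text[i + 1:end][::-1])
            i = end + 1
        elif c in BIDI_CONTROLS:
            i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed scenario: a file name ending in RLO is pasted, then the user
    # types more words after it. The stored text is in logical order; what the
    # screen shows has the typed words reversed.
    pasted_name = "invoice.doc\u202e"   # constructed, assumption: trailing RLO
    typed = " please review"            # constructed user input
    stored = pasted_name + typed
    print("stored  :", escape_bidi_controls(stored))
    print("painted :", rendered_order(stored))
    print("controls:", find_bidi_controls(stored))
    print("cleaned :", strip_bidi_controls(stored))
```

A check like `find_bidi_controls` belongs wherever file names cross a trust boundary (mail attachments, upload handlers, download directories); `escape_bidi_controls` is the form to write to logs, since a raw control character in a log line would reorder the log viewer's display the same way.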