DOCSLIB.ORG

Sample2.Js Malware Summary

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Sample2.Js Malware Summary Threat Analysis Report Summary Threat Malicious Level File Name sample2.js MD5 Hash 580E637B97B16698CC750B445223D5C0 Identifier SHA-1 Hash 07E507426F72522DABFECF91181D7F64DC3B8D23 Identifier SHA-256 Hash 790999F47B2FA4396FF6B0A6916E295D832A12B3495A87590C859A1FE9D73245 Identifier File Size 3586 bytes File Type ASCII text File 2015-11-06 09:26:23 Submitted Duration 38 seconds Sandbox 27 seconds Replication Engine Analysis Engine Threat Name Severity GTI File Reputation --- Unverified Gateway Anti-Malware JS/Downloader.gen.f Very High Anti-Malware JS/Downloader.gen.f Very High YARA Custom Rules Sandbox Malware.Dynamic Very High Final Very High Sample is malicious: f inal severit y level 5 Behavior Classif icat ion Networking Very High Exploiting, Shellcode High Security Solution / Mechanism bypass, termination and removal, Anti Unverified Debugging, VM Detection Spreading Unverified Persistence, Installation Boot Survival Unverified Hiding, Camouflage, Stealthiness, Detection and Removal Protection Unverified Data spying, Sniffing, Keylogging, Ebanking Fraud Unverified Dynamic Analysis Action Severity Malware behavior: networking activities from non-executable file Very High ATTENTION: connection made to a malicious website (see Web/URL Very High reputation for details) Detected suspicious Java Script content High Downloaded data from a webserver Low Modified INTERNET_OPTION_CONNECT_RETRIES: number of times that Low WinInet attempts to resolve and connect to a host Connected to a specific service provider Low Cracks a URL into its component parts Informational GTI Web/URL Reput at ion Connected Sites: 2 URL Port Reputation Category Name Risk Group Functional Group Medium REVAULT .ME 80 --- --- --- Risk Hig h Malicious REVAULT .ME/DOC.CSS 80 Security Risk/Fraud/Crime Risk Sites Processes Analyzed Name Reason Severity sample2.js loaded by MATD Analyzer Very High sample2.js Run-T ime Dlls: 2 advapi32.dll kernel32.dll File Operations: 7 Files Opened File Name Access Mode File Attributes C:\Prog ram Files\...\T emp\fd5cc082-4041-4915- Read 8000000 96fc-a43c32cfbc0d.js C:\Users\ADMINI~1\AppData\Local\T emp\install.js Read 8000000 Files Read C:\Prog ram Files\...\T emp\fd5cc082-4041-4915-96fc-a43c32cfbc0d.js C:\Users\ADMINI~1\AppData\Local\T emp\install.js Memory Mapped Files Created a file that can be used for memory mapping Other Obtained the path of the Windows system directory Retrieved the full path for the module Reg istry Operations: 21 Reg istry Created HKCU\Software\Microsoft\Windows Script Host\Setting s HKLM\Software\Microsoft\Windows Script Host\Setting s Reg istry Opened HKCR\.js HKCR\JSFile\ScriptEng ine HKCU\Software\Microsoft\Windows Script Host\Setting s HKLM\Software\Microsoft\Windows Script Host\Setting s Reg istry Read HKCR\.js HKCR\JSFile\ScriptEng ine HKCU\Software\Microsoft\Windows Script Host\Setting s DisplayLog o HKCU\Software\Microsoft\Windows Script Host\Setting s Enabled HKCU\Software\Microsoft\Windows Script Host\Setting s Log SecuritySuccesses HKCU\Software\Microsoft\Windows Script Host\Setting s T imeout HKCU\Software\Microsoft\Windows Script Host\Setting s T rustPolicy HKCU\Software\Microsoft\Windows Script Host\Setting s UseWINSAFER HKLM\Software\Microsoft\Windows Script Host\Setting s DisplayLog o HKLM\Software\Microsoft\Windows Script Host\Setting s Enabled HKLM\Software\Microsoft\Windows Script Host\Setting s Ig noreUserSetting s HKLM\Software\Microsoft\Windows Script Host\Setting s Log SecuritySuccesses HKLM\Software\Microsoft\Windows Script Host\Setting s T imeout HKLM\Software\Microsoft\Windows Script Host\Setting s T rustPolicy HKLM\Software\Microsoft\Windows Script Host\Setting s UseWINSAFER Process Operations: 14 Process Created Process Name Module "c:\windows\system32\wscript.exe" c:\windows\system32\wscript.exe "c:\users\admini~1\appdata\local\temp\install.js" {00000323-0000-0000-C000- 000000000046} {0000032A-0000-0000-C000- 000000000046} {06290BD1-48AA-11D2-8432- 006008C3FBFC} {0D43FE01-F093-11CF-8940- 00A0C9054228} {1F486A52-3CB1-48FD-8F50- B8DC300D9F9D} {6C736DB1-BD94-11D0-8A23- 00AA00B58E10} {7B8A2D94-0AC9-11D1-896C- 00C04FB6BFC4} {A47979D2-C419-11D9-A5B4- 001185AD2B89} {C39EE728-D419-4BD4-A3EF- EDA059DBD935} {DCB00C01-570F-4A9B-8D69- 199FDBA5723B} {F414C260-6AC0-11CF-B6D1- 00AA00BBBB58} Process killed Ended itself and all of its threads T hread Created e2f25 Network Operations: 23 Other Cracked the URL into its component parts: HT T P://REVAULT .ME/DOC.CSS Headers: , HeaderLeng th: 0, Optional: , OptionalLeng th: 0 Initialized the WinINet functions, Ag ent name: mozilla/4.0 (compatible; msie 7.0; windows nt 6.1; wow64; trident/7.0; slcc2; .net clr 2.0.50727; .net clr 3.5.30729; .net clr 3.0.30729; media center pc 6.0; .net4.0c; .net4.0e), Access type: PRECONFIG Flag s: PORT _NUMBER Opened a HT T P or FT P session for a g iven site: REVAULT .ME Set an Internet option: 2 Set an Internet option: 2d Set an Internet option: 3a Set an Internet option: 3e Set an Internet option: 41 Set an Internet option: 44 Set an Internet option: 5 Set an Internet option: 56 Set an Internet option: 58 Set an Internet option: 6 Set an Internet option: 64 Set an Internet option: 65 Set an Internet option: 66 Set an Internet option: 6c Set an Internet option: 7a Set an Internet option: 7b Set an Internet option: 8c Set an Internet option: 9b Verb: g et, ObjectName: /doc.css, Version: , Referer: , Flag s: 400000, Context: 793ed8 Analysis Environment Microsoft Windows 7 Enterprise Edition Service Pack 1 (build 7601, version 6.1.7601), 64-bit Internet Explorer version: 9 Microsoft Office version: 2013 PDF Reader version: 9.0 No Flash player installed Flash player plugin version: 13.0.0.231 Platform Version 3.4.8.96.50610 Copyright © 2015 McAfee, Inc., 2821 Mission College Blvd, Santa Clara, CA 95054, www.intelsecurity.com.
Load more

Recommended publications
  • Exploring the X64
    Exploring the x64 Junichi Murakami Executive Officer, Director of Research Fourteenforty Research Institute, Inc. Who am I? • Junichi Murakami – @Fourteenforty Research Institute, Inc. – Both Windows and Linux kernel development – Reversing malware and P2P software, etc. – Speaker at: • Black Hat 2008 US and Japan, AVAR 2009, RSA Conference(2009-) – Instructor at Security & Programming Camp(2006-) 2 Environment • Windows 7 x64 Edition • Visual Studio 2008 • Windbg • IDA Pro Advanced – STD doesn’t support x64, an offering is needed! 4 Agenda • Windows x64 • ABI(Application Binary Interface) • API Hooking • Code Injection 5 Windows x64 • Native x64 and WoW64 • Virtual Address Space – 2^64 = 16 Exa Byte ( Exa: 10^18) – but, limited to 16TB by Microsoft • File/Registry reflection • New 64-bit APIs – IsWow64Process, GetNativeSystemInfo, etc. 6 ABI • Binary Format • Register • Calling Convention • Exception Handling • Systemcall(x64, WoW64) 11 Binary Format(Cont.) • Some fields were extended to 64-bits – IMAGE_NT_HEADERS.IMAGE_OPTIONAL_HEADER • ImageBase • SizeOfStackReserve • SizeOfStackCommit • SizeOfHeapReserve • SizeOfHeapCommit 13 Calling Convention • first 4 parameters are passed by RCX, RDX, R8, R9 – 5th and later are passed on the stack • caller allocates register home space on the stack • RAX is used for return values • leaf / non-leaf function – leaf function: never use stack – PE32+ contains non-leaf function’s information in its EXCEPTION DIRECTORY • Register’s volatility – volatile: RAX, RCX, RDX, R8-R11 15 Exception Handling •
    [Show full text]
  • Through the Looking Glass: Webcam Interception and Protection in Kernel
    VIRUS BULLETIN www.virusbulletin.com Covering the global threat landscape THROUGH THE LOOKING GLASS: and WIA (Windows Image Acquisition), which provides a WEBCAM INTERCEPTION AND still image acquisition API. PROTECTION IN KERNEL MODE ATTACK VECTORS Ronen Slavin & Michael Maltsev Reason Software, USA Let’s pretend for a moment that we’re the bad guys. We have gained control of a victim’s computer and we can run any code on it. We would like to use his camera to get a photo or a video to use for our nefarious purposes. What are our INTRODUCTION options? When we talk about digital privacy, the computer’s webcam The simplest option is just to use one of the user-mode APIs is one of the most relevant components. We all have a tiny mentioned previously. By default, Windows allows every fear that someone might be looking through our computer’s app to access the computer’s camera, with the exception of camera, spying on us and watching our every move [1]. And Store apps on Windows 10. The downside for the attackers is while some of us think this scenario is restricted to the realm that camera access will turn on the indicator LED, giving the of movies, the reality is that malware authors and threat victim an indication that somebody is watching him. actors don’t shy away from incorporating such capabilities A sneakier method is to spy on the victim when he turns on into their malware arsenals [2]. the camera himself. Patrick Wardle described a technique Camera manufacturers protect their customers by incorporating like this for Mac [8], but there’s no reason the principle into their devices an indicator LED that illuminates when can’t be applied to Windows, albeit with a slightly different the camera is in use.
    [Show full text]
  • Trident Development Framework
    Trident Development Framework Tom MacAdam Jim Covill Kathleen Svendsen Martec Limited Prepared By: Martec Limited 1800 Brunswick Street, Suite 400 Halifax, Nova Scotia B3J 3J8 Canada Contractor's Document Number: TR-14-85 (Control Number: 14.28008.1110) Contract Project Manager: David Whitehouse, 902-425-5101 PWGSC Contract Number: W7707-145679/001/HAL CSA: Malcolm Smith, Warship Performance, 902-426-3100 x383 The scientific or technical validity of this Contract Report is entirely the responsibility of the Contractor and the contents do not necessarily have the approval or endorsement of the Department of National Defence of Canada. Contract Report DRDC-RDDC-2014-C328 December 2014 © Her Majesty the Queen in Right of Canada, as represented by the Minister of National Defence, 2014 © Sa Majesté la Reine (en droit du Canada), telle que représentée par le ministre de la Défense nationale, 2014 Working together for a safer world Trident Development Framework Martec Technical Report # TR-14-85 Control Number: 14.28008.1110 December 2014 Prepared for: DRDC Atlantic 9 Grove Street Dartmouth, Nova Scotia B2Y 3Z7 Martec Limited tel. 902.425.5101 1888 Brunswick Street, Suite 400 fax. 902.421.1923 Halifax, Nova Scotia B3J 3J8 Canada email. [email protected] www.martec.com REVISION CONTROL REVISION REVISION DATE Draft Release 0.1 10 Nov 2014 Draft Release 0.2 2 Dec 2014 Final Release 10 Dec 2014 PROPRIETARY NOTICE This report was prepared under Contract W7707-145679/001/HAL, Defence R&D Canada (DRDC) Atlantic and contains information proprietary to Martec Limited. The information contained herein may be used and/or further developed by DRDC Atlantic for their purposes only.
    [Show full text]
  • Minimum Hardware and Operating System
    Hardware and OS Specifications File Stream Document Management Software – System Requirements for v4.5 NB: please read through carefully, as it contains 4 separate specifications for a Workstation PC, a Web PC, a Server and a Web Server. Further notes are at the foot of this document. If you are in any doubt as to which specification is applicable, please contact our Document Management Technical Support team – we will be pleased to help. www.filestreamsystems.co.uk T Support +44 (0) 118 989 3771 E Support [email protected] For an in-depth list of all our features and specifications, please visit: http://www.filestreamsystems.co.uk/document-management-specification.htm Workstation PC Processor (CPU) ⁴ Supported AMD/Intel x86 (32bit) or x64 (64bit) Compatible Minimum Intel Pentium IV single core 1.0 GHz Recommended Intel Core 2 Duo E8400 3.0 GHz or better Operating System ⁴ Supported Windows 8, Windows 8 Pro, Windows 8 Enterprise (32bit, 64bit) Windows 10 (32bit, 64bit) Memory (RAM) ⁵ Minimum 2.0 GB Recommended 4.0 GB Storage Space (Disk) Minimum 50 GB Recommended 100 GB Disk Format NTFS Format Recommended Graphics Card Minimum 128 MB DirectX 9 Compatible Recommended 128 MB DirectX 9 Compatible Display Minimum 1024 x 768 16bit colour Recommended 1280 x 1024 32bit colour Widescreen Format Yes (minimum vertical resolution 800) Dual Monitor Yes Font Settings Only 96 DPI font settings are supported Explorer Internet Minimum Microsoft Internet Explorer 11 Network (LAN) Minimum 100 MB Ethernet (not required on standalone PC) Recommended
    [Show full text]
  • Understanding the Attack Surface and Attack Resilience of Project Spartan’S (Edge) New Edgehtml Rendering Engine
    Understanding the Attack Surface and Attack Resilience of Project Spartan’s (Edge) New EdgeHTML Rendering Engine Mark Vincent Yason IBM X-Force Advanced Research yasonm[at]ph[dot]ibm[dot]com @MarkYason [v2] © 2015 IBM Corporation Agenda . Overview . Attack Surface . Exploit Mitigations . Conclusion © 2015 IBM Corporation 2 Notes . Detailed whitepaper is available . All information is based on Microsoft Edge running on 64-bit Windows 10 build 10240 (edgehtml.dll version 11.0.10240.16384) © 2015 IBM Corporation 3 Overview © 2015 IBM Corporation Overview > EdgeHTML Rendering Engine © 2015 IBM Corporation 5 Overview > EdgeHTML Attack Surface Map & Exploit Mitigations © 2015 IBM Corporation 6 Overview > Initial Recon: MSHTML and EdgeHTML . EdgeHTML is forked from Trident (MSHTML) . Problem: Quickly identify major code changes (features/functionalities) from MSHTML to EdgeHTML . One option: Diff class names and namespaces © 2015 IBM Corporation 7 Overview > Initial Recon: Diffing MSHTML and EdgeHTML (Method) © 2015 IBM Corporation 8 Overview > Initial Recon: Diffing MSHTML and EdgeHTML (Examples) . Suggests change in image support: . Suggests new DOM object types: © 2015 IBM Corporation 9 Overview > Initial Recon: Diffing MSHTML and EdgeHTML (Examples) . Suggests ported code from another rendering engine (Blink) for Web Audio support: © 2015 IBM Corporation 10 Overview > Initial Recon: Diffing MSHTML and EdgeHTML (Notes) . Further analysis needed –Renamed class/namespace results into a new namespace plus a deleted namespace . Requires availability
    [Show full text]
  • Nessus 8.3 User Guide
    Nessus 8.3.x User Guide Last Updated: September 24, 2021 Table of Contents Welcome to Nessus 8.3.x 12 Get Started with Nessus 15 Navigate Nessus 16 System Requirements 17 Hardware Requirements 18 Software Requirements 22 Customize SELinux Enforcing Mode Policies 25 Licensing Requirements 26 Deployment Considerations 27 Host-Based Firewalls 28 IPv6 Support 29 Virtual Machines 30 Antivirus Software 31 Security Warnings 32 Certificates and Certificate Authorities 33 Custom SSL Server Certificates 35 Create a New Server Certificate and CA Certificate 37 Upload a Custom Server Certificate and CA Certificate 39 Trust a Custom CA 41 Create SSL Client Certificates for Login 43 Nessus Manager Certificates and Nessus Agent 46 Install Nessus 48 Copyright © 2021 Tenable, Inc. All rights reserved. Tenable, Tenable.io, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trade- marks of Tenable,Inc. Tenable.sc, Tenable.ot, Lumin, Indegy, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective Download Nessus 49 Install Nessus 51 Install Nessus on Linux 52 Install Nessus on Windows 54 Install Nessus on Mac OS X 56 Install Nessus Agents 58 Retrieve the Linking Key 59 Install a Nessus Agent on Linux 60 Install a Nessus Agent on Windows 64 Install a Nessus Agent on Mac OS X 70 Upgrade Nessus and Nessus Agents 74 Upgrade Nessus 75 Upgrade from Evaluation 76 Upgrade Nessus on Linux 77 Upgrade Nessus on Windows 78 Upgrade Nessus on Mac OS X 79 Upgrade a Nessus Agent 80 Configure Nessus 86 Install Nessus Home, Professional, or Manager 87 Link to Tenable.io 88 Link to Industrial Security 89 Link to Nessus Manager 90 Managed by Tenable.sc 92 Manage Activation Code 93 Copyright © 2021 Tenable, Inc.
    [Show full text]
  • Programming Model Intel Itanium 64
    11/11/2003 64-bit computing AMD Opteron 64 Application of Win32 Executable File Legacy 64 bit platforms Inbuilt 128-bit bus DDR memory controller with memory bandwidth speed up to 5.3GB/s. Infectors on Intel Itanium and AMD Benefits of 64-bit processors Opteron Based Win64 Systems Use of hyper transport protocol, “glueless” architecture. Oleg Petrovsky and Shali Hsieh Increased integer dynamic range Computer Associates International Inc. Available in up to 8 way configuration with the clock speeds 1 Computer Associates Plaza, Islandia, NY 11749, Much larger addressable memory space of 1.4 GHz, 1.6 GHz and 1.8 GHz . USA Benefits to database, scientific and cryptography Reuses already familiar 32-bit x86 instruction set and applications extends it to support 64-bit operands, registers and memory pointers. AMD64 Programming Model AMD64: Programming model Intel Itanium 64 X86 32-64 64 bit Itanium line of processors is being developed by Intel XMM8 X86 80-Bit Extends general use registers to 64-bit, adds additional eight 64-Bit X87 general purpose 64-bit registers. Itanium - 800 MHz, no on die L3 cache, Itanium 2 - 1GHz, RAX EAX AX 3MB L3 on die, Itanium 2003 (Madison) - 1.5 GHz, 6MB L3 on die cache, 410M transistors, largest integration on a RBX Reuses x86 instruction set. single silicon crystal today. XMM15 RCX Runs 32-bit code without emulation or translation to a native Itanium line of processors utilizes more efficient and robust XMM0 than legacy x86 instruction set architecture F instruction set. R8 L A Itanium has to use x86-to-IA-64 decoder a specifically Minimizes learning curve.
    [Show full text]
  • Automated Malware Analysis Report For
    ID: 310931 Sample Name: 44S5D444F55G8222Y55UU44S4S.vbs Cookbook: default.jbs Time: 07:32:12 Date: 07/11/2020 Version: 31.0.0 Red Diamond Table of Contents Table of Contents 2 Analysis Report 44S5D444F55G8222Y55UU44S4S.vbs 4 Overview 4 General Information 4 Detection 4 Signatures 4 Classification 4 Startup 4 Malware Configuration 4 Yara Overview 4 Sigma Overview 4 Signature Overview 4 AV Detection: 5 Data Obfuscation: 5 Persistence and Installation Behavior: 5 Malware Analysis System Evasion: 5 HIPS / PFW / Operating System Protection Evasion: 5 Mitre Att&ck Matrix 5 Behavior Graph 6 Screenshots 6 Thumbnails 6 Antivirus, Machine Learning and Genetic Malware Detection 7 Initial Sample 7 Dropped Files 7 Unpacked PE Files 7 Domains 7 URLs 7 Domains and IPs 8 Contacted Domains 8 Contacted URLs 8 URLs from Memory and Binaries 8 Contacted IPs 8 Public 9 General Information 9 Simulations 10 Behavior and APIs 10 Joe Sandbox View / Context 10 IPs 10 Domains 10 ASN 10 JA3 Fingerprints 11 Dropped Files 11 Created / dropped Files 11 Static File Info 11 General 11 File Icon 12 Network Behavior 12 TCP Packets 12 HTTP Request Dependency Graph 12 HTTP Packets 12 Code Manipulations 13 Statistics 13 Behavior 13 System Behavior 14 Analysis Process: wscript.exe PID: 6124 Parent PID: 3388 14 Copyright null 2020 Page 2 of 15 General 14 File Activities 14 File Created 14 File Written 14 Registry Activities 15 Analysis Process: wscript.exe PID: 5560 Parent PID: 6124 15 General 15 File Activities 15 Disassembly 15 Code Analysis 15 Copyright null 2020 Page 3 of
    [Show full text]
  • Oracle Database Platform Guide for Windows
    Oracle® Database Platform Guide 10g Release 1 (10.1) for Windows Part No. B10113-01 December 2003 Oracle Database Platform Guide, 10g Release 1 (10.1) for Windows Part No. B10113-01 Copyright © 1996, 2003 Oracle Corporation. All rights reserved. Primary Author: Craig B. Foch Contributing Author: Mark Kennedy and Helen Slattery Contributor: David Collelo The Programs (which include both the software and documentation) contain proprietary information of Oracle Corporation; they are provided under a license agreement containing restrictions on use and disclosure and are also protected by copyright, patent and other intellectual and industrial property laws. Reverse engineering, disassembly or decompilation of the Programs, except to the extent required to obtain interoperability with other independently created software or as specified by law, is prohibited. The information contained in this document is subject to change without notice. If you find any problems in the documentation, please report them to us in writing. This document is not warranted to be error-free. Except as may be expressly permitted in your license agreement for these Programs, no part of these Programs may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose. If the Programs are delivered to the U.S. Government or anyone licensing or using the programs on behalf of the U.S. Government, the following notice is applicable: Restricted Rights Notice Programs delivered subject to the DOD FAR Supplement are "commercial computer software" and use, duplication, and disclosure of the Programs, including documentation, shall be subject to the licensing restrictions set forth in the applicable Oracle license agreement.
    [Show full text]
  • Product Name User Guide
    Smart-X Software Solutions Core Configurator User guide _______________________________________________________________ SmartX Software Solutions Core Configurator User Guide Table of content: WELCOME 4 FEATURES AND CAPABILITIES 5 MORE SYSTEM MANAGEMENT TOOLS 6 REQUIREMENTS 8 LICENSING AND INSTALLATION 8 EVALUATION VERSION LIMITATION 8 INSTALLATION 8 INSTALLING CORECONFIG ON WINDOWS 7 / 2008 R2 BETA VERSIONS 9 LICENSING 10 WORKING WITH CORE CONFIGURATOR 11 שגיאה! הסימניה אינה מוגדרת. CORE CONFIGURATOR MAIN SCREEN – 32 BIT HOW IT WORKS 11 CORE CONFIGURATOR MAIN SCREEN – 64 BIT 12 ACTIVATION SCREEN 13 HOW IT WORKS: 13 DISPLAY SETTINGS 14 HOW IT WORKS 14 TIME ZONE 15 HOW IT WORKS 15 REMOTE DESKTOP 16 HOW IT WORKS 16 ACCOUNT MANAGEMENT 17 HOW IT WORKS 17 FIREWALL 18 HOW IT WORKS 18 WINRM 19 HOW IT WORKS 19 NETWORKING 20 HOW IT WORKS 21 COMPUTER NAME 22 HOW IT WORKS 22 FEATURES 23 HOW IT WORKS 23 BACKUP PERFORMANCE 24 DCPROMO 25 HOW IT WORKS 26 AUTOMATIC UPDATES 27 HOW IT WORKS 29 REGIONAL LANGUAGES 30 HOW IT WORKS 30 REGISTRY EDITOR 31 2 SmartX Software Solutions Core Configurator User Guide HOW IT WORKS 31 TASK MANAGER 32 HOW IT WORKS 32 SERVICE 33 HOW IT WORKS 33 SYSTEM INFO 34 SHOW COMMANDS 35 3 SmartX Software Solutions Core Configurator User Guide Chapter 1 Welcome Welcome to Smart-X. Thank you for choosing Core Configurator™, one of the top tools developed by Smart-X Software Solutions expert team in an effort to optimize your everyday work. Core Configurator helps you manage your system efficiently, effortlessly and productively. This chapter describes the features and capabilities of Core Configurator, and lists additional tools in the same field that can help optimize your work environment.
    [Show full text]
  • The Evolution of TDL: Conquering X64
    The Evolution of TDL: Conquering x64 Revision 1.1 Eugene Rodionov, Malware Researcher Aleksandr Matrosov, Senior Malware Researcher 2 2 CONTENTS 3 INTRODUCTION ..................................................................................................................................................... 4 1 INVESTIGATION ............................................................................................................................................. 5 1.1 GANGSTABUCKS ............................................................................................................................................... 6 2 INSTALLATION ............................................................................................................................................. 11 2.1 INFECTING X86 SYSTEMS .................................................................................................................................. 11 2.2 INFECTING X64 SYSTEMS .................................................................................................................................. 13 2.3 THE DROPPER’S PAYLOAD ................................................................................................................................ 14 2.4 COMPARISON WITH TDL3/TDL3+..................................................................................................................... 15 3 THE BOT .....................................................................................................................................................
    [Show full text]
  • Download “The Spy Who Encrypted Me” Case Study
    April, 2020 APT41 The Spy Who Encrypted Me Contents APT41 – A spy who steals or a thief who spies ......................................................... 3 The investigation .................................................................................................. 3 The base .......................................................................................................... 4 The toolkit ........................................................................................................ 5 The point of entry .............................................................................................. 6 The initial vector of compromise .......................................................................... 8 Indicators of Compromise .................................................................................... 10 References ......................................................................................................... 11 244 Fifth Avenue, Suite 2035, New York, NY 10001 LIFARS.com (212) 222-7061 [email protected] APT41 – A SPY WHO STEALS OR A THIEF WHO SPIES An advanced persistent threat (“APT”) is, typically, either a nation-state actor and aims at benefiting its state through sabotage, espionage, or industrial espionage; or a cybercriminal and its aims are to steal money through theft, fraud, ransom or blackmail. The Chinese-based threat actor APT41 blurs the lines: known to have run financially- motivated operations against the videogame industry as early as 2012, it got its notoriety in 2013 when
    [Show full text]