Monday, September 9, 2013

Back to the future - Analysis of an old Downloader

This article is an analysis of a Downloader first discovered ITW in 2006. It is widely detected by Anti-Virus vendors, also several reports are available:

It uses a couple of interesting techniques, although it later showed some were implemented in a sloppy way:

- Uses some sort of code obfuscation
- Sensitive strings are encrypted
- uses a kernelmode driver to hide its process

Virustotal statistics indicate this downloader is still in use, although the server of the sample I have analyzed isn't available anymore (more samples see Appendix).

Sample (UPX packed)
Target machine: x86
Size: 13.824 bytes
Compilation timestamp: 2006-11-25 19:29:09
SHA1: f18803def56bf6bfb067459ee6a9589d9f135c29
Download (pw: infected):
Appendix samples (pw: infected):


Sunday, August 11, 2013

Brief description of a signed Adware/PUP Downloader

To publish articles more frequently and thus making this Blog a bit more interesting, I decided to drop my intention to only write "in-depth" analyses about "special" malware. From today, I start to also release information about my "every day" discoveries, which in the past always ended up in the trash (and there was a lot of them :-)). Of course, these "every day" Blogposts can not be that technical and detailed as a complete malware analysis, but I hope it's interesting anyway.

To start with, this Blogpost is something like a warming phase to my upcoming article about a cross-platform (x86/x64) "Adware" family with some interesting techniques.

So let's go...

The downloader comes in two different sizes (376.9 KB, 381.5 KB) and with a lot of instances (see list of hashes at the end). Two samples of each size can be downloaded here:

Sample - 376.9 KB
VT Report:
Download (PW: infected):

Sample - 381.5 KB
VT Report:
Download (PW: infected):


Wednesday, June 19, 2013

South Korea Incident - Analysis of a tiny Downloader

In this short Blogpost I am going to dissect a Downloader which is part of the ongoing "1Mission" campaign against targets in South Korea (thanks Chae Jong Bin for pointing me at). The Downloader comes in the form of a DLL and has the small size of 4 KB. What remains unknown is the way the DLL gets executed (through exploit/loader/...). Except its small size there isn't anything special about this malware. Unfortunately the file it wanted to download isn't available anymore, so there is no chance to dig deeper...

DLL sample
Size: 4.096 Bytes
Timestamp: 2013-05-30 03:54:37
MD5: 17e3e09c27d26c81c9f33882279d6319
SHA1: c467f59cddba2d029044f6f2b22b6b2123b341b6


Wednesday, April 24, 2013

South Korea Incident - New Malware samples

A few weeks ago, I started to reverse engineer a malicious x64 .dll (see Parts section below, No. 2) to begin to learn x64 (dis)assembly. From analysis it became apparent that the .dll was part of a bigger malware package. After a while searching on the Internet, I found some Droppers which contained similar files to the one I was analyzing. Luckily some of the files of these Droppers contained .pdb debug strings. At the same time there were the "South Korean Cyber Attacks" on banks and broadcasting organizations (see: and As it turned out, the Droppers I found are from the same attackers like described in the Symantec article. So I did another search on the Internet to find more malware samples which I will now present in this article. For me, it would take a long time to analyze all these samples, so I release them now that other people can also take a look at them.

To make it clear, this Blogpost is just an overview of the various malware samples and no analysis! Therefore all credit goes to the people who provided me the samples: Chae Jong Bin (MD5 hashes), Artem Baranov (samples), Xylitol (samples).


Sunday, January 20, 2013

Analysis of an uncommon Downloader

This will be a quick analysis of a Downloader I recently came across (thanks to Artem for providing the sample!). What makes this malware special is the uncommon programming language which it uses to accomplish its tasks (actually a scripting language). The malware itself is very rudimentary, only the actual Downloader (spawns a shellcode) is a bit more advanced. Unfortunately the server isn't responding to the requests from the Downloader, so it is unclear what final purpose this malware has. I think the scripting languages and the shellcode were chosen to evade AV (heuristic) detections. The detection rates of the Dropper are still very low (6/46), even 2 years after its creation:

I haven't uploaded the dropped files, but I guess detections rates are also very low if at all. This task is left to the reader. ;-)

What is interesting about this malware:
- Makes use of Gentee scripting language (actually uses CreateInstall, which was coded in Gentee)
- Makes use of AutoIt scripting language
- Spawns a shell to download additional component(s)

A dynamic analysis of this malware can be found at

I try to give some additional information, so let's start with the Dropper.

Note: All files of this malware have the extension ".com", but they are all .exe files (just renamed to .com).