Today I will take a quick look at a keystroke logger whose unpacked version has a much lower detection rate on VT than its UPX-packed version, and which uses RC4 encryption and Base64 encoding with a custom alphabet. We picked up this file recently while observing some APT activity on a victim’s network, and ...
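The two building blocks named above, RC4 and Base64 over a non-standard alphabet, are the kind of thing an analyst has to reimplement to read a sample's captured keystrokes or C2 traffic. The decoder below is an added example written for this index page; it is not code from the post or from the malware. The custom alphabet (`DEMO_ALPHABET`) and key (`DEMO_KEY`) are constructed for illustration, since the real sample's values are not given here. The approach generalizes: translate the custom alphabet back to the standard one, let the standard library do the Base64 work, then run RC4 (which is its own inverse) over the result.

```python
import base64

# Standard Base64 alphabet; used as the translation target for a custom alphabet.
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Constructed for this example only: the sample's real alphabet and key are not on this page.
DEMO_ALPHABET = "ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba9876543210+/"
DEMO_KEY = b"demo-key"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    # Key-scheduling algorithm: permute S using the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation: XOR each data byte with the next keystream byte.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _check_alphabet(alphabet: str) -> None:
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain exactly 64 distinct characters")


def custom_b64decode(text: str, alphabet: str) -> bytes:
    """Decode Base64 written with a custom alphabet. '=' padding is assumed unchanged."""
    _check_alphabet(alphabet)
    std_text = text.translate(str.maketrans(alphabet, STD_ALPHABET))
    # validate=True makes stray characters an error instead of silently skipping them,
    # which is what you want when you are unsure you have the right alphabet.
    return base64.b64decode(std_text, validate=True)


def custom_b64encode(data: bytes, alphabet: str) -> str:
    """Inverse of custom_b64decode; handy for building test fixtures and detections."""
    _check_alphabet(alphabet)
    std_text = base64.b64encode(data).decode("ascii")
    return std_text.translate(str.maketrans(STD_ALPHABET, alphabet))


def decode_blob(blob: str, key: bytes, alphabet: str) -> bytes:
    """Custom-alphabet Base64 -> RC4 ciphertext -> plaintext."""
    return rc4(key, custom_b64decode(blob, alphabet))


def encode_blob(plaintext: bytes, key: bytes, alphabet: str) -> str:
    """Plaintext -> RC4 ciphertext -> custom-alphabet Base64 (the layering described above)."""
    return custom_b64encode(rc4(key, plaintext), alphabet)


if __name__ == "__main__":
    # Constructed keystroke record standing in for a captured log line.
    record = b"[notepad.exe] typed: hunter2\r\n"
    wire = encode_blob(record, DEMO_KEY, DEMO_ALPHABET)
    print("on the wire:", wire)
    print("recovered:  ", decode_blob(wire, DEMO_KEY, DEMO_ALPHABET))
```

To use this on a real sample, pull the 64-character alphabet string and the RC4 key from the binary (both usually sit as plain string or byte constants near the encode routine) and substitute them for the two demo values; if `base64.b64decode` raises a binascii error, the alphabet you recovered is wrong or the sample also alters its padding character.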
Trojan.GTalk Today I am going to write about an interesting Trojan, whose concept (controlling malware via instant messaging) has been used for some time. However, Christmas came early this year, and during one of our recent engagements we came across the C2 portion of this Trojan (screenshots are located at the end of this ...
Trojan.Prime Today I am going to write about an interesting Trojan that our company came across. The dropper/installer file for this sample is a self-extracting executable (with a Windows folder icon), which is old news. The sample itself, though, is pretty interesting. The sample works, in principle, the same way that ...
Poison Ivy Today I am going to look at a Trojan called Poison Ivy, which is old news for those of you who have worked in this field. However, because of its efficiency this Trojan continues to be used time and time again in attacks. This specific sample was used in a campaign to ...
Trojan.Matryoshka Today I am going to look at two different pieces of malware and the carrier file that delivered it all. The carrier file is pretty straightforward and, as designed, it will drop a malicious file. I am going to refer to this dropped file as Trojan.Matryoshka, because like nesting ...
In one of our recent engagements we found an interesting Trojan that we thought was worth blogging about, not because of its capability but rather because of the way it was being controlled. Jared and I looked at this Trojan together and named it Trojan.Boxnet. Summary Trojan.Boxnet uses the file sharing site www.box.net as a ...
Today I will take a look at a sample that is known internally as Trojan.Cookies. This Trojan is basic but effective. This sample is capable of uploading and downloading files as well as providing a reverse shell. The information for this Trojan is listed below. File Name: AcroRD32.exe File Size: 147456 bytes MD5: 2c4cabb4ca19ddf87c7f11bad44bdf05 ...
Today I will write about a sample that I will refer to as Trojan.Foxy. Trojan.Foxy requests and parses .JPG images that contain encoded instructions. The encoding algorithm used by this Trojan is loosely based on the Vigenère cipher; however, there is a deviation in how the cipher is applied. The Trojan that will ...
Today I will write about a Trojan that I will refer to as Trojan.Letsgo and some interesting artifacts I was able to recover from its C2 node located in China. However, before I write about Trojan.Letsgo, I have to talk about another Trojan that is very similar to other samples I have blogged about, that ...
Today I will take a look at a Trojan that was dropped from a malicious Word document with the following characteristics: File Name: SKY Perfect JSAT Launches ExBird Satellite IP Network Service.doc File Size: 160822 bytes MD5: ab35199de232bfbb99a676cf881e9a85 SHA1: b9953ca586709bf6ddb98fe0c2d164f9f48f02e9 There is nothing too interesting about the document, just the normal stuff, as it is ...