Recomendados
Más contenido relacionado
Similar a TS/NOFORN
Similar a TS/NOFORN (20)
Último
Último (20)
TS/NOFORN
- 1. MARIONMARSCHALEK@PINKFLAWDMARION@CYPHORT.COMBCC0 7607 2FFA BCA8 9048 D648 D169 73AF F372 F2CA
- 2. Welcome to the keynote circuit –I thought that‘s where old people like me go to die? ;) -Halvar Flake, Oct.14 2014
- 7. http://www.fanpop.com/ SOPHISTICATEDWEAPONRY WITH SUPERPOWERS
- 12. SUSPECT #1 •FILESIZE:192512•COMPILETIME: 2010:05:06 •C&C: CALLIENTEFEVER.INFO•HTTP ACCEPT-LANGUAGE: FR
- 14. PING EXEC HTTPFASPFLOODTCPFLOODWEBFLOODPOSTFLOODATCLEAR STATISTICSKILLSET UPLOAD UPDATE PLUGIN SUSPECT #1 FLOODING ALL THE THINGS
- 15. SUSPECT #1
- 16. OMG!!
- 17. SUSPECTS #[2-4] •FILESIZE: 184320 •CODESIZE: 139264 •COMPILETIME: 2010:02:16 18:05:54+01:00 •FILESIZE: 184320 •CODESIZE: 139264 •COMPILETIME: 2010:03:11 17:55:03+01:00 •FILESIZE: 792064 •CODESIZE: 583680 •COMPILETIME: 2011:10:2520:28:39+01:00
- 18. SUSPECT #4 •FILESIZE: 792064 •COMPILETIME: 2011:10:2520:28:39+01:00•API NAMEHASHINGKEYAB34CD77H•HTTP://1.9.32.11/BUNNY/TEST.PHP?REC=NVISTAANTI-ANALYSIS| THREADS& FILES| CPU DATA| C&C COMMANDS| LUA
- 19. Not funny.
- 20. AV PRODUCTENUMERATIONFIREWALLPRODUCTENUMERATIONSANDBOXCHECK"KLAVME", "MYAPP", "TESTAPP", "AFYJEVMV.EXE“, TIMINGCONDITIONSUSPECT #4SELECT * FROM ANTIVIRUSPRODUCTSELECT * FROM FIREWALLPRODUCT
- 21. SUSPECT #4Big BossWorker2Worker1Worker0Worker3MainThreadPerfMon CommandParsing ScriptExecution Manage Worker ThreadsFileMan/Inet
- 23. LUA ThreadCmd ParsingExecute CommandStart LUA ThreadSUSPECT #4 Advanced Command and Script Parsing
- 24. SUSPECT #4 Advanced Command and Script Parsing4 WORKERTHREADSEXECUTINGLUA SCRIPTSLUA 5.1 + C/INVOKECODECALLBACKFROMLUA TOC++
- 26. Vulnerability Summary for CVE-2011-4369 Original release date: 12/16/2011 Last revised: 01/29/2013 Source: US-CERT/NIST http://blog.9bplus.com/analyzing-cve-2011-4369-part-one/
- 27. SUSPECT #5 •FILESIZE: 966144 •CODESIZE: 128512 •COMPILETIME: 2011:10:2519:28:00+01:00 •DROPPERFORSUSPECT#4 •SAMEC&CSASSUSPECT#4
- 28. ACRORD32INFO.EXE Location Remote Host Port Number Oakville, Canada 69.90.160.65 80 Montréal,Canada 70.38.107.13 80 Montréal,Canada 70.38.12.10 80 http://www.threatexpert.com/report.aspx?md5=c40e3ee23cf95d992b7cd0b7c01b8599SUSPECT #5
- 29. SRSLY?
- 32. SWISS CHEESE ATTRIBUTION•PROJECTNAMEDBUNNY, VERSION2.3.2•DDOS BOTNETOPERATORS•ACCEPT-LANGUAGE: FR•C&C SERVERSHOSTEDINCANADA•C&C DOMAINSRESEMBLEFRENCH/IRANIANWEBSITES•AUTHORNOENGLISHNATIVE-SPEAKER... •LUA? MUSTBEFLAME
- 33. Wars not make one great.
- 39. Viperis a binary management and analysis frameworkdedicated to malware and exploit researchers. http://viper.li/
- 40. ACKNOWLEDGEMENTS•MR. WHITE, MR. ORANGE, MR. BLONDE& MR. PINK•MORGANMARQUIS-BOIRE•INBARRAZ•NICOLASBRULEZ•@EMERGENCYKITTENS
- 41. Thank you! Marion Marschalek @pinkflawd marion@cyphort.com http://karmadecay.com/