<d2bf6f4a> >>> [+] [ 62 bytes]:
  state information:
    data field 0: 0x263
    data field 1: 0x23426908
    data field 2: 0x0
    data field 3: 0x0 <- injects version
    data field 4: 0x0
    data field 5: 0x0
    data field 6: 0x0 <- webfilters version
    data field 7: 0x0

<b84216c7> <<< [+] [ 4 bytes]:
  client ip 195.187.238.160
<be8ec514> <<< [+] [ 257 bytes]:
  uri found: 66.168.203.239:34352
  uri found: 98.109.148.2:34352
  uri found: 80.147.180.254:34352
  uri found: 162.222.25.250:34352
  uri found: 78.28.51.22:34352
  uri found: 75.166.109.79:34352

rule nymaim : trojan
{
    meta:
        author = "mak"
    strings:
        // push ebp; mov ebp, esp; push r32; mov r32, [esp+4]; mov [esp+10h], r32; mov r32, [esp+0Ch]; <op> r32, [esp+8]; jmp
        $call_obfu_xor = { 55 89 E5 5? 8B ?? 04 89 ?? 10 8B ?? 0C 33 ?? 08 E9 } // 33 = xor
        $call_obfu_add = { 55 89 E5 5? 8B ?? 04 89 ?? 10 8B ?? 0C 03 ?? 08 E9 } // 03 = add
        $call_obfu_sub = { 55 89 E5 5? 8B ?? 04 89 ?? 10 8B ?? 0C 2b ?? 08 E9 } // 2B = sub
        $nym_get_cnc = { E8 [4] C7 45 ?? [4] C7 45 ?? [4] 83 ?? } // 3D [4] 01 74 4E E8 }
    condition:
        any of them // assumed: the original gist is cut off before its condition section
}

    jz      loc_4381B4
    xchg    eax, [ebp-0Ch]
    push    053h
    call    sub_408D02
    push    050h
    call    sub_408D02
    push    edx
    push    8AB4BF9Eh
    push    754A35C1h
    call    sub_41CF77

    mov     eax, 0x8CBFB5FF
    call    xor_eax_with_8CBFB5DA

    jmp     0x42424242

    push    0x40404040
    push    0x02020202
    jmp     detour
detour:
    pop     eax             ; oversimplification, detour can never spoil registers
    pop     ebx
    add     eax, ebx        ; or xor, or sub, or add
    jmp     eax

    jz      loc_4381B4
    xchg    eax, [ebp-0Ch]
    push    053h
    call    push_cpu_register   ; push ebx
    push    050h
    call    push_cpu_register   ; push eax
    push    edx
    push    8AB4BF9Eh
    push    754A35C1h
    call    detour_1            ; call f(8AB4BF9Eh, 754A35C1h)

    jz      loc_4381B4
    xchg    eax, [ebp-0Ch]
    ; nops
    push    ebx
    ; nops
    push    eax
    call    sub_428b51
    ; nops
    mov     eax, 25h
    mov     ecx, [ebp-0Ch]

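The two obfuscation patterns shown in the listings above (an immediate pair folded by a detour, and `mov eax, imm` followed by an XOR helper) can be folded back to their real operands statically. The following is an added example, not code from the original analysis; the detour labels, the sample listing and the helper naming are constructed for it:

```python
import re

# Combinators for the three detour flavours seen in the listings (constructed
# label names; the real binary reaches them through computed calls).
DETOUR_OPS = {
    "detour_add": lambda a, b: (a + b) & 0xFFFFFFFF,
    "detour_xor": lambda a, b: a ^ b,
    "detour_sub": lambda a, b: (a - b) & 0xFFFFFFFF,
}

PUSH = re.compile(r"^\s*push\s+0x([0-9A-Fa-f]+)\s*$")
JMP_DETOUR = re.compile(r"^\s*jmp\s+(detour_\w+)\s*$")
MOV_EAX = re.compile(r"^\s*mov\s+eax,\s*0x([0-9A-Fa-f]+)\s*$")
XOR_CALL = re.compile(r"^\s*call\s+xor_eax_with_([0-9A-Fa-f]+)\s*$")

def fold_detours(lines):
    """Rewrite a textual listing, replacing each obfuscated pair with its folded form."""
    out, i = [], 0
    while i < len(lines):
        # Pattern 1: push A; push B; jmp detour  ->  jmp op(B, A)
        # B is on top of the stack, so the detour pops it into eax first.
        if i + 2 < len(lines):
            m1, m2, m3 = PUSH.match(lines[i]), PUSH.match(lines[i + 1]), JMP_DETOUR.match(lines[i + 2])
            if m1 and m2 and m3 and m3.group(1) in DETOUR_OPS:
                a, b = int(m1.group(1), 16), int(m2.group(1), 16)
                out.append(f"jmp 0x{DETOUR_OPS[m3.group(1)](b, a):08X}")
                i += 3
                continue
        # Pattern 2: mov eax, A; call xor_eax_with_K  ->  mov eax, A ^ K
        if i + 1 < len(lines):
            m1, m2 = MOV_EAX.match(lines[i]), XOR_CALL.match(lines[i + 1])
            if m1 and m2:
                out.append(f"mov eax, 0x{int(m1.group(1), 16) ^ int(m2.group(1), 16):X}")
                i += 2
                continue
        out.append(lines[i].strip())
        i += 1
    return out

SAMPLE = [  # constructed listing mirroring the snippets above
    "push 0x40404040",
    "push 0x02020202",
    "jmp detour_add",
    "mov eax, 0x8CBFB5FF",
    "call xor_eax_with_8CBFB5DA",
    "mov ecx, [ebp-0Ch]",
]

if __name__ == "__main__":
    print("\n".join(fold_detours(SAMPLE)))
```

The folded output reproduces the `jmp 0x42424242` and `mov eax, 25h` seen in the cleaned listings; the regexes only match the exact textual forms used here, so a real pass would sit on top of a disassembler rather than on text.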
#include <string.h>

/* Copies between plaintext and encrypted sections, transparently (de)crypting
 * so that callers never see ciphertext. is_in_encrypted_section,
 * memcpy_and_encrypt and memcpy_and_decrypt are the sample's own helpers. */
void encrypted_memcpy(char *to, char *from, int len) {
    if (is_in_encrypted_section(to)) {
        if (is_in_encrypted_section(from)) {
            memcpy(to, from, len);              /* both encrypted: copy as-is */
        } else {
            memcpy_and_encrypt(to, from, len);  /* plaintext into encrypted section */
        }
    } else {
        if (is_in_encrypted_section(from)) {
            memcpy_and_decrypt(to, from, len);  /* encrypted section into plaintext */
        } else {
            memcpy(to, from, len);              /* both plaintext */
        }
    }
}