Saturday, August 21, 2010

XLS FEATHEADER original malware Analysis!!

After getting the comments, I decided to post a short comparison and analysis of the original malware I had and the recreated file.

The samples can be downloaded from the link below for analysis:
http://www.mediafire.com/download.php?xjmcp9agma1sctl

The file "original malware.xls" is 109184 bytes because an executable of 17536 bytes is appended to it at offset 0x13e00. The first 1536 bytes of that executable are XOR'ed with the 32-bit key 0x66778899, and a byte flip was also applied.

A genuine xls file of 10240 bytes is also embedded in the exploit, at offset 0x18280.


After removing the malware exe and the genuine file from the exploit, the remaining file was 81408 bytes.

In that file, at offset 0x13408, is the shellcode, which dropped the executable and the xls file in %temp% and executed the... Its size is 0x2552 bytes, and the shellcode is XOR'ed with the 8-bit key 0x01.

The extracted shellcode and the decoded shellcode are also in the archive above.
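To make the layout above concrete, here is an added Python script (not from the original post or its archive) that carves the three parts out of a file with this layout, undoes the two encodings, and checks that the carved pieces carry the expected MZ and OLE signatures. It assumes that "byte flip" means the byte order is reversed within each 4-byte word (if it meant a bitwise NOT, only the two struct lines change), and the sample it builds for itself is constructed, not the real malware.

```python
import struct

# Layout of "original malware.xls" as stated in the post (sizes in bytes).
TOTAL_SIZE = 109184
EXE_OFFSET, EXE_SIZE = 0x13E00, 17536    # dropped executable
ENC_LEN = 1536                           # leading exe bytes that are encoded
XOR_KEY = 0x66778899                     # 32-bit key from the post
XLS_OFFSET, XLS_SIZE = 0x18280, 10240    # embedded genuine (decoy) workbook
SC_KEY = 0x01                            # single-byte key on the shellcode
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file signature

def decode_exe_header(enc):
    """Undo XOR + byte flip on the first ENC_LEN bytes of the carved exe.
    Assumption: 'byte flip' = byte order reversed inside each 4-byte word."""
    out = bytearray()
    for (w,) in struct.iter_unpack("<I", enc[:ENC_LEN]):
        out += struct.pack(">I", w ^ XOR_KEY)   # stored LE dword ^ key, flipped
    return bytes(out) + enc[ENC_LEN:]

def encode_exe_header(plain):
    """Inverse of decode_exe_header; only used to build the constructed sample."""
    out = bytearray()
    for (w,) in struct.iter_unpack(">I", plain[:ENC_LEN]):
        out += struct.pack("<I", w ^ XOR_KEY)
    return bytes(out) + plain[ENC_LEN:]

def decode_shellcode(enc):
    """The shellcode is XOR'ed with a single byte, 0x01."""
    return bytes(b ^ SC_KEY for b in enc)

def split_sample(blob):
    """Carve the exploit document, the dropped exe and the decoy xls apart."""
    if len(blob) != TOTAL_SIZE:
        raise ValueError("size %d does not match the described sample" % len(blob))
    exe = decode_exe_header(blob[EXE_OFFSET:EXE_OFFSET + EXE_SIZE])
    xls = blob[XLS_OFFSET:XLS_OFFSET + XLS_SIZE]
    return {
        "exploit": blob[:EXE_OFFSET],    # what remains once both payloads are removed
        "exe": exe,
        "xls": xls,
        "exe_has_mz": exe[:2] == b"MZ",  # DOS stub reappears only if decoding is right
        "xls_is_ole": xls[:8] == OLE_MAGIC,
    }

def build_constructed_sample():
    """Constructed stand-in for the real file: same layout, dummy contents."""
    fake_exe = (b"MZ" + bytes(range(256)) * 69)[:EXE_SIZE]
    fake_xls = (OLE_MAGIC + b"\x00" * XLS_SIZE)[:XLS_SIZE]
    return b"\x00" * EXE_OFFSET + encode_exe_header(fake_exe) + fake_xls
```

Running `split_sample` on the real file instead of the constructed one is a quick way to confirm the offsets and key, since both signature checks come back False if any of them is off.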


Also, it is requested that you first analyze deeply and use a Google search before claiming something.


This was a short analysis. More to come soon.
