Sep 25, 2015 - reverse engineering

Ranbyus's DGA, Revisited: A second version of the Domain Generation Algorithm

In May I wrote about the Domain Generation Algorithm (DGA) of the banking trojan Ranbyus. This week I stumbled on some new Ranbyus samples that use a significant modification of the DGA. For simplicity’s sake I call the DGA from the previous post the May DGA, and the DGA in this post the

Jul 19, 2015 - reverse engineering

The Faulty Precursor of Pykspa's DGA

Pykspa is a worm that spreads over Skype. The malware has been relying on a domain generation algorithm (DGA) to contact its command and control targets since at least October 2013. Even though the C2 infrastructure seems to be long abandoned, there are still many infected clients. Virustracker,

Jun 20, 2015 - reverse engineering

Win32/Upatre.BI - Part Four: Payload Format

This last article is all about the second stage payload of Upatre. The first part shows how the download handler decrypts and parses the payload. The analysis leads to a description of the payload's format. It also shows how the unpacking stub of the payload decompresses, prepares and launches the...

Jun 16, 2015 - reverse engineering

Win32/Upatre.BI - Part Three: Main Loop

This blog post analyzes the core routine of Upatre. It is covered in only one of my four parts on Upatre, because it honestly doesn't do much. The ultimate goal of Upatre is to download the second stage payload, which will do the real damage. As already touched on in the discussion of Upatre's configuration
