Hello Spider, welcome to the Malware Research group! Please read the pinned message before you post!
Users and their contacts receive threatening messages or calls, including death threats.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/spyloan-a-global-threat-exploiting-social-engineering/
Link to the video: https://drive.google.com/file/d/1m7H9MvByWDX8BLr-oAq85FNxGjLJ3rCq/view?usp=sharing
Introducing the Dr01dc4ll C2 Framework
Dr01dc4ll is a C2 framework I have been developing. It is a powerful C2 framework supporting post-exploitation modules for Android, since it has many abilities. It's not a RAT or spyware or just a simple C&C; it differs from any other C2 implemented because:
It uses its own protocol, which I named the droidcall protocol. It can deliver:
commands, RPC calls, modules and packets, as I will explain below.
So the app contains just one class, which is the Dropper, and it can be injected easily inside any other app if you reverse engineer it. The dropper connects to an HTTP server (payload delivery) and retrieves the agent module, which is the main module, and executes it in memory. The agent is responsible for communications and for loading or unloading modules from memory, and contains nothing else. Droidcall protocol messages are sent over TCP or WebSocket; because of this we have two agents, and the server is configured to deliver the right one. The TCP agent module is very small, just 14 KB, as we will see in the videos, because it doesn't contain any dependencies at all.
Main post-exploitation modules developed:
1. PermX.dex requests permissions while other apps are running, as we will see in the videos, easily tricking the user into granting the permissions needed.
2. AppControl.dex starts activities, installs and uninstalls apps, shows the running apps to spy on which app is currently running, sends notifications, broadcasts intents and so on.
3. FileSystem.dex provides commands like ls, pwd, mkdir, upload, download, etc.
4. Spy.dex provides the ability to capture photos from the cameras, record audio from the available microphones, get the GPS location and so on.
5. Dumper.dex provides the ability to dump SMS, call logs, contacts, installed apps, network interface info, the SIM number and the currently connected SSID if the device is connected to a Wi-Fi network.
6. HijackView.dex provides the ability to capture credentials from the user by phishing from the currently running app, without using something like a fake server to capture the credentials; instead we interact with the real one, as we see in the videos.
7. TunnelLocal.dex provides the ability to employ the droidcall protocol to deliver and send packets using the same host and port the agent is connected to, in order to apply tunneling and access private hosts on the same target network. All of this is a custom implementation from scratch and has a tiny size in bytes, meaning the server can handle thousands of clients and thousands of tunnels using just one listening port.
8. SSHTunnel.dex provides the ability to tunnel over SSH instead of the built-in droidcall tunneling in the Tunnel.dex module. The con is increased size: this module is 442 KB because of dependencies.
9. Socks4Proxy.dex provides the ability to use the target as a proxy so our traffic can be routed through the target. The con is increased size: this module is 94 KB because of a dependency.
All of these modules send droidcall protocol messages, which can go over TCP or WebSocket.
And finally there is the jdroidcall REPL, a Java REPL separate from the C2 server REPL. It lets you interact with a client using RPC calls, and if you develop your own custom module to perform new functions, exploit vulnerable apps or anything similar, you can use the jdroidcall REPL to perform RPC calls with your module after you load it. You can enter the jdroidcall REPL per client you load it on.
If malware analysts are analyzing your app, you can detect emulators or rooted devices before loading any module, and you can also unload the modules you want from memory.
So, in summary: we have one class called Start, which is the main dropper. This dropper communicates with the HTTP server to receive the suitable agent payload (communicating with droidcall over TCP or WebSocket depending on the agent payload) as stage 2, which is used just as a bridge to establish the droidcall protocol, which allows custom tunneling, modules, RPC calls, commands and so on. We load the modules we need as stage 3 and can unload them from memory when necessary.
It could be under a hardware breakpoint, which triggers an exception on execute.
Launch of PEScan! 😜
After much effort and dedication, we are thrilled to present PEScan, an online static analysis tool designed to examine Microsoft Windows files in the Portable Executable (PE) format, such as .exe, .dll, .sys, .ocx, .scr, .drv, and .cpl.
What does PEScan do?
PEScan specializes in extracting key information from PE files to identify threats and generate highly effective Indicators of Compromise (IOCs). It offers a unique ability to inspect PE headers, internal structures, and detect irregularities.
Why is PEScan unique?
It’s the first online scanner capable of detecting irregularities directly in PE headers, providing an advanced and specific level of analysis that you won’t find in any other tool.
Where is it used?
PEScan is an indispensable tool for:
Reverse engineering and malware research.
Computer Emergency Response Teams.
Security Operations Centers.
Digital Forensics Labs.
Easy to use, yet powerful
With an intuitive interface, simply drag and drop your files and click "Analyze." Within seconds, you’ll receive a detailed analysis, including critical information for threat detection and prevention.
A project made with passion
PEScan isn’t just a tool. It’s the result of a decade of development and commitment to malware research. I hope it’s as useful for you as it is for those seeking practical and effective solutions in malware analysis.
Discover it today!: https://pescan.io
hello everyone
Does anyone have any experience using flare-emu for malware analysis?
Hi, any suggestions for cleaning fresh Confuser, please? Does anybody have a modded deobfuscator? I tried a few public tools, but they can't untangle the function bodies (or fail to read the signature), and the other public tools are quite hard for me to compile.
There are things called Google Calendar and Google Sheets that can be combined to do wonders without the $25.
Hi everyone, I have a Sony XZ2 that I tried to root 6 months ago, and the problem is that the bootloader is just impossible to unlock. I already tried all the methods, like using the unlock code, and even looked in the XDA forums for what I could do, and I found just one thing: paying $25 to use a specific app that worked for 5 people, but I don't have the money for it.
What can I do to unlock it without paying anything?
If you mean malware in email attachments, here's a site with some samples
https://malware-traffic-analysis.net/index.html
And also, ask your questions directly. Don't ask to ask
There could be a few reasons for this, but it's hard to say without checking things first. My guess is that it might be an access violation; maybe the app is trying to read/write memory where it shouldn't. A good starting point could be checking with valgrind for any memory leaks, invalid accesses, or whatever else it may be when it comes to memory.
New FedBan
Fed: Libra's Empire
FedAdmin: Libra
User: Sysc4ll3r
User ID: 5327899413
Reason: maldev ad
The dropper is not set to use a custom port or host for the C2 server, apart from the main URL of the HTTP server that delivers the agent payloads; the IP, port and protocol are produced by that server and sent along with the payload. The agent has the ability to disconnect and connect to a different C2 server or port, besides being able to load any new module that performs new functionality.
And finally, I'd love to hear your thoughts on this. If you have any feedback, feel free to drop a comment or ping me directly. Thanks for reading ❤️
Hello zhaoyihao, welcome to the Malware Research group! Please read the pinned message before you post!
Hello everyone, I have a question regarding the NtWriteVirtualMemory API call. Sometimes when I run my program I get the STATUS_BREAKPOINT (0x80000003) error. I have tried looking for answers but still have no idea why it sometimes fails.
Hello @mariopozo13, welcome to the Malware Research group! Please read the pinned message before you post!
User 4n0nym0us has 1/3 warnings; be careful!
Reason:
this is not the place to run ads
Hello María, welcome to the Malware Research group! Please read the pinned message before you post!
The affected version is VSPC 8.1.0.21377 and presumably the earlier ones. The CVSS is on fire, like 9.9.
https://www.veeam.com/kb4679
The success of this campaign lies in its exploitation of the gap between how operating systems process damaged files and how security tools analyze them.
https://www.infosecurity-magazine.com/news/corrupted-word-files-fuel-phishing/
User Jeremie has 1/3 warnings; be careful!
Reason:
last warning - no piracy, or the next is a ban
Hey, has anyone seen the Outlook malware where you get remote access through a link? I have some questions.