Twitter | Search | |
Matt Suiche
A patched (non recompiled) variant with *NO* kill-switch is out there too. Patched jump and zeroed the URL. See screenshots below.
7:19 AM - 14 May 2017
Twitter
by: Matt Suiche @msuiche
Reply Retweet Like More
Matt Suiche May 14
Replying to @craiu
Thanks to for sharing the 07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd hash.
View conversation · Reply Retweet Like
Mitja Kolsek May 14
Replying to @msuiche @craiu
Puzzled as to why was "jnz $+2" in the original code. Looks like a placeholder for patching out the kill switch.
View conversation · Reply Retweet Like
Costin Raiu May 14
Replying to @mkolsek @msuiche
that is the patched code, not the original one. The original was 75 15 hex.
View conversation · Reply Retweet Like
R0bert R0senb0rg May 14
Replying to @msuiche @craiu
isn't this some testing version that a researcher patched to use after sinkholing killswitch?
View conversation · Reply Retweet Like
Mitja Kolsek May 14
Replying to @craiu @msuiche
Oh, that makes sense.
View conversation · Reply Retweet Like
Mark Steward May 14
Replying to @msuiche @craiu
Ugh. And given the number of historic builds out there, the person who did this is unlikely very to be the malware author.
View conversation · Reply Retweet Like
# malware mapper # May 14
Replying to @msuiche
Is it spreading wild or just for testing purpose ?
View conversation · Reply Retweet Like
Aaron Shelmire May 14
Replying to @msuiche @craiu
View conversation · Reply Retweet Like
Mark Steward May 14
Replying to @msuiche @craiu
Is that version viable? The payload looks different and doesn't have a zip directory.
View conversation · Reply Retweet Like
Aaron Shelmire May 14
Replying to @drProct0r @msuiche @craiu
while it may be a testing version, think of how many sandboxes pull files from virustotal and run them in the wild, leading to spread
View conversation · Reply Retweet Like
Thanh Bình May 14
Replying to @msuiche
How you can do that ? I would like to help
View conversation · Reply Retweet Like
R0bert R0senb0rg May 14
Replying to @AShelmire @msuiche @craiu
I know,that's why researchers should be careful and use patched versions only in a way it can't spread,definitely not upload to VT or SBox
View conversation · Reply Retweet Like
Adam May 14
Replying to @msuiche
Are the bitcoin addresses the same, or have they been changed?
View conversation · Reply Retweet Like
GalBit May 14
Replying to @msuiche
Legit malware development process :D
View conversation · Reply Retweet Like
R0bert R0senb0rg May 14
Replying to @AShelmire @msuiche @craiu
this thead sums it up:
View conversation · Reply Retweet Like
Aaron Shelmire May 14
Replying to @drProct0r @msuiche @craiu
agree, but it's on vt since 90 minutes ago:
View conversation · Reply Retweet Like
mndg May 14
Replying to @msuiche
What is now in the resources? The same ?
View conversation · Reply Retweet Like
Mark Steward May 14
Replying to @msuiche @craiu
That payload has two parents and this is the difference between them
View conversation · Reply Retweet Like