Matt Suiche
A patched (non-recompiled) variant with *NO* kill-switch is out there too. Patched jump and zeroed the URL. See screenshots below.
Matt Suiche 14 May 17
Replying to @craiu
Thanks to for sharing the 07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd hash.
Mitja Kolsek 14 May 17
Replying to @msuiche @craiu
Puzzled as to why "jnz $+2" was in the original code. Looks like a placeholder for patching out the kill switch.
Costin Raiu 14 May 17
Replying to @mkolsek @msuiche
That is the patched code, not the original one. The original was 75 15 hex.
R0bert R0senb0rg 14 May 17
Replying to @msuiche @craiu
Isn't this some testing version that a researcher patched to use after sinkholing the killswitch?
Mitja Kolsek 14 May 17
Replying to @craiu @msuiche
Oh, that makes sense.
Mark Steward 14 May 17
Replying to @msuiche @craiu
Ugh. And given the number of historic builds out there, the person who did this is very unlikely to be the malware author.
# malware mapper # 14 May 17
Replying to @msuiche
Is it spreading in the wild or just for testing purposes?
Aaron Shelmire 14 May 17
Replying to @msuiche @craiu
Mark Steward 14 May 17
Replying to @msuiche @craiu
Is that version viable? The payload looks different and doesn't have a zip directory.
Aaron Shelmire 14 May 17
While it may be a testing version, think of how many sandboxes pull files from VirusTotal and run them in the wild, leading to spread.
Thanh Bình 14 May 17
Replying to @msuiche
How can you do that? I would like to help.
R0bert R0senb0rg 14 May 17
I know, that's why researchers should be careful and use patched versions only in a way they can't spread, definitely not upload to VT or a sandbox.
Adam Chester 14 May 17
Replying to @msuiche
Are the bitcoin addresses the same, or have they been changed?
GalBit 14 May 17
Replying to @msuiche
Legit malware development process :D
R0bert R0senb0rg 14 May 17
This thread sums it up:
Aaron Shelmire 14 May 17
Agree, but it's been on VT since 90 minutes ago:
mndg 14 May 17
Replying to @msuiche
What is now in the resources? The same?
Mark Steward 14 May 17
Replying to @msuiche @craiu
That payload has two parents, and this is the difference between them.