[Emerging-Sigs] [Emerging-sandbox] Obfuscated .exe ?

Kevin Ross kevross33 at googlemail.com
Mon Oct 3 08:06:03 EDT 2011


Yeah. Certainly not any single-byte XOR string obfuscated EXE anyway, as I ran
the PCAP through those sigs.


On 3 October 2011 13:00, Matthew Jonkman <jonkman at emergingthreatspro.com> wrote:

> Very interesting!
>
> Anyone recognize the technique? Appears to be a lot more than just some
> xor.
>
> Matt
>
>
> On Oct 3, 2011, at 7:18 AM, Edward Fjellskål wrote:
>
> > Looking at:
> >
> > https://sandnet.emergingthreats.net/index.php?q=c63719a9f4c3dc222511da93d4de1458
> >
> > and
> >
> > https://sandnet.emergingthreats.net/chaosreader/c/c63719a9f4c3dc222511da93d4de1458/session_0008.www.html
> >
> > "TH.. .rogR.. .annO..b. ruNI.n at DOS...d.."
> >
> > Looks like the binary has been piped through some obfuscator... would
> > it be worth a sig?
> >
> > E
> > _______________________________________________
> > Emerging-sandbox mailing list
> > Emerging-sandbox at emergingthreats.net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sandbox
>
>
> ----------------------------------------------------
> Matt Jonkman
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 866-504-2523 x110
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
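Added example, not part of the original thread or of the Emerging Threats ruleset: a check of the kind described above, which tries every single-byte XOR key (plain and the null-preserving variant) against the PE DOS-stub string and returns no hits when the encoding is something else. The sample buffers, keys and function names are constructed for illustration.

```python
# Added example (not from the thread): brute-force every single-byte XOR key
# against the PE DOS-stub string and report which key, if any, exposes it.
DOS_STUB = b"This program cannot be run in DOS mode"

def xor_plain(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte."""
    return bytes(b ^ key for b in data)

def xor_null_preserving(data: bytes, key: int) -> bytes:
    """Variant that leaves 0x00 and bytes equal to the key unchanged."""
    return bytes(b if b in (0, key) else b ^ key for b in data)

def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Multi-byte repeating-key XOR, used only to build the negative sample."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def find_single_byte_xor_stub(payload: bytes):
    """Return sorted (key, offset, scheme) hits for keys 0x01-0xFF."""
    hits = []
    for key in range(1, 256):
        plain = xor_plain(DOS_STUB, key)
        needles = {"plain": plain}
        preserved = xor_null_preserving(DOS_STUB, key)
        if preserved != plain:  # differs only when the key byte occurs in the stub
            needles["null-preserving"] = preserved
        for scheme, needle in needles.items():
            offset = payload.find(needle)
            if offset != -1:
                hits.append((key, offset, scheme))
    return sorted(hits)

# Constructed sample: MZ header bytes, zero padding, then the stub at offset 78.
PE_LIKE = b"MZ\x90\x00" + bytes(74) + DOS_STUB + b".\r\r\n$"
SAMPLE_PLAIN = xor_plain(PE_LIKE, 0x5A)            # constructed key
SAMPLE_NULLP = xor_null_preserving(PE_LIKE, 0x6F)  # constructed key, occurs in stub
SAMPLE_MULTI = xor_repeating(PE_LIKE, b"\x13\x37\xC0\xDE")  # constructed key

if __name__ == "__main__":
    for name, sample in (("plain", SAMPLE_PLAIN),
                         ("null-preserving", SAMPLE_NULLP),
                         ("repeating 4-byte", SAMPLE_MULTI)):
        print(name, find_single_byte_xor_stub(sample))
```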