Exetools forum, General Discussion: Doqu 2.0 analysis (https://forum.exetools.com/showthread.php?t=16883)

Anticode 06-11-2015 04:41

Doqu 2.0 analysis
 
https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf

Insid3Code 06-13-2015 03:34

Duqu 2.0, please correct the topic title!

Malware samples (indicators of compromise) from kernelmode.info:

http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3900

Archive Password: infected

an0rma1 06-18-2015 17:30

Great articles, I've read all the docs this Monday, INCREDIBLE WORK here

They think this software is worth 50M$.... hats off for this work, they are truly hero coders... even when they work coding APTs :D

maktm 06-19-2015 04:51

What really surprised me was the fact that it has signed drivers. That was pretty entertaining to read about :)

gigaman 06-20-2015 03:00

Well, signed drivers are not that surprising, there were quite a few of those already.

However, is there a sample (of the signed driver) available here? The files posted on kernelmode.info don't seem to be signed.

Insid3Code 06-20-2015 23:02

Quote:

Originally Posted by gigaman (Post 100133)
Well, signed drivers are not that surprising, there were quite a few of those already.

However, is there a sample (of the signed driver) available here? The files posted on kernelmode.info don't seem to be signed.

MD5: 92e724291056a5e30eca038ee637a23f
Certificate serial number of Foxconn: 256541e204619033f8b09f9eb7c88ef8

Attached from kernelmode.info
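The post above shares two indicators for the signed driver: an MD5 and the serial number of the Foxconn certificate. The following added example (not from the post or from kernelmode.info) shows how a defender would check a driver against both: it hashes the file, locates the Authenticode blob through the PE security directory, and walks the PKCS#7 DER heuristically to list the serial numbers of the embedded X.509 certificates. The PE and PKCS#7 builders at the bottom produce constructed test data so the script runs offline; they are not real signatures, and the walker does no chain or signature validation.

```python
import hashlib
import struct
from typing import List, Optional

# Indicators quoted in the post above; they are only compared against, never fetched.
SAMPLE_MD5 = "92e724291056a5e30eca038ee637a23f"
FOXCONN_SERIAL = "256541e204619033f8b09f9eb7c88ef8"


def normalize_serial(text: str) -> str:
    """Lower-case and keep hex digits only, dropping spaces, colons and the
    invisible marks (e.g. LRM) that copy/paste from a forum post often adds."""
    return "".join(ch for ch in text.lower() if ch in "0123456789abcdef")


def authenticode_blob(pe: bytes) -> Optional[bytes]:
    """Return the PKCS#7 SignedData from IMAGE_DIRECTORY_ENTRY_SECURITY, or
    None when the input is not a PE or carries no embedded signature."""
    try:
        if pe[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
        if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        opt = e_lfanew + 24                   # optional header follows the 20-byte COFF header
        pe32 = struct.unpack_from("<H", pe, opt)[0] == 0x10B
        ndirs = struct.unpack_from("<I", pe, opt + (92 if pe32 else 108))[0]
        if ndirs <= 4:
            return None
        # directory index 4 holds a raw file offset (not an RVA) and a size
        off, size = struct.unpack_from("<II", pe, opt + (96 if pe32 else 112) + 4 * 8)
        if off == 0 or size < 8 or off + size > len(pe):
            return None
        length, _rev, cert_type = struct.unpack_from("<IHH", pe, off)  # WIN_CERTIFICATE header
        if cert_type != 2:                    # WIN_CERT_TYPE_PKCS_SIGNED_DATA
            return None
        return pe[off + 8:off + length]
    except struct.error:
        return None


def der_read(buf: bytes, pos: int):
    """Decode one DER TLV header; return (tag, value_start, value_end)."""
    tag, pos = buf[pos], pos + 1
    if (tag & 0x1F) == 0x1F:                  # long-form tag, skipped defensively
        while buf[pos] & 0x80:
            pos += 1
        pos += 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def der_children(buf: bytes, start: int, end: int):
    """(tag, start, end) triples of the values directly inside a constructed value."""
    out, pos = [], start
    while pos < end:
        tag, vs, ve = der_read(buf, pos)
        out.append((tag, vs, ve))
        pos = ve
    return out


def certificate_serials(der: bytes) -> List[str]:
    """Heuristic: a SEQUENCE whose first child is [0] EXPLICIT (version) followed
    by an INTEGER is a v2/v3 TBSCertificate; collect that INTEGER as hex."""
    found: List[str] = []

    def walk(start: int, end: int) -> None:
        for tag, vs, ve in der_children(der, start, end):
            if (tag & 0x20) == 0:             # primitive value, nothing to descend into
                continue
            if tag == 0x30:
                kids = der_children(der, vs, ve)
                if len(kids) >= 2 and kids[0][0] == 0xA0 and kids[1][0] == 0x02:
                    raw = der[kids[1][1]:kids[1][2]]
                    if len(raw) > 1 and raw[0] == 0 and raw[1] & 0x80:
                        raw = raw[1:]         # drop DER's sign-padding byte
                    found.append(raw.hex())
            walk(vs, ve)

    walk(0, len(der))
    return found


def check_driver(pe: bytes, expected_serial: str = FOXCONN_SERIAL) -> dict:
    """Hash the file and report whether its signature carries the quoted certificate."""
    blob = authenticode_blob(pe)
    serials = certificate_serials(blob) if blob else []
    md5 = hashlib.md5(pe).hexdigest()
    return {"md5": md5, "md5_matches": md5 == SAMPLE_MD5, "serials": serials,
            "serial_matches": normalize_serial(expected_serial) in serials}


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one definite-length DER TLV (used only to build constructed test data)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_sample_pkcs7(serial_hex: str) -> bytes:
    """Constructed test data: skeletal SignedData with one v3 certificate; not a real signature."""
    serial = bytes.fromhex(serial_hex)
    if serial[0] & 0x80:
        serial = b"\x00" + serial
    alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSA
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, serial) + alg)
    cert = der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00"))
    signed = der_tlv(0x30, der_tlv(0x02, b"\x01") + der_tlv(0x31, b"") + der_tlv(0x30, b"") + der_tlv(0xA0, cert))
    return der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010702")) + der_tlv(0xA0, signed))


def build_sample_pe(pkcs7: bytes) -> bytes:
    """Constructed test data: header-only PE32 whose security directory points at pkcs7."""
    opt = bytearray(224)                      # PE32 optional header: 96 bytes + 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)
    wincert = struct.pack("<IHH", 8 + len(pkcs7), 0x0200, 2) + pkcs7
    sec_off = 64 + 4 + 20 + len(opt)          # signature placed right after the headers
    struct.pack_into("<II", opt, 96 + 4 * 8, sec_off, len(wincert))
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + wincert


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(build_sample_pkcs7(FOXCONN_SERIAL))
    print(check_driver(data))
```

Run it with a driver path to check a real file; with no argument it checks the constructed sample. A serial match only tells you the file was signed with a certificate of that serial; confirming the signature is intact and the chain valid needs a proper Authenticode verifier such as signtool or osslsigncode.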

gigaman 06-21-2015 04:54

Ah, my bad, I was checking only the first batch in the beginning of the thread.
Thanks a lot.

dyn!o 06-22-2015 03:01

Still wondering why the developers did not transform classic machine code into a custom architecture run on a custom interpreter (for security of critical places).

Considering such a step, the analysis we read would be nearly impossible to complete (in reasonable time)...

gigaman 06-24-2015 01:23

Maybe such non-x86 blocks (or the corresponding interpreters) are more likely to trigger antivirus heuristics... so while analysis would certainly be harder, the probability of earlier detection could also be higher.

dyn!o 06-27-2015 05:13

You might be right, but then they could implement at least custom virtualization (maintaining the actual architecture) + stronger data encryption. Anything which could slow down the analysis.

Stitch 06-29-2015 05:20

Quote:

Originally Posted by dyn!o (Post 100259)
You might be right, but then they could implement at least custom virtualization (maintaining actual architecture) + stronger data encryption. Anything, which could slow-down the analysis.

Quote:

Originally Posted by gigaman (Post 100196)
Maybe such non-x86 blocks (or the corresponding interpreters) are more likely to trigger antivirus heuristics... so while analysis would certainly be harder, the probability of earlier detection could also be higher.



Can you elaborate on how this could be done by linking books/tutorials/topics about making it harder to analyse? (I'm not much more than new to this area..)
Hope I would get a detailed answer.

-Stitch

