Doqu 2.0 analysis

[Anticode]

https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf

[Insid3Code]

Duqu 2.0 please correct topic title!

Malware samples (Indicators of compromise) from kernelmode.info

PHP Code:

http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3900 


Archive Password: infected

[an0rma1]

great articles, i've read all the docs this monday, INCREDIBLE WORK here

They think this software is worth 50M$.... hats off for this work, they are truly hero coders... even when they work coding APTs

[maktm]

What really surprised me was the fact that it has signed drivers. That was pretty entertaining to read about

[gigaman]

Well, signed drivers are not that surprising, there were quite a few of those already.

However, is there a sample (of the signed driver) available here? The files posted on kernelmode.info don't seem to be signed.

[Insid3Code]

Quote:

Originally Posted by gigaman

Well, signed drivers are not that surprising, there were quite a few of those already.

However, is there a sample (of the signed driver) available here? The files posted on kernelmode.info don't seem to be signed.

MD5: 92e724291056a5e30eca038ee637a23f
Certificate Serial number of Foxconn: ‎256541e204619033f8b09f9eb7c88ef8

Attached from kernelmode.info

[gigaman]

Ah, my bad, I was checking only the first batch in the beginning of the thread.
Thanks a lot.

[dyn!o]

Still wondering why the developers did not transform classic machine code into custom architecture run on custom interpreter (security of critical places).

Considering such a step the analysis we read would be nearly impossible to complete (in reasonable time)...