bomblader, posted September 30, 2015 (edited September 30, 2015 by bomblader)

Looks like I was infected by some virus, no idea where I got it. It's .NET. You have to run it like this in order to run it:

adobe_flash_player.exe /00000017

Can anyone decompile this and find out what it's doing? Looks like a custom obfuscator was used. De4Dot is cleaning it up but strings and other data are still encrypted. Thanks!

Attachment: adobe_flash_player.rar
Sweden, posted September 30, 2015

"Malware" lol. Whatever protection was used, this looks like some seriously skidded shit.
kao, posted September 30, 2015

Pretty boring and ordinary malware: calls home, downloads commands, does some downloads (pay-per-click scam?), uploads stuff and other boring crap. Deobfuscate only inside VMware using this command line:

de4dot adobe_flash_player.exe --strtyp delegate --strtok 06000195 1
bomblader (author), posted September 30, 2015 (edited September 30, 2015 by bomblader)

I think it's some kind of shitty thing that visits webpages. The problem is, I have absolutely no idea where I got this. I always run executables sandboxed, and it also added itself to HKLM startup (I ran the infected .exe as administrator, wtf). Also, what decompiler are you using? (Sweden)
kao, posted September 30, 2015

Only you can figure out where it came from, as that information is only present on your computer. I would start with information from NTFS LastWriteTime and registry key LastWriteTime, then move on to the Prefetch folder, firewall logs, browser cache and other forensic information. But if you deleted it already, well... tough luck!
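A triage helper along the lines kao describes, added here as an example and not part of the thread. It pulls the NTFS timestamps of the suspect binary, the HKLM Run key's values and LastWriteTime (the thread reports the sample adding itself there), matching Prefetch entries, files created around the same time, and the default Windows Firewall log path, and prints them as one timeline. The default $SuspectPath is an assumption; run it as administrator on the affected machine with the real path. The RegQueryInfoKeyW P/Invoke is needed because PowerShell's registry provider does not expose a key's LastWriteTime.

```powershell
# Added triage example (not from the thread). Assumes the suspect binary sits at $SuspectPath;
# adjust the path for the machine being examined. Read-only: it changes nothing on disk or in the registry.
param(
    [string]$SuspectPath = "$env:USERPROFILE\Downloads\adobe_flash_player.exe",  # assumed location
    [int]$WindowMinutes = 30   # how far around the file's creation time to look for neighbouring files
)

# RegQueryInfoKeyW hands back the key's FILETIME LastWriteTime in its last parameter.
$regTimeSource = @'
using System;
using System.Runtime.InteropServices;
using Microsoft.Win32;
using Microsoft.Win32.SafeHandles;
public static class RegTime {
    [DllImport("advapi32.dll", EntryPoint = "RegQueryInfoKeyW", CharSet = CharSet.Unicode)]
    private static extern int RegQueryInfoKey(SafeRegistryHandle hKey, IntPtr lpClass, IntPtr lpcchClass,
        IntPtr lpReserved, out uint subKeys, out uint maxSubKeyLen, out uint maxClassLen,
        out uint values, out uint maxValueNameLen, out uint maxValueLen,
        out uint securityDescriptor, out long lastWriteTime);
    public static DateTime LastWriteUtc(RegistryKey key) {
        uint a, b, c, d, e, f, g; long ft;
        int rc = RegQueryInfoKey(key.Handle, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero,
            out a, out b, out c, out d, out e, out f, out g, out ft);
        if (rc != 0) { throw new System.ComponentModel.Win32Exception(rc); }
        return DateTime.FromFileTimeUtc(ft);
    }
}
'@
Add-Type -TypeDefinition $regTimeSource

$timeline = New-Object System.Collections.Generic.List[object]
function Add-Event([string]$Source, [datetime]$WhenUtc, [string]$Detail) {
    $timeline.Add([pscustomobject]@{ WhenUtc = $WhenUtc; Source = $Source; Detail = $Detail })
}

# 1. NTFS timestamps of the suspect file; CreationTime is the anchor for the rest of the search.
$file = Get-Item -LiteralPath $SuspectPath -ErrorAction Stop
Add-Event 'NTFS created'     $file.CreationTimeUtc   $file.FullName
Add-Event 'NTFS last write'  $file.LastWriteTimeUtc  $file.FullName
Add-Event 'NTFS last access' $file.LastAccessTimeUtc $file.FullName
$anchor = $file.CreationTimeUtc

# 2. HKLM Run key: every value, plus the key's LastWriteTime (bumped whenever a value is added or changed).
$runPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($runPath)
if ($runKey) {
    $keyWritten = [RegTime]::LastWriteUtc($runKey)
    Add-Event 'Registry key write' $keyWritten "HKLM\$runPath"
    foreach ($name in $runKey.GetValueNames()) {
        $value = $runKey.GetValue($name)
        $flag = if ("$value" -like "*$($file.Name)*") { ' <-- references suspect' } else { '' }
        Add-Event 'Run value' $keyWritten "$name = $value$flag"
    }
    $runKey.Close()
}

# 3. Prefetch: Windows names these EXENAME-<hash>.pf; the .pf LastWriteTime approximates the last run.
$pfPattern = $file.Name.ToUpperInvariant() + '-*.pf'
Get-ChildItem -Path "$env:SystemRoot\Prefetch" -Filter $pfPattern -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Event 'Prefetch' $_.LastWriteTimeUtc $_.FullName }

# 4. Neighbours: files created within the window around the anchor in the same folder and %TEMP%
#    (an archive or browser download that brought the sample in tends to show up here).
$from = $anchor.AddMinutes(-$WindowMinutes)
$to   = $anchor.AddMinutes($WindowMinutes)
foreach ($dir in @($file.DirectoryName, $env:TEMP)) {
    Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTimeUtc -ge $from -and $_.CreationTimeUtc -le $to -and $_.FullName -ne $file.FullName } |
        ForEach-Object { Add-Event 'Neighbour created' $_.CreationTimeUtc $_.FullName }
}

# 5. Windows Firewall log at its default path; it only exists if logging was switched on beforehand.
$fwLog = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
if (Test-Path -LiteralPath $fwLog) {
    Add-Event 'Firewall log present' (Get-Item -LiteralPath $fwLog).LastWriteTimeUtc $fwLog
}

$timeline | Sort-Object WhenUtc | Format-Table -AutoSize
```

Read the output from the anchor outwards: a Run value that references the sample with a key write time just after the file's creation confirms the persistence the thread mentions, and whatever was created in the minutes before the anchor (an archive, a download) is the lead to follow into the browser cache. Run it before deleting anything, since the Prefetch and neighbour entries disappear with the files.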