obviously a damn typo

As the shellcode used an XOR decoder Nepenthes did not know, it went unrecognized. So I had a look myself, and after adding the XOR chain Nepenthes was able to download the file.

But some words about the file downloaded from http://rcb.medbod.com/seed/ftcn32a.exe. As it was only 6656 bytes in size, I simply ran strings on it, and voilà:

strings /tmp/ftcn32a.exe

application
TEMP6534C64A-
Z454-122E-BF
-083C2  4S55
1'http://rc.medbod.com/seed/
nwaa32.exe

Seemed like the file was up to downloading another file from http://rc.medbod.com/seed/nwaa32.exe.
As the domain rc.medbod.com could not be resolved, I tried rcb.medbod.com, the domain used to download the previous file, and it worked. Obviously somebody mistyped the domain to fetch the next stage from in the ftcn32a.exe downloader.

nwaa32.exe is 48198 bytes in size, and as I'm lazy I just threw it into Norman's sandbox. It turned out nwaa32.exe was about to download http://upseek.org/u/upd_0002.exe, but the domain does not resolve any longer.
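The strings pass described above, as an added example that is not part of the original post: a small Python triage script that does what `strings` did here (print runs of printable bytes), pulls out URL-looking indicators together with the hostnames one would try to resolve, and additionally tries every single-byte XOR key so that a next-stage URL hidden behind a trivial XOR layer still shows up instead of appearing as a garbage string. The sample blob is constructed to mirror the strings output in the post (URL and filename stored as separate NUL-terminated strings); the hidden URL and its host example.invalid are placeholders, not indicators from the post.

```python
"""
Added example, not code from the original post: a minimal strings-style
triage pass over a downloaded binary, plus a single-byte XOR sweep.
"""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Same default as GNU strings: runs of at least 4 printable characters.
MIN_LEN = 4
# URL shape: scheme, host, optional path made of non-control, non-space bytes.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?:/[\x21-\x7e]*)?")


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Printable ASCII runs of at least min_len bytes, like `strings`."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def extract_urls(data: bytes) -> List[str]:
    """URL-looking substrings found in the raw bytes."""
    return [m.group().decode("ascii") for m in URL_RE.finditer(data)]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one single-byte key."""
    return bytes(b ^ key for b in data)


def find_xored_urls(data: bytes) -> Dict[int, List[str]]:
    """Try each single-byte XOR key (1..255) and report URLs that appear."""
    hits: Dict[int, List[str]] = {}
    for key in range(1, 256):
        urls = extract_urls(xor_bytes(data, key))
        if urls:
            hits[key] = urls
    return hits


def hostnames(urls: List[str]) -> List[str]:
    """Distinct hostnames in first-seen order, i.e. what to try resolving."""
    seen: List[str] = []
    for u in urls:
        host = urlparse(u).hostname
        if host and host not in seen:
            seen.append(host)
    return seen


def triage(data: bytes) -> dict:
    """Full report: raw strings, plaintext URLs, their hosts, XOR-hidden URLs."""
    plain_urls = extract_urls(data)
    return {
        "strings": extract_strings(data),
        "urls": plain_urls,
        "hosts": hostnames(plain_urls),
        "xored_urls": find_xored_urls(data),
    }


# Constructed sample, not the real ftcn32a.exe: a stub header, the plaintext
# next-stage URL and filename as separate NUL-terminated strings (as the
# post's strings output shows), and a second URL hidden behind XOR 0x5A.
# "example.invalid" is a placeholder host, not an indicator from the post.
XOR_KEY = 0x5A
HIDDEN_URL = b"http://example.invalid/next.exe"
SAMPLE = (
    b"MZ" + b"\x00" * 14
    + b"application\x00"
    + b"http://rc.medbod.com/seed/\x00"
    + b"nwaa32.exe\x00"
    + xor_bytes(HIDDEN_URL + b"\x00", XOR_KEY)
    + b"\x00" * 8
)

if __name__ == "__main__":
    report = triage(SAMPLE)
    for s in report["strings"]:
        print(s)
    print("plaintext URLs:", report["urls"])
    print("hosts to resolve:", report["hosts"])
    for key, urls in report["xored_urls"].items():
        print(f"XOR key 0x{key:02x}:", urls)
```

Running it prints the three readable strings plus one garbage run, which is the XOR-encoded URL as `strings` would show it; the sweep then recovers that URL under key 0x5A. For a real sample the same sweep would be run on the file bytes instead of `SAMPLE`.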

2005/12/12/typos.txt · Last modified: 2009/11/13 20:39 by nepenthesdev