First of all, I'd like to thank MalwareIntelligence, where I write as a researcher, for getting me this precious file.
In the Aurora attack, one .sys file was used, called msconfig32.sys.
I was pretty curious about what this driver does, and why no one else in the world had analyzed it.
Let's first take a quick look at the file (a .sys file is a PE):
Let's compare it with a valid Microsoft driver of roughly the same size:
We don't see that kind of thing there, yet in our file we keep seeing 0x20 in places where there should be 0x00...
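As an added check that is not part of the original post: a small Python script (my own, run on a constructed sample rather than the file from the attack) that parses the PE section table and counts what fills the slack after the headers and between sections, flagging a file whose slack is 0x20 where a linker would have left 0x00.

```python
import hashlib
import struct
from collections import Counter

def pe_sections(data: bytes):
    """Parse just enough of the PE headers to get the section table and raw ranges."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    sec = coff + 20 + size_opt                    # first IMAGE_SECTION_HEADER
    sections = []
    for _ in range(n_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec + 16)
        sections.append((raw_ptr, raw_ptr + raw_size))
        sec += 40
    return sec, sorted(sections)                  # sec = end of the section table

def padding_report(data: bytes) -> dict:
    """Count bytes in the slack after the section table and between sections.
    A linker fills this slack with 0x00; slack full of 0x20 means the file was rewritten."""
    table_end, sections = pe_sections(data)
    bounds = [table_end] + [b for s in sections for b in s]
    counts = Counter()
    for lo, hi in zip(bounds[0::2], bounds[1::2]):  # (table_end, s0.start), (s0.end, s1.start), ...
        counts.update(data[lo:hi])
    total = sum(counts.values())
    return {"md5": hashlib.md5(data).hexdigest().upper(), "slack_bytes": total,
            "zero": counts[0x00], "space": counts[0x20],
            "suspicious": total > 0 and counts[0x20] > counts[0x00]}

def build_sample(fill: bytes) -> bytes:
    """Constructed minimal PE32 with one .text section; header slack is filled with `fill`."""
    dos = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)         # PE32 magic
    struct.pack_into("<I", opt, 60, 0x200)        # SizeOfHeaders
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x10, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    return hdr + fill * (0x200 - len(hdr)) + b"\xCC" * 0x200  # slack, then section data

if __name__ == "__main__":
    for fill in (b"\x00", b"\x20"):
        print(padding_report(build_sample(fill)))
```

Point the same `padding_report` at any real driver's bytes; a build straight from the linker reports only zeros in the slack.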
I decided to use the SCM and load the driver with sc. So let's do it:
The command and the checks are attached in the following picture :
[Image ad_1_.jpg: MD5: CD36A3071A315C3BE6AC3366D80BB59C; Byte Size: (not captured); "Appears to be packed executable. Significant portion of file is" (caption cut off)]
Malware Researcher at MalwareIntelligence