Unexpected Czech footprint
I’ve already seen many strange things inside malware packers, but there’s always something surprising. Last time it was during the analysis of a packer used to wrap Zbot, LockScreen and similar binaries (detected under various MalOb-* [Cryp] names). There’s a block of allocated memory holding a long list of names. These names are not used for anything related to malware execution, they’re not visible to the user (unless you emulate or trace the sample), and they have no special purpose. So why are they there? And where’s the Czech footprint?
(Image: dump of the memory block)
The highlighted name, Zatopek, belongs to the famous Czech long-distance runner (wiki). It’s somewhat mysterious (at least to me) how and why he made it onto the list. The list differs from sample to sample, and Zatopek doesn’t seem to appear in all of them. Do any of you, readers, know something that would relate all the names on the list to each other? And which name from the list is interesting to you, and why?
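A defender-side way to surface such a list from a memory dump, as an added example that is not code from the original post: the scanner below walks a constructed byte buffer (standing in for a dumped heap block; every name other than Zatopek is made up for the example) and pulls out ASCII and UTF-16LE runs with their offsets, then groups NUL-separated neighbours so a contiguous name table stands out from scattered strings.

```python
import re
from typing import List, Tuple

# Constructed sample dump (assumption; not taken from the post): a few bytes of
# junk, four NUL-separated ASCII names, then one UTF-16LE name and more junk.
SAMPLE_DUMP = (
    b"\x00\x8b\xec\x90\x90"
    + b"\x00".join([b"Zatopek", b"Pavarotti", b"Einstein", b"Curie"])
    + b"\x00\xff\xfe\x00"
    + "Newton".encode("utf-16-le")
    + b"\x00\x00\x41\x00\x90\xc3"
)

StringHit = Tuple[int, str, str]  # (offset, encoding, text)


def extract_strings(buf: bytes, min_len: int = 4) -> List[StringHit]:
    """Return printable ASCII and UTF-16LE runs of at least min_len characters.

    Mirrors what `strings` / `strings -el` do, but keeps the byte offset so a hit
    can be mapped back to the allocation it came from.
    """
    hits: List[StringHit] = []
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in ascii_re.finditer(buf):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    # UTF-16LE: each printable ASCII byte followed by a zero byte.
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in wide_re.finditer(buf):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(hits)


def group_adjacent(hits: List[StringHit], max_gap: int = 1) -> List[List[str]]:
    """Cluster strings whose start is within max_gap bytes of the previous end.

    A NUL-terminated table of names yields one long cluster; isolated strings
    (format strings, API names, leftover data) end up in clusters of their own.
    """
    groups: List[List[str]] = []
    prev_end = None
    for off, enc, text in hits:
        width = 2 if enc == "utf-16le" else 1
        end = off + len(text) * width
        if prev_end is not None and off - prev_end <= max_gap:
            groups[-1].append(text)
        else:
            groups.append([text])
        prev_end = end
    return groups


def find_name(buf: bytes, name: str) -> List[int]:
    """Offsets at which `name` appears as a complete extracted string."""
    return [off for off, _, text in extract_strings(buf) if text == name]


if __name__ == "__main__":
    for off, enc, text in extract_strings(SAMPLE_DUMP):
        print(f"0x{off:04x} {enc:8} {text}")
    print("clusters:", group_adjacent(extract_strings(SAMPLE_DUMP)))
    print("Zatopek at:", find_name(SAMPLE_DUMP, "Zatopek"))
```

Running it on a real dump (for example, a region written out with a debugger after the unpacking stub has filled it) is a matter of replacing SAMPLE_DUMP with the file contents; the largest cluster returned by group_adjacent is usually the table worth looking at.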