Wednesday, March 1, 2017

Karthik Nagarajan - an actor and our author:

Karthik Nagarajan

Karthik Nagarajan is an actor, known for Yeto Vellipoyindhi Manasu (2012), Iru Mugan (2016) and Lightman (2017). He is also a life coach, keynote speaker and corporate trainer, and has been highly successful with audiences across industries and live event formats. Whatever the event, Karthik delivers energy, entertainment and inspiration in his own one-of-a-kind way. He also started a foundation called "The Solution Guy Foundation".

The Solution Guy Foundation was established to support financially underprivileged students with their educational needs. It collects funds to pay their fees and to buy them books and clothes. It also conducts free seminars in and around the city of Chennai to equip students with valuable life skills, management skills and soft skills, so that they can face the future with confidence.

His imdb link:
The solution guy foundation FB page: 

Karthik Nagarajan in his film 'Lightman'

MD5 Collision:

MD5 collision is a very interesting topic in cryptography. If you browse this topic you will find good research articles on the collision attacks, and you can even form an opinion on where things are heading. Very recently Google announced a SHA-1 collision.

Google said: "We then leveraged Google's technical expertise and cloud infrastructure to compute the collision which is one of the largest computations ever completed." Here are some numbers that give a sense of how large-scale this computation was:
  • Nine quintillion (9,223,372,036,854,775,808) SHA1 computations in total
  • 6,500 years of CPU computation to complete the attack first phase
  • 110 years of GPU computation to complete the second phase

Let's go back to our topic, MD5 collision:

Each of the two colliding 128-byte blocks (shown as an image in the original post) has the MD5 hash 79054025255fb1a26e4bc422aef54eb4.

This pair was found in 2005 by researchers from Shandong University in China (Xiaoyun Wang and colleagues).

We also have two sets of colliding executable files: one set for Windows and another for Linux. Two different programs that share one MD5 are the practical reason MD5 alone can no longer be trusted to identify a file; compare a SHA-256 as well.
MD5 of the Windows set: cdc47d670159eef60916ca03a9d4a007

MD5 of the Linux set: da5c61e1edc0f18337e46418e48c1290
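To make the collision concrete, here is an added Python example (editor's code, not from the original post). The two hex constants are the published Wang et al. test vectors for the pair referenced above, copied in as constants; the trailing suffix string is an arbitrary constructed value. Beyond checking the hashes, the example shows why colliding executables are possible: MD5 is a Merkle-Damgard hash, so once two equal-length prefixes reach the same internal state, any identical suffix keeps them colliding.

```python
from __future__ import annotations
import hashlib

# Wang et al. (2005) MD5 collision test vectors, two 128-byte messages.
# Public constants; hex transcribed here by the editor.
BLOCK_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
BLOCK_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_positions(a: bytes, b: bytes) -> list[int]:
    """Byte offsets at which two equal-length messages differ."""
    if len(a) != len(b):
        raise ValueError("messages must have equal length")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def collision_survives_suffix(a: bytes, b: bytes, suffix: bytes) -> bool:
    """Merkle-Damgard property: the two prefixes have already collided in the
    internal state after 128 bytes, so appending the same suffix to both
    keeps the MD5 equal. This is what lets one collision pair be embedded
    inside two otherwise identical executables."""
    return md5_hex(a + suffix) == md5_hex(b + suffix)


def summarize() -> dict:
    """Collision facts a practitioner would check by hand."""
    return {
        "md5_a": md5_hex(BLOCK_A),
        "md5_b": md5_hex(BLOCK_B),
        "same_md5": md5_hex(BLOCK_A) == md5_hex(BLOCK_B),
        "same_sha256": sha256_hex(BLOCK_A) == sha256_hex(BLOCK_B),
        "differing_bytes": diff_positions(BLOCK_A, BLOCK_B),
        # constructed suffix: any bytes work, the point is that they are identical
        "suffix_still_collides": collision_survives_suffix(
            BLOCK_A, BLOCK_B, b"constructed trailing payload"),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

The six differing bytes sit in message words 4, 11 and 14 of each block, exactly where the Wang differential puts them; SHA-256 of the two blocks differs, which is the check to run whenever an MD5 match is used as evidence of file identity.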


Comments for Explorer.exe in Virustotal:

This post is a somewhat random one. When we looked at a legitimate explorer.exe in VirusTotal (a popular online malware scanner), it was flagged as clean (obviously, since it is a legitimate file). Note that VirusTotal is judging this specific file by its hash, not by its name: malware that drops its own explorer.exe elsewhere on disk is a different file with a different hash.

The interesting part of this submission is the comment section. We saw a good number of comments and would like to share them here.

The exe has been exploited by a variant of Trojan.Backdoor and Trojan.VBS.Autorun and should be considered malicious in this instance. The executable is legit by default and belongs to the Windows operating system; the trojan leaves little indication of its presence. Picked up in the wild, known to infect USB drives and spread by copying itself to USB, also picked up from malicious webpages; the worm is usually dropped by the trojan after it gains entry. Tries to modify the registry key for SuperHidden to hide itself even if "show hidden files" is checked in settings. Also infects network drives and can spread through the network. Drops malicious code into any file it chooses on the file system, escalates privileges, deletes files. Not known to damage hardware; copies itself to the root of every disk volume, replaces the autorun.inf file so that it loads the next time the volume is mounted. Manual removal recommendation: none; although most antivirus programs detect the worm itself and remove it, the damage created to the file system cannot be fixed as easily. Recommendation for removal: full format with the Windows disk, disconnect all devices from the network, flush the router, reset the router, full reinstall on computers before connecting back to the network. As with any worm of this type, the risk from this infection is severe.

Additional comments: Antivirus software is only an added layer of protection. When infected with backdoors and worms, the antivirus software may claim it is able to remove the threat (which in part is true); what it is not able to do is repair the damage that the infection has created. When a system has been backdoored, the attacker then usually creates multiple backdoors by exploiting legit Windows applications, along with creating new backdoors. Without being an NT/IT or having some other extensive knowledge about the Windows file system and operating system, it is very hard to find and fix each exploit. While the original infection may be gone, there may be new infections still hiding, or worse, while infected the attacker may have installed a rootkit, which is nearly impossible to fix with a simple antivirus program, as many advanced rootkits can call on and modify data at the kernel level. They can intercept and modify system calls directly, or use hooks to catch the calls and then replace them with their own. Most antivirus say they can find rootkits, but that is what we tend to call "OverHype". Most rootkits avoid antivirus scan detection because they can read when the call is sent to run the antivirus engine; the rootkit can then temporarily replace the infected files with the original files, try to delay or stop the engine itself, replace the scan results of the antivirus with previously logged scans of a clean system from when it was still undetected, etc.

Antiviruses should never be considered a safe solution for bad habits. Users need to be careful of what they do online; just because you have a good antivirus does not mean you are safe. Prevention is the best solution. In my honest opinion, detection is only good for future prevention. Once a worm or virus is detected, it can then be reverse engineered to see how it works and what it does. Once we know how it gains access and propagates, we can then find ways to restrict its access method, but for this to happen, someone/many someones will have to be infected first; then those someones will have to wait until either they show noticeable symptoms and start requesting help from online sources such as or other help stations by performing multiple scans with multiple tools to fully diagnose the issue, or someone with computer knowledge notices subtle changes and starts investigating. Both of these situations could take days, to weeks, to months, to years. Then waiting for Microsoft to create a security patch could take years. This is why prevention is the key.


Authenticode signature block and FileVersionInfo properties

Copyright: © Microsoft Corporation. All rights reserved.
Product: Microsoft® Windows® Operating System
Original name: EXPLORER.EXE
Internal name: explorer
File version: 6.1.7601.17567 (win7sp1_gdr.110224-1502)
Description: Windows Explorer
Signature verification: Signed file, verified signature
Signing date: 8:16 PM 2/28/2011

Certificate chain:

Microsoft Windows (signer)
Status: This certificate or one of the certificates in the certificate chain is not time valid.
Issuer: Microsoft Windows Verification PCA
Valid from: 10:57 PM 12/7/2009
Valid to: 10:57 PM 3/7/2011
Valid usage: Code Signing, NT5 Crypto
Algorithm: sha1RSA
Thumbprint: 02ECEEA9D5E0A9F3E39B6F4EC3F7131ED4E352C4
Serial number: 61 15 23 0F 00 00 00 00 00 0A

Microsoft Windows Verification PCA (intermediate)
Status: This certificate or one of the certificates in the certificate chain is not time valid.
Issuer: Microsoft Root Certificate Authority
Valid from: 10:55 PM 9/15/2005
Valid to: 11:05 PM 3/15/2016
Valid usage: Code Signing, NT5 Crypto
Algorithm: sha1RSA
Thumbprint: 5DF0D7571B0780783960C68B78571FFD7EDAF021
Serial number: 61 07 02 DC 00 00 00 00 00 0B

Microsoft Root Certificate Authority (root)
Status: Valid
Issuer: Microsoft Root Certificate Authority
Valid from: 12:19 AM 5/10/2001
Valid to: 12:28 AM 5/10/2021
Valid usage: All
Algorithm: sha1RSA
Thumbprint: CDD4EEAE6000AC7F40C3802C171E30148030C072
Serial number: 79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65

The two "not time valid" statuses only mean that the signer and intermediate certificates had expired by the time of the lookup. The signing date (2/28/2011) falls inside both validity windows, which is why the signature itself still verifies.



Tuesday, February 21, 2017

Malicious IP analysis

We do not know whether the following IP address is malicious: 103.224.212(.)222
How should we proceed with the analysis?
Possible approach: search for it in VirusTotal.
No engine flagged it.
VT link:
Detection: 0/65.
Additional info:

Possible approach: try IPVoid or URLVoid.
In this case IPVoid is the right tool, since we are dealing with an IP address. It came back blacklisted on three lists.

IP Address Information

Analysis Date: 2017-02-21 03:53:30
Blacklist Status: BLACKLISTED 3/83
IP Address: 103.224.212.222
ASN Owner: Trellian Pty. Limited
ISP: Trellian Pty. Limited
Country Code: (AU) Australia
Latitude / Longitude: -33.494 / 143.2104

Possible approach: search for it in ThreatCrowd.
Now we find plenty, and it links the IP to two malicious files.
Threat crowd link:
First file:
MD5: c98dc3be0c7fa850ad1a3161c3f8014a
Filename: _b4c61441.tmp
VT link:
Detected as a potentially unwanted application / adware.

Second file:
MD5: e8e956637f36a97f251746016be22c30
Filename: diaiomjykaxu.exe
VT link:
Detected as ransomware (Locky / TeslaCrypt filedecoder).
Another possible approach is a simple Google search:
We found the following URL -
It says the IP belongs to Locky ransomware.


It is advised to block this IP address at the firewall and to add it to the blacklist for future checks. Note that the 0/65 VirusTotal result only says that no engine had flagged the address, not that it is clean; a single source is never enough for an IP verdict, which is why the other lookups matter. If you find this IP address in your network logs (any connection established with it), there is a good chance of a ransomware infection in the network; follow the general recommendations for ransomware incidents.

We will look at the analysis of those two files in a future post.
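Once an indicator is confirmed, the practical next steps are to find out which internal hosts talked to it and to block it. The following Python is an added example (editor's code, not from the original post): it refangs the IP exactly as written above, hunts for allowed connections to it in a few firewall log lines that are constructed for this example, and emits block rules. The log format, the host name fw01, the internal addresses and the iptables syntax are all assumptions; adapt the regex to your own firewall's format.

```python
from __future__ import annotations
import ipaddress
import re
from collections import Counter


def refang(indicator: str) -> str:
    """Turn a defanged IP such as 103.224.212(.)222 or 103[.]224[.]212[.]222
    back into a plain address and validate it (ValueError on garbage)."""
    plain = re.sub(r"[\(\[]\.[\)\]]", ".", indicator.strip())
    ipaddress.ip_address(plain)
    return plain


def defang(ip: str) -> str:
    """Defang for safe sharing in reports."""
    return ip.replace(".", "[.]")


# Constructed firewall log lines (made up for this example, not from the post).
# Note the near-miss 103.224.212.22 on the deny line: substring matching would
# wrongly count it.
SAMPLE_LOG = """\
2017-02-21T03:10:11Z fw01 action=allow src=10.0.5.23 dst=103.224.212.222 dport=80 proto=tcp
2017-02-21T03:10:12Z fw01 action=allow src=10.0.5.23 dst=8.8.8.8 dport=53 proto=udp
2017-02-21T03:12:40Z fw01 action=allow src=10.0.7.101 dst=103.224.212.222 dport=443 proto=tcp
2017-02-21T03:12:41Z fw01 action=deny src=10.0.7.101 dst=103.224.212.22 dport=445 proto=tcp
2017-02-21T03:15:02Z fw01 action=allow src=10.0.5.23 dst=103.224.212.222 dport=80 proto=tcp
"""

# Assumed key=value log format; one line per flow.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ action=(?P<action>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)


def hunt(log_text: str, ioc_ip: str) -> dict:
    """Internal hosts that successfully connected to the IOC, with connection
    counts and destination ports. The destination is compared as a whole
    address so 103.224.212.22 does not match 103.224.212.222."""
    counts: Counter = Counter()
    ports: dict[str, set[int]] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["dst"] != ioc_ip or m["action"] != "allow":
            continue
        counts[m["src"]] += 1
        ports.setdefault(m["src"], set()).add(int(m["dport"]))
    return {src: {"connections": n, "ports": sorted(ports[src])}
            for src, n in counts.items()}


def block_rules(ioc_ip: str) -> list[str]:
    """Example block rules (iptables syntax assumed); both directions."""
    return [
        f"iptables -I OUTPUT -d {ioc_ip} -j DROP",
        f"iptables -I INPUT -s {ioc_ip} -j DROP",
    ]


if __name__ == "__main__":
    ioc = refang("103.224.212(.)222")
    print("IOC:", defang(ioc))
    for host, info in hunt(SAMPLE_LOG, ioc).items():
        print(f"  {host}: {info['connections']} connection(s) on ports {info['ports']}")
    print("\n".join(block_rules(ioc)))
```

Hosts that appear in the hunt output are the ones to isolate and check for the ransomware indicators above; the deny line for the neighbouring address is deliberately excluded to show why whole-field matching matters.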


Monday, February 20, 2017

Analysis of suspicious pdf

SWIFT CONFIRMATION.pdf - this PDF file looked suspicious. It came in for analysis, and we started looking into its code.

MD5: 524BAE85DB8BA5E6B161BC52D5B34113

(I searched this MD5 in VirusTotal; the sample had been uploaded to VT just 7 hours before I wrote this post.

Clean result, zero detections.)

This PDF sample connects to the following URLs:

All of these URLs are suspicious.



Opening the PDF:

I opened the PDF file and attached the screenshot below:

They masked the content and ask us to view it on "Adobe online". This follows a Dropbox link and leads to downloading a file named swift confirmation.scr.

(View on Adobe links to a Dropbox URL)

Expanding the shortened URLs:

hxxp://  -  hxxp://

(Searched for it in Google; it leads to VirusTotal results -  - flagged as a malicious site)


hxxp://  -  hxxp://

Finally we got the Dropbox link:


Downloaded the swift confirmation.scr file from that Dropbox link in a controlled environment on a separate network.

It is an executable. .scr is the Windows screen-saver extension, and a screen saver is simply an ordinary PE executable, so a "confirmation" document delivered as .scr is pretty suspicious.

Version info:

It appears to carry a digital signature, and the version info claims the file belongs to Samsung Electronics Co. Ltd.
The digital signature does not verify; see the snapshot below:

All of these properties suggest the file is suspicious. Let's dive into the code level:
We checked the compiler information: Microsoft Visual Basic 5.0 / 6.0. The file is packed.
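Two checks from this triage can be done without opening the sample at all: pulling the URLs and action keywords out of the PDF statically, and confirming that a ".scr" download is really a PE executable. The following Python is an added example (editor's code, not from the original post). The embedded PDF is a minimal constructed document that mimics the "View on Adobe" link lure, with example.invalid URLs standing in for the shortener and Dropbox links; the PE header bytes in the test are likewise constructed. Real PDFs often compress objects in FlateDecode streams, so treat the raw-byte scan as a first pass, not a full parser.

```python
from __future__ import annotations
import re

# Constructed minimal PDF (not the SWIFT CONFIRMATION.pdf sample): a page with a
# link annotation whose /URI points at a shortener, plus an OpenAction script.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.invalid/shortlink) >> >> endobj
5 0 obj << /S /JavaScript /JS (app.launchURL("http://example.invalid/open", true);) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Keywords that mean the document does something when opened or clicked.
SUSPICIOUS_KEYS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch",
                   b"/URI", b"/EmbeddedFile", b"/SubmitForm")


def defang(url: str) -> str:
    """hxxp:// and [.] so the URL is not clickable in a report."""
    return (url.replace("http://", "hxxp://")
               .replace("https://", "hxxps://")
               .replace(".", "[.]"))


def extract_urls(pdf: bytes) -> list[str]:
    """URLs from /URI actions plus any http(s) literal in the raw bytes.
    Does not handle escaped parentheses or compressed streams."""
    found = re.findall(rb"/URI\s*\((.*?)\)", pdf)
    found += re.findall(rb"https?://[A-Za-z0-9./?=_%&:-]+", pdf)
    return sorted({u.decode("latin-1") for u in found})


def triage(pdf: bytes) -> dict:
    """Count action keywords and list defanged URLs; anything found is a reason
    to detonate the file in a sandbox rather than open it on a workstation."""
    keys = {k.decode(): pdf.count(k) for k in SUSPICIOUS_KEYS if k in pdf}
    urls = [defang(u) for u in extract_urls(pdf)]
    return {"keys": keys, "urls": urls,
            "verdict": "suspicious" if urls or keys else "no obvious actions"}


def is_pe(data: bytes) -> bool:
    """True when the bytes are a PE image: 'MZ' DOS header and the e_lfanew
    offset at 0x3C pointing at the 'PE\\0\\0' signature. A .scr or .pdf name
    says nothing; the header does."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    off = int.from_bytes(data[0x3C:0x40], "little")
    return data[off:off + 4] == b"PE\x00\x00"


if __name__ == "__main__":
    report = triage(SAMPLE_PDF)
    print("verdict:", report["verdict"])
    print("action keys:", report["keys"])
    for u in report["urls"]:
        print("  url:", u)
    print("sample PDF is PE:", is_pe(SAMPLE_PDF))
```

Running the same triage on a real sample is what turns "the PDF connects to the following URLs" into a list you can feed to the lookups in the previous post, and `is_pe` is the one-line answer to whether a downloaded "document" is actually a program.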



Hard work never fails!