Calls home to http://ownefloadpconverter.info/
Forks into svchost.exe
Have fun :)
Forks into svchost.exe
Dropper, decrypted + downloaded xp boot rec attached
IAT CodeHooks:
svchost.exe-->advapi32.dll-->RegQueryValueExW
svchost.exe-->advapi32.dll-->SetSecurityDescriptorDacl
svchost.exe-->advapi32.dll-->SetEntriesInAclW
svchost.exe-->advapi32.dll-->SetSecurityDescriptorGroup
svchost.exe-->advapi32.dll-->SetSecurityDescriptorOwner
svchost.exe-->advapi32.dll-->InitializeSecurityDescriptor
svchost.exe-->advapi32.dll-->GetTokenInformation
svchost.exe-->advapi32.dll-->OpenProcessToken
svchost.exe-->advapi32.dll-->OpenThreadToken
svchost.exe-->advapi32.dll-->SetServiceStatus
svchost.exe-->advapi32.dll-->RegisterServiceCtrlHandlerW
svchost.exe-->advapi32.dll-->RegCloseKey
svchost.exe-->advapi32.dll-->RegOpenKeyExW
svchost.exe-->advapi32.dll-->StartServiceCtrlDispatcherW
svchost.exe-->kernel32.dll-->WideCharToMultiByte
svchost.exe-->kernel32.dll-->lstrlenW
svchost.exe-->kernel32.dll-->LocalFree
svchost.exe-->kernel32.dll-->GetCurrentProcess
svchost.exe-->kernel32.dll-->GetCurrentThread
svchost.exe-->kernel32.dll-->GetProcAddress
svchost.exe-->kernel32.dll-->LCMapStringW
svchost.exe-->kernel32.dll-->FreeLibrary
svchost.exe-->kernel32.dll-->lstrcpyW
svchost.exe-->kernel32.dll-->ExpandEnvironmentStringsW
svchost.exe-->kernel32.dll-->lstrcmpiW
svchost.exe-->kernel32.dll-->ExitProcess
svchost.exe-->kernel32.dll-->GetCommandLineW
svchost.exe-->kernel32.dll-->InitializeCriticalSection
svchost.exe-->kernel32.dll-->GetProcessHeap
svchost.exe-->kernel32.dll-->SetErrorMode
svchost.exe-->kernel32.dll-->SetUnhandledExceptionFilter
svchost.exe-->kernel32.dll-->RegisterWaitForSingleObject
svchost.exe-->kernel32.dll-->InterlockedCompareExchange
svchost.exe-->kernel32.dll-->QueryPerformanceCounter
svchost.exe-->kernel32.dll-->GetTickCount
svchost.exe-->kernel32.dll-->GetCurrentThreadId
svchost.exe-->kernel32.dll-->GetCurrentProcessId
svchost.exe-->kernel32.dll-->UnhandledExceptionFilter
svchost.exe-->kernel32.dll-->LocalAlloc
svchost.exe-->kernel32.dll-->lstrcmpW
svchost.exe-->kernel32.dll-->DelayLoadFailureHook
svchost.exe-->ntdll.dll-->NtQuerySecurityObject
svchost.exe-->ntdll.dll-->RtlFreeHeap
svchost.exe-->ntdll.dll-->NtOpenKey
svchost.exe-->ntdll.dll-->wcscat
svchost.exe-->ntdll.dll-->wcscpy
svchost.exe-->ntdll.dll-->RtlAllocateHeap
svchost.exe-->ntdll.dll-->RtlCompareUnicodeString
svchost.exe-->ntdll.dll-->RtlInitializeSid
svchost.exe-->ntdll.dll-->RtlLengthRequiredSid
svchost.exe-->ntdll.dll-->RtlSubAuthoritySid
svchost.exe-->ntdll.dll-->NtClose
svchost.exe-->ntdll.dll-->RtlSubAuthorityCountSid
svchost.exe-->ntdll.dll-->RtlGetDaclSecurityDescriptor
svchost.exe-->ntdll.dll-->RtlQueryInformationAcl
svchost.exe-->ntdll.dll-->RtlGetAce
svchost.exe-->ntdll.dll-->RtlImageNtHeader
svchost.exe-->ntdll.dll-->wcslen
svchost.exe-->ntdll.dll-->RtlUnhandledExceptionFilter
svchost.exe-->ntdll.dll-->RtlCopySid
P:\obmen_x\_wws\server04\Builder\Build\t1.exe
%MASHINE_ID%
%VERSION%
%OS%
%AV%
%X64%
%ACCESS%
%PLUGINS%
%CGGD%
%GROUP%
%BKINST%
%SOCKSLOG%
%NOTE%
%DOMEAN%
AntiVM/Debug:
55274-640-2673064-23950
76487-644-3177037-23510
76487-337-8429955-22614
ZYYd
DAEMON
QSVW
ZYYd
kernel32.dll
OLLYDBG
DEBUG
IDAG
W32DSM
DBGHELP
drivers\sice.sys
drivers\ntice.sys
drivers\syser.sys
drivers\winice.sys
drivers\sice.vxd
drivers\winice.vxd
winice.vxd
vmm32\winice.vxd
sice.vxd
vmm32\sice.vxd
\\.\SICE
\\.\SIWVID
\\.\NTICE
\\.\TRW
\\.\TWX
\\.\ICEEXT
\\.\Syser
\\.\SyserDbgMsg
\\.\SyserBoot
joeboxcontrol.exe
joeboxserver.exe
wireshark.exe
regmon.exe
filemon.exe
procmon.exe
SandboxieRpcSs.exe
SandboxieDcomLaunch.exe
SbieDll.dll
api_log.dll
dir_watch.dll
dbghelp.dll
username
USER
user
currentuser
c:\insidetm
C:\analysis
VBoxService.exe
VMwareTray.exe
VMwareService.exe
VMwareUser.exe
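As an added triage example (my code, not the poster's tool output), this scanner pulls ASCII and UTF-16LE strings from a sample and reports which of the anti-analysis indicators listed above are present; the grouping of the indicators into categories and the constructed SAMPLE blob are my assumptions.

```python
import re

# Indicators quoted in the post, grouped by the evasion check they suggest.
# The grouping is an assumption; the post only lists the strings.
INDICATORS = {
    "debugger_driver": [r"drivers\sice.sys", r"drivers\ntice.sys", r"drivers\syser.sys",
                        r"drivers\winice.sys", r"\\.\SICE", r"\\.\NTICE", r"\\.\Syser"],
    "debugger_window": ["OLLYDBG", "IDAG", "W32DSM", "DBGHELP"],
    "monitoring_tool": ["wireshark.exe", "regmon.exe", "filemon.exe", "procmon.exe"],
    "sandbox_artifact": ["joeboxcontrol.exe", "joeboxserver.exe", "SbieDll.dll",
                         "api_log.dll", "dir_watch.dll", r"c:\insidetm", r"C:\analysis"],
    "vm_guest_tool": ["VBoxService.exe", "VMwareTray.exe", "VMwareService.exe", "VMwareUser.exe"],
    "product_id": ["55274-640-2673064-23950", "76487-644-3177037-23510", "76487-337-8429955-22614"],
}

def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return printable ASCII and UTF-16LE strings of at least min_len characters."""
    ascii_re = rb"[\x20-\x7e]{%d,}" % min_len
    wide_re = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    found = [m.decode("ascii") for m in re.findall(ascii_re, data)]
    found += [m.decode("utf-16le") for m in re.findall(wide_re, data)]
    return found

def scan(data: bytes) -> dict[str, list[str]]:
    """Map each category to the indicators found (case-insensitive substring match)."""
    strings = [s.lower() for s in extract_strings(data)]
    hits = {}
    for category, needles in INDICATORS.items():
        matched = [n for n in needles if any(n.lower() in s for s in strings)]
        if matched:
            hits[category] = matched
    return hits

def evasion_score(hits: dict[str, list[str]]) -> int:
    """Total number of matched indicators across all categories."""
    return sum(len(v) for v in hits.values())

# Constructed sample blob (not a real dropper): ASCII and wide strings with junk between.
SAMPLE = (b"\x00\x01MZ\x90\x00" + b"\\\\.\\SICE\x00\x00"
          + "VBoxService.exe".encode("utf-16le") + b"\x00\x00junk\xff"
          + b"76487-644-3177037-23510\x00" + b"wireshark.exe\x00")

if __name__ == "__main__":
    for category, found in scan(SAMPLE).items():
        print(f"{category}: {found}")
    print("score:", evasion_score(scan(SAMPLE)))
```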
Have fun :)
Attachments
pwd: infected