Phoenix 2.0 Exploit kit

I normally do not post exploit packs, even partial but I am posting it in this case as it appears to be the source of the java files analyzed by InReverse.  Read this for more details and Java analysis.

The other possibility is the Crimepack. Let me know if there are others, I may post them too.

 Download  Phoenix2.zip as a password protected archive (contact me if you need the password)

   

List of included files


AdgredY.java    11895    416ff21ed3ddb4ce5665a4917964c5ce
all.js    5167    9432b83d52fc325f5bda83d58598e825  -- All listed except newplayer cve-2009-4324
deie.html    15097    a88f45102b57595d6c7b1cf2c2b4b241  --
flash.as    2746    718803346bbbed11e934c63af99c4a9f
ie.html    14939    1c8bd04644942a0f1832844ee4b44e63
newplayer.js    2595    a2344d3a54f26ae863011323a0973ac8 newplayer cve-2009-4324

Filename	MD5	File Size		Extension
flash.swf	C643C2B8E901E52C14A8D6CE8096E327	1,645		swf
all.pdf	66BDB0DC68294890E359E91F1EF18D9E	2,677		pdf
allv7.pdf	B948321DE93582951598F3BDDDCC5735	2,465		pdf
collab.pdf	EF68F7B0018EDA2C149EF92EAAA666E2	2,012	CVE-2007-5659	pdf
geticon.pdf	1ED11F0EEE47135067F36E73FD5E889E	2,003	CVE-2009-0927	pdf
libtiff.pdf	E1E581CC0D817A808DC33CEB230F91B4	3,514	CVE-2010-0188	pdf
newplayer.pdf	37F28E5BE542AD2E32DA19EE5C44967C	1,975	CVE-2009-4324	pdf
printf.pdf	AF680ECCA07B3294553F672F78554588	1,907	CVE-2008-2992	pdf
index.js	B07E39D831F8EA3F8BCD84DCC9A60FFF	14,272		js
des.jar	98F5ACDB21E8B8116FE5C7B4BA17D0E9	8,539		jar
ie.html	30C1A7B87C419A1427932773642FEEE7	14,929	CVE-2009-3867	html
index.html	9939596B9BA5ECD4EE5FD648171EF01C	14,462		html
vistaie7.html	E8888E4EDA75F6CE016A5FBA9BE02FA3	14,415		html
vistan7ie8.html	6D11908E6CCC01B14ED0097561853F86	8,747		html
vistan7other.html	3E4B94ED2A6ED5F7FF42165BB165A46B	13,734		html
xpie7.html	EDE58120D8C76212E458898B348D2B80	14,420		html
xpie8.html	A18CCEEE89E13B137C77F88688668CED	8,714		html
xpother.html	355A809F8B5BDE1E511C628DD75CD871	14,129		html

Flash exploits are

CVE-2009-1869
CVE-2007-0071

PDF exploits
 CVE-2007-5659
 CVE-2009-0927
 CVE-2010-0188
 CVE-2009-4324
 CVE-2008-2992

Internet Explorer Exploits
CVE-2009-0806

Java Exploits
CVE-2009-3867
CVE-2008-5353

Let me know if i missed any

Java exploit GetSoundBank Read inReverse Ratsoul's posts for more information here or on their new blog here 
Also, see some malware links with this exploit here

deie.html
MDAC exploit

 Flashloader - using object and embed for different browsers. Read this article for more details http://borodin.livejournal.com/10471.html

Actionscript

 

IE 2010-0806

ESET Nod32 detection of CVE-2010-0806

March 30, 2010 ESET quickly corrected the false positive and there should be no more alarms. Please update your AV definitions.

The following links are being detected by ESET Nod32 as JS/Exploit.CVE-2010-0806 trojan. However, I looked at the js files and i do not see the CVE-2010-0806 exploit in them. They seem to be false positives - some sort of ads scripts.


    * hxxp://assets.loomia.com/js/clixdom.js
    * hxxp://widget-cache.loomia.com/js/onewidget_clix.js
    * hxxp://a.l.yimg.com/a/lib/s5/searchpad_core_metro_js_200911061221.js

http://www.virustotal.com/analisis/66fda6e512a0900224cec2ed93c2facac2ba80ef7e1c62d866c7b0d46af9cd15-1269964297%20

 File clixdom.js received on 2010.03.30 15:51:37 (UTC)
Result: 1/42 (2.38%)
NOD32     4985     2010.03.30     JS/Exploit.CVE-2010-0806

Let me know if I am wrong.

Thanks -M

P.S. I just found this discussion related to it JS/EXploit.CVE-2010-0806 trojan on Yahoo

Mar 30 CVE-2010-0806 IE 0-day hxxp://bbs.vgl.co.kr/bbs/icon/ie.html

hxxp://bbs.vgl.co.kr/bbs/icon/ie.html   - malicious link

Download ie.html as a password protected archive (or you can get it from the link above) Please contact me if you need the password

Details ie.html 

http://www.virustotal.com/analisis/6827df1e55c9d7bbbf80272a919606aa7d5ee7b90fd049d67c6b2c0e2f458819-1269977772
 File ie.html received on 2010.03.30 19:36:12 (UTC)
Result: 19/42 (45.24%)
Antivirus     Version     Last Update     Result
a-squared    4.5.0.50    2010.03.30    Exploit.JS.CVE-2010-0806!IK
Authentium    5.2.0.5    2010.03.30    JS/Cosmu.A
Avast    4.8.1351.0    2010.03.30    JS:CVE-2010-0806-C
Avast5    5.0.332.0    2010.03.30    JS:CVE-2010-0806-C
AVG    9.0.0.787    2010.03.29    Exploit
BitDefender    7.2    2010.03.30    Exploit.Cosmu.A
eSafe    7.0.17.0    2010.03.28    JS.CVE2010-0806
eTrust-Vet    35.2.7396    2010.03.30    JS/Dish!exploit
F-Prot    4.5.1.85    2010.03.30    JS/Cosmu.A
F-Secure    9.0.15370.0    2010.03.30    Exploit.Cosmu.A
Fortinet    4.0.14.0    2010.03.30    JS/CVE20100806.B!exploit
GData    19    2010.03.30    Exploit.Cosmu.A
Ikarus    T3.1.1.80.0    2010.03.30    Exploit.JS.CVE-2010-0806
Kaspersky    7.0.0.125    2010.03.30    Exploit.JS.CVE-2010-0806.b
Microsoft    1.5605    2010.03.30    Exploit:JS/CVE-2010-0806
nProtect    2009.1.8.0    2010.03.30    Exploit.Cosmu.A
Sophos    4.52.0    2010.03.30    Troj/ExpJS-R
Sunbelt    6117    2010.03.30    Trojan.JS.BOFExploit (v)
VirusBuster    5.0.27.0    2010.03.30    JS.BOFExploit.Gen
Additional information
File size: 6494 bytes
MD5...: fcfeb0287f172a2c58f680fcd120ea48

bbs.vgl.co.kr has one IP number , which is the same as for vgl.co.kr, but the reverse is 211-115-80-207.kidc.net. vgl.co.kr and http://www.robtex.com/dns/www.vgl.co.kr.html point to the same IP. vgl.co.kr is delegated to two nameservers, however one delegated nameserver is missing in the zone. Incoming mail for vgl.co.kr is handled by seven mailservers having a total of 28 IP numbers. Some of them are on the same IP network. bbs.vgl.co.kr is hosted on a server in Korea. It is not listed in any blacklists.

      Hostname:    211-115-80-207.kidc.net
      ISP:    KRNIC
      Organization:    Hanbiro, Inc.
       Country:    Korea, Republic of
      State/Region:    Soul-t'ukpyolsi
      City:    Seoul

Mar 28 CVE-2010-0806 IE 0-day U.S.-ROK ALLIANCE... In Korea, Divide and be Conquered from richard.mark45@yahoo.com

• CVE-2010-0806 Use-after-free vulnerability in the Peer Objects component (aka iepeers.dll) in Microsoft Internet Explorer 6, 6 SP1, and 7 allows remote attackers to execute arbitrary code via vectors involving access to an invalid pointer after the deletion of an object, as exploited in the wild in March 2010. 
• Microsoft Security Advisory (981374) and fix - kb 981374 Microsoft Security Advisory: Vulnerability in Internet Explorer could allow remote code execution 

Malicious link hxxp://spot-news.com/spot/news.html

Details hxxp://spot-news.com/spot/news.html

 
Here is more more piece of news from the same source as earlier today. Maybe they hope we abandon BBC World News and switch to their agency.

From: Richard Mark [mailto:richard.mark45@yahoo.com]
Sent: Sunday, March 28, 2010 11:17 PM
To: XXXXXXXXXXXXXX
Subject: U.S.-ROK ALLIANCE... In Korea, Divide and be Conquered

U.S.-ROK ALLIANCE

In Korea, Divide and be Conquered

Brookings Senior Fellow Michael O'Hanlon argues that, for a number of practical
reasons, 2012 may prove too soon to transfer wartime operational control of
South Korean forces to Korean command. O'Hanlon writes that if there is a
need to evaluate the 2012 plan afresh, that should happen without apology,
without undue haste and without any predetermined conclusion.

Read More

Header info
Received: from [123.125.156.136] by web114509.mail.gq1.yahoo.com via HTTP;
 Sun, 28 Mar 2010 20:17:26 PDT
X-Mailer: YahooMailRC/324.3 YahooMailWebService/0.8.100.260964
Date: Sun, 28 Mar 2010 20:17:26 -0700
From: Richard Mark
Subject: U.S.-ROK ALLIANCE... In Korea, Divide and be Conquered


Sender ip info        Hostname:    123.125.156.151
      ISP:    China Unicom Beijing Province Network
      Organization:    China Unicom Beijing Province Network
      Proxy:    Suspected network sharing device.
      Country:    China
      State/Region:    Beijing
      City:    Beijing

The exploit and all other details are the same as in this post from earlier today

Mar 27 CVE-2010-0806 IE 0-day Dozens missing after ship sinks near North Korea from kevin.bohn33@hotmail.com

• CVE-2010-0806 Use-after-free vulnerability in the Peer Objects component (aka iepeers.dll) in Microsoft Internet Explorer 6, 6 SP1, and 7 allows remote attackers to execute arbitrary code via vectors involving access to an invalid pointer after the deletion of an object, as exploited in the wild in March 2010. 
• Microsoft Security Advisory (981374) and fix - kb 981374 Microsoft Security Advisory: Vulnerability in Internet Explorer could allow remote code execution 

Malicious link  hxxp://spot-news.com/test/test.html (still active on March 27, 2010) -  Internet Explorer Zero day exploit

Download  043d308bfda76e35122567cf933e1b2a winint32.exe and test.htm as a password protected archive (please contact me if you need the password)

Details on the link and files

Update March 30, 2010 - Cisco issued  a Threat Outbreak Alert alert related to this particular threat.

From: Kevin Bohn [mailto:kevin.bohn33@hotmail.com]
Sent: Saturday, March 27, 2010 7:35 AM
To: XXXXXXXXXXX
Subject: Dozens missing after ship sinks near North Korea


Dozens missing after ship sinks near North Korea
a navy ship sank in tense Yellow Sea waters off the coast of North Korea.

Detail Story   http://www.mofat.go.kr/press/breifing
_______________________________________
Your E-mail and More On-the-Go. Get Windows Live Hotmail Free. Sign up now.


Headers

Received: from SNT112-W16 ([65.55.90.199]) by snt0-omc4-s20.snt0.hotmail.com
 with Microsoft SMTPSVC(6.0.3790.3959);     Sat, 27 Mar 2010 04:34:39 -0700
Message-ID:
Return-Path: kevin.bohn33@hotmail.com
Content-Type: multipart/alternative;
    boundary="_2fd4e512-5e88-49c3-96eb-4fc20039c8d1_"
X-Originating-IP: [123.125.156.151]
From: Kevin Bohn
Sender ip info 

      Hostname:    123.125.156.151
      ISP:    China Unicom Beijing Province Network
      Organization:    China Unicom Beijing Province Network
      Proxy:    Suspected network sharing device.
      Country:    China
      State/Region:    Beijing
      City:    Beijing



Site host info from robtex.com hxxp://spot-news.com/test/test.html
124.217.255.232 

satpalast.com, oxidesale.com, serendipity.li, http://www.blogger.com/dns/www.satpalast.com.html, teenz-info-ms.net and at least two other hosts point to 124.217.255.232. It is blacklisted in one list.

Hostname: 124.217.255.232
ISP: PIRADIUS NET
Organization: PIRADIUS NET
Country: Malaysia
State/Region: Johor
City: Johor Bahru

Exploit info
Please see Trancer's post with more details about the exploit and explanation by Praetorian Prefect

hxxp://spot-news.com/test/test.html 

Tested on Windows XP SP2 Internet Explorer  7

The following files were created:

%USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\J742EA2Y\test.htm

%USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5NRUWTV44\winint32.exe

Virustotal

test.htm

http://www.virustotal.com/analisis/276b1482b3c59c80d4d0ee9987203f6ded5452b805425eb5c5ebe4439fc8071f-1269725177

File test.htm received on 2010.03.27 21:26:17 (UTC)
Result: 3/42 (7.14%)
Print results Print results
AVG     9.0.0.787     2010.03.27     Script/Exploit
Microsoft     1.5605     2010.03.27     Exploit:JS/CVE-2010-0806
Sunbelt     6101     2010.03.26     Trojan.JS.BOFExploit (v)

winint32.exe

http://www.virustotal.com/analisis/2db8a9c401911c7317e8a89c35d979d0e8e9ba718ae13a0a0cfedd957654ec10-1269725346

  File winint32.exe received on 2010.03.27 21:29:06 (UTC)
Result: 3/42 (7.15%)
Microsoft    1.5605    2010.03.27    Trojan:Win32/Tapaoux.A
Panda    10.0.2.2    2010.03.27    Suspicious file
Symantec    20091.2.0.41    2010.03.27    Suspicious.Insight
File size: 357344 bytes
MD5...: 043d308bfda76e35122567cf933e1b2a

Microsoft information about Trojan:Win32/Tapaoux.A

Threatexpert report

Anubis Report

[#############################################################################] Anubis Analysis Report for winint32.exe MD5: 043d308bfda76e35122567cf933e1b2a [#############################################################################] Summary: - Autostart capabilities: This executable registers processes to be executed at system start. This could result in unwanted actions to be performed automatically. - Creates files in the Windows system directory: Malware often keepscopies of itself in the Windows directory to stay undetected by users. - Performs File Modification and Destruction: The executable modifiesand destructs files which are not temporary. - Spawns Processes: The executable produces processes during the execution. - Performs Registry Activities: The executable reads and modifies registry values. It also creates and monitors registry keys. [=============================================================================] Table of Contents [=============================================================================] - General information - winint32.exe a) Registry Activities b) File Activities c) Windows Service Activities d) Process Activities e) Other Activities - services.exe a) Registry Activities b) File Activities c) Other Activities - cmd.exe a) Registry Activities b) File Activities [#############################################################################] 1. General Information [#############################################################################] [=============================================================================] Information about Anubis' invocation [=============================================================================] Time needed: 60 s Report created: 03/27/10, 17:53:24 UTC Termination reason: All tracked processes have exited Program version: 1.74.2681 [#############################################################################] 2. winint32.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: Primary Analysis Subject Filename: winint32.exe MD5: 043d308bfda76e35122567cf933e1b2a SHA-1: 0d941f58d554a9970e50adb353193ea3525f9c8f File Size: 357344 Bytes Command Line: "C:\winint32.exe" Process-status at analysis end: dead Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\comdlg32.dll ], Base Address: [0x763B0000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\COMCTL32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ] Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ] Module Name: [ C:\WINDOWS\system32\WINSPOOL.DRV ], Base Address: [0x73000000 ], Size: [0x00026000 ] Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ] Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ] [=============================================================================] Run-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntoskrnl.exe ], Base Address: [0x00B60000 ], Size: [0x00216680 ] Module Name: [ C:\WINDOWS\system32\MSCTF.dll ], Base Address: [0x74720000 ], Size: [0x0004C000 ] Module Name: [ C:\WINDOWS\system32\Apphelp.dll ], Base Address: [0x77B40000 ], Size: [0x00022000 ] [=============================================================================] 2.a) winint32.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Keys Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{75053DE3-294C-12CE-1CDF-1BF4CE6CD741} ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Active Setup\Installed Components\{75053DE3-294C-12CE-1CDF-1BF4CE6CD741} ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{75053DE3-294C-12CE-1CDF-1BF4CE6CD741} ], Value Name: [ ], New Value: [ Microsoft Explorer ] Key: [ HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{75053DE3-294C-12CE-1CDF-1BF4CE6CD741} ], Value Name: [ IsInstalled ], New Value: [ 1 ] Key: [ HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{75053DE3-294C-12CE-1CDF-1BF4CE6CD741} ], Value Name: [ StubPath ], New Value: [ "C:\WINDOWS\system32\inetcpl.exe" SystemBasicTools ] Key: [ HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{75053DE3-294C-12CE-1CDF-1BF4CE6CD741} ], Value Name: [ Version ], New Value: [ 1,0,0,1 ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Active Setup\Installed Components\{75053DE3-294C-12CE-1CDF-1BF4CE6CD741} ], Value Name: [ Version ], New Value: [ 1,0,0,0 ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ AppData ], New Value: [ C:\Documents and Settings\Administrator\Application Data ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Startup ], New Value: [ C:\Documents and Settings\Administrator\Start Menu\Programs\Startup ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{75053DE3-294C-12CE-1CDF-1BF4CE6CD741} ], Value Name: [ Version ], Value: [ 1,0,0,1 ], 2 times Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ], Value Name: [ CUAS ], Value: [ 0 ], 1 time Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time Key: [ HKLM\SYSTEM\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time Key: [ HKLM\SYSTEM\WPA\MediaCenter ], Value Name: [ Installed ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ AuthenticodeEnabled ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ PolicyScope ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ TransparentEnabled ], Value: [ 1 ], 2 times Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ ItemSize ], Value: [ 779 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ ItemSize ], Value: [ 517 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ ItemSize ], Value: [ 918 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ ItemSize ], Value: [ 229 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ ItemSize ], Value: [ 370 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], Value Name: [ Language Hotkey ], Value: [ 1 ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], Value Name: [ Layout Hotkey ], Value: [ 2 ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ AppData ], Value: [ %USERPROFILE%\Application Data ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Startup ], Value: [ %USERPROFILE%\Start Menu\Programs\Startup ], 1 time [=============================================================================] 2.b) winint32.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\SystemCheck.bat ] File Name: [ C:\WINDOWS\system32\bitcheck.dll ] File Name: [ C:\WINDOWS\system32\inetcpl.exe ] File Name: [ C:\WINDOWS\system32\inetcpl.sys ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\system32\bitcheck.dll ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\SystemCheck.bat ] File Name: [ C:\WINDOWS\system32\bitcheck.dll ] File Name: [ C:\WINDOWS\system32\inetcpl.exe ] File Name: [ C:\WINDOWS\system32\inetcpl.sys ] File Name: [ WinChkDrv77 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Device Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 8 times File: [ WinChkDrv77 ], Control Code: [ 0x0022E660 ], 1 time File: [ WinChkDrv77 ], Control Code: [ 0x0022E65C ], 2 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\SystemCheck.bat ] File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ] File Name: [ C:\WINDOWS\WindowsShell.Manifest ] File Name: [ C:\WINDOWS\system32\Apphelp.dll ] File Name: [ C:\WINDOWS\system32\COMCTL32.dll ] File Name: [ C:\WINDOWS\system32\MSCTF.dll ] File Name: [ C:\WINDOWS\system32\SHELL32.dll ] File Name: [ C:\WINDOWS\system32\WINSPOOL.DRV ] File Name: [ C:\WINDOWS\system32\cmd.exe ] File Name: [ C:\WINDOWS\system32\imm32.dll ] File Name: [ C:\WINDOWS\system32\ntoskrnl.exe ] File Name: [ C:\WINDOWS\system32\rpcss.dll ] File Name: [ C:\Windows\AppPatch\sysmain.sdb ] [=============================================================================] 2.c) winint32.exe - Windows Service Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Services Started: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Service: [ WinChkDrv77 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Services Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Name: [ WinChkDrv77 ], Type: [ SERVICE_DEMAND_START ], Path: [ C:\WINDOWS\system32\inetcpl.sys ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Services Deleted: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Service: [ WinChkDrv77 ] [=============================================================================] 2.d) winint32.exe - Process Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Processes Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Executable: [ C:\WINDOWS\system32\cmd.exe ], Command Line: [ ] Executable: [ ], Command Line: [ C:\SystemCheck.bat ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Remote Threads Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Affected Process: [ C:\WINDOWS\system32\cmd.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Foreign Memory Regions Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Process: [ C:\WINDOWS\system32\cmd.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Foreign Memory Regions Written: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Process: [ C:\WINDOWS\system32\cmd.exe ] [=============================================================================] 2.e) winint32.exe - Other Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Mutexes Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Mutex: [ CTF.Asm.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.LBES.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.TMD.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.TimListCache.FMPDefaultS-1-5-21-842925246-1425521274-308236825-500MUTEX.DefaultS-1-5-21-842925246-1425521274-308236825-500 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Windows SEH exceptions: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Description: [ Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x40b4d9 ], 1 time Description: [ Exception 0xc0000096 (STATUS_PRIVILEGED_INSTRUCTION) at 0x40b57b ], 1 time [#############################################################################] 3. services.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: A service was started. Filename: services.exe MD5: 0e776ed5f7cc9f94299e70461b7b8185 SHA-1: cb5a33cec4c7b8ef4bd5dc8c241005b66b26cbbf File Size: 108544 Bytes Command Line: C:\WINDOWS\system32\services.exe Process-status at analysis end: alive Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\NCObjAPI.DLL ], Base Address: [0x5F770000 ], Size: [0x0000C000 ] Module Name: [ C:\WINDOWS\system32\MSVCP60.dll ], Base Address: [0x76080000 ], Size: [0x00065000 ] Module Name: [ C:\WINDOWS\system32\SCESRV.dll ], Base Address: [0x7DBD0000 ], Size: [0x00051000 ] Module Name: [ C:\WINDOWS\system32\AUTHZ.dll ], Base Address: [0x776C0000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ] Module Name: [ C:\WINDOWS\system32\umpnpmgr.dll ], Base Address: [0x7DBA0000 ], Size: [0x00021000 ] Module Name: [ C:\WINDOWS\system32\WINSTA.dll ], Base Address: [0x76360000 ], Size: [0x00010000 ] Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ], Base Address: [0x5B860000 ], Size: [0x00055000 ] Module Name: [ C:\WINDOWS\system32\ShimEng.dll ], Base Address: [0x5CB70000 ], Size: [0x00026000 ] Module Name: [ C:\WINDOWS\AppPatch\AcAdProc.dll ], Base Address: [0x47260000 ], Size: [0x0000F000 ] Module Name: [ C:\WINDOWS\system32\Apphelp.dll ], Base Address: [0x77B40000 ], Size: [0x00022000 ] Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\eventlog.dll ], Base Address: [0x77B70000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\PSAPI.DLL ], Base Address: [0x76BF0000 ], Size: [0x0000B000 ] Module Name: [ C:\WINDOWS\system32\WS2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ] Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\wtsapi32.dll ], Base Address: [0x76F50000 ], Size: [0x00008000 ] [=============================================================================] 3.a) services.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Keys Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SYSTEM\CONTROLSET001\CONTROL\CLASS\{8ECC055D-047F-11D1-A537-0000F8753ED1}\0000 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Keys Deleted: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\System\CurrentControlSet\Control\Class\{8ECC055D-047F-11D1-A537-0000F8753ED1}\0000 ] Key: [ HKLM\System\CurrentControlSet\Enum\Root\LEGACY_WINCHKDRV77\0000\Control ] Key: [ HKLM\System\CurrentControlSet\Enum\Root\LEGACY_WINCHKDRV77\0000 ] Key: [ HKLM\System\CurrentControlSet\Enum\Root\LEGACY_WINCHKDRV77 ] Key: [ HKLM\System\CurrentControlSet\Services\WinChkDrv77\Security ] Key: [ HKLM\System\CurrentControlSet\Services\WinChkDrv77\Enum ] Key: [ HKLM\System\CurrentControlSet\Services\WinChkDrv77 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\Root\LEGACY_WINCHKDRV77\0000 ], Value Name: [ Driver ], New Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1}\0000 ] Key: [ HKLM\System\CurrentControlSet\Services\WinChkDrv77 ], Value Name: [ DeleteFlag ], New Value: [ 1 ] Key: [ HKLM\System\CurrentControlSet\Services\WinChkDrv77 ], Value Name: [ Start ], New Value: [ 4 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\Root\LEGACY_WINCHKDRV77\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 2 times Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\Root\LEGACY_WINCHKDRV77\0000 ], Value Name: [ Driver ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1}\0000 ], 2 times Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\WinChkDrv77\Enum ], Value Name: [ 0 ], Value: [ Root\LEGACY_WINCHKDRV77\0000 ], 3 times Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\WinChkDrv77\Enum ], Value Name: [ Count ], Value: [ 1 ], 6 times [=============================================================================] 3.b) services.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER, Flags: Named pipe ] File Name: [ C:\WINDOWS\system32\config\SysEvent.Evt ] [=============================================================================] 3.c) services.exe - Other Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Drivers Loaded: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Driver: [ HKLM\System\CurrentControlSet\Services\WinChkDrv77 ] [#############################################################################] 4. cmd.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: Started by winint32.exe Filename: cmd.exe MD5: 6d778e0f95447e6546553eeea709d03c SHA-1: 811a005cf787c6ccbe0d9f1c36c1d49a9cb71fd1 File Size: 389120 Bytes Command Line: cmd /c C:\SystemCheck.bat Process-status at analysis end: dead Exit Code: 1 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] [=============================================================================] Run-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] [=============================================================================] 4.a) cmd.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\Software\Microsoft\Command Processor ], Value Name: [ AutoRun ], Value: [ ], 1 time Key: [ HKLM\Software\Microsoft\Command Processor ], Value Name: [ CompletionChar ], Value: [ 64 ], 1 time Key: [ HKLM\Software\Microsoft\Command Processor ], Value Name: [ DefaultColor ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\Command Processor ], Value Name: [ EnableExtensions ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\Command Processor ], Value Name: [ PathCompletionChar ], Value: [ 64 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ PolicyScope ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ ItemSize ], Value: [ 779 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ ItemSize ], Value: [ 517 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ ItemSize ], Value: [ 918 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ ItemSize ], Value: [ 229 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ ItemSize ], Value: [ 370 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Nls\Language Groups ], Value Name: [ 1 ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], Value Name: [ 00000C07 ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Command Processor ], Value Name: [ CompletionChar ], Value: [ 9 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Command Processor ], Value Name: [ DefaultColor ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Command Processor ], Value Name: [ EnableExtensions ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time [=============================================================================] 4.b) cmd.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Deleted: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\SystemCheck.bat ] File Name: [ C:\winint32.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\SystemCheck.bat ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\SystemCheck.bat ] [#############################################################################] International Secure Systems Lab http://www.iseclab.org Vienna University of Technology Eurecom France UC Santa Barbara http://www.tuwien.ac.at http://www.eurecom.fr http://www.cs.ucsb.edu Contact: anubis@iseclab.org

Mar 10. CVE-2010-0806 - Internet Explorer 6/7 0-day notes by Extraexploit

 Here are are some comments by extraexploit related to the most recent Internet explorer 0-day

Feb. 1 DarkMoon-B Video.exe with 222.35.137.193 from masao_tomikawas@yahoo.com 2/1/2010 2:43 AM

This is just an exe (PE32 executable for MS Windows) in zip archive. From China and connecting back to China. Not very creative.

Download Video.exe as a password protected archive (please contact me if you need the password)

• Details: a4754be7b34ed55faff832edadac61f6 - Video.exe

From: masao_tomikawas@yahoo.com [mailto:masao_tomikawas@yahoo.com]
Sent: Monday, February 01, 2010 2:43 AM
To: 
Subject: Press(Quake aid starts to arrive for desperate Haitians)
 
PORT-AU-PRINCE, Haiti (AP) - Desperately needed aid from around the world slowly made its way Thursday into Haiti, where supply bottlenecks and a leadership vacuum left rescuers scrambling on their own to save the trapped and injured and get relief supplies into the capital.
..............

see the full text in the end of the post

Headers

Received: (qmail 17548 invoked from network); 1 Feb 2010 07:43:09 -0000
Received: from unknown (HELO fisherxp-pc.domain) (218.67.128.26)
  by XXXXXXXXXXXXXX SMTP; 1 Feb 2010 07:43:09 -0000
Received: from 1428151.com ([127.0.0.1]) by 1428151.com ([127.0.0.1]) with SMTPSVC;
     Mon, 01 Feb 2010 15:43:07 +0800
Message-ID: <6dd17374c7e8d17543324b690c0db2e7@yahoo.com>
From:
To: XXXXXXXXXXXXXXXXXXXXXXXX
Subject: =?gb2312?B?UHJlc3MoUXVha2UgYWlkIHN0YXJ0cyB0byBhcnJpdmUgZm9yIGRlcw==?=
    =?gb2312?B?cGVyYXRlIEhhaXRpYW5zKQ==?=
Date: Mon, 01 Feb 2010 15:43:07 +0800

      Hostname:    218.67.128.26
      ISP:    China Unicom Tianjin province network
      Organization:    China Unicom Tianjin province network
      Country:    China
      City:    Tianjin

Jan 17 Trojan Darkmoon.B EXE Haiti relief from santi_nidas@yahoo.com 17 Jan 2010 13:15:02 -0800 PST

This message contains a zip attachment with  ârâfâI.exe (Darkmoon.B) and a 20100118.pdf  (containing pictures).

Download the A4754BE7B34ED55FAFF832EDADAC61F6 -Darkmoonb.zip (password protected< please contact me if you need it)


The message is in Japanese

From: santi_nidas@yahoo.com [mailto:santi_nidas@yahoo.com]
Sent: Sunday, January 17, 2010 4:15 PM
To: xxxxxxxxxxx
Subject: ハイチの救援活動が難航　７千人埋葬、時間との勝負

ハイチの救援活動が難航　７千人埋葬、時間との勝負
　【ポルトープランス共同】大地震発生から２日が経過したハイチでは１４日、現地入りした欧米の救援チームが倒壊家屋の下敷きになった被災者の捜索活動を始めるなど、国際的な救援活動が本格化した。しかし、人員や医薬品が不足し活動は難航している。

　ロイター通信によると、プレバル・ハイチ大統領は同日、地震による死者約７千人が既に墓地に埋葬されたと述べた。国連の潘基文事務総長は「発生後、７２時間が鍵だ」と述べ、時間との勝負になっていることを強調した。

　国連や米ＣＮＮテレビによると、米の救援チームが１４日朝、首都ポルトープランスで倒壊した平和維持活動（ＰＫＯ）部隊の本部ビルに下敷きになっていたエストニアの警備要員の男性（３８）を救助。現地には災害救助犬を連れたフランス隊のほか、スペイン、ドミニカ共和国などの救援チームが続々と到着、活動を始めた。事務総長は「今後、各国からさらに派遣される」と語った。

　被災地では医師、医療品不足が深刻化。国連や各国は救援物資の運搬、配布に全力を挙げる方針だ。ただ、ロイター通信によると、甚大な被害を受けたポルトープランスの空港は人員や物資を運ぶ航空機で満杯状態となり、米連邦航空局（ＦＡＡ）は米国から同空港への飛行を当面見合わせるよう指示した。



Subject: Haiti relief deadlock seven people buried in 1000, race against time
  Haiti's troubled rescue seven people buried in 1000, race against time
[Co] from a large earthquake in Port au Prince in Haiti two days after the 14th, and now he will begin his search for victims buried under collapsed houses in the West entered the local rescue team, the international relief activities in earnest. However, a lack of activity and medical personnel are faced with difficulties.