
servicemain_exe file analysis

Contains functionality to modify services (start/stop/modify)

StartServiceCtrlDispatcherA

Contains functionality to modify the execution of threads in other processes

OpenProcess, GetLastError, wsprintfA, MessageBoxA, lstrlenA, VirtualAllocEx, WriteProcessMemory, GetModuleHandleA, GetProcAddress, CreateRemoteThread, CloseHandle

Contains functionality to query local / system time

GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, RtlQueryPerformanceCounter

Contains functionality to query windows version

HeapCreate, GetVersion, HeapSetInformation

Contains functionality to start windows services

StartServiceCtrlDispatcherA

Reads software policies

Value HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter

Contains functionality to inject threads in other processes

OpenProcess, GetLastError, wsprintfA, MessageBoxA, lstrlenA, VirtualAllocEx, WriteProcessMemory, GetModuleHandleA, GetProcAddress, CreateRemoteThread, CloseHandle

FILES

C:\Windows\SYSTEM32\sechost.dll

C:\Users\user\Desktop
C:\Windows\system32\IMM32.DLL

C:\Users\user\Desktop\

REGISTRY KEYS

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Sorting\Versions

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Error Message Instrument\

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Srp\GP\DLL

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

unknown

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName

HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows

HKEY_LOCAL_MACHINE\SYSTEM\Setup

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName

HKEY_LOCAL_MACHINE\System\Setup

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows

Treygen_dll file analysis

Outbound HTTP GET

http://www.zeff.jp:80/image/about/image_bs.php?rsv_bk=UUEzNDAxNzI0REIzQTU=&wds=NjQxMmFuZFN1blNoaW5l0e2da

Executable Imported the IsDebuggerPresent Symbol
