Vitali Kremez

Necurs Rootkit Dropper: Sys Driver Persistence

6/18/2016

Source: SysAnalyzer, Immunity Debugger, IDA Pro

File: necurs_dropper.exe
Size: 97792 Bytes
MD5: 6B3D2D146E683DAF0DEB906D57393E22

Mutex:
PID    Name *    
--------------------------------------------------
1212    Instance0:  ESENT Performance Data Schema Version 40   

Processes:
PID    ParentPID    User    Path    
--------------------------------------------------
2688    872    USER-06EF21E8DC:Administrator    C:\Documents and Settings\Administrator\Desktop\dropper.exe    

Ports:
Port    PID    Type    Path    
--------------------------------------------------
3417    2688    TCP    C:\Documents and Settings\Administrator\Desktop\dropper.exe    
3418    3536    TCP    C:\Documents and Settings\Administrator\Desktop\dropper.exe    
3419    384    TCP    C:\Documents and Settings\Administrator\Desktop\dropper

API Logger:
91222     CreateFileA(\\.\NtSecureSys)    
912c6     GetCurrentProcessId()=2688
771bd3a9     connect( 69.50.214.54:80 )
Scanning for 19 signatures
Scan Complete: 108Kb in 0 seconds

Urls

--------------------------------------------------
<html><head><title>504 Connect to %s failed: host unreachable.</title></head><body><h1>504 Connect to %s failed: host unreachable</h1><p>The following error occurred while trying to access <strong>http://%s%s</strong>:<br><br><strong>504 Connect to %s failed: host unreachable</strong></p></body></html>
http://69.50.214.54/i.php?v=1012&affid=36411
http://69.50.214.54/i.php?v=1012&affid=36414
http://213.229.106.135/mac/mac.php?affid=00100
http://69.50.214.54/i.php?v=1012&affid=36413
http://69.50.214.54/i.php?v=1012&affid=36412
http://69.50.214.54/i.php?v=1012&affid=36410

RegKeys
--------------------------------------------------
SUNBELT SOFTWARE
Sunbelt Software
G DATA Software
CJSC Returnil Software
Check Point Software Technologies Ltd
Panda Software International
FRISK Software International Ltd
ALWIL Software
Software\Microsoft\Windows\CurrentVersion\RunOnce

ExeRefs
--------------------------------------------------
File: dropper_dmp.exe_
bcdedit.exe -set TESTSIGNING ON
svchost.exe
services.exe
ntoskrnl.exe
services.exe
ntoskrnl.exe
%s\%d.exe
\SystemRoot\System32\winload.exe
\SystemRoot\System32\winload.exe
Rootkit Sys Routines:

\??\NtSecureSys
\Device\NtSecureSys
\Device\Tcp
Boot Bus Extender
Group
\SystemRoot\System32\Drivers\
ImagePath
Start
Type
ErrorControl
DisplayName
\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services
%s\Services\%S
ControlSet
\REGISTRY\MACHINE\SYSTEM
\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\%S
\SystemRoot\System32\Drivers\%S.sys
20101
ObRegisterCallbacks
\SystemRoot\
\??\
\SystemRoot\System32\Drivers\%s.sys
System32\
\SystemRoot\System32\winload.exe
\bootmgr
\boot.ini
\ntldr
\SystemRoot\System32\
*.dll
\SystemRoot\System32\ntdll.dll
win32k.sys
BITS
wuauserv
KProcessHacker
Sophos Plc
Anti-Virus
antimalware
Comodo Inc
ZwFlushBuffersFile
<<<Obsolete>>