Invisible Walls

Old   #1
 
elite*gold: 0
Join Date: Dec 2006
Posts: 11
Received Thanks: 0
Invisible Walls

Hey ho folks.
Since I thought it would sometimes be very helpful to look through walls, or into castles^^.
So I've now programmed a wallhack.
You have to start the WH first and then WoW.
Once you're on your realm you can open the menu by pressing Shift+F10.
There you can set a lot of things (transparency, even decide whether you want to be able to see through the floor, or only the walls at your height).
Here's the DL: *CENSORED*

P.S.: please don't post the link in other forums or the like.

Have fun with it



Cold aS Ice is offline  
Old   #2
 
elite*gold: 0
Join Date: Oct 2006
Posts: 28
Received Thanks: 3
100% there's a keylogger in there.

DON'T DOWNLOAD!


Blackylein is offline  
Old   #3
 
elite*gold: 0
Join Date: Dec 2006
Posts: 11
Received Thanks: 0
If you say so^^
You don't have to download it.
Cold aS Ice is offline  
Old   #4
 
elite*gold: 0
Join Date: Aug 2006
Posts: 148
Received Thanks: 21
I'll test it, edit to follow.

//edit

Hmm, I'd keep my hands off it as long as there's no proof that it actually works.

Code:
                           ___                __    _                          
         +  /-            /   |  ____  __  __/ /_  (_)____       -\  +         
        /s  h-           / /| | / __ \/ / / / __ \/ / ___/       -h  s\        
        oh-:d/          / ___ |/ / / / /_/ / /_/ / (__  )        /d:-ho        
        shh+hy-        /_/  |_/_/ /_/\__,_/_.___/_/____/        -yh+hhs        
      -:+hhdhyys/-                                           -\syyhdhh+:-      
    -//////dhhhhhddhhyss-       Analysis Report       -ssyhhddhhhhhd\\\\\\-    
   /++/////oydddddhhyys/     ooooooooooooooooooooo     \syyhhdddddyo\\\\\++\   
 -+++///////odh/-                                             -+hdo\\\\\\\+++- 
 +++++++++//yy+/:                                             :\+yy\\+++++++++ 
/+soss+sys//yyo/os++o+:                                 :+o++so\oyy\\sys+ssos+\
+oyyyys++o/+yss/+/oyyyy:                               :yyyyo\+\ssy+\o++syyyyo+
+oyyyyyyso+os/o/+yyyyyy/                               \yyyyyy+\o\so+osyyyyyyo+


[#############################################################################]
    Analysis Report for Wallhack 2.1.exe
                   MD5: f5e007ca168d31cddd7bd3453a1c3ed8
[#############################################################################]

Summary: 
    - Autostart capabilities: 
        This executable registers processes to be executed at system start.
        This could result in unwanted actions to be performed automatically.

    - Performs File Modification and Destruction:
        The executable modifiesand destructs files which are not temporary.

    - Spawns Processes:
        The executable produces processes during the execution.

    - Performs Registry Activities:
        The executable reads and modifies registry values. It also creates and
        monitors registry keys.

[=============================================================================]
    Table of Contents
[=============================================================================]

- General information
- sample.exe
  a) Registry Activities
  b) File Activities
  c) Process Activities
    - crypted.exe
      a) Registry Activities
      b) File Activities


[#############################################################################]
    1. General Information
[#############################################################################]
[=============================================================================]
    Information about Anubis' invocation
[=============================================================================]
        Time needed:        241 s
        Report created:     11/06/08, 18:12:43
        Termination reason: Timeout
        Program version:    1.64.0

[=============================================================================]
    Global Network Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    TCP Connection Attempts:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        From ANUBIS:1037 to 66.220.17.200:80



[#############################################################################]
    2. sample.exe
[#############################################################################]
[=============================================================================]
    General information about this executable
[=============================================================================]
        Analysis Reason: Primary Analysis Subject
        Filename:        sample.exe
        MD5:             f5e007ca168d31cddd7bd3453a1c3ed8
        SHA-1:           a1adcffc5ca1b5329cb2a3aeb4fe62b1c334b0be
        File Size:       2290240 Bytes
        Command Line:    "C:\sample.exe"
        Process-status
        at analysis end: alive
        Exit Code:       0

[=============================================================================]
    Load-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
               Base Address: [0x7C900000 ], Size: [0x000AF000 ]
        Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
               Base Address: [0x7C800000 ], Size: [0x000F6000 ]
        Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
               Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
        Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
               Base Address: [0x77E70000 ], Size: [0x00092000 ]
        Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
               Base Address: [0x77FE0000 ], Size: [0x00011000 ]
        Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
               Base Address: [0x77F10000 ], Size: [0x00049000 ]
        Module Name: [ C:\WINDOWS\system32\USER32.dll ],
               Base Address: [0x7E410000 ], Size: [0x00091000 ]
        Module Name: [ C:\WINDOWS\system32\COMCTL32.dll ],
               Base Address: [0x5D090000 ], Size: [0x0009A000 ]
        Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
               Base Address: [0x77C00000 ], Size: [0x00008000 ]
        Module Name: [ C:\WINDOWS\system32\IMM32.DLL ],
               Base Address: [0x76390000 ], Size: [0x0001D000 ]

[=============================================================================]
    Run-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\advpack.dll ],
               Base Address: [0x42EC0000 ], Size: [0x0002E000 ]
        Module Name: [ C:\WINDOWS\system32\feclient.dll ],
               Base Address: [0x693F0000 ], Size: [0x00009000 ]
        Module Name: [ C:\WINDOWS\system32\MPR.dll ],
               Base Address: [0x71B20000 ], Size: [0x00012000 ]
        Module Name: [ C:\WINDOWS\system32\USERENV.dll ],
               Base Address: [0x769C0000 ], Size: [0x000B4000 ]
        Module Name: [ C:\WINDOWS\system32\ole32.dll ],
               Base Address: [0x774E0000 ], Size: [0x0013D000 ]
        Module Name: [ C:\WINDOWS\system32\SETUPAPI.dll ],
               Base Address: [0x77920000 ], Size: [0x000F3000 ]
        Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ],
               Base Address: [0x77A80000 ], Size: [0x00095000 ]
        Module Name: [ C:\WINDOWS\system32\MSASN1.dll ],
               Base Address: [0x77B20000 ], Size: [0x00012000 ]
        Module Name: [ C:\WINDOWS\system32\Apphelp.dll ],
               Base Address: [0x77B40000 ], Size: [0x00022000 ]
        Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
               Base Address: [0x77C10000 ], Size: [0x00058000 ]
        Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
               Base Address: [0x77F60000 ], Size: [0x00076000 ]

[=============================================================================]
    SigBuster Output
[=============================================================================]
        Microsoft_CAB vna SN:206

[=============================================================================]
    2.a) sample.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce ], 
             Value Name: [ wextract_cleanup0 ], New Value: [ rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\" ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], 
             Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
        Key: [ HKLM\SYSTEM\Setup ], 
             Value Name: [ OsLoaderPath ], Value: [ \ ], 2 times
        Key: [ HKLM\SYSTEM\Setup ], 
             Value Name: [ SystemPartition ], Value: [ \Device\HarddiskVolume1 ], 2 times
        Key: [ HKLM\SYSTEM\WPA\MediaCenter ], 
             Value Name: [ Installed ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ], 
             Value Name: [ DevicePath ], Value: [ %SystemRoot%\inf ], 1 time
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], 
             Value Name: [ DriverCachePath ], Value: [ %SystemRoot%\Driver Cache ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], 
             Value Name: [ LogLevel ], Value: [ 0 ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], 
             Value Name: [ ServicePackCachePath ], Value: [ c:\windows\ServicePackFiles\ServicePackCache ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], 
             Value Name: [ ServicePackSourcePath ], Value: [ c:\windows\ServicePackFiles ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], 
             Value Name: [ SourcePath ], Value: [ D:\ ], 2 times
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], 
             Value Name: [ AuthenticodeEnabled ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], 
             Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], 
             Value Name: [ PolicyScope ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], 
             Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], 
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], 
             Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], 
             Value Name: [ ItemSize ], Value: [ 779 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], 
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], 
             Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], 
             Value Name: [ ItemSize ], Value: [ 517 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], 
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], 
             Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], 
             Value Name: [ ItemSize ], Value: [ 918 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], 
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], 
             Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], 
             Value Name: [ ItemSize ], Value: [ 229 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], 
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], 
             Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], 
             Value Name: [ ItemSize ], Value: [ 370 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], 
             Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ], 
             Value Name: [ ComputerName ], Value: [ USER ], 3 times
        Key: [ HKLM\System\CurrentControlSet\Control\ProductOptions ], 
             Value Name: [ ProductType ], Value: [ WinNT ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], 
             Value Name: [ Domain ], Value: [  ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], 
             Value Name: [ Hostname ], Value: [ user ], 2 times
        Key: [ HKLM\System\Setup ], 
             Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\WPA\PnP ], 
             Value Name: [ seed ], Value: [ 1374283966 ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], 
             Value Name: [ Cache ], Value: [ C:\Documents and Settings\user\Local Settings\Temporary Internet Files ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], 
             Value Name: [ Local Settings ], Value: [ %USERPROFILE%\Local Settings ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], 
             Value Name: [ Personal ], Value: [ %USERPROFILE%\My Documents ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Monitored Registry Keys:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\system\CurrentControlSet\control\NetworkProvider\HwOrder ], 
             Watch subtree: [ 0 ], Notify Filter: [ Value Change ], 1 time


[=============================================================================]
    2.b) sample.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP ]
        File Name: [ C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\TMP4351$.TMP ]
        File Name: [ C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\crypted.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ PIPE\lsarpc ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\crypted.exe ]
        File Name: [ MountPointManager ]
        File Name: [ PIPE\lsarpc ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Directories Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Directory: [ C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ C: ], Control Code: [ 0x004D0008 ], 1 time
        File: [ MountPointManager ], Control Code: [ 0x006D0008 ], 1 time
        File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\crypted.exe ]
        File Name: [ C:\WINDOWS\system32\Apphelp.dll ]
        File Name: [ C:\WINDOWS\system32\SETUPAPI.dll ]
        File Name: [ C:\WINDOWS\system32\advpack.dll ]
        File Name: [ C:\WINDOWS\system32\feclient.dll ]
        File Name: [ C:\Windows\AppPatch\sysmain.sdb ]

[=============================================================================]
    2.c) sample.exe - Process Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Processes Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Executable: [ C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\crypted.exe ], Command Line: [  ]
        Executable: [  ], Command Line: [ C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\crypted.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Remote Threads Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Affected Process: [ C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\crypted.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Foreign Memory Regions Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Process: [ C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\crypted.exe ]



[#############################################################################]
    3. crypted.exe
[#############################################################################]
[=============================================================================]
    General information about this executable
[=============================================================================]
        Analysis Reason: Started by sample.exe
        Filename:        crypted.exe
        MD5:             ca71346d15cd55f9238d9f2042ffb04b
        SHA-1:           26e87ab5db02d66fa9b0bda7bd9a8af0859fe565
        File Size:       112740 Bytes
        Command Line:    C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\crypted.exe
        Process-status
        at analysis end: alive
        Exit Code:       0

[=============================================================================]
    Load-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
               Base Address: [0x7C900000 ], Size: [0x000AF000 ]
        Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
               Base Address: [0x7C800000 ], Size: [0x000F6000 ]
        Module Name: [ C:\WINDOWS\system32\MSVBVM60.DLL ],
               Base Address: [0x73420000 ], Size: [0x00153000 ]
        Module Name: [ C:\WINDOWS\system32\USER32.dll ],
               Base Address: [0x7E410000 ], Size: [0x00091000 ]
        Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
               Base Address: [0x77F10000 ], Size: [0x00049000 ]
        Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
               Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
        Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
               Base Address: [0x77E70000 ], Size: [0x00092000 ]
        Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
               Base Address: [0x77FE0000 ], Size: [0x00011000 ]
        Module Name: [ C:\WINDOWS\system32\ole32.dll ],
               Base Address: [0x774E0000 ], Size: [0x0013D000 ]
        Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
               Base Address: [0x77C10000 ], Size: [0x00058000 ]
        Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ],
               Base Address: [0x77120000 ], Size: [0x0008B000 ]
        Module Name: [ C:\WINDOWS\system32\IMM32.DLL ],
               Base Address: [0x76390000 ], Size: [0x0001D000 ]

[=============================================================================]
    Run-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\MSCTF.dll ],
               Base Address: [0x74720000 ], Size: [0x0004C000 ]
        Module Name: [ C:\WINDOWS\system32\msctfime.ime ],
               Base Address: [0x755C0000 ], Size: [0x0002E000 ]
        Module Name: [ C:\WINDOWS\system32\version.dll ],
               Base Address: [0x77C00000 ], Size: [0x00008000 ]
        Module Name: [ C:\WINDOWS\system32\SXS.DLL ],
               Base Address: [0x7E720000 ], Size: [0x000B0000 ]

[=============================================================================]
    3.a) crypted.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ], 
             Value Name: [ CUAS ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\CTF\SystemShared ], 
             Value Name: [ CUAS ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\IMM ], 
             Value Name: [ Ime File ], Value: [ msctfime.ime ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Codepage ], 
             Value Name: [ 932 ], Value: [ c_932.nls ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Codepage ], 
             Value Name: [ 936 ], Value: [ c_936.nls ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Codepage ], 
             Value Name: [ 949 ], Value: [ c_949.nls ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Codepage ], 
             Value Name: [ 950 ], Value: [ c_950.nls ], 1 time


[=============================================================================]
    3.b) crypted.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\crypted.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ unnamed file ], Control Code: [ 0x00390008 ], 7 times

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\WINDOWS\system32\MSCTF.dll ]
        File Name: [ C:\WINDOWS\system32\SXS.DLL ]
        File Name: [ C:\WINDOWS\system32\msctfime.ime ]
        File Name: [ C:\WINDOWS\system32\rpcss.dll ]



[#############################################################################]
                       International Secure Systems Lab                        
                            http://www.iseclab.org                             

Vienna University of Technology     Eurecom France            UC Santa Barbara
http://www.tuwien.ac.at          http://www.eurecom.fr  http://www.cs.ucsb.edu

                          Contact: 
I'll let the file run on VMware for a bit later; another edit will follow then.

Regards
Syne


Syne is offline  
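As an added example (not from the thread, and not Anubis code), a small Python triage script that parses an excerpt in the Anubis report layout and flags the behaviours the posters point at: the outbound TCP attempt, the RunOnce entry, the executable dropped under Temp and then run, and the remote thread. The section names, bracket fields and indentation follow the report above; the sample excerpt is constructed from its values, and the severity labels are my own.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed excerpt in the Anubis text-report layout, using the values from
# the report quoted in this thread (dividers shortened, other sections left out).
SAMPLE_REPORT = r"""
[=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    TCP Connection Attempts:
        From ANUBIS:1037 to 66.220.17.200:80
[=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Modified:
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce ],
             Value Name: [ wextract_cleanup0 ], New Value: [ rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\" ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Created:
        File Name: [ C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP ]
        File Name: [ C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\crypted.exe ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Processes Created:
        Executable: [ C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\crypted.exe ], Command Line: [  ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Remote Threads Created:
        Affected Process: [ C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\crypted.exe ]
"""

SECTION_RE = re.compile(r"^ {4}(\S.*?):\s*$")      # e.g. '    Files Created:'
DIVIDER_RE = re.compile(r"^\[[=\-#]+\]\s*$")       # the [=-=-=...] rulers
BRACKET_RE = re.compile(r"\[ ?(.*?) ?\]")          # '[ value ]' fields


def parse_sections(report: str) -> dict[str, list[str]]:
    """Group entry lines (8-space indent) under the section header above them;
    deeper-indented continuation lines ('Value Name: ...' under 'Key: ...')
    are joined onto their entry so each entry is one string."""
    sections: dict[str, list[str]] = {}
    current = None
    for line in report.splitlines():
        if not line.strip() or DIVIDER_RE.match(line):
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is None:
            continue
        elif line.startswith(" " * 13) and sections[current]:
            sections[current][-1] += " " + line.strip()
        elif line.startswith(" " * 8):
            sections[current].append(line.strip())
    return sections


@dataclass
class Finding:
    kind: str
    severity: str  # "high", "medium" or "info"
    detail: str


def triage(report: str) -> list[Finding]:
    """The checks a reviewer runs over such a report: outbound traffic, autostart
    keys, executables dropped under Temp and then run, threads in other processes."""
    s, found, dropped = parse_sections(report), [], set()
    for entry in s.get("TCP Connection Attempts", []):
        m = re.search(r"to (\d{1,3}(?:\.\d{1,3}){3}):(\d+)", entry)
        if m and not ipaddress.ip_address(m[1]).is_private:
            found.append(Finding("network", "high", f"connects out to {m[1]} port {m[2]}"))
    for entry in s.get("Registry Values Modified", []):
        key = (BRACKET_RE.findall(entry) or [""])[0]
        if re.search(r"\\CurrentVersion\\Run(Once)?$", key, re.I):
            found.append(Finding("autostart", "medium", f"writes autostart value under {key}"))
        # wextract_cleanup + advpack DelNodeRunDLL32 is the cleanup hook of a
        # wextract/IExpress self-extractor: the sample is a wrapper that unpacks
        # an embedded payload into an IXP*.TMP directory and runs it from there.
        if "wextract_cleanup" in entry and "DelNodeRunDLL32" in entry:
            found.append(Finding("self-extractor", "info", "wextract/IExpress package"))
    for entry in s.get("Files Created", []):
        for path in BRACKET_RE.findall(entry):
            if re.search(r"\\Temp\\.*\.exe$", path, re.I):
                dropped.add(path)
                found.append(Finding("dropped-exe", "high", f"drops executable {path}"))
    for entry in s.get("Processes Created", []):
        for path in BRACKET_RE.findall(entry):
            if path in dropped:
                found.append(Finding("dropped-exe-run", "high", f"executes dropped {path}"))
    for entry in s.get("Remote Threads Created", []):
        target = BRACKET_RE.search(entry)
        found.append(Finding("remote-thread", "high",
                             f"creates a thread in {target[1] if target else entry}"))
    return found


def verdict(findings: list[Finding]) -> str:
    """Highest severity among the findings, or 'clean' when no check fired."""
    rank = {"high": 3, "medium": 2, "info": 1}
    return max((f.severity for f in findings), key=rank.get, default="clean")
```

Running `triage(SAMPLE_REPORT)` yields six findings and a "high" verdict, which is the same conclusion the thread reaches from the report while the antivirus lists further down show nothing.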
Old   #5
 
elite*gold: 0
Join Date: Aug 2007
Posts: 643
Received Thanks: 24
Antivir: Nothing found
ArcaVir: Nothing found
Avast: Nothing found
AVG: Nothing found
BitDefender: Nothing found
F-Prot: Nothing found
Norman: Nothing found
Rising: Nothing found
VirusBlokAda32: Nothing found
VirusBuster: Nothing found


Scanned by
n8wing is offline  
Old   #6
 
elite*gold: 19
Join Date: Sep 2007
Posts: 1,525
Received Thanks: 1,057
Just doesn't work :P
Alisami is offline  
Old   #7
 
elite*gold: 0
Join Date: Mar 2008
Posts: 77
Received Thanks: 4
Antivir: Nothing found
ArcaVir: Nothing found
Avast: Nothing found
AVG: Nothing found
BitDefender: Nothing found
F-Prot: Nothing found
Norman: Nothing found
Rising: Nothing found
VirusBlokAda32: Nothing found
VirusBuster: Nothing found

Doesn't mean anything. The only safe way to test something is a sandbox or similar, because it can just as easily be a FUD RAT/keylogger etc., and sites like VT or the like won't help you there.
apollo17 is offline  
Old   #8
 
elite*gold: 1438
Join Date: Jun 2007
Posts: 3,216
Received Thanks: 758
From ANUBIS:1037 to 66.220.17.200:80


That says it all .....
And lol, File Name: [ C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\crypted.exe ^^

Internet Provider Abuse Inc!

*edit*
Kiddy deleted the file himself?!
Well, I still have the file anyway, haha
Pand0r is offline  
Old   #9
 
elite*gold: 19
Join Date: Sep 2007
Posts: 1,525
Received Thanks: 1,057
Started it :P Any idea how I get rid of it? I'm not worried about the account, but about the rest!

It has lodged itself in many places:


Any idea?
Alisami is offline  
Old   #10
 
elite*gold: 0
Join Date: Aug 2006
Posts: 148
Received Thanks: 21
It's 100% a trojan/keylogger (ran it under VMware), but I don't think the IP (66.220.17.200) is right.

Code:
IP address:                     66.220.17.200
Reverse DNS:                    [No reverse DNS entry per ns1.lop.com.]
Reverse DNS authenticity:       [Unknown]
ASN:                            6939
ASN Name:                       HURRICANE
IP range connectivity:          2
Registrar (per ASN):            ARIN
Country (per IP registrar):     US [United States]
Country Currency:               USD [United States Dollars]
Country IP Range:               66.220.0.0 to 66.220.127.255
Country fraud profile:          Normal
City (per outside source):      Shalimar, Florida
Country (per outside source):   US [United States]
Private (internal) IP?          No
IP address registrar:           whois.arin.net
Known Proxy?                    No
Quote:
Originally Posted by Alisami
Started it :P Any idea how I get rid of it? I'm not worried about the account, but about the rest!

It has lodged itself in many places:

...

Any idea?
Uhm, well, if you ran it on your system without a VM or sandbox, it's really your own fault... that was pretty careless!

Should help...

Regards
Syne
Syne is offline  
Old   #11
 
elite*gold: 0
Join Date: Mar 2008
Posts: 77
Received Thanks: 4
Thx, I already figured. Abuse reports will follow; bad crypter, it apparently wasn't FUD :=)

Does anyone maybe still have the no-ip details?
apollo17 is offline  
Old   #12
 
elite*gold: 1438
Join Date: Jun 2007
Posts: 3,216
Received Thanks: 758
Why did you run it under VMware again?
Anubis already showed 100% that it creates files like crypted.exe and connects to an IP.
Pand0r is offline  
Old   #13
 
elite*gold: 0
Join Date: Aug 2006
Posts: 148
Received Thanks: 21
Quote:
Originally Posted by Pand0r
Why did you run it under VMware again?
Anubis already showed 100% that it creates files like crypted.exe and connects to an IP.
Boredom, and I wanted to take a live look at it myself.

Regards
Syne
Syne is offline  
Old   #14
 
elite*gold: 0
Join Date: Dec 2006
Posts: 2
Received Thanks: 0
Wow, you're all such experts!
Syne, your results are first class. You post unnecessary stuff that is 99% just CRAP anyway! Better leave it if you have no clue. =)
---Mario--- is offline  
Old   #15
 
elite*gold: 1438
Join Date: Jun 2007
Posts: 3,216
Received Thanks: 758
Quote:
Originally Posted by ---Mario---
Wow, you're all such experts!
Syne, your results are first class. You post unnecessary stuff that is 99% just CRAP anyway! Better leave it if you have no clue. =)
Unnecessary stuff?
Uh, no!

The Anubis result was by far the best in this thread!
Virustotal and Viruschief are rather ridiculous.


Pand0r is offline  