Invisible Walls

11/06/2008 16:06 Cold aS Ice#1
Hey ho folks.
Since I figured it is sometimes very helpful to look through walls, or into castles^^.
So I've now coded a wallhack.
You have to start the wh first and then WoW.
Once you're on your realm you can open the menu by pressing Shift+F10.
There you can configure lots of things (transparency, even decide whether you want to be able to see through the floor, or only the walls at your own height).
Here's the DL: *CENSORED*

P.S.: please don't post the link in other forums etc.

Have fun with it
11/06/2008 17:21 Blackylein#2
100% there's a keylogger in there.

DON'T DOWNLOAD!
11/06/2008 17:59 Cold aS Ice#3
if you say so^^
you don't have to download it
11/06/2008 18:06 Syne#4
I'll test it, edit to follow.

//edit

Hmm, I'd keep my hands off it as long as there's no proof that it actually works.

Code:
                           ___                __    _                          
         +  /-            /   |  ____  __  __/ /_  (_)____       -\  +         
        /s  h-           / /| | / __ \/ / / / __ \/ / ___/       -h  s\        
        oh-:d/          / ___ |/ / / / /_/ / /_/ / (__  )        /d:-ho        
        shh+hy-        /_/  |_/_/ /_/\__,_/_.___/_/____/        -yh+hhs        
      -:+hhdhyys/-                                           -\syyhdhh+:-      
    -//////dhhhhhddhhyss-       Analysis Report       -ssyhhddhhhhhd\\\\\\-    
   /++/////oydddddhhyys/     ooooooooooooooooooooo     \syyhhdddddyo\\\\\++\   
 -+++///////odh/-                                             -+hdo\\\\\\\+++- 
 +++++++++//yy+/:                                             :\+yy\\+++++++++ 
/+soss+sys//yyo/os++o+:                                 :+o++so\oyy\\sys+ssos+\
+oyyyys++o/+yss/+/oyyyy:                               :yyyyo\+\ssy+\o++syyyyo+
+oyyyyyyso+os/o/+yyyyyy/                               \yyyyyy+\o\so+osyyyyyyo+


[#############################################################################]
    Analysis Report for Wallhack 2.1.exe
                   MD5: f5e007ca168d31cddd7bd3453a1c3ed8
[#############################################################################]

Summary: 
    - Autostart capabilities: 
        This executable registers processes to be executed at system start.
        This could result in unwanted actions to be performed automatically.

    - Performs File Modification and Destruction:
        The executable modifies and destructs files which are not temporary.

    - Spawns Processes:
        The executable produces processes during the execution.

    - Performs Registry Activities:
        The executable reads and modifies registry values. It also creates and
        monitors registry keys.

[=============================================================================]
    Table of Contents
[=============================================================================]

- General information
- sample.exe
  a) Registry Activities
  b) File Activities
  c) Process Activities
    - crypted.exe
      a) Registry Activities
      b) File Activities


[#############################################################################]
    1. General Information
[#############################################################################]
[=============================================================================]
    Information about Anubis' invocation
[=============================================================================]
        Time needed:        241 s
        Report created:     11/06/08, 18:12:43
        Termination reason: Timeout
        Program version:    1.64.0

[=============================================================================]
    Global Network Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    TCP Connection Attempts:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        From ANUBIS:1037 to 66.220.17.200:80



[#############################################################################]
    2. sample.exe
[#############################################################################]
[=============================================================================]
    General information about this executable
[=============================================================================]
        Analysis Reason: Primary Analysis Subject
        Filename:        sample.exe
        MD5:             f5e007ca168d31cddd7bd3453a1c3ed8
        SHA-1:           a1adcffc5ca1b5329cb2a3aeb4fe62b1c334b0be
        File Size:       2290240 Bytes
        Command Line:    "C:\sample.exe"
        Process-status
        at analysis end: alive
        Exit Code:       0

[=============================================================================]
    Load-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
               Base Address: [0x7C900000 ], Size: [0x000AF000 ]
        Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
               Base Address: [0x7C800000 ], Size: [0x000F6000 ]
        Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
               Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
        Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
               Base Address: [0x77E70000 ], Size: [0x00092000 ]
        Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
               Base Address: [0x77FE0000 ], Size: [0x00011000 ]
        Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
               Base Address: [0x77F10000 ], Size: [0x00049000 ]
        Module Name: [ C:\WINDOWS\system32\USER32.dll ],
               Base Address: [0x7E410000 ], Size: [0x00091000 ]
        Module Name: [ C:\WINDOWS\system32\COMCTL32.dll ],
               Base Address: [0x5D090000 ], Size: [0x0009A000 ]
        Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
               Base Address: [0x77C00000 ], Size: [0x00008000 ]
        Module Name: [ C:\WINDOWS\system32\IMM32.DLL ],
               Base Address: [0x76390000 ], Size: [0x0001D000 ]

[=============================================================================]
    Run-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\advpack.dll ],
               Base Address: [0x42EC0000 ], Size: [0x0002E000 ]
        Module Name: [ C:\WINDOWS\system32\feclient.dll ],
               Base Address: [0x693F0000 ], Size: [0x00009000 ]
        Module Name: [ C:\WINDOWS\system32\MPR.dll ],
               Base Address: [0x71B20000 ], Size: [0x00012000 ]
        Module Name: [ C:\WINDOWS\system32\USERENV.dll ],
               Base Address: [0x769C0000 ], Size: [0x000B4000 ]
        Module Name: [ C:\WINDOWS\system32\ole32.dll ],
               Base Address: [0x774E0000 ], Size: [0x0013D000 ]
        Module Name: [ C:\WINDOWS\system32\SETUPAPI.dll ],
               Base Address: [0x77920000 ], Size: [0x000F3000 ]
        Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ],
               Base Address: [0x77A80000 ], Size: [0x00095000 ]
        Module Name: [ C:\WINDOWS\system32\MSASN1.dll ],
               Base Address: [0x77B20000 ], Size: [0x00012000 ]
        Module Name: [ C:\WINDOWS\system32\Apphelp.dll ],
               Base Address: [0x77B40000 ], Size: [0x00022000 ]
        Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
               Base Address: [0x77C10000 ], Size: [0x00058000 ]
        Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
               Base Address: [0x77F60000 ], Size: [0x00076000 ]

[=============================================================================]
    SigBuster Output
[=============================================================================]
        Microsoft_CAB vna SN:206

[=============================================================================]
    2.a) sample.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce ], 
             Value Name: [ wextract_cleanup0 ], New Value: [ rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\" ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], 
             Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
        Key: [ HKLM\SYSTEM\Setup ], 
             Value Name: [ OsLoaderPath ], Value: [ \ ], 2 times
        Key: [ HKLM\SYSTEM\Setup ], 
             Value Name: [ SystemPartition ], Value: [ \Device\HarddiskVolume1 ], 2 times
        Key: [ HKLM\SYSTEM\WPA\MediaCenter ], 
             Value Name: [ Installed ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ], 
             Value Name: [ DevicePath ], Value: [ %SystemRoot%\inf ], 1 time
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], 
             Value Name: [ DriverCachePath ], Value: [ %SystemRoot%\Driver Cache ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], 
             Value Name: [ LogLevel ], Value: [ 0 ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], 
             Value Name: [ ServicePackCachePath ], Value: [ c:\windows\ServicePackFiles\ServicePackCache ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], 
             Value Name: [ ServicePackSourcePath ], Value: [ c:\windows\ServicePackFiles ], 2 times
        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], 
             Value Name: [ SourcePath ], Value: [ D:\ ], 2 times
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], 
             Value Name: [ AuthenticodeEnabled ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], 
             Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], 
             Value Name: [ PolicyScope ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], 
             Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], 
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], 
             Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], 
             Value Name: [ ItemSize ], Value: [ 779 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], 
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], 
             Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], 
             Value Name: [ ItemSize ], Value: [ 517 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], 
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], 
             Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], 
             Value Name: [ ItemSize ], Value: [ 918 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], 
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], 
             Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], 
             Value Name: [ ItemSize ], Value: [ 229 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], 
             Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], 
             Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], 
             Value Name: [ ItemSize ], Value: [ 370 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], 
             Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], 
             Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ], 
             Value Name: [ ComputerName ], Value: [ USER ], 3 times
        Key: [ HKLM\System\CurrentControlSet\Control\ProductOptions ], 
             Value Name: [ ProductType ], Value: [ WinNT ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], 
             Value Name: [ Domain ], Value: [  ], 2 times
        Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], 
             Value Name: [ Hostname ], Value: [ user ], 2 times
        Key: [ HKLM\System\Setup ], 
             Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
        Key: [ HKLM\System\WPA\PnP ], 
             Value Name: [ seed ], Value: [ 1374283966 ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], 
             Value Name: [ Cache ], Value: [ C:\Documents and Settings\user\Local Settings\Temporary Internet Files ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], 
             Value Name: [ Local Settings ], Value: [ %USERPROFILE%\Local Settings ], 1 time
        Key: [ HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], 
             Value Name: [ Personal ], Value: [ %USERPROFILE%\My Documents ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Monitored Registry Keys:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\system\CurrentControlSet\control\NetworkProvider\HwOrder ], 
             Watch subtree: [ 0 ], Notify Filter: [ Value Change ], 1 time


[=============================================================================]
    2.b) sample.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP ]
        File Name: [ C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\TMP4351$.TMP ]
        File Name: [ C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\crypted.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ PIPE\lsarpc ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\crypted.exe ]
        File Name: [ MountPointManager ]
        File Name: [ PIPE\lsarpc ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Directories Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Directory: [ C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ C: ], Control Code: [ 0x004D0008 ], 1 time
        File: [ MountPointManager ], Control Code: [ 0x006D0008 ], 1 time
        File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\crypted.exe ]
        File Name: [ C:\WINDOWS\system32\Apphelp.dll ]
        File Name: [ C:\WINDOWS\system32\SETUPAPI.dll ]
        File Name: [ C:\WINDOWS\system32\advpack.dll ]
        File Name: [ C:\WINDOWS\system32\feclient.dll ]
        File Name: [ C:\Windows\AppPatch\sysmain.sdb ]

[=============================================================================]
    2.c) sample.exe - Process Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Processes Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Executable: [ C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\crypted.exe ], Command Line: [  ]
        Executable: [  ], Command Line: [ C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\crypted.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Remote Threads Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Affected Process: [ C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\crypted.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Foreign Memory Regions Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Process: [ C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\crypted.exe ]



[#############################################################################]
    3. crypted.exe
[#############################################################################]
[=============================================================================]
    General information about this executable
[=============================================================================]
        Analysis Reason: Started by sample.exe
        Filename:        crypted.exe
        MD5:             ca71346d15cd55f9238d9f2042ffb04b
        SHA-1:           26e87ab5db02d66fa9b0bda7bd9a8af0859fe565
        File Size:       112740 Bytes
        Command Line:    C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\crypted.exe
        Process-status
        at analysis end: alive
        Exit Code:       0

[=============================================================================]
    Load-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
               Base Address: [0x7C900000 ], Size: [0x000AF000 ]
        Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
               Base Address: [0x7C800000 ], Size: [0x000F6000 ]
        Module Name: [ C:\WINDOWS\system32\MSVBVM60.DLL ],
               Base Address: [0x73420000 ], Size: [0x00153000 ]
        Module Name: [ C:\WINDOWS\system32\USER32.dll ],
               Base Address: [0x7E410000 ], Size: [0x00091000 ]
        Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
               Base Address: [0x77F10000 ], Size: [0x00049000 ]
        Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
               Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
        Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
               Base Address: [0x77E70000 ], Size: [0x00092000 ]
        Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
               Base Address: [0x77FE0000 ], Size: [0x00011000 ]
        Module Name: [ C:\WINDOWS\system32\ole32.dll ],
               Base Address: [0x774E0000 ], Size: [0x0013D000 ]
        Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
               Base Address: [0x77C10000 ], Size: [0x00058000 ]
        Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ],
               Base Address: [0x77120000 ], Size: [0x0008B000 ]
        Module Name: [ C:\WINDOWS\system32\IMM32.DLL ],
               Base Address: [0x76390000 ], Size: [0x0001D000 ]

[=============================================================================]
    Run-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\MSCTF.dll ],
               Base Address: [0x74720000 ], Size: [0x0004C000 ]
        Module Name: [ C:\WINDOWS\system32\msctfime.ime ],
               Base Address: [0x755C0000 ], Size: [0x0002E000 ]
        Module Name: [ C:\WINDOWS\system32\version.dll ],
               Base Address: [0x77C00000 ], Size: [0x00008000 ]
        Module Name: [ C:\WINDOWS\system32\SXS.DLL ],
               Base Address: [0x7E720000 ], Size: [0x000B0000 ]

[=============================================================================]
    3.a) crypted.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ], 
             Value Name: [ CUAS ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\CTF\SystemShared ], 
             Value Name: [ CUAS ], Value: [ 0 ], 1 time
        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\IMM ], 
             Value Name: [ Ime File ], Value: [ msctfime.ime ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Codepage ], 
             Value Name: [ 932 ], Value: [ c_932.nls ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Codepage ], 
             Value Name: [ 936 ], Value: [ c_936.nls ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Codepage ], 
             Value Name: [ 949 ], Value: [ c_949.nls ], 1 time
        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Codepage ], 
             Value Name: [ 950 ], Value: [ c_950.nls ], 1 time


[=============================================================================]
    3.b) crypted.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\crypted.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File: [ unnamed file ], Control Code: [ 0x00390008 ], 7 times

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\WINDOWS\system32\MSCTF.dll ]
        File Name: [ C:\WINDOWS\system32\SXS.DLL ]
        File Name: [ C:\WINDOWS\system32\msctfime.ime ]
        File Name: [ C:\WINDOWS\system32\rpcss.dll ]



[#############################################################################]
                       International Secure Systems Lab                        
                            http://www.iseclab.org                             

Vienna University of Technology     Eurecom France            UC Santa Barbara
http://www.tuwien.ac.at          http://www.eurecom.fr  http://www.cs.ucsb.edu

I'll let the file run in VMware for a bit later on, another edit will follow.

Regards
Syne
11/06/2008 18:23 n8wing#5
Antivir: Nothing found
ArcaVir: Nothing found
Avast: Nothing found
AVG: Nothing found
BitDefender: Nothing found
F-Prot: Nothing found
Norman: Nothing found
Rising: Nothing found
VirusBlokAda32: Nothing found
VirusBuster: Nothing found

11/06/2008 18:28 Alisami#6
just doesn't work :P
11/06/2008 18:34 apollo17#7
Antivir: Nothing found
ArcaVir: Nothing found
Avast: Nothing found
AVG: Nothing found
BitDefender: Nothing found
F-Prot: Nothing found
Norman: Nothing found
Rising: Nothing found
VirusBlokAda32: Nothing found
VirusBuster: Nothing found

That doesn't mean anything. The only safe way to test something is a sandbox or similar, because it can just as easily be a FUD RAT/keylogger etc., and sites like VT or similar won't help you with that.
11/06/2008 18:40 Pand0r#8
From ANUBIS:1037 to 66.220.17.200:80


Says it all .....
And lol, File Name: [ C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\crypted.exe ] ^^

Internet Provider Abuse Inc!

*edit*
Kiddy deleted the file himself?!
Well, I still have the file anyway, haha ;)
11/06/2008 18:52 Alisami#9
I started it :P Any idea how to get rid of it? I'm not worried about the acc, but about the rest!

It has lodged itself in lots of places:


Ideas?
11/06/2008 18:52 Syne#10
It's 100% a trojan/keylogger (had it running in VMware), but I don't think the IP (66.220.17.200) is right.

Code:
IP address:                     66.220.17.200
Reverse DNS:                    [No reverse DNS entry per ns1.lop.com.]
Reverse DNS authenticity:       [Unknown]
ASN:                            6939
ASN Name:                       HURRICANE
IP range connectivity:          2
Registrar (per ASN):            ARIN
Country (per IP registrar):     US [United States]
Country Currency:               USD [United States Dollars]
Country IP Range:               66.220.0.0 to 66.220.127.255
Country fraud profile:          Normal
City (per outside source):      Shalimar, Florida
Country (per outside source):   US [United States]
Private (internal) IP?          No
IP address registrar:           whois.arin.net
Known Proxy?                    No
Quote:
Originally Posted by Alisami:
I started it :P Any idea how to get rid of it? I'm not worried about the acc, but about the rest!

It has lodged itself in lots of places:

...

Ideas?
Uhm, well, if you ran it on your system without a VM or sandbox, it's really your own fault... that was pretty careless!


Should help...

Regards
Syne
11/06/2008 18:56 apollo17#11
Thx, I already figured as much; abuse reports will follow :) bad crypter, it apparently wasn't FUD :=)

does anyone still have the no-ip data?
11/06/2008 18:56 Pand0r#12
Why did you run it in VMware again?
You could already see 100% from Anubis that it creates files like crypted.exe and connects to an IP.
11/06/2008 19:44 Syne#13
Quote:
Originally Posted by Pand0r:
Why did you run it in VMware again?
You could already see 100% from Anubis that it creates files like crypted.exe and connects to an IP.
Boredom, and I wanted to watch it live myself. :)

Mfg
Syne
11/06/2008 20:50 ---Mario---#14
Wow, you guys are real experts! :)
Syne, your results are first class. The rest of you are posting useless stuff that's 99% CRAP anyway! Better leave it if you have no clue. =)
11/06/2008 20:53 Pand0r#15
Quote:
Originally Posted by ---Mario---:
Wow, you guys are real experts! :)
Syne, your results are first class. The rest of you are posting useless stuff that's 99% CRAP anyway! Better leave it if you have no clue. =)
Useless stuff?
Um, no!

The Anubis result was by far the best one in this thread!
VirusTotal and Viruschief are rather laughable.