FSIS forensic report summary, 2 samples:
================================================
Date: 2007/7/18 Time: 9:11:36
File name: file.exe
FileSize: 53760
MD5: D13DFC9068B64DA468F410E84FA1E9A1
1. launch thread.
2. open registry SOFTWARE\Microsoft\Windows\CurrentVersion.
3. create new executable file onto the system C:\WINDOWS\Media\910F41.dll.
4. inject code into executable file on the system.
5. create registry CLSID\{C666CF63-767F-4831-94AC-E683D962C63C}.
6. set registry: .
7. open registry SOFTWARE\Microsoft\Windows\CurrentVersion.
8. create registry CLSID\{C666CF63-767F-4831-94AC-E683D962C63C}\InprocServer32.
9. set auto run for the newly dropped executable file: .
10. create registry SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C666CF63-767F-4831-94AC-E683D962C63C}.
11. set registry: Install.
12. create registry SOFTWARE\Microsoft\Internet Explorer\Main.
13. set registry: Enable Browser Extensions.
14. open registry SOFTWARE\Microsoft\Windows\CurrentVersion.
15. create a process for ProcessName=C:\Program Files\intern~1\iexplore.exe ProcessHandle=77C .
Date: 2007/7/18 Time: 9:6:55
File name: wpa.exe
FileSize: 8704
MD5: 7B3D2AF232318E1C019EB8E5F22E6231
1. query system folder: C:\WINDOWS\system32.
2. open Service Control Manager: MachineName=localhost Handle=148FC0
3. open service: ServiceName=wpa ServiceHandle=0
4. create a service wpa as Windows Product Activation.
5. start a service program: ServiceHandle=1480F0
6. create a mutex named as wpa.
7. open registry: software\microsoft\ole.
8. set registry: enabledcom to n
9. open registry: system\currentcontrolset\control\lsa.
10. set registry: restrictanonymous to 1
11. query Windows folder: .
12. open file C:\WINDOWS\debug\dcpromo.log.
13. start up a Winsock to communicate with outside.
14. query host: ypgw.wallloan.com.