http://http://www3.pic-upload.de/01.07.10/x2l43oftzbp.png
RapidShare: 1-CLICK Web hosting - Easy Filehosting (http://rapidshare.com/files/404173841/Ken_s_PhishingPageProducer.rar.html)
Für Leute die sich nicht auskennen: Vorsichtig könnte ein Virus sein.
Vielleicht kann mal ein erfahrener Nutzer einen VT Bericht posten.
GrafZeppelin
19.07.2010, 07:08
___ __ _
+ /- / | ____ __ __/ /_ (_)____ -\ +
/s h- / /| | / __ \/ / / / __ \/ / ___/ -h s\
oh-:d/ / ___ |/ / / / /_/ / /_/ / (__ ) /d:-ho
shh+hy- /_/ |_/_/ /_/\__,_/_.___/_/____/ -yh+hhs
-:+hhdhyys/- -\syyhdhh+:-
-//////dhhhhhddhhyss- Analysis Report -ssyhhddhhhhhd\\\\\\-
/++/////oydddddhhyys/ ooooooooooooooooooooo \syyhhdddddyo\\\\\++\
-+++///////odh/- -+hdo\\\\\\\+++-
+++++++++//yy+/: :\+yy\\+++++++++
/+soss+sys//yyo/os++o+: :+o++so\oyy\\sys+ssos+\
+oyyyys++o/+yss/+/oyyyy: :yyyyo\+\ssy+\o++syyyyo+
+oyyyyyyso+os/o/+yyyyyy/ \yyyyyy+\o\so+osyyyyyyo+
[################################################## ###########################]
Analysis Report for Ken's PhishingPageProducer.exe
MD5: 26cbbb47627468fa28a3fbdedf6a94ff
[################################################## ###########################]
Summary:
- Performs Registry Activities:
The executable reads and modifies registry values. It also creates and
monitors registry keys.
[================================================== ===========================]
Table of Contents
[================================================== ===========================]
- General information
- Ken's Phis.exe
a) Registry Activities
b) File Activities
c) Windows Service Activities
[################################################## ###########################]
1. General Information
[################################################## ###########################]
[================================================== ===========================]
Information about Anubis' invocation
[================================================== ===========================]
Time needed: 240 s
Report created: 07/19/10, 05:59:57 UTC
Termination reason: Timeout
Program version: 1.74.3016
[################################################## ###########################]
2. Ken's Phis.exe
[################################################## ###########################]
[================================================== ===========================]
General information about this executable
[================================================== ===========================]
Analysis Reason: Primary Analysis Subject
Filename: Ken's Phis.exe
MD5: 26cbbb47627468fa28a3fbdedf6a94ff
SHA-1: ebde63103daf0f6a21b2c0cae45f7bba1d25a4a2
File Size: 2646016 Bytes
Command Line: "C:\Ken's Phis.exe"
Process-status
at analysis end: alive
Exit Code: 0
[================================================== ===========================]
Load-time Dlls
[================================================== ===========================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\MSVBVM60.DLL ],
Base Address: [0x73420000 ], Size: [0x00153000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ],
Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\ole32.dll ],
Base Address: [0x774E0000 ], Size: [0x0013D000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ],
Base Address: [0x77120000 ], Size: [0x0008B000 ]
[================================================== ===========================]
Run-time Dlls
[================================================== ===========================]
Module Name: [ C:\WINDOWS\system32\comctl32.dll ],
Base Address: [0x5D090000 ], Size: [0x0009A000 ]
Module Name: [ C:\WINDOWS\system32\wshom.ocx ],
Base Address: [0x60280000 ], Size: [0x00021000 ]
Module Name: [ C:\WINDOWS\system32\MPR.dll ],
Base Address: [0x71B20000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\system32\ScrRun.dll ],
Base Address: [0x735A0000 ], Size: [0x0002A000 ]
Module Name: [ C:\WINDOWS\system32\MSCTF.dll ],
Base Address: [0x74720000 ], Size: [0x0004C000 ]
Module Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ],
Base Address: [0x76FD0000 ], Size: [0x0007F000 ]
Module Name: [ C:\WINDOWS\system32\COMRes.dll ],
Base Address: [0x77050000 ], Size: [0x000C5000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ],
Base Address: [0x773D0000 ], Size: [0x00103000 ]
Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
Base Address: [0x77C00000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\system32\SHELL32.dll ],
Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
Module Name: [ C:\WINDOWS\system32\SXS.DLL ],
Base Address: [0x7E720000 ], Size: [0x000B0000 ]
[================================================== ===========================]
2.a) Ken's Phis.exe - Registry Activities
[================================================== ===========================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\INPROCSERVER32 ],
Value Name: [ ], Value: [ C:\WINDOWS\system32\wshom.ocx ], 1 time
Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\INPROCSERVER32 ],
Value Name: [ ThreadingModel ], Value: [ Apartment ], 1 time
Key: [ HKLM\SOFTWARE\CLASSES\TYPELIB\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0\WIN32 ],
Value Name: [ ], Value: [ C:\WINDOWS\system32\wshom.ocx ], 1 time
Key: [ HKLM\SOFTWARE\CLASSES\WSCRIPT.SHELL\CLSID ],
Value Name: [ ], Value: [ {72C24DD5-D70A-438B-8A42-98424B88AFB8} ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ],
Value Name: [ CUAS ], Value: [ 0 ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\Cryptography ],
Value Name: [ MachineGuid ], Value: [ 4604e8cc-5b9c-4ffb-a374-a62e6d0494fc ], 4 times
Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion ],
Value Name: [ ProductId ], Value: [ 76487-640-1457236-23837 ], 4 times
Key: [ HKLM\SYSTEM\ControlSet001\Services\Disk\Enum ],
Value Name: [ 0 ], Value: [ IDE\DiskQEMU_HARDDISK___________________________0. 9.1___\4d51303030302031202020202020202020202020 ], 6 times
Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ],
Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
Key: [ HKLM\SYSTEM\Setup ],
Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\COM3 ],
Value Name: [ Com+Enabled ], Value: [ 1 ], 2 times
Key: [ HKLM\Software\Microsoft\COM3 ],
Value Name: [ REGDBVersion ], Value: [ 0x0700000000000000 ], 5 times
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\Cod eIdentifiers ],
Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Nls\Codepage ],
Value Name: [ 932 ], Value: [ c_932.nls ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Nls\Codepage ],
Value Name: [ 936 ], Value: [ c_936.nls ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Nls\Codepage ],
Value Name: [ 949 ], Value: [ c_949.nls ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Nls\Codepage ],
Value Name: [ 950 ], Value: [ c_950.nls ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ],
Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ],
Value Name: [ Language Hotkey ], Value: [ 1 ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ],
Value Name: [ Layout Hotkey ], Value: [ 2 ], 2 times
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Monitored Registry Keys:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\Software\Classes ],
Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 3 times
Key: [ HKLM\Software\Classes\CLSID ],
Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 2 times
Key: [ HKLM\Software\Microsoft\COM3 ],
Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 6 times
Key: [ HKLM\system\CurrentControlSet\control\NetworkProvi der\HwOrder ],
Watch subtree: [ 0 ], Notify Filter: [ Value Change ], 1 time
Key: [ HKU ],
Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 3 times
[================================================== ===========================]
2.b) Ken's Phis.exe - File Activities
[================================================== ===========================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF2AD4.tmp ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\Ken's Phis.exe ]
File Name: [ C:\WINDOWS\Registration\R000000000007.clb ]
File Name: [ C:\WINDOWS\system32\wshom.ocx ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 8 times
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
File Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ]
File Name: [ C:\WINDOWS\system32\COMRes.dll ]
File Name: [ C:\WINDOWS\system32\MSCTF.dll ]
File Name: [ C:\WINDOWS\system32\MSVBVM60.DLL ]
File Name: [ C:\WINDOWS\system32\SHELL32.dll ]
File Name: [ C:\WINDOWS\system32\SXS.DLL ]
File Name: [ C:\WINDOWS\system32\ScrRun.dll ]
File Name: [ C:\WINDOWS\system32\comctl32.dll ]
File Name: [ C:\WINDOWS\system32\imm32.dll ]
File Name: [ C:\WINDOWS\system32\rpcss.dll ]
File Name: [ C:\WINDOWS\system32\wshom.ocx ]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF2AD4.tmp ]
[================================================== ===========================]
2.c) Ken's Phis.exe - Windows Service Activities
[================================================== ===========================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Services Changed:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Service: [ SharedAccess ], Control Code: [ SERVICE_CONTROL_STOP ]
[################################################## ###########################]
International Secure Systems Lab
http://www.iseclab.org
Vienna University of Technology Eurecom France UC Santa Barbara
http://www.tuwien.ac.at http://www.eurecom.fr http://www.cs.ucsb.edu
Contact: anubis@iseclab.org
Anubis: Analyzing Unknown Binaries (http://anubis.iseclab.org)
http://virusscan.jotti.org/de/scanresult/30cb8f164029b10ec2d0677322abee38b1a66492
Kitti321
19.07.2010, 08:18
ist schon das 2. prog das du kommentarlos reinstellst terrox. (http://free-hack.com/sonstige/60272-win7-activator.html#post486688)
auf FH spreaden ist das letzte, wenn dus nicht tust sry, aber du benimmst dich doch seeehr verdächtig...
Wollte es auf VM-Ware testen, es lässt sich aber unter einer VM Ware nicht öffnen, kommt eine Fehlermeldung.
Ich würd's lassen das DIng zu laden.
MfG
GrafZeppelin
19.07.2010, 09:31
ist schon das 2. prog das du kommentarlos reinstellst terrox. (http://free-hack.com/sonstige/60272-win7-activator.html#post486688)
auf FH spreaden ist das letzte, wenn dus nicht tust sry, aber du benimmst dich doch seeehr verdächtig...
Teste es sniff es mach sonstwas anstatt ins blaue zu schießen!
Powered by vBulletin® Copyright ©2024 Adduco Digital e.K. und vBulletin Solutions, Inc. Alle Rechte vorbehalten.