  1. #1
    Silent Reader

  2. #2
    DateMake Dialer


    For people who don't know what they're doing: careful, this could be a virus.

    Maybe an experienced user can post a VT report.
    Tut is in the trash -BB

  3. #3
    Tsutomu Shimomura


        Analysis Report for Ken's PhishingPageProducer.exe
                       MD5: 26cbbb47627468fa28a3fbdedf6a94ff
        - Performs Registry Activities:
            The executable reads and modifies registry values. It also creates and
            monitors registry keys.
        Table of Contents
    - General information
    - Ken's Phis.exe
      a) Registry Activities
      b) File Activities
      c) Windows Service Activities
        1. General Information
        Information about Anubis' invocation
            Time needed:        240 s
            Report created:     07/19/10, 05:59:57 UTC
            Termination reason: Timeout
            Program version:    1.74.3016
        2. Ken's Phis.exe
        General information about this executable
            Analysis Reason: Primary Analysis Subject
            Filename:        Ken's Phis.exe
            MD5:             26cbbb47627468fa28a3fbdedf6a94ff
            SHA-1:           ebde63103daf0f6a21b2c0cae45f7bba1d25a4a2
            File Size:       2646016 Bytes
            Command Line:    "C:\Ken's Phis.exe" 
            at analysis end: alive
            Exit Code:       0
        Load-time Dlls
            Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
                   Base Address: [0x7C900000 ], Size: [0x000AF000 ]
            Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
                   Base Address: [0x7C800000 ], Size: [0x000F6000 ]
            Module Name: [ C:\WINDOWS\system32\MSVBVM60.DLL ],
                   Base Address: [0x73420000 ], Size: [0x00153000 ]
            Module Name: [ C:\WINDOWS\system32\USER32.dll ],
                   Base Address: [0x7E410000 ], Size: [0x00091000 ]
            Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
                   Base Address: [0x77F10000 ], Size: [0x00049000 ]
            Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
                   Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
            Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
                   Base Address: [0x77E70000 ], Size: [0x00092000 ]
            Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
                   Base Address: [0x77FE0000 ], Size: [0x00011000 ]
            Module Name: [ C:\WINDOWS\system32\ole32.dll ],
                   Base Address: [0x774E0000 ], Size: [0x0013D000 ]
            Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
                   Base Address: [0x77C10000 ], Size: [0x00058000 ]
            Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ],
                   Base Address: [0x77120000 ], Size: [0x0008B000 ]
        Run-time Dlls
            Module Name: [ C:\WINDOWS\system32\comctl32.dll ],
                   Base Address: [0x5D090000 ], Size: [0x0009A000 ]
            Module Name: [ C:\WINDOWS\system32\wshom.ocx ],
                   Base Address: [0x60280000 ], Size: [0x00021000 ]
            Module Name: [ C:\WINDOWS\system32\MPR.dll ],
                   Base Address: [0x71B20000 ], Size: [0x00012000 ]
            Module Name: [ C:\WINDOWS\system32\ScrRun.dll ],
                   Base Address: [0x735A0000 ], Size: [0x0002A000 ]
            Module Name: [ C:\WINDOWS\system32\MSCTF.dll ],
                   Base Address: [0x74720000 ], Size: [0x0004C000 ]
            Module Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ],
                   Base Address: [0x76FD0000 ], Size: [0x0007F000 ]
            Module Name: [ C:\WINDOWS\system32\COMRes.dll ],
                   Base Address: [0x77050000 ], Size: [0x000C5000 ]
            Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ],
                   Base Address: [0x773D0000 ], Size: [0x00103000 ]
            Module Name: [ C:\WINDOWS\system32\VERSION.dll ],
                   Base Address: [0x77C00000 ], Size: [0x00008000 ]
            Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],
                   Base Address: [0x77F60000 ], Size: [0x00076000 ]
            Module Name: [ C:\WINDOWS\system32\SHELL32.dll ],
                   Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
            Module Name: [ C:\WINDOWS\system32\SXS.DLL ],
                   Base Address: [0x7E720000 ], Size: [0x000B0000 ]
        2.a) Ken's Phis.exe - Registry Activities
        Registry Values Read:
            Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\INPROCSERVER32 ], 
                 Value Name: [  ], Value: [ C:\WINDOWS\system32\wshom.ocx ], 1 time
            Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\INPROCSERVER32 ], 
                 Value Name: [ ThreadingModel ], Value: [ Apartment ], 1 time
            Key: [ HKLM\SOFTWARE\CLASSES\TYPELIB\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0\WIN32 ], 
                 Value Name: [  ], Value: [ C:\WINDOWS\system32\wshom.ocx ], 1 time
                 Value Name: [  ], Value: [ {72C24DD5-D70A-438B-8A42-98424B88AFB8} ], 1 time
            Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ], 
                 Value Name: [ CUAS ], Value: [ 0 ], 1 time
            Key: [ HKLM\SOFTWARE\Microsoft\Cryptography ], 
                 Value Name: [ MachineGuid ], Value: [ 4604e8cc-5b9c-4ffb-a374-a62e6d0494fc ], 4 times
            Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion ], 
                 Value Name: [ ProductId ], Value: [ 76487-640-1457236-23837 ], 4 times
            Key: [ HKLM\SYSTEM\ControlSet001\Services\Disk\Enum ], 
                 Value Name: [ 0 ], Value: [ IDE\DiskQEMU_HARDDISK___________________________0.9.1___\4d51303030302031202020202020202020202020 ], 6 times
            Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], 
                 Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
            Key: [ HKLM\SYSTEM\Setup ], 
                 Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
            Key: [ HKLM\Software\Microsoft\COM3 ], 
                 Value Name: [ Com+Enabled ], Value: [ 1 ], 2 times
            Key: [ HKLM\Software\Microsoft\COM3 ], 
                 Value Name: [ REGDBVersion ], Value: [ 0x0700000000000000 ], 5 times
            Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], 
                 Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time
            Key: [ HKLM\System\CurrentControlSet\Control\Nls\Codepage ], 
                 Value Name: [ 932 ], Value: [ c_932.nls ], 1 time
            Key: [ HKLM\System\CurrentControlSet\Control\Nls\Codepage ], 
                 Value Name: [ 936 ], Value: [ c_936.nls ], 1 time
            Key: [ HKLM\System\CurrentControlSet\Control\Nls\Codepage ], 
                 Value Name: [ 949 ], Value: [ c_949.nls ], 1 time
            Key: [ HKLM\System\CurrentControlSet\Control\Nls\Codepage ], 
                 Value Name: [ 950 ], Value: [ c_950.nls ], 1 time
            Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], 
                 Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time
            Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], 
                 Value Name: [ Language Hotkey ], Value: [ 1 ], 2 times
            Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], 
                 Value Name: [ Layout Hotkey ], Value: [ 2 ], 2 times
        Monitored Registry Keys:
            Key: [ HKLM\Software\Classes ], 
                 Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 3 times
            Key: [ HKLM\Software\Classes\CLSID ], 
                 Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 2 times
            Key: [ HKLM\Software\Microsoft\COM3 ], 
                 Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 6 times
            Key: [ HKLM\system\CurrentControlSet\control\NetworkProvider\HwOrder ], 
                 Watch subtree: [ 0 ], Notify Filter: [ Value Change ], 1 time
            Key: [ HKU ], 
                 Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 3 times
        2.b) Ken's Phis.exe - File Activities
        Files Created:
            File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF2AD4.tmp ]
        Files Read:
            File Name: [ C:\Ken's Phis.exe ]
            File Name: [ C:\WINDOWS\Registration\R000000000007.clb ]
            File Name: [ C:\WINDOWS\system32\wshom.ocx ]
        Device Control Communication:
            File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 8 times
        Memory Mapped Files:
            File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
            File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
            File Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ]
            File Name: [ C:\WINDOWS\system32\COMRes.dll ]
            File Name: [ C:\WINDOWS\system32\MSCTF.dll ]
            File Name: [ C:\WINDOWS\system32\MSVBVM60.DLL ]
            File Name: [ C:\WINDOWS\system32\SHELL32.dll ]
            File Name: [ C:\WINDOWS\system32\SXS.DLL ]
            File Name: [ C:\WINDOWS\system32\ScrRun.dll ]
            File Name: [ C:\WINDOWS\system32\comctl32.dll ]
            File Name: [ C:\WINDOWS\system32\imm32.dll ]
            File Name: [ C:\WINDOWS\system32\rpcss.dll ]
            File Name: [ C:\WINDOWS\system32\wshom.ocx ]
            File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF2AD4.tmp ]
        2.c) Ken's Phis.exe - Windows Service Activities
        Services Changed:
            Service: [ SharedAccess ], Control Code: [ SERVICE_CONTROL_STOP ]
        International Secure Systems Lab
        Vienna University of Technology / Eurecom France / UC Santa Barbara
        Anubis: Analyzing Unknown Binaries
    Last edited by GrafZeppelin (19.07.2010 at 07:13)
    Support for wardriving, WLAN hacking, Backtrack 3 and beginner questions! Please no questions about RATs/trojans.

    And woe betide the next dimwit who messages me without even reading the answer because he's too lazy to educate himself!

  4. #4
    Advanced, Kitti321


    That's already the 2nd program you've posted without any comment, terrox. (
    Spreading on FH is the lowest; if you're not doing that, sorry, but you're behaving veeery suspiciously...
    My modest knowledge
    [S] Free FUD crypter

  5. #5
    Alea Iacta Est, Ezi0


    Wanted to test it on VMware, but it won't open under VMware; you get an error message.

    I'd leave that thing alone and not download it.


  6. #6
    Tsutomu Shimomura


    Quote from Kitti321:
        That's already the 2nd program you've posted without any comment, terrox. (
        Spreading on FH is the lowest; if you're not doing that, sorry, but you're behaving veeery suspiciously...

    Test it, sniff it, do whatever you like instead of shooting in the dark!


