Example of a Zeus malware analysis report prepared by Cisco AMP Threat Grid
Analysis Report
ID 79ec746ef572388896c1485e1b70146f
OS 2600.xpsp.080413-2111
Started 8/7/14 15:53:09
Ended 8/7/14 15:59:27
Duration 0:06:18
Sandbox plague (pilot-d)
Filename 0553733405.exe
Magic Type PE32 executable (GUI) Intel 80386, for MS Windows
Analyzed As exe
SHA256 d9d42df15fad8c80da9102c80c14c2913ccf7ce7e454e8d54a4decd823fc98af
SHA1 d1c9100913bedab19cc127a3cd427b678ac46192
MD5 bdcd4ff82d6894156b945c96ac45b9ec
Warnings
Executable Failed Integrity Check
Behavioral Indicators
Severity  Confidence  Indicator
100       100         Possible ZeuS Variant Detected
95        95          Process Modified an Executable File
90        100         Netsh.exe Used to Disable Windows Firewall
90        100         Netsh.exe Used to Alter Windows Firewall
80        60          Process Modified Autorun Registry Key Value
80        95          Downloaded PE Executable
75        75          Outbound HTTP GET Request
70        80          Process Modified File in a User Directory
60        70          Potential Sandbox Detection - Enumeration of ProductID
50        50          Potential Code Injection Detected
50        80          Command Exe File Execution Detected
40        60          PE Has Sections Marked Executable and Writable
40        60          PE Has Sections Marked Shareable
35        50          Possible Double Flux Nameserver Detected [Beta]
35        20          Possible Fast Flux Domain Detected [Beta]
30        30          Executable with Encrypted Sections
25        25          Outbound Communications to Nginx Web Server
25        60          PE Resource Indicates Chinese Origin
25        25          Outbound HTTP POST Communications
20        60          Process Enumerated Running Processes Using Tasklist Utility
20        60          Process Enumerates TCP/IP Network Configuration
HTTP Traffic
Stream: 4 Transaction: 0
POST http://gokspflol.com:80/LKj839htgHBO/file.php
Server IP: 91.196.54.104
Server Port: 80
Resp. Content: application/octet-stream
Timestamp: +117.032s
Stream: 5 Transaction: 0
POST http://gokspflol.com:80/LKj839htgHBO/file.php
Server IP: 91.196.54.104
Server Port: 80
Resp. Content: application/octet-stream
Timestamp: +117.118s
Stream: 6 Transaction: 0
POST http://gokspflol.com:80/LKj839htgHBO/file.php
Server IP: 91.196.54.104
Server Port: 80
Resp. Content: application/octet-stream
Timestamp: +121.251s
Stream: 7 Transaction: 0
GET http://www.google.com:80/webhp
Server IP: 173.194.46.113
Server Port: 80
Resp. Content: text/html
Timestamp: +140.784s
Stream: 8 Transaction: 0
POST http://gokspflol.com:80/LKj839htgHBO/gate.php
Server IP: 91.196.54.104
Server Port: 80
Resp. Content: application/octet-stream
Timestamp: +142.047s
Stream: 9 Transaction: 0
POST http://gokspflol.com:80/LKj839htgHBO/files/config.dll
Server IP: 91.196.54.104
Server Port: 80
Resp. Content: application/octet-stream
Timestamp: +142.813s
Stream: 10 Transaction: 0
POST http://gokspflol.com:80/LKj839htgHBO/file.php
Server IP: 91.196.54.104
Server Port: 80
Resp. Content: application/x-dosexec
Timestamp: +143.1s
Stream: 11 Transaction: 0
POST http://gokspflol.com:80/LKj839htgHBO/gate.php
Server IP: 91.196.54.104
Server Port: 80
Resp. Content: application/octet-stream
Timestamp: +146.421s
DNS Traffic
Stream: 2 Query: 1648
Query Type: A, Query Data: www.google.com
TTL: -
Timestamp: +139.847s
Stream: 2 Query: 61567
Query Type: A, Query Data: gokspflol.com
TTL: 150
Timestamp: +116.48s
Stream: 3 Query: 60263
Query Type: A, Query Data: gokspflol.com
TTL: 150
Timestamp: +116.483s
TCP/IP Streams
Network Stream: 0
Src. IP 172.16.1.1
Src. Port
Dest. IP 172.16.138.194
Dest. Port
Transport ICMP
Artifacts 0
Packets 2
Bytes 96
Timestamp +35.858s
Network Stream: 1
Src. IP 172.16.138.194
Src. Port
Dest. IP 224.0.0.22
Dest. Port
Transport IGMP
Artifacts 0
Packets 2
Bytes 80
Timestamp +37.976s
Network Stream: 2 (DNS)
Src. IP 172.16.138.194
Src. Port 1061
Dest. IP 172.16.1.1
Dest. Port 53
Transport UDP
Artifacts 0
Packets 4
Bytes 858
Timestamp +116.48s
Network Stream: 3 (DNS)
Src. IP 172.16.138.194
Src. Port 1062
Dest. IP 172.16.1.1
Dest. Port 53
Transport UDP
Artifacts 0
Packets 2
Bytes 586
Timestamp +116.483s
Network Stream: 4 (HTTP)
Src. IP 172.16.138.194
Src. Port 1063
Dest. IP 91.196.54.104
Dest. Port 80
Transport TCP
Artifacts 1
Packets 164
Bytes 185283
Timestamp +116.906s
Network Stream: 5 (HTTP)
Src. IP 172.16.138.194
Src. Port 1064
Dest. IP 91.196.54.104
Dest. Port 80
Transport TCP
Artifacts 1
Packets 15
Bytes 7134
Timestamp +117.034s
Network Stream: 6 (HTTP)
Src. IP 172.16.138.194
Src. Port 1065
Dest. IP 91.196.54.104
Dest. Port 80
Transport TCP
Artifacts 1
Packets 199
Bytes 230209
Timestamp +121.132s
Network Stream: 7 (HTTP)
Src. IP 172.16.138.194
Src. Port 1066
Parent: 1988
Dest. IP 173.194.46.113
Dest. Port 80
Transport TCP
Artifacts 1
Packets 38
Bytes 33625
Timestamp +140.725s
Network Stream: 8 (HTTP)
Src. IP 172.16.138.194
Src. Port 1067
Dest. IP 91.196.54.104
Dest. Port 80
Transport TCP
Artifacts 1
Packets 10
Bytes 1419
Timestamp +141.927s
Network Stream: 9 (HTTP)
Src. IP 172.16.138.194
Src. Port 1068
Dest. IP 91.196.54.104
Dest. Port 80
Transport TCP
Artifacts 1
Packets 15
Bytes 7095
Timestamp +142.675s
Network Stream: 10 (HTTP)
Src. IP 172.16.138.194
Src. Port 1069
Dest. IP 91.196.54.104
Dest. Port 80
Transport TCP
Artifacts 1
Packets 260
Bytes 295007
Timestamp +142.985s
Network Stream: 11 (HTTP)
Src. IP 172.16.138.194
Src. Port 1070
Dest. IP 91.196.54.104
Dest. Port 80
Transport TCP
Artifacts 1
Packets 10
Bytes 1214
Timestamp +146.299s
Processes
Name: 0553733405.exe
Parent: 1824
Parent: 1988
Parent: 184
Parent: 184
PID: 160
Children: 0
File Actions: 3
Registry Actions: 1
Analysis Reason: Is target sample.
Name: 0553733405.exe
PID: 184
Children: 2
File Actions: 3
Registry Actions: 3
Analysis Reason: Parent is being analyzed
Name: mien.exe
PID: 488
Children: 0
File Actions: 3
Registry Actions: 0
Analysis Reason: Parent is being analyzed
Name: cmd.exe
PID: 1824
Children: 1
File Actions: 3
Registry Actions: 3
Analysis Reason: Parent is being analyzed
Name: mien.exe
PID: 1988
Children: 2
File Actions: 3
Registry Actions: 1
Analysis Reason: Parent is being analyzed
Name: hostname.exe
PID: 220
Children: 0
File Actions: 3
Registry Actions: 7
Analysis Reason: Process activity after target sample started.
Name: tasklist.exe
PID: 392
Children: 0
File Actions: 3
Registry Actions: 0
Analysis Reason: Process activity after target sample started.
Name: tmp650921d2.exe
PID: 396
Children: 0
File Actions: 3
Registry Actions: 7
Analysis Reason: Process activity after target sample started.
Name: ipconfig.exe
PID: 408
Children: 0
File Actions: 3
Registry Actions: 0
Analysis Reason: Process activity after target sample started.
Name: winlogon.exe
PID: 428
Children: 0
File Actions: 3
Registry Actions: 0
Analysis Reason: Process activity after target sample started.
Name: lsass.exe
PID: 484
Children: 0
File Actions: 3
Registry Actions: 0
Analysis Reason: Process activity after target sample started.
Name: svchost.exe
PID: 652
Children: 0
File Actions: 3
Registry Actions: 0
Analysis Reason: Process activity after target sample started.
Name: svchost.exe
PID: 796
Children: 0
File Actions: 3
Registry Actions: 1
Analysis Reason: Process activity after target sample started.
Name: svchost.exe
PID: 844
Children: 0
File Actions: 3
Registry Actions: 0
Analysis Reason: Process activity after target sample started.
Name: netsh.exe
PID: 1000
Children: 0
File Actions: 3
Registry Actions: 0
Analysis Reason: Process activity after target sample started.
Name: wmiprvse.exe
PID: 1112
Children: 0
File Actions: 3
Registry Actions: 0
Analysis Reason: Process activity after target sample started.
Name: Explorer.EXE
PID: 1148
Children: 0
File Actions: 3
Registry Actions: 7
Analysis Reason: Process activity after target sample started.
Modified by: 184 (0553733405.exe)
Read by: 160 (0553733405.exe)
Created by: 184 (0553733405.exe)
Name: cmd.exe
PID: 1156
Children: 0
File Actions: 3
Registry Actions: 0
Analysis Reason: Process activity after target sample started.
Name: cmd.exe
PID: 1208
Children: 0
File Actions: 3
Registry Actions: 7
Analysis Reason: Process activity after target sample started.
Name: tmp650921d2.exe
PID: 1708
Children: 0
File Actions: 3
Registry Actions: 0
Analysis Reason: Process activity after target sample started.
Artifacts
Artifact 1: 0553733405.exe
Src: submitted
Imports: 191
Type: EXE - PE32 executable (GUI) Intel 80386, for MS...
SHA256: d9d42df15fad8c80da9102c80c14c2913ccf7ce7e454e8d54a4decd823fc98af
Size: 308224
Exports: 0
AV Sigs: 0
MD5: bdcd4ff82d6894156b945c96ac45b9ec
Artifact 2: Documents and Settings\Administrator\...n Data\Uwhy\mien.exe
Src: disk
Imports: 191
Type: EXE - PE32 executable (GUI) Intel 80386, for MS...
SHA256: f3cdb190eba04f63dd72e1e5772603d38088a9ea1ea6701f0b604fc9fd95c30a
Size: 308224
Exports: 0
AV Sigs: 0
MD5: 7fea12b40bcaceb9347ad426c3cdb461
Artifact 3: temp0553733405.exe
Src: disk
Imports: 191
Type: EXE - PE32 executable (GUI) Intel 80386, for MS...
SHA256: d9d42df15fad8c80da9102c80c14c2913ccf7ce7e454e8d54a4decd823fc98af
Size: 308224
Exports: 0
AV Sigs: 0
MD5: bdcd4ff82d6894156b945c96ac45b9ec
Artifact 4: Documents and SettingsAdministrator...ataLeymtyodsyo.epd
Read by: 1156 (cmd.exe)
Src: disk
Imports: 0
Type: data
SHA256: 3f10dc24fe2715dc4f69ac3af223bf28375eb1ceb16b569c71f61585eee1bd63
Size: 399066
Exports: 0
AV Sigs: 0
MD5: c867627b458c957c419586313a377e6f
Artifact 5: WINDOWS\Prefetch\CMD.EXE-087B4001.pf
Src: disk
Imports: 0
Type: data
SHA256: e1807396fbc6f84bcdbe6659293c241048cf13a8c2a72fa8386577edfce523ae
Size: 12932
Exports: 0
AV Sigs: 0
MD5: b371d56172afc6376ed13c29e7c95663
Artifact 6: Documents and SettingsAdministrator...DataElmoyelinw.eco
Src: disk
Imports: 0
Type: data
SHA256: 91dd2f7b3eb6701b35ea3a7148408bbb64c2ef2fcd7322e84bc25e5137d6de0e
Size: 9433
Exports: 0
AV Sigs: 0
MD5: 0da6e692cbee5c0a575d572c344ee841
Artifact 7: Documents and Settings\Administrator\...ok\Administrator.wab
Src: disk
Imports: 0
Type: data
SHA256: e24fa116b9f460dc55131a7772cd194188032e55dee0c874dcb4e62c5e0ef23c
Size: 176594
Exports: 0
AV Sigs: 0
MD5: c62276113d0468f8215b5bfcad810066
Artifact 8: Documents and Settings\Administrator\...k\Administrator.wab~
Src: disk
Imports: 0
Type: data
SHA256: e24fa116b9f460dc55131a7772cd194188032e55dee0c874dcb4e62c5e0ef23c
Size: 176594
Exports: 0
AV Sigs: 0
MD5: c62276113d0468f8215b5bfcad810066
Artifact 9: Documents and SettingsAdministrator...trator@google[2].txt
Src: disk
Imports: 0
Type: ASCII text
SHA256: 9ba6b1fdc0c16ac09caa6b5cda53781d4245e800ad478dec7bdc17be74f47d5f
Size: 327
Exports: 0
AV Sigs: 0
MD5: 5b07bec122cef3be03daa7d4b2bbdffd
Artifact 10: Documents and Settings\Administrator\Cookies\index.dat
Src: disk
Imports: 0
Type: Internet Explorer cache file version Ver 5.2
SHA256: 3f1e063b094727983567dc59200368c2730fd8cf6d71d43a8ab3348a78d38de2
Size: 32768
Exports: 0
AV Sigs: 0
MD5: fc4fff9fbb16be51485f2affe83b2b82
Artifact 11: Documents and Settings\Administrator\... Express\Folders.dbx
Src: disk
Imports: 0
Type: MS Outlook Express DBX file, folder database
SHA256: 722d676dc803351cb2ab4a3b4d2f96d9c8d36d4748d93d88f0570f16c4b1f2ff
Size: 75204
Exports: 0
AV Sigs: 0
MD5: c0a6b920be7cc9deed14c88ccd6fc84a
Artifact 12: Documents and Settings\Administrator\...ok Express\Inbox.dbx
Src: disk
Imports: 0
Type: MS Outlook Express DBX file, message database
SHA256: 0a794011f2f9274053eae42ab94be4c8e7ab42977ac188bae474ee3810158a9d
Size: 142036
Exports: 0
AV Sigs: 0
MD5: a5be91c1b79359f28ef1793f88748e93
Artifact 13: Documents and Settings\Administrator\... Express\Offline.dbx
Src: disk
Imports: 0
Type: MS Outlook Express DBX file, offline database
SHA256: 14ff7ea3f7634352d7e787a69b997d6694ac1f8270db51ad077b24efeffbfa11
Size: 9656
Exports: 0
AV Sigs: 0
MD5: c78f0742eae95fcf92f7f1c6009d9341
Artifact 14: Documents and Settings\Administrator\...press\Sent Items.dbx
Src: disk
Imports: 0
Type: MS Outlook Express DBX file, message database
SHA256: 37b9f67bd4301ecf6f56cbdaf697131c20441c3514f67f09510a2e700872a0ff
Size: 76500
Exports: 0
AV Sigs: 0
MD5: 5c9871500ef4f120d08456c18e04bb8c
Artifact 15: Documents and Settings\Administrator\...l Settings\Temp:$I30
Src: disk
Imports: 0
Type: data
SHA256: aae89fc0f03e2959ae4d701a80cc3915918c950b159f6abb6c92c1433b1a8534
Size: 8
Exports: 0
AV Sigs: 0
MD5: f5be5308b59e045b7c5b33ee8908cfb7
Artifact 16: Documents and Settings\Administrator\...Temp\tmp49402139.bat
Src: disk
Imports: 0
Type: JS - JavaScript
SHA256: ab992adf7190584b310ccdc873a2d1bab142d31d176607537479b492fa63a518
Size: 148
Exports: 0
AV Sigs: 0
MD5: eab7ff00f0672cbb464a3559959abb2f
Artifact 17: WINDOWS\Prefetch\0553733405.EXE-29BD3105.pf
Src: disk
Imports: 0
Type: data
SHA256: 20880208ebe53e348d89929f1c8f0bf6a892b114f217b13ac495ddd23cd29942
Size: 14902
Exports: 0
AV Sigs: 0
MD5: ab1983cb947518905a3b65667e3d8cff
Artifact 18: WINDOWS\Prefetch\RUNDLL32.EXE-1BC69D2D.pf
Src: disk
Imports: 0
Type: data
SHA256: 096c5f681ef43e46e678ac54e9f17af48dd7c95efa2cf1a1ebba5b2047daf93a
Size: 21148
Exports: 0
AV Sigs: 0
MD5: 85e017caddc84913038e28330f37658a
Artifact 19: WINDOWS\Prefetch\RUNDLL32.EXE-451FC2C0.pf
Src: disk
Imports: 0
Type: data
SHA256: e3fe1ba179dd050bd194ca69c30ee0ec7db082dfcc06c7f9dd26d6561840e337
Size: 12602
Exports: 0
AV Sigs: 0
MD5: e351d3a15519644e3c7decd1ba1dc8e9
Artifact 20: WINDOWS\Prefetch\TASKLIST.EXE-10D94B23.pf
Src: disk
Imports: 0
Type: data
SHA256: 4f622d4a580f4bee5811d66d28179c338a4cc1f6bf38a5e9675680df729ec0a5
Size: 24914
Exports: 0
AV Sigs: 0
MD5: 6faf841a8494759936bb136c118abfb0
Artifact 21: WINDOWS\Prefetch\TMP650921D2.EXE-29C2F8AE.pf
Src: disk
Imports: 0
Type: data
SHA256: 936b6a21ddeaa25e2055f9d300944b49c5546f65df08a8cb42a74f46d0584b43
Size: 22678
Exports: 0
AV Sigs: 0
MD5: f67dd18afb660a7134bae1a72655b2f7
Artifact 22: WINDOWS\Prefetch\NETSH.EXE-085CFFDE.pf
Src: disk
Imports: 0
Type: data
SHA256: c4f069507f3553306c0acd8227e105e0f9799a527fbe20da390fb2f7c4b34a6d
Size: 41782
Exports: 0
AV Sigs: 0
MD5: bd794157750537a4c32841e76a3634af
Artifact 23: WINDOWS\Prefetch\IPCONFIG.EXE-2395F30B.pf
Src: disk
Imports: 0
Type: data
SHA256: 2122d0f18927c0f7dff9ef130282089c800d38df0dd92da48dc48bd32f041776
Size: 33780
Exports: 0
AV Sigs: 0
MD5: 421634a51df3f4c7daf944ecc11a33c9
Artifact 24: WINDOWS\Prefetch\LOGONUI.EXE-0AF22957.pf
Src: disk
Imports: 0
Type: data
SHA256: c81b9eebede296d44ba7e86aaf4f36da30808d58f76e5518193bf3720542cf29
Size: 22144
Exports: 0
AV Sigs: 0
MD5: dd7617cbd3490d5be4b622ec57113e57
Artifact 25: WINDOWS\Prefetch\MIEN.EXE-1ECD8E53.pf
Src: disk
Imports: 0
Type: data
SHA256: 422afe172f39bbb6b40a678a83ca4c2a74e7af494145e15dcd304cc22eb76ae7
Size: 14476
Exports: 0
AV Sigs: 0
MD5: 8e1210eb95e1fd8afd8f9eb07446afc6
Artifact 26: WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf
Src: disk
Imports: 0
Type: data
SHA256: 087f1f638c6b4e744aae614a0ffc065ccc22cd279f2c1392c228599a6fd2ffab
Size: 26238
Exports: 0
AV Sigs: 0
Related to: stream 4
Related to: stream 5
MD5: 2bbcc62c4ddb77eba7975ce643f378ee
Artifact 27: WINDOWS\Prefetch\WSCRIPT.EXE-32960AB9.pf
Src: disk
Imports: 0
Type: data
SHA256: 61820969cb9462c523a845cd8306e447c12f8632b0e797e99d51649edeccba2e
Size: 26330
Exports: 0
AV Sigs: 0
MD5: eb8ffc240ad0168c3947bcaef83d7c2e
Artifact 28: WINDOWS\Prefetch\DEVCON.EXE-1DF04AC9.pf
Src: disk
Imports: 0
Type: data
SHA256: e5cb5d1e5614632c6297fdf942f6999611fad875d3ccecf96c533b38c60b1bfa
Size: 36662
Exports: 0
AV Sigs: 0
MD5: a3c203c1f09879ee036faf37c963aebf
Artifact 29: WINDOWS\Prefetch\HOSTNAME.EXE-279591F3.pf
Src: disk
Imports: 0
Type: data
SHA256: 02fbbd4abe33f5773f65e1d7a1b76e59571d1790808af48c467f4dbeca5f2997
Size: 13782
Exports: 0
AV Sigs: 0
MD5: 338527a140651b1359578a24ebd45997
Artifact 30: WINDOWS\system32\config\SysEvent.Evt
Src: disk
Imports: 0
Type: data
SHA256: 70357674c317165afe935972ab3a6ca4fa509c3855dda3f3e50ce7c71a436276
Size: 65536
Exports: 0
AV Sigs: 0
MD5: abb2c0dfb26138fa0356e7c5e9ec511a
Artifact 31: file.php
Src: network
Imports: 0
Type: PDP-11 kernel overlay
SHA256: 811f4cb6bb5185fe14dd33d91f3dc0ecc3a8a29179fb27e85b8b656601c733dc
Size: 177951
Exports: 0
AV Sigs: 0
MD5: 50221717b96c6dd480d1b1468004ddb0
Artifact 32: file.php
Src: network
Imports: 0
Type: data
SHA256: 2bd8a667e145dddf2f92860d8f827bb6c6a9915cf6fa4fc6ea80443736252149
Related to: stream 6
Related to: stream 7
Related to: stream 8
Related to: stream 9
Related to: stream 10
Related to: stream 11
Size: 5776
Exports: 0
AV Sigs: 0
MD5: 4020dd60948d9576dc4f9d059ba4e5bc
Artifact 33: file.php
Src: network
Imports: 0
Type: PDP-11 kernel overlay
SHA256: c03415b3feae5a836fb01d332bc3e4501c9fc92c0f9ba265d2e49e9dd63a89b5
Size: 221471
Exports: 0
AV Sigs: 0
MD5: b2141129aa0dee1862d38d1943783bb0
Artifact 34: webhp
Src: network
Imports: 0
Type: HTML - HTML document, ASCII text, with very lon...
SHA256: 7c56b529307b217425a8e9b3d15d12f1447e75f7280a3c86437def315d243519
Size: 31040
Exports: 0
AV Sigs: 0
MD5: 30947a2072ad3352df2a581daf42c7c5
Artifact 35: gate.php
Src: network
Imports: 0
Type: data
SHA256: 4262e9dae477d9bcd9a5d949ec2e8dd8d59c89f4e66baa024b506545216fd824
Size: 141
Exports: 0
AV Sigs: 0
MD5: bdee3c995288622c106208ef5b294eb5
Artifact 36: config.dll
Src: network
Imports: 0
Type: data
SHA256: 2bd8a667e145dddf2f92860d8f827bb6c6a9915cf6fa4fc6ea80443736252149
Size: 5776
Exports: 0
AV Sigs: 0
MD5: 4020dd60948d9576dc4f9d059ba4e5bc
Artifact 37: file.php
Src: network
Imports: 135
Type: EXE - PE32 executable (GUI) Intel 80386, for MS...
SHA256: 91c3bae800c6b14d8193cdca7f33278311959246d41a0d458a0934ff6b1bde73
Size: 283851
Exports: 0
AV Sigs: 0
MD5: 9aef6af237d06556637b499ad7345a04
Artifact 38: gate.php
Src: network
Related to: 652 (svchost.exe)
Related to: 428 (winlogon.exe)
Related to: 1824 (cmd.exe)
Related to: 1148 (Explorer.EXE)
Related to: 844 (svchost.exe)
Imports: 0
Type: data
SHA256: 6c4664d381cd2a6e87c6893d13a4d75bb4559a15461e12c1b011a205d3cd51ee
Size: 64
Exports: 0
AV Sigs: 0
MD5: 92cc8391446bae9a6fef609b07a68d9d
Artifact 39: 652-svchost.exe
Src: memory
Imports: 79
Type: EXE - PE32 executable (GUI) Intel 80386, for MS...
SHA256: fb609c3d1eb1851b61bb44fc164ef008472ab72f782fa4e60a455d50d30218a7
Size: 14336
Exports: 0
AV Sigs: 0
MD5: 807f5d5522abfc807efa5739d649949c
Artifact 40: 428-winlogon.exe
Src: memory
Imports: 0
Type: EXE - PE32 executable (GUI) Intel 80386, for MS...
SHA256: 1bb5f4cfe651743eb16d980cfa95b1510e66da63bfde997bdfb8e4aa9518d549
Size: 507904
Exports: 0
AV Sigs: 0
MD5: 1f20ae415f85c144fdd2519664203fc0
Artifact 41: 1824-cmd.exe
Src: memory
Imports: 189
Type: EXE - PE32 executable (console) Intel 80386, fo...
SHA256: 566e95987e726bcf4dd5978a0d0368d05d85939f2481ee49efa0541a6e240de2
Size: 389120
Exports: 0
AV Sigs: 0
MD5: dcad668219b5e5adbe52cdf4506a9aa5
Artifact 42: 1148-Explorer.EXE
Src: memory
Imports: 500
Type: EXE - PE32 executable (GUI) Intel 80386, for MS...
SHA256: bed85aa91ebf640e127778c04db19f8c732daef46385200277a000c794635243
Size: 1033728
Exports: 0
AV Sigs: 0
MD5: c3bbb0b3ce8cdbd67451059ea2e956ab
Artifact 43: 844-svchost.exe
Src: memory
Imports: 79
Type: EXE - PE32 executable (GUI) Intel 80386, for MS...
SHA256: 32e868489cfe58845f82c411d4b775a0d400e8e2f230c2bfa5e5235172f6601f
Size: 14336
Exports: 0
AV Sigs: 0
MD5: 2ca8172407e110f5b16d596f822796dc
Related to: 796 (svchost.exe)
Files Created: 7 Files Read: 13 Files Modified: 12 Files Deleted: 0
Artifact 44: 796-svchost.exe
Src: memory
Imports: 79
Type: EXE - PE32 executable (GUI) Intel 80386, for MS...
SHA256: 9009548aad78bb3725d4eb84b96cc74dc376d54420a64e40c12100da84ed8d99
Size: 14336
Exports: 0
AV Sigs: 0
MD5: 3638f4255fa8aa729a57874fa566c088
Registry Activity
Created Keys
Modified Keys
Filesystem Activity
All information contained in this report is confidential and proprietary information belonging solely to ThreatGRID, Inc.
This document is client confidential and is intended for internal customer use only. The information contained herein is the
property of ThreatGRID and may not be copied, used or disclosed in whole or in part, stored in a retrieval system or
transmitted in any form or by any means (electronic, mechanical, reprographic, recording or otherwise) without the prior
written permission of ThreatGRID.
Generated by ThreatBRAIN
Peter Udo Diehl
 

Recently uploaded (20)

10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through Observability
 
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
 
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutes
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024
 
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John Staveley
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Introduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationIntroduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG Evaluation
 

Example of a Zeus malware analysis report produced by Cisco AMP Threat Grid

Behavioral Indicators (continued)
Process Enumerated Running Processes Using Tasklist Utility
Process Enumerates TCP/IP Network Configuration

HTTP Traffic
Stream 4, transaction 0 | POST http://gokspflol.com:80/LKj839htgHBO/file.php | Server 91.196.54.104:80 | Resp. application/octet-stream | +117.032s
Stream 5, transaction 0 | POST http://gokspflol.com:80/LKj839htgHBO/file.php | Server 91.196.54.104:80 | Resp. application/octet-stream | +117.118s
Stream 6, transaction 0 | POST http://gokspflol.com:80/LKj839htgHBO/file.php | Server 91.196.54.104:80 | Resp. application/octet-stream | +121.251s
Stream 7, transaction 0 | GET http://www.google.com:80/webhp | Server 173.194.46.113:80 | Resp. text/html | +140.784s
Stream 8, transaction 0 | POST http://gokspflol.com:80/LKj839htgHBO/gate.php | Server 91.196.54.104:80 | Resp. application/octet-stream | +142.047s
Stream 9, transaction 0 | POST http://gokspflol.com:80/LKj839htgHBO/files/config.dll | Server 91.196.54.104:80 | Resp. application/octet-stream | +142.813s
Stream 10, transaction 0 | POST http://gokspflol.com:80/LKj839htgHBO/file.php | Server 91.196.54.104:80 | Resp. application/x-dosexec | +143.1s
Stream 11, transaction 0 | POST http://gokspflol.com:80/LKj839htgHBO/gate.php | Server 91.196.54.104:80 | Resp. application/octet-stream | +146.421s

DNS Traffic
Stream 2, query 1648 | Type A | www.google.com | TTL - | +139.847s
Stream 2, query 61567 | Type A | gokspflol.com | TTL 150 | +116.48s
Stream 3, query 60263 | Type A | gokspflol.com | TTL 150 | +116.483s

TCP/IP Streams
Stream | Src. IP:Port | Dest. IP:Port | Transport | Artifacts | Packets | Bytes | Timestamp
0 | 172.16.1.1 | 172.16.138.194 | ICMP | 0 | 2 | 96 | +35.858s
1 | 172.16.138.194 | 224.0.0.22 | IGMP | 0 | 2 | 80 | +37.976s
2 (DNS) | 172.16.138.194:1061 | 172.16.1.1:53 | UDP | 0 | 4 | 858 | +116.48s
3 (DNS) | 172.16.138.194:1062 | 172.16.1.1:53 | UDP | 0 | 2 | 586 | +116.483s
4 (HTTP) | 172.16.138.194:1063 | 91.196.54.104:80 | TCP | 1 | 164 | 185283 | +116.906s
5 (HTTP) | 172.16.138.194:1064 | 91.196.54.104:80 | TCP | 1 | 15 | 7134 | +117.034s
6 (HTTP) | 172.16.138.194:1065 | 91.196.54.104:80 | TCP | 1 | 199 | 230209 | +121.132s
7 (HTTP) | 172.16.138.194:1066 | 173.194.46.113:80 | TCP | 1 | 38 | 33625 | +140.725s
8 (HTTP) | 172.16.138.194:1067 | 91.196.54.104:80 | TCP | 1 | 10 | 1419 | +141.927s
9 (HTTP) | 172.16.138.194:1068 | 91.196.54.104:80 | TCP | 1 | 15 | 7095 | +142.675s
10 (HTTP) | 172.16.138.194:1069 | 91.196.54.104:80 | TCP | 1 | 260 | 295007 | +142.985s
11 (HTTP) | 172.16.138.194:1070 | 91.196.54.104:80 | TCP | 1 | 10 | 1214 | +146.299s

Processes
Name | PID | Children | File Actions | Registry Actions | Analysis Reason
0553733405.exe | 160 | 0 | 3 | 1 | Is target sample.
0553733405.exe | 184 | 2 | 3 | 3 | Parent is being analyzed
mien.exe | 488 | 0 | 3 | 0 | Parent is being analyzed
cmd.exe | 1824 | 1 | 3 | 3 | Parent is being analyzed
mien.exe | 1988 | 2 | 3 | 1 | Parent is being analyzed
hostname.exe | 220 | 0 | 3 | 7 | Process activity after target sample started.
tasklist.exe | 392 | 0 | 3 | 0 | Process activity after target sample started.
tmp650921d2.exe | 396 | 0 | 3 | 7 | Process activity after target sample started.
ipconfig.exe | 408 | 0 | 3 | 0 | Process activity after target sample started.
winlogon.exe | 428 | 0 | 3 | 0 | Process activity after target sample started.
lsass.exe | 484 | 0 | 3 | 0 | Process activity after target sample started.
svchost.exe | 652 | 0 | 3 | 0 | Process activity after target sample started.
svchost.exe | 796 | 0 | 3 | 1 | Process activity after target sample started.
svchost.exe | 844 | 0 | 3 | 0 | Process activity after target sample started.
netsh.exe | 1000 | 0 | 3 | 0 | Process activity after target sample started.
wmiprvse.exe | 1112 | 0 | 3 | 0 | Process activity after target sample started.
Explorer.EXE | 1148 | 0 | 3 | 7 | Process activity after target sample started.
cmd.exe | 1156 | 0 | 3 | 0 | Process activity after target sample started.
cmd.exe | 1208 | 0 | 3 | 7 | Process activity after target sample started.
tmp650921d2.exe | 1708 | 0 | 3 | 0 | Process activity after target sample started.
Parent PIDs recorded in the report but separated from their process entries in the slide text: 1988, 1824, 1988, 184, 184.

Artifacts
Every artifact has Exports: 0 and AV Sigs: 0. Path separators in artifact names are restored where unambiguous; truncations ("...") are as in the report.
No. | Name | Src | Imports | Type | Size | Related to
1 | 0553733405.exe | submitted | 191 | EXE - PE32 executable (GUI) Intel 80386, for MS... | 308224 |
2 | Documents and Settings\Administrator\...n Data\Uwhy\mien.exe | disk | 191 | EXE - PE32 executable (GUI) Intel 80386, for MS... | 308224 |
3 | temp\0553733405.exe | disk | 191 | EXE - PE32 executable (GUI) Intel 80386, for MS... | 308224 |
4 | Documents and Settings\Administrator\...ata\Leymtyodsyo.epd | disk | 0 | data | 399066 |
5 | WINDOWS\Prefetch\CMD.EXE-087B4001.pf | disk | 0 | data | 12932 |
6 | Documents and Settings\Administrator\...Data\Elmoyelinw.eco | disk | 0 | data | 9433 |
7 | Documents and Settings\Administrator\...ok\Administrator.wab | disk | 0 | data | 176594 |
8 | Documents and Settings\Administrator\...k\Administrator.wab~ | disk | 0 | data | 176594 |
9 | Documents and Settings\Administrator\...trator@google[2].txt | disk | 0 | ASCII text | 327 |
10 | Documents and Settings\Administrator\Cookies\index.dat | disk | 0 | Internet Explorer cache file version Ver 5.2 | 32768 |
11 | Documents and Settings\Administrator\... Express\Folders.dbx | disk | 0 | MS Outlook Express DBX file, folder database | 75204 |
12 | Documents and Settings\Administrator\...ok Express\Inbox.dbx | disk | 0 | MS Outlook Express DBX file, message database | 142036 |
13 | Documents and Settings\Administrator\... Express\Offline.dbx | disk | 0 | MS Outlook Express DBX file, offline database | 9656 |
14 | Documents and Settings\Administrator\...press\Sent Items.dbx | disk | 0 | MS Outlook Express DBX file, message database | 76500 |
15 | Documents and Settings\Administrator\...l Settings\Temp:$I30 | disk | 0 | data | 8 |
16 | Documents and Settings\Administrator\...Temp\tmp49402139.bat | disk | 0 | JS - JavaScript | 148 |
17 | WINDOWS\Prefetch\0553733405.EXE-29BD3105.pf | disk | 0 | data | 14902 |
18 | WINDOWS\Prefetch\RUNDLL32.EXE-1BC69D2D.pf | disk | 0 | data | 21148 |
19 | WINDOWS\Prefetch\RUNDLL32.EXE-451FC2C0.pf | disk | 0 | data | 12602 |
20 | WINDOWS\Prefetch\TASKLIST.EXE-10D94B23.pf | disk | 0 | data | 24914 |
21 | WINDOWS\Prefetch\TMP650921D2.EXE-29C2F8AE.pf | disk | 0 | data | 22678 |
22 | WINDOWS\Prefetch\NETSH.EXE-085CFFDE.pf | disk | 0 | data | 41782 |
23 | WINDOWS\Prefetch\IPCONFIG.EXE-2395F30B.pf | disk | 0 | data | 33780 |
24 | WINDOWS\Prefetch\LOGONUI.EXE-0AF22957.pf | disk | 0 | data | 22144 |
25 | WINDOWS\Prefetch\MIEN.EXE-1ECD8E53.pf | disk | 0 | data | 14476 |
26 | WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf | disk | 0 | data | 26238 |
27 | WINDOWS\Prefetch\WSCRIPT.EXE-32960AB9.pf | disk | 0 | data | 26330 |
28 | WINDOWS\Prefetch\DEVCON.EXE-1DF04AC9.pf | disk | 0 | data | 36662 |
29 | WINDOWS\Prefetch\HOSTNAME.EXE-279591F3.pf | disk | 0 | data | 13782 |
30 | WINDOWS\system32\config\SysEvent.Evt | disk | 0 | data | 65536 |
31 | file.php | network | 0 | PDP-11 kernel overlay | 177951 | stream 4
32 | file.php | network | 0 | data | 5776 | stream 5
33 | file.php | network | 0 | PDP-11 kernel overlay | 221471 | stream 6
34 | webhp | network | 0 | HTML - HTML document, ASCII text, with very lon... | 31040 | stream 7
35 | gate.php | network | 0 | data | 141 | stream 8
36 | config.dll | network | 0 | data | 5776 | stream 9
37 | file.php | network | 135 | EXE - PE32 executable (GUI) Intel 80386, for MS... | 283851 | stream 10
38 | gate.php | network | 0 | data | 64 | stream 11
39 | 652-svchost.exe | memory | 79 | EXE - PE32 executable (GUI) Intel 80386, for MS... | 14336 | 652 (svchost.exe)
40 | 428-winlogon.exe | memory | 0 | EXE - PE32 executable (GUI) Intel 80386, for MS... | 507904 | 428 (winlogon.exe)
41 | 1824-cmd.exe | memory | 189 | EXE - PE32 executable (console) Intel 80386, fo... | 389120 | 1824 (cmd.exe)
42 | 1148-Explorer.EXE | memory | 500 | EXE - PE32 executable (GUI) Intel 80386, for MS... | 1033728 | 1148 (Explorer.EXE)
43 | 844-svchost.exe | memory | 79 | EXE - PE32 executable (GUI) Intel 80386, for MS... | 14336 | 844 (svchost.exe)
44 | 796-svchost.exe | memory | 79 | EXE - PE32 executable (GUI) Intel 80386, for MS... | 14336 | 796 (svchost.exe)
Artifacts 1 and 3 carry the same SHA256 as the submitted sample; artifact 2 (the mien.exe copy) has the same size but a different SHA256 and MD5. Artifacts 32 and 36 (file.php from stream 5 and config.dll from stream 9) are identical by SHA256 and MD5.
Further file cross-references recorded in the report but separated from their artifact entries in the slide text: Modified by 184 (0553733405.exe); Read by 160 (0553733405.exe); Created by 184 (0553733405.exe); Read by 1156 (cmd.exe).

Registry Activity
Created Keys
Modified Keys

Filesystem Activity
Files Created: 7 | Files Read: 13 | Files Modified: 12 | Files Deleted: 0

All information contained in this report is confidential and proprietary information belonging solely to ThreatGRID, Inc. This document is client confidential and is intended for internal customer use only. The information contained herein is the property of ThreatGRID and may not be copied, used or disclosed in whole or in part, stored in a retrieval system or transmitted in any form or by any means (electronic, mechanical, reprographic, recording or otherwise) without the prior written permission of ThreatGRID.
Generated by ThreatBRAIN