427 Botnet fm qxd

Download 6,98 Mb.

Pdf ko'rish

bet	299/387
Sana	03.12.2022
Hajmi	6,98 Mb.
	#878307

1 ... 295 296 297 298 299 300 301 302 ... 387

Bog'liq
Botnets - The killer web applications

Filesize 113152 bytes MD5 82f78a89bde09a71ef99b3cedb991bcc Start Reason CreateProcess Termination Reason
Filesystem Deleted Files c:\malware.exe Mutexes Creates Mutex: arm4n Registry Changes
Network Activity DNS Lookup Host Name IP Address sexccc.serveftp.com sexccc.ath.cx 208.98.19.3 TCP Connections

www.syngress.com
366
Chapter 10 • Using Sandbox Tools for Botnets
427_Botnet_10.qxd 1/9/07 3:06 PM Page 366

Table 10.1
Extract of a Malware Analysis
Analysis Number
2
Parent ID
1
Process ID
2028
Filename
C:\WINDOWS\system32\arman.exe
--install c:\82f78a89bde09a71ef99b3cedb991bcc.exe
Filesize
113152 bytes
MD5
82f78a89bde09a71ef99b3cedb991bcc
Start Reason
CreateProcess
Termination Reason
Timeout
Start Time
00:05.391
Stop Time
02:00.469
DLL-Handling
Loaded DLLs
C:\WINDOWS\system32\arman.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
...
Filesystem
Deleted Files
c:\malware.exe
Mutexes
Creates Mutex: arm4n
Registry
Changes
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Arman" =
C:\WINDOWS\system32\arman.exe
Reads
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Arman"
HKLM\Software\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
System Info
Get System Directory
Network Activity
DNS Lookup
Host Name
IP Address
sexccc.serveftp.com
sexccc.ath.cx
208.98.19.3
TCP Connections
Opened listening TCP connection on port: 11666
C&C Server: 208.98.19.3:6666
Username: XP-DEU 0 0 :[XP|DEU|P|00|gcoDZaUz]
Nickname: [XP|DEU|P|00|gcoDZaUz]
Channel: ##tibia2## (Password: tibiablows)
www.syngress.com
Using Sandbox Tools for Botnets • Chapter 10
367
427_Botnet_10.qxd 1/9/07 3:06 PM Page 367

Download 6,98 Mb.

Do'stlaringiz bilan baham:

1 ... 295 296 297 298 299 300 301 302 ... 387