
Grabber analysis

Fairhawk
floppy-disk · User · Registered: 26.02.2012 · Messages: 1 · Reactions: 0
Intro.
My first malware analysis; I found the sample on malwaredomainlist.com the other day.

Basics:
filename: iu4jFQ.exe
filesize: 95232
md5: 00F9B209E18103E1DCD728AEA1C64A7A
sha1: F94A6FFB958113B2BEB77FCC689E73576E9004B2
Time/Date Stamp: 15:00:42, 21 February 2012

PE sections:
Name    Virtual Address  Virtual Size  Raw Size  Entropy  MD5
.text   4096             90394         90624     6.52     7c112cfca236327dd65671dc10b21f3d
.rdata  98304            1934          2048      5.25     9d80892ce7ac23bb48a095d1aa92109b
.data   102400           87312         1536      3.60     ca99aa762acc89f4c41813955fc053b9

https://www.virustotal.com/file/e22e62780ae...sis/1330023644/

Analysis:
The sample is well obfuscated: there are no useful strings in the clear, the import table raises no suspicion, and all the APIs it needs are located and called at run time. It adds itself to the exceptions of the standard firewall. The size is always fixed, while the hashes and the file name differ in every sample. PEiD in "Hardcore Scan" mode identified it as "UPolyX v0.5 *".

The list of all(!) APIs the malware uses:
Code:
SetConsoleInputExeNameW
IsDebuggerPresent
CopyFileExW
SetThreadUILanguage
NtQueryInformationProcess
SaferRecordEventLogEntry
ImpersonateLoggedOnUser
SaferCloseLevel
SaferComputeTokenFromLevel
SaferIdentifyLevel
RevertToSelf
RegQueryValueW
RegEnumKeyW
RegDeleteKeyW
RegSetValueW
RegCloseKey
RegQueryValueExW
RegOpenKeyW
RegSetValueExW
RegCreateKeyExW
CreateProcessAsUserW
RegOpenKeyExW
FreeSid
LookupAccountSidW
GetSecurityDescriptorOwner
GetFileSecurityW
WNetCancelConnection2W
WNetGetConnectionW
WNetAddConnection2W
ShellExecuteExW
SHChangeNotify
FlushConsoleInputBuffer
LoadLibraryA
InterlockedExchange
FreeLibrary
LocalAlloc
GetVDMCurrentDirectories
CmdBatNotification
GetModuleHandleA
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetCurrentProcess
GetSystemTimeAsFileTime
GetCurrentProcessId
GetTickCount
QueryPerformanceCounter
GetThreadLocale
GetDiskFreeSpaceExW
CompareFileTime
RemoveDirectoryW
GetCurrentDirectoryW
SetCurrentDirectoryW
TerminateProcess
WaitForSingleObject
GetExitCodeProcess
CopyFileW
SetFileAttributesW
DeleteFileW
SetFileTime
CreateDirectoryW
FillConsoleOutputAttribute
SetConsoleTextAttribute
ScrollConsoleScreenBufferW
FormatMessageW
DuplicateHandle
FlushFileBuffers
HeapReAlloc
HeapSize
GetFileAttributesExW
LocalFree
GetDriveTypeW
InitializeCriticalSection
SetConsoleCtrlHandler
GetWindowsDirectoryW
GetConsoleTitleW
GetModuleFileNameW
GetVersion
EnterCriticalSection
LeaveCriticalSection
ExpandEnvironmentStringsW
SearchPathW
WriteFile
GetVolumeInformationW
SetLastError
MoveFileW
SetConsoleTitleW
MoveFileExW
GetBinaryTypeW
GetFileAttributesW
GetCurrentThreadId
CreateProcessW
LoadLibraryW
ReadProcessMemory
SetErrorMode
GetConsoleMode
SetConsoleMode
VirtualAlloc
VirtualFree
SetEnvironmentVariableW
GetEnvironmentVariableW
GetCommandLineW
GetEnvironmentStringsW
GetLocalTime
GetTimeFormatW
FileTimeToLocalFileTime
GetDateFormatW
GetLastError
CloseHandle
SetThreadLocale
GetProcAddress
GetModuleHandleW
SetFilePointer
lstrcmpW
lstrcmpiW
HeapAlloc
GetProcessHeap
HeapFree
MultiByteToWideChar
ReadFile
WriteConsoleW
FillConsoleOutputCharacterW
SetConsoleCursorPosition
ReadConsoleW
GetConsoleScreenBufferInfo
GetStdHandle
GetFileType
VirtualQuery
RaiseException
GetCPInfo
GetConsoleOutputCP
WideCharToMultiByte
GetFileSize
CreateFileW
FindClose
FindNextFileW
FindFirstFileW
GetFullPathNameW
GetUserDefaultLCID
GetLocaleInfoW
SetLocalTime
SystemTimeToFileTime
GetSystemTime
FileTimeToSystemTime
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
__initenv
_cexit
_XcptFilter
_exit
_c_exit
calloc
_wcslwr
qsort
_vsnwprintf
wcsstr
_dup2
_dup
_open_osfhandle
_close
swscanf
_ultoa
_pipe
_seh_longjmp_unwind
_setmode
wcsncmp
iswxdigit
fflush
exit
_wtol
time
srand
__set_app_type
wcsrchr
malloc
free
wcstoul
_errno
iswalpha
printf
rand
swprintf
_iob
fprintf
towlower
realloc
setlocale
_snwprintf
wcscat
_wcsupr
wcsncpy
_wpopen
fgets
_pclose
memmove
wcschr
iswspace
_tell
longjmp
wcscmp
_wcsnicmp
_wcsicmp
wcstol
iswdigit
_getch
_get_osfhandle
_controlfp
_setjmp3
_except_handler3
wcscpy
wcslen
wcsspn
towupper
GetUserObjectInformationW
GetThreadDesktop
MessageBeep
GetProcessWindowStation
Locations the sample grabs data from (may be useful):
Code:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall)	
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AIMP2	
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cygnus Hex Editor FREE EDITION	
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectAnimation	
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IDA Pro Advanced v5.5 with Hex-Rays Decompiler v1.1_is1	
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 7.0.1 (x86 ru)	
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions	
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Process_Hacker2_is1	
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SysAnalyzer_is1	
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\The KMPlayer	
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinPcapInst	
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinRAR archiver	
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark	
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}	
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{29D3773E-54F4-23C2-D523-236A4453B845}_is1	
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5888428E-699C-4E71-BF71-94EE06B497DA}	
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6A86554B-8928-30E4-A53C-D7337689134D}	
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}	
HKCU\Software\WinRAR	
HKCU\Software\Far\Plugins\FTP\Hosts	
HKCU\Software\Far\Plugins\FTP\Hosts	
HKCU\Software\Far2\Plugins\FTP\Hosts	
HKCU\Software\Far2\Plugins\FTP\Hosts	
HKCU\Software\Far\SavedDialogHistory\FTPHost	
HKCU\Software\Far\SavedDialogHistory\FTPHost	
HKCU\Software\Far2\SavedDialogHistory\FTPHost	
HKCU\Software\Far2\SavedDialogHistory\FTPHost	
HKCU\Software\Ghisler\Windows Commander	
HKLM\Software\Ghisler\Windows Commander	
HKCU\Software\Ghisler\Total Commander	
HKLM\Software\Ghisler\Total Commander	
C:\WINDOWS\wcx_ftp.ini	
C:\Documents and Settings\Администратор\wcx_ftp.ini	
C:\Documents and Settings\Администратор\Application Data\GHISLER\wcx_ftp.ini	
C:\Documents and Settings\All Users\Application Data\GHISLER\wcx_ftp.ini	
C:\Documents and Settings\Администратор\Local Settings\Application Data\GHISLER\wcx_ftp.ini	
C:\Documents and Settings\Администратор\Application Data\GlobalSCAPE\CuteFTP\sm.dat	
C:\Documents and Settings\Администратор\Application Data\GlobalSCAPE\CuteFTP Pro\sm.dat	
C:\Documents and Settings\Администратор\Application Data\GlobalSCAPE\CuteFTP Lite\sm.dat	
C:\Documents and Settings\Администратор\Application Data\CuteFTP\sm.dat	
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP\sm.dat	
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP Pro\sm.dat	
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP Lite\sm.dat	
C:\Documents and Settings\All Users\Application Data\CuteFTP\sm.dat	
C:\Documents and Settings\Администратор\Local Settings\Application Data\GlobalSCAPE\CuteFTP\sm.dat	
C:\Documents and Settings\Администратор\Local Settings\Application Data\GlobalSCAPE\CuteFTP Pro\sm.dat	
C:\Documents and Settings\Администратор\Local Settings\Application Data\GlobalSCAPE\CuteFTP Lite\sm.dat	
C:\Documents and Settings\Администратор\Local Settings\Application Data\CuteFTP\sm.dat	
C:\Program Files\GlobalSCAPE\CuteFTP\sm.dat	
C:\Program Files\GlobalSCAPE\CuteFTP Pro\sm.dat	
C:\Program Files\GlobalSCAPE\CuteFTP Lite\sm.dat	
C:\Program Files\CuteFTP\sm.dat	
HKCU\Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar	
HKCU\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar	
HKCU\Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar	
HKCU\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar	
HKCU\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar	
HKCU\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar	
HKCU\Software\FlashFXP\3	
HKCU\Software\FlashFXP	
HKCU\Software\FlashFXP\4	
HKLM\Software\FlashFXP\3	
HKLM\Software\FlashFXP	
HKLM\Software\FlashFXP\4	
C:\Documents and Settings\Администратор\Application Data\FlashFXP\3\Sites.dat	
C:\Documents and Settings\Администратор\Application Data\FlashFXP\4\Sites.dat	
C:\Documents and Settings\Администратор\Application Data\FlashFXP\3\Quick.dat	
C:\Documents and Settings\Администратор\Application Data\FlashFXP\4\Quick.dat	
C:\Documents and Settings\Администратор\Application Data\FlashFXP\3\History.dat	
C:\Documents and Settings\Администратор\Application Data\FlashFXP\4\History.dat	
C:\Documents and Settings\All Users\Application Data\FlashFXP\3\Sites.dat	
C:\Documents and Settings\All Users\Application Data\FlashFXP\4\Sites.dat	
C:\Documents and Settings\All Users\Application Data\FlashFXP\3\Quick.dat	
C:\Documents and Settings\All Users\Application Data\FlashFXP\4\Quick.dat	
C:\Documents and Settings\All Users\Application Data\FlashFXP\3\History.dat	
C:\Documents and Settings\All Users\Application Data\FlashFXP\4\History.dat	
C:\Documents and Settings\Администратор\Local Settings\Application Data\FlashFXP\3\Sites.dat	
C:\Documents and Settings\Администратор\Local Settings\Application Data\FlashFXP\4\Sites.dat	
C:\Documents and Settings\Администратор\Local Settings\Application Data\FlashFXP\3\Quick.dat	
C:\Documents and Settings\Администратор\Local Settings\Application Data\FlashFXP\4\Quick.dat	
C:\Documents and Settings\Администратор\Local Settings\Application Data\FlashFXP\3\History.dat	
C:\Documents and Settings\Администратор\Local Settings\Application Data\FlashFXP\4\History.dat	
HKCU\Software\FileZilla	
HKCU\Software\FileZilla	
HKCU\Software\FileZilla	
HKCU\Software\FileZilla Client	
HKLM\Software\FileZilla	
HKLM\Software\FileZilla Client	
C:\Documents and Settings\Администратор\Application Data\FileZilla\sitemanager.xml	
C:\Documents and Settings\Администратор\Application Data\FileZilla\recentservers.xml	
C:\Documents and Settings\Администратор\Application Data\FileZilla\filezilla.xml	
C:\Documents and Settings\All Users\Application Data\FileZilla\sitemanager.xml	
C:\Documents and Settings\All Users\Application Data\FileZilla\recentservers.xml	
C:\Documents and Settings\All Users\Application Data\FileZilla\filezilla.xml	
C:\Documents and Settings\Администратор\Local Settings\Application Data\FileZilla\sitemanager.xml	
C:\Documents and Settings\Администратор\Local Settings\Application Data\FileZilla\recentservers.xml	
C:\Documents and Settings\Администратор\Local Settings\Application Data\FileZilla\filezilla.xml	
HKCU\Software\BPFTP\Bullet Proof FTP\Main	
HKCU\Software\BulletProof Software\BulletProof FTP Client\Main	
HKCU\Software\BPFTP\Bullet Proof FTP\Options	
HKCU\Software\BulletProof Software\BulletProof FTP Client\Options	
HKCU\Software\BPFTP	
HKLM\Software\TurboFTP	
HKCU\Software\Sota\FFFTP	
HKCU\Software\Sota\FFFTP\Options	
HKCU\Software\Sota\FFFTP\Options	
HKCU\Software\CoffeeCup Software\Internet\Profiles	
HKCU\Software\CoffeeCup Software\Internet\Profiles	
HKCU\Software\FTPWare\COREFTP\Sites	
HKCU\Software\FTPWare\COREFTP\Sites	
HKCU\Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224	
HKCU\Software\VanDyke\SecureFX	
HKCU\Software\Cryer\WebSitePublisher	
HKCU\Software\Cryer\WebSitePublisher	
HKCU\Software\ExpanDrive\Sessions	
HKCU\Software\ExpanDrive\Sessions	
HKCU\Software\ExpanDrive	
C:\Documents and Settings\Администратор\Application Data\ExpanDrive\drives.js	
C:\Documents and Settings\Администратор\Local Settings\Application Data\ExpanDrive\drives.js	
C:\Documents and Settings\All Users\Application Data\ExpanDrive\drives.js	
HKLM\Software\NCH Software\ClassicFTP\FTPAccounts	
HKLM\Software\NCH Software\ClassicFTP\FTPAccounts	
HKCU\Software\NCH Software\ClassicFTP\FTPAccounts	
HKCU\Software\NCH Software\ClassicFTP\FTPAccounts	
HKCU\SOFTWARE\NCH Software\Fling\Accounts	
HKCU\SOFTWARE\NCH Software\Fling\Accounts	
HKLM\SOFTWARE\NCH Software\Fling\Accounts	
HKLM\SOFTWARE\NCH Software\Fling\Accounts	
HKCU\Software\FTPClient\Sites	
HKCU\Software\FTPClient\Sites	
HKLM\Software\FTPClient\Sites	
HKLM\Software\FTPClient\Sites	
HKCU\Software\SoftX.org\FTPClient\Sites	
HKCU\Software\SoftX.org\FTPClient\Sites	
HKLM\Software\SoftX.org\FTPClient\Sites	
HKLM\Software\SoftX.org\FTPClient\Sites	
C:\Documents and Settings\Администратор\Application Data\SharedSettings.ccs	
C:\Documents and Settings\Администратор\Application Data\SharedSettings.sqlite	
C:\Documents and Settings\Администратор\Application Data\SharedSettings_1_0_5.ccs	
C:\Documents and Settings\Администратор\Application Data\SharedSettings_1_0_5.sqlite	
C:\Documents and Settings\All Users\Application Data\SharedSettings.ccs	
C:\Documents and Settings\All Users\Application Data\SharedSettings.sqlite	
C:\Documents and Settings\All Users\Application Data\SharedSettings_1_0_5.ccs	
C:\Documents and Settings\All Users\Application Data\SharedSettings_1_0_5.sqlite	
C:\Documents and Settings\Администратор\Local Settings\Application Data\SharedSettings.ccs	
C:\Documents and Settings\Администратор\Local Settings\Application Data\SharedSettings.sqlite	
C:\Documents and Settings\Администратор\Local Settings\Application Data\SharedSettings_1_0_5.ccs	
C:\Documents and Settings\Администратор\Local Settings\Application Data\SharedSettings_1_0_5.sqlite	
C:\Documents and Settings\Администратор\Application Data\CoffeeCup Software\SharedSettings.ccs	
C:\Documents and Settings\Администратор\Application Data\CoffeeCup Software\SharedSettings.sqlite	
C:\Documents and Settings\Администратор\Application Data\CoffeeCup Software\SharedSettings_1_0_5.ccs	
C:\Documents and Settings\Администратор\Application Data\CoffeeCup Software\SharedSettings_1_0_5.sqlite	
C:\Documents and Settings\All Users\Application Data\CoffeeCup Software\SharedSettings.ccs	
C:\Documents and Settings\All Users\Application Data\CoffeeCup Software\SharedSettings.sqlite	
C:\Documents and Settings\All Users\Application Data\CoffeeCup Software\SharedSettings_1_0_5.ccs	
C:\Documents and Settings\All Users\Application Data\CoffeeCup Software\SharedSettings_1_0_5.sqlite	
C:\Documents and Settings\Администратор\Local Settings\Application Data\CoffeeCup Software\SharedSettings.ccs	
C:\Documents and Settings\Администратор\Local Settings\Application Data\CoffeeCup Software\SharedSettings.sqlite	
C:\Documents and Settings\Администратор\Local Settings\Application Data\CoffeeCup Software\SharedSettings_1_0_5.ccs	
C:\Documents and Settings\Администратор\Local Settings\Application Data\CoffeeCup Software\SharedSettings_1_0_5.sqlite	
HKCU\SOFTWARE\LeapWare	
HKCU\SOFTWARE\LeapWare	
HKLM\SOFTWARE\LeapWare	
HKLM\SOFTWARE\LeapWare	
HKCU\Software\Martin Prikryl	
HKCU\Software\Martin Prikryl	
HKLM\Software\Martin Prikryl	
HKLM\Software\Martin Prikryl	
C:\WINDOWS\32BitFtp.ini	
HKCU\Software\South River Technologies\WebDrive\Connections	
HKCU\Software\South River Technologies\WebDrive\Connections	
HKLM\Software\South River Technologies\WebDrive\Connections	
HKLM\Software\South River Technologies\WebDrive\Connections	
HKCU\Software\Opera Software	
HKCR\Opera.HTML\shell\open\command	
HKCU\Software\AceBIT	
HKCU\Software\AceBIT	
HKLM\Software\AceBIT	
HKLM\Software\AceBIT	
HKLM\SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}	
HKLM\SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}	
HKLM\SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}	
HKLM\SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}	
HKCU\Software\Mozilla	
HKCU\Software\Mozilla	
HKLM\Software\Mozilla	
HKLM\Software\Mozilla	
HKLM\Software\Mozilla\Mozilla Firefox	
HKLM\Software\Mozilla\Mozilla Firefox	
HKLM\Software\Mozilla\Mozilla Firefox	
HKLM\Software\Mozilla\Mozilla Firefox\7.0.1 (ru)	
HKLM\Software\Mozilla\Mozilla Firefox\7.0.1 (ru)
HKLM\Software\Mozilla\Mozilla Firefox\7.0.1 (ru)	
HKLM\Software\Mozilla\Mozilla Firefox\7.0.1 (ru)\Main	
C:\Documents and Settings\Администратор\Application Data\Mozilla\Firefox\profiles.ini	
C:\Documents and Settings\Администратор\Application Data\Mozilla\Firefox\Profiles\9zessehq.default\signons.sqlite	
C:\Documents and Settings\Администратор\Application Data\Mozilla\Firefox\Profiles\9zessehq.default\signons.sqlite	
C:\Documents and Settings\Администратор\Application Data\Mozilla\Firefox\Profiles\9zessehq.default/secmod.db	
C:\Documents and Settings\Администратор\Application Data\Mozilla\Firefox\Profiles\9zessehq.default/cert8.db	
C:\Documents and Settings\Администратор\Application Data\Mozilla\Firefox\Profiles\9zessehq.default/key3.db
HKLM\Software\Mozilla\Mozilla Firefox\7.0.1 (ru)\Main	
HKLM\Software\Mozilla\Mozilla Firefox\7.0.1 (ru)\Main	
HKLM\Software\Mozilla\Mozilla Firefox\7.0.1 (ru)\Uninstall	
HKLM\Software\Mozilla\Mozilla Firefox\7.0.1 (ru)\Uninstall	
HKLM\Software\Mozilla\Mozilla Firefox\7.0.1 (ru)\Uninstall	
HKLM\Software\Mozilla\Mozilla Firefox 7.0.1	
HKLM\Software\Mozilla\Mozilla Firefox 7.0.1	
HKLM\Software\Mozilla\Mozilla Firefox 7.0.1	
HKLM\Software\Mozilla\Mozilla Firefox 7.0.1\bin	
HKLM\Software\Mozilla\Mozilla Firefox 7.0.1\bin	
HKLM\Software\Mozilla\Mozilla Firefox 7.0.1\bin	
HKLM\Software\Mozilla\Mozilla Firefox 7.0.1\extensions	
HKLM\Software\Mozilla\Mozilla Firefox 7.0.1\extensions	
HKLM\Software\Mozilla\Mozilla Firefox 7.0.1\extensions	
HKCU\Software\Mozilla	
HKCU\Software\LeechFTP	
HKCR\CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32	
HKCU\Software\Adobe\Common	
HKCU\Software\Adobe\Common	
HKCU\Software\ChromePlus	
HKCU\Software\FlashPeak\BlazeFtp\Settings	
HKCR\FTP++.Link\shell\open\command	
HKLM\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32	
HKCU\SOFTWARE\Robo-FTP 3.7\FTPServers	
HKCU\SOFTWARE\Robo-FTP 3.7\FTPServers	
HKLM\SOFTWARE\Robo-FTP 3.7\FTPServers	
HKLM\SOFTWARE\Robo-FTP 3.7\FTPServers	
HKCU\SOFTWARE\Robo-FTP 3.7\Scripts	
HKCU\Software\LinasFTP\Site Manager	
HKCU\Software\LinasFTP\Site Manager	
HKCU\Software\SimonTatham\PuTTY\Sessions	
HKCU\Software\SimonTatham\PuTTY\Sessions	
HKLM\Software\SimonTatham\PuTTY\Sessions	
HKLM\Software\SimonTatham\PuTTY\Sessions
C:\DOCUME~1\9335~1\LOCALS~1\Temp\Client Hash
C:\Documents and Settings\Администратор\Local Settings\Temporary Internet Files\Content.IE5\index.dat	
C:\Documents and Settings\Администратор\Cookies\index.dat	
C:\Documents and Settings\Администратор\Local Settings\History\History.IE5\index.dat	
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings	
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache	
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache

After collection, all the data is sent to:
Code:
alfredomusik.de
favoriteburger.net
favoriteleague.com
favoritecolla.net
favoriteguild.com
favoritelot.com
favoritesklad.com
favoritetank.net
linertweet.com
2elkompozit.com
kiamv.com
After running, the sample deletes itself via a .bat file.
PS. The binary is attached.
 

Attachments

  • iu4jFQ.zip
    22 bytes · Views: 15
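The section table in the post shows the two static signs that go with a packed sample: a .text section with entropy above 6.5, and a .data section whose Virtual Size (87312) is about 57 times its Raw Size (1536), i.e. a region the packer fills at run time. The script below, an added example that is not code from the post or from the sample, parses a PE section table by hand (no pefile dependency), computes per-section Shannon entropy and flags both indicators. The mini PE image assembled by build_sample_pe() is constructed for the demonstration and is not iu4jFQ.exe; the entropy and growth-ratio thresholds are assumptions to tune against your own corpus.

```python
"""Section-table triage for a suspected packed PE (added example)."""
import math
import struct

# IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes)
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or uniform data, 8.0 for a flat histogram."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]     # NumberOfSections
    opt_hdr_size = struct.unpack_from("<H", image, coff + 16)[0]    # SizeOfOptionalHeader
    table = coff + 20 + opt_hdr_size
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HEADER_FMT, image, table + i * SECTION_HEADER_SIZE)
        name, vsize, vaddr, rawsize, rawptr = fields[:5]
        raw = image[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": rawsize,
            "entropy": round(shannon_entropy(raw), 2),
        })
    return sections


def packing_indicators(sections, entropy_threshold=6.5, growth_ratio=4.0) -> list:
    """Flag high-entropy sections (packed/encrypted code) and sections whose
    VirtualSize is many times SizeOfRawData (run-time unpack buffers).
    Thresholds are example values, not from the post."""
    flags = []
    for s in sections:
        if s["entropy"] >= entropy_threshold:
            flags.append(f"{s['name']}: entropy {s['entropy']} >= {entropy_threshold}, likely packed")
        if s["raw_size"] and s["virtual_size"] / s["raw_size"] >= growth_ratio:
            flags.append(f"{s['name']}: VirtualSize {s['virtual_size']} is "
                         f"{s['virtual_size'] // s['raw_size']}x SizeOfRawData {s['raw_size']}, run-time buffer")
    return flags


def build_sample_pe() -> bytes:
    """Constructed mini PE with three sections mimicking the layout in the post's table."""
    text = bytes(range(256)) * 4                          # flat histogram -> entropy 8.0
    rdata = (b"kernel32.dll\0LoadLibraryA\0GetProcAddress\0" * 20)[:512]
    data = b"\0" * 512                                    # 512 raw bytes backing a 64 KiB section
    headers = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40))   # e_lfanew = 0x40
    opt_hdr_size = 16
    # COFF: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    headers += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, opt_hdr_size, 0x102)
    headers += b"\0" * opt_hdr_size                        # dummy optional header
    layout = [(b".text", 0x400, 0x1000, text, 0x60000020),
              (b".rdata", 0x1F4, 0x2000, rdata, 0x40000040),
              (b".data", 0x10000, 0x3000, data, 0xC0000040)]
    rawptr, body = 0x100, b""
    for name, vsize, vaddr, raw, chars in layout:
        headers += struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"), vsize, vaddr,
                               len(raw), rawptr, 0, 0, 0, 0, chars)
        body += raw
        rawptr += len(raw)
    return bytes(headers.ljust(0x100, b"\0")) + body


if __name__ == "__main__":
    secs = parse_sections(build_sample_pe())
    for s in secs:
        print(f"{s['name']:<7} VA={s['virtual_address']:#x} VS={s['virtual_size']} RS={s['raw_size']} H={s['entropy']}")
    for f in packing_indicators(secs):
        print("!!", f)
```

On the real file you would call parse_sections(open(path, "rb").read()); the post's 6.52 for .text sits just above the example threshold, while the 87312/1536 ratio for .data is the stronger signal, since a legitimate linker-produced .data rarely needs that much uninitialised space.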
So where is the analysis? A dump of the import table and the check-in to the gate is not analysis yet. But thanks for that anyway; if you had added a bit of reversing it would have been fire.
 
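The long list of registry keys and files in the first post is more useful as a behaviour than as a string list: a legitimate FTP client opens only its own saved-site store, whereas this sample opens the stores of a dozen different clients in one run. The script below, an added example rather than code from the post, turns that observation into a detector over Procmon-style file and registry events, counting how many distinct clients' credential stores each process reads. The event lines are constructed for the example, the path patterns are derived from the list in the first post (matched on the tail of the path so the profile directory and user name do not matter), and the three-client threshold is an assumption.

```python
"""Behavioural detection of FTP/SSH credential-store harvesting (added example)."""
import csv
import io
import re
from collections import defaultdict

# Patterns are applied to the lower-cased path with "/" folded to "\".
# Each matches the tail of a location from the post's list.
CREDENTIAL_STORES = [
    ("FileZilla",       re.compile(r"\\filezilla\\(sitemanager|recentservers)\.xml$")),
    ("FlashFXP",        re.compile(r"\\flashfxp\\[34]\\(sites|quick|history)\.dat$")),
    ("Total Commander", re.compile(r"\\wcx_ftp\.ini$")),
    ("CuteFTP",         re.compile(r"\\cuteftp[^\\]*\\sm\.dat$")),
    ("Far Manager",     re.compile(r"\\software\\far2?\\plugins\\ftp\\hosts(\\|$)")),
    ("WinSCP",          re.compile(r"\\software\\martin prikryl(\\|$)")),
    ("PuTTY",           re.compile(r"\\software\\simontatham\\putty\\sessions(\\|$)")),
    ("CoffeeCup",       re.compile(r"\\sharedsettings(_\d+_\d+_\d+)?\.(ccs|sqlite)$")),
    ("Firefox",         re.compile(r"\\(signons\.sqlite|key3\.db|cert8\.db)$")),
    ("ExpanDrive",      re.compile(r"\\expandrive\\drives\.js$")),
    ("Core FTP",        re.compile(r"\\software\\ftpware\\coreftp\\sites(\\|$)")),
    ("BulletProof FTP", re.compile(r"\\software\\(bpftp|bulletproof software)\\")),
]

# Operations that mean the process actually opened or read the store.
READ_OPS = {"CreateFile", "ReadFile", "RegOpenKey", "RegQueryValue"}


def classify(path: str):
    """Return the client whose credential store `path` belongs to, or None."""
    p = path.replace("/", "\\").lower()
    for client, rx in CREDENTIAL_STORES:
        if rx.search(p):
            return client
    return None


def find_harvesters(events_csv: str, min_clients: int = 3) -> dict:
    """Group store accesses by PID and report processes that touched stores of
    at least `min_clients` distinct clients: {pid: {"image": ..., "clients": [...]}}."""
    touched = defaultdict(set)
    images = {}
    for row in csv.DictReader(io.StringIO(events_csv)):
        if row["Operation"] not in READ_OPS:
            continue
        client = classify(row["Path"])
        if client:
            touched[row["PID"]].add(client)
            images[row["PID"]] = row["Process Name"]
    return {pid: {"image": images[pid], "clients": sorted(clients)}
            for pid, clients in touched.items() if len(clients) >= min_clients}


# Constructed Procmon-style export (not a real capture): the stealer PID reads
# many stores, filezilla.exe reads only its own, explorer.exe reads none.
SAMPLE_EVENTS = r"""Process Name,PID,Operation,Path
iu4jFQ.exe,1234,RegOpenKey,HKCU\Software\Far2\Plugins\FTP\Hosts
iu4jFQ.exe,1234,CreateFile,C:\Documents and Settings\Администратор\Application Data\GHISLER\wcx_ftp.ini
iu4jFQ.exe,1234,CreateFile,C:\Documents and Settings\Администратор\Application Data\FileZilla\sitemanager.xml
iu4jFQ.exe,1234,ReadFile,C:\Documents and Settings\Администратор\Application Data\FileZilla\sitemanager.xml
iu4jFQ.exe,1234,RegOpenKey,HKCU\Software\SimonTatham\PuTTY\Sessions
iu4jFQ.exe,1234,CreateFile,C:\Documents and Settings\Администратор\Application Data\Mozilla\Firefox\Profiles\9zessehq.default/signons.sqlite
iu4jFQ.exe,1234,CreateFile,C:\Documents and Settings\Администратор\Application Data\GlobalSCAPE\CuteFTP Pro\sm.dat
filezilla.exe,2000,CreateFile,C:\Documents and Settings\Администратор\Application Data\FileZilla\sitemanager.xml
filezilla.exe,2000,CreateFile,C:\Documents and Settings\Администратор\Application Data\FileZilla\recentservers.xml
explorer.exe,800,CreateFile,C:\WINDOWS\system32\shell32.dll
explorer.exe,800,RegOpenKey,HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
"""

if __name__ == "__main__":
    for pid, info in find_harvesters(SAMPLE_EVENTS).items():
        print(f"PID {pid} ({info['image']}) read credential stores of: {', '.join(info['clients'])}")
```

The same grouping works on Sysmon event 11/12/13 data or an EDR file-access stream; the point is the distinct-client count per process, which a single FTP client never drives above one and which this sample pushes past a dozen before it beacons to the domains listed above.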
http://www.securityhome.eu/malware/malware...cdd6a9.13615292

Code:
004023AE    68 59124100      PUSH 1_.00411259                       ; ASCII "Software\WinRAR"
004023B3    FF35 55124100    PUSH DWORD PTR DS:[411255]
004023B9    E8 68AA0000      CALL <JMP.&advapi32.RegCreateKeyA>

00403A88    68 E4164100      PUSH 1_.004116E4                       ; ASCII "HWID"
00403A8D    E8 26EAFFFF      CALL 1_.004024B8
 
Win32/Fareit - can anyone give its proper name?

Win32/Fareit is a multiple component malware family that consists of a password stealing component, PWS:Win32/Fareit, that steals sensitive information from the affected user's computer and sends it to a remote attacker, and a Distributed Denial of Service (DDoS) component, DDoS:Win32/Fareit.gen!A, that may be commanded to perform flooding attacks against other servers.
source
 

