Jump to content
Tuts 4 You

Strange file was sent, help analyzing.


carb0n

Recommended Posts

There was a file sent from my email that I didn't authorize, me and my staff have been analyzing but haven't come u with a lot of stuff, here is what we got so far:

johnnyk

analyzed the crypter

drops this smss.exe into windows directory

hers some reports

http://anubis.iseclab.org/?action=result&a...amp;format=html

http://research.sunbelt-software.com/ViewM...aspx?id=6585843

http://www.novirusthanks.org/analisis/39b5...18cba37b757e2b4

plus it dorps this crypter.exe and this txt file saying

Your files zip,rar,doc,txt,xls,ppt,vbs,htm,html,pas,bas,c,cpp,exe were encrypted . Send mail to unknowncrypter@mail.ru for unencryption key. Your PC has been marked - reporting this activity may lead to the complete deletion of your HDD.

cm2

guys I ran the file through the lab computer which is a winxp machine NOT updated using internet explorer 6 has avg.

tcpmon showed no outside connections now while both the main file and the stub both do alot of querying and copies into the prefetch I don't see much in the way of activity they both ran and then stopped the lab is not a virtual pc it is a live installation on a separate hdd

filemon showed that it queried alot for the gdi exploit but was not able to execute.

it does modify the host file to hackhound.org 127.0.0.1

in the end the file APPEARED to run look for some exploitable shiz and then end

I have not seen any effects of this exe on the lab

IT DOES try and set itself to run as a debugger in the gdl execute debugger registry entry

but other than that I don't see anything else happening

will continue to monitor tonight

So if you guys find anything else, please let me know, thanks.

http://rapidshare.de/files/41145344/backdoored.rar.html

Link to comment
Your files zip,rar,doc,txt,xls,ppt,vbs,htm,html,pas,bas,c,cpp,exe were encrypted . Send mail to unknowncrypter@mail.ru for unencryption key. Your PC has been marked - reporting this activity may lead to the complete deletion of your HDD.

This message reminds me of GPcode !

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...