a guest
Oct 23rd, 2019
Installrite Analysis
The installation performed the following activity:
4 files added
3 files deleted
2 files updated
22 registry entries added
0 registry entries deleted
11 registry entries updated

Installed 10/24/2019 4:51:54 AM

All Files
- Added Files
> C:\WINDOWS\msagent\msfnhu.com
> C:\WINDOWS\system32\msaueo.com
> C:\WINDOWS\system32\mshost.exe
- Modified Files
> C:\WINDOWS\system32\config\system.log

Registry
- Added Registry
> HKU\S-1-5-21-839522115-796845957-2147137731-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
> COM Service

> HKLM\WINDOWS\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
> COM Service

> HKLM\WINDOWS\Microsoft\Active Setup\INstalled Components\{44CC0112-AB51-22EF-BA32-20AA12E6115C}
> StubPath

> HKCU\WINDOWS\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
> COM Service

> HKCU\Software\Microsoft\RAS AutoDial\Control
> LoginSessionDisable

- Modified Registries
> HKU\S-1-5-21-839522115-796845957-2147137731-1003...
> HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch: Epoch
> HKLM\SOFTWARE\Microsoft\Cryptography\RNG: Seed
> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Assist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Autostarts:
- COM Service c:\windows\msagent\msfnhu.com
- n/a (Not verified) c:\windows\system32\msaueo.com

Ports:
mshost.exe:1372 TCP winxpsp2:6666 winxpsp2:0 LISTENING

Dump
mail.hotmail.com
mail.flashmail.com
za.mx.aol.com
ns1.ip-plus.net
Explorer.exe

winmm.dll
advapi.dll
wininet.dll

C:\WINDOWS\System32\aueo.blf

wwp.mirabilis.com:80

Behavior:
Opens a port
Can create and send email

a) Name of the detected file to test:

b) What files were created / dropped? (if count is more than 10, just indicate the number)

c) What files were modified / changed? (if count is more than 10, just indicate the number)

d) What files were deleted / moved? (if count is more than 10, just indicate the number)

e) What registries were created / dropped? (if count is more than 10, just indicate the number)

f) What registries were modified / changed? (if count is more than 10, just indicate the number)

g) What registries were deleted / moved? (if count is more than 10, just indicate the number)

h) What autostarts did the program use? (if count is more than 10, just indicate the number)

i) What process was used / corresponding port / URL / IP address it was trying to connect to?

j) What process and dependencies did it run?

k) Is the program memory resident? What process is it using in memory?

l) Does it exhibit malicious behavior? If yes, what malware / grayware type and classification is it?

m) What will be your recommendation or resolution or action?