Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary string: D:\mcad\sources\mathcad\tgt\mathcad.pdb
Source: xjCufcebaI.
Static file information: File size 4287867 > 1048576
Submission file is bigger than most known malware samples
Process created: tmp 'C:\Users\user\AppData\Local\Temp\~ef7194.tmp' 5048 'C:\Users\user\AppData\Local\Temp\'
Process created: C:\Users\user\AppData\Local\Temp\~ef7194.
Process created: C:\Users\user\Desktop\xjCufcebaI.exe 'C:\Users\user\Desktop\xjCufcebaI.
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
File read: C:\Users\user\Desktop\xjCufcebaI.exe
.text section which is very likely to contain packed code (zlib compression ratio; user mode communication)
Binary string: \Device\CdaC15BA\DosDevices\CdaC15BAU
Contains functionality to load and extract PE file embedded resources
Code function: 0_2_03BBA210 FindResourceA,LoadResource,LockResource,SizeofResource,SizeofResource,VirtualProtect,SizeofResource,VirtualProtect,CreateDialogIndirectParamA,FreeResource,
File created: C:\Users\user\AppData\Local\Temp\a
00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dllj% vs xjCufcebaI.exe
00020000.sdmp Binary or memory string: OriginalFilenameMCAD.
Sample file is different than original file name gathered from version info
tmp
Found potential string decryption / allocating functions
Code function: String function: 03BB5CE0 appears 72 times Source: C:\Users\user\AppData\Local\Temp\~ef7194.
sys
Creates files inside the system directory
File created: C:\Windows\SysWOW64\drivers\CDAC15BA.SYS Source: C:\Users\user\Desktop\xjCufcebaI.exe
Code function: 4x nop then jl 004C8F14h
Code function: 4x nop then je 004C8F44h
Code function: 4x nop then xchg eax, eax
Code function: 4x nop then jl 004C9057h
Code function: 4x nop then xchg ebx, ebx
Code function: 4x nop then jl 004C8995h
Code function: 4x nop then je 004C8A3Dh
Code function: 4x nop then je 004C8A76h
Code function: 4x nop then mov eax, dword ptr
Contains functionality to communicate with device drivers
Code function: 0_2_03BE2040: wsprintfA,CreateFileA,DeviceIoControl,
File created: C:\Users\user\AppData\Local\Temp\~ef87a1\CdaC15BA.
Remotely Track Device Without Authorization
Deobfuscate/Decode Files or Information 1
Found inlined nop instructions (likely shell or obfuscated code)
Eavesdrop on Insecure Network Communication