File: CAServer.exe
Size: 62976
MD5: 4FB872E0D0FC1A016C93C573A976D85D
Dropper for the backdoor service installer.

The trojan collects all system logs and data and uploads them to the C2 server in a very verbose form, as you see below. ET signatures exist for the traffic patterns. Trojan Nflog was covered more than once before on Contagio and other sources.

File strings and system calls suggest it is a version of Gh0st RAT with keylogging. Gh0st 3.6 source code (go up the path to see other files). Read here: McAfee - Anatomy of a Gh0st Rat.

Mutexes:
MutexObject iexplore.exe 1348 (iexplore.exe)
ShimCacheMutex iexplore.exe 1348 (iexplore.exe)
%temp% Loop_KeyboardManager %temp%\keybyd.dat
Loop_HookKeyboard

Process terminated: C:\WINDOWS\system32\cmd.exe -> .OFFICE11\EXCEL.EXE

File Write: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE -> %Temp%\Excel8.0\MSComctlLib.exd
File Write: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE -> %Temp%\set.xls
File Write: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE -> %Temp%\ews.exe
File Write: %Temp%\ews.exe -> %Application Data%\iexplore.exe
File Write: %Temp%\ews.exe -> %Temp%\Del.bat
File Write: %Temp%\ews.exe -> C:\WINDOWS\system32\srvlic.dll
File Write: %Temp%\ews.exe -> %Temp%\keybyd.dat
File Write: C:\WINDOWS\system32\cmd.exe -> \deleted_files\Del.bat
File Write: %Application Data%\iexplore.exe -> %Temp%\syslog.dat