Jump to content
andr82

Fisier suspect Win

Recommended Posts

Mi-a pornit din senin procesul WinSat.exe impreuna cu WinSat.dll, exe-ul mi-a incarcat in memorie aprox. 400 Mb si avea trafic mare pe net iar in acest timp interfata "aero" a disparut. Intrebarea mea este cand este programat sa ruleze acest proces ce acorda o nota sistemului sau ce il executa si cand? Stiu ca se poate si dezactiva. Nu am mai patit pana acum si nu ma deranjeaza daca nu porneste prea des. Am urcat fisierul pe VT si nu este nimic suspect in afara ca nu este semnat Microsoft dar are fileinfo, copyright specific Microsoft. Probabil din moment ce VT nu l-a detectat are semnatura sha corecta... Foarte interesant pe VT graph, WinSat.dll are in componenta un fisier PNG care relationeaza cu executarea unor exe si cu niste instructiuni remote. Cine are cont pe VT nu strica sa arunce o privire pe analiza acestor 2 fisiere... Folosesc win de peste 10 ani si nu am intalnit pana acuma aceasta situatie.

Link to comment
Share on other sites

  • Active Members

Fa-i un dump si baga-l pe un stick sa-l ai pentru o eventuala analiza. Task manager, click dreapta pe el -> Create dump file.

 

Eventual pune-l si aici. Ai putea sa verifici totodata daca se conecteaza de aiurea si pe ce port. Recent am avut o experienta asemanatoare cu un botnet. Verifica daca acceseaza servere GIT.

 

Folosind frida ai putea verifica rapid cam ce face per ansamblu. 

 

 

Quote

 

frida-trace -i "send*" -i "recv*"  WinSat.exe

...

__handlers__/ <dll> / *.js

...

 onEnter(log, args, state) {
    log('sendto(<NUME DLL>)');
    log(hexdump(args[1]));
  }

 

 

Ar trebui sa faca dumping la pachete fie TCP fie UDP gen:

421621 ms             0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
023342d0  53 41 4d 50 c1 cb 27 0d b0 78 70 05 8a 03 0a 00  peece..'..xp.....
023342e0  8e 01 00 00 58 e8 43 00 64 2a 33 02 90 2f 33 02  ....X.C.d*3../3.
023342f0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
02334300  00 00 00 00 00 00 00 00 01 00 00 00 b6 80 41 00  ..............A.
02334310  c6 80 41 00 70 60 33 02 00 00 00 00 d4 85 45 00  ..A.p`3.......E.
02334320  e4 42 33 02 36 00 00 00 00 00 00 00 17 00 00 00  .B3.6...........
02334330  18 00 00 00 28 00 00 00 00 00 00 01 01 01 01 00  ....(...........
02334340  00 00 00 00 01 03 00 00 00 00 00 00 d4 64 33 02  .............d3.
02334350  00 00 00 00 0f 00 00 ff f4 59 33 02 00 00 f4 ff  .........Y3.....
02334360  00 00 00 00 68 21 33 02 f5 ff ff ff 00 00 00 00  ....h!3.........
02334370  00 00 00 00 00 00 00 00 00 00 00 00 1f 01 00 00  ................
02334380  00 00 00 00 70 60 33 02 00 00 00 00 00 00 00 00  ....p`3.........
02334390  00 00 00 00 00 00 00 00 00 00 00 00 a8 db 46 00  ..............F.
023343a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
023343b0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
023343c0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

 

 

 

 

 

(vezi si RegOpenKeyExA function (winreg.h) - Win32 apps | Microsoft Docs

 

 

Edited by vatman32
  • Upvote 1
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...