[SOLVED] Can you analyse this file?

Started by elreymusedes, July 01, 2016, 06:27:53 AM



July 01, 2016, 06:27:53 AM Last edited: July 03, 2016, 10:47:16 PM by Nobody
Hi! If anyone with a virtual machine gets really bored, could you analyse the following application for me? I suspect it is disguised as something it isn't.
PS: careful, it may be malware

mega link:
You are not allowed to view links. Register or log in to my account
WARNING! DO NOT DOWNLOAD



Hi!

Blackdrake and I analysed the file. These are the conclusions we were able to draw:


  • It does not create other executables.
  • It does not modify the Windows registry.
  • It does not request Internet access.

In our opinion, CLEAN.

Regards.

July 01, 2016, 06:32:57 PM #3 Last edited: July 01, 2016, 06:34:38 PM by blackdrake
Sorry for the delay, but it got late and I had to leave. @(user mention hidden: you are not allowed to view links, register or log in) also analysed it and reached the same conclusions as I did:


MD5   13f77ee2b76469a3994dfd08bae8372f
SHA1   bb78d2a759b44ef7d04d0ff7e74cccc7a4ad4634
Copyright 2010 Indigo Rose Corporation (www.indigorose.com)
ORIGINAL FILENAME:   ams_launch.exe
AutoPlay Media Studio is a Trademark of Indigo Rose Corporation
Created with AutoPlay Media Studio


Although it does modify the registry, it does not touch the important keys (Run, for example):

Code: php
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IMM
HKEY_USERS\S-1-5-21-1547161642-507921405-839522115-1004\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\SystemShared
HKEY_USERS\S-1-5-21-1547161642-507921405-839522115-1004
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32
Drivers\wave
Drivers\wave\wdmaud.drv
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses\{3E227E76-690D-11D2-8161-0000F8775BF1}
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses\{3E227E76-690D-11D2-8161-0000F8775BF1}\##?#Root#SYSTEM#0000#{3e227e76-690d-11d2-8161-0000f8775bf1}
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses\{3E227E76-690D-11D2-8161-0000F8775BF1}\##?#Root#SYSTEM#0000#{3e227e76-690d-11d2-8161-0000f8775bf1}\#{cd171de3-69e5-11d2-b56d-0000f8754380}&{9B365890-165F-11D0-A195-0020AFD156E4}
Drivers\midi
Drivers\midi\wdmaud.drv
Drivers\aux
Drivers\aux\wdmaud.drv
Drivers\mixer
Drivers\mixer\wdmaud.drv
HKEY_USERS\S-1-5-21-1547161642-507921405-839522115-1004\Software\Microsoft\Multimedia\Sound Mapper
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Wave Mapper\wdmaud.drv
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Software\Microsoft\Multimedia\Sound Mapper
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Software\Microsoft\Windows\CurrentVersion\Multimedia\MIDIMap
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaResources\DirectSound\Application Compatibility\AUTORUN.EXE4BF2C253006DA400
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses\{A7C7A5B1-5AF3-11D1-9CED-00A024BF0407}
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses\{A7C7A5B1-5AF3-11D1-9CED-00A024BF0407}\##?#Root#SYSTEM#0000#{a7c7a5b1-5af3-11d1-9ced-00a024bf0407}
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses\{A7C7A5B1-5AF3-11D1-9CED-00A024BF0407}\##?#Root#SYSTEM#0000#{a7c7a5b1-5af3-11d1-9ced-00a024bf0407}\#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}&{9B365890-165F-11D0-A195-0020AFD156E4}
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_8086&DEV_2415&SUBSYS_00008086&REV_01#3&267a616a&0&28#{6994ad04-93ef-11d0-a3cc-00a0c9223196}
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_8086&DEV_2415&SUBSYS_00008086&REV_01#3&267a616a&0&28#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Topology
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_8086&DEV_2415&SUBSYS_00008086&REV_01#3&267a616a&0&28#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#Root#SYSTEM#0000#{6994ad04-93ef-11d0-a3cc-00a0c9223196}
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#Root#SYSTEM#0000#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#{2f412ab5-ed3a-4590-ab24-b0ce2aa77d3c}&{9B365890-165F-11D0-A195-0020AFD156E4}
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#Root#SYSTEM#0000#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#{4245ff73-1db4-11d2-86e4-98ae20524153}&{9B365890-165F-11D0-A195-0020AFD156E4}
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#Root#SYSTEM#0000#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#{6c1b9f60-c0a9-11d0-96d8-00aa0051e51d}&{9B365890-165F-11D0-A195-0020AFD156E4}
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#Root#SYSTEM#0000#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#{8c07dd50-7a8d-11d2-8f8c-00c04fbf8fef}&dmusic
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#Root#SYSTEM#0000#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#{b7eafdc0-a680-11d0-96d8-00aa0051e51d}&{9B365890-165F-11D0-A195-0020AFD156E4}
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#Root#SYSTEM#0000#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#{eec12db6-ad9c-4168-8658-b03daef417fe}&{ABD61E00-9350-47e2-A632-4438B90C6641}
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaResources
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaResources\DirectSound
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaResources\DirectSound\Device Presence
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum\PCI\VEN_8086&DEV_2415&SUBSYS_00008086&REV_01\3&267A616A&0&28
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum\PCI\VEN_8086&DEV_2415&SUBSYS_00008086&REV_01\3&267A616A&0&28\DirectSound
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum\PCI\VEN_8086&DEV_2415&SUBSYS_00008086&REV_01\3&267A616A&0&28\DirectSound\Device Presence
DirectSound
DirectSound\Device Presence
HKEY_LOCAL_MACHINE\Software\Microsoft\DirectSound
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaResources\DirectSound\Mixer Defaults
DirectSound\Mixer Defaults
DirectSound\Speaker Configuration
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{475c7950-e3d2-11e0-8d7a-806d6172696f}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{475c7952-e3d2-11e0-8d7a-806d6172696f}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{475c7952-e3d2-11e0-8d7a-806d6172696f}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{475c7950-e3d2-11e0-8d7a-806d6172696f}\
HKEY_CLASSES_ROOT\Directory
HKEY_CLASSES_ROOT\Directory\CurVer
HKEY_CLASSES_ROOT\Directory\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CLASSES_ROOT\Directory\\ShellEx\IconHandler
HKEY_CLASSES_ROOT\Directory\\Clsid
HKEY_CLASSES_ROOT\Folder
HKEY_CLASSES_ROOT\Folder\Clsid
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes



The file contains the following files:

Code: php
C:\DOCUME~1\User\LOCALS~1\Temp\AppNana CodeBoot Generador v1.0.exe.2.Manifest
C:\DOCUME~1\User\LOCALS~1\Temp\AppNana CodeBoot Generador v1.0.exe.3.Manifest
C:\DOCUME~1\User\LOCALS~1\Temp\AppNana CodeBoot Generador v1.0.exe.Manifest
C:\DOCUME~1\User\LOCALS~1\Temp\AppNana CodeBoot Generador v1.0.exe.Config
C:\
C:\DOCUME~1\User\LOCALS~1\Temp\AppNana CodeBoot Generador v1.0.exe
C:\WINDOWS\system32\msctfime.ime
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\AutoPlay\Audio\Click1.ogg
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\AutoPlay\Audio
C:\DOCUME~1\User\LOCALS~1\Temp
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\AutoPlay\Audio\High1.ogg
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\AutoPlay
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\AutoPlay\Buttons\Acik Mavi.Btn
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\AutoPlay\Buttons
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\AutoPlay\Buttons\Boton Youtube.btn
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\AutoPlay\Buttons\Cik8.Btn
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\AutoPlay\Buttons\Turuncu.Btn
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\AutoPlay\Images\AppNana.jpg
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\autorun.exe
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\lua5.1.dll
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\lua51.dll
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\autorun.exe.2.Manifest
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\autorun.exe.3.Manifest
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\autorun.exe.Manifest
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\autorun.exe.Config
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\wdmaud.drv
C:\WINDOWS\system32\wdmaud.drv
root#system#0000#{3e227e76-690d-11d2-8161-0000f8775bf1}\{cd171de3-69e5-11d2-b56d-0000f8754380}&{9b365890-165f-11d0-a195-0020afd156e4}
C:\WINDOWS\system32\d3d9.dll
root#system#0000#{a7c7a5b1-5af3-11d1-9ced-00a024bf0407}\{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}&{9b365890-165f-11d0-a195-0020afd156e4}
C:\WINDOWS\System32\Drivers\ac97intc.sys
C:\{146F1A80-4791-11D0-A5D6-28DB04C10000}\\xe6\x9a\xa0\xe1\xea\x87\xe6\x8b\x8e\xe1\xc7\x8f\xed\xda\xa5\xed\xec\xa8\xec\x84\x84
IDE#CdRomVBOX_CD-ROM_____________________________1.0_____#42562d3231303037333036372020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
MountPointManager
STORAGE#Volume#1&30a96598&0&Signature32B832B7Offset7E00Length27F4DB200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
C:\Documents and Settings
C:\Documents and Settings\All Users
C:\Documents and Settings\All Users\Desktop
C:\DOCUME~1\
C:\DOCUME~1\User\
C:\DOCUME~1\User\LOCALS~1\
C:\DOCUME~1\User\LOCALS~1\Temp\
C:\DOCUME~1\User\LOCALS~1\Temp\_ir_tmpfnt_1\
C:\DOCUME~1\User\LOCALS~1\Temp\_ir_tmpfnt_1\Arial_1.TF



And no AV detects it except:

TheHacker   Trojan/FakeAV.wwx
ClamAV   Win.Trojan.Fakeav-98257

To me it is clean; if you could tell us exactly what it is supposed to do, maybe I could find out something more.

Regards.
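The post above decides "clean" by checking that none of the registry paths in the sandbox dump are persistence locations such as Run. As an added example (not the forum's or the analysts' own tooling), the Python script below automates that triage step: it buckets each line of a registry-access dump into persistence, policy, shell/audio noise or other, and returns a verdict a reviewer can act on. The pattern lists are hand-picked assumptions, not an exhaustive catalogue, and the sample input is constructed: a few keys of the same kind as the dump above plus two persistence keys added so the detection can be seen firing. One caveat the dump itself does not resolve: a sandbox key list usually does not say whether a key was read or written, and Explorer reads the Policies keys on every session, so those are flagged only as "check writes".

```python
"""Triage a sandbox registry-access list and flag persistence locations.

Added example for this thread, not the analysts' tooling. Pattern lists are
illustrative assumptions; the sample input is constructed.
"""
import re
from typing import Dict, List

# Hand-picked persistence locations (assumption: illustrative, not exhaustive).
PERSISTENCE_PATTERNS = [
    r"\\CurrentVersion\\Run(Once|Services|ServicesOnce)?(\\|$)",
    r"\\Policies\\Explorer\\Run(\\|$)",
    r"\\Winlogon\\(Shell|Userinit|Notify)(\\|$)",
    r"\\CurrentControlSet\\Services\\",
    r"\\Image File Execution Options\\",
]
# Policy keys: the shell reads these routinely, so an access here only matters
# if the sandbox reports it as a write.
POLICY_PATTERNS = [r"\\CurrentVersion\\Policies\\(System|Explorer|Network)(\\|$)"]
# Typical background noise from audio (DirectSound/wdmaud), shell and IME setup.
NOISE_PATTERNS = [
    r"\\Control\\DeviceClasses\\", r"\\Control\\MediaResources\\",
    r"\\DRIVERS32$", r"^Drivers\\", r"^DirectSound",
    r"\\Multimedia\\", r"\\CTF(\\|$)", r"Shell Folders$",
    r"\\FontSubstitutes$", r"\\AppCompatFlags\\Layers$", r"\\MountPoints2\\",
    r"\\CurrentVersion\\IMM$",
]


def classify_key(key: str) -> str:
    """Return 'persistence', 'policy', 'noise' or 'other' for one registry path."""
    k = key.strip()
    for label, patterns in (("persistence", PERSISTENCE_PATTERNS),
                            ("policy", POLICY_PATTERNS),
                            ("noise", NOISE_PATTERNS)):
        if any(re.search(p, k, re.IGNORECASE) for p in patterns):
            return label
    return "other"


def triage(report_text: str) -> Dict[str, List[str]]:
    """Bucket every non-empty line of a registry-access dump via classify_key()."""
    buckets: Dict[str, List[str]] = {"persistence": [], "policy": [],
                                     "noise": [], "other": []}
    for line in report_text.splitlines():
        line = line.strip()
        if line:
            buckets[classify_key(line)].append(line)
    return buckets


def verdict(buckets: Dict[str, List[str]]) -> str:
    """Summarise what a reviewer should look at next."""
    if buckets["persistence"]:
        return "REVIEW: %d persistence location(s) touched" % len(buckets["persistence"])
    if buckets["policy"]:
        return "CHECK WRITES: policy keys accessed, confirm they were only read"
    return "NO PERSISTENCE LOCATIONS: only shell/audio noise and unclassified keys"


# Constructed sample: keys like those in the dump above, plus two persistence
# keys (marked CONSTRUCTED) that a clean launcher would not touch.
SAMPLE_REPORT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32
Drivers\wave\wdmaud.drv
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses\{3E227E76-690D-11D2-8161-0000F8775BF1}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\CONSTRUCTED_updater
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CONSTRUCTED_svc
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for label in ("persistence", "policy", "noise", "other"):
        print(f"{label:12s} {len(result[label])}")
    for key in result["persistence"]:
        print("  !", key)
    print(verdict(result))
```

Running it on the constructed sample reports two persistence hits and a REVIEW verdict; feeding it only the kind of keys listed in the post above yields no persistence hits, which is the same conclusion the analysts reached by eye.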



Thank you very much for analysing it, really.
The only thing it should do is generate codes and nothing else.
Cheers

Hi!

Glad it was useful to you.

That said, I'm marking the topic as solved.

Regards.