[SOLVED] Can you analyze this file?

Started by elreymusedes, July 01, 2016, 06:27:53 AM



July 01, 2016, 06:27:53 AM Last modified: July 03, 2016, 10:47:16 PM by Nobody
Hi! If anyone with a virtual machine is very bored, could you analyze the following application for me? I suspect it comes disguised as something it is not.
PS: careful, it may be malware

mega link:

WARNING! DO NOT DOWNLOAD



Hello!

Blackdrake and I analyzed the file. These are the conclusions we were able to draw:


  • It does not create other executables.
  • It does not modify the Windows registry.
  • It does not request Internet access.

In our opinion, CLEAN.

Regards.

July 01, 2016, 06:32:57 PM #3 Last modified: July 01, 2016, 06:34:38 PM by blackdrake
Sorry for the delay, but it got late and I had to leave. @… also analyzed it and reached the same conclusions I did:


MD5   13f77ee2b76469a3994dfd08bae8372f
SHA1   bb78d2a759b44ef7d04d0ff7e74cccc7a4ad4634
Copyright 2010 Indigo Rose Corporation (www.indigorose.com)
ORIGINAL FILENAME:   ams_launch.exe
AutoPlay Media Studio is a Trademark of Indigo Rose Corporation
Created with AutoPlay Media Studio


Although it does modify the registry, it doesn't touch the important keys (Run, for example):

Code: text
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IMM
HKEY_USERS\S-1-5-21-1547161642-507921405-839522115-1004\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\SystemShared
HKEY_USERS\S-1-5-21-1547161642-507921405-839522115-1004
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32
Drivers\wave
Drivers\wave\wdmaud.drv
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses\{3E227E76-690D-11D2-8161-0000F8775BF1}
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses\{3E227E76-690D-11D2-8161-0000F8775BF1}\##?#Root#SYSTEM#0000#{3e227e76-690d-11d2-8161-0000f8775bf1}
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses\{3E227E76-690D-11D2-8161-0000F8775BF1}\##?#Root#SYSTEM#0000#{3e227e76-690d-11d2-8161-0000f8775bf1}\#{cd171de3-69e5-11d2-b56d-0000f8754380}&{9B365890-165F-11D0-A195-0020AFD156E4}
Drivers\midi
Drivers\midi\wdmaud.drv
Drivers\aux
Drivers\aux\wdmaud.drv
Drivers\mixer
Drivers\mixer\wdmaud.drv
HKEY_USERS\S-1-5-21-1547161642-507921405-839522115-1004\Software\Microsoft\Multimedia\Sound Mapper
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Wave Mapper\wdmaud.drv
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Software\Microsoft\Multimedia\Sound Mapper
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Software\Microsoft\Windows\CurrentVersion\Multimedia\MIDIMap
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaResources\DirectSound\Application Compatibility\AUTORUN.EXE4BF2C253006DA400
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses\{A7C7A5B1-5AF3-11D1-9CED-00A024BF0407}
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses\{A7C7A5B1-5AF3-11D1-9CED-00A024BF0407}\##?#Root#SYSTEM#0000#{a7c7a5b1-5af3-11d1-9ced-00a024bf0407}
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses\{A7C7A5B1-5AF3-11D1-9CED-00A024BF0407}\##?#Root#SYSTEM#0000#{a7c7a5b1-5af3-11d1-9ced-00a024bf0407}\#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}&{9B365890-165F-11D0-A195-0020AFD156E4}
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_8086&DEV_2415&SUBSYS_00008086&REV_01#3&267a616a&0&28#{6994ad04-93ef-11d0-a3cc-00a0c9223196}
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_8086&DEV_2415&SUBSYS_00008086&REV_01#3&267a616a&0&28#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Topology
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_8086&DEV_2415&SUBSYS_00008086&REV_01#3&267a616a&0&28#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#Root#SYSTEM#0000#{6994ad04-93ef-11d0-a3cc-00a0c9223196}
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#Root#SYSTEM#0000#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#{2f412ab5-ed3a-4590-ab24-b0ce2aa77d3c}&{9B365890-165F-11D0-A195-0020AFD156E4}
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#Root#SYSTEM#0000#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#{4245ff73-1db4-11d2-86e4-98ae20524153}&{9B365890-165F-11D0-A195-0020AFD156E4}
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#Root#SYSTEM#0000#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#{6c1b9f60-c0a9-11d0-96d8-00aa0051e51d}&{9B365890-165F-11D0-A195-0020AFD156E4}
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#Root#SYSTEM#0000#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#{8c07dd50-7a8d-11d2-8f8c-00c04fbf8fef}&dmusic
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#Root#SYSTEM#0000#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#{b7eafdc0-a680-11d0-96d8-00aa0051e51d}&{9B365890-165F-11D0-A195-0020AFD156E4}
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#Root#SYSTEM#0000#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#{eec12db6-ad9c-4168-8658-b03daef417fe}&{ABD61E00-9350-47e2-A632-4438B90C6641}
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaResources
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaResources\DirectSound
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaResources\DirectSound\Device Presence
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum\PCI\VEN_8086&DEV_2415&SUBSYS_00008086&REV_01\3&267A616A&0&28
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum\PCI\VEN_8086&DEV_2415&SUBSYS_00008086&REV_01\3&267A616A&0&28\DirectSound
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum\PCI\VEN_8086&DEV_2415&SUBSYS_00008086&REV_01\3&267A616A&0&28\DirectSound\Device Presence
DirectSound
DirectSound\Device Presence
HKEY_LOCAL_MACHINE\Software\Microsoft\DirectSound
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaResources\DirectSound\Mixer Defaults
DirectSound\Mixer Defaults
DirectSound\Speaker Configuration
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{475c7950-e3d2-11e0-8d7a-806d6172696f}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{475c7952-e3d2-11e0-8d7a-806d6172696f}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{475c7952-e3d2-11e0-8d7a-806d6172696f}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{475c7950-e3d2-11e0-8d7a-806d6172696f}\
HKEY_CLASSES_ROOT\Directory
HKEY_CLASSES_ROOT\Directory\CurVer
HKEY_CLASSES_ROOT\Directory\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CLASSES_ROOT\Directory\\ShellEx\IconHandler
HKEY_CLASSES_ROOT\Directory\\Clsid
HKEY_CLASSES_ROOT\Folder
HKEY_CLASSES_ROOT\Folder\Clsid
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes



The file contains the following files:

Code: text
C:\DOCUME~1\User\LOCALS~1\Temp\AppNana CodeBoot Generador v1.0.exe.2.Manifest
C:\DOCUME~1\User\LOCALS~1\Temp\AppNana CodeBoot Generador v1.0.exe.3.Manifest
C:\DOCUME~1\User\LOCALS~1\Temp\AppNana CodeBoot Generador v1.0.exe.Manifest
C:\DOCUME~1\User\LOCALS~1\Temp\AppNana CodeBoot Generador v1.0.exe.Config
C:\
C:\DOCUME~1\User\LOCALS~1\Temp\AppNana CodeBoot Generador v1.0.exe
C:\WINDOWS\system32\msctfime.ime
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\AutoPlay\Audio\Click1.ogg
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\AutoPlay\Audio
C:\DOCUME~1\User\LOCALS~1\Temp
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\AutoPlay\Audio\High1.ogg
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\AutoPlay
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\AutoPlay\Buttons\Acik Mavi.Btn
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\AutoPlay\Buttons
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\AutoPlay\Buttons\Boton Youtube.btn
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\AutoPlay\Buttons\Cik8.Btn
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\AutoPlay\Buttons\Turuncu.Btn
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\AutoPlay\Images\AppNana.jpg
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\autorun.exe
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\lua5.1.dll
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\lua51.dll
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\autorun.exe.2.Manifest
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\autorun.exe.3.Manifest
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\autorun.exe.Manifest
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\autorun.exe.Config
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\wdmaud.drv
C:\WINDOWS\system32\wdmaud.drv
root#system#0000#{3e227e76-690d-11d2-8161-0000f8775bf1}\{cd171de3-69e5-11d2-b56d-0000f8754380}&{9b365890-165f-11d0-a195-0020afd156e4}
C:\WINDOWS\system32\d3d9.dll
root#system#0000#{a7c7a5b1-5af3-11d1-9ced-00a024bf0407}\{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}&{9b365890-165f-11d0-a195-0020afd156e4}
C:\WINDOWS\System32\Drivers\ac97intc.sys
C:\{146F1A80-4791-11D0-A5D6-28DB04C10000}\\xe6\x9a\xa0\xe1\xea\x87\xe6\x8b\x8e\xe1\xc7\x8f\xed\xda\xa5\xed\xec\xa8\xec\x84\x84
IDE#CdRomVBOX_CD-ROM_____________________________1.0_____#42562d3231303037333036372020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
MountPointManager
STORAGE#Volume#1&30a96598&0&Signature32B832B7Offset7E00Length27F4DB200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
C:\Documents and Settings
C:\Documents and Settings\All Users
C:\Documents and Settings\All Users\Desktop
C:\DOCUME~1\
C:\DOCUME~1\User\
C:\DOCUME~1\User\LOCALS~1\
C:\DOCUME~1\User\LOCALS~1\Temp\
C:\DOCUME~1\User\LOCALS~1\Temp\_ir_tmpfnt_1\
C:\DOCUME~1\User\LOCALS~1\Temp\_ir_tmpfnt_1\Arial_1.TF



And no AV detects it except:

TheHacker   Trojan/FakeAV.wwx
ClamAV   Win.Trojan.Fakeav-98257

For me it's clean; if you could tell us exactly what it does, maybe I could find out something more.

Regards.
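
The two checks the post above does by eye (did anything land in an autostart key such as Run, and what executable content showed up under Temp) can be scripted. The block below is an added example; it is not part of the thread and not the analysts' own tooling. The sample lines are copied from the listings above, except the HKLM ...\Run line, which is a constructed control so the persistence check has something to fire on. The persistence and watch tables are a standard but non-exhaustive list of Windows autostart and policy locations and are an assumption of this example. It also adds one observation the file listing invites: wdmaud.drv is probed both in the sample's own Temp directory and in system32, and since Windows searches the application directory before the system directory when a module is loaded by name, a name seen in both places is a DLL search-order candidate worth a second look.

```python
"""Sandbox listing triage: autostart keys, dropped binaries, search-order candidates.

Added example, not from the forum thread. Key tables below are a standard,
non-exhaustive set of Windows autostart/policy locations (an assumption here).
"""
import re
from pathlib import PureWindowsPath

# Tier 1: autostart / persistence locations (ASEPs). Prefix match after hive removal.
PERSISTENCE_KEYS = [
    r"Software\Microsoft\Windows\CurrentVersion\Run",          # also RunOnce, RunServices
    r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon",  # Shell, Userinit, Notify
    r"Software\Microsoft\Windows NT\CurrentVersion\Windows",   # AppInit_DLLs value lives here
    r"Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options",
    r"Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
    r"System\CurrentControlSet\Services",
]
# Tier 2: not persistence by themselves, but they change security-relevant behaviour.
WATCH_KEYS = [
    r"Software\Microsoft\Windows\CurrentVersion\Policies",
    r"Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers",
    r"Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders",
]
BINARY_EXT = {".exe", ".dll", ".drv", ".sys", ".ocx", ".scr", ".cpl"}
WRITABLE_MARKERS = ("\\temp\\", "\\appdata\\", "\\documents and settings\\", "\\docume~1\\")

_HIVE = re.compile(r"^(HKEY_[A-Z_]+|HKLM|HKCU|HKCR|HKU)\\", re.I)
_SID = re.compile(r"^S-1-5-21(?:-\d+)+\\", re.I)


def normalize_key(key: str) -> str:
    """Drop the hive and, for HKEY_USERS, the SID so HKCU/HKU/HKLM paths compare alike."""
    return _SID.sub("", _HIVE.sub("", key.strip())).lower()


def classify_key(key: str) -> str:
    """Return 'persistence', 'watch' or 'noise' for one registry key line."""
    k = normalize_key(key)
    if any(k.startswith(p.lower()) for p in PERSISTENCE_KEYS):
        return "persistence"
    if any(k.startswith(p.lower()) for p in WATCH_KEYS):
        return "watch"
    return "noise"


def classify_file(path: str) -> str:
    """Return 'dropped_binary', 'system_binary', 'other_binary' or 'other' for one file line."""
    p = path.strip()
    if PureWindowsPath(p).suffix.lower() not in BINARY_EXT:
        return "other"
    low = p.lower()
    if low.startswith("c:\\windows\\"):
        return "system_binary"
    return "dropped_binary" if any(m in low for m in WRITABLE_MARKERS) else "other_binary"


def triage(key_lines: str, file_lines: str) -> dict:
    """Classify raw key/file listings and list module names seen in both writable and system dirs."""
    report = {"persistence": [], "watch": [], "dropped_binary": [], "sideload_candidates": []}
    for line in filter(str.strip, key_lines.splitlines()):
        tier = classify_key(line)
        if tier != "noise":
            report[tier].append(line.strip())
    writable, system = set(), set()
    for line in filter(str.strip, file_lines.splitlines()):
        tier = classify_file(line)
        name = PureWindowsPath(line.strip()).name.lower()
        if tier == "dropped_binary":
            report["dropped_binary"].append(line.strip())
            writable.add(name)
        elif tier == "system_binary":
            system.add(name)
    # App directory is searched before the system directory on a by-name load.
    report["sideload_candidates"] = sorted(writable & system)
    return report


# Constructed sample: lines copied from the thread plus one control line (HKLM ...\Run).
SAMPLE_KEYS = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_USERS\S-1-5-21-1547161642-507921405-839522115-1004\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"""
SAMPLE_FILES = r"""
C:\DOCUME~1\User\LOCALS~1\Temp\AppNana CodeBoot Generador v1.0.exe
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\autorun.exe
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\lua5.1.dll
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\wdmaud.drv
C:\WINDOWS\system32\wdmaud.drv
C:\DOCUME~1\User\LOCALS~1\Temp\ir_ext_temp_0\AutoPlay\Audio\Click1.ogg
"""

if __name__ == "__main__":
    for section, items in triage(SAMPLE_KEYS, SAMPLE_FILES).items():
        print(f"[{section}]")
        for item in items:
            print("   ", item)
```

Run against the thread's own lines, only the constructed Run line reaches the persistence tier; Policies\Explorer, AppCompatFlags\Layers and User Shell Folders land in the watch tier, the four binaries under Temp\ir_ext_temp_0 are reported as dropped, and wdmaud.drv is the one search-order candidate. The prefix tables are deliberately small; extend them for the environment you are analyzing. The lua5.1.dll next to autorun.exe is consistent with an AutoPlay Media Studio build, whose actions are Lua script run by the launcher, so the "what exactly does it do" question is answered by reading the extracted project rather than by the registry footprint alone.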



Thank you very much for analyzing it, really.
The only thing it should do is generate codes and nothing else.
Regards

Hello!

I'm glad it was useful to you.

That said, I'm marking the thread as solved.

Regards.