How to find out what a crypted exe does? exe included

Thread in the "Мегафлуд" section, started by Mensch, 11 May 2011.

  1. Mensch

    Mensch

    Registered:
    4 Sep 2010
    Messages:
    182
    Likes:
    16
    An exe inside an archive landed on my computer by chance... and someone clicked it =)

    I'm a layman at this =) so I decided to ask you =) maybe someone can help =)

    I ran it under Win 7 x64 =) maybe it needed admin rights?

    exe attached

    http://upwap.ru/1489665
     
  2. CraZee

    CraZee

    Registered:
    11 Sep 2006
    Messages:
    594
    Likes:
    658
    Its actions can only be traced on a virtual machine. Install a clean OS (preferably the same one you have) and monitor outgoing traffic, changes to the system, etc.
     
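    One way to do the "changes to the system" half of that advice in a VM is to take a baseline before running the sample and diff it against a second snapshot afterwards. The script below is an added example, not code from the thread: it hashes every file under the given roots and, on Windows, also records the HKLM/HKCU `...\CurrentVersion\Run` autostart values (off Windows the registry part returns nothing). The roots and the temp tree in `demo()` are constructed for illustration. Outgoing traffic is captured separately, on the host or a gateway with Wireshark or tcpdump, not from inside the guest.

```python
# Added example (not from the thread): baseline a VM before running the sample,
# snapshot again afterwards, and diff. Files are hashed under the given roots;
# on Windows the ...\Run autostart values are included, elsewhere that part is skipped.
import hashlib
import os
import tempfile

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def snapshot_files(root):
    """Relative path -> SHA-256 for every readable file under root."""
    seen = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    seen[os.path.relpath(path, root)] = hashlib.sha256(f.read()).hexdigest()
            except OSError:
                continue  # locked or vanished file: skip it, do not abort the sweep
    return seen


def snapshot_run_keys():
    """'HKLM\\...\\Run\\name' -> command for the autostart values; {} off Windows."""
    try:
        import winreg
    except ImportError:
        return {}
    out = {}
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            key = winreg.OpenKey(hive, RUN_KEY)
        except OSError:
            continue
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break  # EnumValue raises when the values are exhausted
            out[hive_name + "\\" + RUN_KEY + "\\" + name] = str(data)
            i += 1
    return out


def snapshot(roots):
    """One flat dict covering autostart values and all files under the roots."""
    state = snapshot_run_keys()
    for root in roots:
        for rel, digest in snapshot_files(root).items():
            state[os.path.join(root, rel)] = digest
    return state


def diff_snapshots(before, after):
    """What appeared, disappeared or changed between the two baselines."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }


def demo():
    """Self-contained run on a temp tree standing in for C:\\: one file overwritten, one dropped."""
    with tempfile.TemporaryDirectory() as root:
        tmp = os.path.join(root, "Windows", "Temp")
        os.makedirs(tmp)
        with open(os.path.join(tmp, "keep.txt"), "w") as f:
            f.write("baseline")
        before = snapshot([root])
        # stand-in for "the sample ran here": modify one file, drop a new one
        with open(os.path.join(tmp, "keep.txt"), "w") as f:
            f.write("changed")
        with open(os.path.join(tmp, "dropped.exe"), "wb") as f:
            f.write(b"MZ")
        after = snapshot([root])
        d = diff_snapshots(before, after)
        # strip the temp prefix so the result reads the same wherever the tree lives
        return {k: [os.path.relpath(p, root).replace("\\", "/") for p in v] for k, v in d.items()}


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

    On a real guest you would call `snapshot([r"C:\"])` (plus the user profile) before and after the run and keep the "before" result outside the VM, since anything left inside is fair game for the sample. Reading a whole system tree takes minutes, so narrow the roots to Windows, Program Files and the profile directories when that matters.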
  3. legion2k

    legion2k

    Registered:
    16 Dec 2007
    Messages:
    162
    Likes:
    56
    Either run it on your own machine inside a sandbox (hxxp://sandboxie.com), where you can see in the process list what this exe does, or there is a service like

    http://anubis.iseclab.org/

    you upload the exe and a couple of minutes later you get a report on it.
     
    Mensch likes this.
  4. Mensch

    Mensch

    Registered:
    4 Sep 2010
    Messages:
    182
    Likes:
    16
    Code:
                               ___                __    _                          
             +  /-            /   |  ____  __  __/ /_  (_)____       -\  +         
            /s  h-           / /| | / __ \/ / / / __ \/ / ___/       -h  s\        
            oh-:d/          / ___ |/ / / / /_/ / /_/ / (__  )        /d:-ho        
            shh+hy-        /_/  |_/_/ /_/\__,_/_.___/_/____/        -yh+hhs        
          -:+hhdhyys/-                                           -\syyhdhh+:-      
        -//////dhhhhhddhhyss-       Analysis Report       -ssyhhddhhhhhd\\\\\\-    
       /++/////oydddddhhyys/     ooooooooooooooooooooo     \syyhhdddddyo\\\\\++\   
     -+++///////odh/-                                             -+hdo\\\\\\\+++- 
     +++++++++//yy+/:                                             :\+yy\\+++++++++ 
    /+soss+sys//yyo/os++o+:                                 :+o++so\oyy\\sys+ssos+\
    +oyyyys++o/+yss/+/oyyyy:                               :yyyyo\+\ssy+\o++syyyyo+
    +oyyyyyyso+os/o/+yyyyyy/                               \yyyyyy+\o\so+osyyyyyyo+
    
    
    [#############################################################################]
        Analysis Report for Crypted by n4rc0hack3r.exe
                       MD5: 816d85f36773d2b9e1326674345824bd
    [#############################################################################]
    
    Summary: 
        - AV Hit: 
            This executable is detected by an antivirus software.
    
    [=============================================================================]
        Table of Contents
    [=============================================================================]
    
    - General information
    - Crypted by.exe
      a) Registry Activities
      b) File Activities
      c) Other Activities
    
    
    [#############################################################################]
        1. General Information
    [#############################################################################]
    [=============================================================================]
        Information about Anubis' invocation
    [=============================================================================]
            Time needed:        247 s
            Report created:     05/10/11, 20:49:36 UTC
            Termination reason: Timeout
            Program version:    1.75.3394
    
    
    [#############################################################################]
        2. Crypted by.exe
    [#############################################################################]
    [=============================================================================]
        General information about this executable
    [=============================================================================]
            Analysis Reason: Primary Analysis Subject
            Filename:        Crypted by.exe
            MD5:             816d85f36773d2b9e1326674345824bd
            SHA-1:           893e5e694ae392d3e48a5f810d2cd93e6c712139
            File Size:       48319 Bytes
            Command Line:    "C:\Crypted by.exe"
            Process-status
            at analysis end: alive
            Exit Code:       0
    
    [=============================================================================]
        Load-time Dlls
    [=============================================================================]
            Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
                   Base Address: [0x7C900000 ], Size: [0x000AF000 ]
            Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
                   Base Address: [0x7C800000 ], Size: [0x000F6000 ]
            Module Name: [ C:\WINDOWS\system32\MSVBVM60.DLL ],
                   Base Address: [0x73420000 ], Size: [0x00153000 ]
            Module Name: [ C:\WINDOWS\system32\USER32.dll ],
                   Base Address: [0x7E410000 ], Size: [0x00091000 ]
            Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
                   Base Address: [0x77F10000 ], Size: [0x00049000 ]
            Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
                   Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
            Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
                   Base Address: [0x77E70000 ], Size: [0x00092000 ]
            Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
                   Base Address: [0x77FE0000 ], Size: [0x00011000 ]
            Module Name: [ C:\WINDOWS\system32\ole32.dll ],
                   Base Address: [0x774E0000 ], Size: [0x0013D000 ]
            Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
                   Base Address: [0x77C10000 ], Size: [0x00058000 ]
            Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ],
                   Base Address: [0x77120000 ], Size: [0x0008B000 ]
    
    [=============================================================================]
        Run-time Dlls
    [=============================================================================]
            Module Name: [ C:\WINDOWS\system32\MSCTF.dll ],
                   Base Address: [0x74720000 ], Size: [0x0004C000 ]
            Module Name: [ C:\WINDOWS\system32\SXS.DLL ],
                   Base Address: [0x7E720000 ], Size: [0x000B0000 ]
    
    [=============================================================================]
        Ikarus Virus Scanner
    [=============================================================================]
            Virus.Win32.Vbinder (Sig-Id: 1565865)
    
    [=============================================================================]
        2.a) Crypted by.exe - Registry Activities
    [=============================================================================]
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Registry Values Read:
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
            Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ], 
                 Value Name: [ CUAS ], Value: [ 0 ], 1 time
            Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], 
                 Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
            Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], 
                 Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time
            Key: [ HKLM\System\CurrentControlSet\Control\Nls\Codepage ], 
                 Value Name: [ 932 ], Value: [ c_932.nls ], 1 time
            Key: [ HKLM\System\CurrentControlSet\Control\Nls\Codepage ], 
                 Value Name: [ 936 ], Value: [ c_936.nls ], 1 time
            Key: [ HKLM\System\CurrentControlSet\Control\Nls\Codepage ], 
                 Value Name: [ 949 ], Value: [ c_949.nls ], 1 time
            Key: [ HKLM\System\CurrentControlSet\Control\Nls\Codepage ], 
                 Value Name: [ 950 ], Value: [ c_950.nls ], 1 time
            Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], 
                 Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time
            Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], 
                 Value Name: [ Language Hotkey ], Value: [ 1 ], 2 times
            Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], 
                 Value Name: [ Layout Hotkey ], Value: [ 2 ], 2 times
    
    
    [=============================================================================]
        2.b) Crypted by.exe - File Activities
    [=============================================================================]
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Files Read:
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
            File Name: [ C:\Crypted by.exe ]
    
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File System Control Communication:
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
            File: [ C:\Program Files\Common Files\ ], Control Code: [ 0x00090028 ], 1 time
    
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Device Control Communication:
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
            File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 8 times
    
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Memory Mapped Files:
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
            File Name: [ C:\WINDOWS\system32\MSCTF.dll ]
            File Name: [ C:\WINDOWS\system32\MSVBVM60.DLL ]
            File Name: [ C:\WINDOWS\system32\SXS.DLL ]
            File Name: [ C:\WINDOWS\system32\imm32.dll ]
            File Name: [ C:\WINDOWS\system32\rpcss.dll ]
    
    [=============================================================================]
        2.c) Crypted by.exe - Other Activities
    [=============================================================================]
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Mutexes Created:
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
            Mutex: [ CTF.Asm.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]
            Mutex: [ CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]
            Mutex: [ CTF.LBES.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]
            Mutex: [ CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]
            Mutex: [ CTF.TMD.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]
            Mutex: [ CTF.TimListCache.FMPDefaultS-1-5-21-842925246-1425521274-308236825-500MUTEX.DefaultS-1-5-21-842925246-1425521274-308236825-500 ]
    
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Windows SEH exceptions:
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
            Description: [ Exception 0xc000008f (STATUS_FLOAT_INEXACT_RESULT) at 0x7c812aeb ], 31960 times
    
    [#############################################################################]
                           International Secure Systems Lab                        
                                http://www.iseclab.org                             
    
    Vienna University of Technology     Eurecom France            UC Santa Barbara
    http://www.tuwien.ac.at          http://www.eurecom.fr  http://www.cs.ucsb.edu
    
                              Contact: anubis@iseclab.org                          

    Does this mean it only reads the registry? And after that maps the libraries into memory?


    Also, I think Win7 wouldn't have let it dig through the registry without being run as admin =)
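To read a report like the one above systematically, and to confirm that the file on disk is the one the report describes, here is an added example; it is not code from the thread or from Anubis. The constructed input is an abridged copy of the report pasted above (rule lines shortened, a few entries per section). A few caveats worth carrying into the reading: reading values under HKLM needs no admin rights, only writing there does; the report lists only "Read" sections, mutexes and exceptions, with no registry writes, created files or network activity, and the run was cut off by timeout with the process still alive, so a quiet report of a crypted sample says little about what the decrypted payload would do; and the system32 paths and load addresses are those of the service's 32-bit analysis image, not of the poster's Win 7 x64 machine.

```python
# Added example, not from the thread or from Anubis: pull the facts out of an
# Anubis text report and check a local file against the hashes it prints.
import hashlib
import re

# Abridged from the report pasted above: rule lines shortened, entries trimmed.
SAMPLE_REPORT = r"""
[#####]
    Analysis Report for Crypted by n4rc0hack3r.exe
                   MD5: 816d85f36773d2b9e1326674345824bd
[#####]
[=====]
    Information about Anubis' invocation
[=====]
        Termination reason: Timeout
[=====]
    General information about this executable
[=====]
        MD5:             816d85f36773d2b9e1326674345824bd
        SHA-1:           893e5e694ae392d3e48a5f810d2cd93e6c712139
        Process-status
        at analysis end: alive
[=====]
    Ikarus Virus Scanner
[=====]
        Virus.Win32.Vbinder (Sig-Id: 1565865)
[=-=-=]
    Registry Values Read:
[=-=-=]
        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
             Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time
        Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server ],
             Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time
[=-=-=]
    Files Read:
[=-=-=]
        File Name: [ C:\Crypted by.exe ]
[=-=-=]
    Mutexes Created:
[=-=-=]
        Mutex: [ CTF.Asm.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]
[=-=-=]
    Windows SEH exceptions:
[=-=-=]
        Description: [ Exception 0xc000008f (STATUS_FLOAT_INEXACT_RESULT) at 0x7c812aeb ], 31960 times
"""

RULE = re.compile(r"^\s*\[[=#\-]+\]\s*$")  # the [=====] / [=-=-=] / [#####] separators


def parse_sections(text):
    """Map each 'rule / title / rule' header to the stripped lines beneath it."""
    lines, sections, cur, i = text.splitlines(), {"_preamble": []}, "_preamble", 0
    while i < len(lines):
        if RULE.match(lines[i]) and i + 2 < len(lines) and RULE.match(lines[i + 2]):
            cur = lines[i + 1].strip()
            sections.setdefault(cur, [])
            i += 3
            continue
        if lines[i].strip() and not RULE.match(lines[i]):
            sections[cur].append(lines[i].strip())
        i += 1
    return sections


def parse_report(text):
    s = parse_sections(text)
    body = {k: " ".join(v) for k, v in s.items()}  # two-line entries become one line

    def grab(pat):
        m = re.search(pat, text)
        return m.group(1) if m else None

    entry = r"Key: \[ (.*?) \],\s*Value Name: \[ (.*?) \], Value: \[ (.*?) \], (\d+) time"
    return {
        "md5": grab(r"MD5:\s*([0-9a-fA-F]{32})"),
        "sha1": grab(r"SHA-1:\s*([0-9a-fA-F]{40})"),
        "termination": grab(r"Termination reason:\s*(\S+)"),
        "alive_at_end": grab(r"at analysis end:\s*(\S+)") == "alive",
        "av": (s.get("Ikarus Virus Scanner") or [None])[0],
        "registry_read": re.findall(entry, body.get("Registry Values Read:", "")),
        "files_read": re.findall(r"File Name: \[ (.*?) \]", body.get("Files Read:", "")),
        "mutexes": re.findall(r"Mutex: \[ (.*?) \]", body.get("Mutexes Created:", "")),
        "seh": [(d, int(n)) for d, n in re.findall(r"Description: \[ (.*?) \], (\d+) times", body.get("Windows SEH exceptions:", ""))],
        # which activity sections exist at all: only "...Read:" sections means no writes were logged
        "activity_sections": [k for k in s if k.startswith(("Registry ", "Files ", "Mutexes "))],
    }


def summarize(r):
    """The one-line findings a reviewer would pull out of the parsed report."""
    out = ["AV hit: %s" % r["av"]] if r["av"] else []
    out.append("run ended by %s, process %s" % (r["termination"], "still alive" if r["alive_at_end"] else "exited"))
    out.append("activity sections: " + ", ".join(r["activity_sections"]))
    out.append("%d registry values read, %d files read, %d mutexes" % (len(r["registry_read"]), len(r["files_read"]), len(r["mutexes"])))
    out.extend("%d x %s" % (n, d) for d, n in r["seh"])
    return out


def hash_bytes(data):
    """MD5 and SHA-1 of a file's bytes, in the order the report prints them."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def matches_report(md5, sha1, report):
    """Trust the report for a file only if both hashes agree with it."""
    return md5 == report["md5"] and sha1 == report["sha1"]
```

To check the attached file, read it as bytes, pass them to `hash_bytes`, and feed the result to `matches_report` together with `parse_report(...)` of the saved report; a mismatch means the report was produced for a different build of the sample and its findings do not transfer.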