[Longhorn group] Backdoor.Plexor + Backdoor.Trojan.LH1

Postby R136a1 » Mon Apr 10, 2017 7:19 pm

Hi folks,

Symantec published an article about a group they named Longhorn, whose tools match the descriptions in the Vault 7 documents leaked by WikiLeaks, allegedly the CIA's hacking tool arsenal. In the article, they also published the signature names of some tools, some of which can be found on VirusTotal.

Blogpost: https://www.symantec.com/connect/blogs/ ... ed-vault-7

Backdoor.Plexor:
https://virustotal.com/en/file/6f03586b ... /analysis/
https://virustotal.com/en/file/425bbe70 ... /analysis/
https://virustotal.com/en/file/2156adca ... /analysis/

Backdoor.Trojan.LH1:
https://virustotal.com/en/file/21f72733 ... /analysis/
https://virustotal.com/en/file/e7591998 ... /analysis/

One of the samples is detected as Duqu by Microsoft...

Files attached.

Re: [Longhorn group] Backdoor.Plexor + Backdoor.Trojan.LH1

Postby ea56f45e66e2c » Tue Jun 06, 2017 7:31 pm

Hey,
Thanks for sharing these samples. It's a bit late, but I wrote a technical analysis of the Longhorn sample you provided, as well as the Plexor backdoor, which is Black Lambert: http://adelmas.com/blog/longhorn.php.
Microsoft (and Avira) detecting it as Duqu 2.0 is no surprise, as they actually share a lot of features.

The Longhorn trojan matches the Vault7 specs perfectly as an ICE (In-memory Code Execution) loader.
Black Lambert is a very interesting malware. It is a pretty sophisticated and well-made spying backdoor, spreading in local networks by creating shares and installing a DCOM loader using CLSID {b7867b64-a163-4e5d-93bb-76e0cef7153b}.
It has every feature a cyber espionage malware can have: lateral movement, file API, network discovery, remote administration through hidden desktop and window control, various information gathering...
Here is the list of commands it implements:
[+] Commands at 0x10064688 :
[0x10064688] cmd_cd [unc]
[0x100646F0] cmd_copy
[0x10064758] cmd_delete [test|force|reboot|recursive|store]
[0x100647C0] cmd_dir [disksize|limit|ads|summary|store]
[0x10064828] cmd_drives
[0x10064890] cmd_disconnect
[0x100648F8] cmd_execute [steal|prefetch]
[0x10064960] cmd_get [resume]
[0x100649C8] cmd_hash [store]
[0x10064A30] cmd_idlewatch
[0x10064A98] cmd_kill [force|block]
[0x10064B00] cmd_mkdir
[0x10064B68] cmd_match
[0x10064BD0] cmd_move [reboot]
[0x10064C38] cmd_mrs
[0x10064CA0] cmd_ps [path|owner|security|stats]
[0x10064D08] cmd_put [store]
[0x10064D70] cmd_rmdir
[0x10064DD8] cmd_set
[0x10064E40] cmd_shutdown
[0x10064EA8] cmd_supports [properties]
[0x10064F10] cmd_streams
[0x10064F78] cmd_time
[0x10064FE0] cmd_connect
[0x10065048] cmd_listen [reuse]
[0x100650B0] cmd_which
[0x10065118] cmd_screenshot
[0x10065180] cmd_wincontrol
[0x100651E8] cmd_winlist
[0x10065250] cmd_attrib
[0x100652B8] cmd_cat
[0x10065320] cmd_strings
[0x10065388] cmd_touch
[0x100653F0] cmd_arp [mac]
[0x10065458] cmd_ipconfig [mac]
[0x100654C0] cmd_netstat [pid|filter|kill]
[0x10065528] cmd_route [mac]
[0x10065590] cmd_at
[0x100655F8] cmd_nbtstat
[0x10065660] cmd_net [share|use|view]
[0x100656C8] cmd_netshare
[0x10065730] cmd_netuse
[0x10065798] cmd_netview
[0x10065800] cmd_services
[0x10065868] cmd_users
[0x100658D0] cmd_burndir
[0x10065938] cmd_catInstall
[0x100659A0] cmd_catUninstall
[0x10065A08] cmd_catRunMod
[0x10065A70] cmd_modlist
[0x10065AD8] cmd_modload
[0x10065B40] cmd_modunload
[0x10065BA8] cmd_netcat
Decrypted 53 commands.

It is also well documented, with about 1100 encrypted strings. Decrypted strings:
[0x10055E20] c:e:l:p:q:r:s:S:t:u:w:x:z:
[0x10055E60] on
[0x10055E6C] yes
[0x10055E78] off
[0x10055E84] no
[0x10055E90] server-only
[0x10055EA4] stunnel-client
[0x10055EBC] tunnel
[0x10055ECC] target-only
[0x10055EE0] stunnel-server
[0x10055EF8] ssl2
[0x10055F08] ssl3
[0x10055F18] tls1
[0x10055F28] ssl3tls1
[0x10055F3C] all
[0x10055F48] http
[0x10055F58] 0.0.0.0
[0x10055F68] Default
[0x10055F80] Shutdown event detected. Program will exit in %d seconds.
[0x10055FC8] Log Off event detected. Program could exit in %d seconds.
[0x1005600C] Close event detected. Program may exit.
[0x10056B70] Direct-Connect
[0x10056B88] Direct-Listen
[0x10056BC8] %d day%s
[0x10056BE4] %d hour%s
[0x10056BF8] %d minute%s
[0x10056C0C] %d second%s
[0x10056C38] Virtual PC
[0x10056C58] Crash in cmdListen (listen mode)
[0x10056C84] tunInfo.dbg value is %d
[0x10056CA4] Trying to listen on %s:%s
[0x10056CC8] Crash in cmdConnect
[0x10056CE4] sockInfo.dbg value is %d
[0x10056D08] Trying to connect to %s:%s
[0x10056D2C] %S: failed to delete while aborting transfer.
[0x10056D64] \\.\pipe\%I64ddplx
[0x10056D98] HTTP
[0x10056DA8] HTTPS
[0x10056DB8] Software\Microsoft\Windows\CurrentVersion\Internet Settings
[0x10056E38] EnableAutodial
[0x10056E60] NoNetAutodial
[0x10056E98] PIPE
[0x10056ECC] alert
[0x10056F10] %S: failed to delete while canceling upload.
[0x10056F6C] n/a
[0x10056F78] cmd
[0x10056F84] timercmd
[0x10056F98] file transfer
[0x10056FB0] MRS transfer
[0x10056FC8] tunnel accept
[0x10055EBC] tunnel
[0x10056FE0] pipe
[0x10056FF0] catalyst
[0x10057004] netcat
[0x10057014] supports
[0x10057028] BCP send
[0x1005703C] BCP recv
[0x10057114] info
[0x10057124] %s: %s
[0x1005713C] mem
[0x1005713C] mem
[0x1005713C] mem
[0x100573EC] busy
[0x10057420] unloaded
[0x1005740C] unload fail
[0x100573EC] busy
[0x10057420] unloaded
[0x1005740C] unload fail
[0x10057624] load
[0x10057014] supports
[0x10057644] unload
[0x10057014] supports
[0x100576DC] Cookie:
[0x10057758] --%hs
Content-Disposition: form-data; name="%s"; filename="diag.%d"
Content-Encoding: deflate



[0x100577C8]   
[0x10057700] Accept: */*
Accept-Encoding: gzip


[0x10057820] %02X%02X%02X%02X
[0x1005784C] id
[0x10057894] ack
[0x100578A4] &z=%02X%02X%02X%02X
[0x100578D4] text
[0x100578E4] Error sending data to target
[0x1005790C] Error running module
[0x1005792C] The session completed successfully.
[0x10057988] Error receiving data from target
[0x10057988] Error receiving data from target
[0x100578E4] Error sending data to target
[0x100579B8]

UDP connect error
.
[0x100579D8]

Received maximum amount of data. Aborting connection

[0x10057A18] {cmd:'reverse'}
[0x10056F78] cmd
[0x10057A30] accept
[0x10057A4C] tcp
[0x10057A58] udpReverse
[0x10057A6C] localIP
[0x10057A7C] localPort
[0x10057A90] remoteIP
[0x10057AA4] remotePort
[0x10057AB8] reuse
[0x10057A6C] localIP
[0x10057A7C] localPort
[0x10057AD8] maxRecv
[0x10055F48] http
[0x10057AE8] userAgent
[0x10057AFC] host
[0x10057B0C] port
[0x10056054] 2.0.0
[0x100585B4] 132914
[0x10056064] wl
[0x10057BE0] i386
[0x10057BE0] i386
[0x10057C40] windows
[0x10057C40] windows
[0x10057D3C] user
[0x10057E20] System
[0x10058010] i386
[0x10057E20] System
[0x10058038] Unknown
[0x10058048] No Root
[0x10058058] Removable
[0x1005806C] Disk
[0x1005807C] Mapped
[0x1005808C] Optical
[0x1005809C] RAMdisk
[0x100580AC] USB HD
[0x100580BC] USB Key
[0x100580CC] FireWire
[0x100580E0] \\.\%s
[0x10058310] \\.\pipe\%I64dout
[0x1005833C] \\.\pipe\%I64din
[0x10058398] SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
[0x1005844C] EnablePrefetcher
[0x100584AC] OpenProcess
[0x10058700] reboot
[0x10057148] store
[0x1005713C] mem
[0x10058740] limit
[0x10058750] offset
[0x10057148] store
[0x1005713C] mem
[0x100587D4] fs
[0x10058824] Disconnecting and terminating target software.
[0x10058864] GetLogicalDrives
[0x10058880] kernel32.dll
[0x10058898] GetVolumePathNamesForVolumeNameW
[0x100588C4] GetVolumePathNamesForVolumeName
[0x1005891C] %s.exe
[0x1005897C] remotePath
[0x10056EEC] hash
[0x10058750] offset
[0x10057148] store
[0x1005713C] mem
[0x100589C0] Target is running inside a Virtual Machine
[0x100589F4] threshold
[0x10058A08] freq
[0x10058A3C] Console Idle for %s.
[0x10058A6C] Console Active after %s idle.
[0x10058A94] Console activity detected. A user may be present.
[0x1005897C] remotePath
[0x10057178] size
[0x10057178] size
[0x10058750] offset
[0x10058C0C] localPath
[0x1005897C] remotePath
[0x10058C00] mrs
[0x10057148] store
[0x1005713C] mem
[0x10058C24] SeShutdownPrivilege
[0x10058CB8] Issuing system reboot in 5 seconds.
[0x10058CE4] Issuing system shutdown in 5 seconds.
[0x10058DA8] %PATH%
[0x10058DC0] .exe
[0x10058DD4] \Process(*)\ID Process
[0x10058E10] \Process(*)\% Processor Time
[0x10058E54] \Process(*)\Working Set
[0x10058E90] \Processor(_Total)\% Idle Time
[0x10058A08] freq
[0x10058EE8] Error while configuring PDH subsystem
[0x10058F38] set
[0x10058F38] set
[0x10057624] load
[0x10058A08] freq
[0x10058FD0] jpg
[0x10058FE0] CaptureDC: CreateCompatibleDC
[0x10059028] CaptureDC: CreateDIBSection
[0x100590A0] CaptureDC: BitBlt
[0x100590D0] CaptureDC: CreateCompatibleDC2
[0x10059118] CaptureDC: CreateDIBSection2
[0x1005915C] CaptureDC: StretchBlt
[0x10059068] CaptureDC: SelectObject
[0x10059068] CaptureDC: SelectObject
[0x10059190] CaptureHDESK: GetDC()
[0x100591C8] CaptureHDESK: Desktop is not visible
[0x10059298] Screen Capture exception caught. Aborted.
[0x10059220] CaptureHDESK: Window has an invalid size: [%d,%d,%d,%d]
[0x100592F4] desktopProc: Trying %s
[0x1005932C] desktopProc: OpenDesktop()
[0x10059370] desktopProc: GetUserObjectInformation()
[0x100593C8] winStationProc: Trying %s
[0x10059408] winStationProc: OpenWindowStation()
[0x10059458] winStationProc: GetUserObjectInformation()
[0x100594B8] winStationProc: Window Station NOT VISIBLE
[0x10059518] winStationProc: SetProcessWindowStation()
[0x10059578] winStationProc: Enumerating Desktops
[0x100595D0] Attempting to open current Input Desktop
[0x10059630] Successfully captured Input Desktop
[0x10059680] OpenInputDesktop: No Access
[0x100596C0] Enumerating Window Stations
[0x10059840] #32770
[0x10059858] Dialog
[0x10059880] ComboBox
[0x1005989C] ListBox
[0x100598B4] explorer.exe
[0x100598D8] Shell_TrayWnd
[0x100598FC] Progman
[0x10059988] scale
[0x10059998] quality
[0x100599A8] layered
[0x10059830] hwnd
[0x10059830] hwnd
[0x10059914] visible
[0x100599F4] action
[0x10059A04] trigger
[0x10059A14] activate
[0x10059A28] minimize
[0x10059A3C] quit
[0x10059A4C] close
[0x10059A5C] click
[0x10059AA0] ok
[0x10059AAC] cancel
[0x10055E6C] yes
[0x10055E84] no
[0x10059BDC] head
[0x10059BEC] tail
[0x10059C68] \system32\kernel32.dll
[0x10059E40] Connected
[0x10059E80] unknown
[0x10059F60] SYSTEM\CurrentControlSet\Services\netbt\Parameters\Interfaces\Tcpip_
[0x10059FF4] NetbiosOptions
[0x1005A01C] DhcpNetbiosOptions
[0x1005A068] SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
[0x1005A0F0] Domain
[0x1005A108] DhcpDomain
[0x1005A14C] dnsapi.dll
[0x1005A160] DnsQueryConfigAllocEx
[0x1005A180] DnsFreeConfigStructure
[0x1005A1A0] DnsGetSearchInformation
[0x1005A1C0] DnsFreeSearchInformation
[0x1005A1E4] DNS Search Suffix lookup failure
[0x1005A22C] Other
[0x1005A23C] Invalid
[0x1005A24C] Dynamic
[0x1005A25C] Static
[0x10058A08] freq
[0x1005A300] Special
[0x1005A310] Temp
[0x1005A320] PrintQ
[0x1005A330] Comm Device
[0x1005A344] IPC
[0x1005A350] Domain Master
[0x1005A368] Master Browser
[0x1005A380] Backup Browser
[0x1005A398] Terminal Server
[0x1005A3B0] Cluster
[0x1005A3C0] Cluster (Virtual)
[0x1005A3DC] Server
[0x1005A3EC] Win95/98/ME
[0x1005A400] Windows for Workgroups
[0x1005A420] Unix
[0x1005A430] Novell
[0x1005A440] LM 2.x Domain Member
[0x1005A460] MS_SQL
[0x1005A320] PrintQ
[0x1005A470] Dial-in
[0x1005A480] Time
[0x1005A490] AFP
[0x1005A49C] File/Print for NetWare
[0x1005A4BC] PDC
[0x1005A4C8] BDC
[0x1005A4D4] DOS
[0x1005A618] Network enumeration failed
[0x1005A64C] Unable to get target domain name
[0x1005A964] boot
[0x1005AA70] Shared
[0x1005AAA0] Stopped
[0x1005A63C] server
[0x10056F78] cmd
[0x10057CB0] time
[0x1005AC0C] soon
[0x1005AC1C] each
[0x1005AC2C] next
[0x1005ADE0] List Shares Failed
[0x1005ADFC] NetUseEnum
[0x1005A63C] server
[0x1005AE10] query
[0x1005A944] start
[0x1005AE20] stop
[0x1005AE30] config
[0x1005AE40] startopt
[0x1005A63C] server
[0x1005AE88] ntdll.dll
[0x1005AE9C] ZwCreateFile
[0x1005AEB4] RtlInitUnicodeString
[0x1005AED4] \Device\NetBt_Wins_Export
[0x1005AF30] UNIQUE
[0x1005AF40] Registering
[0x1005B048] Error querying "%s"
[0x1005B064] ncacn_np
[0x1005B080] ncacn_ip_tcp
[0x1005B0A8] Microsoft Enhanced Cryptographic Provider v1.0
[0x1005B110] %s
[0x1005B110] %s
[0x1005B160] Error loading module
[0x1005B194] Attempting to load RPC Loader
[0x1005B1BC] Successfully loaded RPC Loader
[0x1005B120] Error loading module: The RPC loader is not available
[0x1005B1E4] Unable to load RPC Loader
[0x1005B220] Attempting to load RPC Host
[0x1005B244] Successfully loaded RPC Host
[0x1005B26C] Failed to load RPC Host
[0x1005B2A4] Attempting to load module
[0x1005B2C8] Successfully loaded module
[0x1005B2EC] Failed to load module
[0x1005B320] Error creating session: Unable to contact target (possibly firewalled)
[0x1005B3B0] Error creating session: The module is not loaded on the target system
[0x1005B400] Error creating session
[0x1005B370] Error creating session: The RPC host is not running
[0x1005B470] Attempting to create RPC Host session with '%s'...
[0x1005B4E0] Re-attempting to create RPC Host session with "%s"...
[0x1005B554] Session %d successfully started
[0x1005B580] Error creating connection to remote host
[0x1005B5DC] SeDebugPrivilege
[0x1005B658] Unable to open specified process
[0x1005B62C] Unable to retrieve process token
[0x1005B608] Unable to impersonate user
[0x1005B684] Successfully installed persistently.
[0x1005B6B4] Unable to install.
[0x1005B6D0] Successfully removed.
[0x1005B6F0] Error removing.
[0x1005B708] idleMax
[0x10057050] ackEvery
[0x10057064] ackLimit
[0x1005B718] compressRaw
[0x1005B72C] compressOut
[0x1005B740] reconnectDelay
[0x10056F78] cmd
[0x10057094] pwd
[0x10057A40] opt
[0x1005B758] args
[0x1005B768] ack
[0x1005B774] ping
[0x100578D4] text
[0x1005B7B0] Memory allocation error! Terminating stream.
[0x100578D4] text
[0x1005B7B0] Memory allocation error! Terminating stream.
[0x1005B7B0] Memory allocation error! Terminating stream.
[0x1005B7E8] No overlapped! Terminating stream.
[0x1005B814] Packet Decompression Error!
[0x1005B870] Invalid STREAM_ACK for stream %d
[0x1005B8D4] Unexpected/Invalid STREAM_RESUME for stream %d
[0x1005B89C] Unexpected/Invalid STREAM_PAUSE for stream %d
[0x1005B838] Unexpected/Invalid STREAM_READY for stream %d
[0x1005BA50] TEXT
[0x1005BA60] RAW
[0x1005BA6C] NONE
[0x1005BA7C] input
[0x1005BA8C] output
[0x10057B5C] protocol
[0x1005BA9C] TCP
[0x1005BAA8] NP
[0x10057D3C] user
[0x1005A750] password
[0x10057D18] domain
[0x1005A708] local
[0x10057FA8] target
[0x1005BAB4] -UPLOAD
[0x1005BAC4] special
[0x1005BAD4] EXEC
[0x1005BAE4] module32
[0x1005BAF8] dcomldr32
[0x1005BB0C] rpchost32
[0x1005BB20] module64
[0x1005BB34] dcomldr64
[0x1005BB48] rpchost64
[0x10057FA8] target
[0x100572BC] pid
[0x1005BAF8] dcomldr32
[0x1005BB34] dcomldr64
[0x10057124] %s: %s
[0x1005BB60] SOFTWARE\Classes\AppID\{b7867b64-a163-4e5d-93bb-76e0cef7153b}
[0x1005BBE8] SOFTWARE\Classes\CLSID\{b7867b64-a163-4e5d-93bb-76e0cef7153b}\InProcServer32
[0x1005BC90] SOFTWARE\Classes\CLSID\{b7867b64-a163-4e5d-93bb-76e0cef7153b}
[0x1005BD18] {b7867b64-a163-4e5d-93bb-76e0cef7153b}
[0x1005BC90] SOFTWARE\Classes\CLSID\{b7867b64-a163-4e5d-93bb-76e0cef7153b}
[0x1005BB60] SOFTWARE\Classes\AppID\{b7867b64-a163-4e5d-93bb-76e0cef7153b}
[0x1005BBE8] SOFTWARE\Classes\CLSID\{b7867b64-a163-4e5d-93bb-76e0cef7153b}\InProcServer32
[0x1005BD70]
[0x1005BD7C] AppID
[0x1005BD90] ThreadingModel
[0x1005BDB8] Both
[0x1005BDCC] DllSurrogate
[0x1005BDF0] %s\%s
[0x1005BE08] Unable to retrieve information for %s
[0x1005BE5C] Unable to connect to %s
[0x1005BE94] %s%s
[0x1005BEA8] Attempting to install DCOM loader as %s...
[0x1005BF08] Error creating %s
[0x1005BE94] %s%s
[0x1005BE94] %s%s
[0x1005BF38] Attempting to start service...
[0x1005BFC4] Unable to start service
[0x1005BF80] Service successfully started
[0x1005C000] Attempting to connect to service control manager...
[0x1005C070] RemoteRegistry
[0x1005C098] Error opening remote registry service
[0x1005C0F0] Error connecting to service control manager
[0x1005C150] Attempting to connect to remote registry...
[0x1005C1B0] Error connecting to remote registry
[0x1005C200] Reattempting to connect to remote registry...
[0x1005C268] Unable to connect to remote registry
[0x1005C2BC] SharedAccess
[0x1005C2E0] Windows Firewall is not running
[0x1005C328] Unable to open firewall
[0x1005C360] GloballyOpenPorts
[0x1005C38C] List
[0x1005C3A0] 135:TCP
[0x1005C3B8] 135:TCP:*:Enabled:RPC Endpoint Mapper
[0x1005C410] SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
[0x1005C4D0] SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
[0x1005C588] IPC$
[0x1005C5A0] Attempting to open Windows Firewall
[0x1005C5F0] \\%s
[0x1005C608] Attempting to connect to %s...
[0x1005C650] Unable to open Windows Firewall
[0x1005C5A0] Attempting to open Windows Firewall
[0x1005C650] Unable to open Windows Firewall
[0x1005C698] ADMIN$
[0x1005C588] IPC$
[0x1005C6B0] Attempting to connect to %s on %s...
[0x1005C5F0] \\%s
[0x1005C708] Attempting to create %s share
[0x1005C7C8] Unable to create %s
[0x1005C750] Successfully created share.  Attempting to reconnect...
[0x1005C7F8] %s\TEMP\
[0x1005C814] %s\ADMIN$\Temp\
[0x1005C840] %s\ADMIN$\SysWOW64\kernel32.dll
[0x1005C888] Removing %s share
[0x1005C8B8] Attempting to connect to DCOM loader...
[0x1005C910] Failed to connect: Unable to contact target (possibly firewalled)
[0x1005C9A0] Failed to connect: DCOM loader is not installed
[0x1005CA08] Failed to connect to DCOM loader
[0x1005C5F0] \\%s
[0x1005C840] %s\ADMIN$\SysWOW64\kernel32.dll
[0x1005CA58] Attempting to install DCOM loader non-persistently...
[0x1005C8B8] Attempting to connect to DCOM loader...
[0x1005CA08] Failed to connect to DCOM loader
[0x1005CAD0] Removing DCOM loader from remote system
[0x1005CB28] Successfully removed DCOM loader from remote system
[0x1005CB98] !!!! Error removing DCOM loader -- Files may be left behind !!!!
[0x1005CC28] Loading DCOM loader payload
[0x1005CC68] Attempting to install DCOM loader
[0x1005C8B8] Attempting to connect to DCOM loader...
[0x1005CCB8] Reattempting to connect to DCOM loader...
[0x1005CD18] Making DCOM loader persistent
[0x1005CD60] Error installing DCOM loader
[0x1005CAD0] Removing DCOM loader from remote system
[0x1005CB28] Successfully removed DCOM loader from remote system
[0x1005CB98] !!!! Error removing DCOM loader -- Files may be left behind !!!!
[0x1005CDA8] Attempting to connect to the DCOM loader...
[0x1005CAD0] Removing DCOM loader from remote system
[0x1005CE08] kernel32
[0x1005CE1C] OpenProcess
[0x1005CE30] advapi32
[0x1005CE44] OpenProcessToken
[0x1005CE30] advapi32
[0x1005CE60] LookupPrivilegeValueW
[0x1005CE30] advapi32
[0x1005CE80] AdjustTokenPrivileges
[0x1005CE08] kernel32
[0x1005CEA0] CreateToolhelp32Snapshot
[0x1005CE30] advapi32
[0x1005CEC4] ImpersonateLoggedOnUser
[0x1005CEE4] urlmon
[0x1005CEF4] ObtainUserAgentString
[0x1005CF14] wininet
[0x1005CF24] HttpSendRequestExW
[0x1005CF14] wininet
[0x1005CF40] HttpSendRequestW
[0x1005CF14] wininet
[0x1005CF5C] HttpAddRequestHeadersA
[0x1005CF14] wininet
[0x1005CF7C] HttpQueryInfoA
[0x1005CF14] wininet
[0x1005CF94] HttpQueryInfoW
[0x1005CF14] wininet
[0x1005CFAC] HttpEndRequestW
[0x1005CF14] wininet
[0x1005CFC4] InternetWriteFile
[0x1005CF14] wininet
[0x1005CFE0] InternetQueryOptionW
[0x1005CF14] wininet
[0x1005D000] InternetOpenW
[0x1005CF14] wininet
[0x1005D018] InternetSetOptionW
[0x1005CF14] wininet
[0x1005D034] InternetCloseHandle
[0x1005CF14] wininet
[0x1005D050] InternetConnectW
[0x1005CF14] wininet
[0x1005D06C] HttpOpenRequestW
[0x100516C8] ---------------------------%02X%02X%02X%02X%02X%02X
[0x10051704] Content-Type: multipart/form-data; boundary=%s
[0x10051740] --%hs
Content-Disposition: form-data; name="file"; filename="~up%02X.tmp"
Content-Type: application/octet-stream



[0x100517C4] --%s--


[0x10051938] DefaultConnectionSettings
[0x100518A0] Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
[0x10051800] %s\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
[0x100598B4] explorer.exe
[0x10051974] Proxy-Authorization: Basic %s


[0x100519E0] wininet.dll
[0x10058880] kernel32.dll
[0x100519C4] MultiByteToWideChar
[0x100519A8] WideCharToMultiByte
[0x100519F4] Basic
[0x10051A14] POST
[0x10051A04] GET
[0x10051A28] http=
[0x10051800] %s\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
[0x10051938] DefaultConnectionSettings
[0x10051A38] DefaultConnectionSettings
[0x10051A94] %s\*
[0x10051A5C] %s\%s\ntuser.dat
[0x1005CE08] kernel32
[0x10054058] GetNativeSystemInfo
[0x1005CE08] kernel32
[0x10054074] IsWow64Process
[0x100540B0] SOFTWARE\Microsoft\Cryptography
[0x10054090] MachineGuid
[0x100540F8] unknown
[0x1005414C] Unknown
[0x10054134] SYSTEM
[0x10054110] NT AUTHORITY
[0x10054164] w%d.%d SP%d
[0x100543F8] Microsoft Windows
[0x100541F0] Windows 2000 Server
[0x100541C8] Windows Unknown
[0x10054194] Windows Unknown %d.%d
[0x1005443C] Secur32.dll
[0x10051974] Proxy-Authorization: Basic %s


[0x10054B78] CONNECT %s:%s HTTP/1.0


[0x10054B5C] User-Agent: %s


[0x10054B48] Host: %s


[0x10054B2C] Content-Length: 0


[0x10054B04] Proxy-Connection: Keep-Alive


[0x10054AE8] Pragma: no-cache


[0x10054ACC] WWW-Authenticate:
[0x10054AB0] Proxy-Authenticate:
[0x10054AA0] NTLM
[0x100519F4] Basic
[0x10054A90] Digest
[0x10054E14] Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1;)
[0x10054E00] urlmon.dll
[0x1005CEF4] ObtainUserAgentString
[0x10054EE0] iphlpapi.dll
[0x10054EC4] GetExtendedTcpTable
[0x10054EA8] GetExtendedUdpTable
[0x10054E7C] AllocateAndGetTcpExTableFromStack
[0x10054E50] AllocateAndGetUdpExTableFromStack
[0x1005A22C] Other
[0x10055098] Local
[0x10055080] NetMgmt/SNMP
[0x10055070] ICMP
[0x10055064] EGP
[0x10055058] GGP
[0x10055048] HELLO
[0x1005503C] RIP
[0x1005502C] MSDP
[0x1005501C] IGMP
[0x1005500C] BGMP
[0x10055000] BBN
[0x10054FF0] OSPF
[0x10054FE4] BGP
[0x10054FD4] BOOTP
[0x10054FBC] NT AutoStatic
[0x10054FA8] DNS Proxy
[0x10054F90] DHCP Allocator
[0x10054F84] NAT
[0x10054F70] NT Static
[0x10054F58] NT Static !DOD
[0x10054F44] DiffServ
[0x10054F38] MGM
[0x10054F2C] ALG
[0x10054F1C] H323
[0x10054F10] FTP
[0x10054F04] DTP
[0x10055190] INVALID
[0x10055180] CLOSED
[0x1005516C] LISTENING
[0x10055158] SYN_SENT
[0x10055144] SYN_RCVD
[0x10055130] ESTABLISHED
[0x1005511C] FIN_WAIT1
[0x10055108] FIN_WAIT2
[0x100550F4] CLOSE_WAIT
[0x100550E4] CLOSING
[0x100550D0] LAST_ACK
[0x100550BC] TIME_WAIT
[0x100550A8] DELETE_TCB
[0x100551D4] OPTIONS / HTTP/1.1
Host: %s:%d
User-Agent: %s


[0x100551A8] OPTIONS / HTTP/1.1
Host: %s:%d


[0x10055218] 0123456789abcdef
[0x10055254] ntdll.dll
[0x10055234] NtQueryInformationFile
[0x10055370] :%s,
[0x10055360] :"",
[0x10055350] :true,
[0x10055340] :false,
[0x10055330] :"%s",
[0x10055320] :%d,
[0x10055310] :0x%x,
[0x10055300] :%lld,
[0x100552F0] :%I64d,
[0x100552E0] :%.2f,
[0x100552B8] :"%04d%02d%02dT%02d:%02d:%02d",
[0x100552A0] :"%02d:%02d",
[0x10055288] :"%u.%u.%u.%u"
[0x10055270] :[%d,%d,%d,%d],
[0x10055380] 0123456789ABCDEF
[0x10055218] 0123456789abcdef
[0x100553F4] code:%u,oscode:%u,resource:"%s",message:"%s"
[0x100553A8] code:1001,oscode:14,resource:"Error",message:"Error writing error"
[0x10054AA0] NTLM
[0x10055D48] Proxy-
[0x10055D00] NTLMSSP%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%s%s
[0x10055CD8] Proxy-Authorization: NTLM %s


[0x10055C58] NTLMSSP%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%cÿÿ%c%c‚%c%c
[0x10055CD8] Proxy-Authorization: NTLM %s


[0x100560C4] ncacn_ip_tcp
[0x10056300] ncacn_np
[0x10056320] Microsoft Enhanced Cryptographic Provider v1.0
[0x10056828] msvcrt
[0x10056838] msvcrt.dll
[0x1005684C] ntdll.dll
[0x10056860] NtQueryInformationProcess
[0x10056884] RtlQueueWorkItem
[0x100567C0] 10c32bce-7654-4fc1-a3be-d7e885598b81-
[0x10056814] %s%d
[0x10056758] 98d5a34b-fbf4-4f6c-82a9-cc18d584266e-
[0x100567AC] %s%d
[0x100568A0] ntdll.dll
[0x100568B4] kernel32.dll
[0x100568CC] CreateThread
[0x100568E4] GetProcAddress
[0x100568FC] EnterCriticalSection
[0x1005691C] LeaveCriticalSection
[0x1005693C] ExitThread
[0x10056950] GetCurrentThreadId
[0x1005696C] ResumeThread
[0x10056984] ntdll.dll
[0x10056998] RtlAcquirePebLock
[0x100569B4] RtlReleasePebLock
[0x100569D0] LdrLockLoaderLock
[0x100569EC] LdrUnlockLoaderLock
[0x10056F48] contents
[0x10056F48] contents
[0x10056F48] contents
[0x10056F48] contents
[0x10056F48] contents
[0x10056F48] contents
[0x10056F48] contents
[0x10057460] commands
[0x100575E8] features
[0x10056F48] contents
[0x10056F48] contents
[0x10057E74] ipList
[0x10056F48] contents
[0x10056F48] contents
[0x10056F48] contents
[0x10056F48] contents
[0x10056F48] contents
[0x10056F48] contents
[0x10058F18] updates
[0x10056F48] contents
[0x10056F48] contents
[0x10056F48] contents
[0x10056F48] contents
[0x10056F48] contents
[0x10056F48] contents
[0x10056F48] contents
[0x10057E74] ipList
[0x10056F48] contents
[0x10057084] type
[0x10057084] type
[0x1005A9A8] dependsOn
[0x10056F48] contents
[0x10056F48] contents
[0x10056F48] contents
[0x10056EBC] event
[0x10056EFC] hashError
[0x10057084] type
[0x10056F78] cmd
[0x10057148] store
[0x10057158] name
[0x10057148] store
[0x10057158] name
[0x10057148] store
[0x10057158] name
[0x10057298] image
[0x100572A8] instance
[0x100572D8] module
[0x100572E8] desc
[0x100572F8] ver
[0x100573FC] status
[0x100573FC] status
[0x100573FC] status
[0x100573FC] status
[0x100573FC] status
[0x100573FC] status
[0x10057158] name
[0x10056F78] cmd
[0x100572D8] module
[0x100572A8] instance
[0x10057634] state
[0x10057634] state
[0x100578D4] text
[0x10056F78] cmd
[0x10056EDC] stdout
[0x10057B80] versionName
[0x10057B94] build
[0x10057BA4] defaultName
[0x10057BB8] toolType
[0x10057D4C] processMode
[0x10057ED4] compress
[0x10057EE8] kpConnection
[0x10057F00] ip
[0x10057F0C] netmask
[0x10057158] name
[0x10057084] type
[0x10057FFC] processArch
[0x10057084] type
[0x10057158] name
[0x10057158] name
[0x10057158] name
[0x10058494] prefetchError
[0x10057158] name
[0x10057084] type
[0x10057158] name
[0x10057084] type
[0x10057148] store
[0x10057158] name
[0x10058A5C] message
[0x10057158] name
[0x10057158] name
[0x10058A5C] message
[0x10057158] name
[0x10058F28] value
[0x10057634] state
[0x10057634] state
[0x10057634] state
[0x10057084] type
[0x10057158] name
[0x10057158] name
[0x10057158] name
[0x10057158] name
[0x10057634] state
[0x100573FC] status
[0x100573FC] status
[0x10059EA4] winsPrimary
[0x10059EE4] dhcpServer
[0x10057084] type
[0x10057AFC] host
[0x10057D18] domain
[0x10057B5C] protocol
[0x1005A510] platform
[0x1005A944] start
[0x1005AA08] serviceType
[0x10057634] state
[0x10057158] name
[0x10057084] type
[0x100573FC] status
[0x10057FA8] target
[0x100578D4] text
[0x100578D4] text
[0x10057A6C] localIP
[0x10057A90] remoteIP
[0x10058A5C] message
[0x100570A0] throttled
[0x100570B4] ovlIn
[0x100570E4] ovlOut
[0x10057168] deleted
[0x1005719C] complete
[0x10057500] created
[0x10057500] created
[0x10057500] created
[0x100575B0] ignored
[0x10057B20] connected
[0x10057C7C] osVM
[0x10057D18] domain
[0x10057D8C] processIsAdminGroup
[0x10057E38] processElevation
[0x10057F5C] stream
[0x10057E38] processElevation
[0x10058278] secured
[0x10058288] onReboot
[0x10057168] deleted
[0x100575A0] removed
[0x10058478] prefetchModified
[0x10058944] background
[0x10058A18] idle
[0x10058A18] idle
[0x10058AD0] initial
[0x10058C00] mrs
[0x100575A0] removed
[0x10058AD0] initial
[0x10058AD0] initial
[0x10058F28] value
[0x10059820] child
[0x10059914] visible
[0x10059924] app
[0x10059930] minimized
[0x10059954] denied
[0x10059954] denied
[0x10059954] denied
[0x10059914] visible
[0x10059ABC] success
[0x10059AF0] r
[0x10059AFC] a
[0x10059B08] s
[0x10059B14] h
[0x10059B20] i
[0x10057A4C] tcp
[0x10059D3C] udp
[0x100575A0] removed
[0x100575A0] removed
[0x10059E54] enabled
[0x10059ED4] dhcp
[0x10059F20] autoconfEnabled
[0x10059F38] autoconfActive
[0x1005A26C] iproute
[0x1005A27C] proxy
[0x10058AD0] initial
[0x1005A6A0] interactive
[0x1005A6B4] today
[0x1005A6C4] repeats
[0x10056F5C] error
[0x1005A6D4] netDrive
[0x1005A8BC] loggedIn
[0x1005A6A0] interactive
[0x1005A9D0] shared
[0x1005A9E0] driver
[0x100581A4] progress
[0x1005ABF4] deletedAll
[0x10057094] pwd
[0x100574F4] dir
[0x100574F4] dir
[0x100574F4] dir
[0x10057158] name
[0x100574F4] dir
[0x10057BCC] toolPath
[0x10057BF4] toolArch
[0x10057C08] osInfo
[0x10057C30] osArch
[0x10057C58] osType
[0x10057C68] osFamily
[0x10057C8C] osVMinfo
[0x10057CA0] osICE
[0x10057CC0] netbios
[0x10057CD0] guid
[0x10057CE0] hostname
[0x10057CF4] domainname
[0x10057D08] group
[0x10057D60] processUser
[0x10057D74] processGroup
[0x10057DD4] processIntegrityName
[0x10057F4C] nick
[0x10057F6C] streamName
[0x10057F80] streamType
[0x10057FA8] target
[0x10057158] name
[0x10057FDC] path
[0x10057D60] processUser
[0x10057D74] processGroup
[0x10057DD4] processIntegrityName
[0x10057158] name
[0x100580F8] fstype
[0x10058108] label
[0x10058118] volname
[0x100574F4] dir
[0x100574F4] dir
[0x100585C8] source
[0x100574F4] dir
[0x100574F4] dir
[0x10057158] name
[0x100574F4] dir
[0x10058958] command
[0x10058968] commandLine
[0x10057158] name
[0x100574F4] dir
[0x10057158] name
[0x10057158] name
[0x10057158] name
[0x10058D70] timezone
[0x10057FDC] path
[0x10057158] name
[0x10058F28] value
[0x10059870] class
[0x10059870] class
[0x100578D4] text
[0x100578D4] text
[0x10059870] class
[0x10057158] name
[0x10057158] name
[0x10057158] name
[0x10057158] name
[0x100585C8] source
[0x10059D48] process
[0x10057D18] domain
[0x10057AFC] host
[0x10057158] name
[0x1005A544] comment
[0x10057D18] domain
[0x1005A554] browser
[0x1005A63C] server
[0x10057158] name
[0x1005A544] comment
[0x10057D18] domain
[0x10058958] command
[0x10057158] name
[0x1005A6E8] mount
[0x1005A6F8] remark
[0x100580F8] fstype
[0x10058118] volname
[0x1005A708] local
[0x1005A718] remote
[0x10057D3C] user
[0x10057D18] domain
[0x1005A750] password
[0x10057158] name
[0x1005A79C] fullName
[0x1005A544] comment
[0x1005A7C4] homeDir
[0x1005A810] logonServer
[0x1005A838] workstations
[0x1005A860] sidString
[0x1005A874] referenceDomain
[0x1005A890] globalGroups
[0x1005A8A8] localGroups
[0x1005A8D0] loggedInServer
[0x1005A8E8] loggedInDomains
[0x1005A900] loggedInAuthServer
[0x1005A91C] display
[0x10057FDC] path
[0x1005A9BC] description
[0x10057158] name
[0x10059D48] process
[0x10059D48] process
[0x1005AB1C] dependentService
[0x10057050] ackEvery
[0x10057064] ackLimit
[0x10057078] id
[0x100570C4] refIn
[0x100570D4] ackSent
[0x100570F4] refOut
[0x10057104] ackRecv
[0x10057178] size
[0x10057188] received
[0x100571B0] refs
[0x10057288] index
[0x10057578] dirCount
[0x1005758C] fileCount
[0x10057578] dirCount
[0x1005758C] fileCount
[0x100575C0] deletedCount
[0x10057288] index
[0x100572BC] pid
[0x10055EBC] tunnel
[0x10057B5C] protocol
[0x10057B70] version
[0x10057D28] processPid
[0x10057DA8] processIntegrity
[0x10057E54] processElevationType
[0x10057E84] acp
[0x10057E90] lcid
[0x10057EA0] oemcp
[0x10057EB0] langid
[0x100572BC] pid
[0x10057FBC] ppid
[0x10057FCC] threads
[0x10058020] processSession
[0x10057DA8] processIntegrity
[0x10057E54] processElevationType
[0x10058300] depth
[0x10058760] total
[0x10057578] dirCount
[0x1005758C] fileCount
[0x100587E0] adsCount
[0x100572BC] pid
[0x100572BC] pid
[0x10058A28] priority
[0x10058A28] priority
[0x100572BC] pid
[0x10058750] offset
[0x10058A18] idle
[0x10058D84] uptime
[0x100572BC] pid
[0x10058ED8] cpu
[0x1005713C] mem
[0x100572BC] pid
[0x10058F28] value
[0x10057178] size
[0x10058FB0] width
[0x10058FC0] height
[0x10057078] id
[0x100572BC] pid
[0x10059C24] result
[0x10057A7C] localPort
[0x10057AA4] remotePort
[0x10057A7C] localPort
[0x100572BC] pid
[0x10059E64] speed
[0x10059E64] speed
[0x10059E54] enabled
[0x1005A04C] netbiosOptions
[0x1005A128] ifIndex
[0x1005A128] ifIndex
[0x1005A2F0] metric
[0x1005A128] ifIndex
[0x1005A524] major
[0x1005A534] minor
[0x10057078] id
[0x1005A678] daysOfMonth
[0x1005A68C] daysOfWeek
[0x100573FC] status
[0x10057084] type
[0x1005A728] refcount
[0x1005A73C] usecount
[0x1005A764] lastLogon
[0x1005A778] lastLogoff
[0x1005A78C] priv
[0x1005A7B0] authFlags
[0x1005A7D4] badPWCount
[0x1005A7E8] logonCount
[0x1005A7FC] passwordAge
[0x1005A824] countryCode
[0x1005A850] flags
[0x100572BC] pid
[0x100572BC] pid
[0x1005AC88] job
[0x1005AF10] code
[0x10057A7C] localPort
[0x10057AA4] remotePort
[0x10058A28] priority
[0x100571C0] Invalid module context.
[0x100571E0] Module command crashed during execution.
[0x10057214] Module command execution failed.
[0x100573B0] Load failed: internal error while adding to tree.
[0x10057434] No module found with that Name/ID.
[0x10057474] You must specify a file to load.
[0x100574A4] No modules are loaded.
[0x10057510] No Burn Directory is registered.
[0x1005753C] A Burn Directory is already registered.
[0x10057510] No Burn Directory is registered.
[0x10057510] No Burn Directory is registered.
[0x10057600] Command array too large!
[0x10057654] Unrecoverable THREAD crash while executing command: %x
[0x10057958] An error occurred during the session.
[0x100581B8] Is a directory
[0x100585D8] You must specify source and destination arguments.
[0x1005863C] Copying a directory is not supported.
[0x10058710] You must specify a file to delete.
[0x100588EC] You must specify a command to execute.
[0x10058990] You must specify a file to download.
[0x10058AE0] Invalid process id.
[0x10058B30] Process did not exit in a timely manner.
[0x10058B64] You must specify a directory.
[0x10058B8C] Source is a directory; destination can't be a file.
[0x10058C54] Process token is missing the required privilege.
[0x10058D3C] The stream does not exist.
[0x10058D94] Which what?
[0x10059700] Unable to capture desktop.
[0x100597C8] Window can only be captured from Session %d
[0x10059780] Window is not visible, or has an invalid size. (%d,%d,%d,%d)
[0x10059748] Window is minimized and cannot be captured.
[0x100599B8] Window no longer exists. You may want to refresh.
[0x10059A6C] Failed to open Desktop to send mouse click.
[0x10059ACC] Unable to change attribute.
[0x10059B30] Arbitrary line limit reached. Truncating additional output.
[0x10059BB4] You must specify a file.
[0x10059C34] Specify a match length between %d and %d.
[0x10059CD8] Specify the -d flag to change directory timestamps.
[0x10059D58] Failed to kill connection. Is this an elevated process?
[0x10059D98] Only TCP connections can be terminated.
[0x10059DC8] Invalid local or remote filter supplied.
[0x1005A290] Failed to get network connection table.
[0x1005A5B0] Network enumeration failed: Computer browser service may be disabled or blocked by a firewall.
[0x1005AC5C] Day of the month must be 1 - 31.
[0x1005ACB0] Error: Service Not Active. This probably means the Task Scheduler service is not running.
[0x1005ADA4] Error: Options must be one of share, use, or view.
[0x1005AE70] User Not Found.
[0x1005B034] not found.
[0x1005B000] No usable NetBIOS interface found to query.
[0x1005B438] Cannot find module because none was specified.
[0x1005B784] Command unknown or not yet loaded
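A defender-side follow-up to the listing above, added here as an example (it is not code from the post, from the linked write-up, or from the analyst's tooling): a Python parser for the `[0xADDR] string` dump format, a heuristic classifier that pulls out the host artefacts worth hunting for (the DCOM CLSID and its registry keys, the named pipes, the firewall exception, the hard-coded User-Agent), and a generator that turns those into a YARA rule. The category patterns and the rule name `black_lambert_decrypted_strings` are my own choices; `SAMPLE_DUMP` is a constructed excerpt whose values are copied from the listing.

```python
import re
from collections import OrderedDict

# Constructed excerpt of the "[0xADDR] string" dump format used in the post
# above. The values are copied from the decrypted-string listing; the blank
# lines after the Accept entry reproduce a string that embeds line breaks,
# as several of the HTTP-header strings in the listing do.
SAMPLE_DUMP = r"""
[0x10056D64] \\.\pipe\%I64ddplx
[0x1005713C] mem
[0x1005713C] mem
[0x10057700] Accept: */*
Accept-Encoding: gzip


[0x10054E14] Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1;)
[0x1005BB60] SOFTWARE\Classes\AppID\{b7867b64-a163-4e5d-93bb-76e0cef7153b}
[0x1005BBE8] SOFTWARE\Classes\CLSID\{b7867b64-a163-4e5d-93bb-76e0cef7153b}\InProcServer32
[0x1005BD18] {b7867b64-a163-4e5d-93bb-76e0cef7153b}
[0x1005C3B8] 135:TCP:*:Enabled:RPC Endpoint Mapper
[0x10058310] \\.\pipe\%I64dout
[0x1005CF24] HttpSendRequestExW
[0x1005B5DC] SeDebugPrivilege
"""

ENTRY_RE = re.compile(r"^\[(0x[0-9A-Fa-f]+)\] ?(.*)$")


def parse_dump(text):
    """Parse the dump into an ordered {address: string} map.

    A line starting with '[0x...]' opens a new entry; any other line is a
    continuation of the previous entry (strings that embed line breaks).
    The listing prints one line per cross-reference, so an address that
    appears several times is kept once, with its first value.
    """
    records = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            records.append((int(m.group(1), 16), [m.group(2)]))
        elif records:
            records[-1][1].append(line)
    entries = OrderedDict()
    for addr, parts in records:
        entries.setdefault(addr, "\n".join(parts).rstrip("\n"))
    return entries


# Heuristic categories, checked in order; the first match wins. These are
# the added example's own choices, not a classification from the post.
CATEGORIES = [
    ("com_registration", re.compile(r"^SOFTWARE\\Classes\\(CLSID|AppID)\\\{", re.I)),
    ("clsid", re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)),
    ("named_pipe", re.compile(r"^\\\\\.\\pipe\\")),
    ("registry", re.compile(r"^(SOFTWARE|SYSTEM)\\", re.I)),
    ("firewall_rule", re.compile(r"^\d+:(TCP|UDP):\*:Enabled:")),
    ("user_agent", re.compile(r"^Mozilla/")),
    ("http_header", re.compile(r"^[A-Z][A-Za-z-]+: ")),
    ("privilege", re.compile(r"^Se[A-Z][A-Za-z]+Privilege$")),
    # Win32 export names resolved at runtime; also catches plain capitalised words.
    ("api_name", re.compile(r"^[A-Z][A-Za-z0-9]+$")),
]


def classify(value):
    for name, pattern in CATEGORIES:
        if pattern.search(value):
            return name
    return "other"


def indicators(entries):
    """Group the unique strings by category, sorted within each category."""
    grouped = {}
    for value in entries.values():
        grouped.setdefault(classify(value), set()).add(value)
    return {name: sorted(values) for name, values in grouped.items()}


# Categories that identify the backdoor on a host rather than generic Win32 noise.
HUNT_CATEGORIES = ("com_registration", "clsid", "named_pipe", "firewall_rule", "user_agent")


def yara_escape(value):
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")


def build_yara_rule(entries, name="black_lambert_decrypted_strings"):
    """Emit a YARA rule over the indicator-bearing strings.

    The strings only exist in cleartext after the backdoor decrypts them, so
    the rule is meant for process-memory scans or unpacked dumps, not for the
    encrypted file on disk. Format strings such as the pipe names keep their
    '%I64d' placeholder, which is what sits in memory until they are rendered.
    """
    selected = [(a, v) for a, v in entries.items() if classify(v) in HUNT_CATEGORIES]
    lines = [f"rule {name}", "{", "    strings:"]
    for addr, value in selected:
        lines.append(f'        $s_{addr:08x} = "{yara_escape(value)}" ascii wide')
    lines += ["    condition:", f"        {min(3, len(selected))} of them", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_dump(SAMPLE_DUMP)
    for category, values in sorted(indicators(parsed).items()):
        print(f"{category}: {values}")
    print(build_yara_rule(parsed))
```

Run it on the full listing from the post (saved to a file) instead of `SAMPLE_DUMP` to get the complete picture. Because the strings are encrypted on disk and only decrypted at runtime, the generated rule will not fire on the packed file; point it at process memory or a dump taken after the loader has run. The `%I64d` placeholders also tell you what the live pipe names look like: a numeric name followed by `dplx`, `out` or `in` under `\\.\pipe\`, which is a separate thing to look for in a pipe listing.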