giovedì 1 ottobre 2009









Report:

Code:


0009:Starting process L"Z:\\tmp\\vir\\e00fd6129b643e8c576dbf03a6b662e9\\malware.exe" (entryproc=0x409600)
0009:Call KERNEL32.GetCommandLineA() ret=004096a3
0009:Call KERNEL32.VirtualAlloc(00000000,00117674,00001000,00000040) ret=00409a05
0009:Call ntdll.NtAllocateVirtualMemory(ffffffff,0032f174,00000000,0032f188,00001000,00000040) ret=7b899a09
0009:Call ntdll.LdrShutdownProcess() ret=7b892042
0009:Call PE DLL (proc=0x7b8a12c0,module=0x7b820000 L"KERNEL32.dll",reason=PROCESS_DETACH,res=0x1)
0009:Call PE DLL (proc=0x7bc77530,module=0x7bc10000 L"ntdll.dll",reason=PROCESS_DETACH,res=0x1)
000b:Call KERNEL32.ExitProcess(00000000) ret=7efa8555
000b:Call ntdll.LdrShutdownProcess() ret=7b87302f
000b:Call PE DLL (proc=0x7ef84910,module=0x7ef50000 L"advapi32.dll",reason=PROCESS_DETACH,res=0x1)
000b:Call PE DLL (proc=0x7b8a12c0,module=0x7b820000 L"KERNEL32.dll",reason=PROCESS_DETACH,res=0x1)
000b:Call PE DLL (proc=0x7bc77530,module=0x7bc10000 L"ntdll.dll",reason=PROCESS_DETACH,res=0x1)
000b:Call ntdll.NtTerminateProcess(ffffffff,00000000) ret=7b87303f
000d:Call ntdll.NtClose(00000038) ret=7b873a45
000d:Call advapi32.RegCloseKey(00000020) ret=7efa6f7a
000d:Call ntdll.NtClose(00000020) ret=7eed68e8
000d:Call KERNEL32.ExitProcess(00000000) ret=7efac805
000d:Call ntdll.LdrShutdownProcess() ret=7b87302f
000d:Call PE DLL (proc=0x7ef7c420,module=0x7ef40000 L"rpcrt4.dll",reason=PROCESS_DETACH,res=0x1)
000d:Call PE DLL (proc=0x7ef29b90,module=0x7ef20000 L"iphlpapi.dll",reason=PROCESS_DETACH,res=0x1)
000d:Call PE DLL (proc=0x7eeee910,module=0x7eec0000 L"advapi32.dll",reason=PROCESS_DETACH,res=0x1)
000d:Call PE DLL (proc=0x7b8a12c0,module=0x7b820000 L"KERNEL32.dll",reason=PROCESS_DETACH,res=0x1)
000d:Call PE DLL (proc=0x7bc77530,module=0x7bc10000 L"ntdll.dll",reason=PROCESS_DETACH,res=0x1)
000d:Call ntdll.NtTerminateProcess(ffffffff,00000000) ret=7b87303f
malware 1966 1965 0 04:29 ? 00:00:00 /bin/sh /usr/bin/xvfb-run /home/malware/bin/malware_launcher.sh /tmp/vir/e00fd6129b643e8c576dbf03a6b662e9/malware.exe 30 /tmp/vir/e00fd6129b643e8c576dbf03a6b662e9/dump 1
malware 1979 1966 0 04:29 ? 00:00:00 /bin/sh /home/malware/bin/malware_launcher.sh /tmp/vir/e00fd6129b643e8c576dbf03a6b662e9/malware.exe 30 /tmp/vir/e00fd6129b643e8c576dbf03a6b662e9/dump 1
malware 1997 1979 0 04:30 ? 00:00:00 grep .exe
Dumping the process memory for child processes...
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 03:53 ? 00:00:07 init [2]
root 2 1 0 03:53 ? 00:00:00 [migration/0]
root 3 1 0 03:53 ? 00:00:00 [ksoftirqd/0]
root 4 1 0 03:53 ? 00:00:00 [events/0]
root 5 1 0 03:53 ? 00:00:00 [khelper]
root 6 1 0 03:53 ? 00:00:00 [kthread]
root 9 6 0 03:53 ? 00:00:00 [kblockd/0]
root 10 6 0 03:53 ? 00:00:00 [kacpid]
root 76 6 0 03:53 ? 00:00:00 [kseriod]
root 112 6 0 03:53 ? 00:00:00 [pdflush]
root 113 6 0 03:53 ? 00:00:00 [pdflush]
root 114 6 0 03:53 ? 00:00:00 [kswapd0]
root 115 6 0 03:53 ? 00:00:00 [aio/0]
root 810 6 0 03:54 ? 00:00:00 [kjournald]
root 966 1 0 03:54 ? 00:00:01 udevd --daemon
root 1238 6 0 03:55 ? 00:00:00 [kpsmoused]
root 1519 6 0 03:55 ? 00:00:00 [kmirrord]
root 1652 1 0 03:55 ? 00:00:00 dhclient3 -pf /var/run/dhclient.eth0.pid -lf /var/lib/dhcp3/dhclient.eth0.leases eth0
root 1851 1 0 03:56 ? 00:00:00 /sbin/syslogd
root 1857 1 0 03:56 ? 00:00:00 /sbin/klogd -x
root 1879 1 0 03:56 ? 00:00:00 /usr/sbin/sshd
root 1897 1 0 03:56 ? 00:00:00 /usr/sbin/cron
malware 1919 1 0 03:56 ? 00:00:00 boa -c /home/malware/zerowine/
root 1931 1 0 03:56 tty1 00:00:00 /bin/login --
root 1932 1 0 03:56 tty2 00:00:00 /sbin/getty 38400 tty2
root 1933 1 0 03:56 tty3 00:00:00 /sbin/getty 38400 tty3
root 1934 1 0 03:56 tty4 00:00:00 /sbin/getty 38400 tty4
root 1935 1 0 03:56 tty5 00:00:00 /sbin/getty 38400 tty5
root 1939 1 0 03:56 tty6 00:00:00 /sbin/getty 38400 tty6
root 1949 1931 0 04:00 tty1 00:00:00 -bash
root 1959 1949 0 04:00 tty1 00:00:00 hd
malware 1965 1919 6 04:29 ? 00:00:02 /usr/bin/python /home/malware/zerowine/cgi-bin/upload.py
malware 1966 1965 0 04:29 ? 00:00:00 /bin/sh /usr/bin/xvfb-run /home/malware/bin/malware_launcher.sh /tmp/vir/e00fd6129b643e8c576dbf03a6b662e9/malware.exe 30 /tmp/vir/e00fd6129b643e8c576dbf03a6b662e9/dump 1
malware 1977 1966 13 04:29 ? 00:00:04 Xvfb :99 -screen 0 640x480x8 -nolisten tcp
malware 1979 1966 0 04:29 ? 00:00:00 /bin/sh /home/malware/bin/malware_launcher.sh /tmp/vir/e00fd6129b643e8c576dbf03a6b662e9/malware.exe 30 /tmp/vir/e00fd6129b643e8c576dbf03a6b662e9/dump 1
malware 1998 1979 0 04:30 ? 00:00:00 ps -edf
Dumping proc 1966
['/home/malware/bin/dump_process.py', '1966', '/tmp/vir/e00fd6129b643e8c576dbf03a6b662e9/dump-1966']
*** Searching for process 'dump1'
Dumping proc 1979
['/home/malware/bin/dump_process.py', '1979', '/tmp/vir/e00fd6129b643e8c576dbf03a6b662e9/dump-1979']
*** Searching for process 'dump1'
Dumping proc 1999
['/home/malware/bin/dump_process.py', '1999', '/tmp/vir/e00fd6129b643e8c576dbf03a6b662e9/dump-1999']
Traceback (most recent call last):
File "/home/malware/bin/dump_process.py", line 150, in
main(int(sys.argv[1]), sys.argv[2])
File "/home/malware/bin/dump_process.py", line 134, in main
dbg.addProcess(pid, False)
File "/usr/lib/python2.5/site-packages/ptrace/debugger/debugger.py", line 74, in addProcess
process = PtraceProcess(self, pid, is_attached, parent=parent)
File "/usr/lib/python2.5/site-packages/ptrace/debugger/process.py", line 165, in __init__
self.attach()
File "/usr/lib/python2.5/site-packages/ptrace/debugger/process.py", line 182, in attach
ptrace_attach(self.pid)
File "/usr/lib/python2.5/site-packages/ptrace/binding/func.py", line 155, in ptrace_attach
ptrace(PTRACE_ATTACH, pid)
File "/usr/lib/python2.5/site-packages/ptrace/binding/func.py", line 148, in ptrace
raise PtraceError(message, errno=errno, pid=pid)
ptrace.error.PtraceError: ptrace(cmd=16, pid=1999, 0, 0) error #3: No such process




----------DOS_HEADER----------

[IMAGE_DOS_HEADER]
e_magic: 0x5A4D
e_cblp: 0x90
e_cp: 0x3
e_crlc: 0x0
e_cparhdr: 0x4
e_minalloc: 0x0
e_maxalloc: 0xFFFF
e_ss: 0x0
e_sp: 0xB8
e_csum: 0x0
e_ip: 0x0
e_cs: 0x0
e_lfarlc: 0x40
e_ovno: 0x0
e_res:
e_oemid: 0x0
e_oeminfo: 0x0
e_res2:
e_lfanew: 0xE0

----------NT_HEADERS----------

[IMAGE_NT_HEADERS]
Signature: 0x4550

----------FILE_HEADER----------

[IMAGE_FILE_HEADER]
Machine: 0x14C
NumberOfSections: 0x3
TimeDateStamp: 0x44D8240C [Tue Aug 8 05:41:32 2006 UTC]
PointerToSymbolTable: 0x0
NumberOfSymbols: 0x0
SizeOfOptionalHeader: 0xE0
Characteristics: 0x10F
Flags: IMAGE_FILE_LOCAL_SYMS_STRIPPED, IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_RELOCS_STRIPPED

----------OPTIONAL_HEADER----------

[IMAGE_OPTIONAL_HEADER]
Magic: 0x10B
MajorLinkerVersion: 0x6
MinorLinkerVersion: 0x0
SizeOfCode: 0xA000
SizeOfInitializedData: 0x3A000
SizeOfUninitializedData: 0x0
AddressOfEntryPoint: 0x9600
BaseOfCode: 0x1000
BaseOfData: 0xB000
ImageBase: 0x400000
SectionAlignment: 0x1000
FileAlignment: 0x1000
MajorOperatingSystemVersion: 0x4
MinorOperatingSystemVersion: 0x0
MajorImageVersion: 0x0
MinorImageVersion: 0x0
MajorSubsystemVersion: 0x4
MinorSubsystemVersion: 0x0
Reserved1: 0x0
SizeOfImage: 0x45000
SizeOfHeaders: 0x1000
CheckSum: 0x52D15
Subsystem: 0x2
DllCharacteristics: 0x0
SizeOfStackReserve: 0x100000
SizeOfStackCommit: 0x1000
SizeOfHeapReserve: 0x100000
SizeOfHeapCommit: 0x1000
LoaderFlags: 0x0
NumberOfRvaAndSizes: 0x10
DllCharacteristics:

----------PE Sections----------

[IMAGE_SECTION_HEADER]
Name: .text
Misc: 0x91C0
Misc_PhysicalAddress: 0x91C0
Misc_VirtualSize: 0x91C0
VirtualAddress: 0x1000
SizeOfRawData: 0xA000
PointerToRawData: 0x1000
PointerToRelocations: 0x0
PointerToLinenumbers: 0x0
NumberOfRelocations: 0x0
NumberOfLinenumbers: 0x0
Characteristics: 0x60000020
Flags: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Entropy: 5.694083 (Min=0.0, Max=8.0)
MD5 hash: 1f1847d78fb8eaefc24c80ae1c21fa5a
SHA-1 hash: 747a1a9039d3573bcdbd511b32c55b94fe4b5508
SHA-256 hash: daa9a356f1aa9e1960e9d30140154dcb1d6ce661f41a3007b3ee1d517832d627
SHA-512 hash: 409d81a78d4218905cdb5f25d97487e5efbebf6162adc4335f626cc25f91abb5c7d7731f6d5a35debf118d412e07faea3b0b602de4dd24ebbaf1b42351fb4987

[IMAGE_SECTION_HEADER]
Name: .data
Misc: 0x387B8
Misc_PhysicalAddress: 0x387B8
Misc_VirtualSize: 0x387B8
VirtualAddress: 0xB000
SizeOfRawData: 0x39000
PointerToRawData: 0xB000
PointerToRelocations: 0x0
PointerToLinenumbers: 0x0
NumberOfRelocations: 0x0
NumberOfLinenumbers: 0x0
Characteristics: 0xC0000040
Flags: IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Entropy: 6.597233 (Min=0.0, Max=8.0)
MD5 hash: dc7c0a1442d1b0516c6a1c10772a2567
SHA-1 hash: 4d4ee9200bce670e641b223c7864c2e4691f9c94
SHA-256 hash: f3ba616d69921d0f693b706af198014284e2eccdfdeb659328d878e791d66539
SHA-512 hash: 4a51f5b57a8257f8cfb80b06a557fdf8e59d3f8318d08b0c84b82d9aa79a79a73c9e063136c7fe136425332a2281b4a1905c3ece29857d6d7598ff5fba447fe2

[IMAGE_SECTION_HEADER]
Name: .rsrc
Misc: 0xF38
Misc_PhysicalAddress: 0xF38
Misc_VirtualSize: 0xF38
VirtualAddress: 0x44000
SizeOfRawData: 0x1000
PointerToRawData: 0x44000
PointerToRelocations: 0x0
PointerToLinenumbers: 0x0
NumberOfRelocations: 0x0
NumberOfLinenumbers: 0x0
Characteristics: 0x40000040
Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Entropy: 3.197878 (Min=0.0, Max=8.0)
MD5 hash: 32e09078b595d43301476cbfe9c9293b
SHA-1 hash: 6fa704dd2933091916f9c962bca5130cbb3b0710
SHA-256 hash: 9abac1c2e38c96758080e677ced0b28d7cec818afb81102ddc3744d7e4f0dcf5
SHA-512 hash: 5917ea794d43728b86c988d835cbe3eb51faf7f62b5cb4a16d271b7ca4169fec8241afd32cb720b0f39cd5edaae62d40a52796827d27b08fe7b6dd00f99714be

----------Directories----------

[IMAGE_DIRECTORY_ENTRY_EXPORT]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_IMPORT]
VirtualAddress: 0x435DC
Size: 0x28
[IMAGE_DIRECTORY_ENTRY_RESOURCE]
VirtualAddress: 0x44000
Size: 0xF38
[IMAGE_DIRECTORY_ENTRY_EXCEPTION]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_SECURITY]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_BASERELOC]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_DEBUG]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_COPYRIGHT]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_GLOBALPTR]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_TLS]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_IAT]
VirtualAddress: 0xB000
Size: 0x54
[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_RESERVED]
VirtualAddress: 0x0
Size: 0x0

----------Version Information----------

[VS_VERSIONINFO]
Length: 0x220
ValueLength: 0x34
Type: 0x0

[VS_FIXEDFILEINFO]
Signature: 0xFEEF04BD
StrucVersion: 0x10000
FileVersionMS: 0x70008
FileVersionLS: 0x9
ProductVersionMS: 0x70008
ProductVersionLS: 0x9
FileFlagsMask: 0x3F
FileFlags: 0x0
FileOS: 0x40004
FileType: 0x1
FileSubtype: 0x0
FileDateMS: 0x0
FileDateLS: 0x0

[StringFileInfo]
Length: 0x17E
ValueLength: 0x0
Type: 0x1

[StringTable]
Length: 0x15A
ValueLength: 0x0
Type: 0x1
LangID: 040904b0

FileVersion: 7, 8, 0, 9
CompanyName: aplanir
Comments: powerboat
ProductName: marketing
ProductVersion: 7, 8, 0, 9
FileDescription: subsecuente

[VarFileInfo]
Length: 0x44
ValueLength: 0x0
Type: 0x1

[Var]
Length: 0x24
ValueLength: 0x4
Type: 0x0
Translation: 0x0409 0x04b0

----------Imported symbols----------

[IMAGE_IMPORT_DESCRIPTOR]
OriginalFirstThunk: 0x43604
Characteristics: 0x43604
TimeDateStamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
ForwarderChain: 0x0
Name: 0x437AA
FirstThunk: 0xB000

KERNEL32.dll.lstrlenA Hint[959]
KERNEL32.dll.VirtualAlloc Hint[885]
KERNEL32.dll.GetCommandLineA Hint[264]
KERNEL32.dll.LeaveCriticalSection Hint[583]
KERNEL32.dll.GetCurrentProcessId Hint[315]
KERNEL32.dll.WaitForSingleObject Hint[901]
KERNEL32.dll.GetVersionExA Hint[479]
KERNEL32.dll.CreateFileA Hint[77]
KERNEL32.dll.SetEndOfFile Hint[773]
KERNEL32.dll.GetThreadLocale Hint[464]
KERNEL32.dll.ExitProcess Hint[175]
KERNEL32.dll.HeapDestroy Hint[522]
KERNEL32.dll.QueryPerformanceCounter Hint[665]
KERNEL32.dll.FreeLibrary Hint[239]
KERNEL32.dll.DeleteFileA Hint[124]
KERNEL32.dll.ReadFile Hint[683]
KERNEL32.dll.GetModuleHandleA Hint[375]
KERNEL32.dll.TlsFree Hint[855]
KERNEL32.dll.LCMapStringA Hint[570]
KERNEL32.dll.GetCurrentProcess Hint[314]

----------Resource directory----------

[IMAGE_RESOURCE_DIRECTORY]
Characteristics: 0x0
TimeDateStamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
MajorVersion: 0x0
MinorVersion: 0x0
NumberOfNamedEntries: 0x0
NumberOfIdEntries: 0x2
Id: [0x6] (RT_STRING)
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
Name: 0x6
OffsetToData: 0x80000020
[IMAGE_RESOURCE_DIRECTORY]
Characteristics: 0x0
TimeDateStamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
MajorVersion: 0x0
MinorVersion: 0x0
NumberOfNamedEntries: 0x0
NumberOfIdEntries: 0x2
Id: [0x1]
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
Name: 0x1
OffsetToData: 0x80000058
[IMAGE_RESOURCE_DIRECTORY]
Characteristics: 0x0
TimeDateStamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
MajorVersion: 0x0
MinorVersion: 0x0
NumberOfNamedEntries: 0x0
NumberOfIdEntries: 0x1
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
Name: 0x409
OffsetToData: 0xA0
[IMAGE_RESOURCE_DATA_ENTRY]
OffsetToData: 0x442F0
Size: 0x700
CodePage: 0x0
Reserved: 0x0
Id: [0x2]
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
Name: 0x2
OffsetToData: 0x80000070
[IMAGE_RESOURCE_DIRECTORY]
Characteristics: 0x0
TimeDateStamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
MajorVersion: 0x0
MinorVersion: 0x0
NumberOfNamedEntries: 0x0
NumberOfIdEntries: 0x1
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
Name: 0x409
OffsetToData: 0xB0
[IMAGE_RESOURCE_DATA_ENTRY]
OffsetToData: 0x449F0
Size: 0x546
CodePage: 0x0
Reserved: 0x0

Id: [0x10] (RT_VERSION)
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
Name: 0x10
OffsetToData: 0x80000040
[IMAGE_RESOURCE_DIRECTORY]
Characteristics: 0x0
TimeDateStamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
MajorVersion: 0x0
MinorVersion: 0x0
NumberOfNamedEntries: 0x0
NumberOfIdEntries: 0x1
Id: [0x1]
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
Name: 0x1
OffsetToData: 0x80000088
[IMAGE_RESOURCE_DIRECTORY]
Characteristics: 0x0
TimeDateStamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
MajorVersion: 0x0
MinorVersion: 0x0
NumberOfNamedEntries: 0x0
NumberOfIdEntries: 0x1
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
Name: 0x409
OffsetToData: 0xC0
[IMAGE_RESOURCE_DATA_ENTRY]
OffsetToData: 0x440D0
Size: 0x220
CodePage: 0x0
Reserved: 0x0