Free ExifTool 12.67 for iphone download
4/11/2024

File: Nfile.asp
Size: 67080
MD5: 2866C12CE666D6B15FC6E32D968BA57B
Downloaded binary. There is an 8-byte padding ( 36 37 30 37 32 00 D3 77 ) before the PE header; remove it and you get MD5: A3D3B0686E7BD13293AD0E63EBEC67AF, the main NFlog trojan.

Abbreviated timeline and created files, including activities during stage 2 of the attack. Note that the 2nd stage starts more than an hour after the infection.

File: CAServer.exe
Size: 62976
MD5: 4FB872E0D0FC1A016C93C573A976D85D
Dropper for the backdoor service installer.

The trojan collects all system logs and data and uploads them to the C2 server in a very verbose form, as you see below.

ET signatures exist for the traffic patterns. Trojan Nflog was covered more than once before on Contagio and other sources.

Mutexes:
MutexObject iexplore.exe 1348 (iexplore.exe)
ShimCacheMutex iexplore.exe 1348 (iexplore.exe)
%temp% Loop_KeyboardManager
%temp%\keybyd.dat Loop_HookKeyboard

Gh0st 3.6 source code (go up the path to see other files). Read here: McAfee - Anatomy of a Gh0st Rat.

Process terminated: C:\WINDOWS\system32\cmd.exe -> .OFFICE11\EXCEL.EXE

File strings and system calls suggest it is a version of Gh0st RAT with keylogging.

File Write C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE -> %Temp%\Excel8.0\MSComctlLib.exd
File Write C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE -> %Temp%\set.xls
File Write C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE -> %Temp%\ews.exe
File Write %Temp%\ews.exe -> %Application Data%\iexplore.exe
File Write %Temp%\ews.exe -> %Temp%\Del.bat
File Write %Temp%\ews.exe -> C:\WINDOWS\system32\srvlic.dll
File Write %Temp%\ews.exe -> %Temp%\keybyd.dat
File Write C:\WINDOWS\system32\cmd.exe -> \deleted_files\Del.bat
File Write %Application Data%\iexplore.exe -> %Temp%\syslog.dat