File strings and system calls suggest it is a version of Gh0st RAT with a keylogger. For comparison, see the Gh0st 3.6 source code (go up the path to see other files) and McAfee's paper "Anatomy of a Gh0st RAT". Trojan Nflog was covered more than once before on Contagio and other sources.

Files written during execution (sandbox record, writer -> file written):

File Write  C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE -> %Temp%\Excel8.0\MSComctlLib.exd
File Write  C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE -> %Temp%\set.xls
File Write  C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE -> %Temp%\ews.exe
File Write  %Temp%\ews.exe -> %Application Data%\iexplore.exe
File Write  %Temp%\ews.exe -> %Temp%\Del.bat
File Write  %Temp%\ews.exe -> C:\WINDOWS\system32\srvlic.dll
File Write  %Temp%\ews.exe -> %Temp%\keybyd.dat
File Write  C:\WINDOWS\system32\cmd.exe -> \deleted_files\Del.bat
File Write  %Application Data%\iexplore.exe -> %Temp%\syslog.dat
Process terminated  C:\WINDOWS\system32\cmd.exe -> .OFFICE11\EXCEL.EXE

Read as a chain: the Excel document drops ews.exe into %Temp%; ews.exe installs the payload as %Application Data%\iexplore.exe (the browser's file name, but under the user profile rather than Program Files), drops srvlic.dll into system32 and keybyd.dat into %Temp%, then writes Del.bat, which cmd.exe runs and removes (the usual dropper clean-up). The installed iexplore.exe is the component that later writes %Temp%\syslog.dat.

Mutexes (owner process iexplore.exe, PID 1348):

MutexObject  iexplore.exe  1348 (iexplore.exe)
ShimCacheMutex  iexplore.exe  1348 (iexplore.exe)
Loop_KeyboardManager
Loop_HookKeyboard

Loop_KeyboardManager and Loop_HookKeyboard are the keyboard-hook component's mutexes; its output file is %temp%\keybyd.dat. ShimCacheMutex is a standard Windows application-compatibility mutex and is not a useful indicator on its own.

The trojan collects all system logs and data and uploads them to the C2 server in a very verbose form, as you see below. ET signatures exist for the traffic patterns.
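The drop chain above is the kind of thing a sandbox or EDR rule should flag without knowing the hashes. The script below is an added example, not code from the post or from any vendor: it parses the "File Write SRC -> DST" records exactly as listed, rebuilds the writer-to-file graph from EXCEL.EXE, and reports the four behaviours that make this sample stand out (an Office process writing an .exe to %Temp%, a %Temp% executable installing a browser-named binary under the user profile, a DLL landing in system32, and a .bat that cmd.exe runs and deletes). The thresholds and name lists are assumptions chosen for this record, not part of the original analysis.

```python
import re
from collections import defaultdict

# The sandbox records from the post, copied verbatim (writer -> file written).
EVENTS = r"""
File Write C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE -> %Temp%\Excel8.0\MSComctlLib.exd
File Write C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE -> %Temp%\set.xls
File Write C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE -> %Temp%\ews.exe
File Write %Temp%\ews.exe -> %Application Data%\iexplore.exe
File Write %Temp%\ews.exe -> %Temp%\Del.bat
File Write %Temp%\ews.exe -> C:\WINDOWS\system32\srvlic.dll
File Write %Temp%\ews.exe -> %Temp%\keybyd.dat
File Write C:\WINDOWS\system32\cmd.exe -> \deleted_files\Del.bat
File Write %Application Data%\iexplore.exe -> %Temp%\syslog.dat
"""

LINE_RE = re.compile(r"^(File Write|Process terminated)\s+(.+?)\s*->\s*(.+)$")

# Assumed name lists for the rules; extend for your own environment.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
BROWSER_NAMES = {"iexplore.exe", "firefox.exe", "chrome.exe"}


def parse_events(text):
    """Return (action, src, dst) triples; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2).strip(), m.group(3).strip()))
    return out


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_temp(path):
    return path.lower().startswith("%temp%")


def is_appdata(path):
    p = path.lower()
    return p.startswith("%application data%") or "\\application data\\" in p


def is_system32(path):
    return "\\system32\\" in path.lower()


def analyze(events):
    """Apply the four behavioural rules and return human-readable findings."""
    findings = []
    writes = [(s, d) for a, s, d in events if a == "File Write"]
    dropped_by = defaultdict(set)          # file basename -> writers
    for s, d in writes:
        dropped_by[basename(d)].add(basename(s))

    for src, dst in writes:
        sb, db = basename(src), basename(dst)
        # Rule 1: Office application writes an executable into %Temp%.
        if sb in OFFICE_APPS and is_temp(dst) and db.endswith(".exe"):
            findings.append(f"office-drops-exe: {sb} wrote {dst}")
        if is_temp(src) and sb.endswith(".exe"):
            # Rule 2: %Temp% dropper installs a browser-named binary under the profile.
            if is_appdata(dst) and db in BROWSER_NAMES:
                findings.append(f"browser-name-masquerade: {src} wrote {dst}")
            # Rule 3: %Temp% dropper places a DLL in system32.
            if is_system32(dst) and db.endswith(".dll"):
                findings.append(f"system32-dll-drop: {src} wrote {dst}")
        # Rule 4: a batch file ends up in deleted_files via cmd.exe (self clean-up).
        if sb == "cmd.exe" and db.endswith(".bat") and "deleted_files" in dst.lower():
            writers = sorted(dropped_by.get(db, set()) - {"cmd.exe"})
            findings.append(f"self-delete-batch: {db} written by {writers} then removed via cmd.exe")
    return findings


def drop_chain(events, root="excel.exe"):
    """Breadth-first walk of writer -> written-file edges from ROOT. A dropped
    file that later shows up as a writer (ews.exe, iexplore.exe) extends the chain."""
    edges = defaultdict(list)
    for a, s, d in events:
        if a == "File Write":
            edges[basename(s)].append(basename(d))
    seen, order, queue = set(), [], [root]
    while queue:
        cur = queue.pop(0)
        for child in edges.get(cur, []):
            if child not in seen:
                seen.add(child)
                order.append(child)
                queue.append(child)
    return order


if __name__ == "__main__":
    ev = parse_events(EVENTS)
    print("chain:", " -> ".join(drop_chain(ev)))
    for f in analyze(ev):
        print(f)
```

Note that cmd.exe's write of Del.bat is deliberately excluded from the chain walk: cmd.exe is not a descendant of EXCEL.EXE in this record, so the walk reports only what the document itself caused, while rule 4 still ties the batch file back to ews.exe through the writer index.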
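The traffic signatures mentioned above key on Gh0st's framing. As an added illustration (my code, not the post's and not verified against this particular sample), the block below builds and parses packets in the layout of the public Gh0st 3.6 source: a 5-byte flag ("Gh0st" by default), a little-endian total length that includes the 13-byte header, the uncompressed length, then zlib-compressed data. Variants routinely change the 5-byte flag, so the parser takes it as a parameter and rejects a stream whose flag or lengths do not line up; the sample payload is constructed here and is not a capture from this trojan.

```python
import struct
import zlib

DEFAULT_FLAG = b"Gh0st"   # flag from the public 3.6 source; variants change it
HEADER_LEN = 13           # 5-byte flag + 4-byte total length + 4-byte original length


def build_packet(payload, flag=DEFAULT_FLAG):
    """Frame PAYLOAD as the 3.6 client does: flag, total length (header included),
    uncompressed length, zlib body. Lengths are little-endian as on x86."""
    if len(flag) != 5:
        raise ValueError("flag must be exactly 5 bytes")
    body = zlib.compress(payload)
    return flag + struct.pack("<II", HEADER_LEN + len(body), len(payload)) + body


def parse_packet(buf, flag=DEFAULT_FLAG):
    """Decode one packet from the front of BUF.
    Returns (payload, remaining_bytes); raises ValueError on bad framing."""
    if len(buf) < HEADER_LEN:
        raise ValueError("short header")
    if buf[:5] != flag:
        raise ValueError("flag mismatch")
    total, orig = struct.unpack("<II", buf[5:HEADER_LEN])
    if total < HEADER_LEN or total > len(buf):
        raise ValueError("total length inconsistent with buffer")
    try:
        data = zlib.decompress(buf[HEADER_LEN:total])
    except zlib.error as e:
        raise ValueError(f"zlib body invalid: {e}")
    if len(data) != orig:
        raise ValueError("decompressed length does not match header")
    return data, buf[total:]


def split_stream(buf, flag=DEFAULT_FLAG):
    """Walk a TCP stream made of back-to-back packets and return the payloads."""
    payloads = []
    while buf:
        payload, buf = parse_packet(buf, flag)
        payloads.append(payload)
    return payloads


def is_valid(buf, flag=DEFAULT_FLAG):
    """True if BUF is a well-formed sequence of packets under FLAG."""
    try:
        split_stream(buf, flag)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: the kind of verbose log text the post describes being uploaded.
    sample = b"[syslog] user=lab host=XP-VM keys=hello world\r\n" * 4
    wire = build_packet(sample)
    print(len(sample), "bytes compressed to", len(wire) - HEADER_LEN, "on the wire")
    print(parse_packet(wire)[0] == sample)
```

The length check matters in practice: a detector that trusts the total-length field and slices past the end of its buffer can be made to raise or hang by a crafted C2 reply, so the parser refuses anything the buffer cannot contain before it touches zlib.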