
Malware Analysis

This report covers two samples. The servicemain_exe file contains functionality for modifying services, modifying the execution of threads in other processes, querying local/system time and the Windows version, starting Windows services, reading software policies, checking whether a debugger is present, and injecting threads into other processes; it also references several files and registry keys. The Treygen_dll file performs an outbound HTTP GET request and imports IsDebuggerPresent.

Uploaded by Viren Choudhari

servicemain_exe file analysis

- Contains functionality to modify services (start/stop/modify):
  StartServiceCtrlDispatcherA

- Contains functionality to modify the execution of threads in other processes:
  OpenProcess, GetLastError, wsprintfA, MessageBoxA, lstrlenA, VirtualAllocEx, WriteProcessMemory, GetModuleHandleA, GetProcAddress, CreateRemoteThread, CloseHandle

- Contains functionality to query local / system time:
  GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, RtlQueryPerformanceCounter

- Contains functionality to query the Windows version:
  HeapCreate, GetVersion, HeapSetInformation

- Contains functionality to start Windows services:
  StartServiceCtrlDispatcherA

- Reads software policies:
  Value HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

- Contains functionality to check if a debugger is running (IsDebuggerPresent):
  RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter

- Contains functionality to inject threads into other processes:
  OpenProcess, GetLastError, wsprintfA, MessageBoxA, lstrlenA, VirtualAllocEx, WriteProcessMemory, GetModuleHandleA, GetProcAddress, CreateRemoteThread, CloseHandle

Weighting these hits: the time and process-ID group, GetVersion together with the heap calls, and the RtlCaptureContext / IsDebuggerPresent / UnhandledExceptionFilter group are what the Visual C++ runtime's start-up code (security-cookie seeding and the unhandled-exception path) imports into every binary it links, so on their own they are weak evidence of intent. The sequence OpenProcess, VirtualAllocEx, WriteProcessMemory and CreateRemoteThread is the classic remote-thread injection chain, and StartServiceCtrlDispatcherA means the binary is written to run under the Service Control Manager; those two are the findings worth confirming with a closer look at the code.
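The mapping from an import list to the capability labels above is rule-based triage of the kind a sandbox performs. The following Python is an added example written for this page, not the sandbox's own signature logic: the import set is copied from the report, while the rules, the "strong"/"weak" labels and the downgrade of hits that coincide with the Visual C++ runtime's start-up imports are this example's own assumptions about which combinations carry weight.

```python
"""Capability triage over an import list (added example, not sandbox code)."""
from __future__ import annotations

# Constructed input: the imports this report attributes to servicemain_exe.
SERVICEMAIN_IMPORTS = {
    "StartServiceCtrlDispatcherA",
    "OpenProcess", "GetLastError", "wsprintfA", "MessageBoxA", "lstrlenA",
    "VirtualAllocEx", "WriteProcessMemory", "GetModuleHandleA",
    "GetProcAddress", "CreateRemoteThread", "CloseHandle",
    "GetSystemTimeAsFileTime", "GetCurrentProcessId", "GetCurrentThreadId",
    "GetTickCount", "RtlQueryPerformanceCounter",
    "HeapCreate", "GetVersion", "HeapSetInformation",
    "RtlCaptureContext", "RtlLookupFunctionEntry", "RtlVirtualUnwind",
    "IsDebuggerPresent", "SetUnhandledExceptionFilter",
    "UnhandledExceptionFilter",
}

# Each rule: (capability, imports that must ALL be present, confidence).
# "strong": the combination only makes sense for the named behaviour.
# "weak":   the same symbols are imported by ordinary runtime code too.
# (Assumed rule set for this example.)
RULES = [
    ("remote thread injection",
     {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
     "strong"),
    ("runs as a Windows service", {"StartServiceCtrlDispatcherA"}, "strong"),
    ("debugger check", {"IsDebuggerPresent"}, "weak"),
    ("time / performance-counter query",
     {"GetSystemTimeAsFileTime", "GetTickCount", "RtlQueryPerformanceCounter"},
     "weak"),
    ("Windows version query", {"GetVersion"}, "weak"),
]

# Symbols that the Visual C++ runtime's security-cookie initialiser and
# unhandled-exception path pull in.  When all of them are present, the
# "weak" hits above are most likely that boilerplate rather than intent.
CRT_STARTUP_SET = {
    "GetSystemTimeAsFileTime", "GetCurrentProcessId", "GetCurrentThreadId",
    "GetTickCount", "RtlCaptureContext", "RtlLookupFunctionEntry",
    "RtlVirtualUnwind", "IsDebuggerPresent", "SetUnhandledExceptionFilter",
    "UnhandledExceptionFilter",
}


def triage(imports: set[str]) -> dict[str, str]:
    """Map an import set to {capability: confidence}.

    A rule fires only when every required import is present.  Weak hits are
    relabelled "crt-boilerplate" when the full CRT start-up set is also
    present, which is the usual reason those symbols appear at all.
    """
    crt_present = CRT_STARTUP_SET <= imports
    hits: dict[str, str] = {}
    for capability, required, confidence in RULES:
        if required <= imports:
            if confidence == "weak" and crt_present:
                confidence = "crt-boilerplate"
            hits[capability] = confidence
    return hits


def strong_hits(imports: set[str]) -> list[str]:
    """Capabilities that deserve a manual look, in a stable order."""
    return sorted(c for c, conf in triage(imports).items() if conf == "strong")


if __name__ == "__main__":
    for capability, confidence in triage(SERVICEMAIN_IMPORTS).items():
        print(f"{confidence:16} {capability}")
```

Run against the report's import set, the two strong hits are the injection chain and the service entry point; the debugger, time and version hits come back as crt-boilerplate because the complete runtime start-up set is present alongside them. A partial set (for example only OpenProcess and VirtualAllocEx) fires nothing, which is the intended behaviour: a single API is rarely a capability.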

FILES

C:\Windows\SYSTEM32\sechost.dll
C:\Users\user\Desktop
C:\Windows\system32\IMM32.DLL
C:\Users\user\Desktop\

sechost.dll is the library behind the service control API, which is consistent with the StartServiceCtrlDispatcherA import; the other entries are the sandbox's working directory and a standard input-method library loaded by user32.

REGISTRY KEYS

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Sorting\Versions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Error Message Instrument\
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Srp\GP\DLL
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
unknown
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SYSTEM\Setup
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option

The report does not say whether these keys were read or written. Almost all of them (the Safer/CodeIdentifiers and Srp policy keys, Image File Execution Options, SQMClient, Nls\Sorting, Session Manager, ComputerName, Rpc, SafeBoot, GRE_Initialize) are consulted by the loader, GDI/user32 initialisation, the C runtime and RPC during ordinary process start-up, so they describe the sandbox environment rather than the sample's intent unless a fuller trace shows the sample writing to one of them.

Treygen_dll file analysis

Outbound HTTP GET:

http://www.zeff.jp:80/image/about/image_bs.php?rsv_bk=UUEzNDAxNzI0REIzQTU=&wds=NjQxMmFuZFN1blNoaW5l0e2da

Executable imports the IsDebuggerPresent symbol. On its own that is a weak indicator, since the Visual C++ runtime imports it as well; the outbound request, with its two opaque query values rsv_bk and wds, is the stronger lead for this sample.
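Both query values consist only of base64-alphabet characters and rsv_bk ends in "=" padding, so base64 is the first decoding worth trying. The Python below is an added example for this page, not code from the report or the sample: it takes the request as recorded (the plain http://www.zeff.jp URL, with no proxy prefix, which is an assumption) and decodes each parameter, keeping any trailing characters that do not decode instead of failing on them. Whether the decoded strings are a host identifier, a campaign tag or something else cannot be determined from the report.

```python
"""Decode the query parameters of the Treygen_dll beacon URL (added example)."""
from __future__ import annotations

import base64
import binascii
import re
from urllib.parse import urlsplit

# The request from the report, assumed to be exactly what the sandbox recorded.
BEACON_URL = (
    "http://www.zeff.jp:80/image/about/image_bs.php"
    "?rsv_bk=UUEzNDAxNzI0REIzQTU=&wds=NjQxMmFuZFN1blNoaW5l0e2da"
)

_B64_RUN = re.compile(r"[A-Za-z0-9+/]*")


def decode_printable_prefix(value: str) -> tuple[str, str]:
    """Return (decoded_text, undecoded_tail) for a value that may be base64.

    Starts from the full value and shortens it one character at a time,
    returning the longest prefix that both decodes as base64 and yields
    printable ASCII.  Clean base64 decodes completely (empty tail); a value
    with a non-base64 suffix, or with extra bytes appended after the encoded
    text, yields the readable part plus the leftover characters so the
    analyst sees what did not decode instead of a bare exception.
    """
    core = _B64_RUN.match(value.rstrip("=")).group(0)
    for cut in range(len(core), 0, -1):
        chunk = core[:cut]
        if len(chunk) % 4 == 1:        # one leftover sextet can never be valid base64
            continue
        try:
            raw = base64.b64decode(chunk + "=" * (-len(chunk) % 4))
        except binascii.Error:
            continue
        if all(0x20 <= b < 0x7F for b in raw):
            return raw.decode("ascii"), value[len(chunk):].lstrip("=")
    return "", value


def parse_beacon(url: str) -> dict:
    """Split the URL and run decode_printable_prefix over every query value.

    The query is split by hand rather than with urllib.parse.parse_qsl,
    which would turn a '+' inside a base64 value into a space.
    """
    parts = urlsplit(url)
    params = {}
    for pair in parts.query.split("&"):
        if not pair:
            continue
        name, _, raw = pair.partition("=")
        text, tail = decode_printable_prefix(raw)
        params[name] = {"raw": raw, "decoded": text, "tail": tail}
    return {"host": parts.hostname, "port": parts.port,
            "path": parts.path, "params": params}


if __name__ == "__main__":
    info = parse_beacon(BEACON_URL)
    print(f"{info['host']}:{info['port']} GET {info['path']}")
    for name, p in info["params"].items():
        print(f"  {name}: {p['raw']} -> {p['decoded']!r} (tail {p['tail']!r})")
```

rsv_bk decodes cleanly; wds decodes only for its first 20 characters, after which the bytes stop being printable, so the function reports the readable part and hands back the five-character remainder for the analyst to look at separately. The decoder only knows the standard alphabet; a value using the URL-safe "-" and "_" variant would need the alphabet and base64.urlsafe_b64decode swapped in.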
