Pay-Per-Install Analysis – Part Four
GoldInstall
Next we have a company called GoldInstall.
This is how much they pay per 1,000 installs, by country (OTH is presumably the catch-all rate for countries not listed):

Country  Price per 1,000 installs
OTH      $13
US       $150
GB       $110
CA       $110
DE       $30
BE       $20
IT       $65
CH       $20
CZ       $20
DK       $20
ES       $30
AU       $55
FR       $30
NL       $20
NO       $20
PT       $30

All of the following pay $6:
LB, AL, LA, AF, KZ, AE, LU, AZ, BD, BH, MN, MO, BN, MV, BT, MY, NP, CN, OM, PH, PK, CY, QA, SA, SG, SY, TW, TH, FJ, TM, HK, ID, IL, IN, UZ, IQ, IR, VN, YE, JO, JP, KH, KP, KR, KW
One thing I found quite funny was these two entries in their FAQ.
Is your software a virus?
Definitely not! We don’t do anything against the computer owner. If they choose to use a Goldinstall-supported service, it is identical to accepting the mechanisms we bring (such as popup advertisements). It’s just as simple as that.
So why does my antivirus classify you as trojan/worm/virus?
AV companies have a good interest in convincing you that the Internet is an insecure place full of danger, and that almost nothing is worthy of any trust (unless you use their products). We don’t share such views.
So let me get this right: AVs are wrong to detect an application that silently downloads and executes other malware? One of the payloads in my tests was a rootkit, which incidentally had “botnet” in its internal PDB path.
List of strings from the dropper, which was only packed with UPX and compiled with Visual Basic 6.0.
0x000001B0 0x00000005 .text
0x000001D7 0x00000006 `.data
0x00000200 0x00000005 .rsrc
0x0000127C 0x0000000C AutoDownload
0x0000128D 0x00000007 = 3
0x000012D4 0x0000000E lientWidSocket
0x00001368 0x00000005 Form1
0x00001372 0x00000005 Form1
0x00001589 0x0000000A DDDDDDDDD@
0x0000168B 0x00000005 Form1
0x000016AD 0x00000006 Timer3
0x000016CE 0x00000008 dpsocket
0x000016DA 0x00000013 AutoDownload.Socket
0x00001752 0x00000005 Text1
0x00001773 0x00000006 Timer2
0x00001795 0x0000000B WebBrowser1
0x000017A4 0x00000015 SHDocVwCtl.WebBrowser
0x00001874 0x00000006 Timer1
0x00001896 0x0000000A vb6chs.dll
0x00001911 0x0000000C AutoDownload
0x000022B8 0x0000004A *\AS:\Worker\tempvbp\AutoDownload.vbp
0x000025C9 0x00000013 AutoDownload.Socket
0x000025DD 0x00000006 Socket
0x00002760 0x0000000A ReadyState
0x0000276B 0x0000000B shdocvw.dll
0x00002777 0x00000015 SHDocVwCtl.WebBrowser
0x0000278D 0x0000000A WebBrowser
0x00004700 0x00000009 moduleAPI
0x0000470C 0x0000000E moduleRegister
0x0000471C 0x0000000D moduleWinInet
0x0000472C 0x00000005 Form1
0x00004734 0x00000013 classApplicationLog
0x00004748 0x00000007 Module1
0x00004750 0x00000007 Module2
0x00004758 0x0000000F modSocketMaster
0x00004768 0x0000000D CSocketMaster
0x00004778 0x00000006 Socket
0x00004780 0x0000000C AutoDownload
0x00004794 0x00000014 USER32.DLL
0x000047B0 0x00000018 KERNEL32.DLL
0x000047D0 0x00000018 ADVAPI32.DLL
0x000047F0 0x00000016 WININET.DLL
0x0000482C 0x00000008 kernel32
0x0000483C 0x0000000C GetLastError
0x0000484C 0x0000000B WebBrowser1
0x00004890 0x0000000C LoadLibraryA
0x000048D8 0x0000000E GetProcAddress
0x00004920 0x00000006 user32
0x0000492C 0x0000000F CallWindowProcA
0x00004974 0x0000000B FreeLibrary
0x000049B8 0x0000000D RtlMoveMemory
0x00004A18 0x00000006 Timer3
0x00004A64 0x00000008 VBA6.DLL
0x00004A74 0x0000000D InternetOpenA
0x00004AB0 0x0000001A RegOpenKeyExA
0x00004AD0 0x00000007 wininet
0x00004B20 0x00000013 InternetCloseHandle
0x00004B6C 0x00000010 InternetOpenUrlA
0x00004BB8 0x0000000B wininet.dll
0x00004BC8 0x0000000E HttpQueryInfoA
0x00004C10 0x00000010 InternetReadFile
0x00004C5C 0x00000012 InternetSetOptionA
0x00004D1C 0x00000035 C:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
0x00004D8C 0x00000005 Text1
0x00004DB4 0x0000001F C:\WINDOWS\system32\shdocvw.oca
0x00004DD4 0x0000000A SHDocVwCtl
0x00004E18 0x00000009 udpsocket
0x00004E24 0x00000006 Timer1
0x00004E2C 0x00000006 Timer2
0x00004E38 0x0000000C advapi32.dll
0x00004E4C 0x0000000D RegCreateKeyA
0x00004E94 0x0000000E RegSetValueExA
0x00004EDC 0x0000000B RegCloseKey
0x00004F20 0x0000000B RegOpenKeyA
0x00004F64 0x00000005 Sleep
0x00004FA4 0x0000000B shell32.dll
0x00004FB4 0x00000010 SHGetFolderPathA
0x00004FFC 0x0000000D kjgfrtxdgqe63
0x00005014 0x00000007 udpstop
0x0000501C 0x0000000A Decryption
0x00005028 0x00000007 GetItem
0x00005030 0x00000007 SetItem
0x00005038 0x0000000C SaveFileText
0x00005048 0x0000000C ReadFileText
0x00005058 0x0000000E IsWowInstalled
0x00005068 0x0000000C firstfucktag
0x00005078 0x00000007 SConfig
0x000050E4 0x0000000B GlobalAlloc
0x000050F0 0x0000000C SocketHandle
0x00005100 0x00000007 connect
0x00005140 0x0000000A GlobalFree
0x00005184 0x0000000A ws2_32.dll
0x00005194 0x0000000A WSAStartup
0x000051D8 0x0000000A WSACleanup
0x0000521C 0x00000015 WSAAsyncGetHostByName
0x0000526C 0x0000000E WSAAsyncSelect
0x000052B4 0x0000000F CreateWindowExA
0x000052C4 0x00000008 CloseSck
0x00005308 0x0000000D DestroyWindow
0x00005350 0x00000008 lstrlenA
0x00005394 0x00000008 lstrcpyA
0x000053D8 0x00000008 SetTimer
0x0000541C 0x00000009 KillTimer
0x00005460 0x00000008 IsWindow
0x0000547C 0x0000000D BytesReceived
0x000054CC 0x0000000E GetWindowLongA
0x00005514 0x0000000E SetWindowLongA
0x0000555C 0x00000010 GetModuleHandleA
0x00005640 0x00000005 Class
0x00005648 0x00000008 Protocol
0x00005654 0x00000022 C:\WINDOWS\system32\msvbvm60.dll\3
0x00005678 0x00000005 VBRUN
0x000056AC 0x00000006 socket
0x000056EC 0x0000000A GlobalLock
0x00005730 0x0000000C GlobalUnlock
0x00005778 0x00000005 htons
0x000057B8 0x00000005 ntohs
0x000057F8 0x00000007 connect
0x00005844 0x0000000B gethostname
0x00005888 0x0000000D gethostbyname
0x00005910 0x0000000B getsockname
0x00005954 0x0000000B getpeername
0x00005998 0x00000009 inet_addr
0x00005A10 0x00000006 sendto
0x00005A50 0x0000000A getsockopt
0x00005A94 0x0000000A setsockopt
0x00005B18 0x00000008 recvfrom
0x00005B5C 0x00000015 WSACancelAsyncRequest
0x00005B74 0x00000005 State
0x00005B7C 0x0000000D LocalHostName
0x00005B8C 0x00000007 LocalIP
0x00005BD0 0x00000006 listen
0x00005C10 0x00000006 accept
0x00005C50 0x00000009 inet_ntoa
0x00005C94 0x0000000B ioctlsocket
0x00005CD8 0x0000000B closesocket
0x00005D18 0x00000007 WndProc
0x00005D20 0x0000000A RemotePort
0x00005D2C 0x0000000A RemoteHost
0x00005D38 0x0000000C RemoteHostIP
0x00005D48 0x00000009 LocalPort
0x00005D58 0x00000008 SendData
0x00005D64 0x00000007 GetData
0x00005D6C 0x00000008 PeekData
0x00005D78 0x00000006 Listen
0x00005D80 0x00000006 Accept
0x00005D88 0x00000011 ConnectionRequest
0x00005D9C 0x0000000B DataArrival
0x00005DA8 0x00000005 Error
0x00005DB0 0x0000000C SendComplete
0x00005DC0 0x0000000C SendProgress
0x00005F00 0x0000000C netapi32.dll
0x00005F18 0x00000007 Netbios
0x00005F58 0x0000000E GetProcessHeap
0x00005FA0 0x00000009 HeapAlloc
0x00005FE4 0x00000008 HeapFree
0x00006094 0x0000000D GetVersionExA
0x00006100 0x0000000B CreateFileA
0x00006144 0x0000000F DeviceIoControl
0x0000618C 0x0000000B CloseHandle
0x000061D0 0x00000015 GetVolumeInformationA
0x00006284 0x00000012 GetModuleFileNameA
0x000062D0 0x00000013 GetCurrentProcessId
0x00006320 0x00000008 FlushLog
0x00006358 0x00000015 cmSocket_SendProgress
0x0000638C 0x0000001C CreateShortcut
0x000063AC 0x00000014 TargetPath
0x000063D8 0x00000020 WorkingDirectory
0x00006434 0x00000012 ExecQuery
0x00006448 0x00000014 MACAddress
0x000064B8 0x0000000C EbMode
0x000064CC 0x0000001C SetWindowLongA
0x000064F0 0x0000001E CallWindowProcA
0x00006514 0x00000014 WSACleanup
0x00006530 0x00000012 KillTimer
0x00006568 0x0000000C user32
0x0000657C 0x0000000C ws2_32
0x0000658C 0x0000000E cmSocket_Error
0x0000659C 0x00000015 cmSocket_SendComplete
0x00006628 0x0000000B UserControl
0x00006634 0x00000008 cmSocket
0x00006640 0x00000011 cmSocket_CloseSck
0x00006654 0x00000010 cmSocket_Connect
0x00006668 0x0000001A cmSocket_ConnectionRequest
0x00006684 0x00000014 cmSocket_DataArrival
0x000066A0 0x00000012 LocalPort
0x000066C8 0x00000010 Protocol
0x000066E0 0x00000014 RemoteHost
0x000066FC 0x00000014 RemotePort
0x00006784 0x00000006 Socket
0x0001B39C 0x00000025 SAFE_rGX8EhiOOnz7qnE0cOpCKcNDUhe57Sli
0x0001B3C4 0x00000025 SAFE_wXfFU0GiYdAvUQ86skySPaU80AmMHnmw
0x0001B3EC 0x00000025 SAFE_4fDBPXBwTcNF4WpeuDSuwqcW3psMwB0f
0x0001B414 0x00000025 SAFE_CU5ZIkuee8iXHaYeF0XH07I12WnVk4NM
0x0001B43C 0x00000025 SAFE_Ukw8ASw6d514KXPxkGUCxCJ89lOobEip
0x0001B464 0x00000006 iSplit
0x0001B46C 0x00000025 SAFE_TzIyaWLC083eHor12AAAXyzARroaoCl7
0x0001B494 0x00000025 SAFE_lF9XRDNe05MAKliKXQ75U40IY6PsfM6a
0x0001B4BC 0x00000025 SAFE_n5qnjCxOP7ZeVOOX2TLLvDCogYRVYSUI
0x0001B4E4 0x00000025 SAFE_Uj0uzUEwwlL7B4YJJgs45Rdz2oEQLD8U
0x0001B50C 0x00000025 SAFE_mzrUqCGPviedE1Pcoxpz2We782pjCNUw
0x0001B534 0x00000025 SAFE_X8QUuSJSJc12iEyzfDnXJgOweBRL5Bts
0x0001B55C 0x00000025 SAFE_8mGmoaasaLRD5fHYjqVi04xGvoTiqark
0x0001B590 0x00000025 SAFE_eTgd1MK7Yy2XtTCJ2xKTBn5ayGXzlGi9
0x0001B5B8 0x00000025 SAFE_wjXCs4MaYvL4wQ3cWDHO8t6i5V8HcQ3c
0x0001B5E0 0x00000025 SAFE_xaESA2wJxxZY73kp2GVdZ2HFDxAuVWSL
0x0001B608 0x00000025 SAFE_Fp521kylwus4A0b8WWSYV7IMKClDLhno
0x0001B630 0x00000025 SAFE_WYQHz1fvKVyxUS2HORFM9RioUYC8UsUi
0x0001B658 0x00000025 SAFE_p7w6cFENZMIBQFccDq7StOvuDjNVqpIL
0x0001B680 0x00000025 SAFE_xjzfjrRvFgBPyI9Ly7RSulUXFJRDsgm5
0x0001B6A8 0x00000025 SAFE_9S0STCtgN17H8PFHBODi0juoUEuZBReV
0x0001B6D0 0x00000025 SAFE_sYcsc0R6Dngoyzvsj9HSEAwZjIvmvX46
0x0001B6F8 0x00000025 SAFE_mOf9lycdfUgnHchmTmCVrEGKeNU0qLFx
0x0001B720 0x00000025 SAFE_fnIuiVsEdGGHBupQQDw8R6lV8rCKRlEH
0x0001B748 0x00000025 SAFE_T571D8NHgN0hn6pJqX9ssVAJPflUAka5
0x0001B770 0x00000025 SAFE_lLyb4qPjfKJEq4gcKn6npaBRVuMn1uvY
0x0001B798 0x00000025 SAFE_RdiVDGLIzkh9zIdkFamXWBxLKNsKF985
0x0001B7C0 0x00000025 SAFE_OX7ybJucwnBnYa0uh44S3EAdOoyyUW3F
0x0001B7E8 0x00000025 SAFE_POnEsHULLpOHjDh7D7JhUOMAWG0aNcSx
0x0001B810 0x00000025 SAFE_heeojzWnKmhomAYQhNGcQTNIdVbtEnnQ
0x0001B838 0x00000025 SAFE_mZH4O1J1aXfWesOSmxySseAFZeDEShAK
0x0001B860 0x00000025 SAFE_oQxKf0tkzZt0pV5gH0CiJnMmh6GrLnZ2
0x0001B888 0x00000025 SAFE_pGeaxyUTOa6Uz8mtm2QxkxYIqZJTEuxl
0x0001B8B0 0x00000025 SAFE_GqZAWhIKHz2Tu42yAKSO68W8O0uBp8PG
0x0001B8D8 0x00000009 requestID
0x0001B8E4 0x0000000A bytesTotal
0x0001B8F0 0x00000006 Number
0x0001B8F8 0x0000000B Description
0x0001B904 0x00000005 sCode
0x0001B90C 0x00000006 Source
0x0001B914 0x00000008 HelpFile
0x0001B920 0x0000000B HelpContext
0x0001B92C 0x0000000D CancelDisplay
0x0001B93C 0x00000009 bytesSent
0x0001B948 0x0000000E bytesRemaining
0x0001B958 0x00000025 SAFE_YoiwczIxR2qYF6Prg6qac9HgIRnEY8PX
0x0001B994 0x0000003F Returns/Sets the port to be connected to on the remote computer
0x0001B9D4 0x00000007 lngPort
0x0001B9DC 0x00000020 Returns/Sets the socket protocol
0x0001BA00 0x0000000B enmProtocol
0x0001BA0C 0x0000003A Returns/Sets the name used to identify the remote computer
0x0001BA48 0x00000007 strHost
0x0001BA50 0x00000022 Returns the remote host IP address
0x0001BA74 0x00000030 Returns/Sets the port used on the local computer
0x0001BAA8 0x0000002A Returns the state of the socket connection
0x0001BAD4 0x0000001E Returns the local machine name
0x0001BAF4 0x00000024 Returns the local machine IP address
0x0001BB1C 0x00000037 Returns the number of bytes received on this connection
0x0001BB54 0x00000019 Returns the socket handle
0x0001BB70 0x00000050 Returns or sets an expression that stores any extra data needed for your program
0x0001BBC4 0x00000006 strTag
0x0001BBCC 0x00000025 Accept an incoming connection request
0x0001BBF4 0x00000009 LocalPort
0x0001BC00 0x00000007 LocalIP
0x0001BC08 0x00000029 Binds socket to specific port and adapter
0x0001BC34 0x00000018 Close current connection
0x0001BC50 0x0000000A RemoteHost
0x0001BC5C 0x0000000A RemotePort
0x0001BC68 0x0000001E Connect to the remote computer
0x0001BC90 0x00000007 varType
0x0001BC98 0x00000006 maxLen
0x0001BCA0 0x00000029 Retrieve data sent by the remote computer
0x0001BCCC 0x00000027 Listen for incoming connection requests
0x0001BCF4 0x00000039 Look at incoming data without removing it from the buffer
0x0001BD30 0x0000001C Send data to remote computer
0x0001BD50 0x00000034 Occurs when a remote client is attempting to connect
0x0001BD8C 0x0000003B Occurs when data has been received from the remote computer
0x0001BDC8 0x0000000E Error occurred
0x0001BDD8 0x0000002B Occurs after a send operation has completed
0x0001BE04 0x00000025 Occurs during process of sending data
0x000536A0 0x0000000C MSVBVM60.DLL
0x000536B0 0x00000018 EVENT_SINK_GetIDsOfNames
0x000536CA 0x0000000E MethCallEngine
0x000536DA 0x00000011 EVENT_SINK_Invoke
0x000536EE 0x00000012 Zombie_GetTypeInfo
0x00053702 0x00000011 EVENT_SINK_AddRef
0x00053716 0x0000000F DllFunctionCall
0x00053728 0x00000017 Zombie_GetTypeInfoCount
0x00053742 0x00000012 EVENT_SINK_Release
0x00053756 0x00000019 EVENT_SINK_QueryInterface
0x00053772 0x00000012 __vbaExceptHandler
0x00053786 0x0000000E ProcCallEngine
0x0005413E 0x0000000C CONFIG
0x00054339 0x0000000A DDDDDDDDD@
0x00054452 0x0000001E VS_VERSION_INFO
0x000544AE 0x00000016 VarFileInfo
0x000544CE 0x00000016 Translation
0x000544F2 0x0000001C StringFileInfo
0x00054516 0x00000010 080404B0
0x0005452E 0x00000016 CompanyName
0x00054552 0x00000016 ProductName
0x0005457A 0x00000016 FileVersion
0x000545A6 0x0000001C ProductVersion
0x000545D6 0x00000018 InternalName
0x00054602 0x00000020 OriginalFilename
0x00054624 0x00000010 dick.exe
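Reading a dump like that by eye is slow; what a triager wants is the same offset/length/string columns with the interesting entries flagged: the PDB and VB project paths, the registry and WinINet/Winsock imports, the driver names. The script below is an added example, not code from the original post or from GoldInstall. The indicator categories are this example's own choice, and the padded byte blob it scans is a constructed stand-in assembled from a handful of the strings seen above, so it runs offline; point scan_file() at a real sample to get the dump with flags.

```python
"""Offset/length/string dump with indicator tagging (added example)."""
import re
from typing import Iterator, NamedTuple

MIN_LEN = 5  # the dump above lists nothing shorter than five characters


class Found(NamedTuple):
    offset: int
    length: int
    text: str
    tags: tuple


# Indicator classes as regexes over the string itself. Categories and
# patterns are this example's own, chosen from what the dump above contains.
INDICATORS = {
    "pdb-path":   re.compile(r"\.pdb$", re.I),
    "vb-project": re.compile(r"\.vbp$", re.I),
    "registry":   re.compile(r"^Reg(Create|Open|Set)|CurrentVersion\\Run|CurrentControlSet\\Services", re.I),
    "network":    re.compile(r"^(Internet\w+|Http\w+|WSA\w+|connect|sendto|recvfrom|gethostbyname)$"),
    "dropper":    re.compile(r"^(CreateFileA|WriteFile|SHGetFolderPathA|CreateShortcut|DeviceIoControl)$"),
    "driver":     re.compile(r"^\\Driver\\|\.sys$", re.I),
}

# A run of printable ASCII at least MIN_LEN bytes long.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)


def extract(blob: bytes) -> Iterator[Found]:
    """Yield every printable run with its file offset, length and tags."""
    for m in ASCII_RUN.finditer(blob):
        text = m.group().decode("ascii")
        tags = tuple(name for name, rx in INDICATORS.items() if rx.search(text))
        yield Found(m.start(), len(text), text, tags)


def format_line(f: Found) -> str:
    """Same column layout as the dump in the post: 0xOFFSET 0xLENGTH string."""
    line = f"0x{f.offset:08X} 0x{f.length:08X} {f.text}"
    return line + ("   <-- " + ",".join(f.tags) if f.tags else "")


def triage(blob: bytes) -> dict:
    """Return {tag: [strings]} for every tagged string in blob."""
    hits: dict = {}
    for f in extract(blob):
        for t in f.tags:
            hits.setdefault(t, []).append(f.text)
    return hits


def scan_file(path: str) -> list:
    """Dump a real sample in the post's layout, flags appended."""
    with open(path, "rb") as fh:
        return [format_line(f) for f in extract(fh.read())]


# Constructed sample (not a real binary): a few strings from the dump above,
# separated by non-printable bytes so the offsets are not contiguous.
SAMPLE = (
    b"\x00\x01MZ\x90\x00"
    + b"*\\AS:\\Worker\\tempvbp\\AutoDownload.vbp" + b"\x00" * 4
    + b"InternetOpenUrlA\x00\x00RegSetValueExA\x00" + b"\xff" * 3
    + b"e:\\eclipse\\botnet\\drivers\\Bin\\i386\\kernel.pdb\x00"
    + b"\\Driver\\NTICE\x00dick.exe\x00abc\x00"  # 'abc' is under MIN_LEN and dropped
)

if __name__ == "__main__":
    for found in extract(SAMPLE):
        print(format_line(found))
```

The length column counts the ASCII run only; a tool that also walks UTF-16 strings (as the dump above evidently did for some entries) reports the byte length instead, which is why a few of its lengths are double the visible character count.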
Sandbox report of the dropper.
Detailed report of suspicious malware actions:
Created file on defined folder: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFE274.tmp
Defined file type copied to Windows folder: C:\WINDOWS\system32\drivers\zgiejqbqy7.sys
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\geurge.exe
Defined registry AutoStart location added or modified: machine\software\microsoft\Windows\CurrentVersion\Run\ewrgetuj = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\geurge.exe
Defined registry AutoStart location added or modified: machine\system\CurrentControlSet\Services\zgiejqbqy7\DisplayName = zgiejqbqy7
Defined registry AutoStart location added or modified: machine\system\CurrentControlSet\Services\zgiejqbqy7\ImagePath = system32\drivers\zgiejqbqy7.sys
Defined registry AutoStart location added or modified: machine\system\CurrentControlSet\Services\zgiejqbqy7\Start = 01000000
Defined registry AutoStart location added or modified: machine\system\CurrentControlSet\Services\zgiejqbqy7\Type = 01000000
Internet connection: C:\Documents and Settings\Administrator\Local Settings\Temp\geurge.exe Connects to "122.224.6.48" on port 88 (TCP).
Internet connection: C:\Documents and Settings\Administrator\current\Local Settings\Temp\geurge.exe Connects to "93.174.92.220" on port 80 (TCP - HTTP).
Query DNS: config.perfectexe.com
Query DNS: ghucom.com
Risk evaluation result: High
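The report shows two persistence mechanisms but leaves the service values raw. As an added example (not from the original post or from the sandbox vendor), here is a small parser that turns report lines like these into IOCs and decodes the REG_DWORDs: 01000000 is a little-endian 1, so Type = SERVICE_KERNEL_DRIVER and Start = SERVICE_SYSTEM_START, which is how a rootkit driver gets loaded on every boot without needing a Run key. The line patterns are fitted to the report format above; the input is the report text itself.

```python
"""Sandbox-report -> IOC parser with service value decoding (added example)."""
import re

# SERVICE_* constants from winnt.h / winsvc.h. The report prints REG_DWORD
# values as raw little-endian bytes, so "01000000" is 0x00000001.
SERVICE_TYPES = {
    0x01: "SERVICE_KERNEL_DRIVER", 0x02: "SERVICE_FILE_SYSTEM_DRIVER",
    0x10: "SERVICE_WIN32_OWN_PROCESS", 0x20: "SERVICE_WIN32_SHARE_PROCESS",
}
SERVICE_STARTS = {
    0x0: "SERVICE_BOOT_START", 0x1: "SERVICE_SYSTEM_START", 0x2: "SERVICE_AUTO_START",
    0x3: "SERVICE_DEMAND_START", 0x4: "SERVICE_DISABLED",
}

# Line shapes taken from the report above; this example's own regexes.
RUN_KEY = re.compile(r"CurrentVersion\\Run\\(?P<name>\S+) = (?P<path>.+)$", re.I)
SVC_KEY = re.compile(r"CurrentControlSet\\Services\\(?P<svc>[^\\]+)\\(?P<val>\w+) = (?P<data>.+)$", re.I)
CONNECT = re.compile(r'Connects to "(?P<ip>[\d.]+)" on port (?P<port>\d+)')
DNS = re.compile(r"Query DNS: (?P<host>\S+)")
FILE = re.compile(r"(?:Created file on defined folder|file type copied to Windows folder|file type created): (?P<path>.+)$")


def le_dword(hexstr: str) -> int:
    """'01000000' -> 1 (REG_DWORD bytes in memory order)."""
    return int.from_bytes(bytes.fromhex(hexstr), "little")


def parse_report(text: str) -> dict:
    """Collect files, Run keys, services, connections and DNS lookups."""
    iocs = {"files": [], "run_keys": {}, "services": {}, "connections": [], "dns": []}
    for line in text.splitlines():
        line = line.strip()
        if m := RUN_KEY.search(line):
            iocs["run_keys"][m["name"]] = m["path"]
        elif m := SVC_KEY.search(line):
            svc = iocs["services"].setdefault(m["svc"], {})
            val, data = m["val"], m["data"]
            if val in ("Type", "Start") and re.fullmatch(r"[0-9A-Fa-f]{8}", data):
                n = le_dword(data)
                table = SERVICE_TYPES if val == "Type" else SERVICE_STARTS
                svc[val] = table.get(n, f"unknown(0x{n:08x})")
            else:
                svc[val] = data
        elif m := CONNECT.search(line):
            iocs["connections"].append((m["ip"], int(m["port"])))
        elif m := DNS.search(line):
            iocs["dns"].append(m["host"])
        elif m := FILE.search(line):
            iocs["files"].append(m["path"])
    return iocs


def persistence_summary(iocs: dict) -> list:
    """One line per autostart mechanism the report recorded."""
    out = [f"Run key {name} -> {path}" for name, path in iocs["run_keys"].items()]
    for name, v in iocs["services"].items():
        out.append(f"service {name}: {v.get('Type', '?')}, {v.get('Start', '?')} -> {v.get('ImagePath', '?')}")
    return out


# Input: the sandbox report lines quoted above, one action per line.
REPORT = r"""
Created file on defined folder: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFE274.tmp
Defined file type copied to Windows folder: C:\WINDOWS\system32\drivers\zgiejqbqy7.sys
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\geurge.exe
Defined registry AutoStart location added or modified: machine\software\microsoft\Windows\CurrentVersion\Run\ewrgetuj = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\geurge.exe
Defined registry AutoStart location added or modified: machine\system\CurrentControlSet\Services\zgiejqbqy7\DisplayName = zgiejqbqy7
Defined registry AutoStart location added or modified: machine\system\CurrentControlSet\Services\zgiejqbqy7\ImagePath = system32\drivers\zgiejqbqy7.sys
Defined registry AutoStart location added or modified: machine\system\CurrentControlSet\Services\zgiejqbqy7\Start = 01000000
Defined registry AutoStart location added or modified: machine\system\CurrentControlSet\Services\zgiejqbqy7\Type = 01000000
Internet connection: C:\Documents and Settings\Administrator\Local Settings\Temp\geurge.exe Connects to "122.224.6.48" on port 88 (TCP).
Internet connection: C:\Documents and Settings\Administrator\current\Local Settings\Temp\geurge.exe Connects to "93.174.92.220" on port 80 (TCP - HTTP).
Query DNS: config.perfectexe.com
Query DNS: ghucom.com
Risk evaluation result: High
"""

if __name__ == "__main__":
    for entry in persistence_summary(parse_report(REPORT)):
        print(entry)
```

Decoding the values matters for response: a SERVICE_SYSTEM_START kernel driver is already loaded by the time a user-mode scanner runs, so the service key and the .sys file have to be removed offline or from a clean boot, whereas the Run key entry is an ordinary user-mode autostart.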
Strings from the rootkit driver I spoke of earlier.
0x00000377 0x00000006 h.text
0x0000039F 0x00000006 h.data
0x000003C8 0x00000006 .cdata
0x00000418 0x00000006 .reloc
0x00001EA9 0x00000005 8SVWh
0x000024AD 0x00000005 VVVVh
0x00002564 0x00000005 WWWWh
0x0000C0EC 0x0000001A \Driver\NTICE
0x0000C108 0x00000016 \Driver\npf
0x0000C120 0x00000016 \SystemRoot
0x0000C142 0x00000006 .cdata
0x0000C14A 0x0000000A hwldi
0x0000C156 0x0000000A hwsht
0x0000C170 0x00000010 TransportAddress
0x0000C182 0x00000011 ConnectionContext
0x0000C19E 0x00000006
0x0000C1A6 0x0000000A hwbcr
0x0000C39C 0x00000009 opera.exe
0x0000C3A8 0x0000000A thebat.exe
0x0000C3B4 0x0000000F thunderbird.exe
0x0000C3C4 0x00000009 msimn.exe
0x0000C3D0 0x0000000A telnet.exe
0x0000C708 0x0000002D e:\eclipse\botnet\drivers\Bin\i386\kernel.pdb
0x000103AE 0x00000008 hfisa@Pj
0x00010920 0x00000019 %08x %ws+0x%x (%08x:%08x)
0x0001093A 0x0000001D %08x unknown+0x%x (%08x:%08x)
0x00010958 0x00000012 (0x%08X-->0x%08X)
0x00010978 0x0000000A hwbcr
0x00010984 0x00000012 IofCompleteRequest
0x00010998 0x0000000D IofCallDriver
0x00010A6E 0x0000001E FILE: unknown+0x%x (%08x:%08x)
0x00010A94 0x0000000C (%08x:%08x)
0x00010AA2 0x00000005 +0x%x
0x00010AA8 0x00000009 FILE: %ws
0x00010ADA 0x00000025 BugCheck %X, {%08x, %08x, %08x, %08x}
0x00010B00 0x00000006 .cdata
0x00011610 0x0000000C CreateModule
0x00011620 0x0000000C DeleteModule
0x00012CF6 0x00000014 ObfDereferenceObject
0x00012D0E 0x00000017 ObReferenceObjectByName
0x00012D28 0x00000012 IoDriverObjectType
0x00012D3E 0x00000014 RtlInitUnicodeString
0x00012D57 0x00000014 xAllocatePoolWithTag
0x00012D6E 0x00000006 memset
0x00012D78 0x00000012 IofCompleteRequest
0x00012D8E 0x0000000C PoCallDriver
0x00012D9E 0x00000013 PoStartNextPowerIrp
0x00012DB4 0x0000000E IoDeleteDevice
0x00012DC6 0x0000001B IoAttachDeviceToDeviceStack
0x00012DE4 0x0000000E IoCreateDevice
0x00012DF6 0x00000012 ObfReferenceObject
0x00012E0C 0x00000018 IoGetRelatedDeviceObject
0x00012E28 0x00000019 ObReferenceObjectByHandle
0x00012E44 0x0000000C IoCreateFile
0x00012E54 0x00000006 memcpy
0x00012E5E 0x0000000D IofCallDriver
0x00012E6E 0x0000000E IoAttachDevice
0x00012E80 0x00000009 _purecall
0x00012E8C 0x00000013 IoGetCurrentProcess
0x00012EA3 0x00000010 xFreePoolWithTag
0x00012EB6 0x00000008 _stricmp
0x00012EC2 0x00000012 KeGetCurrentThread
0x00012ED8 0x00000015 KeWaitForSingleObject
0x00012EF0 0x0000000D IoAllocateIrp
0x00012F00 0x0000000C KeClearEvent
0x00012F10 0x00000010 IoFileObjectType
0x00012F24 0x00000006 strcmp
0x00012F2E 0x00000007 strncat
0x00012F38 0x00000018 NtQuerySystemInformation
0x00012F54 0x00000007 ZwClose
0x00012F5E 0x00000018 KeServiceDescriptorTable
0x00012F7A 0x00000010 MmIsAddressValid
0x00012F8E 0x00000007 sprintf
0x00012F98 0x0000000C KeBugCheckEx
0x00012FA8 0x0000000C PsGetVersion
0x00012FB8 0x0000001D IoBuildDeviceIoControlRequest
0x00012FD8 0x00000011 KeInitializeEvent
0x00012FEC 0x0000000A KeSetEvent
0x00012FFA 0x00000014 RtlFreeUnicodeString
0x00013012 0x00000017 RtlCompareUnicodeString
0x0001302C 0x00000014 RtlCopyUnicodeString
0x00013044 0x00000019 MmGetSystemRoutineAddress
0x00013060 0x00000011 RtlFreeAnsiString
0x00013074 0x0000001C RtlUnicodeStringToAnsiString
0x00013094 0x00000016 RtlQueryRegistryValues
0x000130AE 0x0000001E IoRegisterShutdownNotification
0x000130D0 0x00000013 KeSetPriorityThread
0x000130E6 0x00000014 PsCreateSystemThread
0x000130FE 0x00000019 RtlUnicodeStringToInteger
0x0001311A 0x00000013 RtlTimeToTimeFields
0x00013130 0x00000007 _allmul
0x0001313A 0x00000015 RtlWriteRegistryValue
0x00013152 0x00000014 RtlCreateRegistryKey
0x0001316A 0x00000008 swprintf
0x00013176 0x00000016 RtlDeleteRegistryValue
0x00013190 0x00000011 ObQueryNameString
0x000131A4 0x00000009 IoFreeIrp
0x000131B0 0x0000000E ObInsertObject
0x000131C2 0x0000001E SeSetAccessStateGenericMapping
0x000131E4 0x00000011 RtlMapGenericMask
0x000131F8 0x00000013 SeCreateAccessState
0x0001320E 0x0000000E ObCreateObject
0x00013220 0x00000009 IoFreeMdl
0x0001322C 0x0000000D MmUnlockPages
0x0001323C 0x0000000B IoCancelIrp
0x0001324A 0x00000013 MmProbeAndLockPages
0x00013260 0x0000000D IoAllocateMdl
0x00013270 0x00000018 KeWaitForMultipleObjects
0x0001328C 0x0000000C KeResetEvent
0x0001329C 0x00000012 KeNumberProcessors
0x000132B2 0x00000008 _aulldiv
0x000132BE 0x0000001C RtlAnsiStringToUnicodeString
0x000132DE 0x00000011 RtlInitAnsiString
0x000132F2 0x0000000B KeTickCount
0x000132FE 0x0000000C ntoskrnl.exe
0x0001330F 0x0000000F eGetCurrentIrql
0x00013323 0x0000000A fRaiseIrql
0x00013331 0x0000000A fLowerIrql
0x0001333F 0x00000010 fReleaseSpinLock
0x00013353 0x00000010 fAcquireSpinLock
0x00013364 0x00000007 HAL.dll
0x0001336E 0x00000007 strncpy
0x00013378 0x00000007 wcsncpy
0x00013382 0x00000006 strlen
0x0001338C 0x00000010 RtlCompareMemory
0x000133A0 0x0000000A ZwReadFile
0x000133AE 0x0000000B ZwWriteFile
0x000133BC 0x00000011 KeQuerySystemTime
0x000133D0 0x00000006 strchr
0x000133DA 0x00000006 wcschr
0x000133E4 0x00000009 RtlUnwind
0x00013C39 0x00000009 ;$;);2;9;
There you can see the “botnet” string in the PDB path (e:\eclipse\botnet\drivers\Bin\i386\kernel.pdb); nothing good about that file. The \Driver\NTICE string is the driver object name of SoftICE, so the driver also looks to see whether a kernel-mode debugger is loaded (\Driver\npf next to it is WinPcap's packet capture driver). The process names that follow (opera.exe, thebat.exe, thunderbird.exe, msimn.exe, telnet.exe) are a browser, three mail clients and telnet, and together with ObReferenceObjectByName and IoAttachDeviceToDeviceStack in the import list point to a filter driver that singles out those processes, though the strings alone don't say what it does with them.
To be continued…