Profiling a rootkit: Hacker Defender Section 2

Published by kareldjag


Registry Tracking with RegMon:


2712    56.77157974    hxdef100.exe:448    OpenKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hxdef100.exe    NOT FOUND
2713    56.77293015    hxdef100.exe:448    OpenKey    HKLM\System\CurrentControlSet\Control\Terminal Server    SUCCESS    Access: 0x20019
2714    56.77294540    hxdef100.exe:448    QueryValue    HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat    SUCCESS    0x0
2715    56.77302933    hxdef100.exe:448    CloseKey    HKLM\System\CurrentControlSet\Control\Terminal Server    SUCCESS
2716    56.77962112    hxdef100.exe:448    OpenKey    HKLM\System\CurrentControlSet\Control\Terminal Server    SUCCESS    Access: 0x20019
2717    56.77964401    hxdef100.exe:448    QueryValue    HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat    SUCCESS    0x0
2718    56.77969742    hxdef100.exe:448    CloseKey    HKLM\System\CurrentControlSet\Control\Terminal Server    SUCCESS
2719    56.77982712    hxdef100.exe:448    OpenKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll    NOT FOUND
2720    56.77988434    hxdef100.exe:448    OpenKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll    NOT FOUND
2721    56.77996445    hxdef100.exe:448    OpenKey    HKLM\System\CurrentControlSet\Control\Error Message Instrument    NOT FOUND
2722    56.78014374    hxdef100.exe:448    OpenKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32    SUCCESS    Access: 0x20019
2723    56.78016281    hxdef100.exe:448    QueryValue    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32\hxdef100    NOT FOUND
2724    56.78018188    hxdef100.exe:448    CloseKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32    SUCCESS
2725    56.78020477    hxdef100.exe:448    OpenKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility    SUCCESS    Access: 0x20019
2726    56.78022385    hxdef100.exe:448    QueryValue    HKLM\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility\hxdef100    NOT FOUND
2727    56.78023911    hxdef100.exe:448    CloseKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility    SUCCESS
2728    56.78042984    hxdef100.exe:448    OpenKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows    SUCCESS    Access: 0x20019
2729    56.78044510    hxdef100.exe:448    QueryValue    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs    SUCCESS    ""
2730    56.78049088    hxdef100.exe:448    CloseKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows    SUCCESS
2731    56.78088760    hxdef100.exe:448    OpenKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll    NOT FOUND
2732    56.78091812    hxdef100.exe:448    OpenKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advapi32.dll    NOT FOUND
2733    56.78098679    hxdef100.exe:448    OpenKey    HKLM\System\CurrentControlSet\Control\Terminal Server    SUCCESS    Access: 0x20019
2734    56.78103256    hxdef100.exe:448    QueryValue    HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat    SUCCESS    0x0
2735    56.78104782    hxdef100.exe:448    QueryValue    HKLM\System\CurrentControlSet\Control\Terminal Server\TSUserEnabled    SUCCESS    0x0
2736    56.78109360    hxdef100.exe:448    CloseKey    HKLM\System\CurrentControlSet\Control\Terminal Server    SUCCESS
2737    56.78112030    hxdef100.exe:448    OpenKey    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon    SUCCESS    Access: 0x20019
2738    56.78117371    hxdef100.exe:448    QueryValue    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LeakTrack    NOT FOUND
2739    56.78121567    hxdef100.exe:448    CloseKey    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon    SUCCESS
2740    56.78123856    hxdef100.exe:448    OpenKey    HKLM    SUCCESS    Access: 0x2000000
2741    56.78128815    hxdef100.exe:448    OpenKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics    NOT FOUND
2742    56.78131104    hxdef100.exe:448    OpenKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll    NOT FOUND
2743    56.78161240    hxdef100.exe:448    OpenKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll    NOT FOUND
2744    56.78198624    hxdef100.exe:448    OpenKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS    Access: 0xF003F
2745    56.78202820    hxdef100.exe:448    CloseKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS
2746    56.78206635    hxdef100.exe:448    CreateKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS    Access: 0x2
2747    56.78226852    hxdef100.exe:448    SetValue    HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed    SUCCESS    D7 2D 87 7F BD 3D 12 F0 ...
2748    56.78231430    hxdef100.exe:448    CloseKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS
2749    56.78237152    hxdef100.exe:448    OpenKey    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager    SUCCESS    Access: 0x20019
2750    56.78242493    hxdef100.exe:448    QueryValue    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\CriticalSectionTimeout    SUCCESS    0x278D00
2751    56.78247452    hxdef100.exe:448    CloseKey    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager    SUCCESS
2752    56.78249359    hxdef100.exe:448    OpenKey    HKLM\Software\Microsoft\Ole    SUCCESS    Access: 0x20019
2753    56.78253937    hxdef100.exe:448    QueryValue    HKLM\Software\Microsoft\Ole\RWLockResourceTimeOut    NOT FOUND
2754    56.78258514    hxdef100.exe:448    CloseKey    HKLM\Software\Microsoft\Ole    SUCCESS
2755    56.78261948    hxdef100.exe:448    OpenKey    HKCR\Interface    SUCCESS    Access: 0x20019
2756    56.78266525    hxdef100.exe:448    QueryValue    HKCR\Interface\InterfaceHelperDisableAll    NOT FOUND
2757    56.78267670    hxdef100.exe:448    QueryValue    HKCR\Interface\InterfaceHelperDisableAllForOle32    NOT FOUND
2758    56.78271866    hxdef100.exe:448    QueryValue    HKCR\Interface\InterfaceHelperDisableTypeLib    NOT FOUND
2759    56.78273010    hxdef100.exe:448    CloseKey    HKCR\Interface    SUCCESS
2760    56.78278732    hxdef100.exe:448    OpenKey    HKCR\Interface\{00020400-0000-0000-C000-000000000046}    SUCCESS    Access: 0x20019
2761    56.78282928    hxdef100.exe:448    QueryValue    HKCR\Interface\{00020400-0000-0000-C000-000000000046}\InterfaceHelperDisableAll    NOT FOUND
2762    56.78284454    hxdef100.exe:448    QueryValue    HKCR\Interface\{00020400-0000-0000-C000-000000000046}\InterfaceHelperDisableAllForOle32    NOT FOUND
2763    56.78289032    hxdef100.exe:448    CloseKey    HKCR\Interface\{00020400-0000-0000-C000-000000000046}    SUCCESS
2764    56.78293228    hxdef100.exe:448    OpenKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oleaut32.dll    NOT FOUND
2765    56.78300858    hxdef100.exe:448    OpenKey    HKLM\SOFTWARE\Microsoft\OLEAUT    NOT FOUND
2766    56.78306580    hxdef100.exe:448    OpenKey    HKLM\SOFTWARE\Microsoft\OLEAUT\UserEra    NOT FOUND
2767    56.78311539    hxdef100.exe:448    OpenKey    HKLM\SOFTWARE\Microsoft\OLEAUT    NOT FOUND
2768    56.78313828    hxdef100.exe:448    OpenKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll    NOT FOUND
2769    56.78315735    hxdef100.exe:448    OpenKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll    NOT FOUND
2770    56.79214478    hxdef100.exe:448    OpenKey    HKLM\Software\Microsoft\Rpc\PagedBuffers    NOT FOUND
2771    56.79221344    hxdef100.exe:448    OpenKey    HKLM\Software\Microsoft\Rpc    SUCCESS    Access: 0x20019
2772    56.79226303    hxdef100.exe:448    QueryValue    HKLM\Software\Microsoft\Rpc\MaxRpcSize    NOT FOUND
2773    56.79228973    hxdef100.exe:448    CloseKey    HKLM\Software\Microsoft\Rpc    SUCCESS
2774    56.79234695    hxdef100.exe:448    OpenKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hxdef100.exe\RpcThreadPoolThrottle    NOT FOUND
2775    56.79240417    hxdef100.exe:448    OpenKey    HKLM\Software\Policies\Microsoft\Windows NT\Rpc    NOT FOUND
2776    56.79251099    hxdef100.exe:448    OpenKey    HKLM\System\CurrentControlSet\Control\Session Manager    SUCCESS    Access: 0x1
2777    56.79253006    hxdef100.exe:448    QueryValue    HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode    NOT FOUND
2778    56.79257584    hxdef100.exe:448    CloseKey    HKLM\System\CurrentControlSet\Control\Session Manager    SUCCESS
2779    56.79288864    hxdef100.exe:448    OpenKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS    Access: 0xF003F
2780    56.79290390    hxdef100.exe:448    CloseKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS
2781    56.79297638    hxdef100.exe:448    CreateKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS    Access: 0x2
2782    56.79308319    hxdef100.exe:448    SetValue    HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed    SUCCESS    9D D3 4E 53 04 B4 C9 51 ...
2783    56.79309845    hxdef100.exe:448    CloseKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS
2784    56.79322433    hxdef100.exe:448    OpenKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS    Access: 0xF003F
2785    56.79326630    hxdef100.exe:448    CloseKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS
2786    56.79329681    hxdef100.exe:448    CreateKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS    Access: 0x2
2787    56.79336548    hxdef100.exe:448    SetValue    HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed    SUCCESS    C4 0A 57 27 3B 92 60 21 ...
2788    56.79337692    hxdef100.exe:448    CloseKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS
2789    56.79349518    hxdef100.exe:448    OpenKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS    Access: 0xF003F
2790    56.79353714    hxdef100.exe:448    CloseKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS
2791    56.79357147    hxdef100.exe:448    CreateKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS    Access: 0x2
2792    56.79364014    hxdef100.exe:448    SetValue    HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed    SUCCESS    CF C1 D7 42 24 E9 04 9B ...
2793    56.79368210    hxdef100.exe:448    CloseKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS
2794    56.79376602    hxdef100.exe:448    OpenKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS    Access: 0xF003F
2795    56.79381180    hxdef100.exe:448    CloseKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS
2796    56.79387283    hxdef100.exe:448    CreateKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS    Access: 0x2
2797    56.79391098    hxdef100.exe:448    SetValue    HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed    SUCCESS    60 57 BC 3D B1 B2 F1 35 ...
2798    56.79395294    hxdef100.exe:448    CloseKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS
2799    56.79403687    hxdef100.exe:448    OpenKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS    Access: 0xF003F
2800    56.79408264    hxdef100.exe:448    CloseKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS
2801    56.79414368    hxdef100.exe:448    CreateKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS    Access: 0x2
2802    56.79418182    hxdef100.exe:448    SetValue    HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed    SUCCESS    5C B9 C6 DA 38 44 11 DF ...
2803    56.79422379    hxdef100.exe:448    CloseKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS
2804    56.79433823    hxdef100.exe:448    OpenKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS    Access: 0xF003F
2805    56.79434967    hxdef100.exe:448    CloseKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS
2806    56.79441452    hxdef100.exe:448    CreateKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS    Access: 0x2
2807    56.79445267    hxdef100.exe:448    SetValue    HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed    SUCCESS    2E 0A 2C B0 D2 D2 2F F8 ...
2808    56.79449463    hxdef100.exe:448    CloseKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS
2809    56.79460907    hxdef100.exe:448    OpenKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS    Access: 0xF003F
2810    56.79462051    hxdef100.exe:448    CloseKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS
2811    56.79468536    hxdef100.exe:448    CreateKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS    Access: 0x2
2812    56.79475403    hxdef100.exe:448    SetValue    HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed    SUCCESS    17 EC 3D 06 0C 6F 1B 15 ...
2813    56.79476547    hxdef100.exe:448    CloseKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS
2814    56.79561234    hxdef100.exe:448    OpenKey    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot    SUCCESS    Access: 0xF003F
2815    56.79566956    hxdef100.exe:448    OpenKey    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal    SUCCESS    Access: 0xF003F
2816    56.79572296    hxdef100.exe:448    OpenKey    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network    SUCCESS    Access: 0xF003F
2817    56.79577255    hxdef100.exe:448    OpenKey    HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\HackerDefender100    NOT FOUND
2818    56.79610825    hxdef100.exe:448    CreateKey    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HackerDefender100    SUCCESS    Access: 0xF003F
2819    56.79645538    hxdef100.exe:448    SetValue    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HackerDefender100\(Default)    SUCCESS    "Service"
2820    56.79649734    hxdef100.exe:448    OpenKey    HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\HackerDefender100    NOT FOUND
2821    56.79666138    hxdef100.exe:448    CreateKey    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\HackerDefender100    SUCCESS    Access: 0xF003F
2822    56.79684448    hxdef100.exe:448    SetValue    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\HackerDefender100\(Default)    SUCCESS    "Service"
2823    56.79689789    hxdef100.exe:448    CloseKey    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal    SUCCESS
2824    56.79694366    hxdef100.exe:448    CloseKey    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network    SUCCESS
2825    56.79695892    hxdef100.exe:448    CloseKey    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot    SUCCESS
2826    57.06081009    hxdef100.exe:316    OpenKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hxdef100.exe    NOT FOUND
2827    57.06136322    hxdef100.exe:316    OpenKey    HKLM\System\CurrentControlSet\Control\Terminal Server    SUCCESS    Access: 0x20019
2828    57.06138229    hxdef100.exe:316    QueryValue    HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat    SUCCESS    0x0
2829    57.06140518    hxdef100.exe:316    CloseKey    HKLM\System\CurrentControlSet\Control\Terminal Server    SUCCESS
2830    57.06288528    hxdef100.exe:316    OpenKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll    NOT FOUND
2831    57.06290817    hxdef100.exe:316    OpenKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll    NOT FOUND
2832    57.06298065    hxdef100.exe:316    OpenKey    HKLM\System\CurrentControlSet\Control\Error Message Instrument    NOT FOUND
2833    57.06318283    hxdef100.exe:316    OpenKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32    SUCCESS    Access: 0x20019
2834    57.06320572    hxdef100.exe:316    QueryValue    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32\hxdef100    NOT FOUND
2835    57.06322098    hxdef100.exe:316    CloseKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32    SUCCESS
2836    57.06324768    hxdef100.exe:316    OpenKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility    SUCCESS    Access: 0x20019
2837    57.06326294    hxdef100.exe:316    QueryValue    HKLM\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility\hxdef100    NOT FOUND
2838    57.06327820    hxdef100.exe:316    CloseKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility    SUCCESS
2839    57.06339264    hxdef100.exe:316    OpenKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows    SUCCESS    Access: 0x20019
2840    57.06340790    hxdef100.exe:316    QueryValue    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs    SUCCESS    ""
2841    57.06343079    hxdef100.exe:316    CloseKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows    SUCCESS
2842    57.06382751    hxdef100.exe:316    OpenKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll    NOT FOUND
2843    57.06385803    hxdef100.exe:316    OpenKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advapi32.dll    NOT FOUND
2844    57.06389618    hxdef100.exe:316    OpenKey    HKLM\System\CurrentControlSet\Control\Terminal Server    SUCCESS    Access: 0x20019
2845    57.06391144    hxdef100.exe:316    QueryValue    HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat    SUCCESS    0x0
2846    57.06392670    hxdef100.exe:316    QueryValue    HKLM\System\CurrentControlSet\Control\Terminal Server\TSUserEnabled    SUCCESS    0x0
2847    57.06394196    hxdef100.exe:316    CloseKey    HKLM\System\CurrentControlSet\Control\Terminal Server    SUCCESS
2848    57.06396866    hxdef100.exe:316    OpenKey    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon    SUCCESS    Access: 0x20019
2849    57.06399155    hxdef100.exe:316    QueryValue    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LeakTrack    NOT FOUND
2850    57.06400299    hxdef100.exe:316    CloseKey    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon    SUCCESS
2851    57.06402588    hxdef100.exe:316    OpenKey    HKLM    SUCCESS    Access: 0x2000000
2852    57.06404114    hxdef100.exe:316    OpenKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics    NOT FOUND
2853    57.06406403    hxdef100.exe:316    OpenKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll    NOT FOUND
2854    57.06437302    hxdef100.exe:316    OpenKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll    NOT FOUND
2855    57.06470871    hxdef100.exe:316    OpenKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS    Access: 0xF003F
2856    57.06472015    hxdef100.exe:316    CloseKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS
2857    57.06475449    hxdef100.exe:316    CreateKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS    Access: 0x2
2858    57.06482697    hxdef100.exe:316    SetValue    HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed    SUCCESS    C4 A6 CA BF 60 D5 CF EA ...
2859    57.06484222    hxdef100.exe:316    CloseKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS
2860    57.06489563    hxdef100.exe:316    OpenKey    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager    SUCCESS    Access: 0x20019
2861    57.06491852    hxdef100.exe:316    QueryValue    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\CriticalSectionTimeout    SUCCESS    0x278D00
2862    57.06493378    hxdef100.exe:316    CloseKey    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager    SUCCESS
2863    57.06495667    hxdef100.exe:316    OpenKey    HKLM\Software\Microsoft\Ole    SUCCESS    Access: 0x20019
2864    57.06497192    hxdef100.exe:316    QueryValue    HKLM\Software\Microsoft\Ole\RWLockResourceTimeOut    NOT FOUND
2865    57.06498337    hxdef100.exe:316    CloseKey    HKLM\Software\Microsoft\Ole    SUCCESS
2866    57.06501770    hxdef100.exe:316    OpenKey    HKCR\Interface    SUCCESS    Access: 0x20019
2867    57.06502914    hxdef100.exe:316    QueryValue    HKCR\Interface\InterfaceHelperDisableAll    NOT FOUND
2868    57.06504059    hxdef100.exe:316    QueryValue    HKCR\Interface\InterfaceHelperDisableAllForOle32    NOT FOUND
2869    57.06505203    hxdef100.exe:316    QueryValue    HKCR\Interface\InterfaceHelperDisableTypeLib    NOT FOUND
2870    57.06506348    hxdef100.exe:316    CloseKey    HKCR\Interface    SUCCESS
2871    57.06508636    hxdef100.exe:316    OpenKey    HKCR\Interface\{00020400-0000-0000-C000-000000000046}    SUCCESS    Access: 0x20019
2872    57.06510162    hxdef100.exe:316    QueryValue    HKCR\Interface\{00020400-0000-0000-C000-000000000046}\InterfaceHelperDisableAll    NOT FOUND
2873    57.06511307    hxdef100.exe:316    QueryValue    HKCR\Interface\{00020400-0000-0000-C000-000000000046}\InterfaceHelperDisableAllForOle32    NOT FOUND
2874    57.06512833    hxdef100.exe:316    CloseKey    HKCR\Interface\{00020400-0000-0000-C000-000000000046}    SUCCESS
2875    57.06516647    hxdef100.exe:316    OpenKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oleaut32.dll    NOT FOUND
2876    57.06520844    hxdef100.exe:316    OpenKey    HKLM\SOFTWARE\Microsoft\OLEAUT    NOT FOUND
2877    57.06523132    hxdef100.exe:316    OpenKey    HKLM\SOFTWARE\Microsoft\OLEAUT\UserEra    NOT FOUND
2878    57.06524277    hxdef100.exe:316    OpenKey    HKLM\SOFTWARE\Microsoft\OLEAUT    NOT FOUND
2879    57.06526566    hxdef100.exe:316    OpenKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll    NOT FOUND
2880    57.06528473    hxdef100.exe:316    OpenKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll    NOT FOUND
2881    57.06925964    hxdef100.exe:316    OpenKey    HKLM\Software\Microsoft\Rpc\PagedBuffers    NOT FOUND
2882    57.06929016    hxdef100.exe:316    OpenKey    HKLM\Software\Microsoft\Rpc    SUCCESS    Access: 0x20019
2883    57.06930923    hxdef100.exe:316    QueryValue    HKLM\Software\Microsoft\Rpc\MaxRpcSize    NOT FOUND
2884    57.06933594    hxdef100.exe:316    CloseKey    HKLM\Software\Microsoft\Rpc    SUCCESS
2885    57.06936264    hxdef100.exe:316    OpenKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hxdef100.exe\RpcThreadPoolThrottle    NOT FOUND
2886    57.06941605    hxdef100.exe:316    OpenKey    HKLM\Software\Policies\Microsoft\Windows NT\Rpc    NOT FOUND
2887    57.06949234    hxdef100.exe:316    OpenKey    HKLM\System\CurrentControlSet\Control\Session Manager    SUCCESS    Access: 0x1
2888    57.06950760    hxdef100.exe:316    QueryValue    HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode    NOT FOUND
2889    57.06952667    hxdef100.exe:316    CloseKey    HKLM\System\CurrentControlSet\Control\Session Manager    SUCCESS
2890    57.06982422    hxdef100.exe:316    OpenKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS    Access: 0xF003F
2891    57.06983948    hxdef100.exe:316    CloseKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS
2892    57.06987762    hxdef100.exe:316    CreateKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS    Access: 0x2
2893    57.06995392    hxdef100.exe:316    SetValue    HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed    SUCCESS    ED 87 5D 3F FE 16 5C FE ...
2894    57.06996536    hxdef100.exe:316    CloseKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS
2895    57.07006836    hxdef100.exe:316    OpenKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS    Access: 0xF003F
2896    57.07007980    hxdef100.exe:316    CloseKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS
2897    57.07011032    hxdef100.exe:316    CreateKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS    Access: 0x2
2898    57.07014847    hxdef100.exe:316    SetValue    HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed    SUCCESS    56 44 A2 F4 64 E1 D2 9B ...
2899    57.07015991    hxdef100.exe:316    CloseKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS
2900    57.07024384    hxdef100.exe:316    OpenKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS    Access: 0xF003F
2901    57.07025528    hxdef100.exe:316    CloseKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS
2902    57.07029343    hxdef100.exe:316    CreateKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS    Access: 0x2
2903    57.07032776    hxdef100.exe:316    SetValue    HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed    SUCCESS    58 A5 42 11 F2 45 97 82 ...
2904    57.07033920    hxdef100.exe:316    CloseKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS
2905    57.07042313    hxdef100.exe:316    OpenKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS    Access: 0xF003F
2906    57.07043457    hxdef100.exe:316    CloseKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS
2907    57.07046890    hxdef100.exe:316    CreateKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS    Access: 0x2
2908    57.07050323    hxdef100.exe:316    SetValue    HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed    SUCCESS    AD AB 74 2A A0 93 EB D0 ...
2909    57.07051468    hxdef100.exe:316    CloseKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS
2910    57.07059860    hxdef100.exe:316    OpenKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS    Access: 0xF003F
2911    57.07061005    hxdef100.exe:316    CloseKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS
2912    57.07064056    hxdef100.exe:316    CreateKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS    Access: 0x2
2913    57.07067871    hxdef100.exe:316    SetValue    HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed    SUCCESS    C4 E3 E0 45 C8 08 91 93 ...
2914    57.07069016    hxdef100.exe:316    CloseKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS
2915    57.07077408    hxdef100.exe:316    OpenKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS    Access: 0xF003F
2916    57.07078171    hxdef100.exe:316    CloseKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS
2917    57.07081604    hxdef100.exe:316    CreateKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS    Access: 0x2
2918    57.07085037    hxdef100.exe:316    SetValue    HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed    SUCCESS    8E A6 50 1B 0D 04 05 2A ...
2919    57.07086182    hxdef100.exe:316    CloseKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS
2920    57.07094574    hxdef100.exe:316    OpenKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS    Access: 0xF003F
2921    57.07095718    hxdef100.exe:316    CloseKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS
2922    57.07098770    hxdef100.exe:316    CreateKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS    Access: 0x2
2923    57.07102585    hxdef100.exe:316    SetValue    HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed    SUCCESS    39 89 79 D2 B7 E4 03 BF ...
2924    57.07103729    hxdef100.exe:316    CloseKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS
2925    57.07201004    hxdef100.exe:316    OpenKey    HKLM\System\CurrentControlSet\Control\ServiceCurrent    SUCCESS    Access: 0x1
2926    57.07203293    hxdef100.exe:316    QueryValue    HKLM\System\CurrentControlSet\Control\ServiceCurrent\(Default)    SUCCESS    0x19
2927    57.07205200    hxdef100.exe:316    CloseKey    HKLM\System\CurrentControlSet\Control\ServiceCurrent    SUCCESS
2928    57.07570267    hxdef100.exe:316    OpenKey    HKLM\System\CurrentControlSet\Control\ComputerName    SUCCESS    Access: 0x20019
2929    57.07580948    hxdef100.exe:316    OpenKey    HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName    SUCCESS    Access: 0x20019
2930    57.07582855    hxdef100.exe:316    QueryValue    HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName\ComputerName    SUCCESS    "OEM-TDYOG7RCYK7"
2931    57.07585526    hxdef100.exe:316    CloseKey    HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName    SUCCESS
2932    57.07587433    hxdef100.exe:316    CloseKey    HKLM\System\CurrentControlSet\Control\ComputerName    SUCCESS
2933    57.07940292    hxdef100.exe:316    OpenKey    HKLM\SOFTWARE\Network Associates\TVD\Shared Components\On Access Scanner\BehaviourBlocking    NOT FOUND
2934    57.08078766    hxdef100.exe:316    OpenKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll    NOT FOUND
2935    57.08081436    hxdef100.exe:316    OpenKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ws2_32.dll    NOT FOUND


Not all of the created keys are shown here: we need to monitor APIs to investigate further.
And if we dump the registry with a free Somarsoft tool such as DumpReg, we can see that something is wrong with some keys:
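As an added example (not from the original article), a small Python triage script for a RegMon trace like the one above: it parses the whitespace-separated fields and flags only successful write operations that register a Safe Mode entry under SafeBoot\Minimal or SafeBoot\Network (the HackerDefender100 keys the trace shows), create or modify a service or driver key, or write AppInit_DLLs or Image File Execution Options. The sample lines 2746 to 2822 are copied from the trace above with their backslashes restored; the seq 9001 line, its timestamp and its ImagePath value are constructed placeholders standing in for the service key writes the trace does not show.

```python
import re
from collections import Counter

# One RegMon line: seq, timestamp, process:pid, operation, path, result, detail.
# Fields are separated by tabs or runs of two or more spaces; single spaces occur
# inside paths ("Windows NT", "Terminal Server") and inside results ("NOT FOUND").
FIELD_SEP = re.compile(r"\t|\s{2,}")

WRITE_OPS = {"CreateKey", "SetValue", "DeleteKey", "DeleteValue"}

# (rule name, operations that matter, regex on the key path). Only writes are
# flagged: a NOT FOUND OpenKey on Image File Execution Options is a normal loader
# probe and appears for every DLL in the trace.
RULES = [
    ("safeboot_persistence", WRITE_OPS,
     re.compile(r"\\Control\\SafeBoot\\(Minimal|Network)\\", re.I)),
    ("service_or_driver_key", WRITE_OPS,
     re.compile(r"\\CurrentControlSet\\Services\\[^\\]+", re.I)),
    ("appinit_dlls_write", {"SetValue"},
     re.compile(r"\\CurrentVersion\\Windows\\AppInit_DLLs$", re.I)),
    ("ifeo_write", WRITE_OPS,
     re.compile(r"\\Image File Execution Options\\", re.I)),
]


def parse_line(line):
    """Return the event as a dict, or None for lines that are not RegMon records."""
    parts = FIELD_SEP.split(line.strip())
    if len(parts) < 6 or not parts[0].isdigit():
        return None
    seq, _ts, proc, op, path, result = parts[:6]
    name, _, pid = proc.rpartition(":")
    return {"seq": int(seq), "proc": name, "pid": int(pid), "op": op,
            "path": path, "result": result,
            "detail": parts[6] if len(parts) > 6 else ""}


def analyze(lines):
    """Flag successful write operations matching a rule: (seq, pid, rule, op, path)."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "SUCCESS":
            continue  # failed or absent keys changed nothing
        for rule, ops, pattern in RULES:
            if ev["op"] in ops and pattern.search(ev["path"]):
                findings.append((ev["seq"], ev["pid"], rule, ev["op"], ev["path"]))
    return findings


def summarize(findings):
    """Count findings per (pid, rule) so one process with many hits stands out."""
    return Counter((pid, rule) for _, pid, rule, _, _ in findings)


# Lines 2746-2822 are copied from the trace (backslashes restored); the seq 9001
# line is constructed to stand in for the service key writes not shown there.
SAMPLE = r"""
2746    56.78206635    hxdef100.exe:448    CreateKey    HKLM\SOFTWARE\Microsoft\Cryptography\RNG    SUCCESS    Access: 0x2
2747    56.78226852    hxdef100.exe:448    SetValue    HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed    SUCCESS    D7 2D 87 7F BD 3D 12 F0 ...
2729    56.78044510    hxdef100.exe:448    QueryValue    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs    SUCCESS    ""
2817    56.79577255    hxdef100.exe:448    OpenKey    HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\HackerDefender100    NOT FOUND
2818    56.79610825    hxdef100.exe:448    CreateKey    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HackerDefender100    SUCCESS    Access: 0xF003F
2819    56.79645538    hxdef100.exe:448    SetValue    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HackerDefender100\(Default)    SUCCESS    "Service"
2821    56.79666138    hxdef100.exe:448    CreateKey    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\HackerDefender100    SUCCESS    Access: 0xF003F
2822    56.79684448    hxdef100.exe:448    SetValue    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\HackerDefender100\(Default)    SUCCESS    "Service"
9001    57.10000000    hxdef100.exe:316    SetValue    HKLM\SYSTEM\CurrentControlSet\Services\HackerDefender100\ImagePath    SUCCESS    "C:\PLACEHOLDER\hxdef100.exe"
"""
SAMPLE_LINES = [l for l in SAMPLE.splitlines() if l.strip()]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LINES):
        print(*finding)
    print(summarize(analyze(SAMPLE_LINES)))
```

The RNG Seed writes are deliberately not a rule: CryptoAPI reseeds that key from every process that uses it, so they are noise here.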


3. MONITORING APIs:


We can see in the different screenshots the hooking of ntdll, the creation of the service and driver registry keys, the start of the service, etc.


Now we're going to monitor the driver:



***IRP TRACKING:


A complete list of HxDef driver communications can be found here (with IRPTrace).



4. ROOTKIT DETECTION WITH WINDOWS and system utilities:


- integrity check of Windows files (sigverif.exe): no change is detected.

- searching for the process with the Task Manager: nothing;

- services and drivers:

On the command line, "sc query" or "net start" lists the running services: the HackerDefender service is not listed.




The same result is found in the control panel (mmc.exe).

If we check the system for unsigned drivers (verifier.exe): nothing.

If we look at hidden devices (devmgmt.msc): the HackerDefender driver is not on the list:


If we use some system tools:

- a basic integrity checker like Sentinel: nothing suspicious is found:


- with an advanced integrity checker such as XIntegrity Pro, no change is detected against the clean service database:


- If we try to catch the process again with utilities such as Process Explorer or RegMon (once HxDef is launched):


HackerDefender acts as a man-in-the-middle: each time we query the system for running applications, for instance, HxDef returns a Status Invalid Parameter.
As I'm not a programmer, I've asked Ivo Ivanov from Infoprocess some questions about which APIs are really necessary in our case, and here is his answer:


"The key point of hiding a process is that it allows an attacker to create an undetectable backdoor that cannot be discovered using standard process tools like Process Explorer or Windows Task Manager or even anti-rootkit software. Hacker Defender rootkit installs hidden backdoors, registers as a hidden system service and installs a hidden system driver.
There are two well-known methods of hiding processes:
1. Hooking the ZwQuerySystemInformation() native API. It is an easy way to control the access to the process list (i.e. what you see in Task Manager for example). A call to ZwQuerySystemInformation(SystemInformationClass) will return a container with all process records. What an attacker can do is to hook this API and remove a specific process record before this function returns to its caller.
2. As an alternative the attacker can employ a lower-level approach and hide a process by modifying EPROCESS kernel data structures. This is a very robust technique. It is interesting that it doesn’t prevent the process from being allocated a time slot in which to execute, due to the fact that the Windows scheduler works with threads. That’s it – the threads are being scheduled to run, not the processes."
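The first technique Ivo describes, modelled as an added example (not code from the article, from Infoprocess or from any tool named here): a constructed, simplified record layout stands in for SYSTEM_PROCESS_INFORMATION, where each record carries NextEntryOffset and a thread count. A hook on ZwQuerySystemInformation hides a process by making the previous visible record's NextEntryOffset jump over it, leaving the skipped bytes in the buffer. The detection side is the useful part: a record whose link is longer than its own true size (header plus thread array) has a gap, and the hidden records can be parsed out of that gap. The pids 448 and 316 are the two hxdef100.exe instances from the RegMon trace; the field layout, the other processes, thread counts and all addresses are constructed.

```python
import struct

# Constructed, simplified record layout standing in for SYSTEM_PROCESS_INFORMATION.
# Only the fields the technique depends on are modelled:
#   NextEntryOffset u32 | NumberOfThreads u32 | UniqueProcessId u64 | ImageName 32 bytes
# followed by NumberOfThreads thread entries (thread id u64, start address u64).
HDR = "<IIQ32s"
HDR_SIZE = struct.calcsize(HDR)   # 48
THR = "<QQ"
THR_SIZE = struct.calcsize(THR)   # 16


def record_size(n_threads):
    """True size of one record: header plus its thread array."""
    return HDR_SIZE + n_threads * THR_SIZE


def build_buffer(procs, hidden_pids=()):
    """Constructed test input. procs: list of (pid, name, n_threads) in buffer order.

    Records for hidden_pids stay in the buffer byte for byte, but the NextEntryOffset
    of the preceding visible record is enlarged to jump over them. That is what a
    hook on ZwQuerySystemInformation leaves behind when it drops a process record
    before returning to its caller. The first record cannot be hidden in this model.
    """
    assert procs[0][0] not in hidden_pids, "first record cannot be skipped here"
    sizes = [record_size(n) for _, _, n in procs]
    out = b""
    for i, (pid, name, n) in enumerate(procs):
        last = i == len(procs) - 1
        if pid in hidden_pids:
            # the skipped record keeps its original, now stale, link
            next_off = 0 if last else sizes[i]
        else:
            # link to the next visible record, or 0 at the end of the chain
            j = i + 1
            while j < len(procs) and procs[j][0] in hidden_pids:
                j += 1
            next_off = 0 if j == len(procs) else sum(sizes[i:j])
        out += struct.pack(HDR, next_off, n, pid, name.encode())
        for t in range(n):  # constructed thread ids and start addresses
            out += struct.pack(THR, pid * 100 + t, 0x77E00000 + t)
    return out


def _header(buf, off):
    next_off, n_threads, pid, name = struct.unpack_from(HDR, buf, off)
    return next_off, n_threads, pid, name.rstrip(b"\0").decode()


def walk_visible(buf):
    """What Task Manager or Process Explorer sees: follow NextEntryOffset only."""
    seen, off = [], 0
    while True:
        next_off, _, pid, name = _header(buf, off)
        seen.append((pid, name))
        if next_off == 0:
            return seen
        off += next_off


def find_hidden(buf):
    """Gap analysis: a record whose link is longer than its true size has something
    hidden between it and the next visible record; parse the gap as records.
    For the last visible record the gap runs to the end of the buffer."""
    hidden, off = [], 0
    while True:
        next_off, n_threads, _, _ = _header(buf, off)
        gap_start = off + record_size(n_threads)
        gap_end = len(buf) if next_off == 0 else off + next_off
        g = gap_start
        while g + HDR_SIZE <= gap_end:
            _, t, pid, name = _header(buf, g)
            hidden.append((pid, name))
            g += record_size(t)
        if next_off == 0:
            return hidden
        off += next_off


# pids 448 and 316 are the two hxdef100.exe instances in the RegMon trace;
# the other entries and all thread counts are constructed.
SAMPLE_PROCS = [(4, "System", 50), (448, "hxdef100.exe", 3),
                (1234, "explorer.exe", 12), (316, "hxdef100.exe", 2)]
SAMPLE_BUF = build_buffer(SAMPLE_PROCS, hidden_pids={448, 316})

if __name__ == "__main__":
    print("visible:", walk_visible(SAMPLE_BUF))
    print("hidden: ", find_hidden(SAMPLE_BUF))
```

Real detectors apply the same comparison against sizeof(SYSTEM_PROCESS_INFORMATION) plus the thread array, and cross-check the result with other views of the process list, since a hook that also rewrites the skipped bytes defeats gap analysis alone.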


To follow some of these explanations, it may be helpful to take a look at the MSDN library.


We have seen with the most popular rootkit example that a rootkit:

- does not create new files, but only hides its own files;

- does not alter the integrity of the system (no modification of files);

- patches the system by hooking system functions and unlinking its own service from the module list.


Windows and efficient system utilities like Process Explorer are not able to detect the presence of a rootkit: specialized detectors are required.



Published in LINE DEFENSE


testedhacks 05/09/2015 09:42

Your blog is really one amongst my most favorite blogs, it’s so creative.