File strings and system calls suggest it is a version of Gh0st RAT with a keylogger.

File writes:
File Write C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE -> %Temp%\Excel8.0\MSComctlLib.exd
File Write C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE -> %Temp%\set.xls
File Write C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE -> %Temp%\ews.exe
File Write %Temp%\ews.exe -> %Application Data%\iexplore.exe
File Write %Temp%\ews.exe -> %Temp%\Del.bat
File Write %Temp%\ews.exe -> C:\WINDOWS\system32\srvlic.dll
File Write %Temp%\ews.exe -> %Temp%\keybyd.dat
File Write C:\WINDOWS\system32\cmd.exe -> \deleted_files\Del.bat
File Write %Application Data%\iexplore.exe -> %Temp%\syslog.dat

Process terminated: C:\WINDOWS\system32\cmd.exe -> .OFFICE11\EXCEL.EXE

Mutexes:
MutexObject  iexplore.exe 1348 (iexplore.exe)
ShimCacheMutex  iexplore.exe 1348 (iexplore.exe)
%temp%  Loop_KeyboardManager
%temp%\keybyd.dat  Loop_HookKeyboard

Gh0st 3.6 source code (go up the path to see other files). Read McAfee's "Anatomy of a Gh0st RAT" for background.

The trojan collects all system logs and data and uploads them to the C2 server in a very verbose form, as you see below. ET signatures exist for the traffic patterns. Trojan Nflog was covered more than once before on Contagio and other sources.
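The file-write trace above is the part of this report that a detection engineer can turn into rules: an Office process dropping an executable into %Temp%, a %Temp% binary writing a DLL into system32, a file named like a system browser landing in a user profile directory, and a dropper writing a self-deletion batch file. The script below is an added example (not from the original post) that parses the trace as constructed sample input, flags those patterns, and walks the writer links back from the final syslog.dat drop to the originating Office process; the rule names, the Office/lookalike name sets and the system-root prefixes are assumptions of the example.

```python
import ntpath
import re

# Constructed sample: the sandbox "File Write <writer> -> <target>" lines from this post.
SAMPLE_TRACE = r"""
File Write C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE -> %Temp%\Excel8.0\MSComctlLib.exd
File Write C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE -> %Temp%\set.xls
File Write C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE -> %Temp%\ews.exe
File Write %Temp%\ews.exe -> %Application Data%\iexplore.exe
File Write %Temp%\ews.exe -> %Temp%\Del.bat
File Write %Temp%\ews.exe -> C:\WINDOWS\system32\srvlic.dll
File Write %Temp%\ews.exe -> %Temp%\keybyd.dat
File Write C:\WINDOWS\system32\cmd.exe -> \deleted_files\Del.bat
File Write %Application Data%\iexplore.exe -> %Temp%\syslog.dat
"""
EVENT_RE = re.compile(r"^File Write (.+?) -> (.+)$")
OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}         # document handlers that should not drop binaries
EXEC_EXT = {".exe", ".dll", ".bat", ".scr", ".com"}
LOOKALIKES = {"iexplore.exe", "svchost.exe", "explorer.exe"}  # system names a dropper may borrow (assumed set)
SYSTEM_ROOTS = ("c:\\program files", "c:\\windows")           # where the real ones live (assumed)

def parse_events(text):
    """Return (writer, target) pairs for every 'File Write' line."""
    return [(m[1].strip(), m[2].strip()) for m in map(EVENT_RE.match, text.splitlines()) if m]

def base(path):
    return ntpath.basename(path).lower()

def findings(events):
    """Flag write events matching a dropper pattern; returns (rule, writer, target) tuples."""
    out = []
    for w, t in events:
        wb, tb, ext, wl, tl = base(w), base(t), ntpath.splitext(t)[1].lower(), w.lower(), t.lower()
        if wb in OFFICE and ext in EXEC_EXT:
            out.append(("office_drops_executable", wb, tb))
        if wl.startswith("%temp%") and tl.startswith("c:\\windows\\system32"):
            out.append(("temp_binary_writes_system32", wb, tb))
        if tb in LOOKALIKES and not tl.startswith(SYSTEM_ROOTS):
            out.append(("system_name_outside_system_path", wb, tb))
        if ext == ".bat" and wl.startswith("%temp%"):
            out.append(("dropper_writes_batch", wb, tb))
    return out

def drop_chain(events, path):
    """Follow 'who wrote this file' links back to the origin, e.g. the Office process."""
    writer_of = {t.lower(): w for w, t in events}
    chain, seen = [path], {path.lower()}
    while chain[-1].lower() in writer_of and writer_of[chain[-1].lower()].lower() not in seen:
        chain.append(writer_of[chain[-1].lower()])
        seen.add(chain[-1].lower())
    return [base(p) for p in reversed(chain)]   # origin first

if __name__ == "__main__":
    ev = parse_events(SAMPLE_TRACE)
    for rule, w, t in findings(ev):
        print(f"{rule:34} {w} -> {t}")
    print("drop chain:", " -> ".join(drop_chain(ev, r"%Temp%\syslog.dat")))
```

Running it prints four findings and the chain excel.exe -> ews.exe -> iexplore.exe -> syslog.dat, which is the lineage from the malicious spreadsheet to the exfiltration staging file.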