JScript.Nemucod.ZW_4 is an Exploit. An Exploit is a piece of software or sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behaviour to occur on computer software. Attackers usually use an exploit to deliver a payload on the victims system.
Mutexes created
Directory level activity
File level activity
Registry level activity- write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0932c062-299c-11e2-afd8-806d6172696f}\BaseClass
- write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0932c060-299c-11e2-afd8-806d6172696f}\BaseClass
Library level activity- load - library - KERNEL32.DLL
- load - library - ADVAPI32.dll
- load - library - SHELL32.dll
- load - library - C:\WINDOWS\system32\shell32.dll
- load - library - C:\WINDOWS\system32\rundll32.exe
- load - library - C:\WINDOWS\system32\uxtheme.dll
- load - library - uxtheme.dll
- load - library - ole32.dll
- load - library - C:\WINDOWS\system32\rpcss.dll
- load - library - UxTheme.dll
- load - library - OLE32.DLL
- load - library - C:\WINDOWS\system32\SHELL32.dll
- load - library - SETUPAPI.dll
- load - library - KERNEL32
- load - library - appHelp.dll
- load - library - cscui.dll
- load - library - CLBCATQ.DLL
- load - library - C:\WINDOWS\System32\cscui.dll
- load - library - EXPLORER.EXE
Process API calls used
- CreateProcessInternalW
- ShellExecuteExW
Registry API calls used
- RegOpenKeyExW
- RegQueryValueExW
- RegCloseKey
- NtOpenKey
- NtQueryValueKey
- NtQueryValueKey
System API calls used
- LdrGetDllHandle
- LdrGetProcedureAddress
- LdrLoadDll
- LdrGetProcedureAddress
Filesystem API calls used
- FindFirstFileExW
- FindFirstFileExW
Network
UDP source >> destination
- 192.168.30.3 >> 192.168.30.255
TCP source >> destination
Domains:
DNS Request:
HTTP Request:
DLL related data
Number of DLL's imported = 0
|
