Sperolz.A_3 is a Worm. Worms are self-replicating malicious programs that run independently and travel across network connections without human action. They can spread over email, IM, peer-to-peer networks, or directly over the wire by exploiting vulnerabilities. The threat a worm poses lies in its ability to replicate itself on a system, so that an infected computer can send out hundreds or thousands of copies of itself.
Mutexes created
Directory level activity
File level activity
- write - file - C:\WINDOWS\winlog.EXE
- write - file - PIPE\wkssvc
- write - file - C:\WINDOWS\TEMP\scs1.tmp
- write - file - C:\WINDOWS\TEMP\scs2.tmp
- delete - file - C:\WINDOWS\TEMP\scs1.tmp
- delete - file - C:\WINDOWS\TEMP\scs2.tmp
Registry level activity
- write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal
- write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0932c062-299c-11e2-afd8-806d6172696f}\BaseClass
- write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0932c060-299c-11e2-afd8-806d6172696f}\BaseClass
- write - registry - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents
- write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop
- write - registry - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop
- write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
- write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
- write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
- write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
- write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
- write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\winlog.exe
Library level activity
- load - library - C:\WINDOWS\system32\rpcss.dll
- load - library - C:\WINDOWS\system32\uxtheme.dll
- load - library - uxtheme.dll
- load - library - OLEAUT32.DLL
- load - library - oleaut32.dll
- load - library - ole32.dll
- load - library - SXS.DLL
- load - library - USER32
- load - library - C:\WINDOWS\system32\vb6chs.dll
- load - library - kernel32
- load - library - shlwapi.dll
- load - library - shell32.dll
- load - library - netapi32
- load - library - OLE32.DLL
- load - library - C:\WINDOWS\system32\SHELL32.dll
- load - library - SHELL32.dll
- load - library - SETUPAPI.dll
- load - library - CLBCATQ.DLL
- load - library - KERNEL32.DLL
- load - library - C:\WINDOWS\system32\urlmon.dll
- load - library - Secur32.dll
- load - library - userenv
- load - library - KERNEL32
- load - library - VERSION.dll
- load - library - C:\WINDOWS\winlog.exe
- load - library - browseui.dll
- load - library - WINMM.DLL
- load - library - NTVDMD.DLL
- load - library - Userenv.dll
Process API calls used
- ZwMapViewOfSection
- VirtualProtectEx
- NtCreateSection
- CreateProcessInternalW
- NtFreeVirtualMemory
- ExitProcess
Registry API calls used
- NtOpenKey
- NtQueryValueKey
- RegOpenKeyExA
- RegQueryValueExW
- RegCloseKey
- RegOpenKeyExW
- RegEnumKeyW
- RegCreateKeyExW
- RegSetValueExW
- RegEnumValueW
- RegQueryInfoKeyW
- RegEnumKeyExW
System API calls used
- LdrGetDllHandle
- LdrLoadDll
- IsDebuggerPresent
- LdrGetProcedureAddress
- SetWindowsHookExA
- LookupPrivilegeValueW
- NtDelayExecution
Filesystem API calls used
- NtCreateFile
- NtQueryInformationFile
- NtSetInformationFile
- FindFirstFileExW
- NtOpenFile
- NtReadFile
- NtWriteFile
Network
UDP source >> destination
- 192.168.30.254 >> 192.168.30.7
- 192.168.30.7 >> 192.168.30.255
TCP source >> destination
- 192.168.30.7 >> 192.168.30.254
Domains:
DNS Request:
HTTP Request:
DLL related data
Number of DLLs imported = 1