Report - CrySyS Lab
NetScanFiles_2.jpg
hash: F445D90FDD7AB950ADABC79451E57E2A
compile time: 2012-07-19
This module scans mapped network shares for specific file names and writes their list into the file “\ProgramData\Adobe\AdobeArm\sysdll2.txt”.
The file names to be found include the following: “*saidumlo* *secret*.* *секрет*.* *парол*.* *.xls *.pdf *.pgp *pass*.* *.rtf *.doc”
The collected file list consists of items formatted according to the following structure:
“[/N2.0-02.02.01.00:0000000032]\\SRV\share\a.xls 5 01.03.2013 06:43”
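For an analyst triaging a recovered sysdll2.txt, a parser for the record format above is useful: it splits each line into the bracketed tag, the UNC path and the trailing fields, derives which servers were touched, and notes which of the report's wildcard patterns would have selected each file name. This is an added illustration, not code from the CrySyS report or from the malware. The meaning of the bracketed tag and the reading of the trailing fields as a size, a date (dd.mm.yyyy) and a time are assumptions; the sample listing is constructed around the single record quoted in the report.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from fnmatch import fnmatchcase

# Wildcard patterns quoted in the report for the NetScanFiles module.
TARGET_PATTERNS = ["*saidumlo*", "*secret*.*", "*секрет*.*", "*парол*.*",
                   "*.xls", "*.pdf", "*.pgp", "*pass*.*", "*.rtf", "*.doc"]

# One record: bracketed tag, UNC path (may contain spaces, so non-greedy),
# then three trailing fields ASSUMED to be size, date (dd.mm.yyyy), time (HH:MM).
RECORD_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\]"
    r"(?P<path>\\\\.+?)"
    r" (?P<size>\d+)"
    r" (?P<date>\d{2}\.\d{2}\.\d{4})"
    r" (?P<time>\d{2}:\d{2})$"
)


@dataclass
class Entry:
    tag: str
    path: str
    size: int
    timestamp: datetime
    matched_patterns: list = field(default_factory=list)

    @property
    def server(self):
        # "\\SRV\share\a.xls" -> "SRV"
        return self.path[2:].split("\\", 1)[0]

    @property
    def name(self):
        return self.path.rsplit("\\", 1)[-1]


def matching_patterns(name):
    """Return the report's patterns that would have selected this file name."""
    low = name.lower()  # Windows file name matching is case-insensitive
    return [p for p in TARGET_PATTERNS if fnmatchcase(low, p.lower())]


def parse_record(line):
    """Parse one listing line; returns None for lines that are not records."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["date"] + " " + m["time"], "%d.%m.%Y %H:%M")
    entry = Entry(m["tag"], m["path"], int(m["size"]), ts)
    entry.matched_patterns = matching_patterns(entry.name)
    return entry


def parse_listing(text):
    """Parse a whole sysdll2.txt body, skipping junk or truncated lines."""
    return [e for e in (parse_record(l) for l in text.splitlines()) if e]


def servers_touched(entries):
    """Set of server names that appear in the collected paths."""
    return {e.server for e in entries}


# Constructed sample: the record quoted in the report plus two invented ones.
SAMPLE_LISTING = r"""
[/N2.0-02.02.01.00:0000000032]\\SRV\share\a.xls 5 01.03.2013 06:43
[/N2.0-02.02.01.00:0000000033]\\SRV\share\Quarterly Secret Plan.doc 14336 28.02.2013 17:05
[/N2.0-02.02.01.00:0000000034]\\FILESRV2\docs\пароли.txt 120 15.01.2013 09:12
not a record line
"""

if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LISTING)
    for e in entries:
        print(e.server, e.name, e.size, e.timestamp, e.matched_patterns)
    print("servers touched:", sorted(servers_touched(entries)))
```

Knowing which pattern selected a file tells the responder what the operators were after (spreadsheets and documents generally, or specifically anything named like a password or secret file), and the server set gives the list of shares to check for further access.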
NetScanShares_2.jpg
hash: 696F408AF42071FBF1C60E6E50B60E09
compile time: 2012-07-19
This module enumerates network resources and writes its output into the file “\ProgramData\Adobe\AdobeArm\sysdll2.txt”.
The output contains Server, Share and Domain lists in use by the computer.
Interestingly, the binary contains leftover data that is not used, like the listing of interesting files:
“*saidumlo* *secret*.* *секрет*.* *парол*.* *.xls *.pdf *.pgp *pass*.* *.rtf *.doc”
SystemInfo_2.jpg
hash: 5C7BF0BB019B6C2DCD7DE61F89A2DE2E
compile time: 2012-07-19
This module obtains information about the victim system and its environment by executing the following commands:
route print
netstat -r
netstat -b
netstat -a
systeminfo
wmic computersystem get * /format:list
wmic os get * /format:list
wmic logicaldisk get * /format:list
wmic product get * /format:list
wmic service get * /format:list
wmic process get * /format:list
wmic useraccount get * /format:list
wmic qfe get * /format:list
Output is written into “\ProgramData\Adobe\AdobeArm\sysdll2.txt”
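Each of these commands is ordinary administrative tooling, so what makes the module visible in process-creation telemetry is the burst: one parent process spawning many distinct recon commands within seconds. The Python below is a detection sketch added here, not code from the report; it classifies command lines against the list above and alerts when one parent launches at least a threshold number of distinct commands inside a time window. The event records, process images and PIDs are constructed, and the five-minute window and threshold of five are arbitrary assumptions to tune against real data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# wmic classes queried by the SystemInfo module, as listed in the report
WMIC_CLASSES = {"computersystem", "os", "logicaldisk", "product",
                "service", "process", "useraccount", "qfe"}


def classify(cmd):
    """Map a process command line to one of the report's recon commands, or None."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) > 0:   # quoted program path
        end = cmd.find('"', 1)
        prog, rest = cmd[1:end], cmd[end + 1:]
    else:
        prog, _, rest = cmd.partition(" ")
    prog = prog.rsplit("\\", 1)[-1].lower()            # drop directory, normalise case
    if prog.endswith(".exe"):
        prog = prog[:-4]
    args = rest.lower().split()
    if prog == "route" and args[:1] == ["print"]:
        return "route print"
    if prog == "netstat" and args and args[0] in ("-r", "-b", "-a"):
        return "netstat " + args[0]
    if prog == "systeminfo":
        return "systeminfo"
    if (prog == "wmic" and len(args) >= 4 and args[0] in WMIC_CLASSES
            and args[1:4] == ["get", "*", "/format:list"]):
        return "wmic " + args[0]
    return None


def detect_recon_bursts(events, window_minutes=5, min_distinct=5):
    """One alert per parent that launches >= min_distinct distinct recon commands
    within window_minutes. events: dicts with keys time, ppid, pimage, cmd."""
    window = timedelta(minutes=window_minutes)
    by_parent = defaultdict(list)
    for ev in events:
        sig = classify(ev["cmd"])
        if sig:
            by_parent[(ev["ppid"], ev["pimage"])].append((ev["time"], sig))
    alerts = []
    for (ppid, pimage), hits in by_parent.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):          # sliding window from each hit
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            commands = sorted({sig for _, sig in in_window})
            if len(commands) >= min_distinct:
                alerts.append({"ppid": ppid, "pimage": pimage,
                               "first_seen": t0, "last_seen": in_window[-1][0],
                               "commands": commands})
                break
    return alerts


def _t(hhmmss):
    return datetime.strptime("2013-03-01 " + hhmmss, "%Y-%m-%d %H:%M:%S")


# Constructed telemetry: a placeholder implant image runs the chain in 19 seconds,
# while an administrator's cmd.exe runs a couple of the same tools hours apart.
SUSPECT = r"C:\Users\victim\AppData\Local\Temp\updater.exe"   # placeholder, not from the report
ADMIN = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    {"time": _t("10:00:01"), "ppid": 4120, "pimage": SUSPECT, "cmd": "route print"},
    {"time": _t("10:00:02"), "ppid": 4120, "pimage": SUSPECT, "cmd": "netstat -r"},
    {"time": _t("10:00:03"), "ppid": 4120, "pimage": SUSPECT, "cmd": "netstat -a"},
    {"time": _t("10:00:05"), "ppid": 4120, "pimage": SUSPECT, "cmd": "systeminfo"},
    {"time": _t("10:00:09"), "ppid": 4120, "pimage": SUSPECT,
     "cmd": r'"C:\Windows\System32\wbem\WMIC.exe" computersystem get * /format:list'},
    {"time": _t("10:00:12"), "ppid": 4120, "pimage": SUSPECT, "cmd": "wmic os get * /format:list"},
    {"time": _t("10:00:20"), "ppid": 4120, "pimage": SUSPECT, "cmd": "wmic qfe get * /format:list"},
    {"time": _t("10:05:00"), "ppid": 900, "pimage": ADMIN, "cmd": "netstat -a"},
    {"time": _t("11:30:00"), "ppid": 900, "pimage": ADMIN, "cmd": "systeminfo"},
    {"time": _t("11:31:00"), "ppid": 900, "pimage": ADMIN, "cmd": "wmic os get caption"},
]

if __name__ == "__main__":
    for a in detect_recon_bursts(SAMPLE_EVENTS):
        print(a["pimage"], a["ppid"], a["first_seen"].time(), "->",
              a["last_seen"].time(), a["commands"])
```

Keying on the parent process rather than on individual commands is what keeps the rule quiet: a help-desk script or an administrator will hit one or two of these signatures, but rarely the whole chain from a single non-shell parent in a few seconds. The `wmic ... get * /format:list` shape is also more specific than a bare `wmic` match, since interactive use normally names the properties wanted.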