Escolar Documentos
Profissional Documentos
Cultura Documentos
MALWARE
Windows.exe
Anlisis
La muestra elegida para analizar tiene de nombre Windows.exe, estas son sus especificaciones:
Nombre: windows.exe
Tipo de archivo: Portable Executable 32 .NET Assembly
Informacin de archivo: Microsoft Visual Studio .NET
Tamao: 28.50 KB (29184 bytes)
md5: 52A8409C1094FC21866C83DB6B3D25E8
sha: FB4DD5992C5D04230E8C06A5A3B01C16F0FFB7E2
Dependencias Creadas:
Windows.ex.exe --- Principal
DW20.exe servicio levantado
Archivos Generados:
C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\culture.dll
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\diasymreader.dll
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_xww_5cf844d2\MSVCR80.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CommonControls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#
\900525e192ca3d523143207ac11ae5f5\Microsoft.VisualBasic.ni.dll
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\c91f68c2920882e02aec0
0eeabb6b415\System.Drawing.ni.dll
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms
\0c70e5d82578be2f6c0dde89182261c5\System.Windows.Forms.ni.dll
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\36dbfcf62e07d819b3de533898868
ecf\System.ni.dll
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\642534209e13d16e93b80a62874
2d2ee\mscorlib.ni.dll
C:\WINDOWS\system32\Apphelp.dll
C:\WINDOWS\system32\MSCTF.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\imm32.dll
C:\WINDOWS\system32\l_intl.nls
C:\WINDOWS\system32\mscoree.dll
C:\WINDOWS\system32\rpcss.dll
C:\WINDOWS\system32\shell32.dll
C:\Windows\AppPatch\sysmain.sdb
C:\windows.ex.exe
Servicios Generados:
Se levanta el servicio DW20.exe
MD5: a981419c39cc02259b8f2da3974000d9
SHA-1: 905d359e2c5e8330d39b746132fa9779f52c0b93
2f\52628d2e
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e
666\69db6748
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e
666\69db6748\11
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce
40\2995e574\9
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac
50\3914f670\25
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c
7e\4426ac2f\21
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59
c5\7f729234\e
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c99106
4\268e923b\24
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca0
6a0\31de29a4\b
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4
c0\3fcdfaca\10
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting
HKEY_CURRENT_USER\SOFTWARE\Microsoft\PCHealth\ErrorReporting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting\ExclusionList
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting\ExclusionList
HKEY_CURRENT_USER\SOFTWARE\Microsoft\PCHealth\ErrorReporting\ExclusionList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\ExclusionList
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting\InclusionList
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting\InclusionList
HKEY_CURRENT_USER\SOFTWARE\Microsoft\PCHealth\ErrorReporting\InclusionList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\InclusionList
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting\DW\Installed
HKEY_CLASSES_ROOT\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server
HKEY_CURRENT_USER\Software\Microsoft\PCHealth\ErrorReporting\DW\Debug
HKEY_LOCAL_MACHINE\Software\Microsoft\Office\12.0\Common\Security
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\Software\Microsoft\Office\11.0\Common\InstallRoot
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office
HKEY_CURRENT_USER\Software\Microsoft\Office\Common
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient
HKEY_LOCAL_MACHINE\Software\Microsoft\Office\12.0\Common\ProductVersion
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
HKEY_CURRENT_USER\Software\Microsoft\PCHealth\ErrorReporting\DW
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting\DW
HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting\DW\Debug
HKEY_CURRENT_USER\Software\Policies\Microsoft\PCHealth\ErrorReporting\DW
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\ErrorReporting\DW
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\KnownManagedDebuggingDlls
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet
Settings
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\5.0\Cache
HKEY_LOCAL_MACHINE\System\Setup
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\5.0\Cache\Content
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\5.0\Cache\Content
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Cache\Paths
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Cache\Paths\Path1
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Cache\Paths\Path2
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Cache\Paths\Path3
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Cache\Paths\Path4
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Cache\Special Paths
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\5.0\Cache\Cookies
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\5.0\Cache\Cookies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\5.0\Cache\History
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\5.0\Cache\History
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\5.0\Cache\Extensible Cache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\5.0\Cache\Extensible Cache\MSHist012014092220140929
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\5.0\Cache\Extensible Cache\MSHist012014092920140930
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_AUTOPROXY_CACHE_ANAME_KB921400
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_TEMPORARYFILES_FOR_NOCACHE_840387
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_TEMPORARYFILES_FOR_NOCACHE_840386
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet
Explorer\Main\FeatureControl\RETRY_HEADERONLYPOST_ONCONNECTIONRESET
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_CHUNK_TIMEOUT_KB914453
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_CERT_TRUST_VERIFIED_KB936882
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\5.0\Cache
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet
Settings\5.0\Cache
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet
Settings\5.0\Cache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\5.0\Cache
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_BUFFERBREAKING_818408
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_SKIP_POST_RETRY_ON_INTERNETWRITEFILE_KB895954
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_ENSURE_FQDN_FOR_NEGOTIATE_KB899417
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_HTTP_DISABLE_NTLM_PREAUTH_IF_ABORTED_KB90240
9
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_PERMIT_CACHE_FOR_AUTHENTICATED_FTP_KB910274
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_WPAD_STORE_URL_AS_FQDN_KB903926
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_USE_CNAME_FOR_SPN_KB911149
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_KEEP_CACHE_INDEX_OPEN_KB899342
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_WAIT_TIME_THREAD_TERMINATE_KB886801
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_FIX_CHUNKED_PROXY_SCRIPT_DOWNLOAD_KB843289
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\RASAPI32
HKEY_USERS\S-1-5-21-1547161642-507921405-839522115-1004
HKEY_USERS\S-1-5-21-1547161642-507921405-8395221151004\Software\Microsoft\windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell
Folders
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName
ActiveComputerName
HKEY_USERS\S-1-5-21-1547161642-507921405-839522115-1004\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon
HKEY_USERS\S-1-5-21-1547161642-507921405-839522115-1004\Environment
HKEY_USERS\S-1-5-21-1547161642-507921405-839522115-1004\Volatile Environment
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_USERS\S-1-5-21-1547161642-507921405-8395221151004\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_USERS\S-1-5-21-1547161642-507921405-8395221151004\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_USERS\S-1-5-21-1547161642-507921405-8395221151004\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF\LangBarAddIn\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\LangBarAddIn\
HKEY_CLASSES_ROOT\.htm
Control Panel\International\Geo
Bloqueos de Windows
*El equipo no presenta bloqueos aparentemente
Mtodo de ejecucin
Semiautomtica: El usuario debe ejecutar desde un principio el archivo, y este mismo de
sigue ejecutando aun despus de que la maquina tenga un reinicio.
Solucin:
Matar el servicio generado, eliminar cada una de las llaves del registro generadas, y cada
archivo generado.
En este punto correr una solucin de antivirus, ya que el archivo ya est firmado, fue
suficiente.
Recomendaciones:
*Para este punto, no se deber an correr archivos con nombres tan comprometedores como
Windows.ese es el nombre del sistema operativo, no deber a haber una aplicacin con el
mismo nombre, es demasiado sospechoso.
*Siempre antes de correr una aplicacin de la cual no ests seguro, analizarla en
www.virustotal.com , podrias tener una idea ms clara de lo que es el archivo.
Herramientas:
Las herramientas que sirvieron de apoyo en esta prctica fueron:
https://anubis.iseclab.org/
www.virustotal.com
CFF explorer
Regshot
Hashmyfiles
Floderchangesview
Evidencias