From c8936555c97428d5f6f19d9309b4c4a658506b93 Mon Sep 17 00:00:00 2001
From: aaron
Date: Thu, 2 Dec 2021 23:04:51 +0100
Subject: [PATCH] add malware scan
---
 forensics/honeypot/win_malware | 412 +++++++++++++++++++++++++++++++++
 1 file changed, 412 insertions(+)
 create mode 100644 forensics/honeypot/win_malware
diff --git a/forensics/honeypot/win_malware b/forensics/honeypot/win_malware
new file mode 100644
index 0000000..803cbc7
--- /dev/null
+++ b/forensics/honeypot/win_malware
@@ -0,0 +1,412 @@
+Volatility 3 Framework 1.0.1
+
+PID Process Start VPN End VPN Tag Protection CommitCharge PrivateMemory File output Hexdump Disasm
+
+1556 explorer.exe 0x3130000 0x3130fff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled
+00 00 00 00 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+00 00 13 03 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+10 00 13 03 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+20 00 13 03 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+0x3130000: add byte ptr [eax], al
+0x3130002: add byte ptr [eax], al
+0x3130004: add byte ptr [eax], al
+0x3130006: add byte ptr [eax], al
+0x3130008: add byte ptr [eax], al
+0x313000a: add byte ptr [eax], al
+0x313000c: add byte ptr [eax], al
+0x313000e: add byte ptr [eax], al
+0x3130010: add byte ptr [eax], al
+0x3130012: adc eax, dword ptr [ebx]
+0x3130014: add byte ptr [eax], al
+0x3130016: add byte ptr [eax], al
+0x3130018: add byte ptr [eax], al
+0x313001a: add byte ptr [eax], al
+0x313001c: add byte ptr [eax], al
+0x313001e: add byte ptr [eax], al
+0x3130020: adc byte ptr [eax], al
+0x3130022: adc eax, dword ptr [ebx]
+0x3130024: add byte ptr [eax], al
+0x3130026: add byte ptr [eax], al
+0x3130028: add byte ptr [eax], al
+0x313002a: add byte ptr [eax], al
+0x313002c: add byte ptr [eax], al
+0x313002e: add byte ptr [eax], al
+0x3130030: and byte ptr [eax], al
+0x3130032: adc eax, dword ptr [ebx]
+0x3130034: add byte ptr [eax], al
+0x3130036: add byte ptr [eax], al
+0x3130038: add byte ptr [eax], al
+0x313003a: add byte ptr [eax], al
+0x313003c: add byte ptr [eax], al
+0x313003e: add byte ptr [eax], al
+2460 SearchFilterHo 0x730000 0x76ffff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled
+c5 2f 31 e7 87 c4 00 01 ./1.....
+ee ff ee ff 00 00 00 00 ........
+a8 00 73 00 a8 00 73 00 ..s...s.
+00 00 73 00 00 00 73 00 ..s...s.
+40 00 00 00 88 05 73 00 @.....s.
+00 00 77 00 3f 00 00 00 ..w.?...
+01 00 00 00 00 00 00 00 ........
+f0 0f 73 00 f0 0f 73 00 ..s...s.
+0x730000: lds ebp, ptr [edi]
+0x730002: xor edi, esp
+0x730004: xchg esp, eax
+0x730006: add byte ptr [ecx], al
+0x730008: out dx, al
+2856 explorer.exe 0x16e0000 0x16e0fff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled
+00 00 00 00 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+00 00 6e 01 00 00 00 00 ..n.....
+00 00 00 00 00 00 00 00 ........
+10 00 6e 01 00 00 00 00 ..n.....
+00 00 00 00 00 00 00 00 ........
+20 00 6e 01 00 00 00 00 ..n.....
+00 00 00 00 00 00 00 00 ........
+0x16e0000: add byte ptr [eax], al
+0x16e0002: add byte ptr [eax], al
+0x16e0004: add byte ptr [eax], al
+0x16e0006: add byte ptr [eax], al
+0x16e0008: add byte ptr [eax], al
+0x16e000a: add byte ptr [eax], al
+0x16e000c: add byte ptr [eax], al
+0x16e000e: add byte ptr [eax], al
+0x16e0010: add byte ptr [eax], al
+0x16e0012: outsb dx, byte ptr [esi]
+0x16e0013: add dword ptr [eax], eax
+0x16e0015: add byte ptr [eax], al
+0x16e0017: add byte ptr [eax], al
+0x16e0019: add byte ptr [eax], al
+0x16e001b: add byte ptr [eax], al
+0x16e001d: add byte ptr [eax], al
+0x16e001f: add byte ptr [eax], dl
+0x16e0021: add byte ptr [esi + 1], ch
+0x16e0024: add byte ptr [eax], al
+0x16e0026: add byte ptr [eax], al
+0x16e0028: add byte ptr [eax], al
+0x16e002a: add byte ptr [eax], al
+0x16e002c: add byte ptr [eax], al
+0x16e002e: add byte ptr [eax], al
+0x16e0030: and byte ptr [eax], al
+0x16e0032: outsb dx, byte ptr [esi]
+0x16e0033: add dword ptr [eax], eax
+0x16e0035: add byte ptr [eax], al
+0x16e0037: add byte ptr [eax], al
+0x16e0039: add byte ptr [eax], al
+0x16e003b: add byte ptr [eax], al
+0x16e003d: add byte ptr [eax], al
+2856 explorer.exe 0x38d0000 0x38d1fff VadS PAGE_EXECUTE_READWRITE 2 1 Disabled
+b0 00 eb 70 b0 01 eb 6c ...p...l
+b0 02 eb 68 b0 03 eb 64 ...h...d
+b0 04 eb 60 b0 05 eb 5c ...`...\
+b0 06 eb 58 b0 07 eb 54 ...X...T
+b0 08 eb 50 b0 09 eb 4c ...P...L
+b0 0a eb 48 b0 0b eb 44 ...H...D
+b0 0c eb 40 b0 0d eb 3c ...@...<
+b0 0e eb 38 b0 0f eb 34 ...8...4
+0x38d0000: mov al, 0
+0x38d0002: jmp 0x38d0074
+0x38d0004: mov al, 1
+0x38d0006: jmp 0x38d0074
+0x38d0008: mov al, 2
+0x38d000a: jmp 0x38d0074
+0x38d000c: mov al, 3
+0x38d000e: jmp 0x38d0074
+0x38d0010: mov al, 4
+0x38d0012: jmp 0x38d0074
+0x38d0014: mov al, 5
+0x38d0016: jmp 0x38d0074
+0x38d0018: mov al, 6
+0x38d001a: jmp 0x38d0074
+0x38d001c: mov al, 7
+0x38d001e: jmp 0x38d0074
+0x38d0020: mov al, 8
+0x38d0022: jmp 0x38d0074
+0x38d0024: mov al, 9
+0x38d0026: jmp 0x38d0074
+0x38d0028: mov al, 0xa
+0x38d002a: jmp 0x38d0074
+0x38d002c: mov al, 0xb
+0x38d002e: jmp 0x38d0074
+0x38d0030: mov al, 0xc
+0x38d0032: jmp 0x38d0074
+0x38d0034: mov al, 0xd
+0x38d0036: jmp 0x38d0074
+0x38d0038: mov al, 0xe
+0x38d003a: jmp 0x38d0074
+0x38d003c: mov al, 0xf
+0x38d003e: jmp 0x38d0074
+3324 iexplore.exe 0x1fd0000 0x1fd1fff VadS PAGE_EXECUTE_READWRITE 2 1 Disabled
+b0 00 eb 70 b0 01 eb 6c ...p...l
+b0 02 eb 68 b0 03 eb 64 ...h...d
+b0 04 eb 60 b0 05 eb 5c ...`...\
+b0 06 eb 58 b0 07 eb 54 ...X...T
+b0 08 eb 50 b0 09 eb 4c ...P...L
+b0 0a eb 48 b0 0b eb 44 ...H...D
+b0 0c eb 40 b0 0d eb 3c ...@...<
+b0 0e eb 38 b0 0f eb 34 ...8...4
+0x1fd0000: mov al, 0
+0x1fd0002: jmp 0x1fd0074
+0x1fd0004: mov al, 1
+0x1fd0006: jmp 0x1fd0074
+0x1fd0008: mov al, 2
+0x1fd000a: jmp 0x1fd0074
+0x1fd000c: mov al, 3
+0x1fd000e: jmp 0x1fd0074
+0x1fd0010: mov al, 4
+0x1fd0012: jmp 0x1fd0074
+0x1fd0014: mov al, 5
+0x1fd0016: jmp 0x1fd0074
+0x1fd0018: mov al, 6
+0x1fd001a: jmp 0x1fd0074
+0x1fd001c: mov al, 7
+0x1fd001e: jmp 0x1fd0074
+0x1fd0020: mov al, 8
+0x1fd0022: jmp 0x1fd0074
+0x1fd0024: mov al, 9
+0x1fd0026: jmp 0x1fd0074
+0x1fd0028: mov al, 0xa
+0x1fd002a: jmp 0x1fd0074
+0x1fd002c: mov al, 0xb
+0x1fd002e: jmp 0x1fd0074
+0x1fd0030: mov al, 0xc
+0x1fd0032: jmp 0x1fd0074
+0x1fd0034: mov al, 0xd
+0x1fd0036: jmp 0x1fd0074
+0x1fd0038: mov al, 0xe
+0x1fd003a: jmp 0x1fd0074
+0x1fd003c: mov al, 0xf
+0x1fd003e: jmp 0x1fd0074
+3324 iexplore.exe 0x3030000 0x3030fff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled
+00 00 00 00 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+00 00 03 03 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+10 00 03 03 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+20 00 03 03 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+0x3030000: add byte ptr [eax], al
+0x3030002: add byte ptr [eax], al
+0x3030004: add byte ptr [eax], al
+0x3030006: add byte ptr [eax], al
+0x3030008: add byte ptr [eax], al
+0x303000a: add byte ptr [eax], al
+0x303000c: add byte ptr [eax], al
+0x303000e: add byte ptr [eax], al
+0x3030010: add byte ptr [eax], al
+0x3030012: add eax, dword ptr [ebx]
+0x3030014: add byte ptr [eax], al
+0x3030016: add byte ptr [eax], al
+0x3030018: add byte ptr [eax], al
+0x303001a: add byte ptr [eax], al
+0x303001c: add byte ptr [eax], al
+0x303001e: add byte ptr [eax], al
+0x3030020: adc byte ptr [eax], al
+0x3030022: add eax, dword ptr [ebx]
+0x3030024: add byte ptr [eax], al
+0x3030026: add byte ptr [eax], al
+0x3030028: add byte ptr [eax], al
+0x303002a: add byte ptr [eax], al
+0x303002c: add byte ptr [eax], al
+0x303002e: add byte ptr [eax], al
+0x3030030: and byte ptr [eax], al
+0x3030032: add eax, dword ptr [ebx]
+0x3030034: add byte ptr [eax], al
+0x3030036: add byte ptr [eax], al
+0x3030038: add byte ptr [eax], al
+0x303003a: add byte ptr [eax], al
+0x303003c: add byte ptr [eax], al
+0x303003e: add byte ptr [eax], al
+3324 iexplore.exe 0x5fff0000 0x5fffffff VadS PAGE_EXECUTE_READWRITE 16 1 Disabled
+64 74 72 52 00 00 00 00 dtrR....
+00 02 ff 5f 00 00 00 00 ..._....
+00 00 00 00 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+0x5fff0000: je 0x5fff0075
+0x5fff0003: push edx
+0x5fff0004: add byte ptr [eax], al
+0x5fff0006: add byte ptr [eax], al
+0x5fff0008: add byte ptr [edx], al
+0x5fff000a: lcall [edi]
+0x5fff000d: add byte ptr [eax], al
+0x5fff000f: add byte ptr [eax], al
+0x5fff0011: add byte ptr [eax], al
+0x5fff0013: add byte ptr [eax], al
+0x5fff0015: add byte ptr [eax], al
+0x5fff0017: add byte ptr [eax], al
+0x5fff0019: add byte ptr [eax], al
+0x5fff001b: add byte ptr [eax], al
+0x5fff001d: add byte ptr [eax], al
+0x5fff001f: add byte ptr [eax], al
+0x5fff0021: add byte ptr [eax], al
+0x5fff0023: add byte ptr [eax], al
+0x5fff0025: add byte ptr [eax], al
+0x5fff0027: add byte ptr [eax], al
+0x5fff0029: add byte ptr [eax], al
+0x5fff002b: add byte ptr [eax], al
+0x5fff002d: add byte ptr [eax], al
+0x5fff002f: add byte ptr [eax], al
+0x5fff0031: add byte ptr [eax], al
+0x5fff0033: add byte ptr [eax], al
+0x5fff0035: add byte ptr [eax], al
+0x5fff0037: add byte ptr [eax], al
+0x5fff0039: add byte ptr [eax], al
+0x5fff003b: add byte ptr [eax], al
+0x5fff003d: add byte ptr [eax], al
+3344 iexplore.exe 0x25c0000 0x25c1fff VadS PAGE_EXECUTE_READWRITE 2 1 Disabled
+b0 00 eb 70 b0 01 eb 6c ...p...l
+b0 02 eb 68 b0 03 eb 64 ...h...d
+b0 04 eb 60 b0 05 eb 5c ...`...\
+b0 06 eb 58 b0 07 eb 54 ...X...T
+b0 08 eb 50 b0 09 eb 4c ...P...L
+b0 0a eb 48 b0 0b eb 44 ...H...D
+b0 0c eb 40 b0 0d eb 3c ...@...<
+b0 0e eb 38 b0 0f eb 34 ...8...4
+0x25c0000: mov al, 0
+0x25c0002: jmp 0x25c0074
+0x25c0004: mov al, 1
+0x25c0006: jmp 0x25c0074
+0x25c0008: mov al, 2
+0x25c000a: jmp 0x25c0074
+0x25c000c: mov al, 3
+0x25c000e: jmp 0x25c0074
+0x25c0010: mov al, 4
+0x25c0012: jmp 0x25c0074
+0x25c0014: mov al, 5
+0x25c0016: jmp 0x25c0074
+0x25c0018: mov al, 6
+0x25c001a: jmp 0x25c0074
+0x25c001c: mov al, 7
+0x25c001e: jmp 0x25c0074
+0x25c0020: mov al, 8
+0x25c0022: jmp 0x25c0074
+0x25c0024: mov al, 9
+0x25c0026: jmp 0x25c0074
+0x25c0028: mov al, 0xa
+0x25c002a: jmp 0x25c0074
+0x25c002c: mov al, 0xb
+0x25c002e: jmp 0x25c0074
+0x25c0030: mov al, 0xc
+0x25c0032: jmp 0x25c0074
+0x25c0034: mov al, 0xd
+0x25c0036: jmp 0x25c0074
+0x25c0038: mov al, 0xe
+0x25c003a: jmp 0x25c0074
+0x25c003c: mov al, 0xf
+0x25c003e: jmp 0x25c0074
+3344 iexplore.exe 0x5fff0000 0x5fffffff VadS PAGE_EXECUTE_READWRITE 16 1 Disabled
+64 74 72 52 00 00 00 00 dtrR....
+20 03 ff 5f 00 00 00 00 ..._....
+00 00 00 00 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+00 00 00 00 00 00 00 00 ........
+0x5fff0000: je 0x5fff0075
+0x5fff0003: push edx
+0x5fff0004: add byte ptr [eax], al
+0x5fff0006: add byte ptr [eax], al
+0x5fff0008: and byte ptr [ebx], al
+0x5fff000a: lcall [edi]
+0x5fff000d: add byte ptr [eax], al
+0x5fff000f: add byte ptr [eax], al
+0x5fff0011: add byte ptr [eax], al
+0x5fff0013: add byte ptr [eax], al
+0x5fff0015: add byte ptr [eax], al
+0x5fff0017: add byte ptr [eax], al
+0x5fff0019: add byte ptr [eax], al
+0x5fff001b: add byte ptr [eax], al
+0x5fff001d: add byte ptr [eax], al
+0x5fff001f: add byte ptr [eax], al
+0x5fff0021: add byte ptr [eax], al
+0x5fff0023: add byte ptr [eax], al
+0x5fff0025: add byte ptr [eax], al
+0x5fff0027: add byte ptr [eax], al
+0x5fff0029: add byte ptr [eax], al
+0x5fff002b: add byte ptr [eax], al
+0x5fff002d: add byte ptr [eax], al
+0x5fff002f: add byte ptr [eax], al
+0x5fff0031: add byte ptr [eax], al
+0x5fff0033: add byte ptr [eax], al
+0x5fff0035: add byte ptr [eax], al
+0x5fff0037: add byte ptr [eax], al
+0x5fff0039: add byte ptr [eax], al
+0x5fff003b: add byte ptr [eax], al
+0x5fff003d: add byte ptr [eax], al
+2700 powershell.exe 0x1100000 0x113ffff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled
+f2 44 93 9f 1e 46 00 01 .D...F..
+ee ff ee ff 00 00 00 00 ........
+a8 00 10 01 a8 00 10 01 ........
+00 00 10 01 00 00 10 01 ........
+40 00 00 00 88 05 10 01 @.......
+00 00 14 01 3f 00 00 00 ....?...
+01 00 00 00 00 00 00 00 ........
+f0 0f 10 01 f0 0f 10 01 ........
+0x1100000: inc esp
+0x1100002: xchg eax, ebx
+0x1100003: lahf
+0x1100004: push ds
+0x1100005: inc esi
+0x1100006: add byte ptr [ecx], al
+0x1100008: out dx, al
+2700 powershell.exe 0x1b10000 0x1b4ffff VadS PAGE_EXECUTE_READWRITE 4 1 Disabled
+fb e8 fc 8b e3 61 00 01 .....a..
+ee ff ee ff 00 00 00 00 ........
+a8 00 b1 01 a8 00 b1 01 ........
+00 00 b1 01 00 00 b1 01 ........
+40 00 00 00 88 05 b1 01 @.......
+00 00 b5 01 3c 00 00 00 ....<...
+01 00 00 00 00 00 00 00 ........
+f0 3f b1 01 f0 3f b1 01 .?...?..
+0x1b10000: sti
+0x1b10001: call 0x63948c02
+0x1b10006: add byte ptr [ecx], al
+0x1b10008: out dx, al
+2700 powershell.exe 0x7ff50000 0x7ff5ffff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled
+00 00 00 00 97 19 00 00 ........
+00 00 00 00 0e 00 00 00 ........
+68 00 00 00 00 e9 b2 38 h......8
+bc 81 68 01 00 00 00 e9 ..h.....
+a8 38 bc 81 68 02 00 00 .8..h...
+00 e9 9e 38 bc 81 68 03 ...8..h.
+00 00 00 e9 94 38 bc 81 .....8..
+68 04 00 00 00 e9 8a 38 h......8
+0x7ff50000: add byte ptr [eax], al
+0x7ff50002: add byte ptr [eax], al
+0x7ff50004: xchg eax, edi
+0x7ff50005: sbb dword ptr [eax], eax
+0x7ff50007: add byte ptr [eax], al
+0x7ff50009: add byte ptr [eax], al
+0x7ff5000b: add byte ptr [esi], cl
+0x7ff5000d: add byte ptr [eax], al
+0x7ff5000f: add byte ptr [eax], ch
+0x7ff50012: add byte ptr [eax], al
+0x7ff50014: add cl, ch
+0x7ff50016: mov dl, 0x38
+0x7ff50018: mov esp, 0x16881
+0x7ff5001d: add byte ptr [eax], al
+0x7ff5001f: jmp 0x1b138cc
+0x7ff50024: push 2
+0x7ff50029: jmp 0x1b138cc
+0x7ff5002e: push 3
+0x7ff50033: jmp 0x1b138cc
+0x7ff50038: push 4
+2700 powershell.exe 0x7ff60000 0x7ffaffff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled
+ec ff ff ff 04 00 00 00 ........
+01 00 00 00 00 00 08 01 ........
+1c 00 00 00 15 00 0e 00 ........
+0e 00 00 00 64 09 ab 6a ....d..j
+00 10 84 6a 5c 70 86 6a ...j\p.j
+2c 30 84 6a 00 00 00 00 ,0.j....
+00 00 00 00 10 00 f5 7f ........
+1a 00 f5 7f 24 00 f5 7f ....$...
+0x7ff60000: in al, dx