aaron/htb-santa-ctf
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
f739c09cc4bfce0ea66b21d52ee11c87e6887fd7
htb-santa-ctf/forensics/honeypot/win_malware
aaron c8936555c9 add malware scan
2021-12-02 23:04:51 +01:00

413 lines
13 KiB
Plaintext
Raw Blame History

Volatility 3 Framework 1.0.1
PID Process Start VPN End VPN Tag Protection CommitCharge PrivateMemory File output Hexdump Disasm
1556 explorer.exe 0x3130000 0x3130fff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 13 03 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
10 00 13 03 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
20 00 13 03 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
0x3130000: add byte ptr [eax], al
0x3130002: add byte ptr [eax], al
0x3130004: add byte ptr [eax], al
0x3130006: add byte ptr [eax], al
0x3130008: add byte ptr [eax], al
0x313000a: add byte ptr [eax], al
0x313000c: add byte ptr [eax], al
0x313000e: add byte ptr [eax], al
0x3130010: add byte ptr [eax], al
0x3130012: adc eax, dword ptr [ebx]
0x3130014: add byte ptr [eax], al
0x3130016: add byte ptr [eax], al
0x3130018: add byte ptr [eax], al
0x313001a: add byte ptr [eax], al
0x313001c: add byte ptr [eax], al
0x313001e: add byte ptr [eax], al
0x3130020: adc byte ptr [eax], al
0x3130022: adc eax, dword ptr [ebx]
0x3130024: add byte ptr [eax], al
0x3130026: add byte ptr [eax], al
0x3130028: add byte ptr [eax], al
0x313002a: add byte ptr [eax], al
0x313002c: add byte ptr [eax], al
0x313002e: add byte ptr [eax], al
0x3130030: and byte ptr [eax], al
0x3130032: adc eax, dword ptr [ebx]
0x3130034: add byte ptr [eax], al
0x3130036: add byte ptr [eax], al
0x3130038: add byte ptr [eax], al
0x313003a: add byte ptr [eax], al
0x313003c: add byte ptr [eax], al
0x313003e: add byte ptr [eax], al
2460 SearchFilterHo 0x730000 0x76ffff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled
c5 2f 31 e7 87 c4 00 01 ./1.....
ee ff ee ff 00 00 00 00 ........
a8 00 73 00 a8 00 73 00 ..s...s.
00 00 73 00 00 00 73 00 ..s...s.
40 00 00 00 88 05 73 00 @.....s.
00 00 77 00 3f 00 00 00 ..w.?...
01 00 00 00 00 00 00 00 ........
f0 0f 73 00 f0 0f 73 00 ..s...s.
0x730000: lds ebp, ptr [edi]
0x730002: xor edi, esp
0x730004: xchg esp, eax
0x730006: add byte ptr [ecx], al
0x730008: out dx, al
2856 explorer.exe 0x16e0000 0x16e0fff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 6e 01 00 00 00 00 ..n.....
00 00 00 00 00 00 00 00 ........
10 00 6e 01 00 00 00 00 ..n.....
00 00 00 00 00 00 00 00 ........
20 00 6e 01 00 00 00 00 ..n.....
00 00 00 00 00 00 00 00 ........
0x16e0000: add byte ptr [eax], al
0x16e0002: add byte ptr [eax], al
0x16e0004: add byte ptr [eax], al
0x16e0006: add byte ptr [eax], al
0x16e0008: add byte ptr [eax], al
0x16e000a: add byte ptr [eax], al
0x16e000c: add byte ptr [eax], al
0x16e000e: add byte ptr [eax], al
0x16e0010: add byte ptr [eax], al
0x16e0012: outsb dx, byte ptr [esi]
0x16e0013: add dword ptr [eax], eax
0x16e0015: add byte ptr [eax], al
0x16e0017: add byte ptr [eax], al
0x16e0019: add byte ptr [eax], al
0x16e001b: add byte ptr [eax], al
0x16e001d: add byte ptr [eax], al
0x16e001f: add byte ptr [eax], dl
0x16e0021: add byte ptr [esi + 1], ch
0x16e0024: add byte ptr [eax], al
0x16e0026: add byte ptr [eax], al
0x16e0028: add byte ptr [eax], al
0x16e002a: add byte ptr [eax], al
0x16e002c: add byte ptr [eax], al
0x16e002e: add byte ptr [eax], al
0x16e0030: and byte ptr [eax], al
0x16e0032: outsb dx, byte ptr [esi]
0x16e0033: add dword ptr [eax], eax
0x16e0035: add byte ptr [eax], al
0x16e0037: add byte ptr [eax], al
0x16e0039: add byte ptr [eax], al
0x16e003b: add byte ptr [eax], al
0x16e003d: add byte ptr [eax], al
2856 explorer.exe 0x38d0000 0x38d1fff VadS PAGE_EXECUTE_READWRITE 2 1 Disabled
b0 00 eb 70 b0 01 eb 6c ...p...l
b0 02 eb 68 b0 03 eb 64 ...h...d
b0 04 eb 60 b0 05 eb 5c ...`...\
b0 06 eb 58 b0 07 eb 54 ...X...T
b0 08 eb 50 b0 09 eb 4c ...P...L
b0 0a eb 48 b0 0b eb 44 ...H...D
b0 0c eb 40 b0 0d eb 3c ...@...<
b0 0e eb 38 b0 0f eb 34 ...8...4
0x38d0000: mov al, 0
0x38d0002: jmp 0x38d0074
0x38d0004: mov al, 1
0x38d0006: jmp 0x38d0074
0x38d0008: mov al, 2
0x38d000a: jmp 0x38d0074
0x38d000c: mov al, 3
0x38d000e: jmp 0x38d0074
0x38d0010: mov al, 4
0x38d0012: jmp 0x38d0074
0x38d0014: mov al, 5
0x38d0016: jmp 0x38d0074
0x38d0018: mov al, 6
0x38d001a: jmp 0x38d0074
0x38d001c: mov al, 7
0x38d001e: jmp 0x38d0074
0x38d0020: mov al, 8
0x38d0022: jmp 0x38d0074
0x38d0024: mov al, 9
0x38d0026: jmp 0x38d0074
0x38d0028: mov al, 0xa
0x38d002a: jmp 0x38d0074
0x38d002c: mov al, 0xb
0x38d002e: jmp 0x38d0074
0x38d0030: mov al, 0xc
0x38d0032: jmp 0x38d0074
0x38d0034: mov al, 0xd
0x38d0036: jmp 0x38d0074
0x38d0038: mov al, 0xe
0x38d003a: jmp 0x38d0074
0x38d003c: mov al, 0xf
0x38d003e: jmp 0x38d0074
3324 iexplore.exe 0x1fd0000 0x1fd1fff VadS PAGE_EXECUTE_READWRITE 2 1 Disabled
b0 00 eb 70 b0 01 eb 6c ...p...l
b0 02 eb 68 b0 03 eb 64 ...h...d
b0 04 eb 60 b0 05 eb 5c ...`...\
b0 06 eb 58 b0 07 eb 54 ...X...T
b0 08 eb 50 b0 09 eb 4c ...P...L
b0 0a eb 48 b0 0b eb 44 ...H...D
b0 0c eb 40 b0 0d eb 3c ...@...<
b0 0e eb 38 b0 0f eb 34 ...8...4
0x1fd0000: mov al, 0
0x1fd0002: jmp 0x1fd0074
0x1fd0004: mov al, 1
0x1fd0006: jmp 0x1fd0074
0x1fd0008: mov al, 2
0x1fd000a: jmp 0x1fd0074
0x1fd000c: mov al, 3
0x1fd000e: jmp 0x1fd0074
0x1fd0010: mov al, 4
0x1fd0012: jmp 0x1fd0074
0x1fd0014: mov al, 5
0x1fd0016: jmp 0x1fd0074
0x1fd0018: mov al, 6
0x1fd001a: jmp 0x1fd0074
0x1fd001c: mov al, 7
0x1fd001e: jmp 0x1fd0074
0x1fd0020: mov al, 8
0x1fd0022: jmp 0x1fd0074
0x1fd0024: mov al, 9
0x1fd0026: jmp 0x1fd0074
0x1fd0028: mov al, 0xa
0x1fd002a: jmp 0x1fd0074
0x1fd002c: mov al, 0xb
0x1fd002e: jmp 0x1fd0074
0x1fd0030: mov al, 0xc
0x1fd0032: jmp 0x1fd0074
0x1fd0034: mov al, 0xd
0x1fd0036: jmp 0x1fd0074
0x1fd0038: mov al, 0xe
0x1fd003a: jmp 0x1fd0074
0x1fd003c: mov al, 0xf
0x1fd003e: jmp 0x1fd0074
3324 iexplore.exe 0x3030000 0x3030fff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 03 03 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
10 00 03 03 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
20 00 03 03 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
0x3030000: add byte ptr [eax], al
0x3030002: add byte ptr [eax], al
0x3030004: add byte ptr [eax], al
0x3030006: add byte ptr [eax], al
0x3030008: add byte ptr [eax], al
0x303000a: add byte ptr [eax], al
0x303000c: add byte ptr [eax], al
0x303000e: add byte ptr [eax], al
0x3030010: add byte ptr [eax], al
0x3030012: add eax, dword ptr [ebx]
0x3030014: add byte ptr [eax], al
0x3030016: add byte ptr [eax], al
0x3030018: add byte ptr [eax], al
0x303001a: add byte ptr [eax], al
0x303001c: add byte ptr [eax], al
0x303001e: add byte ptr [eax], al
0x3030020: adc byte ptr [eax], al
0x3030022: add eax, dword ptr [ebx]
0x3030024: add byte ptr [eax], al
0x3030026: add byte ptr [eax], al
0x3030028: add byte ptr [eax], al
0x303002a: add byte ptr [eax], al
0x303002c: add byte ptr [eax], al
0x303002e: add byte ptr [eax], al
0x3030030: and byte ptr [eax], al
0x3030032: add eax, dword ptr [ebx]
0x3030034: add byte ptr [eax], al
0x3030036: add byte ptr [eax], al
0x3030038: add byte ptr [eax], al
0x303003a: add byte ptr [eax], al
0x303003c: add byte ptr [eax], al
0x303003e: add byte ptr [eax], al
3324 iexplore.exe 0x5fff0000 0x5fffffff VadS PAGE_EXECUTE_READWRITE 16 1 Disabled
64 74 72 52 00 00 00 00 dtrR....
00 02 ff 5f 00 00 00 00 ..._....
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
0x5fff0000: je 0x5fff0075
0x5fff0003: push edx
0x5fff0004: add byte ptr [eax], al
0x5fff0006: add byte ptr [eax], al
0x5fff0008: add byte ptr [edx], al
0x5fff000a: lcall [edi]
0x5fff000d: add byte ptr [eax], al
0x5fff000f: add byte ptr [eax], al
0x5fff0011: add byte ptr [eax], al
0x5fff0013: add byte ptr [eax], al
0x5fff0015: add byte ptr [eax], al
0x5fff0017: add byte ptr [eax], al
0x5fff0019: add byte ptr [eax], al
0x5fff001b: add byte ptr [eax], al
0x5fff001d: add byte ptr [eax], al
0x5fff001f: add byte ptr [eax], al
0x5fff0021: add byte ptr [eax], al
0x5fff0023: add byte ptr [eax], al
0x5fff0025: add byte ptr [eax], al
0x5fff0027: add byte ptr [eax], al
0x5fff0029: add byte ptr [eax], al
0x5fff002b: add byte ptr [eax], al
0x5fff002d: add byte ptr [eax], al
0x5fff002f: add byte ptr [eax], al
0x5fff0031: add byte ptr [eax], al
0x5fff0033: add byte ptr [eax], al
0x5fff0035: add byte ptr [eax], al
0x5fff0037: add byte ptr [eax], al
0x5fff0039: add byte ptr [eax], al
0x5fff003b: add byte ptr [eax], al
0x5fff003d: add byte ptr [eax], al
3344 iexplore.exe 0x25c0000 0x25c1fff VadS PAGE_EXECUTE_READWRITE 2 1 Disabled
b0 00 eb 70 b0 01 eb 6c ...p...l
b0 02 eb 68 b0 03 eb 64 ...h...d
b0 04 eb 60 b0 05 eb 5c ...`...\
b0 06 eb 58 b0 07 eb 54 ...X...T
b0 08 eb 50 b0 09 eb 4c ...P...L
b0 0a eb 48 b0 0b eb 44 ...H...D
b0 0c eb 40 b0 0d eb 3c ...@...<
b0 0e eb 38 b0 0f eb 34 ...8...4
0x25c0000: mov al, 0
0x25c0002: jmp 0x25c0074
0x25c0004: mov al, 1
0x25c0006: jmp 0x25c0074
0x25c0008: mov al, 2
0x25c000a: jmp 0x25c0074
0x25c000c: mov al, 3
0x25c000e: jmp 0x25c0074
0x25c0010: mov al, 4
0x25c0012: jmp 0x25c0074
0x25c0014: mov al, 5
0x25c0016: jmp 0x25c0074
0x25c0018: mov al, 6
0x25c001a: jmp 0x25c0074
0x25c001c: mov al, 7
0x25c001e: jmp 0x25c0074
0x25c0020: mov al, 8
0x25c0022: jmp 0x25c0074
0x25c0024: mov al, 9
0x25c0026: jmp 0x25c0074
0x25c0028: mov al, 0xa
0x25c002a: jmp 0x25c0074
0x25c002c: mov al, 0xb
0x25c002e: jmp 0x25c0074
0x25c0030: mov al, 0xc
0x25c0032: jmp 0x25c0074
0x25c0034: mov al, 0xd
0x25c0036: jmp 0x25c0074
0x25c0038: mov al, 0xe
0x25c003a: jmp 0x25c0074
0x25c003c: mov al, 0xf
0x25c003e: jmp 0x25c0074
3344 iexplore.exe 0x5fff0000 0x5fffffff VadS PAGE_EXECUTE_READWRITE 16 1 Disabled
64 74 72 52 00 00 00 00 dtrR....
20 03 ff 5f 00 00 00 00 ..._....
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
0x5fff0000: je 0x5fff0075
0x5fff0003: push edx
0x5fff0004: add byte ptr [eax], al
0x5fff0006: add byte ptr [eax], al
0x5fff0008: and byte ptr [ebx], al
0x5fff000a: lcall [edi]
0x5fff000d: add byte ptr [eax], al
0x5fff000f: add byte ptr [eax], al
0x5fff0011: add byte ptr [eax], al
0x5fff0013: add byte ptr [eax], al
0x5fff0015: add byte ptr [eax], al
0x5fff0017: add byte ptr [eax], al
0x5fff0019: add byte ptr [eax], al
0x5fff001b: add byte ptr [eax], al
0x5fff001d: add byte ptr [eax], al
0x5fff001f: add byte ptr [eax], al
0x5fff0021: add byte ptr [eax], al
0x5fff0023: add byte ptr [eax], al
0x5fff0025: add byte ptr [eax], al
0x5fff0027: add byte ptr [eax], al
0x5fff0029: add byte ptr [eax], al
0x5fff002b: add byte ptr [eax], al
0x5fff002d: add byte ptr [eax], al
0x5fff002f: add byte ptr [eax], al
0x5fff0031: add byte ptr [eax], al
0x5fff0033: add byte ptr [eax], al
0x5fff0035: add byte ptr [eax], al
0x5fff0037: add byte ptr [eax], al
0x5fff0039: add byte ptr [eax], al
0x5fff003b: add byte ptr [eax], al
0x5fff003d: add byte ptr [eax], al
2700 powershell.exe 0x1100000 0x113ffff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled
f2 44 93 9f 1e 46 00 01 .D...F..
ee ff ee ff 00 00 00 00 ........
a8 00 10 01 a8 00 10 01 ........
00 00 10 01 00 00 10 01 ........
40 00 00 00 88 05 10 01 @.......
00 00 14 01 3f 00 00 00 ....?...
01 00 00 00 00 00 00 00 ........
f0 0f 10 01 f0 0f 10 01 ........
0x1100000: inc esp
0x1100002: xchg eax, ebx
0x1100003: lahf
0x1100004: push ds
0x1100005: inc esi
0x1100006: add byte ptr [ecx], al
0x1100008: out dx, al
2700 powershell.exe 0x1b10000 0x1b4ffff VadS PAGE_EXECUTE_READWRITE 4 1 Disabled
fb e8 fc 8b e3 61 00 01 .....a..
ee ff ee ff 00 00 00 00 ........
a8 00 b1 01 a8 00 b1 01 ........
00 00 b1 01 00 00 b1 01 ........
40 00 00 00 88 05 b1 01 @.......
00 00 b5 01 3c 00 00 00 ....<...
01 00 00 00 00 00 00 00 ........
f0 3f b1 01 f0 3f b1 01 .?...?..
0x1b10000: sti
0x1b10001: call 0x63948c02
0x1b10006: add byte ptr [ecx], al
0x1b10008: out dx, al
2700 powershell.exe 0x7ff50000 0x7ff5ffff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled
00 00 00 00 97 19 00 00 ........
00 00 00 00 0e 00 00 00 ........
68 00 00 00 00 e9 b2 38 h......8
bc 81 68 01 00 00 00 e9 ..h.....
a8 38 bc 81 68 02 00 00 .8..h...
00 e9 9e 38 bc 81 68 03 ...8..h.
00 00 00 e9 94 38 bc 81 .....8..
68 04 00 00 00 e9 8a 38 h......8
0x7ff50000: add byte ptr [eax], al
0x7ff50002: add byte ptr [eax], al
0x7ff50004: xchg eax, edi
0x7ff50005: sbb dword ptr [eax], eax
0x7ff50007: add byte ptr [eax], al
0x7ff50009: add byte ptr [eax], al
0x7ff5000b: add byte ptr [esi], cl
0x7ff5000d: add byte ptr [eax], al
0x7ff5000f: add byte ptr [eax], ch
0x7ff50012: add byte ptr [eax], al
0x7ff50014: add cl, ch
0x7ff50016: mov dl, 0x38
0x7ff50018: mov esp, 0x16881
0x7ff5001d: add byte ptr [eax], al
0x7ff5001f: jmp 0x1b138cc
0x7ff50024: push 2
0x7ff50029: jmp 0x1b138cc
0x7ff5002e: push 3
0x7ff50033: jmp 0x1b138cc
0x7ff50038: push 4
2700 powershell.exe 0x7ff60000 0x7ffaffff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled
ec ff ff ff 04 00 00 00 ........
01 00 00 00 00 00 08 01 ........
1c 00 00 00 15 00 0e 00 ........
0e 00 00 00 64 09 ab 6a ....d..j
00 10 84 6a 5c 70 86 6a ...j\p.j
2c 30 84 6a 00 00 00 00 ,0.j....
00 00 00 00 10 00 f5 7f ........
1a 00 f5 7f 24 00 f5 7f ....$...
0x7ff60000: in al, dx
Reference in New Issue View Git Blame Copy Permalink