File: input_file.bin
| Field | Value |
|---|---|
| Parser | FooParser |
| File Path | C:/input_file.bin |
| Description | SuperMalware Implant |
| Architecture | |
| MD5 | 1e50210a0202497fb79bc38b6ade6c34 |
| SHA1 | baf34551fecb48acc3da868eb85e1b6dac9de356 |
| SHA256 | 1307990e6ba5ca145eb35e99182a9bec46531bc54ddf656a602c780fa0240dee |
| Compile Time | |
Alphabet
| Alphabet | Base |
|---|---|
| 0123456789ABCDEF | 16 |
| ABCDEFGHIJKLMNOPQRSTUVWXYZ234567= | 32 |
| ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/= | 64 |
Credential
| Username | Password |
|---|---|
| admin | 123456 |
| mruser | |
| | secrets |
| admin | pass |
Decoded String
| Value | Key | Algorithm |
|---|---|---|
| GetProcess | | |
| badstring | 0xffff | xor |
Email Address
Encryption Key
| Key | Algorithm | Mode | Iv |
|---|---|---|---|
| 0x68656c6c6f ("hello") | rc4 | | |
| 0xffffffff | aes | ecb | 0x00000000 |
| 0xffff | xor | | |
Event
Injection Process
Interval
Mission ID
Mutex
Path
| Path | Directory Path | Name | Is Dir |
|---|---|---|---|
| C:\windows\temp\1\log\keydb.txt | C:\windows\temp\1\log | keydb.txt | False |
| %APPDATA%\foo | %APPDATA% | foo | True |
| C:\foo\bar.txt | C:\foo | bar.txt | False |
| | | malware.exe | False |
| %System%\svohost.exe | %System% | svohost.exe | False |
Pipe
RSA Private Key
| Value |
|---|
| Modulus (n): 187 (0xbb); Public Exponent (e): 7 (0x7); Private Exponent (d): 23 (0x17); p: 17 (0x11); q: 11 (0xb); d mod (p-1): 7 (0x7); d mod (q-1): 3 (0x3); (inverse of q) mod p: 14 (0xe) |
RSA Public Key
| Value |
|---|
| Modulus (n): 187 (0xbb); Public Exponent (e): 7 (0x7) |
Registry
| Tags | Path | Key | Value | Data |
|---|---|---|---|---|
| | HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater | HKLM\Software\Microsoft\Windows\CurrentVersion\Run | Updater | c:\update.exe |
| | | HKLM\Foo\Bar | | |
| tag2 | | | Baz | |
Service
| Name | Display Name | Description | Image |
|---|---|---|---|
| WindowsUserManagement | Windows User Management | Provides a common management to access information about windows user. | %System%\svohost.exe |
Socket
| Address | Port | Network Protocol | Listen |
|---|---|---|---|
| bad.com | 21 | tcp | |
| | 1635 | udp | |
| | 4568 | tcp | True |
| 10.11.10.13 | 443 | | |
| 192.168.1.1 | 80 | tcp | |
| badhost.com | 21 | | |
URL
| Tags | Url | Address | Port | Path | Application Protocol | Network Protocol | Username | Password |
|---|---|---|---|---|---|---|---|---|
| | https://10.11.10.13:443/images/baner.jpg | 10.11.10.13 | 443 | /images/baner.jpg | https | | | |
| proxy | | 192.168.1.1 | 80 | | | tcp | admin | pass |
| | ftp://badhost.com:21 | badhost.com | 21 | | ftp | | admin | pass |
UUID
| Value |
|---|
| 654e5cff-817c-4e3d-8b01-47a6f45ae09a |
User Agent
| Value |
|---|
| Mozilla/4.0 (compatible; MISE 6.0; Windows NT 5.2) |
Version
Miscellaneous
| Tags | Key | Value |
|---|---|---|
| | misc_info | some miscellaneous info |
| | random_data | b'\xde\xad\xbe\xef' |
| | keylogger | True |
| tag1 | misc_integer | 432 |
Residual Files
| Filename | Description | MD5 | Arch | Compile Time |
|---|---|---|---|---|
| config.xml | Extracted backdoor Foo config file | 8c41f2802904e53469390845cfeb2b28 | | |
File Tree
<input_file.bin (1e50210a0202497fb79bc38b6ade6c34) : SuperMalware Implant>