From 8c860199de05a7d811756862384f52401ebc66d1 Mon Sep 17 00:00:00 2001
From: eladyesh <102996033+eladyesh@users.noreply.github.com>
Date: Fri, 16 Jun 2023 10:12:50 +0300
Subject: [PATCH] Create log_python.txt
---
python_logs/log_python.txt | 91 ++++++++++++++++++++++++++++++++++++++
1 file changed, 91 insertions(+)
create mode 100644 python_logs/log_python.txt
diff --git a/python_logs/log_python.txt b/python_logs/log_python.txt
new file mode 100644
index 0000000..2b03555
--- /dev/null
+++ b/python_logs/log_python.txt
@@ -0,0 +1,91 @@
+Variable name: value
+Library name: winsock
+Function name: socket
+Parameters: 2, 1, 6
+
+Library name: winsock
+Function name: getaddrinfo
+Parameters: target, None, None, ctypes.byref(address)
+
+Library name: winsock
+Function name: closesocket
+Parameters: s
+
+Variable name: result
+Library name: winsock
+Function name: connect
+Parameters: s, address, ctypes.sizeof(address), port
+
+==============PORT SCANNING==============
+Trying to scan through ports [78, 79, 80]
+Trying to connect to website ctypes.create_string_buffer(b'google.com\x00')
+==============PORT SCANNING==============
+
+==============REGISTRY CHANGE==============
+Trying to add or change key 'Sotware\\Microsot\\Windows\\CurrentVersion\\RunOnce'
+Trying to add key 'open\\command'
+Trying to set key to 'C:\\Users\\IEUser\\Desktop\\research\\2023-01-20-malware-pers-21\\hack.exe'.encode('utf-8')
+==============REGISTRY CHANGE==============
+
+Variable name: 
+Library name: advapi32
+Function name: RegCloseKey
+Parameters: hkey
+
+Variable name: res
+Library name: advapi32
+Function name: RegSetValueExW
+Parameters: hkR, None, 0, 1, exe, len(exe)
+
+Variable name: file_handle
+Library name: kernel32
+Function name: CreateFileA
+Parameters: 'example.txt'.encode('ascii'), GENERIC_ALL, 0, None, CREATE_NEW, FILE_ATTRIBUTE_NORMAL, None
+
+Variable name: res
+Library name: advapi32
+Function name: RegCreateKeyExW
+Parameters: hkey, 'open\\command', 0, None, 0, 983103, None, ctypes.byref(hkR), None
+
+Variable name: hProcess
+Library name: kernel32
+Function name: OpenProcess
+Parameters: ctypes.c_int(2035711), False, ctypes.c_int(pid)
+
+Variable name: 
+Library name: kernel32
+Function name: CloseHandle
+Parameters: hProcess
+
+Variable name: 
+Library name: kernel32
+Function name: Sleep
+Parameters: 3000
+
+Variable name: res
+Library name: advapi32
+Function name: RegOpenKeyExW
+Parameters: ctypes.c_uint32(8), shell, 0, 131097, ctypes.byref(hkey)
+
+Variable name: 
+Library name: advapi32
+Function name: RegCloseKey
+Parameters: hkR
+
+Variable name: address
+Library name: kernel32
+Function name: VirtualAllocEx
+Parameters: hProcess, None, ctypes.c_int(len(data)), ctypes.c_int(4096), ctypes.c_int(64)
+
+Variable name: 
+Library name: kernel32
+Function name: WriteProcessMemory
+Parameters: hProcess, address, data, ctypes.c_int(len(data)), None
+
+==============INJECTION==============
+Found Injection to process: python.exe
+PID: 16600
+Parent PID: 16600
+The data being injected: binascii.unhexlify('b80a000000c3')
+==============INJECTION==============
+
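Review bot: The INJECTION block reports `Parent PID: 16600` identical to `PID: 16600`, which is not a valid parent/child relation and suggests the tool that produced this log wrote the target's own PID into the parent field; if this log is meant as reference output for the analyzer, that should be verified before it is relied on. The REGISTRY CHANGE block flags a write under `'Sotware\\Microsot\\Windows\\CurrentVersion\\RunOnce'`, a misspelled path that Windows would not treat as the RunOnce key, so the logged persistence attempt would presumably not take effect even though it is reported as one; noting that in the log (or in a README next to it) would stop a reader from treating it as working persistence. The log also embeds an absolute local path with a username (`C:\\Users\\IEUser\\Desktop\\research\\...\\hack.exe`) and a concrete PID, which is fine for a lab artifact but worth scrubbing if this directory is meant to hold shareable samples.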