Joe Sandbox - Abstract Analysis File
16198
Generated with Joe Sandbox 6.0.2
General information | |
Start time: | 19:43:47 |
Start date: | 02/07/2012 |
Overall analysis duration: | 0h 1m 40s |
Sample file name: | explorerprotect.sys |
Cookbook file name: | default.jbs |
Analysis system description: | XP SP3 (Office 2003 SP2, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8) |
Number of new started processes analysed: | 0 |
Number of new started drivers analysed: | 1 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Errors: |
Classification / Threat Score | |
Persistence, Installation, Boot Survival: | |
Hiding, Stealthiness, Detection and Removal Protection: | |
Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection: | |
Spreading: | |
Exploiting: | |
Networking: | |
Data spying, Sniffing, Keylogging, Ebanking Fraud: | |
Signature Detections | |
Static File Information
General Information | |
File name: | explorerprotect.sys |
File size: | 4736 |
MD5: | ceb8e116ce430ba5a9a84bf7c1bee099 |
SHA1: | 46b260d339648657c2013f2ffa34cb833530a083 |
SHA256: | ccd92524f93bb4b0c70de5d9bb889681ad4192951fb902fccbd879606d50d26e |
File type: | PE32 executable for MS Windows (native) Intel 80386 32-bit |
PE Information | |
String Analysis
Debug symbol paths | |
String value | Source |
k:\joesec~1\projects\joebox\trunk\src\windows\kernel~1\joebox~1\build\i386\explorerprotect.pdb | explorerprotect.sys |
Analysis Overview
Startup | |
Global Network Data
Hooks
SSDT | |
Function Name | New Address |
NtWriteVirtualMemory | FB0E6610 |
NtCreateThread | FB0E6650 |
IRP Handler | |||
Handler Function | Driver | Address | Type |
IRP_MJ_SET_VOLUME_INFORMATION | \Driver\zhnPdBIMcN | 804F355A | new |
IRP_MJ_QUERY_QUOTA | \Driver\zhnPdBIMcN | 804F355A | new |
IRP_MJ_PNP | \Driver\zhnPdBIMcN | 804F355A | new |
IRP_MJ_CREATE_MAILSLOT | \Driver\zhnPdBIMcN | 804F355A | new |
IRP_MJ_POWER | \Driver\zhnPdBIMcN | 804F355A | new |
IRP_MJ_DEVICE_CONTROL | \Driver\zhnPdBIMcN | 804F355A | new |
IRP_MJ_READ | \Driver\zhnPdBIMcN | 804F355A | new |
IRP_MJ_DIRECTORY_CONTROL | \Driver\zhnPdBIMcN | 804F355A | new |
IRP_MJ_QUERY_VOLUME_INFORMATION | \Driver\zhnPdBIMcN | 804F355A | new |
IRP_MJ_SET_SECURITY | \Driver\zhnPdBIMcN | 804F355A | new |
IRP_MJ_WRITE | \Driver\zhnPdBIMcN | 804F355A | new |
IRP_MJ_LOCK_CONTROL | \Driver\zhnPdBIMcN | 804F355A | new |
IRP_MJ_CLEANUP | \Driver\zhnPdBIMcN | 804F355A | new |
IRP_MJ_CLOSE | \Driver\zhnPdBIMcN | 804F355A | new |
IRP_MJ_INTERNAL_DEVICE_CONTROL | \Driver\zhnPdBIMcN | 804F355A | new |
IRP_MJ_CREATE | \Driver\zhnPdBIMcN | 804F355A | new |
IRP_MJ_CREATE_NAMED_PIPE | \Driver\zhnPdBIMcN | 804F355A | new |
IRP_MJ_SET_INFORMATION | \Driver\zhnPdBIMcN | 804F355A | new |
IRP_MJ_DEVICE_CHANGE | \Driver\zhnPdBIMcN | 804F355A | new |
IRP_MJ_QUERY_EA | \Driver\zhnPdBIMcN | 804F355A | new |
IRP_MJ_FILE_SYSTEM_CONTROL | \Driver\zhnPdBIMcN | 804F355A | new |
IRP_MJ_FLUSH_BUFFERS | \Driver\zhnPdBIMcN | 804F355A | new |
IRP_MJ_SET_EA | \Driver\zhnPdBIMcN | 804F355A | new |
IRP_MJ_SYSTEM_CONTROL | \Driver\zhnPdBIMcN | 804F355A | new |
IRP_MJ_QUERY_SECURITY | \Driver\zhnPdBIMcN | 804F355A | new |
IRP_MJ_SET_QUOTA | \Driver\zhnPdBIMcN | 804F355A | new |
IRP_MJ_QUERY_INFORMATION | \Driver\zhnPdBIMcN | 804F355A | new |
IRP_MJ_SHUTDOWN | \Driver\zhnPdBIMcN | 804F355A | new |
Sections | |
File Activities: | |
Section Activities: | |
Registry Activities: | |
Chronological sections | |
Operation | Data | Completion | Time |
Key value queried | Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\zhnPdBIMcN\Enum Name: Count | success or wait | 545166383 |
Key value queried | Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ZHNPDBIMCN\0000 Name: ConfigFlags | success or wait | 545168088 |
Key value set | Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ZHNPDBIMCN\0000\Control Name: ActiveService Type: unicode Data: zhnPdBIMcN Old data: | success or wait | 545171099 |
Key value queried | Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\zhnPdBIMcN Name: ImagePath | buffer overflow | 545171995 |
Key value queried | Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\zhnPdBIMcN Name: ImagePath | success or wait | 545172480 |
File opened | Path: C:\WINDOWS\AppPatch\drvmain.sdb Access: generic read Options: no options Overwritten: false | success or wait | 545172986 |
Section loaded | Path: C:\WINDOWS\AppPatch\drvmain.sdb Access: read Type: commit Baseaddress: 40000 Size: 12288 Protection: readonly Mapped to pid: own pid | success or wait | 545173832 |