Hey all.
Got a naughty email sent with malicious links, so I ran it in my
sendbox and got an image. I'm trying to locate the injected code:
Offset(V) Name PID PPID Thds Hnds Sess
Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------
------ -------------------- --------------------
0x89e23830 System 4 0 76 206 ------
0
0x89c207e8 smss.exe 640 4 3 19 ------
0 2013-02-27 22:05:55
0x89c093e0 csrss.exe 712 640 11 369 0
0 2013-02-27 22:05:59
0x89c0ab10 winlogon.exe 748 640 18 516 0
0 2013-02-27 22:06:04
0x89b72020 services.exe 792 748 16 277 0
0 2013-02-27 22:06:05
0x89bc9980 lsass.exe 804 748 18 370 0
0 2013-02-27 22:06:05
0x89d74da0 nvsvc32.exe 996 792 4 200 0
0 2013-02-27 22:06:05
0x89c067e8 svchost.exe 1056 792 19 199 0
0 2013-02-27 22:06:05
0x894dbda0 svchost.exe 1124 792 11 243 0
0 2013-02-27 22:06:05
0x894e8638 svchost.exe 1260 792 69 1188 0
0 2013-02-27 22:06:06
0x89d7a360 svchost.exe 1308 792 6 77 0
0 2013-02-27 22:06:06
0x894fa3e0 svchost.exe 1392 792 4 81 0
0 2013-02-27 22:06:06
0x89cd4c08 explorer.exe 1676 1632 23 529 0
0 2013-02-27 22:06:06
0x89af39e0 rundll32.exe 1760 1676 4 116 0
0 2013-02-27 22:06:06
0x89bdb1d0 Bootcamp.exe 1768 1676 5 246 0
0 2013-02-27 22:06:06
0x89ba7558 RTHDCPL.EXE 1788 1676 4 197 0
0 2013-02-27 22:06:06
0x89bf8c10 rundll32.exe 1800 1676 1 88 0
0 2013-02-27 22:06:06
0x89b78da0 ctfmon.exe 1828 1676 3 145 0
0 2013-02-27 22:06:06
0x89b8e620 svchost.exe 668 792 4 107 0
0 2013-02-27 22:06:17
0x89c0dc10 AppleOSSMgr.exe 716 792 3 39 0
0 2013-02-27 22:06:17
0x89ac32c8 AppleTimeSrv.ex 872 792 1 44 0
0 2013-02-27 22:06:17
0x89aca958 svchost.exe 1088 792 4 86 0
0 2013-02-27 22:06:17
0x89ad7c18 svchost.exe 1304 792 8 141 0
0 2013-02-27 22:06:17
0x89397918 wmiprvse.exe 1896 1056 6 140 0
0 2013-02-27 15:06:42
0x89152020 qegyas.exe 2364 2236 0 -------- 0
0 2013-02-27 15:08:35 2013-02-27 15:08:44
0x89160558 rundll32.exe 3032 1260 0 -------- 0
0 2013-02-27 15:08:49 2013-02-27 15:08:49
0x89399638 ntvdm.exe 3992 1676 0 -------- 0
0 2013-02-27 15:09:42 2013-02-27 15:09:43
0x8951f020 rundll32.exe 4016 1260 0 -------- 0
0 2013-02-27 15:13:51 2013-02-27 15:13:51
0x890fb648 DumpIt.exe 3720 1676 0 -------- 0
0 2013-02-27 15:13:59 2013-02-27 15:14:01
0x89124da0 DumpIt.exe 368 1676 2 68 0
0 2013-02-27 15:14:22
malfind shows the following:
Process: csrss.exe Pid: 712 Address: 0x7f6f0000
Process: explorer.exe Pid: 1676 Address: 0x3d920000
Process: explorer.exe Pid: 1676 Address: 0x23f0000
Process: rundll32.exe Pid: 1760 Address: 0xb30000
Process: rundll32.exe Pid: 1760 Address: 0x3d920000
Process: Bootcamp.exe Pid: 1768 Address: 0x10c0000
Process: Bootcamp.exe Pid: 1768 Address: 0x3d920000
Process: RTHDCPL.EXE Pid: 1788 Address: 0x1bd0000
Process: RTHDCPL.EXE Pid: 1788 Address: 0x4af0000
Process: RTHDCPL.EXE Pid: 1788 Address: 0x3d920000
Process: rundll32.exe Pid: 1800 Address: 0xda0000
Process: rundll32.exe Pid: 1800 Address: 0x3d920000
Process: ctfmon.exe Pid: 1828 Address: 0xeb0000
Process: ctfmon.exe Pid: 1828 Address: 0x3d920000
Process: DumpIt.exe Pid: 368 Address: 0x130000
Process: DumpIt.exe Pid: 368 Address: 0x6fff0000
Just how would I go about seeing the injected code? Thanks for the
assist.
James
Show replies by date