6f8393d4e1d0c9b23a44bc1c04633bcd

From aldeid
Jump to: navigation, search

Description

Summary

Incomplete.png
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Identification

MD5 6f8393d4e1d0c9b23a44bc1c04633bcd
SHA1 4a644dc1036aaf9ffe56d9802a3abd671509f307
SHA256 a6dd12e7a4fdd679b4a165bb9a9f0e7ef11514d828996484498b73d6e4835082
ssdeep 768:A/0skGip8rQbJ9kX1owiZwTQyeg5KZvHO0QcoN52A:xs30bzrwUyeg5KZvroz2A
imphash 723e05b1ed716ac47dc010aba61abbb0
File size 44.0 KB ( 45056 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (console) Intel 80386 32-bit

Antivirus detection

Antivirus Result Update
AVG Generic_c.VPG 20140225
Ad-Aware Application.Sniffer.Ksniff.A 20140225
Agnitum Sniffer.Ksniff!9m6V8ar2qT8 20140225
AhnLab-V3 Win-Trojan/Ksniff.45056 20140225
AntiVir TR/Sniffer.Ksniff 20140225
Antiy-AVL HackTool/Win32.Ksniff 20140225
Avast Win32:Trojan-gen 20140225
Baidu-International HackTool.Win32.Sniffer.aqI 20140225
BitDefender Application.Sniffer.Ksniff.A 20140225
Bkav W32.Clod677.Trojan.aa8f 20140225
CMC Generic.Win32.6f8393d4e1!MD 20140220
ClamAV Trojan.Ksniff 20140225
Commtouch W32/Sniffer.QCQO-8999 20140225
Comodo ApplicUnsaf.Win32.HackTool.Sniffer.Ksniff 20140225
DrWeb Win32.HLLW.Billy 20140225
F-Prot W32/Sniffer.H 20140225
F-Secure Application.Sniffer.Ksniff 20140225
Fortinet W32/Ksniff!tr 20140225
GData Application.Sniffer.Ksniff.A 20140225
Jiangmin Sniffer.Ksniff 20140225
K7AntiVirus Riskware ( a9dcac7a0 ) 20140225
K7GW Riskware ( 0040eff71 ) 20140225
Kaspersky HackTool.Win32.Sniffer.Ksniff 20140225
Kingsoft Win32.Hack.Ksniffer.(kcloud) 20140225
McAfee Artemis!6F8393D4E1D0 20140225
McAfee-GW-Edition Artemis!6F8393D4E1D0 20140225
MicroWorld-eScan Application.Sniffer.Ksniff.A 20140225
Microsoft Trojan:Win32/Ksniff.A 20140225
NANO-Antivirus Riskware.Win32.Sniffer.hrkb 20140225
Norman Suspicious_Gen2.NZYPT 20140224
Panda Trj/Spy.C 20140225
Rising PE:Trojan.Win32.Generic.122E2704!305014532 20140225
Sophos Mal/Generic-S 20140225
Symantec Trojan Horse 20140225
TheHacker Trojan/Hacktool.Sniffer.ksniff 20140224
TrendMicro HKTL_KSNIFF.A 20140225
TrendMicro-HouseCall HKTL_KSNIFF.A 20140225
VIPRE Sniffer.Win32.Ksniff (not malicious) 20140225
ViRobot Trojan.Win32.Sniffer.45056 20140225
nProtect Trojan/W32.HackTool.45056.BF 20140225
ByteHero 20140225
CAT-QuickHeal 20140225
ESET-NOD32 20140225
Emsisoft 20140225
Ikarus 20140225
Malwarebytes 20140225
Qihoo-360 20140225
SUPERAntiSpyware 20140225
TotalDefense 20140225
VBA32 20140225

Usage

Syntax

Usage: rksniffer.exe [options]

Options

 -l                    list all active adapters on the machine
 -i [adapter]          select adapter
 -s [port]             source port for filtering received packets
 -d [port]             destination port for filtering received packets
 -o [file]             print results in file or in stdout if not specified
 -c [count]            snif [count] packets
 -a                    display packet content in ASCII format
 -x                    display packet content in hex format
 -X                    display packet content in hex and ASCII format
 -t                    display time information
 -h                    display this help

Example

List available adapters

C:\tools>rksniffer.exe -l
Adapter 0 -> 192.168.102.129

Sniff

C:\tools>rksniffer.exe -i "Adapter 0" -X -t -o output.txt
29 packet(s) received.
CTRL-C, Exiting...

View output file

C:\tools>more output.txt
08:59:15 UDP 192.168.102.129:1027 > 192.168.102.128:53 id 145 ttl 128 tos 0 len
56 udplen 36

DATAS
[HEX & ASCII]
00000000 45 00 00 38 00 91 00 00 80 11 eb d1 c0 a8 66 81 E..8..........f.
00000010 c0 a8 66 80 04 03 00 35 00 24 7a f3 1e 6f 01 00 ..f....5.$z..o..
00000020 00 01 00 00 00 00 00 00 06 67 6f 6f 67 6c 65 03 .........google.
00000030 63 6f 6d 00 00 01 00 01                         com.....

▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒

08:59:15 ICMP 192.168.102.128 > 192.168.102.129 destination unreachable(Port unreachable) id 22155 ttl 64 tos 192 len 84

DATAS
[HEX & ASCII]
00000000 45 c0 00 54 56 8b 00 00 40 01 d5 0b c0 a8 66 80 [email protected]
00000010 c0 a8 66 81 03 03 4b 85 00 00 00 00 45 00 00 38 ..f...K.....E..8
00000020 00 91 00 00 80 11 eb d1 c0 a8 66 81 c0 a8 66 80 ..........f...f.
00000030 04 03 00 35 00 24 7a f3 1e 6f 01 00 00 01 00 00 ...5.$z..o......
00000040 00 00 00 00 06 67 6f 6f 67 6c 65 03 63 6f 6d 00 .....google.com.
00000050 00 01 00 01                                     ....

Dynamic analysis

Incomplete.png
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Static analysis

Sections

Name       VirtAddr     VirtSize     RawSize      Entropy     
--------------------------------------------------------------------------------
.text      0x1000       0x6f54       0x7000       6.636845    
.rdata     0x8000       0xa2e        0x1000       3.940224    
.data      0x9000       0x2c44       0x2000       3.557306

IAT

KERNEL32.dll

  • GetLastError
  • HeapFree
  • GetStdHandle
  • LCMapStringW
  • SetHandleCount
  • GetOEMCP
  • LCMapStringA
  • HeapDestroy
  • HeapAlloc
  • SetConsoleTextAttribute
  • GetEnvironmentStringsW
  • FlushFileBuffers
  • LoadLibraryA
  • RtlUnwind
  • GetModuleFileNameA
  • GetLocalTime
  • FreeEnvironmentStringsA
  • GetCurrentProcess
  • GetEnvironmentStrings
  • SetConsoleCtrlHandler
  • GetCPInfo
  • UnhandledExceptionFilter
  • MultiByteToWideChar
  • FreeEnvironmentStringsW
  • GetCommandLineA
  • GetProcAddress
  • GetConsoleScreenBufferInfo
  • GetFileType
  • SetStdHandle
  • CompareStringW
  • WideCharToMultiByte
  • GetStringTypeA
  • SetFilePointer
  • ReadFile
  • WriteFile
  • GetStartupInfoA
  • SetConsoleTitleA
  • CloseHandle
  • GetComputerNameA
  • GetACP
  • HeapReAlloc
  • GetStringTypeW
  • SetEnvironmentVariableA
  • TerminateProcess
  • HeapCreate
  • VirtualFree
  • FormatMessageA
  • SetEndOfFile
  • CreateFileA
  • ExitProcess
  • GetVersion
  • VirtualAlloc
  • CompareStringA

WS2_32.dll

  • WSAStartup
  • WSASocketA
  • socket
  • bind
  • recvfrom
  • gethostbyname
  • ntohs
  • WSAIoctl
  • inet_ntoa
  • htons
  • closesocket
  • WSAGetLastError

Strings

QPPh
PWhP
PPPj
XSVWj ^3
YY_^]
YY_^[]
QQSVW
QPShL
CY;]
YY_^[
QQSVW
YY_^[
SVWj
SVWj
SVWj
_^[]
SVWj
tYhX
-t09]
tG9U
X_^[
^QQSUVW3
hh#@
j4UV
HHtSHt
t"Ht
Y_^][YY
9^(u&
9^(u
9^ t
9^$u
u	VW
YY9^ u	VW
YY9^$u	VW
YY9^
9^ t
9^$u
YY9^
9^ t
9^$u+
t	VW
YY9^ u
t	VW
YY9^$u
t	VW
YY9^
9^ t
9^$u
Y_^3
Yu!j
^_[3
GIt#
t&:a
<8=u
_9=(
YYh(
SUVW
_^][
[email protected]
NNtS
t-NuT
~&WP
SVW3
F;[email protected]
X_[^
HHtpHHtl
 Yt	f
RPWV
DSUVWh
_^][
u+Vj
^[email protected]
F;[email protected]
j?I_
u	9}
ulSj
uY;]
pD#U
j #M
j?^;
X_^[
_WPS
QSUV
WWWWj
t/WWUPj
_^][Y
SUVW
_^][
QQSV
btHHt.
SUV3
_^][
t9UW
?=t"U
QQS3
PSSW
8"uD
8"[email protected]
8"u,
@@f9
@@f9
[email protected]
t#SSUP
t$$VSS
_^][YY
SVWUj
]_^[
h$]@
t.;t$$t(
VC20XC00U
SVWU
tEVU
t3x<
]_^[
VWss
0SVW
[email protected]
PWPSS
PWPSS
9] u
t	9]
tySS
t-VW
90tr
0B=H
[email protected]
t7SW
    
@AA;
QQSVW3
tUj=
[email protected]
uT9}
8<=t
^][_
t-Ht!Ht
5t.;
PVh|
VWuBh
tzVS
GIt%
t/Ku
uFWWj
"WWSh|
9} u
E WW
tMWWS
[email protected]}
VSh 
wDVSU
_^][
@}>j
W;5 
 (8PX
700WP
`h````
ppxxxx
(null)
runtime error 
TLOSS error
SING error
DOMAIN error
R6028
- unable to initialize heap
R6027
- not enough space for lowio initialization
R6026
- not enough space for stdio initialization
R6025
- pure virtual function call
R6024
- not enough space for _onexit/atexit table
R6019
- unable to open console device
R6018
- unexpected heap error
R6017
- unexpected multithread lock error
R6016
- not enough space for thread data
abnormal program termination
R6009
- not enough space for environment
R6008
- not enough space for arguments
R6002
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program: 
<program name unknown>
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
GetComputerNameA
SetConsoleTextAttribute
GetConsoleScreenBufferInfo
GetStdHandle
GetLocalTime
FormatMessageA
GetLastError
SetConsoleTitleA
KERNEL32.dll
WSAIoctl
WSASocketA
WS2_32.dll
HeapFree
HeapAlloc
ExitProcess
TerminateProcess
GetCurrentProcess
SetConsoleCtrlHandler
GetCommandLineA
GetVersion
SetHandleCount
GetFileType
GetStartupInfoA
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
HeapReAlloc
WideCharToMultiByte
CloseHandle
UnhandledExceptionFilter
FlushFileBuffers
WriteFile
GetModuleFileNameA
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetEnvironmentStrings
GetEnvironmentStringsW
RtlUnwind
SetFilePointer
MultiByteToWideChar
GetCPInfo
CompareStringA
CompareStringW
GetACP
GetOEMCP
SetEnvironmentVariableA
SetStdHandle
CreateFileA
GetStringTypeA
GetStringTypeW
GetProcAddress
LoadLibraryA
LCMapStringA
LCMapStringW
SetEndOfFile
ReadFile
WSAIoctl(), %s
socket(), %s
Adapter %d -> %s
Error: This box doesn't have any adapter.
Exiting...
Required option missing
IP header bad
TTL equals 0 during reassembly
TTL equals 0 during transit
Redirect for TOS and host
Redirect for TOS and network
Redirect for host
Redirect for network
Precedence cutoff in effect
Host precedence violation
Communication administratively filtered
Host unreachable for TOS
Network unreachable for TOS
Host administratively prohibited
Network administratively prohibited
Source host isolated
Destination host unknown
Destination network unknown
Source route failed
Fragmentation needed
Port unreachable
Protocol unreachable
Host unreachable
Network unreachable
recvfrom failed: %d
bind(), %s
GetAdapter(), %s
gethostbyname(), %s
GetComputerName(), %s
unknown icmp (obsolete or malformed?)
address mask reply
address mask request
information reply
information request
timestamp reply
timestamp request
(unknown - error?)
(%s)
parameter problem
(%s)
ttl exceeded
router solicitation
mobile ip advertisement
router advertisement
echo request
redirect
source quench (flow control)
destination unreachable
echo reply
%02x 
[HEX]
%08x 
%08x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x 
[HEX & ASCII]
No Datas.
[ASCII]
%02d:%02d:%02d 
 id %d ttl %d tos %d len %d
 %s 
 %s >
ICMP
 len %d tos %d
 ttl %d win %d id %d
 %s:%d
 %s:%d >
 id %d ttl %d tos %d len %d udplen %d
%s: invalid option -- %c
%s: illegal option -- %c
%s: option requires an argument -- %c
%s: unrecognized option `%c%s'
%s: unrecognized option `--%s'
%s: option `%s' requires an argument
%s: option `%c%s' doesn't allow an argument
%s: option `--%s' doesn't allow an argument
%s: option `%s' is ambiguous
POSIXLY_CORRECT
icmp
Usage: rksniffer.exe [options]
[options]
  -l            	list all active adapters on the machine
  -i [adapter]  	select adapter
  -s [port]     	source port for filtering received packets
  -d [port]     	destination port for filtering received packets
  -o [file]     	print results in file or in stdout if not specified
  -c [count]    	snif [count] packets
  -a            	display packet content in ASCII format
  -x            	display packet content in hex format
  -X            	display packet content in hex and ASCII format
  -t            	display time information
  -h            	display this help
CTRL-C, Exiting...
%d packet(s) received.
WSASocket() failed: %s
fopen() failed: %s
%d Error(s), Exiting...
Error: "%s" Incorrect protocol.
Error: Incorrect count. Specify a count superior at 0.
Error: Incorrect port. Specify a port between 0 and 65535.
li:s:d:p:o:c:axXth
WSAStartup() failed: %s
SetConsoleTitle() failed: %s
RKSniffer
DATAS
! Another protocol was sniffed !


Comments

blog comments powered by Disqus