Irregular Expressions

Jul 26 2012   10:59PM GMT

Discount Gift Certificates

Dan O'Connor

Wow, really? I can't wait to get those.

I got a fake Groupon email today with a zip attachment that had an exe inside.

First thing was to get it copied onto my VM system (and hope it does not do something silly while running in a VM).
Then get a few of my favorite utils fired up. For this I am going to just start with CaptureBAT, see what happens, then go from there.

We are off to a good start: it did run, and showed up as a running process of the same name. Here are some other things it did:
– Dropped a file to "Documents and Settings\All Users\svchost.exe"
– Created a persistent method of launching: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "C:\Documents and Settings\All Users\svchost.exe"
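Two things about that Run entry are worth turning into a check: a binary named svchost.exe has no business living anywhere but System32, and "SunJavaUpdateSched" is the value name the real Java updater uses (pointing at jusched.exe), so the malware is borrowing a familiar name to hide. The script below is an added example, not part of the original post or of CaptureBAT's output: it parses the text that `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` prints and flags entries on those grounds. The sample output is constructed; the SunJavaUpdateSched row reproduces the value observed above, the other two rows are made up for contrast, and the lists of system-only binaries and user-writable directories are my own assumptions about what a quick triage should care about.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` output
# on an XP-era box. The SunJavaUpdateSched row is the entry observed in the post; the
# other two rows are invented, benign-looking entries for contrast.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SunJavaUpdateSched    REG_SZ    "C:\Documents and Settings\All Users\svchost.exe"
    Adobe Reader Speed Launcher    REG_SZ    "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    VMware Tools    REG_SZ    "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
"""

# Binaries that legitimately live only under %SystemRoot%\System32 (assumed triage list).
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe", "smss.exe"}

# Run value names that well-known software writes, mapped to the executable that should be
# behind them. SunJavaUpdateSched is the real Java updater's entry and points at jusched.exe;
# the sample in the post reused that name for its copy of svchost.exe.
KNOWN_VALUE_NAMES = {"sunjavaupdatesched": "jusched.exe"}

# Path components that mark user profile / user-writable territory (assumed triage list).
USER_WRITABLE_PARTS = ("documents and settings", "programdata", "appdata", "temp", "users")

# One data row of `reg query` output: four-space separated name, type, data.
_ROW = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_[A-Z_]+)\s{4}(?P<data>.*)$")
# The executable at the front of a command line, quoted or not, ignoring any arguments.
_EXE = re.compile(r'^"?(?P<path>[^"]+?\.exe)"?', re.IGNORECASE)


def parse_reg_query(text):
    """Return (value_name, value_type, data) tuples for each value row in reg query output."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append((m["name"], m["type"], m["data"]))
    return rows


def image_path(data):
    """Pull the executable path out of a Run value's command line, or None if there is none."""
    m = _EXE.match(data.strip())
    return PureWindowsPath(m["path"]) if m else None


def audit_run_entries(text):
    """Flag Run entries that look like the persistence seen in the post.

    Returns a list of {"name", "path", "reasons"} dicts, one per suspicious entry.
    """
    findings = []
    for name, _type, data in parse_reg_query(text):
        path = image_path(data)
        if path is None:
            continue
        parts = [p.lower() for p in path.parts]
        base = path.name.lower()
        reasons = []
        if base in SYSTEM32_ONLY and "system32" not in parts:
            reasons.append("system binary name outside System32")
        if any(p in USER_WRITABLE_PARTS for p in parts):
            reasons.append("image lives in a user-writable directory")
        expected = KNOWN_VALUE_NAMES.get(name.lower())
        if expected and base != expected:
            reasons.append(f"value name impersonates {expected}")
        if reasons:
            findings.append({"name": name, "path": str(path), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_run_entries(SAMPLE_REG_QUERY):
        print(f"{f['name']} -> {f['path']}")
        for r in f["reasons"]:
            print(f"    {r}")
```

On a live box you would feed it the real output (`reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" > run.txt`, then the HKCU key and the RunOnce keys the same way) rather than the embedded sample; the parser does not care which key the rows came from.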

What I have not seen yet is it making a network connection out.
Yet, anyway.
