Winupdate 14/9/2011
VMWare Tools 8.8.0
VM 6.5/7.x
DHCP client enabled (without DHCP 192.168.102.1/24 GW .1)
WinUpdate DISABLED - Automatic Updates Service disabled.
>>BEHAVIOURAL<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
-Sysinternals Suite 25-7-2011
(procmon.exe,procexp.exe,tcpview.exe e RootkitRevealer.exe filename renamed to monproc.exe e expproc.exe viewtcp.exe rr.exe)
(ProcMon custom filters:
QUIET - all baseline events filtered
MONITORING TOOLS FILTER - all monitoring events filtered (refer Capturebat,Procmon,Procexp,TCPView)
NOT FOUND
REGISTRY STARTUP RUN KEY
)
-RegShot 1.8.2
-Process Hacker 2.21
-HBGary Flypaper 1.0.0.1
-ProcHeap Viewer 3.0
>SANDBOX
-Sandboxie 3.58 & SandBoxDiff 2.3
-Buster Sandbox Analyzer 1.33
-CaptureBAT 2.0.0.0 (-c -l ../desktop/log, mod default CaptureBAT filter to avoid logging Procmon,Procexp,TCPview,VMWare Tools events)
>API MONITORING & INSTRUMENTATION
-API Monitor 2.0r7
-WinAPI Override 32 5.5.3 (added Mutex & CreateProcess+Thread)
-oSPY 1.10.04
-Dynamo RIO 2.1.0.3
>NETWORK
-Wireshark 1.6.2
-Network Miner 1.1
-SmartSniff 1.82
-TrivialProxy 1.7.0.0
-WinPCAP 4.1.2
-IPtools 1.99.2.0
-Putty 0.61 beta
-WinSCP 4.3.4
-ProXPN (in openvpn)
>ROOTKIT DETECT
-Tuluka anti-rootkit 1.0.394.77
-HookExplorer 1.0.0.0
-GMER 1.0.15.15530
-Rootkit Hook analyzer 3.02
-Kernel detective 1.4.1
-Rootkit unhooker LE 3.8.342.554
-PowerTool 3.7.1
>>CODE & DATA<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
-VisualSTUDIO 2010 Ultimate
-IDA PRO 6.1 ESET ***
-OllyDbg 1.10
-OllyDbg 2.01 Alpha 3
-WinDBG 6.12
-Immunity Dbg 1.82
-Dependency Walker 2.1.3623
-Nasm 2.07
-W32Dasm 8.93
-Visda 1.0a-build 118
-CMP Disasm 0.71
-Metasploit 3.6.0
>IDA 6.1 Plugin
-IDAPython 1.5.2.3 (Python 2.6)
-IDAstealth v1.3.3
-MyNav 1.1
-Optimice 0.12
-Patchdiff 2.0.10
-Delphi 6&7 signature
-GetKeys.py script
Old IDA 5.5 Plugin not installed
-CodeDoctor (not working)
-PDBext_0.2 plugin (for working with symbols)
-SABRE BinDiff2
-Optimice v0.11 (python)
-IDA Function String Associate 1.0B
-IDA ExtraPass PlugIn 3.0
>Ollydbg plugin
-Olly Advanced 1.27
-Olly Bookmark 1.06
-Olly Command Line 1.10
-CodeDoctor 0.90 Beta
-OllyDump 3.00.110
-OllyScript 0.94
-Dejunk 0.13
-HideOD 0.1.8.1
-AdvancedOlly 1.27
-SEHSpy 0.1.0.0
-ODBGScript 1.82
-Phant0m 1.54
-OllySocketTrace 1.0
-XP Sp3 Symbols + config IDA/OllyDBG symbols path
>TEXT & PATTERN SEARCHING/MATCHING
-BinTEXT 3.0.3
-Yara 1.5
-Yara_1.6-python_2.7
>DECODE & DECRYPT
-Converter (data conversion & mangling)
-CrypTool 1.4.30
>JAVA
-JD-GUI 0.3.3 (JD-CORE 0.6.0)
-DJ Java Decompiler 3.11.11.95
-jEdit 4.4.1
>DotNET
-Redgate Reflector 6.6
-ILSpy 1.0.0.655
>VISUAL BASIC
-Ex-Dec
-WKTVBDE 4.3
-vb Decompiler Lite 8.2
>ANDROID
-Dex2Jar 0.0.7.11
-Dexid (1.04)
-Android SDK (include emulator)
-APK Tool 1.4.1
-Dedexer 1.15
-Smali/Baksmali 1.2.8
>DELPHI
-Interactive Delphi reconstructor 2.5.2.66 Beta
>>TOOLS<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>PE HEADER
-Stud_PE 2.6.0.5
-ImpREC 1.7c
-LordPE
-PeID 0.9.5
-xPELister 0.4b
-NW PE Builder 0.7
>MEMORY ANALYSIS
-Volatility 1.3 Beta
-Mandiant Memoryze 1.4.4200
-Mandiant Redline
-Mandiant audit-Viewer (for memoryze)
>PDF & FLASH
-PDF Streamdumper 0.9.270
-pdf-parser v0.3.7 (command line)
-Inflater v1.0 (command line)
-pdftk v1.41 (command line)
-AS3 Sorcerer 1.34 Trial
-SWFreTool 1.4
>REMOVER
-Zbot & Zbot V3 remover (NoVirusThanks)
-TDSS/TDL3 remover 1.8.0 (Esegelabs)
-Bootkit remover 1.2.0.0 (Esegelabs)
-CheckMutex & EnumerateMutex
-TDSSKiller 2.5.17.0 (Kaspersky)
>MACHINE CHECK
-Securable
-ScoopyNG
-NX-DEP detect
>WEB ANALYSIS
-Firefox v3.6.18 + Noscript + FireBug + FiddlerHook
-Paros v3.2.13 (nouseragent)
-Fiddler v2.3.6.2 beta + Addons
-NSDecoder Gui 1.0
-SEND HTTP Tool 2.5.5
-Mdecoder v0.67
-jjencoder
-server2go 1.8.2 (WAMP) apache 2.2, PHP 5.3.2, SQLite, MySQL 5.1.46
-FileZilla 3.5.0
-OpenVPN 2.2.1
>OFFENSIVE
-Havij 1.14 Pro ****
-Havij 1.15 Pro ****
-Albaloo 1.3 (web vulnerability scanner)
-XCode Exploit Sept2011 Patch (SQLI/LFI/XSS/Webshell Hunter with Google Engine)
-SQLMap 0.9
-ncrack 0.4a (password checker)
-Softperfect network scanner
-McAfee Sharescan 1.0.0.2
-McAfee Superscan 4
-TSGrinder 2.03 & TSEnum 1.0 & ProbeTS 1.1
>UNPACKER
-UPX v3.05w
-Qunpack 2.2
-dumbassembly 0.4 (smartassembly unpacker)
>EDITOR
-HXD 1.7.7.0
-Hex Workshop 6.5.1.5060 ***
-Notepad++ v5.9.3
-FileInsight HexEditor 2.1b90 + plugin
-Mandiant Highlighter
-WinHEX 16.6 SR2 ***
-010 Editor 3.2.2 + Template + PDF Template by Didier + Scripts ***
-Winmerge 2.12.4
>>REF<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
-Book "Reverse Engineering Code with IDA Pro" ***
-Adobe Acrobat JS Reference
-Ida Pro Unofficial guide ***
-SEH Exploitation Paper
-Windows Service Used Port Reference
-PECOFF v8
-Malicious PDF analysis book
-Win32 API reference
-Windows Anti-debug techniques reference
-Anti-unpacking techniques reference
-Symbian debugging with IDA
-An Anti-Reverse Engineering Guide
-Windows Autostart Entrypoint
-Bypassing SEH Overwrite Protection
-OllyDbg: Debugging Fundamentals for Exploit Development
-AdobeReaders Custom Memory Management Heap of Trouble.pdf
>>CMD LINE<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
-SquashFS tool (command line)
-xor v0.2 (command line)
-zpipe (command line)
-UPX v3.05w
-TDL FsReader
>>OTHER<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
-.NET 3.5SP1
-JRE 1.6.0_27 & JSE 1.6.0_27
-Flash Player 10.3.183.7
-Adobe Reader 9.4.6.252
-WinRAR 4.01
-ActiveState Perl v5.12.4
-Python 2.6.6 & 2.7.2
-XCA 0.9.0 (Certification Authority Manager)
-Greenshoot 0.8.0-b627
-HashTab 3.0.0
>>CONFIG<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
-IP 192.168.102.2/24 GW .1 DNS .1
-On desktop HTML empty template/ TinyPE Empty template
-Remove time_update service
-Added on desktop default "NOT INFECTED" open port
-Add to regedit many startup entrypoint
-Add favorites to regedit for run key
-Add CMD Line tool dir in path
-Create Analyzed dir e modified CMD lnk to CMD currently analyzed
-Shortcut to host file on desktop
-"Open with HXD" in command file list
@sprint.com ONLY. Law Enforcement requests should call the Corporate Security Hotline at 800-877-7330, option 3
