REPORT INFORMATION

REQUIREMENT / DETAIL

File name: C:\Users\Mfelipe.Isla\Desktop\diplomado\Malware\1-. MAN - Introducción al Analisis de Malware\Contenido Apoyo\Factura_pendiente.zip
SHA-256 hash: AB3AAF45907AA8655A61427A68CEB13DF85B0B96DCF57AF21889C99F9C9DBEA5
File type: Unknown format
Compilation date: Thursday 15 February 2024, 18.48.42

Basic static analysis:
  Architecture
  Interesting strings
  Libraries
  Functions
  External data (intelligence)
  Other DLLs
  Language
  Other files and libraries
  URL

Basic dynamic analysis:
  IP
  C2
  Processes created
  Registry entries modified
  Other data

Observations in code:
  APIs and functions used

Advanced analysis

Assessment
COMMON FUNCT

accept: This function is used to listen for incoming connections. This function indicates that the program will listen for incoming connect
AdjustTokenPrivileges: This function is used to enable or disable specific access privileges. In a process injection attack, this function is used by malwa
AttachThreadInput: This function attaches the input processing from one thread to another so that the second thread receives input events such as
bind: This function is used to associate a local address to a socket in order to listen for incoming connections.
BitBlt: This function is used to copy graphic data from one device to another. Spyware sometimes uses this function to capture screen
CertOpenSystemStore: This function is used to access the certificates stored on the local system.
connect: This function is used to connect to a remote socket. Malware often uses low-level functionality to connect to a command-and-co
ConnectNamedPipe: This function is used to create a server pipe for interprocess communication that will wait for a client pipe to connect. Backdoor
ControlService: This function is used to start, stop, modify, or send a signal to a running service. If malware is using its own malicious service, c
CreateFile: Creates a new file or opens an existing file.
CreateFileMapping: This function is used to create a handle to a file mapping that loads a file into memory and makes it accessible via memory add
CreateMutex: This function creates a mutual exclusion object that can be used by malware to ensure that only a single instance of the malwa
CreateProcess: This function creates and launches a new process. If malware creates a new process, the new process needs to be analyzed as w
CreateRemoteThread: This function is used to start a thread in a remote process. Launchers and stealth malware use CreateRemoteThread to inject c
CreateService: This function is used to create a service that can be started at boot time. Malware uses CreateService for persistence, stealth, o
CreateToolhelp32Snapshot: This function is used to create a snapshot of processes, heaps, threads, and modules. Malware often uses this function as part
CryptAcquireContext: This function is often the first function used by malware to initialize the use of Windows encryption.
DeviceIoControl: This function sends a control message from user space to a device driver. Kernel malware that needs to pass information betw
EnableExecuteProtectionSupport: This function is used to modify the Data Execution Protection (DEP) settings of the host, making it more susceptible to attack.
EnumProcesses: This function is used to enumerate through running processes on the system. Malware often enumerates through processes to
EnumProcessModules: This function is used to enumerate the loaded modules (executables and DLLs) for a given process. Malware enumerates throu
FindFirstFile/FindNextFile: This function is used to search through a directory and enumerate the file system.
FindResource: This function is used to find a resource in an executable or loaded DLL. Malware sometimes uses resources to store strings, co
FindWindow: This function is used to search for an open window on the desktop. Sometimes this function is used as an anti-debugging techn
FtpPutFile: This function is used to upload a file to a remote FTP server.
GetAdaptersInfo: This function is used to obtain information about the network adapters on the system. Backdoors sometimes call GetAdaptersIn
GetAsyncKeyState: This function is used to determine whether a particular key is being pressed. Malware sometimes uses this function to impleme
GetDC: This function returns a handle to a device context for a window or the whole screen. Spyware that takes screen captures often
GetForegroundWindow: This function returns a handle to the window currently in the foreground of the desktop. Keyloggers commonly use this function
gethostbyname: This function is used to perform a DNS lookup on a particular hostname prior to making an IP connection to a remote host. Hos
gethostname: This function is used to retrieve the hostname of the computer. Backdoors sometimes use gethostname in information gatherin
GetKeyState: This function is used by keyloggers to obtain the status of a particular key on the keyboard.
GetModuleFileName: This function returns the filename of a module that is loaded in the current process. Malware can use this function to modify or
GetModuleHandle: This function is used to obtain a handle to an already loaded module. Malware may use GetModuleHandle to locate and modify
GetProcAddress: This function is used to retrieve the address of a function in a DLL loaded into memory. This is used to import functions from oth
GetStartupInfo: This function is used to retrieve a structure containing details about how the current process was configured to run, such as wh
GetSystemDefaultLangId: This function returns the default language settings for the system. These are used by malware specifically designed for reg
GetTempPath: This function returns the temporary file path. If malware calls this function, check whether it reads or writes any files in the tempo
GetThreadContext: This function returns the context structure of a given thread. The context for a thread stores all the thread information, such as t
GetVersionEx: This function returns information about which version of Windows is currently running. This can be used as part of a victim surv
GetWindowsDirectory: This function returns the file path to the Windows directory (usually C
inet_addr: This function converts an IP address string like 127.0.0.1 so that it can be used by functions such as connect. The string specif
InternetOpen: This function initializes the high-level Internet access functions from WinINet, such as InternetOpenUrl and InternetReadFile. S
InternetOpenUrl: This function opens a specific URL for a connection using FTP, HTTP, or HTTPS. URLs, if fixed, can often be good network-bas
InternetReadFile: This function reads data from a previously opened URL.
InternetWriteFile: This function writes data to a previously opened URL.
IsNTAdmin: This function checks if the user has administrator privileges.
IsWoW64Process: This function is used by a 32-bit process to determine if it is running on a 64-bit operating system.
LdrLoadDll: This is a low-level function to load a DLL into a process, just like LoadLibrary. Normal programs use LoadLibrary, and the prese
LoadResource: This function loads a resource from a PE file into memory. Malware sometimes uses resources to store strings, configuration in
LsaEnumerateLogonSessions: This function is used to enumerate through logon sessions on the current system, which can be used as part of a credential ste
MapViewOfFile: This function is used to map a file into memory and makes the contents of the file accessible via memory addresses. Launchers
MapVirtualKey: This function is used to translate a virtual-key code into a character value. It is often used by keylogging malware.
Module32First/Module32Next: This function is used to enumerate through modules loaded into a process. Injectors use this function to determine where to inje
NetScheduleJobAdd: This function submits a request for a program to be run at a specified date and time. Malware can use NetScheduleJobAdd to r
NetShareEnum: This function is used to enumerate network shares.
NtQueryDirectoryFile: This function returns information about files in a directory. Rootkits commonly hook this function in order to hide files.
NtQueryInformationProcess: This function is used to return various information about a specified process. This function is sometimes used as an anti-debug
NtSetInformationProcess: This function is used to change the privilege level of a program or to bypass Data Execution Prevention (DEP).
OpenMutex: This function opens a handle to a mutual exclusion object that can be used by malware to ensure that only a single instance of
OpenProcess: This function is used to open a handle to another process running on the system. This handle can be used to read and write to
OutputDebugString: This function is used to output a string to a debugger if one is attached. This can be used as an anti-debugging technique.
PeekNamedPipe: This function is used to copy data from a named pipe without removing data from the pipe. This function is popular with reverse
Process32First/Process32Next: This function is used to begin enumerating processes from a previous call to CreateToolhelp32Snapshot. Malware often enume
QueueUserAPC: This function is used to execute code for a different thread. Malware sometimes uses QueueUserAPC to inject code into anothe
ReadProcessMemory: This function is used to read the memory of a remote process.
recv: This function is used to receive data from a remote machine. Malware often uses this function to receive data from a remote co
RegisterHotKey: This function is used to register a handler to be notified anytime a user enters a particular key combination (like CTRL-ALT-J), r
RegOpenKey: This function is used to open a handle to a registry key for reading and editing. Registry keys are sometimes written as a way fo
ResumeThread: This function is used to resume a previously suspended thread. ResumeThread is used as part of several injection techniques.
RtlCreateRegistryKey: This function is used to create a registry key from kernel-mode code.
RtlWriteRegistryValue: This function is used to write a value to the registry from kernel-mode code.
SamIConnect: This function is used to connect to the Security Account Manager (SAM) in order to make future calls that access credential info
SamIGetPrivateData: This function is used to query the private information about a specific user from the Security Account Manager (SAM) database
SamQueryInformationUser: This function is used to query information about a specific user in the Security Account Manager (SAM) database. Hash-dumpin
send: This function is used to send data to a remote machine. It is often used by malware to send data to a remote command-and-co
SetFileTime: This function is used to modify the creation, access, or last modified time of a file. Malware often uses this function to conceal m
SetThreadContext: This function is used to modify the context of a given thread. Some injection techniques use SetThreadContext.
SetWindowsHookEx: This function is used to set a hook function to be called whenever a certain event is called. Commonly used with keyloggers an
SfcTerminateWatcherThread: This function is used to disable Windows file protection and modify files that otherwise would be protected.
ShellExecute: This function is used to execute another program.
StartServiceCtrlDispatcher: This function is used by a service to connect the main thread of the process to the service control manager. Any process that ru
SuspendThread: This function is used to suspend a thread so that it stops running. Malware will sometimes suspend a thread in order to modify
system: This function is used to run another program provided by some C runtime libraries. On Windows, this function serves as a wrap
Thread32First/Thread32Next: This function is used to iterate through the threads of a process. Injectors use these functions to find an appropriate thread into
Toolhelp32ReadProcessMemory: This function is used to read the memory of a remote process.
URLDownloadToFile: This function is used to download a file from a web server and save it to disk. This function is popular with downloaders becaus
VirtualAllocEx: This function is a memory-allocation routine that can allocate memory in a remote process. Malware sometimes uses VirtualAllo
VirtualProtectEx: This function is used to change the protection on a region of memory. Malware may use this function to change a read-only sec
WideCharToMultiByte: This function is used to convert a Unicode string into an ASCII string.
WinExec: This function is used to execute another program.
WriteProcessMemory: This function is used to write data to a remote process. Malware uses WriteProcessMemory as part of process injection.
WSAStartup: This function is used to initialize low-level network functionality. Finding calls to WSAStartup can often be an easy way to locate