MoVP 3.2 Shellbags in Memory, SetRegTime, and TrueCrypt Volumes
Tags
| attack-pattern: | Data Indirect Malware - T1587.001 Malware - T1588.001 Python - T1059.006 Software - T1592.002 Timestomp - T1070.006 Tool - T1588.002 Timestomp - T1099 |
Common Information
| Type | Value |
|---|---|
| UUID | 9074fb53-4c59-442b-a585-0d32c123dabe |
| Fingerprint | 3f5d1657c72e8691 |
| Analysis status | DONE |
| Considered CTI value | 0 |
| Text language | |
| Published | Sept. 25, 2012, 2:31 p.m. |
| Added to db | Jan. 18, 2023, 10:43 p.m. |
| Last updated | Nov. 12, 2024, 8:53 a.m. |
| Headline | Volatility Labs |
| Title | MoVP 3.2 Shellbags in Memory, SetRegTime, and TrueCrypt Volumes |
| Detected Hints/Tags/Attributes | 48/1/41 |
Source URLs
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 1 | shellbagmru.py |
|
| Details | Domain | 3 | key.name |
|
| Details | Domain | 89 | vol.py |
|
| Details | Domain | 10 | item.name |
|
| Details | Domain | 79 | code.google.com |
|
| Details | File | 1 | shellbagmru.py |
|
| Details | File | 193 | ntuser.dat |
|
| Details | File | 28 | usrclass.dat |
|
| Details | File | 1 | registryapi.reg |
|
| Details | File | 3 | 'ntuser.dat |
|
| Details | File | 1 | regapi.reg |
|
| Details | File | 1 | filename.obj |
|
| Details | File | 1 | fdatasize.obj |
|
| Details | File | 1 | eversion.obj |
|
| Details | File | 1 | unknown1.obj |
|
| Details | File | 1 | unknown2.obj |
|
| Details | File | 1 | createddate.obj |
|
| Details | File | 1 | accessdate.obj |
|
| Details | File | 1 | unknown3.obj |
|
| Details | File | 85 | vol.py |
|
| Details | File | 4 | obj.obj |
|
| Details | File | 156 | 1.exe |
|
| Details | File | 1 | acrobat60.exe |
|
| Details | File | 4 | item.dat |
|
| Details | File | 1 | idapro_931_42287435c1a6ed5a6d6039345b7c49c2.exe |
|
| Details | File | 88 | 1.txt |
|
| Details | File | 5 | blah.txt |
|
| Details | File | 12 | document.txt |
|
| Details | File | 7 | 1.py |
|
| Details | File | 1 | poison_ivy.py |
|
| Details | File | 12 | 1.log |
|
| Details | File | 100 | ntuser.dat.log |
|
| Details | Url | 1 | http://code.google.com/p/volatility/wiki/volatilitybranches. |
|
| Details | Windows Registry Key | 1 | HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell |
|
| Details | Windows Registry Key | 1 | HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags |
|
| Details | Windows Registry Key | 1 | HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\BagMRU |
|
| Details | Windows Registry Key | 1 | HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam |
|
| Details | Windows Registry Key | 1 | HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU |
|
| Details | Windows Registry Key | 1 | HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags |
|
| Details | Windows Registry Key | 4 | HKEY_CURRENT_USER\Software\Classes\Local |
|
| Details | Windows Registry Key | 1 | HKEY_CURRENT_USER\Software\Classes\Wow6432Node\Local |