mirror of
https://github.com/overcuriousity/autopsy-flatpak.git
synced 2025-07-17 02:07:42 +00:00
fe62624541
Added additional RegRipper modules to support STIX data. Stopped RecentActivity IE parser from generating empty user accounts.
70 lines
2.1 KiB
Perl
Executable File
70 lines
2.1 KiB
Perl
Executable File
#-----------------------------------------------------------
|
|
# brisv.pl
|
|
# Plugin to detect the presence of Trojan.Brisv.A
|
|
# Symantec write-up: http://www.symantec.com/security_response/writeup.jsp
|
|
# ?docid=2008-071823-1655-99
|
|
#
|
|
# Change History:
|
|
# 20130429: added alertMsg() functionality
|
|
# 20090210: Created
|
|
#
|
|
# Info on URLAndExitCommandsEnabled value:
|
|
# http://support.microsoft.com/kb/828026
|
|
# http://www.hispasec.com/laboratorio/GetCodecAnalysis.pdf
|
|
#
|
|
# copyright 2013 QAR, LLC
|
|
# Author: H. Carvey, keydet89@yahoo.com
|
|
#-----------------------------------------------------------
|
|
package brisv;
|
|
use strict;
|
|
|
|
my %config = (hive => "NTUSER\.DAT",
|
|
category => "malware",
|
|
osmask => 22,
|
|
hasShortDescr => 1,
|
|
hasDescr => 0,
|
|
hasRefs => 0,
|
|
version => 20130429);
|
|
|
|
sub getConfig{return %config}
|
|
|
|
sub getShortDescr {
|
|
return "Detect artifacts of a Troj\.Brisv\.A infection";
|
|
}
|
|
sub getDescr{}
|
|
sub getRefs {}
|
|
sub getHive {return $config{hive};}
|
|
sub getVersion {return $config{version};}
|
|
|
|
my $VERSION = getVersion();
|
|
|
|
sub pluginmain {
|
|
my $class = shift;
|
|
my $hive = shift;
|
|
::logMsg("Launching brisv v.".$VERSION);
|
|
::rptMsg("brisv v.".$VERSION); # banner
|
|
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
|
|
my $reg = Parse::Win32Registry->new($hive);
|
|
my $root_key = $reg->get_root_key;
|
|
|
|
my $key_path = "Software\\Microsoft\\PIMSRV";
|
|
my $key;
|
|
if ($key = $root_key->get_subkey($key_path)) {
|
|
::rptMsg($key_path);
|
|
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
|
|
::rptMsg("");
|
|
|
|
my $mp_path = "Software\\Microsoft\\MediaPlayer\\Preferences";
|
|
my $url;
|
|
eval {
|
|
$url = $key->get_subkey($mp_path)->get_value("URLAndExitCommandsEnabled")->get_data();
|
|
::rptMsg($mp_path."\\URLAndExitCommandsEnabled value set to ".$url);
|
|
::alertMsg($mp_path."\\URLAndExitCommandsEnabled value set: ".$url);
|
|
};
|
|
# if an error occurs within the eval{} statement, do nothing
|
|
}
|
|
else {
|
|
::rptMsg($key_path." not found.");
|
|
}
|
|
}
|
|
1; |