Analysis # Sample: ss32.exe ( a6e6d b453e73d) Analysis # /08/ :33 pm

Size: px

Start display at page:

Download "Analysis # Sample: ss32.exe ( a6e6d b453e73d) Analysis # /08/ :33 pm"

Antonia Farmer
5 years ago
Views:

1 Analysis # /08/ :33 pm 1/14

2 Table of Contents Analysis Summary... 3 Analysis Summary... 3 Digital Behavior Traits... 3 File Activity... 4 Stored Modified Files... 4 Created Mutexes... 5 Created Mutexes... 5 Registry Activity... 6 Created Keys... 6 Set Values... 7 Network Activity... 9 Network Events... 9 Network Traffic DNS Requests Screen Shots Virus Total Results /14

3 Analysis Summary Submitted File: ss32.exe MD5: a6e6d b453e73d File Size: File Type: PE32 executable for MS Windows (GUI) Intel Analysis Time: :33:04 Start Reason: AnalysisTarget Termination Reason: Timeout Start Time: Mon, 08 Jul :33: Termination Time: Mon, 08 Jul :34: Analysis Time: :33:04 Sandbox: XPSP3-00-0C-29-5E-B4-D8 Total Processes: 1 Sample Notes: Digital Behavior Traits Alters Windows Firewall Checks For Debugger Copies to Windows Could Not Load Creates DLL in System Creates EXE in System Creates Hidden File Creates Mutex Creates Service Deletes File in System Deletes Original Sample Hooks Keyboard Injected Code Makes Network Connection Modifies File in System Modifies Local DNS More than 5 Processes Opens Physical Memory Starts EXE in Documents Starts EXE in Recycle Starts EXE in System Windows/Run Registry Key Set 3/14

4 Stored Modified Files C:\Documents and Settings\Administrator\Application Data\v125.txt 4/14

5 Created Mutexes mutex Name: Local\ZonesCounterMutex Desired Access: DELETE READ_CONTROL SYNCHRONIZE WRITE_DAC WRITE_OWNER MUTEX_MODIFY_STATE Name: Local\ZoneAttributeCacheCounterMutex Desired Access: DELETE READ_CONTROL SYNCHRONIZE WRITE_DAC WRITE_OWNER MUTEX_MODIFY_STATE Name: Local\ZonesCacheCounterMutex Desired Access: DELETE READ_CONTROL SYNCHRONIZE WRITE_DAC WRITE_OWNER MUTEX_MODIFY_STATE 5/14

6 Created Keys key \REGISTRY\MACHINE\Software\Description\Microsoft\Rpc\UuidTemporaryData \REGISTRY\MACHINE\SOFTWARE\ \REGISTRY\MACHINE\SOFTWARE\Description\ \REGISTRY\MACHINE\SOFTWARE\Description\Microsoft\ \REGISTRY\MACHINE\SOFTWARE\Description\Microsoft\Rpc\ 6/14

7 Set Values key entversion\run Value: ss32.exe Value: ProxyBypass Value: IntranetName Value: UNCAsIntranet Value: AutoDetect Value: ProxyBypass Value: IntranetName Value: UNCAsIntranet Value: AutoDetect entversion\explorer\shell Folders Value: AppData Key Name: \REGISTRY\MACHINE\Software\Description\Microsoft\Rpc\UuidTemporaryData Value: NetworkAddress Key Name: \REGISTRY\MACHINE\Software\Description\Microsoft\Rpc\UuidTemporaryData 7/14

8 Value: NetworkAddressLocal 8/14

9 Network Events Remote IP Local IP HTTP Command GET /15aDtjB none 9/14

10 Network Traffic Remote IP Local IP Connection # /14

11 DNS Requests Request Result bit.ly mssql.maurosouza9899.kinghost.net /14

12 12/14

13 Virus Total Results Last Scanned: :24:28 MicroWorld-eScan: nprotect: CAT-QuickHeal: McAfee: Malwarebytes: TheHacker: K7GW: Trojan K7AntiVirus: Trojan NANO-Antivirus: F-Prot: Symantec: Norman: TotalDefense: Avast: esafe: ClamAV: Kaspersky: BitDefender: Gen:Variant.Symmi Agnitum: Suspicious!SA SUPERAntiSpyware: Emsisoft: Gen:Variant.Symmi (B) Comodo: DrWeb: VIPRE: AntiVir: TR/Crypt.TPM.Gen TrendMicro: McAfee-GW-Edition: Heuristic.BehavesLike.Win32.Suspicious-BAY.O Sophos: Jiangmin: Antiy-AVL: Kingsoft: Microsoft: ViRobot: AhnLab-V3: GData: Gen:Variant.Symmi Commtouch: ByteHero: PCTools: ESET-NOD32: Rising: Ikarus: Fortinet: AVG: Panda: 13/14

14 Powered by TCPDF ( Analysis # ThreatTrack Security, Inc. 33 North Garden Avenue, Suite 1200, Clearwater, Florida, USA Telephone: (855) Intl: +1(813) Sales@ThreatTrack.com Disclaimer ThreatTrack Security, Inc. All rights reserved. All product and company names herein may be trademarks of their respective owners. The information and content in this document is provided for informational purposes only and is provided as is with no warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. ThreatTrack Security, Inc. is not liable for any damages, including any consequential damages, of any kind that may result from the use of this document. The information is obtained from publicly available sources. Though reasonable effort has been made to ensure the accuracy of the data provided, ThreatTrack Security makes no claim, promise or guarantee about the completeness, accuracy, recency or adequacy of information and is not responsible for misprints, out-of-date information, or errors. ThreatTrack Security makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy or completeness of any information contained in this document. If you believe there are any factual errors in this document, please contact us and we will review your concerns as soon as practical. 14/14

Analysis # Sample: Important_WellsFargo_Doc.exe (70e604777a66980bcc751dcb00eafee5) Analysis # /10/ :12 pm

Analysis # Sample: Important_WellsFargo_Doc.exe (70e604777a66980bcc751dcb00eafee5) Analysis # /10/ :12 pm Analysis # 31139 06/10/2013 14:12 pm 1/11 Table of Contents Analysis Summary... 3 Analysis Summary... 3 Digital Behavior Traits... 3 Created Mutexes... 4 Created Mutexes... 4 Registry Activity... 5 Created