Analysis # 1828 Sample: fax_ _ exe (4ba43f0b82f86efed437c8523f7a4dee) Analysis # /25/ :05 am

Transcription

1 Analysis # :05 am 114

2 Table of Contents Analysis Summary... 3 Analysis Summary... 3 Digital Behavior Traits... 3 File Activity... 4 Deleted Files... 4 Stored Modified Files... 5 Created Mutexes... 6 Created Mutexes... 6 Registry Activity... 7 Set Values... 7 Deleted Values... 8 Network Activity... 9 Network Events... 9 Network Traffic DNS Requests Virus Total Results

3 Analysis Summary Submitted File: fax_ _ exe MD5: 4ba43f0b82f86efed437c8523f7a4dee File Size: File Type: PE32 executable for MS Windows (GUI) Intel Analysis Time: :05:08 Start Reason: AnalysisTarget Termination Reason: TerminatedBySelf Start Time: Fri, 25 Jul :08: Termination Time: Fri, 25 Jul :09: Analysis Time: :05:08 Sandbox: XP-SP2-00-0C-29-B2-D2-62 Total Processes: 3 Sample Notes: Digital Behavior Traits Alters Windows Firewall Checks For Debugger Copies to Windows Could Not Load Creates DLL in System Creates EXE in System Creates Hidden File Creates Mutex Creates Service Deletes File in System Deletes Original Sample Hooks Keyboard Injected Code Makes Network Connection Modifies File in System Modifies Local DNS More than 5 Processes Opens Physical Memory Starts EXE in Documents Starts EXE in Recycle Starts EXE in System WindowsRun Registry Key Set 314

4 Deleted Files C:\fax_ _ exe 414

5 Stored Modified Files [process 1] C:\Documents and Settings\Charlie\Application Data\cmd.exe C:\Documents and Settings\Charlie\Application Data\userdata.dat C:\Documents and Settings\Charlie\Application Data\userdata.dat 514

6 Created Mutexes [process 1] [process 1] [process 1] [process 1] [process 1] mutex Name: CTF.LBES.MutexDefaultS Name: CTF.Compart.MutexDefaultS Name: CTF.Asm.MutexDefaultS Name: CTF.Layouts.MutexDefaultS Name: CTF.TMD.MutexDefaultS Name: CTF.TimListCache.FMPDefaultS MUTEX.DefaultS Name: CTF.LBES.MutexDefaultS Name: CTF.Compart.MutexDefaultS Name: CTF.Asm.MutexDefaultS Name: CTF.Layouts.MutexDefaultS Name: CTF.TMD.MutexDefaultS Name: CTF.TimListCache.FMPDefaultS MUTEX.DefaultS Name: Xider78 Name: Local\c:!documents and settings!charlie!local settings!temporary internet files!content.ie5! Name: Local\c:!documents and settings!charlie!cookies! Name: Local\c:!documents and settings!charlie!local settings!history!history.ie5! Name: Local\WininetConnectionMutex 614

7 Set Values [process 1] [process 1] key Key Name: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG Value: Seed rentversion\explorer\shell Folders Value: AppData Key Name: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG Value: Seed rentversion\explorer\shell Folders Value: AppData rentversion\run Value: GoogleUpdate rentversion\explorer\shell Folders Value: AppData rentversion\explorer\shell Folders Value: History Key Name: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Value: Common AppData rentversion\explorer\shell Folders Value: AppData Value: ProxyEnable Key Name: \REGISTRY\USER\S \Software\Microsoft\windows\Cur \Connections Value: SavedLegacySettings Value: ProxyEnable Key Name: \REGISTRY\USER\S \Software\Microsoft\windows\Cur \Connections Value: SavedLegacySettings Key Name: \REGISTRY\MACHINE\Software\Microsoft\Rpc Value: UuidSequenceNumber 714

8 Deleted Values key Value: ProxyServer Value: ProxyOverride Value: AutoConfigURL Value: ProxyServer Value: ProxyOverride Value: AutoConfigURL 814

9 Network Events Remote IP Local IP HTTP Command none none none none GET GET GET GET GET GET F55publickey F50Win_XP_32bit F55replace F51oXrLlkNDxOipccQNoopqPLqXuxeySeE F514NATSymmetric%20NAT F51RqJmFMsFYABMxwsknpYjiangYdpUgER POST GET GET GET privatesandbox_status.php F51IkGKynkMBNUTxfeoCgcoPbHIsGoGhVc F51PocaHJNdOQCMViLnBBnpEwfQweJGoos F51jJalspNrecqvjMIbclhaAXimPiBfMbe POST GET privatesandbox_status.php F51QEklbUJqfEXQSgldVAfGBTlukDrPpWv POST GET privatesandbox_status.php F51KRBkcjdudJBCTdYfbKvwKKeAFQEaOnN

10 GET F51WbgkAGuxstAgRcKvyKSfxIbcIPUxCGd POST privatesandbox_status.php GET F51bOEBivIpUaAUabcEOpVdTqGjGJFFTIu POST privatesandbox_status.php GET F51UdJQMNoLejmGayjbjPfnnHxYvjobEVq GET F51pIHHbYXFAnAVfWlNQDemgVHXgTTLXDa POST privatesandbox_status.php 1014

11 Network Traffic Remote IP Local IP Connection # Connection # Connection # Connection #

12 DNS Requests Request Result google.com stun.voipstunt.com

13 Virus Total Results Last Scanned: :05:13 MicroWorld-eScan: nprotect: CMC: McAfee: Malwarebytes: AegisLab: K7AntiVirus: K7GW: Agnitum: Norman: TotalDefense: Avast: Kaspersky: BitDefender: NANO-Antivirus: ViRobot: F-Secure: AntiVir: Emsisoft: Antiy-AVL: Kingsoft: SUPERAntiSpyware: GData: AhnLab-V3: Zoner: Tencent: Ikarus: AVG: Panda: TrjGenetic.gen Qihoo-360: 1314

14 Powered by TCPDF ( Analysis # 1828 ThreatTrack Security, Inc. 33 North Garden Avenue, Suite 1200, Clearwater, Florida, USA Telephone: (855) Intl: +1(813) Sales@ThreatTrack.com Disclaimer ThreatTrack Security, Inc. All rights reserved. All product and company names herein may be trademarks of their respective owners. The information and content in this document is provided for informational purposes only and is provided as is with no warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. ThreatTrack Security, Inc. is not liable for any damages, including any consequential damages, of any kind that may result from the use of this document. The information is obtained from publicly available sources. Though reasonable effort has been made to ensure the accuracy of the data provided, ThreatTrack Security makes no claim, promise or guarantee about the completeness, accuracy, recency or adequacy of information and is not responsible for misprints, out-of-date information, or errors. ThreatTrack Security makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy or completeness of any information contained in this document. If you believe there are any factual errors in this document, please contact us and we will review your concerns as soon as practical. 1414