Infosec Binary Analisys. updatewin2.exe

Size: px

Start display at page:

Download "Infosec Binary Analisys. updatewin2.exe"

Gillian Atkinson
5 years ago
Views:

1 updatewin2.exe MalScore: 100 File type: File size: PE32 executable (GUI) Intel 80386, for MS Windows KB ( bytes) Compile time: :08:45 MD5: SHA1: Import hash: 996ba35165bb62473d2a6743a5200d b0b5cce95c b8d12a759c234bd2e0 5921adaaf66f8c259aeda9e22686cd4b Submitted: :48:04 URL(s) file hosting Antivirus Report Report date Detection Ratio Permalink :24:39 48/71 Import library SHELL32.dll KERNEL32.dll GDI32.dll USER32.dll Page 1 Date: :04:06

2 7 Behaviors detected by system signatures Attempts to repeatedly call a single API many times in order to delay analysis time - Spam: updatewin2.exe (2696) called API NtClose times The sample wrote data to the system hosts file. - added: ds.download.windowsupdate.com - added: added: download.windowsupdate.com - added: fe2.update.microsoft.com - added: whoer.net - added: added: windowsupdate.com - added: added: microsoft.com - added: added: added: windowsupdate.com - added: added: added: totalsecurity.com - added: added: gratissoftwaresite.com - added: tweakers.net - added: added: added: avg.com - added: added: bestevirusscanner.net - added: added: consumentenbond.nl - added: cheaplicensing.com - added: added: global.ahnlab.com - added: added: added: ahnlab.com - added: downloads.tomsguide.com - added: added: added: download82.com - added: download.cnet.com - added: added: added: avast.com - added: support.avast.com - added: added: added: consumentenbond.com - added: added: goedkoopsteantivirus.com - added: added: toptenreviews.com - added: added: antivirus.nl - added: added: bol.com - added: added: avira.com - added: added: bitdefender.com Page 2 Date: :04:06

3 - added: licentie2go.com - added: added: added: bullguard.com - added: added: kpn.com - added: virusscanner.software - added: added: added: comodo.com - added: added: drweb.com - added: download.drweb.com - added: added: vms.drweb.com - added: added: alternativeto.ne - added: added: softonic.com - added: added: added: softpedia.com - added: added: flipkart.com - added: virustotal.com - added: added: added: emsisoft.com - added: added: antimalwaresoftware.com - added: added: pcwebplus.com - added: added: pcmag.com - added: added: eset.com - added: added: surfspot.com - added: added: topantivirus.com - added: added: techzine.com - added: added: eset.com - added: added: fortinet.com - added: fortiguard.com - added: added: forticlient.com - added: added: added: kpn.com - added: added: kaspersky.com - added: added: consumentenbond.com - added: added: surfspot.com - added: added: topreviews.com - added: added: amecomputers.com - added: Page 3 Date: :04:06

4 - added: instantsoftware.com - added: added: malwarebytes.com - added: added: malwarebytes.org - added: download.cnet.com - added: added: added: bleepingcomputer.com - added: added: majorgeeks.com - added: added: seniorweb.com - added: added: amazon.com - added: added: techspot.com - added: filehippo.com - added: added: added: idealsoftware.com - added: uptodown.com - added: added: added: mcafee.com - added: home.mcafee.com - added: added: added: coolblue.com - added: added: pcmag.com - added: added: sky.com - added: norton.com - added: added: added: kieskeurig.com - added: internetsecurity.xfinity.com - added: added: added: symantec.com - added: added: campusshop.com - added: added: pandasecurity.com - added: added: paradigit.com - added: added: sophos.com - added: home.sophos.com - added: added: sophos.virtualsecurity.com - added: added: added: gratissoftware.com - added: added: seniorweb.com - added: added: softwareadvice.com - added: added: symantec.com - added: hostedendpoint.spn.com - added: Page 4 Date: :04:06

5 - added: added: g2crowd.com - added: added: trendmicro.com - added: added: goedkoopsteantivirus.com - added: download.cnet.com - added: added: added: ign.com - added: added: trusteer.com - added: my.webrootanywhere.com - added: added: added: webroot.com - added: added: techradar.com - added: support.microsoft.com - added: added: added: microsoft.com - added: pulse.microsoft.com - added: added: pcmweb.com - added: added: added: security.com - added: ccm.net - added: added: added: enigmasoftware.com - added: howtoremove.guide - added: added: added: viruses.com - added: added: spyware.com - added: sensorstechforum.com - added: added: greatis.com - added: added: added: pchubs.com - added: added: pcrisk.com - added: added: malware-board.com - added: pcthreatskiller.com - added: added: pcfixhelp.net - added: added: stepsforkillingthreats.com - added: added: added: removemalwarevirus.com - added: spyware-techie.com - added: added: anti-spyware-101.com - added: added: added: removeallvirus.com - added: Page 5 Date: :04:06

6 - added: pcthreat.com - added: added: pcinfectionsupport.com - added: added: howtouninstallpcmalware.com - added: computerprotectionpro.com - added: Creates RWX memory Possible date expiration check, exits too soon after checking local time - process: updatewin2.exe, PID 2696 Dynamic (imported) function loading detected - DynamicLoader: kernel32.dll/createtoolhelp32snapshot - DynamicLoader: kernel32.dll/module32firstw - DynamicLoader: kernel32.dll/globalalloc - DynamicLoader: kernel32.dll/loadlibrarya - DynamicLoader: kernel32.dll/virtualalloc - DynamicLoader: kernel32.dll/virtualprotect - DynamicLoader: kernel32.dll/virtualfree - DynamicLoader: kernel32.dll/getversionexa - DynamicLoader: kernel32.dll/terminateprocess - DynamicLoader: kernel32.dll/exitprocess - DynamicLoader: kernel32.dll/seterrormode - DynamicLoader: kernel32.dll/createfilew - DynamicLoader: kernel32.dll/getfilesize - DynamicLoader: kernel32.dll/setfilepointer - DynamicLoader: kernel32.dll/writefile - DynamicLoader: kernel32.dll/closehandle - DynamicLoader: kernel32.dll/writeconsolew - DynamicLoader: kernel32.dll/setfilepointerex - DynamicLoader: kernel32.dll/getconsolemode - DynamicLoader: kernel32.dll/getconsolecp - DynamicLoader: kernel32.dll/flushfilebuffers - DynamicLoader: kernel32.dll/heaprealloc - DynamicLoader: kernel32.dll/heapsize - DynamicLoader: kernel32.dll/getprocessheap - DynamicLoader: kernel32.dll/lcmapstringw - DynamicLoader: kernel32.dll/getstringtypew - DynamicLoader: kernel32.dll/getfiletype - DynamicLoader: kernel32.dll/setstdhandle - DynamicLoader: kernel32.dll/freeenvironmentstringsw - DynamicLoader: kernel32.dll/getenvironmentstringsw - DynamicLoader: kernel32.dll/unhandledexceptionfilter - DynamicLoader: kernel32.dll/setunhandledexceptionfilter - DynamicLoader: kernel32.dll/getcurrentprocess - DynamicLoader: kernel32.dll/terminateprocess - DynamicLoader: kernel32.dll/isprocessorfeaturepresent - DynamicLoader: kernel32.dll/queryperformancecounter - DynamicLoader: kernel32.dll/getcurrentprocessid - DynamicLoader: kernel32.dll/getcurrentthreadid - DynamicLoader: kernel32.dll/getsystemtimeasfiletime - DynamicLoader: kernel32.dll/initializeslisthead - DynamicLoader: kernel32.dll/isdebuggerpresent - DynamicLoader: kernel32.dll/getstartupinfow - DynamicLoader: kernel32.dll/getmodulehandlew - DynamicLoader: kernel32.dll/rtlunwind - DynamicLoader: kernel32.dll/raiseexception - DynamicLoader: kernel32.dll/getlasterror - DynamicLoader: kernel32.dll/setlasterror - DynamicLoader: kernel32.dll/entercriticalsection Page 6 Date: :04:06

7 - DynamicLoader: kernel32.dll/leavecriticalsection - DynamicLoader: kernel32.dll/deletecriticalsection - DynamicLoader: kernel32.dll/initializecriticalsectionandspincount - DynamicLoader: kernel32.dll/tlsalloc - DynamicLoader: kernel32.dll/tlsgetvalue - DynamicLoader: kernel32.dll/tlssetvalue - DynamicLoader: kernel32.dll/tlsfree - DynamicLoader: kernel32.dll/freelibrary - DynamicLoader: kernel32.dll/getprocaddress - DynamicLoader: kernel32.dll/loadlibraryexw - DynamicLoader: kernel32.dll/getstdhandle - DynamicLoader: kernel32.dll/getmodulefilenamew - DynamicLoader: kernel32.dll/multibytetowidechar - DynamicLoader: kernel32.dll/widechartomultibyte - DynamicLoader: kernel32.dll/exitprocess - DynamicLoader: kernel32.dll/getmodulehandleexw - DynamicLoader: kernel32.dll/getacp - DynamicLoader: kernel32.dll/heapalloc - DynamicLoader: kernel32.dll/heapfree - DynamicLoader: kernel32.dll/findclose - DynamicLoader: kernel32.dll/findfirstfileexw - DynamicLoader: kernel32.dll/findnextfilew - DynamicLoader: kernel32.dll/isvalidcodepage - DynamicLoader: kernel32.dll/getoemcp - DynamicLoader: kernel32.dll/getcpinfo - DynamicLoader: kernel32.dll/getcommandlinea - DynamicLoader: kernel32.dll/getcommandlinew - DynamicLoader: USER32.dll/MessageBoxA - DynamicLoader: SHELL32.dll/SHGetFolderPathW - DynamicLoader: SHLWAPI.dll/PathAppendW - DynamicLoader: msvcr100.dll/atexit - DynamicLoader: kernel32.dll/initializecriticalsectionex - DynamicLoader: kernel32.dll/flsalloc - DynamicLoader: kernel32.dll/flssetvalue - DynamicLoader: kernel32.dll/initializecriticalsectionex - DynamicLoader: kernel32.dll/flsalloc - DynamicLoader: kernel32.dll/flsgetvalue - DynamicLoader: kernel32.dll/flssetvalue - DynamicLoader: kernel32.dll/lcmapstringex Unconventionial language used in binary resources: Serbian SetUnhandledExceptionFilter detected (possible anti-debug) Page 7 Date: :04:06

Infosec Binary Analisys. dew.fgh

Infosec Binary Analisys. dew.fgh dew.fgh MalFamily: Malicious MalScore: 100 File type: File size: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive 344.03 KB (352285 bytes) Compile time: 2014-10-07