General Information | |
---|---|
Analysis ID: | 27406 |
Start time: | 12:00:01 |
Start date: | 16/11/2012 |
Overall analysis duration: | 0h 3m 21s |
Sample file name: | fxsst.dll.dr |
Cookbook file name: | default.jbs |
Analysis system description: | XP SP3 (Office 2003 SP2, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8) |
Number of new started processes analysed: | 2 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
SCAE enabled: | true |
SCAE success: | true, ratio: 93% |
Classification / Threat Score | |
---|---|
Persistence, Installation, Boot Survival: | |
Hiding, Stealthiness, Detection and Removal Protection: | |
Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection: | |
Spreading: | |
Exploiting: | |
Networking: | |
Data spying, Sniffing, Keylogging, Ebanking Fraud: |
Matching Signatures | |
---|---|
Behavior Signatures | |
Binary may include packed or crypted data | |
Creates mutexes | |
PE sections with suspicious entropy found | |
Performs DNS lookups |
Code Signatures | |
Contains functionality to adjust token privileges (e.g. debug / backup) | |
Contains functionality to download additional files from the internet |
Startup |
---|
Created / dropped Files |
---|
File Path | MD5 |
---|---|
\ROUTER | A9A1EB35B5399430B66643E533B7D6B1 |
Contacted Domains |
---|
Name | IP | Name Server | Active | Registrar | |
---|---|---|---|---|---|
mxquery.ddns.info | 178.32.240.212 | true | unknown | unknown |
Contacted IPs |
---|
IP | Country | Pingable | Open Ports |
---|---|---|---|
195.186.1.121 | SWITZERLAND | false | |
178.32.240.212 | FRANCE | true | 80 443 3389 |
Static File Info | |
---|---|
File type: | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
File name: | fxsst.dll.dr |
File size: | 9728 |
MD5: | 08727a7100766e60026243601fa6ce3b |
SHA1: | 318c188233fb47cde6b6a7a1907cb207bbc8f373 |
SHA256: | e4a5378c232012508de4d3554e764d37969394ccf44d6866ec8344550c0f4c8f |
SHA512: | 698f9afb0542861db7cd6bdb2abdbd6c686e3aabfc753737f890a0c2468e6a894ef8cdbf52d0fd77f075ce28b072d98db75dc4335beeb0b77a53c0e8d0281ca0 |
Static PE Info | |
---|---|
General | |
Entrypoint: | 0x100011d3 |
Entrypoint Section: | .text |
Imagebase: | 0x10000000 |
Subsystem: | windows gui |
Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED |
DLL Characteristics: | |
Time Stamp: | 0x50A230BB [Tue Nov 13 11:36:27 2012 UTC] |
TLS Callbacks: |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
BIN | 0x4060 | 0x13d6 | data | English | United States |
Imports |
---|
DLL | Import |
---|---|
MSVCRT.dll | _adjust_fdiv, malloc, _initterm, free, memset, memcpy |
KERNEL32.dll | CreateThread, GetModuleHandleA, GetProcAddress, FindResourceA, LockResource, SizeofResource, VirtualAlloc, CreateMutexA, GetLastError, LoadLibraryA, GetModuleFileNameA |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Entropy |
---|---|---|---|---|
.text | 0x1000 | 0x276 | 0x400 | 4.15042492165 |
.rdata | 0x2000 | 0x238 | 0x400 | 2.91803297773 |
.data | 0x3000 | 0x170 | 0x200 | 0.7991397192 |
.rsrc | 0x4000 | 0x1438 | 0x1600 | 6.5636280893 |
.reloc | 0x6000 | 0xb8 | 0x200 | 1.56559838055 |
Exports |
---|
Name | Ordinal | Address |
---|---|---|
_DllMain@12 | 1 | 0x10001000 |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
String Analysis |
---|
Network Behavior |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 16, 2012 12:01:58.820745945 CET | 51208 | 53 | 192.168.0.10 | 195.186.1.121 |
Nov 16, 2012 12:01:59.200261116 CET | 53 | 51208 | 195.186.1.121 | 192.168.0.10 |
Nov 16, 2012 12:01:59.293520927 CET | 1040 | 80 | 192.168.0.10 | 178.32.240.212 |
Nov 16, 2012 12:01:59.293548107 CET | 80 | 1040 | 178.32.240.212 | 192.168.0.10 |
Nov 16, 2012 12:01:59.293884039 CET | 1040 | 80 | 192.168.0.10 | 178.32.240.212 |
Nov 16, 2012 12:01:59.295357943 CET | 1040 | 80 | 192.168.0.10 | 178.32.240.212 |
Nov 16, 2012 12:01:59.295372963 CET | 80 | 1040 | 178.32.240.212 | 192.168.0.10 |
Nov 16, 2012 12:01:59.778911114 CET | 80 | 1040 | 178.32.240.212 | 192.168.0.10 |
Nov 16, 2012 12:01:59.869503975 CET | 80 | 1040 | 178.32.240.212 | 192.168.0.10 |
Nov 16, 2012 12:01:59.870265961 CET | 1040 | 80 | 192.168.0.10 | 178.32.240.212 |
Nov 16, 2012 12:01:59.870280027 CET | 80 | 1040 | 178.32.240.212 | 192.168.0.10 |
Nov 16, 2012 12:01:59.870973110 CET | 1040 | 80 | 192.168.0.10 | 178.32.240.212 |
Nov 16, 2012 12:01:59.876761913 CET | 80 | 1040 | 178.32.240.212 | 192.168.0.10 |
Nov 16, 2012 12:01:59.889344931 CET | 80 | 1040 | 178.32.240.212 | 192.168.0.10 |
Nov 16, 2012 12:01:59.890140057 CET | 1040 | 80 | 192.168.0.10 | 178.32.240.212 |
Nov 16, 2012 12:01:59.890157938 CET | 80 | 1040 | 178.32.240.212 | 192.168.0.10 |
Nov 16, 2012 12:01:59.890727043 CET | 1040 | 80 | 192.168.0.10 | 178.32.240.212 |
Nov 16, 2012 12:01:59.891143084 CET | 80 | 1040 | 178.32.240.212 | 192.168.0.10 |
Nov 16, 2012 12:01:59.971276045 CET | 80 | 1040 | 178.32.240.212 | 192.168.0.10 |
Nov 16, 2012 12:01:59.971988916 CET | 1040 | 80 | 192.168.0.10 | 178.32.240.212 |
Nov 16, 2012 12:01:59.972003937 CET | 80 | 1040 | 178.32.240.212 | 192.168.0.10 |
Nov 16, 2012 12:01:59.972244978 CET | 1040 | 80 | 192.168.0.10 | 178.32.240.212 |
Nov 16, 2012 12:02:00.082770109 CET | 1040 | 80 | 192.168.0.10 | 178.32.240.212 |
Nov 16, 2012 12:02:00.082784891 CET | 80 | 1040 | 178.32.240.212 | 192.168.0.10 |
Nov 16, 2012 12:02:00.301413059 CET | 1040 | 80 | 192.168.0.10 | 178.32.240.212 |
Nov 16, 2012 12:02:00.723994017 CET | 1040 | 80 | 192.168.0.10 | 178.32.240.212 |
Nov 16, 2012 12:02:00.724031925 CET | 80 | 1040 | 178.32.240.212 | 192.168.0.10 |
Nov 16, 2012 12:02:01.022100925 CET | 80 | 1040 | 178.32.240.212 | 192.168.0.10 |
Nov 16, 2012 12:02:01.051703930 CET | 1040 | 80 | 192.168.0.10 | 178.32.240.212 |
Nov 16, 2012 12:02:01.051723003 CET | 80 | 1040 | 178.32.240.212 | 192.168.0.10 |
Nov 16, 2012 12:02:45.278589010 CET | 80 | 1040 | 178.32.240.212 | 192.168.0.10 |
Nov 16, 2012 12:02:45.302141905 CET | 1040 | 80 | 192.168.0.10 | 178.32.240.212 |
Nov 16, 2012 12:02:45.302159071 CET | 80 | 1040 | 178.32.240.212 | 192.168.0.10 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 16, 2012 12:01:58.820745945 CET | 51208 | 53 | 192.168.0.10 | 195.186.1.121 |
Nov 16, 2012 12:01:59.200261116 CET | 53 | 51208 | 195.186.1.121 | 192.168.0.10 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Nov 16, 2012 12:01:58.820745945 CET | 192.168.0.10 | 195.186.1.121 | 0x2cd5 | Standard query (0) | mxquery.ddns.info | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Nov 16, 2012 12:01:59.200261116 CET | 195.186.1.121 | 192.168.0.10 | 0x2cd5 | No error (0) | mxquery.ddns.info | | 178.32.240.212 | A (IP address) | IN (0x0001) |
Code Manipulation Behavior |
---|
System Behavior |
---|
General | |
---|---|
Start time: | 09:46:18 |
Start date: | 24/01/2012 |
Path: | C:\WINDOWS\system32\loaddll.exe |
Wow64 process (32bit): | false |
Commandline: | unknown |
Imagebase: | 0x400000 |
File size: | 53248 bytes |
MD5 hash: | B437D1322F2A1C600C2AD1BDACDA986C |
General | |
---|---|
Start time: | 09:46:21 |
Start date: | 24/01/2012 |
Path: | C:\WINDOWS\system32\rundll32.exe |
Wow64 process (32bit): | false |
Commandline: | unknown |
Imagebase: | 0x1000000 |
File size: | 33280 bytes |
MD5 hash: | 037B1E7798960E0420003D05BB577EE6 |
Disassembly |
---|
Code Analysis |
---|
Executed Functions |
---|
APIs |
---|
Non-executed Functions |
---|