
General Information

Analysis ID: 27418
Start time: 15:14:13
Start date: 16/11/2012
Overall analysis duration: 0h 11m 32s
Sample file name: 2uZtGQEF.pdf
Cookbook file name: Ret Dump.jbs
Analysis system description: XP SP3 (Office 2003 SP1, Java 1.5.0, Acrobat Reader 8.1.2, Internet Explorer 6, Flash 10.1.82.76)
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
SCAE enabled: true
SCAE success: false, ratio: 0%

Classification / Threat Score

Persistence, Installation, Boot Survival:
Hiding, Stealthiness, Detection and Removal Protection:
Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection:
Spreading:
Exploiting:
Networking:
Data spying, Sniffing, Keylogging, Ebanking Fraud:

Matching Signatures

Behavior Signatures
Reads ini files
URLs found in memory or binary data
Creates mutexes: \BaseNamedObjects\Global\AcrobatViewerIsRunning
Found strings which match known social media URLs
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Performs DNS lookups
Allocates a big amount of memory (probably used for heap spraying)
Detected shellcode (check out the disassembly section)
Document exploit detected (URLDownloadToFile)
Document exploit detected (performs DNS queries)
NOP sled detected (often used during heap spraying before exploitation)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Code Signatures
Contains functionality to download additional files from the internet

Startup

  • system is xp2
  • AcroRd32.exe (PID: 1472 MD5: 80660C611B596FFE8AF4074B31AA6FB7)
  • cleanup

Created / dropped Files

No created / dropped files found

Contacted Domains

Name | IP | Name Server | Active | Registrar | e-Mail
justresins.com | unknown | unknown | false | unknown | unknown

Contacted IPs

IP | Country | Pingable | Open Ports
195.186.1.121 | SWITZERLAND | false |

Static File Info

File type: PDF document, version 1.3
File name: 2uZtGQEF.pdf
File size: 5408 bytes
MD5: 6c95034d7506af5d3de408d1d2dfbd7d
SHA1: 6e5319db3f104521b7e1331f2914bbc8ac2f1c35
SHA256: 44ff50a0fc160977c66fa783b64401ab1b5f7e4db3abbf76afaec7afdfcd691c
SHA512: 498389edfe3cd19d62e9bb2e73ab7eb86ff0dd58d7fa018aabe3a6f3ce098a0d40867c9e1265301c90f013a55dadc43a0b2957374a9c71cff9e554abc379965d

String Analysis

URLs
Social media names
String value | Source
http://cdn.api.twitter.com/1/urls/count.json?url=http%3A%2F%2Fwww.oldapps.com%2F&callback=twttr.receiveCou equals www.twitter.com (Twitter) | AcroRd32.exe
http://connect.facebook.net/en_US/all. equals www.facebook.com (Facebook) | AcroRd32.exe
http://platform.twitter.com/js/xd/jsonrpc. equals www.twitter.com (Twitter) | AcroRd32.exe
http://platform.twitter.com/js/xd/parent. equals www.twitter.com (Twitter) | AcroRd32.exe
http://platform.twitter.com/widgets. equals www.twitter.com (Twitter) | AcroRd32.exe
http://platform.twitter.com/widgets/hub.ht equals www.twitter.com (Twitter) | AcroRd32.exe
http://platform.twitter.com/widgets/images/tweet.dfbf1dd98bad9f5b5addd80494650dca.p equals www.twitter.com (Twitter) | AcroRd32.exe
http://platform.twitter.com/widgets/tweet_button.ht equals www.twitter.com (Twitter) | AcroRd32.exe
VM Artifacts
String value | Source
\??\C:\WINDOWS\system32\VBoxService.e | AcroRd32.exe
\??\C:\WINDOWS\system32\VBoxTray.e | AcroRd32.exe

Network Behavior

TCP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 16, 2012 15:22:50.831875086 CET | 56897 | 53 | 192.168.0.13 | 195.186.1.121
Nov 16, 2012 15:22:51.442137003 CET | 53 | 56897 | 195.186.1.121 | 192.168.0.13
UDP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 16, 2012 15:22:50.831875086 CET | 56897 | 53 | 192.168.0.13 | 195.186.1.121
Nov 16, 2012 15:22:51.442137003 CET | 53 | 56897 | 195.186.1.121 | 192.168.0.13
DNS Queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 16, 2012 15:22:50.831875086 CET | 192.168.0.13 | 195.186.1.121 | 0xcd37 | Standard query (0) | justresins.com | A (IP address) | IN (0x0001)
DNS Answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 16, 2012 15:22:51.442137003 CET | 195.186.1.121 | 192.168.0.13 | 0xcd37 | Name error (3) | justresins.com | none | none | A (IP address) | IN (0x0001)

Code Manipulation Behavior

System Behavior

General
Start time: 10:12:47
Start date: 24/01/2012
Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
Wow64 process (32bit): false
Commandline: unknown
Imagebase: 0x400000
File size: 341616 bytes
MD5 hash: 80660C611B596FFE8AF4074B31AA6FB7

Disassembly

Shellcode Analysis

APIs
  • LoadLibraryA.KERNEL32, ref: 3042FF37
  • URLDownloadToFileA.URLMON, ref: 3042FF51
  • WinExec.KERNEL32, ref: 3042FF5E
  • ExitThread.KERNEL32, ref: 3042FF67
Strings referenced by the shellcode
Address | Value
3042ff6a | http://justresins.com/tg/f5fa5d27babf7c7f5b46fb711e2745e5.php?showtopic=7&showuser=28394956&showforum=us&&reader_version=8.102

Code Analysis