General Information

Analysis ID:27406
Start time:12:00:01
Start date:16/11/2012
Overall analysis duration:0h 3m 21s
Sample file name:fxsst.dll.dr
Cookbook file name:default.jbs
Analysis system description:XP SP3 (Office 2003 SP2, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8)
Number of new started processes analysed:2
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
SCAE enabled:true
SCAE success:true, ratio: 93%

Classification / Threat Score

Persistence, Installation, Boot Survival:
Hiding, Stealthiness, Detection and Removal Protection:
Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection:
Spreading:
Exploiting:
Networking:
Data spying, Sniffing, Keylogging, Ebanking Fraud:

Matching Signatures

Behavior Signatures
Binary may include packed or crypted data
Creates mutexes: \BaseNamedObjects\22834_04532_08345
PE sections with suspicious entropy found
Performs DNS lookups

Code Signatures
Contains functionality to adjust token privileges (e.g. debug / backup)
Contains functionality to download additional files from the internet

Startup

  • system is xp
  • loaddll.exe (PID: 1472 MD5: B437D1322F2A1C600C2AD1BDACDA986C)
  • rundll32.exe (PID: 164 MD5: 037B1E7798960E0420003D05BB577EE6)
  • cleanup

Created / dropped Files

File Path | MD5
\ROUTER | A9A1EB35B5399430B66643E533B7D6B1

Contacted Domains

Name | IP | Name Server | Active | Registrar | e-Mail
mxquery.ddns.info | 178.32.240.212 | | true | unknown | unknown

Contacted IPs

IP | Country | Pingable | Open Ports
195.186.1.121 | SWITZERLAND | false |
178.32.240.212 | FRANCE | true | 80 443 3389

Static File Info

File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
File name:fxsst.dll.dr
File size:9728
MD5:08727a7100766e60026243601fa6ce3b
SHA1:318c188233fb47cde6b6a7a1907cb207bbc8f373
SHA256:e4a5378c232012508de4d3554e764d37969394ccf44d6866ec8344550c0f4c8f
SHA512:698f9afb0542861db7cd6bdb2abdbd6c686e3aabfc753737f890a0c2468e6a894ef8cdbf52d0fd77f075ce28b072d98db75dc4335beeb0b77a53c0e8d0281ca0

Static PE Info

General
Entrypoint:0x100011d3
Entrypoint Section:.text
Imagebase:0x10000000
Subsystem:windows gui
Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
DLL Characteristics:
Time Stamp:0x50A230BB [Tue Nov 13 11:36:27 2012 UTC]
TLS Callbacks:
Resources
Name | RVA | Size | Type | Language | Country
BIN | 0x4060 | 0x13d6 | data | English | United States
Imports
DLL | Import
MSVCRT.dll | _adjust_fdiv, malloc, _initterm, free, memset, memcpy
KERNEL32.dll | CreateThread, GetModuleHandleA, GetProcAddress, FindResourceA, LockResource, SizeofResource, VirtualAlloc, CreateMutexA, GetLastError, LoadLibraryA, GetModuleFileNameA
Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy
.text | 0x1000 | 0x276 | 0x400 | 4.15042492165
.rdata | 0x2000 | 0x238 | 0x400 | 2.91803297773
.data | 0x3000 | 0x170 | 0x200 | 0.7991397192
.rsrc | 0x4000 | 0x1438 | 0x1600 | 6.5636280893
.reloc | 0x6000 | 0xb8 | 0x200 | 1.56559838055
Exports
Name | Ordinal | Address
_DllMain@12 | 1 | 0x10001000
Possible Origin
Language of compilation system | Country where language is spoken | Map
English | United States |

String Analysis

Network Behavior

TCP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 16, 2012 12:01:58.820745945 CET | 51208 | 53 | 192.168.0.10 | 195.186.1.121
Nov 16, 2012 12:01:59.200261116 CET | 53 | 51208 | 195.186.1.121 | 192.168.0.10
Nov 16, 2012 12:01:59.293520927 CET | 1040 | 80 | 192.168.0.10 | 178.32.240.212
Nov 16, 2012 12:01:59.293548107 CET | 80 | 1040 | 178.32.240.212 | 192.168.0.10
Nov 16, 2012 12:01:59.293884039 CET | 1040 | 80 | 192.168.0.10 | 178.32.240.212
Nov 16, 2012 12:01:59.295357943 CET | 1040 | 80 | 192.168.0.10 | 178.32.240.212
Nov 16, 2012 12:01:59.295372963 CET | 80 | 1040 | 178.32.240.212 | 192.168.0.10
Nov 16, 2012 12:01:59.778911114 CET | 80 | 1040 | 178.32.240.212 | 192.168.0.10
Nov 16, 2012 12:01:59.869503975 CET | 80 | 1040 | 178.32.240.212 | 192.168.0.10
Nov 16, 2012 12:01:59.870265961 CET | 1040 | 80 | 192.168.0.10 | 178.32.240.212
Nov 16, 2012 12:01:59.870280027 CET | 80 | 1040 | 178.32.240.212 | 192.168.0.10
Nov 16, 2012 12:01:59.870973110 CET | 1040 | 80 | 192.168.0.10 | 178.32.240.212
Nov 16, 2012 12:01:59.876761913 CET | 80 | 1040 | 178.32.240.212 | 192.168.0.10
Nov 16, 2012 12:01:59.889344931 CET | 80 | 1040 | 178.32.240.212 | 192.168.0.10
Nov 16, 2012 12:01:59.890140057 CET | 1040 | 80 | 192.168.0.10 | 178.32.240.212
Nov 16, 2012 12:01:59.890157938 CET | 80 | 1040 | 178.32.240.212 | 192.168.0.10
Nov 16, 2012 12:01:59.890727043 CET | 1040 | 80 | 192.168.0.10 | 178.32.240.212
Nov 16, 2012 12:01:59.891143084 CET | 80 | 1040 | 178.32.240.212 | 192.168.0.10
Nov 16, 2012 12:01:59.971276045 CET | 80 | 1040 | 178.32.240.212 | 192.168.0.10
Nov 16, 2012 12:01:59.971988916 CET | 1040 | 80 | 192.168.0.10 | 178.32.240.212
Nov 16, 2012 12:01:59.972003937 CET | 80 | 1040 | 178.32.240.212 | 192.168.0.10
Nov 16, 2012 12:01:59.972244978 CET | 1040 | 80 | 192.168.0.10 | 178.32.240.212
Nov 16, 2012 12:02:00.082770109 CET | 1040 | 80 | 192.168.0.10 | 178.32.240.212
Nov 16, 2012 12:02:00.082784891 CET | 80 | 1040 | 178.32.240.212 | 192.168.0.10
Nov 16, 2012 12:02:00.301413059 CET | 1040 | 80 | 192.168.0.10 | 178.32.240.212
Nov 16, 2012 12:02:00.723994017 CET | 1040 | 80 | 192.168.0.10 | 178.32.240.212
Nov 16, 2012 12:02:00.724031925 CET | 80 | 1040 | 178.32.240.212 | 192.168.0.10
Nov 16, 2012 12:02:01.022100925 CET | 80 | 1040 | 178.32.240.212 | 192.168.0.10
Nov 16, 2012 12:02:01.051703930 CET | 1040 | 80 | 192.168.0.10 | 178.32.240.212
Nov 16, 2012 12:02:01.051723003 CET | 80 | 1040 | 178.32.240.212 | 192.168.0.10
Nov 16, 2012 12:02:45.278589010 CET | 80 | 1040 | 178.32.240.212 | 192.168.0.10
Nov 16, 2012 12:02:45.302141905 CET | 1040 | 80 | 192.168.0.10 | 178.32.240.212
Nov 16, 2012 12:02:45.302159071 CET | 80 | 1040 | 178.32.240.212 | 192.168.0.10
UDP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 16, 2012 12:01:58.820745945 CET | 51208 | 53 | 192.168.0.10 | 195.186.1.121
Nov 16, 2012 12:01:59.200261116 CET | 53 | 51208 | 195.186.1.121 | 192.168.0.10
DNS Queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 16, 2012 12:01:58.820745945 CET | 192.168.0.10 | 195.186.1.121 | 0x2cd5 | Standard query (0) | mxquery.ddns.info | A (IP address) | IN (0x0001)
DNS Answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 16, 2012 12:01:59.200261116 CET | 195.186.1.121 | 192.168.0.10 | 0x2cd5 | No error (0) | mxquery.ddns.info | | 178.32.240.212 | A (IP address) | IN (0x0001)

Code Manipulation Behavior

System Behavior