General Information

Analysis ID:27406
Start time:12:00:01
Start date:16/11/2012
Overall analysis duration:0h 3m 21s
Sample file name:fxsst.dll.dr
Cookbook file name:default.jbs
Analysis system description:XP SP3 (Office 2003 SP2, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8)
Number of new started processes analysed:2
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
SCAE enabled:true
SCAE success:true, ratio: 93%

Classification / Threat Score

Persistence, Installation, Boot Survival:
Hiding, Stealthiness, Detection and Removal Protection:
Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection:
Spreading:
Exploiting:
Networking:
Data spying, Sniffing, Keylogging, Ebanking Fraud:

Matching Signatures

Behavior Signatures
Binary may include packed or crypted data
Creates mutexes: \BaseNamedObjects\22834_04532_08345
PE sections with suspicious entropy found
Performs DNS lookups

Code Signatures
Contains functionality to adjust token privileges (e.g. debug / backup)
Contains functionality to download additional files from the internet

Startup

  • system is xp
  • loaddll.exe (PID: 1472 MD5: B437D1322F2A1C600C2AD1BDACDA986C)
  • rundll32.exe (PID: 164 MD5: 037B1E7798960E0420003D05BB577EE6)
  • cleanup

Created / dropped Files

File Path | MD5
\ROUTER   | A9A1EB35B5399430B66643E533B7D6B1

Contacted Domains

Name              | IP             | Name Server | Active | Registrar | e-Mail
mxquery.ddns.info | 178.32.240.212 |             | true   | unknown   | unknown

Contacted IPs

IP             | Country     | Pingable | Open Ports
195.186.1.121  | SWITZERLAND | false    |
178.32.240.212 | FRANCE      | true     | 80 443 3389

Static File Info

File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
File name:fxsst.dll.dr
File size:9728
MD5:08727a7100766e60026243601fa6ce3b
SHA1:318c188233fb47cde6b6a7a1907cb207bbc8f373
SHA256:e4a5378c232012508de4d3554e764d37969394ccf44d6866ec8344550c0f4c8f
SHA512:698f9afb0542861db7cd6bdb2abdbd6c686e3aabfc753737f890a0c2468e6a894ef8cdbf52d0fd77f075ce28b072d98db75dc4335beeb0b77a53c0e8d0281ca0

Static PE Info

General
Entrypoint:0x100011d3
Entrypoint Section:.text
Imagebase:0x10000000
Subsystem:windows gui
Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
DLL Characteristics:
Time Stamp:0x50A230BB [Tue Nov 13 11:36:27 2012 UTC]
TLS Callbacks:
Resources
Name | RVA    | Size   | Type | Language | Country
BIN  | 0x4060 | 0x13d6 | data | English  | United States
Imports
DLL          | Import
MSVCRT.dll   | _adjust_fdiv, malloc, _initterm, free, memset, memcpy
KERNEL32.dll | CreateThread, GetModuleHandleA, GetProcAddress, FindResourceA, LockResource, SizeofResource, VirtualAlloc, CreateMutexA, GetLastError, LoadLibraryA, GetModuleFileNameA
Sections
Name   | Virtual Address | Virtual Size | Raw Size | Entropy
.text  | 0x1000          | 0x276        | 0x400    | 4.15042492165
.rdata | 0x2000          | 0x238        | 0x400    | 2.91803297773
.data  | 0x3000          | 0x170        | 0x200    | 0.7991397192
.rsrc  | 0x4000          | 0x1438       | 0x1600   | 6.5636280893
.reloc | 0x6000          | 0xb8         | 0x200    | 1.56559838055
Exports
Name        | Ordinal | Address
_DllMain@12 | 1       | 0x10001000
Possible Origin
Language of compilation system | Country where language is spoken | Map
English                        | United States                    |

String Analysis

Network Behavior

TCP Packets
Timestamp                           | Source Port | Dest Port | Source IP      | Dest IP
Nov 16, 2012 12:01:58.820745945 CET | 51208       | 53        | 192.168.0.10   | 195.186.1.121
Nov 16, 2012 12:01:59.200261116 CET | 53          | 51208     | 195.186.1.121  | 192.168.0.10
Nov 16, 2012 12:01:59.293520927 CET | 1040        | 80        | 192.168.0.10   | 178.32.240.212
Nov 16, 2012 12:01:59.293548107 CET | 80          | 1040      | 178.32.240.212 | 192.168.0.10
Nov 16, 2012 12:01:59.293884039 CET | 1040        | 80        | 192.168.0.10   | 178.32.240.212
Nov 16, 2012 12:01:59.295357943 CET | 1040        | 80        | 192.168.0.10   | 178.32.240.212
Nov 16, 2012 12:01:59.295372963 CET | 80          | 1040      | 178.32.240.212 | 192.168.0.10
Nov 16, 2012 12:01:59.778911114 CET | 80          | 1040      | 178.32.240.212 | 192.168.0.10
Nov 16, 2012 12:01:59.869503975 CET | 80          | 1040      | 178.32.240.212 | 192.168.0.10
Nov 16, 2012 12:01:59.870265961 CET | 1040        | 80        | 192.168.0.10   | 178.32.240.212
Nov 16, 2012 12:01:59.870280027 CET | 80          | 1040      | 178.32.240.212 | 192.168.0.10
Nov 16, 2012 12:01:59.870973110 CET | 1040        | 80        | 192.168.0.10   | 178.32.240.212
Nov 16, 2012 12:01:59.876761913 CET | 80          | 1040      | 178.32.240.212 | 192.168.0.10
Nov 16, 2012 12:01:59.889344931 CET | 80          | 1040      | 178.32.240.212 | 192.168.0.10
Nov 16, 2012 12:01:59.890140057 CET | 1040        | 80        | 192.168.0.10   | 178.32.240.212
Nov 16, 2012 12:01:59.890157938 CET | 80          | 1040      | 178.32.240.212 | 192.168.0.10
Nov 16, 2012 12:01:59.890727043 CET | 1040        | 80        | 192.168.0.10   | 178.32.240.212
Nov 16, 2012 12:01:59.891143084 CET | 80          | 1040      | 178.32.240.212 | 192.168.0.10
Nov 16, 2012 12:01:59.971276045 CET | 80          | 1040      | 178.32.240.212 | 192.168.0.10
Nov 16, 2012 12:01:59.971988916 CET | 1040        | 80        | 192.168.0.10   | 178.32.240.212
Nov 16, 2012 12:01:59.972003937 CET | 80          | 1040      | 178.32.240.212 | 192.168.0.10
Nov 16, 2012 12:01:59.972244978 CET | 1040        | 80        | 192.168.0.10   | 178.32.240.212
Nov 16, 2012 12:02:00.082770109 CET | 1040        | 80        | 192.168.0.10   | 178.32.240.212
Nov 16, 2012 12:02:00.082784891 CET | 80          | 1040      | 178.32.240.212 | 192.168.0.10
Nov 16, 2012 12:02:00.301413059 CET | 1040        | 80        | 192.168.0.10   | 178.32.240.212
Nov 16, 2012 12:02:00.723994017 CET | 1040        | 80        | 192.168.0.10   | 178.32.240.212
Nov 16, 2012 12:02:00.724031925 CET | 80          | 1040      | 178.32.240.212 | 192.168.0.10
Nov 16, 2012 12:02:01.022100925 CET | 80          | 1040      | 178.32.240.212 | 192.168.0.10
Nov 16, 2012 12:02:01.051703930 CET | 1040        | 80        | 192.168.0.10   | 178.32.240.212
Nov 16, 2012 12:02:01.051723003 CET | 80          | 1040      | 178.32.240.212 | 192.168.0.10
Nov 16, 2012 12:02:45.278589010 CET | 80          | 1040      | 178.32.240.212 | 192.168.0.10
Nov 16, 2012 12:02:45.302141905 CET | 1040        | 80        | 192.168.0.10   | 178.32.240.212
Nov 16, 2012 12:02:45.302159071 CET | 80          | 1040      | 178.32.240.212 | 192.168.0.10
UDP Packets
Timestamp                           | Source Port | Dest Port | Source IP     | Dest IP
Nov 16, 2012 12:01:58.820745945 CET | 51208       | 53        | 192.168.0.10  | 195.186.1.121
Nov 16, 2012 12:01:59.200261116 CET | 53          | 51208     | 195.186.1.121 | 192.168.0.10
DNS Queries
Timestamp                           | Source IP    | Dest IP       | Trans ID | OP Code            | Name              | Type           | Class
Nov 16, 2012 12:01:58.820745945 CET | 192.168.0.10 | 195.186.1.121 | 0x2cd5   | Standard query (0) | mxquery.ddns.info | A (IP address) | IN (0x0001)
DNS Answers
Timestamp                           | Source IP     | Dest IP      | Trans ID | Reply Code   | Name              | CName | Address        | Type           | Class
Nov 16, 2012 12:01:59.200261116 CET | 195.186.1.121 | 192.168.0.10 | 0x2cd5   | No error (0) | mxquery.ddns.info |       | 178.32.240.212 | A (IP address) | IN (0x0001)

Code Manipulation Behavior

System Behavior

General
Start time:09:46:18
Start date:24/01/2012
Path:C:\WINDOWS\system32\loaddll.exe
Wow64 process (32bit):false
Commandline:unknown
Imagebase:0x400000
File size:53248 bytes
MD5 hash:B437D1322F2A1C600C2AD1BDACDA986C
General
Start time:09:46:21
Start date:24/01/2012
Path:C:\WINDOWS\system32\rundll32.exe
Wow64 process (32bit):false
Commandline:unknown
Imagebase:0x1000000
File size:33280 bytes
MD5 hash:037B1E7798960E0420003D05BB577EE6

Disassembly

Code Analysis

Executed Functions
APIs
  • VirtualAlloc.KERNEL32, ref: 00E00079
  • VirtualAlloc.KERNEL32, ref: 00E0009D
APIs
  • GlobalAlloc.KERNEL32, ref: 00E100AA
APIs
  • SetErrorMode.KERNEL32, ref: 00C70085
  • VirtualAlloc.KERNEL32, ref: 00C70113
  • VirtualAlloc.KERNEL32, ref: 00C70200
  • VirtualAlloc.KERNEL32, ref: 00C70270
  • VirtualAlloc.KERNEL32, ref: 00C7044B
  • VirtualAlloc.KERNEL32, ref: 00C704EC
  • VirtualAlloc.KERNEL32, ref: 00C707E2
  • VirtualAlloc.KERNEL32, ref: 00C707F7
  • CreateThread.KERNEL32, ref: 00C7082C
APIs
  • CreateThread.KERNEL32, ref: 00E7006C
  • LookupPrivilegeValueA.ADVAPI32, ref: 00E7008B
  • AdjustTokenPrivileges.ADVAPI32, ref: 00E700BD
  • AdjustTokenPrivileges.ADVAPI32, ref: 00E700F0
  • CreateFileA.KERNEL32, ref: 00E70155
  • getsockname.WS2_32, ref: 00E702B9
  • VirtualAlloc.KERNEL32, ref: 00E702FA
  • GetComputerNameA.KERNEL32, ref: 00E70308
  • VirtualAlloc.KERNEL32, ref: 00E70336
  • GetPriorityClass.KERNEL32, ref: 00E703CF
  • Sleep.KERNEL32, ref: 00E7040A
  • Sleep.KERNEL32, ref: 00E7041D
  • GlobalMemoryStatus.KERNEL32, ref: 00E7046E
APIs
  • socket.WS2_32, ref: 00370246
  • gethostbyname.WS2_32, ref: 0037026B
  • connect.WS2_32, ref: 0037029D
  • VirtualAlloc.KERNEL32, ref: 003704E8
  • Sleep.KERNEL32, ref: 0037055A
APIs
  • select.WS2_32, ref: 00370611
  • recv.WS2_32, ref: 0037062D
  • send.WS2_32, ref: 00370632
APIs
  • VirtualAlloc.KERNEL32, ref: 00DC00C3
  • Sleep.KERNEL32, ref: 00DC05E1
APIs
  • LoadLibraryA.KERNEL32, ref: 003710F6
APIs
  • LoadLibraryA.KERNEL32, ref: 003712F5
  • GetUrlCacheEntryInfoW.WININET, ref: 0037131A
APIs
  • VirtualAlloc.KERNEL32, ref: 00DB0085
  • LoadLibraryA.KERNEL32, ref: 00DB00A6
  • VirtualAlloc.KERNEL32, ref: 00DB01A3
Non-executed Functions