
General Information

Analysis ID:28014
Start time:11:27:22
Start date:11/01/2013
Overall analysis duration:0h 3m 30s
Sample file name:1-237f8ffc0c24191c5bb7bd9099802ee4.exe
Cookbook file name:default.jbs
Analysis system description:XP SP3 (Office 2003 SP2, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8)
Number of new started processes analysed:3
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
SCAE enabled:true
SCAE success:true, ratio: 100%

Classification / Threat Score

Persistence, Installation, Boot Survival:
Hiding, Stealthiness, Detection and Removal Protection:
Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection:
Spreading:
Exploiting:
Networking:
Data spying, Sniffing, Keylogging, Ebanking Fraud:

Matching Signatures

Behavior Signatures
Creates temporary files
Queries a list of all running processes
Reads ini files
Spawns processes
Urls found in memory or binary data
Binary may include packed or crypted data
Creates files inside the system directory
Creates guard pages, often used to prevent reverse engineering and debugging
Downloads files from webservers via HTTP
Drops PE files
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
PE sections with suspicious entropy found
Performs DNS lookups
Posts data to webserver
AV process strings found (often used to terminate AV products)
Checks the online IP address of the machine: www.ip-address.org
Contains capabilities to detect virtual machines
Creates an autostart registry key
Deletes itself after installation
Deletes keys which are related to windows safe boot (disables safe mode boot)
Found dropped PE file which has not been started or loaded: C:\WINDOWS\system32\1-237f8ffc0c24191c5bb7bd9099802ee4.exe
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queries disk information (often used to detect virtual machines)

Code Signatures
Contains functionality to create a new security descriptor
Contains functionality to create pipes or a new desktop
Contains functionality to download additional files from the internet
Contains functionality to enum processes or threads
Contains functionality to query local / system time
Contains functionality to query windows version
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to hide windows to a different desktop

Startup

  • system is xp
  • cleanup

Created / dropped Files

File Path                                                   MD5
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp129C.tmp.gif          F560BF7BA58628B6B7D89CEEC97FBB2F
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp3092.tmp.gif          6D1C9B8721FA24390A361420B868A6D5
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp6F8C.tmp.jpg          AF8F571D37E66513D01510F4DBF73571
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp7239.tmp.jpg          7FB84A91F0672B7C7F5806CC8F614DC2
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp7708.tmp.jpg          85E7BA0D1A93F36CDB1BCB4C5CC75BE2
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp7B2C.tmp.gif          7939A167B9497C21906431107F23CB5C
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp7DE6.tmp.jpg          85FCF87FF2B2C025854E1AE4FCCA6862
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpA06.tmp.gif           EFEE4DA97365CC42AFC02428952171BC
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpE973.tmp.gif          E33F4B5E5E491920BD64FE0BFA46F7B5
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpF20.tmp.gif           DE463C61019A555994FA530BF47028CA
C:\WINDOWS\system32\1-237f8ffc0c24191c5bb7bd9099802ee4.exe  237F8FFC0C24191C5BB7BD9099802EE4
\ROUTER                                                     9EE29DE553FC6640B99B92E3E67F93CA

The copy in C:\WINDOWS\system32 has the same MD5 as the submitted sample, so it is a byte-identical self-copy; according to the behaviour signatures it was not executed during the run and the original deleted itself after installation.

Contacted Domains

Name                IP              Name Server  Active  Registrar  e-Mail
www.ip-address.org  192.162.136.86               true    unknown    unknown

Contacted IPs

IP              Country      Pingable  Open Ports
192.162.136.86  unknown      true      21 22 80 443
78.46.86.137    GERMANY      true      22 80
195.186.1.121   SWITZERLAND  false
195.186.4.121   SWITZERLAND  false

Static File Info

File type:PE32 executable (GUI) Intel 80386, for MS Windows
File name:1-237f8ffc0c24191c5bb7bd9099802ee4.exe
File size:127752
MD5:237f8ffc0c24191c5bb7bd9099802ee4
SHA1:0264fdbb9e05b07a689aaf0ee7b60209eca15b6b
SHA256:8c4991ddd46b7adee31bacb30d9efe572c426d79bf5f3e8edffed65e55cd0e7a
SHA512:cbec7372cfddc87ace452bdf06cf93555908c31aca768820025ab6dd561230aaa5494182cdf0665c97b20b205220e00d129329b43a22eaf174d5ca56dcfa821e

Static PE Info

General
Entrypoint:0x401840
Entrypoint Section:.text
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:
Time Stamp:0x50ED518F [Wed Jan 9 11:16:31 2013 UTC]
TLS Callbacks:
Imports
DLL           Import
KERNEL32.dll  ReadFile, ExitProcess, VirtualAllocEx, GetWindowsDirectoryA, lstrcatA, CreateFileA
USER32.dll    RegisterClassExA
GDI32.dll     GetStockObject
ADVAPI32.dll  RegOpenKeyExW
WINMM.dll     PlaySoundA
Sections
Name    Virtual Address  Virtual Size  Raw Size  Entropy
.text   0x1000           0xda8         0xe00     5.29306544227
.rdata  0x2000           0x1a635       0x1a800   7.94582373968
.data   0x1d000          0x2b8         0x400     3.21167866906
.reloc  0x1e000          0x74          0x200     1.83713353723
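Added example, not code from the report or from the sample: the two static checks behind the "PE sections with suspicious entropy found" signature and the entry-point lookup, in plain Python with no dependency on pefile. SECTIONS, IMAGE_BASE and ENTRY_POINT are the values from the Static PE Info above; the 7.0 entropy threshold is an assumption (the report does not state Joe Sandbox's own cut-off), and the byte buffers used to exercise the entropy function are constructed here because the sample itself is not on the page.

```python
"""Per-section entropy and entry-point checks for the PE described above.
Section values are copied from the report; threshold and test buffers are assumptions."""
import math
from collections import Counter
from typing import List, NamedTuple, Optional


class Section(NamedTuple):
    name: str
    virtual_address: int   # RVA where the section is mapped
    virtual_size: int
    raw_size: int
    entropy: float         # bits per byte, as reported by the sandbox


# Copied from the report's Sections table.
SECTIONS = [
    Section(".text",  0x1000,  0xda8,   0xe00,   5.29306544227),
    Section(".rdata", 0x2000,  0x1a635, 0x1a800, 7.94582373968),
    Section(".data",  0x1d000, 0x2b8,   0x400,   3.21167866906),
    Section(".reloc", 0x1e000, 0x74,    0x200,   1.83713353723),
]
IMAGE_BASE = 0x400000
ENTRY_POINT = 0x401840
SUSPICIOUS_ENTROPY = 7.0   # assumption: our own cut-off, not the sandbox's


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one.
    Compressed or encrypted payloads sit close to 8; code and text sit well below."""
    if not data:
        return 0.0
    n = len(data)
    total = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return max(0.0, total)   # avoid returning -0.0 for constant input


def section_for_rva(sections: List[Section], rva: int) -> Optional[Section]:
    """Find the section whose mapped range covers rva.
    The span is max(virtual, raw) size; alignment padding is ignored, which is
    good enough for locating an address, not for exact boundary checks."""
    for s in sections:
        span = max(s.virtual_size, s.raw_size)
        if s.virtual_address <= rva < s.virtual_address + span:
            return s
    return None


def suspicious_sections(sections: List[Section], threshold: float = SUSPICIOUS_ENTROPY) -> List[str]:
    """Names of sections whose entropy is at or above the threshold."""
    return [s.name for s in sections if s.entropy >= threshold]


def entry_point_section(sections: List[Section], image_base: int, entry_point: int) -> Optional[str]:
    """Name of the section containing the (virtual) entry point, or None if unmapped."""
    sec = section_for_rva(sections, entry_point - image_base)
    return sec.name if sec else None


if __name__ == "__main__":
    print("entry point in:", entry_point_section(SECTIONS, IMAGE_BASE, ENTRY_POINT))
    print("high-entropy sections:", suspicious_sections(SECTIONS))
    # Constructed buffers, to show what the two ends of the scale look like.
    print("constant buffer:", shannon_entropy(b"\x00" * 1024))
    print("uniform buffer: ", shannon_entropy(bytes(range(256)) * 4))
```

The entry point (RVA 0x1840) falls inside a .text section of only 0xda8 bytes, while .rdata is about thirty times larger and sits at 7.95 of a possible 8 bits per byte. Together with an import table of eleven functions this layout is consistent with the report's "Binary may include packed or crypted data" signature: the code that runs at start is small, and the bulk of the file is data that is decoded at runtime.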

String Analysis

URLs
String value                                    Source
http://ns.adobe.com/xap/1.0/                    tmp3092.tmp.gif.dr
http://ns.adobe.com/xap/1.0/mm/                 tmp3092.tmp.gif.dr
http://ns.adobe.com/xap/1.0/stype/resourceref#  tmp3092.tmp.gif.dr
http://www.w3.org/1999/02/22-rdf-syntax-ns#     tmp3092.tmp.gif.dr

These four strings are XMP/RDF namespace URIs from the metadata block of the downloaded GIF (tmp3092.tmp.gif), not addresses the sample contacted; the hosts it actually talked to are listed under Contacted Domains and Contacted IPs.
VM Artifacts
String value  Source
VMWARE        svchost.exe
AV process names
String value   Source
wireshark.exe  1-237f8ffc0c24191c5bb7bd9099802ee4.exe

Network Behavior

TCP Packets
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Jan 11, 2013 11:28:29.742233992 CET  1031         80         192.168.0.10    192.162.136.86
Jan 11, 2013 11:28:29.742260933 CET  80           1031       192.162.136.86  192.168.0.10
Jan 11, 2013 11:28:29.742600918 CET  1031         80         192.168.0.10    192.162.136.86
Jan 11, 2013 11:28:29.746618986 CET  1031         80         192.168.0.10    192.162.136.86
Jan 11, 2013 11:28:29.746632099 CET  80           1031       192.162.136.86  192.168.0.10
Jan 11, 2013 11:28:52.918301105 CET  80           1031       192.162.136.86  192.168.0.10
Jan 11, 2013 11:28:52.954636097 CET  80           1031       192.162.136.86  192.168.0.10
Jan 11, 2013 11:28:52.955142975 CET  1031         80         192.168.0.10    192.162.136.86
Jan 11, 2013 11:28:52.956044912 CET  1031         80         192.168.0.10    192.162.136.86
Jan 11, 2013 11:28:52.956058979 CET  80           1031       192.162.136.86  192.168.0.10
Jan 11, 2013 11:28:54.032778978 CET  1032         80         192.168.0.10    78.46.86.137
Jan 11, 2013 11:28:54.032807112 CET  80           1032       78.46.86.137    192.168.0.10
Jan 11, 2013 11:28:54.032972097 CET  1032         80         192.168.0.10    78.46.86.137
Jan 11, 2013 11:28:54.033302069 CET  1032         80         192.168.0.10    78.46.86.137
Jan 11, 2013 11:28:54.033313036 CET  80           1032       78.46.86.137    192.168.0.10
Jan 11, 2013 11:28:55.857000113 CET  80           1032       78.46.86.137    192.168.0.10
Jan 11, 2013 11:28:55.994759083 CET  80           1032       78.46.86.137    192.168.0.10
Jan 11, 2013 11:28:55.995234013 CET  1032         80         192.168.0.10    78.46.86.137
Jan 11, 2013 11:28:55.996102095 CET  1032         80         192.168.0.10    78.46.86.137
Jan 11, 2013 11:28:55.996117115 CET  80           1032       78.46.86.137    192.168.0.10

The port-53 datagrams exchanged with 195.186.1.121 and 195.186.4.121 are UDP (the ICMP "port unreachable" replies below are only generated for UDP) and are listed under UDP Packets.
UDP Packets
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Jan 11, 2013 11:28:17.293838024 CET  60401        53         192.168.0.10    195.186.1.121
Jan 11, 2013 11:28:18.294051886 CET  60401        53         192.168.0.10    195.186.4.121
Jan 11, 2013 11:28:19.296561003 CET  60401        53         192.168.0.10    195.186.1.121
Jan 11, 2013 11:28:21.293451071 CET  60401        53         192.168.0.10    195.186.1.121
Jan 11, 2013 11:28:21.294487000 CET  60401        53         192.168.0.10    195.186.4.121
Jan 11, 2013 11:28:25.293307066 CET  60401        53         192.168.0.10    195.186.1.121
Jan 11, 2013 11:28:25.294342995 CET  60401        53         192.168.0.10    195.186.4.121
Jan 11, 2013 11:28:29.502634048 CET  53           60401      195.186.4.121   192.168.0.10
Jan 11, 2013 11:28:29.686904907 CET  53           60401      195.186.1.121   192.168.0.10
Jan 11, 2013 11:28:29.723196983 CET  53           60401      195.186.4.121   192.168.0.10
Jan 11, 2013 11:28:29.723232985 CET  53           60401      195.186.1.121   192.168.0.10
Jan 11, 2013 11:28:29.723267078 CET  53           60401      195.186.1.121   192.168.0.10
Jan 11, 2013 11:28:29.723294020 CET  53           60401      195.186.4.121   192.168.0.10
Jan 11, 2013 11:28:29.723347902 CET  53           60401      195.186.1.121   192.168.0.10
ICMP Packets
Timestamp                            Source IP     Dest IP        Checksum  Code                Type
Jan 11, 2013 11:28:29.687268972 CET  192.168.0.10  195.186.1.121  8330      (Port unreachable)  Destination Unreachable
Jan 11, 2013 11:28:29.723541975 CET  192.168.0.10  195.186.4.121  8630      (Port unreachable)  Destination Unreachable
Jan 11, 2013 11:28:29.723622084 CET  192.168.0.10  195.186.1.121  8330      (Port unreachable)  Destination Unreachable
Jan 11, 2013 11:28:29.723700047 CET  192.168.0.10  195.186.1.121  8330      (Port unreachable)  Destination Unreachable
Jan 11, 2013 11:28:29.723776102 CET  192.168.0.10  195.186.4.121  8630      (Port unreachable)  Destination Unreachable
Jan 11, 2013 11:28:29.723985910 CET  192.168.0.10  195.186.1.121  8330      (Port unreachable)  Destination Unreachable
DNS Queries
Timestamp                            Source IP     Dest IP        Trans ID  OP Code             Name                Type            Class
Jan 11, 2013 11:28:17.293838024 CET  192.168.0.10  195.186.1.121  0x3ce8    Standard query (0)  www.ip-address.org  A (IP address)  IN (0x0001)
Jan 11, 2013 11:28:18.294051886 CET  192.168.0.10  195.186.4.121  0x3ce8    Standard query (0)  www.ip-address.org  A (IP address)  IN (0x0001)
Jan 11, 2013 11:28:19.296561003 CET  192.168.0.10  195.186.1.121  0x3ce8    Standard query (0)  www.ip-address.org  A (IP address)  IN (0x0001)
Jan 11, 2013 11:28:21.293451071 CET  192.168.0.10  195.186.1.121  0x3ce8    Standard query (0)  www.ip-address.org  A (IP address)  IN (0x0001)
Jan 11, 2013 11:28:21.294487000 CET  192.168.0.10  195.186.4.121  0x3ce8    Standard query (0)  www.ip-address.org  A (IP address)  IN (0x0001)
Jan 11, 2013 11:28:25.293307066 CET  192.168.0.10  195.186.1.121  0x3ce8    Standard query (0)  www.ip-address.org  A (IP address)  IN (0x0001)
Jan 11, 2013 11:28:25.294342995 CET  192.168.0.10  195.186.4.121  0x3ce8    Standard query (0)  www.ip-address.org  A (IP address)  IN (0x0001)
DNS Answers
Timestamp                            Source IP      Dest IP       Trans ID  Reply Code    Name                CName  Address         Type            Class
Jan 11, 2013 11:28:29.502634048 CET  195.186.4.121  192.168.0.10  0x3ce8    No error (0)  www.ip-address.org         192.162.136.86  A (IP address)  IN (0x0001)
Jan 11, 2013 11:28:29.686904907 CET  195.186.1.121  192.168.0.10  0x3ce8    No error (0)  www.ip-address.org         192.162.136.86  A (IP address)  IN (0x0001)
Jan 11, 2013 11:28:29.723196983 CET  195.186.4.121  192.168.0.10  0x3ce8    No error (0)  www.ip-address.org         192.162.136.86  A (IP address)  IN (0x0001)
Jan 11, 2013 11:28:29.723232985 CET  195.186.1.121  192.168.0.10  0x3ce8    No error (0)  www.ip-address.org         192.162.136.86  A (IP address)  IN (0x0001)
Jan 11, 2013 11:28:29.723267078 CET  195.186.1.121  192.168.0.10  0x3ce8    No error (0)  www.ip-address.org         192.162.136.86  A (IP address)  IN (0x0001)
Jan 11, 2013 11:28:29.723294020 CET  195.186.4.121  192.168.0.10  0x3ce8    No error (0)  www.ip-address.org         192.162.136.86  A (IP address)  IN (0x0001)
Jan 11, 2013 11:28:29.723347902 CET  195.186.1.121  192.168.0.10  0x3ce8    No error (0)  www.ip-address.org         192.162.136.86  A (IP address)  IN (0x0001)

All seven queries carry the same transaction ID (0x3ce8) and source port (60401): they are retransmissions of a single lookup, alternating between the two resolvers over eight seconds. The seven answers then arrive together at 11:28:29. The first one (11:28:29.502) is consumed by the waiting socket and the HTTP connection to 192.162.136.86 follows within a quarter of a second; the six later duplicates hit a port that is no longer bound, which is why there are exactly six ICMP "port unreachable" messages above, one per late answer.
HTTP Request Dependency Graph
  • www.ip-address.org
  • 78.46.86.137
HTTP Packets
Timestamp                            Source Port  Dest Port  Source IP       Dest IP         Total Bytes Transferred (KB)
Jan 11, 2013 11:28:29.746618986 CET  1031         80         192.168.0.10    192.162.136.86  2
  Header:
    GET /ip-checker.php HTTP/1.1
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
    Host: www.ip-address.org
Jan 11, 2013 11:28:52.918301105 CET  80           1031       192.162.136.86  192.168.0.10    2
  Header:
    HTTP/1.1 200 OK
    Date: Fri, 11 Jan 2013 10:28:51 GMT
    Server: LiteSpeed
    Connection: close
    X-Powered-By: PHP/5.2.17
    Content-Type: text/html
    Content-Length: 735
    Vary: User-Agent
Jan 11, 2013 11:28:54.033302069 CET  1032         80         192.168.0.10    78.46.86.137    4
  Header:
    POST /index.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=213218
    Host: 78.46.86.137
    Connection: close
    Cache-Control: no-cache
    Content-Length: 354
Jan 11, 2013 11:28:55.857000113 CET  80           1032       78.46.86.137    192.168.0.10    4
  Header:
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 11 Jan 2013 10:28:54 GMT
    Content-Type: text/html
    Connection: close
    X-Powered-By: PHP/5.3.3-7+squeeze14
    Vary: Accept-Encoding
    Content-Length: 60
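Added example, not code from the report or from the sample: a small detector that re-derives the network findings above from the two request heads in the HTTP Packets table, of the kind you would run over proxy logs or PCAP-extracted requests. Three things in those heads are worth a rule. The GET to www.ip-address.org/ip-checker.php is the "Checks the online ip address" signature. Its User-Agent claims "Windows NT 6.1" (Windows 7) although the sample ran on XP SP3, which identifies itself as NT 5.1, so the string is hard-coded rather than taken from the system. The POST to 78.46.86.137 sends no User-Agent at all, addresses the server by bare IP and uses the six-digit multipart boundary "213218", none of which a browser would do. The request text in SAMPLE_REQUESTS is transcribed from the table (the bodies are not on the page); HOST_NT_VERSION, the IP_CHECK_HOSTS set (only the one domain the report shows) and the benign request in the test are assumptions constructed for the example.

```python
"""Header-only checks for the two requests in the HTTP Packets table above.
Request heads are transcribed from the report; the host OS version and the
IP-check host list are assumptions."""
import ipaddress
import re
from typing import Dict, List, Tuple

SAMPLE_REQUESTS = [
    # Request 1, sent to 192.162.136.86 (transcribed from the report)
    "GET /ip-checker.php HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\r\n"
    "Host: www.ip-address.org\r\n\r\n",
    # Request 2, sent to 78.46.86.137 (transcribed from the report; body not shown on the page)
    "POST /index.php HTTP/1.1\r\n"
    "Content-Type: multipart/form-data; boundary=213218\r\n"
    "Host: 78.46.86.137\r\n"
    "Connection: close\r\n"
    "Cache-Control: no-cache\r\n"
    "Content-Length: 354\r\n\r\n",
]

HOST_NT_VERSION = "5.1"                  # assumption: the analysis VM is XP SP3, i.e. NT 5.1
IP_CHECK_HOSTS = {"www.ip-address.org"}  # assumption: only the IP-echo host this report shows


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split an HTTP/1.x request head into (method, target, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def is_bare_ip(host: str) -> bool:
    """True when the Host header is an IPv4 literal (optionally with :port) rather than a name."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def analyse_request(raw: str) -> List[str]:
    """Return the findings for one request head; an empty list means nothing stood out."""
    method, target, headers = parse_request(raw)
    host = headers.get("host", "")
    findings: List[str] = []

    # 1. Public-IP discovery: the sample learns its external address before calling home.
    if host.lower() in IP_CHECK_HOSTS:
        findings.append(f"ip-check: {host}{target}")

    # 2. Hard-coded User-Agent: the UA claims an OS version the host is not running,
    #    or there is no User-Agent at all.
    ua = headers.get("user-agent")
    if ua is None:
        findings.append("no User-Agent header")
    else:
        m = re.search(r"Windows NT (\d+\.\d+)", ua)
        if m and m.group(1) != HOST_NT_VERSION:
            findings.append(f"ua-os-mismatch: NT {m.group(1)} claimed, NT {HOST_NT_VERSION} running")

    # 3. Upload to a bare-IP host, with a hand-rolled all-digit multipart boundary
    #    (browser-generated boundaries are long and contain non-digits).
    if method == "POST" and is_bare_ip(host):
        findings.append(f"post-to-ip: {host}{target}")
    m = re.search(r"boundary=(\S+)", headers.get("content-type", ""))
    if m and m.group(1).isdigit():
        findings.append(f"numeric-boundary: {m.group(1)}")
    return findings


def scan(requests: List[str]) -> List[List[str]]:
    """Findings per request, in input order."""
    return [analyse_request(r) for r in requests]


if __name__ == "__main__":
    for raw, findings in zip(SAMPLE_REQUESTS, scan(SAMPLE_REQUESTS)):
        print(raw.split("\r\n", 1)[0], "->", findings or "clean")
```

The UA/OS check needs the real OS of the host that sent the request, which a proxy log usually does not carry; in a sandbox you know it, and on a managed network you can join against an asset inventory. The bare-IP and boundary checks need nothing beyond the request head.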

Code Manipulation Behavior

System Behavior