Joe Sandbox - Analysis Report 31962

General Information

Analysis ID:	31962
Start time:	17:23:58
Start date:	05/06/2013
Overall analysis duration:	0h 3m 20s
Sample file name:	gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe
Cookbook file name:	default.jbs
Analysis system description:	XP SP3 (Office 2003 SP2, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8)
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
HCA enabled:	true
HCA success:	true, ratio: 98%

Signature Overview

DDOS:

Contains functionality to access network services in a loop (often DDOS functionality)			Show sources
Source: C:\gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe.exe	Code function: 0_0_00407D68 WSAStartup,htons,inet_addr,socket,connect,send,Sleep,closesocket,WSACleanup,

Networking:

Contains functionality to download additional files from the internet		Show sources
Source: C:\gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe.exe	Code function: 0_0_00405CB0 DeleteFileA,URLDownloadToFileA,ShellExecuteA,
Urls found in memory or binary data		Show sources
Source: svchost.exe, gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe, svchost.exe.dr	String found in binary or memory: http://er.ru/
Source: svchost.exe, gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe, svchost.exe.dr	String found in binary or memory: http://fc-zenit.ru/
Source: svchost.exe, gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe, svchost.exe.dr	String found in binary or memory: http://kremlin.ru/
Source: svchost.exe, gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe, svchost.exe.dr	String found in binary or memory: http://kvk-business.com/sozdanie-saytov/
Source: svchost.exe, gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe, svchost.exe.dr	String found in binary or memory: http://mvd.ru/
Source: svchost.exe, gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe, svchost.exe.dr	String found in binary or memory: http://pella.ru/
Source: svchost.exe, gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe, svchost.exe.dr	String found in binary or memory: http://premier.gov.ru/
Source: svchost.exe, gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe, svchost.exe.dr	String found in binary or memory: http://pvppw.ru/
Source: svchost.exe, gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe, svchost.exe.dr	String found in binary or memory: http://vkontakte.ru/
Source: svchost.exe, gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe, svchost.exe.dr	String found in binary or memory: http://www.gofuckbiz.com/
Source: svchost.exe, gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe, svchost.exe.dr	String found in binary or memory: http://www.niagarastar.ru/
Source: svchost.exe, gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe, svchost.exe.dr	String found in binary or memory: http://www.odnoklassniki.ru/
Source: svchost.exe, gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe, svchost.exe.dr	String found in binary or memory: http://www.pfc-cska.com/splash/
Source: svchost.exe, gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe, svchost.exe.dr	String found in binary or memory: http://www.rfs.ru/
Source: svchost.exe, gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe, svchost.exe.dr	String found in binary or memory: http://zhyk.ru/
Contains functionality to download and execute PE files		Show sources
Source: C:\gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe.exe	Code function: 0_0_00405CB0 DeleteFileA,URLDownloadToFileA,ShellExecuteA,
Found strings which match to known social media urls		Show sources
Source: svchost.exe, gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe, svchost.exe.dr	String found in binary or memory: http://vkontakte.ru/ equals www.vkontakte.ru (VKontakte)
Performs DNS lookups		Show sources
Source: unknown	DNS traffic detected: queries for: ddos.prv
Tries to resolve domain names, but no domain seems valid (experied dropper behavior)		Show sources
Source: unknown	DNS traffic detected:

Boot Survival:

Creates or modifies windows services			Show sources
Source: C:\gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe.exe	Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Persistence and Installation Behavior:

Drops PE files			Show sources
Source: C:\Documents and Settings\Administrator\Application Data\nightupdate\svchost.exe	File created: C:\Documents and Settings\Administrator\Application Data\nightupdate\svchost.exe

Data Obfuscation:

Binary may include packed or crypted data		Show sources
Source: initial sample	Static PE information: section name: CODE entropy: 6.51744412832
Entrypoint lies outside standard sections		Show sources
Source: initial sample	Static PE information: section where entrypoint is pointing to: CODE
PE file contains sections with non-standard names		Show sources
Source: initial sample	Static PE information: section name: CODE
PE sections with suspicious entropy found		Show sources
Source: initial sample	Static PE information: section name: BSS entropy: 0.0 raw section size: 0x0

System Summary:

Creates files inside the user directory		Show sources
Source: C:\gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe.exe	File created: C:\Documents and Settings\Administrator\Application Data\nightupdate\
Reads ini files		Show sources
Source: C:\gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe.exe	File read: C:\Documents and Settings\Administrator\My Documents\desktop.ini
Spawns processes		Show sources
Source: C:\gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe.exe	Process created: C:\Documents and Settings\Administrator\Application Data\nightupdate\svchost.exe C:\Documents and Settings\Administrator\Application Data\nightupdate\svchost.exe
Enables driver privileges		Show sources
Source: C:\gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe.exe	Process token adjusted: Load Driver

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to create a new security descriptor		Show sources
Source: C:\gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe.exe	Code function: 0_0_004050A0 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,CloseHandle,AllocateAndInitializeSid,EqualSid,FreeSid,
Benign windows process drops PE files		Show sources
Source: C:\Documents and Settings\Administrator\Application Data\nightupdate\svchost.exe	File created: svchost.exe.dr

Anti Debugging:

Creates guard pages, often used to prevent reverse engineering and debugging			Show sources
Source: C:\gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe.exe	Memory protected: page read and write and page guard

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the windows firewall			Show sources
Source: C:\gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe.exe	Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List UpdateSvchost

Language, Device and Operating System Detection:

Contains functionality to query windows version			Show sources
Source: C:\gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe.exe	Code function: 0_1_00403B5D GetCommandLineA,GetVersion,GetVersion,GetThreadLocale,GetThreadLocale,GetCurrentThreadId,

Startup

system is xp gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe.exe (PID: 1604 MD5: 3EEBF8A3DE8FBB1A92AEAE7B22F81E23) svchost.exe (PID: 336 MD5: 3EEBF8A3DE8FBB1A92AEAE7B22F81E23) cleanup

system is xp

gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe.exe (PID: 1604 MD5: 3EEBF8A3DE8FBB1A92AEAE7B22F81E23)

svchost.exe (PID: 336 MD5: 3EEBF8A3DE8FBB1A92AEAE7B22F81E23)

cleanup

Created / dropped Files

File Path	Hashes
C:\Documents and Settings\Administrator\Application Data\nightupdate\svchost.exe	MD5: 3EEBF8A3DE8FBB1A92AEAE7B22F81E23 SHA: 9BE566E5CB43B09E62B90013079CAF1EEC3544CE SHA-256: 0016C910AE1F81A16EC1A1ED5D1344C798073D92BDFCF3D1CA0EBA2C43E689E7 SHA-512: 99A3BC7DA03F96AB27E06E590C33FF70E49907B554A142176AAEA119B2B9B8156758C0273C5749A36B8CB644A3C7148761383B9349A14A7D00265AFA3BEADA9F

Contacted Domains

Name	IP	Name Server	Active	Registrar	e-Mail
ddos.prv	unknown	unknown	false	unknown	unknown

Contacted IPs

IP	Country	Pingable	Open Ports
195.186.1.121	SWITZERLAND	false

Static File Info

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
File name:	gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe
File size:	41472
MD5:	3eebf8a3de8fbb1a92aeae7b22f81e23
SHA1:	9be566e5cb43b09e62b90013079caf1eec3544ce
SHA256:	0016c910ae1f81a16ec1a1ed5d1344c798073d92bdfcf3d1ca0eba2c43e689e7
SHA512:	99a3bc7da03f96ab27e06e590c33ff70e49907b554a142176aaea119b2b9b8156758c0273c5749a36b8cb644a3c7148761383b9349a14a7d00265afa3beada9f

Static PE Info

General
Entrypoint:	0x4092e0
Entrypoint Section:	CODE
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:

Resources

Name	RVA	Size	Type	Language	Country
RT_RCDATA	0x100b0	0x10	Sendmail frozen configuration
RT_RCDATA	0x100c0	0x98	data

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, GetThreadLocale, GetStartupInfoA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, ExitProcess, CreateThread, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
user32.dll	GetKeyboardType, MessageBoxA, CharNextA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll	SysFreeString
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll	RegSetValueExA, RegCreateKeyExA, RegCloseKey, OpenThreadToken, OpenProcessToken, GetTokenInformation, FreeSid, EqualSid, AllocateAndInitializeSid
kernel32.dll	Sleep, SetFileAttributesA, GetVolumeInformationA, GetLastError, GetEnvironmentVariableA, GetCurrentThread, GetCurrentProcess, CreateDirectoryA, CloseHandle
shell32.dll	ShellExecuteA
URLMON.DLL	URLDownloadToFileA
kernel32.dll	Sleep, DeleteFileA, CopyFileA
wsock32.dll	WSACleanup, WSAStartup, gethostbyname, socket, sendto, send, recv, inet_ntoa, inet_addr, htons, connect, closesocket
ICMP.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile

Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy
CODE	0x1000	0x84d4	0x8600	6.51744412832
DATA	0xa000	0x1bc	0x200	4.23962661432
BSS	0xb000	0x6c5	0x0	0.0
.idata	0xc000	0x7bc	0x800	4.38317373245
.tls	0xd000	0x8	0x0	0.0
.rdata	0xe000	0x18	0x200	0.20448815744
.reloc	0xf000	0x858	0xa00	6.08576418932
.rsrc	0x10000	0x200	0x200	3.19612927808

Network Behavior

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 5, 2013 17:25:42.373361111 CEST	55597	53	192.168.0.10	195.186.1.121
Jun 5, 2013 17:25:42.791187048 CEST	53	55597	195.186.1.121	192.168.0.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 5, 2013 17:25:42.373361111 CEST	55597	53	192.168.0.10	195.186.1.121
Jun 5, 2013 17:25:42.791187048 CEST	53	55597	195.186.1.121	192.168.0.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 5, 2013 17:25:42.373361111 CEST	192.168.0.10	195.186.1.121	0x79bf	Standard query (0)	ddos.prv	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Replay Code	Name	CName	Address	Type	Class
Jun 5, 2013 17:25:42.791187048 CEST	195.186.1.121	192.168.0.10	0x79bf	Name error (3)	ddos.prv	none	none	A (IP address)	IN (0x0001)

Code Manipulation Behavior

System Behavior

Loading ...

Warning!

Error!

General Information

Signature Overview

DDOS:

Networking:

Boot Survival:

Persistence and Installation Behavior:

Data Obfuscation:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Lowering of HIPS / PFW / Operating System Security Settings:

Language, Device and Operating System Detection:

Startup

Created / dropped Files

Contacted Domains

Contacted IPs

Static File Info

Static PE Info

Network Behavior

Code Manipulation Behavior

System Behavior