General Information |
---|
Analysis ID: | 31962 |
Start time: | 17:23:58 |
Start date: | 05/06/2013 |
Overall analysis duration: | 0h 3m 20s |
Sample file name: | gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe |
Cookbook file name: | default.jbs |
Analysis system description: | XP SP3 (Office 2003 SP2, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8) |
Number of new started processes analysed: | 2 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
HCA enabled: | true |
HCA success: | true, ratio: 98% |
Signature Overview |
---|
DDOS: |
---|
Contains functionality to access network services in a loop (often DDOS functionality) |
Networking: |
---|
Contains functionality to download additional files from the internet |
Urls found in memory or binary data |
Contains functionality to download and execute PE files |
Found strings which match to known social media urls |
Performs DNS lookups |
Tries to resolve domain names, but no domain seems valid (expired dropper behaviour) |
Boot Survival: |
---|
Creates or modifies windows services |
Persistence and Installation Behavior: |
---|
Drops PE files |
Data Obfuscation: |
---|
Binary may include packed or crypted data |
Entrypoint lies outside standard sections |
PE file contains sections with non-standard names |
PE sections with suspicious entropy found |
System Summary: |
---|
Creates files inside the user directory |
Reads ini files |
Spawns processes |
Enables driver privileges |
HIPS / PFW / Operating System Protection Evasion: |
---|
Contains functionality to create a new security descriptor |
Benign windows process drops PE files |
Anti Debugging: |
---|
Creates guard pages, often used to prevent reverse engineering and debugging |
Lowering of HIPS / PFW / Operating System Security Settings: |
---|
Modifies the windows firewall |
Language, Device and Operating System Detection: |
---|
Contains functionality to query windows version |
Startup |
---|
Created / dropped Files |
---|
File Path | Hashes |
---|---|
C:\Documents and Settings\Administrator\Application Data\nightupdate\svchost.exe | MD5 3eebf8a3de8fbb1a92aeae7b22f81e23 (same size and MD5 as the analysed sample, i.e. a self-copy; see System Behavior) |
Contacted Domains |
---|
Name | IP | Name Server | Active | Registrar | |
---|---|---|---|---|---|
ddos.prv | unknown | unknown | false | unknown | unknown |
Contacted IPs |
---|
IP | Country | Pingable | Open Ports |
---|---|---|---|
195.186.1.121 | SWITZERLAND | false | |
The only traffic to 195.186.1.121 is the DNS exchange on port 53 listed under Network Behavior; it is the analysis network's resolver, not infrastructure belonging to the sample.
Static File Info |
---|
File type: | PE32 executable (GUI) Intel 80386, for MS Windows |
File name: | gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe |
File size: | 41472 |
MD5: | 3eebf8a3de8fbb1a92aeae7b22f81e23 |
SHA1: | 9be566e5cb43b09e62b90013079caf1eec3544ce |
SHA256: | 0016c910ae1f81a16ec1a1ed5d1344c798073d92bdfcf3d1ca0eba2c43e689e7 |
SHA512: | 99a3bc7da03f96ab27e06e590c33ff70e49907b554a142176aaea119b2b9b8156758c0273c5749a36b8cb644a3c7148761383b9349a14a7d00265afa3beada9f |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x4092e0 |
Entrypoint Section: | CODE |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI |
DLL Characteristics: | |
Time Stamp: | 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC] (the fixed value written by Borland's Delphi/C++Builder linker, not a real build time; together with the CODE/DATA/BSS section layout and the GetKeyboardType/SysFreeString/GetThreadLocale imports below it identifies a Delphi build, for which the "non-standard section names" and "entrypoint outside standard sections" signatures are expected rather than evidence of packing) |
TLS Callbacks: |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_RCDATA | 0x100b0 | 0x10 | Sendmail frozen configuration (libmagic guess for a 16-byte blob; not meaningful at this size) | | |
RT_RCDATA | 0x100c0 | 0x98 | data | | |
Imports |
---|
DLL | Import |
---|---|
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, GetThreadLocale, GetStartupInfoA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, ExitProcess, CreateThread, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle |
user32.dll | GetKeyboardType, MessageBoxA, CharNextA |
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey |
oleaut32.dll | SysFreeString |
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA |
advapi32.dll | RegSetValueExA, RegCreateKeyExA, RegCloseKey, OpenThreadToken, OpenProcessToken, GetTokenInformation, FreeSid, EqualSid, AllocateAndInitializeSid |
kernel32.dll | Sleep, SetFileAttributesA, GetVolumeInformationA, GetLastError, GetEnvironmentVariableA, GetCurrentThread, GetCurrentProcess, CreateDirectoryA, CloseHandle |
shell32.dll | ShellExecuteA |
URLMON.DLL | URLDownloadToFileA |
kernel32.dll | Sleep, DeleteFileA, CopyFileA |
wsock32.dll | WSACleanup, WSAStartup, gethostbyname, socket, sendto, send, recv, inet_ntoa, inet_addr, htons, connect, closesocket |
ICMP.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Entropy |
---|---|---|---|---|
CODE | 0x1000 | 0x84d4 | 0x8600 | 6.51744412832 |
DATA | 0xa000 | 0x1bc | 0x200 | 4.23962661432 |
BSS | 0xb000 | 0x6c5 | 0x0 | 0.0 |
.idata | 0xc000 | 0x7bc | 0x800 | 4.38317373245 |
.tls | 0xd000 | 0x8 | 0x0 | 0.0 |
.rdata | 0xe000 | 0x18 | 0x200 | 0.20448815744 |
.reloc | 0xf000 | 0x858 | 0xa00 | 6.08576418932 |
.rsrc | 0x10000 | 0x200 | 0x200 | 3.19612927808 |
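Every value in the Static PE Info block above (entry point, entry section, time stamp, section names, section entropy) comes straight out of the PE header, and the Data Obfuscation signatures are simple checks over those fields. The following is an added example, not part of the Joe Sandbox report, that parses a PE32 header with nothing but the Python standard library and derives the same findings. Because the sample's bytes are not on the page, `build_sample_image()` constructs a stand-in image that reuses the report's header values (time stamp 0x2A425E19, characteristics 0x818E, entry point 0x4092E0, image base 0x400000, CODE/DATA/.rsrc addresses) with synthetic section bodies chosen to hit the entropy extremes; the threshold of 7 bits/byte for "packed" and the list of standard section names are this example's assumptions.

```python
"""Pure-stdlib PE32 header triage: reproduces the fields in the Static PE Info table
and the header-based checks behind the Data Obfuscation signatures.
Added example; not code from the sandbox report."""
import math
import struct
from collections import Counter

# Every PE produced by Borland's Delphi/C++Builder linker carries this TimeDateStamp
# (Fri Jun 19 22:22:17 1992 UTC); it is a linker constant, not a build time.
BORLAND_TIMESTAMP = 0x2A425E19

# Section names the Microsoft toolchain emits (assumed list); Delphi's CODE/DATA/BSS are not among them.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".pdata", ".CRT"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty/constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_pe32(image: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> PE32 optional header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]   # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", image, opt + 28)[0]  # ImageBase
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", image, off + 8)
        raw = image[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name, "vaddr": vaddr, "vsize": vsize,
                         "raw_size": raw_size, "entropy": shannon_entropy(raw)})
    return {"machine": machine, "timestamp": timestamp, "characteristics": characteristics,
            "entry_rva": entry_rva, "image_base": image_base, "sections": sections}

def triage(image: bytes) -> dict:
    """Derive the report-style findings from the parsed header."""
    pe = parse_pe32(image)
    entry = next((s["name"] for s in pe["sections"]
                  if s["vaddr"] <= pe["entry_rva"] < s["vaddr"] + max(s["vsize"], s["raw_size"])), None)
    return {
        "entrypoint": pe["image_base"] + pe["entry_rva"],
        "entry_section": entry,
        "entry_outside_standard": entry not in STANDARD_SECTIONS,
        "borland_timestamp": pe["timestamp"] == BORLAND_TIMESTAMP,
        "nonstandard_sections": [s["name"] for s in pe["sections"] if s["name"] not in STANDARD_SECTIONS],
        "section_entropy": {s["name"]: round(s["entropy"], 3) for s in pe["sections"]},
        # > 7 bits/byte in a code/data section is the usual packed-or-encrypted threshold (assumed);
        # ordinary x86 code (the report's CODE section: 6.5) sits below it.
        "high_entropy_sections": [s["name"] for s in pe["sections"] if s["entropy"] > 7.0],
    }

def build_sample_image() -> bytes:
    """Constructed stand-in for the analysed file: same timestamp, characteristics (0x818E),
    entry point, image base and section names/addresses as the report, but synthetic
    section bodies (the real sample's bytes are not on the page)."""
    sections = [  # (name, VirtualAddress, VirtualSize, raw bytes)
        (b"CODE", 0x1000, 0x84D4, bytes(range(256)) * 2),            # uniform -> 8.0 bits/byte
        (b"DATA", 0xA000, 0x1BC, b"\0" * 0x1F0 + b"\x01" * 0x10),   # near-constant -> ~0.2
        (b".rsrc", 0x10000, 0x200, b"\0" * 0x200),                   # all zero -> 0.0
    ]
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), BORLAND_TIMESTAMP, 0, 0, 0xE0, 0x818E)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, 0x92E0)      # AddressOfEntryPoint -> 0x4092E0
    struct.pack_into("<I", opt, 28, 0x400000)    # ImageBase
    table, bodies, raw_ptr = b"", b"", 0x200
    for name, vaddr, vsize, raw in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIII", vsize, vaddr, len(raw), raw_ptr) + b"\0" * 16
        bodies += raw
        raw_ptr += len(raw)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + table
    return headers + b"\0" * (0x200 - len(headers)) + bodies

if __name__ == "__main__":
    for key, value in triage(build_sample_image()).items():
        print(f"{key}: {value}")
```

Run against a real file with `triage(open(path, "rb").read())`. The point of keeping the Borland check next to the section-name and entry-point checks is that the latter two fire on every Delphi executable; a triage script that reports them without the linker fingerprint overstates the "obfuscation" finding.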
Network Behavior |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jun 5, 2013 17:25:42.373361111 CEST | 55597 | 53 | 192.168.0.10 | 195.186.1.121 |
Jun 5, 2013 17:25:42.791187048 CEST | 53 | 55597 | 195.186.1.121 | 192.168.0.10 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jun 5, 2013 17:25:42.373361111 CEST | 55597 | 53 | 192.168.0.10 | 195.186.1.121 |
Jun 5, 2013 17:25:42.791187048 CEST | 53 | 55597 | 195.186.1.121 | 192.168.0.10 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Jun 5, 2013 17:25:42.373361111 CEST | 192.168.0.10 | 195.186.1.121 | 0x79bf | Standard query (0) | ddos.prv | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Jun 5, 2013 17:25:42.791187048 CEST | 195.186.1.121 | 192.168.0.10 | 0x79bf | Name error (3) | ddos.prv | none | none | A (IP address) | IN (0x0001) |
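The two DNS rows above are the whole of the sample's network activity: an A query for ddos.prv (transaction ID 0x79bf) and the resolver's reply with reply code 3, Name error, which is what "no domain seems valid (expired dropper behaviour)" in the signature overview refers to. The following is an added example, not code from the sandbox or the sample, that builds that query, builds the matching NXDOMAIN reply as a resolver would, and parses the reply back, so the flag bits and reply codes behind the table are visible. The packets are constructed here from the report's values; the status strings and the `c2_resolution_status` helper are this example's own.

```python
"""DNS query/reply codec (stdlib only) reproducing the exchange in the report.
Added example; not code from the sandbox report or the sample."""
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def encode_name(name: str) -> bytes:
    """'ddos.prv' -> b'\\x04ddos\\x03prv\\x00' (RFC 1035 label encoding)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def decode_name(msg: bytes, off: int) -> tuple:
    """Decode a (possibly compressed) name at off; return (name, offset just past it)."""
    labels, jumped, end = [], False, off
    for _ in range(128):                       # hard cap guards against pointer loops
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack_from(">H", msg, off)[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    else:
        raise ValueError("name too long or pointer loop")
    if not jumped:
        end = off
    return ".".join(labels), end

def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Standard query, recursion desired, one question (QTYPE 1 = A, QCLASS 1 = IN)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)

def build_nxdomain_reply(query: bytes) -> bytes:
    """What a resolver returns for a name that does not exist: same ID and question,
    flags 0x8183 = QR | RD | RA | RCODE 3, and no answer records."""
    txid = struct.unpack_from(">H", query, 0)[0]
    question = query[12:]
    return struct.pack(">HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question

def parse_message(msg: bytes) -> dict:
    """Header fields plus the question section; answers are only counted here."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", msg, 0)
    off, questions = 12, []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack_from(">HH", msg, off)
        off += 4
        questions.append((name, qtype, qclass))
    return {"txid": txid, "is_response": bool(flags & 0x8000), "opcode": (flags >> 11) & 0xF,
            "rcode": flags & 0xF, "rcode_name": RCODES.get(flags & 0xF, "UNKNOWN"),
            "questions": questions, "answer_count": an}

def c2_resolution_status(query: bytes, reply: bytes) -> str:
    """Match the reply to its query (ID and question) before trusting its verdict."""
    q, r = parse_message(query), parse_message(reply)
    if not r["is_response"] or r["txid"] != q["txid"] or r["questions"] != q["questions"]:
        return "unmatched reply (spoofed, stale, or for another query)"
    if r["rcode"] == 3:
        return "NXDOMAIN: name does not exist (expired/unregistered C2, or sinkhole policy)"
    if r["rcode"] == 0 and r["answer_count"] == 0:
        return "NODATA: name exists but has no record of this type"
    if r["rcode"] == 0:
        return "resolved"
    return "failed: " + r["rcode_name"]

# Constructed reproduction of the exchange in the report: transaction ID 0x79bf,
# A query for ddos.prv, answered with Name error (3).
SAMPLE_QUERY = build_query(0x79BF, "ddos.prv")
SAMPLE_REPLY = build_nxdomain_reply(SAMPLE_QUERY)

if __name__ == "__main__":
    print(parse_message(SAMPLE_REPLY))
    print(c2_resolution_status(SAMPLE_QUERY, SAMPLE_REPLY))
```

The transaction-ID and question check in `c2_resolution_status` matters when the same logic is run over a capture rather than a constructed pair: a reply that does not match its query tells you nothing about whether the C2 name is really dead.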
Code Manipulation Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 09:50:00 |
Start date: | 24/01/2012 (guest system clock; the analysis itself ran on 05/06/2013, see General Information) |
Path: | C:\gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe.exe |
Wow64 process (32bit): | false |
Commandline: | unknown |
Imagebase: | 0x400000 |
File size: | 41472 bytes |
MD5 hash: | 3EEBF8A3DE8FBB1A92AEAE7B22F81E23 |
General |
---|
Start time: | 09:50:27 |
Start date: | 24/01/2012 |
Path: | C:\Documents and Settings\Administrator\Application Data\nightupdate\svchost.exe |
Wow64 process (32bit): | false |
Commandline: | C:\Documents and Settings\Administrator\Application Data\nightupdate\svchost.exe |
Imagebase: | 0x400000 |
File size: | 41472 bytes |
MD5 hash: | 3EEBF8A3DE8FBB1A92AEAE7B22F81E23 |
Disassembly |
---|
Code Analysis |
---|