General Information

Analysis ID:31962
Start time:17:23:58
Start date:05/06/2013
Overall analysis duration:0h 3m 20s
Sample file name:gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe
Cookbook file name:default.jbs
Analysis system description:XP SP3 (Office 2003 SP2, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8)
Number of new started processes analysed:2
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
HCA enabled:true
HCA success:true, ratio: 98%

Signature Overview

DDOS:

Contains functionality to access network services in a loop (often DDOS functionality)

Networking:

Contains functionality to download additional files from the internet
Urls found in memory or binary data
Contains functionality to download and execute PE files
Found strings which match to known social media urls
Performs DNS lookups
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Boot Survival:

Creates or modifies windows services

Persistence and Installation Behavior:

Drops PE files

Data Obfuscation:

Binary may include packed or crypted data
Entrypoint lies outside standard sections
PE file contains sections with non-standard names
PE sections with suspicious entropy found

System Summary:

Creates files inside the user directory
Reads ini files
Spawns processes
Enables driver privileges

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to create a new security descriptor
Benign windows process drops PE files

Anti Debugging:

Creates guard pages, often used to prevent reverse engineering and debugging

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the windows firewall

Language, Device and Operating System Detection:

Contains functionality to query windows version

Startup

  • system is xp
  • cleanup

Created / dropped Files

File Path / Hashes
C:\Documents and Settings\Administrator\Application Data\nightupdate\svchost.exe
  • MD5: 3EEBF8A3DE8FBB1A92AEAE7B22F81E23
  • SHA1: 9BE566E5CB43B09E62B90013079CAF1EEC3544CE
  • SHA-256: 0016C910AE1F81A16EC1A1ED5D1344C798073D92BDFCF3D1CA0EBA2C43E689E7
  • SHA-512: 99A3BC7DA03F96AB27E06E590C33FF70E49907B554A142176AAEA119B2B9B8156758C0273C5749A36B8CB644A3C7148761383B9349A14A7D00265AFA3BEADA9F
  (Same hashes as the submitted sample: the file copies itself unchanged into the user profile under a svchost.exe name.)

Contacted Domains

Name      IP       Name Server  Active  Registrar  e-Mail
ddos.prv  unknown  unknown      false   unknown    unknown

Contacted IPs

IP             Country      Pingable  Open Ports
195.186.1.121  SWITZERLAND  false     (none listed)

Static File Info

File type:PE32 executable (GUI) Intel 80386, for MS Windows
File name:gbot-ddos.prv-3eebf8a3de8fbb1a92aeae7b22f81e23.exe
File size:41472
MD5:3eebf8a3de8fbb1a92aeae7b22f81e23
SHA1:9be566e5cb43b09e62b90013079caf1eec3544ce
SHA256:0016c910ae1f81a16ec1a1ed5d1344c798073d92bdfcf3d1ca0eba2c43e689e7
SHA512:99a3bc7da03f96ab27e06e590c33ff70e49907b554a142176aaea119b2b9b8156758c0273c5749a36b8cb644a3c7148761383b9349a14a7d00265afa3beada9f

Static PE Info

General
Entrypoint:0x4092e0
Entrypoint Section:CODE
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC] (fixed constant written by the Borland/Delphi linker, not an actual build date)
TLS Callbacks:
Resources
Name       RVA      Size  Type                           Language  Country
RT_RCDATA  0x100b0  0x10  Sendmail frozen configuration  -         -
RT_RCDATA  0x100c0  0x98  data                           -         -
(The "Type" column is a file-type guess made on the raw resource bytes; a 16-byte RCDATA blob is not a real sendmail configuration.)
Imports
DLL           Imports
kernel32.dll  DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, GetThreadLocale, GetStartupInfoA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, ExitProcess, CreateThread, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
user32.dll    GetKeyboardType, MessageBoxA, CharNextA
advapi32.dll  RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll  SysFreeString
kernel32.dll  TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll  RegSetValueExA, RegCreateKeyExA, RegCloseKey, OpenThreadToken, OpenProcessToken, GetTokenInformation, FreeSid, EqualSid, AllocateAndInitializeSid
kernel32.dll  Sleep, SetFileAttributesA, GetVolumeInformationA, GetLastError, GetEnvironmentVariableA, GetCurrentThread, GetCurrentProcess, CreateDirectoryA, CloseHandle
shell32.dll   ShellExecuteA
URLMON.DLL    URLDownloadToFileA
kernel32.dll  Sleep, DeleteFileA, CopyFileA
wsock32.dll   WSACleanup, WSAStartup, gethostbyname, socket, sendto, send, recv, inet_ntoa, inet_addr, htons, connect, closesocket
ICMP.DLL      IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
(Repeated DLL entries are separate import descriptors in the binary and are kept as the report lists them. URLDownloadToFileA + ShellExecuteA back the "download and execute" signature; wsock32/ICMP.DLL back the network-loop signature.)
Sections
Name     Virtual Address  Virtual Size  Raw Size  Entropy
CODE     0x1000           0x84d4        0x8600    6.51744412832
DATA     0xa000           0x1bc         0x200     4.23962661432
BSS      0xb000           0x6c5         0x0       0.0
.idata   0xc000           0x7bc         0x800     4.38317373245
.tls     0xd000           0x8           0x0       0.0
.rdata   0xe000           0x18          0x200     0.20448815744
.reloc   0xf000           0x858         0xa00     6.08576418932
.rsrc    0x10000          0x200         0x200     3.19612927808
(Entropy 0.0 for BSS and .tls only reflects a raw size of 0, i.e. no bytes on disk, not unobfuscated data.)
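The two "Data Obfuscation" hits above ("Entrypoint lies outside standard sections" and "PE sections with suspicious entropy found") are cheap to reproduce by hand. The following is an added example, not Joe Sandbox code: it takes the section table and entrypoint from this report, locates the section that contains the entrypoint, and computes Shannon entropy over raw section bytes. The set of "standard" code-section names, the 6.0 entropy threshold, and the constructed byte buffers used as stand-ins for section contents are assumptions of the example, not values the report states.

```python
"""Static PE triage helpers (added example; not Joe Sandbox's own code)."""
import hashlib
import math
from collections import Counter

# Section table copied from the report: (name, RVA, virtual size, raw size).
SECTIONS = [
    ("CODE",   0x1000,  0x84d4, 0x8600),
    ("DATA",   0xa000,  0x1bc,  0x200),
    ("BSS",    0xb000,  0x6c5,  0x0),
    (".idata", 0xc000,  0x7bc,  0x800),
    (".tls",   0xd000,  0x8,    0x0),
    (".rdata", 0xe000,  0x18,   0x200),
    (".reloc", 0xf000,  0x858,  0xa00),
    (".rsrc",  0x10000, 0x200,  0x200),
]
IMAGE_BASE = 0x400000      # from the report
ENTRYPOINT_VA = 0x4092e0   # from the report

# Assumption of this example: names a sandbox would treat as "standard" code sections.
STANDARD_CODE_SECTIONS = {".text", ".code"}
# Assumption of this example: entropy above this in a code/reloc section is worth a look.
ENTROPY_THRESHOLD = 6.0


def section_for_va(va, sections=SECTIONS, image_base=IMAGE_BASE):
    """Return the name of the section whose virtual range contains `va`, or None."""
    rva = va - image_base
    for name, start, vsize, _raw in sections:
        if start <= rva < start + vsize:
            return name
    return None  # headers, gap between sections, or outside the image


def triage_entrypoint(va=ENTRYPOINT_VA):
    """Mirror the 'entrypoint outside standard sections' check.

    The entrypoint here is inside CODE; the signature fires because CODE is a
    Borland-style name rather than .text, not because the entrypoint is stray.
    """
    name = section_for_va(va)
    return {"section": name,
            "standard_name": name is not None and name.lower() in STANDARD_CODE_SECTIONS}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_section(name, raw_size, entropy, threshold=ENTROPY_THRESHOLD):
    """Turn a (name, raw size, entropy) triple into a triage label."""
    if raw_size == 0:
        return "no-data-on-disk"          # BSS/.tls: entropy 0.0 means nothing to measure
    if entropy >= threshold:
        return "high-entropy"             # packed/encrypted code or data, or a crowded .reloc
    return "normal"


def pseudo_random_bytes(n, seed=b"example-seed"):
    """Deterministic high-entropy filler (constructed stand-in for packed code)."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def demo():
    """Run the checks on the report's table and on two constructed buffers."""
    packed_like = pseudo_random_bytes(4096)                 # constructed
    plain_like = b"\x90" * 4096 + b"\xc3" * 64               # constructed: NOP sled + RET
    return {
        "entrypoint": triage_entrypoint(),
        "packed_like_entropy": shannon_entropy(packed_like),
        "plain_like_entropy": shannon_entropy(plain_like),
        # Labels for the report's own sections, using its entropy column.
        "labels": {
            "CODE": classify_section("CODE", 0x8600, 6.51744412832),
            "BSS": classify_section("BSS", 0x0, 0.0),
            ".reloc": classify_section(".reloc", 0xa00, 6.08576418932),
            ".rdata": classify_section(".rdata", 0x200, 0.20448815744),
        },
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Usage note: a raw-size-0 section is the first thing to check before reading an entropy column, and a CODE section at 6.5 bits per byte is compressed or encrypted code rather than plain Delphi output, which lines up with the "packed or crypted data" signature.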

Network Behavior

TCP Packets
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Jun 5, 2013 17:25:42.373361111 CEST  55597        53         192.168.0.10   195.186.1.121
Jun 5, 2013 17:25:42.791187048 CEST  53           55597      195.186.1.121  192.168.0.10
(Identical timestamps and ports to the UDP rows below: the report lists the single DNS exchange under both headings; no other connection to 195.186.1.121 was recorded.)
UDP Packets
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Jun 5, 2013 17:25:42.373361111 CEST  55597        53         192.168.0.10   195.186.1.121
Jun 5, 2013 17:25:42.791187048 CEST  53           55597      195.186.1.121  192.168.0.10
DNS Queries
Timestamp                            Source IP     Dest IP        Trans ID  OP Code             Name      Type            Class
Jun 5, 2013 17:25:42.373361111 CEST  192.168.0.10  195.186.1.121  0x79bf    Standard query (0)  ddos.prv  A (IP address)  IN (0x0001)
DNS Answers
Timestamp                            Source IP      Dest IP       Trans ID  Reply Code      Name      CName  Address  Type            Class
Jun 5, 2013 17:25:42.791187048 CEST  195.186.1.121  192.168.0.10  0x79bf    Name error (3)  ddos.prv  none   none     A (IP address)  IN (0x0001)
(Reply code 3 is NXDOMAIN. .prv is not a public TLD, so the C2 name cannot resolve outside whatever private resolver the operator used; this is what the "no domain seems valid (expired dropper behavior)" signature is reporting, and no further traffic follows the failed lookup.)

Code Manipulation Behavior

System Behavior