General Information

Analysis ID: 27405
Start time: 11:43:48
Start date: 16/11/2012
Overall analysis duration: 0h 3m 19s
Sample file name: 46e6a921eef3dafb97bf041147244f76.doc
Cookbook file name: default.jbs
Analysis system description: XP SP3 (Office 2003 SP2, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8)
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
SCAE enabled: true
SCAE success: true, ratio: 75%

Classification / Threat Score

Persistence, Installation, Boot Survival:
Hiding, Stealthiness, Detection and Removal Protection:
Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection:
Spreading:
Exploiting:
Networking:
Data spying, Sniffing, Keylogging, Ebanking Fraud:

Matching Signatures

Behavior Signatures
Creates files inside the user directory
Creates temporary files
Queries a list of all running processes
Reads ini files
Spawns processes
Urls found in memory or binary data
Creates files inside the system directory
Creates mutexes:
  • \BaseNamedObjects\Local\Mso97SharedDg19211106568_S-1-5-21-507921405-1960408961-839522115-500Mutex
  • \BaseNamedObjects\oleacc-msaa-loaded
  • \BaseNamedObjects\Local\Mso97SharedDg19531106568_S-1-5-21-507921405-1960408961-839522115-500Mutex
  • \BaseNamedObjects\Local\Mutex_MSOSharedMem
  • \BaseNamedObjects\Local\Mso97SharedDg20321106568_S-1-5-21-507921405-1960408961-839522115-500Mutex
  • \BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-507921405-1960408961-839522115-500
  • \BaseNamedObjects\OfficeAssistantStateMutex
  • \BaseNamedObjects\Local\Mso97SharedDg19521106568_S-1-5-21-507921405-1960408961-839522115-500Mutex
  • \BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-507921405-1960408961-839522115-500
  • \BaseNamedObjects\Local\SqmSysTray
Drops PE files
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
AV process strings found (often used to terminate AV products)
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
One or more processes crash
Potential document exploit detected (Application instantly terminates)

Code Signatures
Contains functionality to enumerate / list files inside a directory
Contains functionality to dynamically determine API calls

Startup

  • system is xp
  • WINWORD.EXE (PID: 648 MD5: 7A0FA3A0282B4630F3768A74441D4BAE)
    • dw20.EXE (PID: 1816 MD5: AC7B9760A499D342D165B8A70BE52FEE)
    • WINWORD.EXE (PID: 1936 MD5: 7A0FA3A0282B4630F3768A74441D4BAE)
  • cleanup

Created / dropped Files

File Path | MD5
C:\46e6a921eef3dafb97bf041147244f76.doc | 38127D7381C8D2FA2E3BC93E36B75BE9
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dw20.EXE | AC7B9760A499D342D165B8A70BE52FEE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~$INWORD | 05A02048D6F36640223C02FE5E3F1D00
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~WINWORD | 38127D7381C8D2FA2E3BC93E36B75BE9
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~WRC0000.tmp | D6F83722463EBE648B7F882AE4078CCC
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Recent\Temp.LNK | 3CD32D9B98EB392C834FE893C1FDB4D6
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Recent\index.dat | 2AA6A240AF5BCCB5A1BE10AF07111FBB
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Recent\~WINWORD.LNK | A0504484140647E9448415099C80A7F5
C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\CUSTOM.DIC | A8A040B900A54102E3D8DD8C458138A5
C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\~$CUSTOM.DIC | 24C5F34DE468172070B602738919987B
C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\~$Normal.dot | 05A02048D6F36640223C02FE5E3F1D00
C:\WINDOWS\fxsst.dll | 08727A7100766E60026243601FA6CE3B
C:\~$e6a921eef3dafb97bf041147244f76.doc | 05A02048D6F36640223C02FE5E3F1D00
\srvsvc | 00010789CF97BAA5F49E8C7BF0605D58

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP info

Static File Info

File type: Rich Text Format data, version 1, unknown character set
File name: 46e6a921eef3dafb97bf041147244f76.doc
File size: 237273
MD5: 46e6a921eef3dafb97bf041147244f76
SHA1: fbcc554ef9ef7c0181cd9f924ddf9b42b88ae2f0
SHA256: a69c52cfbd315706bb23fc85a682c879557357f000756c015e9e8f6d147dd356
SHA512: ee8d49c4061fc90981ae51d36df103f1e12ab74c0300c7a85e59d2c465c0b094cb90075fe900732653dda8b46809e3d8307c1f14b60de133a6dbf84e1d5b4f9d

String Analysis

URLs
String value | Source
http://schemas.microsoft.com/office/word/2003/wordml | 46e6a921eef3dafb97bf041147244f76.doc

AV process names
String value | Source
SCFManager.exe | dw20.EXE, dw20.EXE.dr

Network Behavior

No network behavior found

Code Manipulation Behavior

System Behavior

General
Start time: 09:46:18
Start date: 24/01/2012
Path: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
Wow64 process (32bit): false
Commandline: unknown
Imagebase: 0x30000000
File size: 12061896 bytes
MD5 hash: 7A0FA3A0282B4630F3768A74441D4BAE

General
Start time: 09:46:21
Start date: 24/01/2012
Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dw20.EXE
Wow64 process (32bit): false
Commandline: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dw20.EXE
Imagebase: 0x400000
File size: 32768 bytes
MD5 hash: AC7B9760A499D342D165B8A70BE52FEE

General
Start time: 09:46:22
Start date: 24/01/2012
Path: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
Wow64 process (32bit): false
Commandline: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE /n /dde C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~WINWORD
Imagebase: 0x30000000
File size: 12061896 bytes
MD5 hash: 7A0FA3A0282B4630F3768A74441D4BAE

Disassembly

Code Analysis

Executed Functions
APIs
  • SetFilePointer.KERNEL32, ref: 02A900C9
  • VirtualAlloc.KERNEL32, ref: 02A900D9
  • ReadFile.KERNEL32, ref: 02A900FD
  • WriteFile.KERNEL32, ref: 02A901CE
  • CloseHandle.KERNEL32, ref: 02A901D8
  • SetFilePointer.KERNEL32, ref: 02A90232
  • WriteFile.KERNEL32, ref: 02A90250
  • WriteFile.KERNEL32, ref: 02A9026E
  • SetFilePointer.KERNEL32, ref: 02A90280
  • SetFilePointer.KERNEL32, ref: 02A90292
  • WriteFile.KERNEL32, ref: 02A902C3
  • WriteFile.KERNEL32, ref: 02A902E1
  • CloseHandle.KERNEL32, ref: 02A902EB
  • CloseHandle.KERNEL32, ref: 02A902F5
  • ExitProcess.KERNEL32, ref: 02A90359
Non-executed Functions
Executed Functions
APIs
  • memset.MSVCRT, ref: 0040122D
  • CreateToolhelp32Snapshot.KERNEL32, ref: 0040123C
  • GetLastError.KERNEL32, ref: 00401247
  • printf.MSVCRT, ref: 00401253
  • Process32First.KERNEL32, ref: 0040126B
  • _stricmp.MSVCRT, ref: 00401284
  • Process32Next.KERNEL32, ref: 00401294
  • CloseHandle.KERNEL32, ref: 004012B0
Strings
  • CreateToolhelp32Snapshot Failed:%d, va: 00407AFC
APIs
  • CreateFileA.KERNEL32, ref: 004011D1
  • WriteFile.KERNEL32, ref: 004011FF
  • CloseHandle.KERNEL32, ref: 00401206
APIs
    • CreateFileA.KERNEL32, ref: 004011D1
    • WriteFile.KERNEL32, ref: 004011FF
    • CloseHandle.KERNEL32, ref: 00401206
    • memset.MSVCRT, ref: 0040122D
    • CreateToolhelp32Snapshot.KERNEL32, ref: 0040123C
    • GetLastError.KERNEL32, ref: 00401247
    • printf.MSVCRT, ref: 00401253
    • Process32First.KERNEL32, ref: 0040126B
    • _stricmp.MSVCRT, ref: 00401284
    • Process32Next.KERNEL32, ref: 00401294
    • CloseHandle.KERNEL32, ref: 004012B0
  • memset.MSVCRT, ref: 0040105E
  • GetEnvironmentVariableA.KERNEL32, ref: 00401073
  • memset.MSVCRT, ref: 00401082
  • memset.MSVCRT, ref: 00401095
  • strcpy.MSVCRT, ref: 004010A8
  • strcat.MSVCRT, ref: 004010B9
  • FindFirstFileA.KERNEL32, ref: 004010CF
  • memset.MSVCRT, ref: 004010E3
  • memset.MSVCRT, ref: 004010F1
  • strcpy.MSVCRT, ref: 00401104
  • strcat.MSVCRT, ref: 00401115
  • strcat.MSVCRT, ref: 00401129
  • memset.MSVCRT, ref: 00401156
  • GetEnvironmentVariableA.KERNEL32, ref: 0040116B
  • strcat.MSVCRT, ref: 0040117D
  • strcat.MSVCRT, ref: 0040119B
Strings
  • USERPROFILE, va: 00407AF0
  • \AppData\Local\Google\Chrome\Application, va: 00407AC4
  • \rasadhlp.dll, va: 00407A78
  • SCFManager.exe, va: 00407A68
  • WINDIR, va: 00407A60
  • \fxsst.dll, va: 00407A54
  • \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe, va: 00407A08
  • \Local Settings\Application Data\Google\Chrome\Application, va: 00407A88
Non-executed Functions