Joe Sandbox - Abstract Analysis File
16207
Generated with Joe Sandbox 6.0.2
General information
Start time: 20:23:47
Start date: 02/07/2012
Overall analysis duration: 0h 2m 13s
Sample file name: 7db482f5469dfeb0a6b2b4f66c062314
Cookbook file name: Analyse Banking Trojan.jbs
Analysis system description: XP SP3 (Office 2003 SP2, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8)
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Errors: none listed
Classification / Threat Score
(score bars not reproduced in this extract; only the category names survive)
Persistence, Installation, Boot Survival
Hiding, Stealthiness, Detection and Removal Protection
Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection
Spreading
Exploiting
Networking
Data spying, Sniffing, Keylogging, Ebanking Fraud
Signature Detections
(table content not extracted)
Static File Information
General Information
File name: 7db482f5469dfeb0a6b2b4f66c062314
File size: 178688 bytes
MD5: 7db482f5469dfeb0a6b2b4f66c062314
SHA1: ecd273776ac122017f13d3548050ec47f31fd71e
SHA256: 8dfc964f3cd4630df0b06e9142b1aac0ab19e4307bfe475e254181cea4a7283a
File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
PE Information
(table content not extracted)
String Analysis
Format strings for printf-style functions
String value | Source
Content-Length: %u | 7db482f5469dfeb0a6b2b4f66c062314.exe |
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d | 7db482f5469dfeb0a6b2b4f66c062314.exe |
[ERROR] : Empty report. Unknown error : dwErr == %d | 7db482f5469dfeb0a6b2b4f66c062314.exe |
[ERROR] : DumpPage("%s", "%s") fails : dwErr == %d | 7db482f5469dfeb0a6b2b4f66c062314.exe |
threadmetadata!nfo%d | 7db482f5469dfeb0a6b2b4f66c062314.exe |
%s&tid=%s&%s | 7db482f5469dfeb0a6b2b4f66c062314.exe |
%d-%d-%d | 7db482f5469dfeb0a6b2b4f66c062314.exe |
%s\Content.IE5\%s | 7db482f5469dfeb0a6b2b4f66c062314.exe |
[ERROR] : Cannot create thread. 0o : dwErr == %d | 7db482f5469dfeb0a6b2b4f66c062314.exe |
[ERROR] : Empty szLink? : dwErr == %d | 7db482f5469dfeb0a6b2b4f66c062314.exe |
%s%s%s | 7db482f5469dfeb0a6b2b4f66c062314.exe |
[ERROR] : CreateProcess("%s", ..., "%s") fails : dwFileSize == 0x%08X; dwCrc32 == 0x%08X : dwErr == %d | 7db482f5469dfeb0a6b2b4f66c062314.exe |
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d | 7db482f5469dfeb0a6b2b4f66c062314.exe |
[ERROR] : Thread is really sloppy : dwErr == %d | 7db482f5469dfeb0a6b2b4f66c062314.exe |
(GMT %s%02u:%02u) %s | 7db482f5469dfeb0a6b2b4f66c062314.exe |
(%d bytes) | 7db482f5469dfeb0a6b2b4f66c062314.exe |
%d.%d.%d | 7db482f5469dfeb0a6b2b4f66c062314.exe |
&gHo%E-UH | 7db482f5469dfeb0a6b2b4f66c062314.exe |
URLs
String value | Source
http://www.autoitscript.com/autoit3/ | explorer.exe |
Analysis Overview
Startup
(table content not extracted)
Global Network Data
Hooks
Sections (first analysed process: the sample, PID 1616)
File Activities, Section Activities, Registry Activities, Mutant Activities, Process Activities, Memory Activities, System Activities: the per-category tables were not extracted; the chronological section below is what survives for this process.
Chronological sections
Operation | Data | Completion | Time
Section loaded | Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid | success or wait | 544300427 |
Process information queried | PID: 1616 Info Class: Cookie | success or wait | 544306643 |
Section loaded | Path: unknown Access: query and write and read and execute and extend size Type: reserve Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid | success or wait | 544309999 |
Section loaded | Path: \NLS\NlsSectionUnicode Access: read Type: unknown Baseaddress: 260000 Size: 90112 Protection: readonly Mapped to pid: own pid | success or wait | 544365869 |
Section loaded | Path: \NLS\NlsSectionLocale Access: read Type: unknown Baseaddress: 280000 Size: 266240 Protection: readonly Mapped to pid: own pid | success or wait | 544368092 |
Section loaded | Path: \NLS\NlsSectionSortkey Access: query and read Type: unknown Baseaddress: 2D0000 Size: 266240 Protection: readonly Mapped to pid: own pid | success or wait | 544371661 |
Section loaded | Path: \NLS\NlsSectionSortTbls Access: read Type: unknown Baseaddress: 320000 Size: 24576 Protection: readonly Mapped to pid: own pid | success or wait | 544374536 |
Section loaded | Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown | object name not found | 544376782 |
Section loaded | Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown | object name not found | 544377150 |
Process information queried | PID: 1616 Info Class: ImageInformation | success or wait | 544382936 |
Memory attributes changed | PID: 1616 Path: C:\7db482f5469dfeb0a6b2b4f66c062314.exe Base: 400000 Length: 1000 New Protection: page read and write New Protection: page readonly | success or wait | 544541075 |
Memory attributes changed | PID: 1616 Path: C:\7db482f5469dfeb0a6b2b4f66c062314.exe Base: 400000 Length: 1000 New Protection: page readonly New Protection: page read and write | success or wait | 544543746 |
Memory attributes changed | PID: 1616 Path: C:\7db482f5469dfeb0a6b2b4f66c062314.exe Base: 45115C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write | success or wait | 544544593 |
Memory attributes changed | PID: 1616 Path: C:\7db482f5469dfeb0a6b2b4f66c062314.exe Base: 464384 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write | success or wait | 544544888 |
Memory allocated | PID: 1616 Path: C:\7db482f5469dfeb0a6b2b4f66c062314.exe Base: 330000 Length: 12FFAC Allocation Type: unknown Protection: page execute and read and write | success or wait | 544547225 |
Key value queried | Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName Name: ComputerName | success or wait | 544551504 |
File created | Path: C:\skhfushjflw\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Attributes: normal Content Overwritten: null | success or wait | 544560630 |
Mutant created | Name: \BaseNamedObjects\ofjwkwufhdjfgki | success or wait | 544568788 |
Memory attributes changed | PID: 1616 Path: C:\7db482f5469dfeb0a6b2b4f66c062314.exe Base: 463784 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write | success or wait | 544569138 |
System info queried | Type: ProcessInformation | success or wait | 544570393 |
Section loaded | Path: unknown Access: query and write and read Type: commit Baseaddress: 330000 Size: 16384 Protection: read write Mapped to pid: own pid | success or wait | 544577450 |
Memory allocated | PID: 1552 Path: C:\WINDOWS\explorer.exe Base: BA0000 Length: 12FFAC Allocation Type: unknown Protection: page execute and read and write | success or wait | 544596239 |
Memory written | PID: 1552 Path: C:\WINDOWS\explorer.exe Base: BA0000 Length: 4096 Value: 55 8B EC 81 EC C8 06 00 00 83 65 E0 00 53 56 57 33 C0 8D 7D E4 AB AB AB 8D 85 54 FF FF FF C7 45 B8 5C 3F 3F 5C C6 45 BC 00 89 85 50 FF FF FF E8 00 00 00 00 58 89 45 F8 8B 45 F8 8B D0 81 E2 FF 0F 00 00 33 C9 2B C2 41 05 20 0B 00 00 81 38 21 45 59 45 8B F8 89 7D C4 74 0B 41 05 00 10 00 00 83 F9 0A 76 E8 83 F9 0A 75 01 CC 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 E8 93 43 77 6A 01 8B F0 E8 36 04 00 00 59 59 85 C0 74 15 89 65 C0 68 04 01 00 00 8D 8D 44 FC FF FF 51 56 FF D0 8B 65 C0 68 AE B1 A6 C2 33 F6 56 E8 0E 04 00 00 59 59 3B C6 74 11 89 65 9C 8D 4D FF 51 56 6A 01 6A 14 FF D0 8B 65 9C 64 A1 18 00 00 00 68 77 35 07 0A 6A 01 89 70 34 E8 E2 03 00 00 59 59 3B C6 74 14 89 65 A4 56 8D 8F 08 01 00 00 51 FF D0 8B 65 A4 3B C6 75 13 64 A1 18 00 00 00 81 78 34 | unknown | 550280668 |
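The two rows just above are the injection step: an allocation with execute and write protection in explorer.exe (PID 1552), followed by a write of code into the same region. The script below is an added example, not Joe Sandbox output and not the sample's code. It re-parses those rows (copied verbatim, with the sample's own allocation at 330000 as a negative control), pairs a cross-process execute+write allocation with a later write that lands inside it, and scans the written bytes for the idioms that can be read straight off the dump: a function prologue, call $+5 / pop eax self-location, a page-stepping search for a "!EYE" marker, fs:[0x30] PEB access followed by the Ldr / InInitializationOrderModuleList / DllBase walk, fs:[0x18] TEB access, a "\??\" NT path prefix stored as an immediate, and 32-bit immediates pushed right before a "push 1 ; call" resolver, which is the API-hashing pattern. The sample PID (1616), the idiom byte patterns and the reading of those immediates as API hashes are the example's own assumptions; the report only records the bytes.

```python
"""Pair the explorer.exe RWX allocation with the write into it, then scan the bytes.

Added example for the report above; not Joe Sandbox output and not the sample's code.
SAMPLE_PID, the idiom byte patterns and the reading of pushed immediates as API
hashes are assumptions of this example, not statements made by the report.
"""
import re

SAMPLE_PID = 1616  # PID of the analysed sample (taken from the report rows)

# Rows copied from the report.  Allocation lengths are printed in hex (12FFAC);
# the write length is printed in decimal (4096) and is not used.  The Value
# field is the prefix the report shows, not the full 4096 bytes.
ROWS = [
    r"Memory allocated | PID: 1616 Path: C:\7db482f5469dfeb0a6b2b4f66c062314.exe "
    r"Base: 330000 Length: 12FFAC Allocation Type: unknown "
    r"Protection: page execute and read and write | success or wait | 544547225 |",
    r"Memory allocated | PID: 1552 Path: C:\WINDOWS\explorer.exe Base: BA0000 "
    r"Length: 12FFAC Allocation Type: unknown "
    r"Protection: page execute and read and write | success or wait | 544596239 |",
    r"Memory written | PID: 1552 Path: C:\WINDOWS\explorer.exe Base: BA0000 Length: 4096 Value: "
    "55 8B EC 81 EC C8 06 00 00 83 65 E0 00 53 56 57 33 C0 8D 7D E4 AB AB AB 8D 85 54 FF FF FF "
    "C7 45 B8 5C 3F 3F 5C C6 45 BC 00 89 85 50 FF FF FF E8 00 00 00 00 58 89 45 F8 8B 45 F8 "
    "8B D0 81 E2 FF 0F 00 00 33 C9 2B C2 41 05 20 0B 00 00 81 38 21 45 59 45 8B F8 89 7D C4 "
    "74 0B 41 05 00 10 00 00 83 F9 0A 76 E8 83 F9 0A 75 01 CC 64 A1 30 00 00 00 8B 40 0C "
    "8B 40 1C 8B 40 08 68 E8 93 43 77 6A 01 8B F0 E8 36 04 00 00 59 59 85 C0 74 15 89 65 C0 "
    "68 04 01 00 00 8D 8D 44 FC FF FF 51 56 FF D0 8B 65 C0 68 AE B1 A6 C2 33 F6 56 E8 0E 04 "
    "00 00 59 59 3B C6 74 11 89 65 9C 8D 4D FF 51 56 6A 01 6A 14 FF D0 8B 65 9C 64 A1 18 00 "
    "00 00 68 77 35 07 0A 6A 01 89 70 34 E8 E2 03 00 00 59 59 3B C6 74 14 89 65 A4 56 8D 8F "
    "08 01 00 00 51 FF D0 8B 65 A4 3B C6 75 13 64 A1 18 00 00 00 81 78 34 | unknown | 550280668 |",
]

ROW_RE = re.compile(
    r"^(?P<op>Memory (?:allocated|written))\s*\|\s*PID:\s*(?P<pid>\d+)\s+Path:\s*(?P<path>\S+)"
    r"\s+Base:\s*(?P<base>[0-9A-Fa-f]+)\s+Length:\s*(?P<length>[0-9A-Fa-f]+)\s+(?P<rest>.*?)"
    r"\s*\|\s*(?P<status>[^|]*?)\s*\|\s*(?P<time>\d+)"
)

# Byte patterns chosen by this example (assumptions), matched against the dump.
IDIOMS = [
    ("push ebp / mov ebp,esp prologue", b"\x55\x8b\xec"),
    ("call $+5 / pop eax (position-independent self-location)", b"\xe8\x00\x00\x00\x00\x58"),
    ("cmp dword [eax], '!EYE' (search for an embedded marker)", b"\x81\x38!EYE"),
    ("mov eax, fs:[0x30] (PEB)", b"\x64\xa1\x30\x00\x00\x00"),
    ("PEB.Ldr -> InInitializationOrderModuleList -> DllBase", b"\x8b\x40\x0c\x8b\x40\x1c\x8b\x40\x08"),
    ("mov eax, fs:[0x18] (TEB)", b"\x64\xa1\x18\x00\x00\x00"),
    ("'\\??\\' NT path prefix as immediate", b"\\??\\"),
]
# push imm32 ; push 1 ; (up to 4 bytes) ; call rel32  -> imm32 read as an API hash.
HASH_CALL_RE = re.compile(rb"\x68(.{4})\x6a\x01.{0,4}\xe8", re.DOTALL)


def parse_row(row):
    """Return a dict for a 'Memory allocated' / 'Memory written' row, else None."""
    m = ROW_RE.match(row)
    if not m:
        return None
    ev = {"op": m["op"], "pid": int(m["pid"]), "path": m["path"],
          "base": int(m["base"], 16), "time": int(m["time"]),
          "length": int(m["length"], 16) if m["op"] == "Memory allocated" else None,
          "protection": "", "data": b""}
    prot = re.search(r"Protection:\s*(.+)$", m["rest"])
    if prot:
        ev["protection"] = prot.group(1).strip()
    val = re.search(r"Value:\s*([0-9A-Fa-f ]+)$", m["rest"])
    if val:
        ev["data"] = bytes.fromhex(val.group(1).replace(" ", ""))
    return ev


def find_injections(rows, own_pid):
    """Cross-process execute+write allocations followed by a write inside them."""
    events = [ev for ev in map(parse_row, rows) if ev]
    hits = []
    for alloc in events:
        if alloc["op"] != "Memory allocated" or alloc["pid"] == own_pid:
            continue
        if "execute" not in alloc["protection"] or "write" not in alloc["protection"]:
            continue
        lo, hi = alloc["base"], alloc["base"] + alloc["length"]
        for w in events:
            if (w["op"] == "Memory written" and w["pid"] == alloc["pid"]
                    and w["time"] > alloc["time"] and lo <= w["base"] < hi):
                hits.append({"pid": w["pid"], "path": w["path"], "base": w["base"], "data": w["data"]})
    return hits


def scan_idioms(code):
    """All (offset, description) pairs for the IDIOMS patterns, sorted by offset."""
    found = []
    for name, pat in IDIOMS:
        found.extend((m.start(), name) for m in re.finditer(re.escape(pat), code))
    return sorted(found)


def api_hashes(code):
    """32-bit immediates pushed right before a 'push 1 ; call' resolver sequence."""
    return [int.from_bytes(m.group(1), "little") for m in HASH_CALL_RE.finditer(code)]


def triage(rows=ROWS, own_pid=SAMPLE_PID):
    return [{"target": f"{h['path']} (PID {h['pid']})", "base": h["base"],
             "idioms": scan_idioms(h["data"]), "api_hashes": api_hashes(h["data"])}
            for h in find_injections(rows, own_pid)]


if __name__ == "__main__":
    for entry in triage():
        print(f"execute+write allocation and write in {entry['target']} at {entry['base']:#x}")
        for off, name in entry["idioms"]:
            print(f"  +{off:#06x}  {name}")
        print("  pushed immediates before resolver calls:",
              ", ".join(f"{h:#010x}" for h in entry["api_hashes"]))
```

Run stand-alone it reports the single explorer.exe hit, the idiom offsets, and the two immediates 0x774393e8 and 0x0a073577 that precede the resolver calls. The time ordering and the "write lands inside the earlier allocation" check are what separate this from a benign pattern; the own-process allocation at 330000 is skipped because it is not cross-process.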
Sections (second analysed process: explorer.exe, PID 1552, the target of the injection above)
Registry Activities, Process Activities, Memory Activities, User Activities: the per-category tables were not extracted; the chronological section below is what survives for this process.
Chronological sections
Operation | Data | Completion | Time
Message sent | HWND: 10084 Message: 41A WParam: 1584 LParam: 70536 | error | 655980997 |
Process information queried | PID: 576 Info Class: BasicInformation | success or wait | 655986842 |
Memory read | PID: 576 Path: C:\WINDOWS\system32\winlogon.exe Base: 7FFDF008 Length: 4 Value: 00 00 00 01 | success or wait | 655987190 |
Memory read | PID: 576 Path: C:\WINDOWS\system32\winlogon.exe Base: 7FFDF00C Length: 4 Value: 90 1E 17 00 | success or wait | 655987534 |
Memory read | PID: 576 Path: C:\WINDOWS\system32\winlogon.exe Base: 171EA4 Length: 4 Value: C8 1E 17 00 | success or wait | 655987873 |
Memory read | PID: 576 Path: C:\WINDOWS\system32\winlogon.exe Base: 171EC0 Length: 80 Value: 18 1F 17 00 9C 1E 17 00 20 1F 17 00 A4 1E 17 00 00 00 00 00 00 00 00 00 00 00 00 01 E1 E5 03 01 00 10 08 00 48 00 4A 00 34 05 02 00 18 00 1A 00 64 05 02 00 00 50 00 00 FF FF 00 00 54 2B 17 00 30 E3 97 7C 49 75 02 48 00 00 00 00 00 00 00 00 | success or wait | 655988309 |
Memory read | PID: 576 Path: C:\WINDOWS\system32\winlogon.exe Base: 20534 Length: 74 Value: 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 73 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 77 00 69 00 6E 00 6C 00 6F 00 67 00 6F 00 6E 00 2E 00 65 00 78 00 65 00 00 00 | success or wait | 655988743 |
Process information queried | PID: 1552 Info Class: DefaultHardErrorMode | success or wait | 655990607 |
Process information queried | PID: 1552 Info Class: DefaultHardErrorMode | success or wait | 655991178 |
Process information queried | PID: 1552 Info Class: DefaultHardErrorMode | success or wait | 655993581 |
Process information queried | PID: 1552 Info Class: DefaultHardErrorMode | success or wait | 655994120 |
Message sent | HWND: 140124 Message: GETICON WParam: 2 LParam: 0 | success | 655994727 |
Message sent | HWND: 140124 Message: GETICON WParam: 0 LParam: 0 | success | 655995187 |
Message sent | HWND: 140124 Message: GETICON WParam: 1 LParam: 0 | success | 655995622 |
Process information queried | PID: 1552 Info Class: DefaultHardErrorMode | success or wait | 655996210 |
Process information queried | PID: 1552 Info Class: DefaultHardErrorMode | success or wait | 655996739 |
Process information queried | PID: 1552 Info Class: DefaultHardErrorMode | success or wait | 655998907 |
Process information queried | PID: 1552 Info Class: DefaultHardErrorMode | success or wait | 655999448 |
Windows enumerated | Desktop: 0 Parent: 0 Enum Children: false TID: 0 HWNDs: 140124, 2003E, 20044, 900A4, 900A8, 90098, 90086, 10076, 10074, 10082, 10070, 3004E, 1008E, E0128, 170114 | success or wait | 656000607 |
Key value replaced with new | Path: HKEY_USERS\SessionInformation Name: ProgramCount Type: dword Data: 1 Old data: 0 | success or wait | 656001208 |
Message sent | HWND: 10084 Message: 41A WParam: 0 LParam: 0 | error | 656002477 |
Windows enumerated | Desktop: 0 Parent: 0 Enum Children: false TID: 0 HWNDs: 140124, 2003E, 20044, 900A4, 900A8, 90098, 90086, 10076, 10074, 10082, 10070, 3004E, 1008E, E0128, 170114 | success or wait | 656003007 |
Windows enumerated | Desktop: 0 Parent: 0 Enum Children: false TID: 0 HWNDs: 140124, 2003E, 20044, 900A4, 900A8, 90098, 90086, 10076, 10074, 10082, 10070, 3004E, 1008E, E0128, 170114 | success or wait | 659619758 |
Windows enumerated | Desktop: 0 Parent: 0 Enum Children: false TID: 0 HWNDs: 140124, 2003E, 20044, 900A4, 900A8, 90098, 90086, 10076, 10074, 10082, 10070, 3004E, 1008E, E0128, 170114 | success or wait | 663252200 |
Windows enumerated | Desktop: 0 Parent: 0 Enum Children: false TID: 0 HWNDs: 140124, 2003E, 20044, 900A4, 900A8, 90098, 90086, 10076, 10074, 10082, 10070, 3004E, 1008E, E0128, 170114 | success or wait | 666831890 |
Windows enumerated | Desktop: 0 Parent: 0 Enum Children: false TID: 0 HWNDs: 140124, 2003E, 20044, 900A4, 900A8, 90098, 90086, 10076, 10074, 10082, 10070, 3004E, 1008E, E0128, 170114 | success or wait | 670411370 |
Windows enumerated | Desktop: 0 Parent: 0 Enum Children: false TID: 0 HWNDs: 140124, 2003E, 20044, 900A4, 900A8, 90098, 90086, 10076, 10074, 10082, 10070, 3004E, 1008E, E0128, 170114 | success or wait | 673990855 |
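The five "Memory read" rows against winlogon.exe (PID 576) in the table above chain together: PEB+0x08 and PEB+0x0C, then the loader list head at Ldr+0x14, then an 80-byte LDR_DATA_TABLE_ENTRY, then the UTF-16 buffer its FullDllName points at, which decodes to the NT path of winlogon.exe. The script below is an added example, not Joe Sandbox output and not the sample's code: it parses those rows verbatim, reconstructs the walk, and cross-checks the list back-pointers, DllBase against ImageBaseAddress, and BaseDllName aliasing the tail of FullDllName. The structure offsets are those of 32-bit Windows XP, the PEB base of 0x7FFDF000 is inferred from the read addresses, and the Length column of this table is taken as decimal (the byte counts in the dumps agree); those are the example's assumptions, not statements the report makes.

```python
"""Reconstruct the remote PEB walk recorded by the winlogon.exe 'Memory read' rows.

Added example for the report above; not Joe Sandbox output and not the sample's code.
Assumptions (not stated by the report): 32-bit Windows XP structure offsets, a PEB
at 0x7FFDF000 consistent with the reads at 7FFDF008/7FFDF00C, and a decimal Length
column (the byte counts of the dumps agree with that reading).
"""
import re
import struct

PEB_XP = 0x7FFDF000  # assumed PEB base; the report reads PEB+0x08 and PEB+0x0C

# The five reads against winlogon.exe (PID 576), copied from the report.
READS = [
    r"Memory read | PID: 576 Path: C:\WINDOWS\system32\winlogon.exe Base: 7FFDF008 "
    r"Length: 4 Value: 00 00 00 01 | success or wait | 655987190 |",
    r"Memory read | PID: 576 Path: C:\WINDOWS\system32\winlogon.exe Base: 7FFDF00C "
    r"Length: 4 Value: 90 1E 17 00 | success or wait | 655987534 |",
    r"Memory read | PID: 576 Path: C:\WINDOWS\system32\winlogon.exe Base: 171EA4 "
    r"Length: 4 Value: C8 1E 17 00 | success or wait | 655987873 |",
    r"Memory read | PID: 576 Path: C:\WINDOWS\system32\winlogon.exe Base: 171EC0 "
    r"Length: 80 Value: 18 1F 17 00 9C 1E 17 00 20 1F 17 00 A4 1E 17 00 00 00 00 00 "
    r"00 00 00 00 00 00 00 01 E1 E5 03 01 00 10 08 00 48 00 4A 00 34 05 02 00 18 00 "
    r"1A 00 64 05 02 00 00 50 00 00 FF FF 00 00 54 2B 17 00 30 E3 97 7C 49 75 02 48 "
    r"00 00 00 00 00 00 00 00 | success or wait | 655988309 |",
    r"Memory read | PID: 576 Path: C:\WINDOWS\system32\winlogon.exe Base: 20534 "
    r"Length: 74 Value: 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 "
    r"44 00 4F 00 57 00 53 00 5C 00 73 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 "
    r"5C 00 77 00 69 00 6E 00 6C 00 6F 00 67 00 6F 00 6E 00 2E 00 65 00 78 00 65 00 "
    r"00 00 | success or wait | 655988743 |",
]

READ_RE = re.compile(r"Base:\s*([0-9A-Fa-f]+)\s+Length:\s*(\d+)\s+Value:\s*([0-9A-Fa-f ]+?)\s*\|")


def parse_reads(rows):
    """Map read address -> bytes, checking the decimal Length against the dump."""
    reads = {}
    for row in rows:
        m = READ_RE.search(row)
        if not m:
            continue
        data = bytes.fromhex(m.group(3).replace(" ", ""))
        if len(data) != int(m.group(2)):
            raise ValueError(f"Length/Value mismatch at {m.group(1)}")
        reads[int(m.group(1), 16)] = data
    return reads


def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def unicode_string(buf, off):
    """UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer }."""
    return struct.unpack_from("<HHI", buf, off)


def reconstruct_peb_walk(reads, peb=PEB_XP):
    """Follow PEB -> Ldr -> InMemoryOrderModuleList -> entry -> FullDllName (XP offsets)."""
    image_base = u32(reads[peb + 0x08], 0)          # PEB.ImageBaseAddress
    ldr = u32(reads[peb + 0x0C], 0)                 # PEB.Ldr
    first_link = u32(reads[ldr + 0x14], 0)          # InMemoryOrderModuleList.Flink
    entry_addr = first_link - 0x08                  # InMemoryOrderLinks sits at +0x08
    entry = reads[entry_addr]
    dll_base, entry_point, size_of_image = struct.unpack_from("<III", entry, 0x18)
    full_len, full_max, full_buf = unicode_string(entry, 0x24)
    base_len, base_max, base_buf = unicode_string(entry, 0x2C)
    path_raw = reads[full_buf]
    full_name = path_raw[:full_len].decode("utf-16-le")
    base_off = base_buf - full_buf
    base_name = path_raw[base_off:base_off + base_len].decode("utf-16-le")
    checks = {
        "InLoadOrderLinks.Blink points back at Ldr+0x0C": u32(entry, 0x04) == ldr + 0x0C,
        "InMemoryOrderLinks.Blink points back at Ldr+0x14": u32(entry, 0x0C) == ldr + 0x14,
        "DllBase equals PEB.ImageBaseAddress": dll_base == image_base,
        "FullDllName read covers MaximumLength and is NUL terminated":
            len(path_raw) == full_max and path_raw[full_len:full_len + 2] == b"\x00\x00",
        "BaseDllName aliases the tail of FullDllName":
            full_buf < base_buf and base_buf + base_len == full_buf + full_len,
    }
    return {"image_base": image_base, "ldr": ldr, "entry_address": entry_addr,
            "dll_base": dll_base, "entry_point": entry_point, "size_of_image": size_of_image,
            "full_name": full_name, "base_name": base_name, "checks": checks}


if __name__ == "__main__":
    walk = reconstruct_peb_walk(parse_reads(READS))
    for key, value in walk.items():
        if key != "checks":
            print(f"{key:14} {value:#x}" if isinstance(value, int) else f"{key:14} {value}")
    for name, ok in walk["checks"].items():
        print(f"  [{'ok' if ok else 'FAIL'}] {name}")
```

The decoded buffer is "\??\C:\WINDOWS\system32\winlogon.exe", obtained purely from cross-process reads of winlogon's loader data rather than from any image-path API; the same "\??\" prefix appears as an immediate in the code written into explorer.exe earlier in this report. All five consistency checks pass on the recorded values, which is a useful sanity test before trusting a reconstructed walk from a partial trace.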