
General Information

Analysis ID: 35502
Start time: 14:04:37
Start date: 11/09/2013
Overall analysis duration: 0h 12m 9s
Report type: full
Sample file name: g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe
Cookbook file name: Bypass long sleeps.jbs
Analysis system description: XP SP3 (Office 2003 SP2, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8)
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
HCA enabled: true
HCA success: true, ratio: 98%
Warnings:
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.


Detection

Strategy | Detection | Index | Report FP/FN
Threshold | malicious | 0.040 |


Signature Overview

Networking:

Contains functionality to download additional files from the internet
Tries to download non-existing http data (HTTP/1.1 404 Not Found)
Urls found in memory or binary data
Downloads files from webservers via HTTP

Boot Survival:

Creates an autostart registry key

Persistence and Installation Behavior:

Drops PE files

Data Obfuscation:

Binary may include packed or encrypted data
Contains functionality to dynamically determine API calls
PE file contains an invalid checksum
PE sections with suspicious entropy found

Spreading:

Contains functionality to enumerate / list files inside a directory

System Summary:

Contains functionality to adjust token privileges (e.g. debug / backup)
Contains functionality to enum processes or threads
Contains functionality to load and extract PE file embedded resources
Creates files inside the user directory
Creates mutexes
Enables driver privileges
Tries to load missing DLLs

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Anti Debugging:

Contains functionality to register its own exception handler
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Creates guard pages, often used to prevent reverse engineering and debugging
Found dropped PE file which has not been started or loaded
Executes massive amount of sleeps in a loop

Virtual Machine Detection:

Contains functionality to enumerate / list files inside a directory
Queries a list of all running processes
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Contains long sleeps (>= 3 min)

Language, Device and Operating System Detection:

Contains functionality to query local / system time
Contains functionality to query the account / user name
Contains functionality to query windows version
Queries device information via Setup API
Queries the volume information (name, serial number etc) of a device

Screenshot

Startup

  • system is xp
  • cleanup

Created / dropped Files

File Path | Hashes
C:\Documents and Settings\All Users\Application Data\sasrrU33\sasrrU33.exe
  • MD5: 9FAC72A50A7F756D0D3319C686850516
  • SHA: 44C0C63E78A7CFE90E748A44C99951DC59C5AA29
  • SHA-256: 5D349792F053BF0B410A7E89FEDF065D413C80CF113368040CBDED9E0BD758C7
  • SHA-512: 0D7980E2D93CC93A62371FEA6824028FE488FBF9716D29A5468B46642B6F4AB79878C00C58C378779660AD68A09ED7DF9E6844034D2DE823569DAE4152177062
C:\Documents and Settings\All Users\Application Data\sasrrU33\sasrrU33.exe.manifest
  • MD5: 9FFFC81F7CB3C76097DB6A7397450850
  • SHA: 8528BEA71CBC1B5494C4CDC975278612EE4B0243
  • SHA-256: 41F146D5CB10313FC2A7BE20F31847BC1877197CBFE76EA594EE77DF1F1F749C
  • SHA-512: BA3B6EE390C25942CAF8FDD790F94F60F0E38C7A49F09C28A9825FDDC1DB811D1C3CF080ABE598264D7D4D90BC23473DFEF1D7D24914D1F546E9BE20EF32E40B
C:\Documents and Settings\All Users\Application Data\sasrrU33\sasrrU33.ico
  • MD5: E6D7C185280DB54CFC2F6EB247C1F960
  • SHA: 4BB754999CC2B6F39FDB286FDE59A49C5DF8E8E0
  • SHA-256: 5333BA8E31A41394DE77E9C65B3C482386B127788C4C6CDC94C9A7DACC9447D7
  • SHA-512: AA62754B67099FABE9C57E5570A2A0B16D459E1D040876F7A63CFC534F13CFBBF90A25504D417AC370D367D5D63E59B1F39A7598CEAFA4DDB037C7A64B528D70
C:\Documents and Settings\All Users\Application Data\sasrrU33\sasrrU33NwixDxva.in
  • MD5: F160C7D92B1700407E9FD84D53BF6D9D
  • SHA: D55A9BD3E370626C0B1F01DD26DF610DC05A86DF
  • SHA-256: 007D9E759C9A7894F4418A2CF1BEF0AD6F606E5536B74B426BA4D5B055C8BFFA
  • SHA-512: A53E16EBBF6EFA352F3CD1C484A29BFFE7F835EE3F5358232FDCFD619CEDB931B8D7BC1DC080E5B3305A9219080049AF0282293EEF0A00A00ACB6954A75637D3
\ROUTER
  • MD5: 1E83B2814FEBD334463FE800FDEA51E3
  • SHA: BB3F61B15AE767F501C67AE840B98E9D41E3959A
  • SHA-256: A2210C779EF463BE5BF27375BFED442A55B159FFDE8F7A1E1EEB92D34387D67C
  • SHA-512: C2F398DC770F91AC81E7641C1BDA86E294023484208B14AB1EAB1ED8F8011DC6EA2637816EBCC6551219F0344395076C74D31077E3BCDB2544D6676D24138C52

Contacted Domains

No contacted domain info

Contacted IPs

No contacted IP info

Static File Info

File type: Users\admin\Desktop\35502\sample\g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe; PE32 executable for MS Windows (GUI) Intel 80386 32-bit
File name: g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe
File size: 688128
MD5: 9fac72a50a7f756d0d3319c686850516
SHA1: 44c0c63e78a7cfe90e748a44c99951dc59c5aa29
SHA256: 5d349792f053bf0b410a7e89fedf065d413c80cf113368040cbded9e0bd758c7
SHA512: 0d7980e2d93cc93a62371fea6824028fe488fbf9716d29a5468b46642b6f4ab79878c00c58c378779660ad68a09ed7df9e6844034d2de823569dae4152177062

Static PE Info

General
Entrypoint: 0x403c90
Entrypoint Section: .text
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x4C36E8CC [Fri Jul 09 09:15:56 2010 UTC]
TLS Callbacks:
Digitally signed: False
Resources
Name | RVA | Size | Type | Language | Country
RT_ICON | 0xfe310 | 0x468 | ump; data | Chinese | China
RT_DIALOG | 0x106578 | 0x116 | ump; data | English | United States
RT_DIALOG | 0x106690 | 0x26e | ump; data | English | United States
RT_DIALOG | 0x106900 | 0x26e | ump; data | Japanese | Japan
RT_DIALOG | 0x106b70 | 0x26e | ump; data | Korean | North Korea
RT_DIALOG | 0x106b70 | 0x26e | ump; data | Korean | South Korea
RT_DIALOG | 0x106de0 | 0x26e | ump; data | Chinese | China
RT_DIALOG | 0x107050 | 0xc2 | ump; data | English | United States
RT_DIALOG | 0x107114 | 0xc2 | ump; data | Japanese | Japan
RT_DIALOG | 0x1071d8 | 0xc2 | ump; data | Korean | North Korea
RT_DIALOG | 0x1071d8 | 0xc2 | ump; data | Korean | South Korea
RT_DIALOG | 0x10729c | 0xb2 | ump; data | Chinese | China
RT_STRING | 0x107350 | 0xc2 | ump; data | English | United States
RT_STRING | 0x107414 | 0xc2 | ump; data | Japanese | Japan
RT_STRING | 0x1074d8 | 0x6e | ump; data | Chinese | China
RT_GROUP_ICON | 0x107548 | 0x4c | ump; MS Windows icon resource - 1 icon | Chinese | China
Imports
DLL | Import
MFC42.DLL |
MSVCRT.dll | __set_app_type, __p__fmode, _setmbcp, __CxxFrameHandler, _mbscmp, free, malloc, _mbsrchr, atoi, sprintf, __dllonexit, _onexit, _except_handler3, ?terminate@@YAXXZ, _exit, _XcptFilter, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, _controlfp
KERNEL32.dll | SetLastError, GetStartupInfoA, GetPrivateProfileStringA, LocalFree, GetLastError, WritePrivateProfileStringA, lstrlenA, CopyFileA, GetTempPathA, Sleep, GetSystemDirectoryA, GetVersionExA, GetModuleFileNameA, GetPrivateProfileIntA, GetSystemDefaultLCID, GetCurrentProcess, CloseHandle, WriteFile, CreateFileA, DeleteFileA, FreeLibrary, GetModuleHandleA, LoadLibraryA, GetProcAddress
USER32.dll | SetTimer, ExitWindowsEx, SetDlgItemTextA, MsgWaitForMultipleObjects, GetForegroundWindow, PeekMessageA, DispatchMessageA, GetWindowLongA, IsIconic, GetWindowTextA, DrawIcon, UpdateWindow, GetSystemMenu, AppendMenuA, SetParent, LoadIconA, EnableWindow, DrawFocusRect, SetRect, FillRect, GetClientRect, GetParent, SendMessageA, InflateRect, DrawStateA, InvalidateRect, LoadImageA, CopyRect, PostMessageA, GetSystemMetrics, KillTimer
GDI32.dll | GetTextExtentPoint32A, CreatePen, CreateSolidBrush, RoundRect
ADVAPI32.dll | RegEnumKeyExA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyA, RegQueryInfoKeyA, RegQueryValueExA, RegDeleteValueA, RegCreateKeyA, RegSetValueExA, RegCloseKey, RegOpenKeyExA
SHELL32.dll | ShellExecuteA, ShellExecuteExA
COMCTL32.dll | _TrackMouseEvent
VERSION.dll | GetFileVersionInfoA, VerQueryValueA, GetFileVersionInfoSizeA
SHLWAPI.dll | PathFileExistsA
SETUPAPI.dll | SetupDiDestroyDeviceInfoList, SetupDiEnumDeviceInfo, SetupDiGetClassDevsW, SetupDiGetDeviceRegistryPropertyW
Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy
.text | 0x1000 | 0x85d2 | 0x9000 | 6.09931624224
.rdata | 0xa000 | 0x2b3c | 0x3000 | 4.493124447
.data | 0xd000 | 0xf0560 | 0x91000 | 7.12738207246
.rsrc | 0xfe000 | 0xa095a0 | 0xa000 | 5.33524932677
Possible Origin
Language of compilation system | Country where language is spoken | Map
Chinese | China |
English | United States |
Japanese | Japan |
Korean | North Korea |
Korean | South Korea |

Network Behavior

TCP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 11, 2013 14:05:58.783783913 MESZ | 1031 | 80 | 192.168.0.10 | 219.235.1.127
Sep 11, 2013 14:05:58.783812046 MESZ | 80 | 1031 | 219.235.1.127 | 192.168.0.10
Sep 11, 2013 14:05:58.784151077 MESZ | 1031 | 80 | 192.168.0.10 | 219.235.1.127
Sep 11, 2013 14:05:58.785469055 MESZ | 1032 | 80 | 192.168.0.10 | 219.235.1.127
Sep 11, 2013 14:05:58.785499096 MESZ | 80 | 1032 | 219.235.1.127 | 192.168.0.10
Sep 11, 2013 14:05:58.785815001 MESZ | 1032 | 80 | 192.168.0.10 | 219.235.1.127
Sep 11, 2013 14:05:58.790313959 MESZ | 1032 | 80 | 192.168.0.10 | 219.235.1.127
Sep 11, 2013 14:05:58.790330887 MESZ | 80 | 1032 | 219.235.1.127 | 192.168.0.10
Sep 11, 2013 14:05:58.791136026 MESZ | 1031 | 80 | 192.168.0.10 | 219.235.1.127
Sep 11, 2013 14:05:58.791147947 MESZ | 80 | 1031 | 219.235.1.127 | 192.168.0.10
Sep 11, 2013 14:06:09.030019045 MESZ | 80 | 1032 | 219.235.1.127 | 192.168.0.10
Sep 11, 2013 14:06:09.209880114 MESZ | 1032 | 80 | 192.168.0.10 | 219.235.1.127
Sep 11, 2013 14:06:18.610122919 MESZ | 1032 | 80 | 192.168.0.10 | 219.235.1.127
Sep 11, 2013 14:06:18.610140085 MESZ | 80 | 1032 | 219.235.1.127 | 192.168.0.10
Sep 11, 2013 14:06:24.238883972 MESZ | 80 | 1032 | 219.235.1.127 | 192.168.0.10
Sep 11, 2013 14:06:24.242336988 MESZ | 1032 | 80 | 192.168.0.10 | 219.235.1.127
Sep 11, 2013 14:06:24.242353916 MESZ | 80 | 1032 | 219.235.1.127 | 192.168.0.10
Sep 11, 2013 14:06:29.316023111 MESZ | 1031 | 80 | 192.168.0.10 | 219.235.1.127
Sep 11, 2013 14:06:29.316122055 MESZ | 80 | 1031 | 219.235.1.127 | 192.168.0.10
Sep 11, 2013 14:06:29.316428900 MESZ | 1031 | 80 | 192.168.0.10 | 219.235.1.127
Sep 11, 2013 14:06:34.390074968 MESZ | 80 | 1032 | 219.235.1.127 | 192.168.0.10
Sep 11, 2013 14:06:34.576905012 MESZ | 1032 | 80 | 192.168.0.10 | 219.235.1.127
Sep 11, 2013 14:07:39.354384899 MESZ | 80 | 1032 | 219.235.1.127 | 192.168.0.10
Sep 11, 2013 14:07:39.354948997 MESZ | 1032 | 80 | 192.168.0.10 | 219.235.1.127
HTTP Request Dependency Graph
  • 219.235.1.127
HTTP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Header | Total Bytes Transferred (KB)

Sep 11, 2013 14:05:58.790313959 MESZ | 1032 | 80 | 192.168.0.10 | 219.235.1.127
  GET /api/stats/debug/1/?ts=4ab975b8b3b7e69e13380bf46a335a6e3dad2fa2&token=sysdocx1&group=asp&nid=264D4000&lid=0072&ver=0072&affid=51800 HTTP/1.1
  Host: 219.235.1.127
  Connection: Keep-Alive
  Total Bytes Transferred (KB): 0

Sep 11, 2013 14:05:58.791136026 MESZ | 1031 | 80 | 192.168.0.10 | 219.235.1.127
  GET /api/dom/no_respond/?ts=4ab975b8b3b7e69e13380bf46a335a6e3dad2fa2&token=sysdocx1&group=asp&nid=264D4000&lid=0072&ver=0072&affid=51800&dx=0 HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 1.0.3705);(b:2600;c:x86_Family_6_Model_30_Stepping_5,_GenuineIntel;l:1033)
  Host: 219.235.1.127
  Connection: Keep-Alive
  Total Bytes Transferred (KB): 1

Sep 11, 2013 14:06:09.030019045 MESZ | 80 | 1032 | 219.235.1.127 | 192.168.0.10
  HTTP/1.1 404 NOT FOUND
  Server: nginx/1.4.1
  Date: Wed, 11 Sep 2013 12:04:57 GMT
  Content-Type: text/html; charset=utf-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Total Bytes Transferred (KB): 1

Sep 11, 2013 14:06:18.610122919 MESZ | 1032 | 80 | 192.168.0.10 | 219.235.1.127
  GET /api/stats/debug/2/?ts=4ab975b8b3b7e69e13380bf46a335a6e3dad2fa2&token=sysdocx1&group=asp&nid=264D4000&lid=0072&ver=0072&affid=51800 HTTP/1.1
  Host: 219.235.1.127
  Connection: Keep-Alive
  Total Bytes Transferred (KB): 1

Sep 11, 2013 14:06:24.238883972 MESZ | 80 | 1032 | 219.235.1.127 | 192.168.0.10
  HTTP/1.1 404 NOT FOUND
  Server: nginx/1.4.1
  Date: Wed, 11 Sep 2013 12:05:10 GMT
  Content-Type: text/html; charset=utf-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Total Bytes Transferred (KB): 2

Sep 11, 2013 14:06:24.242336988 MESZ | 1032 | 80 | 192.168.0.10 | 219.235.1.127
  GET /api/stats/debug/3/?ts=4ab975b8b3b7e69e13380bf46a335a6e3dad2fa2&token=sysdocx1&group=asp&nid=264D4000&lid=0072&ver=0072&affid=51800 HTTP/1.1
  Host: 219.235.1.127
  Connection: Keep-Alive
  Total Bytes Transferred (KB): 2

Sep 11, 2013 14:06:34.390074968 MESZ | 80 | 1032 | 219.235.1.127 | 192.168.0.10
  HTTP/1.1 404 NOT FOUND
  Server: nginx/1.4.1
  Date: Wed, 11 Sep 2013 12:05:23 GMT
  Content-Type: text/html; charset=utf-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Total Bytes Transferred (KB): 2

Code Manipulation Behavior

System Behavior