Malware Analysis Forum
Post subject: c1af15a78340f248d365f6f9b0b1f2c1 --> 19a.exe
Posted: Tue May 06, 2008 5:57 pm
Author: Site Admin (Joined: Thu Mar 27, 2008 1:06 pm; Posts: 163; Location: India)
Download Link: hxxp://125.91.11.7/19a.exe

File Name: 19a.exe
File size: 17877 bytes
MD5...: c1af15a78340f248d365f6f9b0b1f2c1
SHA1..: 448f31c5eeafe2bf57d3f76bdadbd3f444428d33
SHA256: c8d118c0e11d1ba2543fc905f024462d323e35bfacc16f726a5f8895d0b59935
SHA512: ef10e675248ffc41b7dd1bdc8e2818a581d2891f8c94d1846315b2f62f7aa20e6c208f587ea415aab3a9f3657116aaf7176937e30d4fbe1a2b8777aaf04cec81

VirusTotal Result: 22/32 (68.75%)
AntiVir 7.8.0.11 2008.05.02 TR/Hijacker.Gen
AVG 7.5.0.516 2008.05.03 PSW.OnlineGames.ANGP
BitDefender 7.2 2008.05.04 Dropped:Generic.Malware.SBdld.B735CCF5
CAT-QuickHeal 9.50 2008.05.03 TrojanDownloader.Zlob.gen
ClamAV None 2008.05.04 PUA.Packed.UPack-2
DrWeb 4.44.0.09170 2008.05.03 DLOADER.Trojan
eSafe 7.0.15.0 2008.04.28 Suspicious File
eTrust-Vet 31.3.5755 2008.05.03 Win32/PerroldStealer!generic
F-Prot 4.4.2.54 2008.05.02 W32/Agent.L.gen!Eldorado
F-Secure 6.70.13260.0 2008.05.04 W32/Malware
Fortinet 3.14.0.0 2008.05.04 W32/OnLineGames.ACTB!tr.pws
Kaspersky 7.0.0.125 2008.05.04 Trojan-PSW.Win32.OnLineGames.actb
McAfee 5287 2008.05.02 PWS-WoW.gen.a
NOD32v2 3072 2008.05.03 a variant of Win32/PSW.OnLineGames.XZN
Norman 5.80.02 2008.05.02 W32/Suspicious_U.gen
Panda 9.0.0.4 2008.05.03 Suspicious file
Sophos 4.29.0 2008.05.03 Mal/Behav-112
Sunbelt 3.0.1097.0 2008.05.03 VIPRE.Suspicious
Symantec 10 2008.05.04 Trojan.Farfli
TheHacker 6.2.92.300 2008.05.03 W32/Behav-Heuristic-060
VirusBuster 4.3.26:9 2008.05.03 Packed/Upack
Webwasher-Gateway 6.6.2 2008.05.04 Trojan.Hijacker.Gen

PE Structure information

( base data )
entrypointaddress.: 0x401018
timedatestamp.....: 0x4011b0be (Fri Jan 23 23:39:42 2004)
machinetype.......: 0x14c (I386)

( 3 sections )
name   viradd   virsiz   rawdsiz  ntrpy  md5
PS     0x1000   0x6000   0x1f0    5.14   41e9183a37af30c789143e14735c604b
@@     0x7000   0x9000   0x14cc   7.93   904bea2d946c7e1c0db75a1ff3f37737
_d@@   0x10000  0x1000   0x1f0    5.14   41e9183a37af30c789143e14735c604b

( 0 imports )
( 0 exports )

Process Details:
Process ID 1648
Filename C:\19a.exe
Filesize 17877 bytes
MD5 c1af15a78340f248d365f6f9b0b1f2c1
Start Reason AnalysisTarget

New Files
C:\WINDOWS\System32\drivers\XNGAnti.sys
C:\WINDOWS\System32\ttKAFKAF1074.exe
C:\b3b4f3ed789848484.bat

Opened Files
\\.\PIPE\svcctl
\\.\XNGAntiSL
C:\19a.exe
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\System32\ttKAFKAF1074.exe
C:\b3b4f3ed789848484.bat

Chronological order
Create File: C:\WINDOWS\System32\drivers\XNGAnti.sys
Open File: \\.\PIPE\svcctl (OPEN_EXISTING)
Open File: \\.\XNGAntiSL (OPEN_EXISTING)
Open File: C:\19a.exe (OPEN_EXISTING)
Create/Open File: C:\WINDOWS\System32\ttKAFKAF1074.exe (OPEN_ALWAYS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\System32\ttKAFKAF1074.exe ()
Find File: ttKAFKAF1074.exe
Create/Open File: C:\b3b4f3ed789848484.bat (OPEN_ALWAYS)
Open File: C:\b3b4f3ed789848484.bat ()
Find File: b3b4f3ed789848484.bat

Creates Process
CommandLine: (C:\WINDOWS\System32\ttKAFKAF1074.exe) As User:
CommandLine: (C:\b3b4f3ed789848484.bat)

Create Service
Name: (XNGAnti) Display Name: (XNGAnti) File Name: (C:\WINDOWS\System32\drivers\XNGAnti.sys)
Start Service - Name: (XNGAnti)
Load Driver - Name: (\Registry\Machine\System\CurrentControlSet\Services\XNGAnti)

Process Started:
Process ID 1776
Filename C:\WINDOWS\System32\ttKAFKAF1074.exe
Filesize 17877 bytes
MD5 c1af15a78340f248d365f6f9b0b1f2c1
Start Reason CreateProcess

New Files
C:\WINDOWS\System32\ttKAFKAF1074.dll
Opened Files
C:\WINDOWS\System32\ttKAFKAF1074.exe

Chronological order
Open File: C:\WINDOWS\System32\ttKAFKAF1074.exe (OPEN_EXISTING)
Create/Open File: C:\WINDOWS\System32\ttKAFKAF1074.dll (OPEN_ALWAYS)
Find File: C:\WINDOWS\System32\verCLsiD.exe

Registry Changes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{df14157d-3ce2-4d9b-b0cc-7f47e3e31fdb}\InprocServer32 "" = ttKAFKAF1074.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{df14157d-3ce2-4d9b-b0cc-7f47e3e31fdb}\InprocServer32 "" = Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks "" = ttKAFKAF1074.dll

Process ID 1824
Filename C:\b3b4f3ed789848484.bat
Filesize 114 bytes
MD5 f1acfbccf74fe741701aa4b2dd04b6dd

Opened Files
C:\b3b4f3ed789848484.bat
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\system32\attrib.exe
Deleted Files
C:\19a.exe
C:\B3B4F3~1.BAT
Chronological order
Get File Attributes: C:\ Flags: (SECURITY_ANONYMOUS)
Find File: C:\
Find File: C:\b3b4f3ed789848484.bat
Open File: C:\b3b4f3ed789848484.bat (OPEN_EXISTING)
Find File: C:\attrib.*
Find File: C:\attrib
Find File: C:\WINDOWS\system32\attrib.*
Find File: C:\WINDOWS\system32\attrib.COM
Find File: C:\WINDOWS\system32\attrib.EXE
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\attrib.exe ()
Find File: attrib.exe
Get File Attributes: C:\19a.exe Flags: (SECURITY_ANONYMOUS)
Find File: C:\19a.exe
Delete File: C:\19a.exe
Get File Attributes: C:\b3b4f3ed789848484.bat Flags: (SECURITY_ANONYMOUS)
Delete File: C:\B3B4F3~1.BAT

Creates Process - Filename (C:\WINDOWS\system32\attrib.exe) CommandLine: (attrib "C:\19a.exe " -r -a -s -h)

Process ID 1856
Filename C:\WINDOWS\system32\attrib.exe attrib C:\19a.exe -r -a -s -h
Filesize -1 bytes
MD5
Start Reason CreateProcess

_________________
.:: MaliciousBrains ::.
http://www.malwareinfo.org

There are no patches or service packs for IGNORANCE!!
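Added example, not part of the post above: a Python triage pass over the report's section table. The packer verdicts in the VirusTotal listing (ClamAV PUA.Packed.UPack-2, VirusBuster Packed/Upack) line up with what the PE data already says: three sections with non-standard names, raw sizes far below virtual sizes, one section at 7.93 bits/byte, and no import table. The section rows embedded in the script are copied from the report; the entropy and size-ratio thresholds and the list of "normal" section names are my own assumptions, not anything the report states.

```python
"""Packer triage from a PE section table (added example, not from the post).

Heuristics applied: non-standard section names, virtual size much larger
than raw size (the stub unpacks into the gap), entropy near 8 bits/byte
(compressed or encrypted payload) and an empty import table (imports are
resolved by the stub at run time). The section table below is copied from
the report; the thresholds and the list of "normal" section names are
assumptions, not anything the report states.
"""
from __future__ import annotations

import math
from collections import Counter
from dataclasses import dataclass

# Copied from the "( 3 sections )" block of the report.
REPORT_SECTIONS = """
name viradd virsiz rawdsiz ntrpy md5
PS 0x1000 0x6000 0x1f0 5.14 41e9183a37af30c789143e14735c604b
@@ 0x7000 0x9000 0x14cc 7.93 904bea2d946c7e1c0db75a1ff3f37737
_d@@ 0x10000 0x1000 0x1f0 5.14 41e9183a37af30c789143e14735c604b
"""
REPORT_IMPORT_COUNT = 0  # "( 0 imports )"

# Assumption: names a normally linked PE is expected to use.
STANDARD_SECTION_NAMES = {".text", ".data", ".rdata", ".idata", ".edata",
                          ".rsrc", ".reloc", ".bss", ".tls", ".pdata",
                          ".CRT", "CODE", "DATA"}
ENTROPY_THRESHOLD = 7.0   # assumption: bits/byte above which data looks compressed
SIZE_RATIO_THRESHOLD = 4  # assumption: virt/raw ratio that suggests in-memory unpacking


@dataclass
class Section:
    name: str
    virt_addr: int
    virt_size: int
    raw_size: int
    entropy: float


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`; 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_section_table(text: str) -> list[Section]:
    """Parse the report's 'name viradd virsiz rawdsiz ntrpy md5' rows."""
    sections = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0] == "name":  # skip header and junk lines
            continue
        name, va, vs, rs, ent, _md5 = parts
        sections.append(Section(name, int(va, 16), int(vs, 16), int(rs, 16), float(ent)))
    return sections


def packer_indicators(sections: list[Section], import_count: int) -> list[str]:
    """Return one human-readable finding per heuristic that fires."""
    findings = []
    for s in sections:
        if s.name not in STANDARD_SECTION_NAMES:
            findings.append(f"{s.name}: non-standard section name")
        if s.entropy >= ENTROPY_THRESHOLD:
            findings.append(f"{s.name}: entropy {s.entropy:.2f} bits/byte, looks compressed or encrypted")
        # .bss-style sections legitimately have raw size 0, so only compare when raw data exists
        if s.raw_size and s.virt_size >= SIZE_RATIO_THRESHOLD * s.raw_size:
            findings.append(f"{s.name}: virtual size 0x{s.virt_size:x} vs raw size 0x{s.raw_size:x}, "
                            "room for in-memory unpacking")
    if import_count == 0:
        findings.append("empty import table: APIs are resolved at run time by the unpacking stub")
    return findings


def looks_packed(sections: list[Section], import_count: int) -> bool:
    """Verdict: two or more independent indicators is enough to route to manual unpacking."""
    return len(packer_indicators(sections, import_count)) >= 2


if __name__ == "__main__":
    secs = parse_section_table(REPORT_SECTIONS)
    for finding in packer_indicators(secs, REPORT_IMPORT_COUNT):
        print(finding)
    print("packed:", looks_packed(secs, REPORT_IMPORT_COUNT))
```

On the report's data every heuristic fires: all three names are non-standard, all three sections have far more virtual than raw space, the @@ section sits at 7.93 bits/byte, and there are no imports. The same checks run unchanged on a section table pulled from a live sample with a PE parser; only the input text changes.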
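Added example, not part of the post above: an offline audit of the persistence mechanism the sandbox log shows. The dropped copy (ttKAFKAF1074.exe) writes ttKAFKAF1074.dll into System32, registers it under a CLSID with an InprocServer32 value, and adds that CLSID to Explorer's ShellExecuteHooks, so explorer.exe loads the DLL at every logon and sees every ShellExecute call. On a real system the value name under ShellExecuteHooks is the CLSID itself; the script resolves each hook CLSID to its server DLL from a `reg export`-style dump and flags anything not on an allow-list. The registry dump is constructed (the benign entry is assumed to be the stock shell32 URL Exec Hook), the allow-list is an assumption, and hex(...) data is not decoded.

```python
"""Audit Explorer ShellExecuteHooks for an injected COM server (added example, not from the post).

Walks the chain seen in the report: ShellExecuteHooks value name -> CLSID ->
InprocServer32 default value -> DLL. Anything whose DLL is not on the
allow-list is reported. Input is a `reg export`-style text dump, so it runs
offline against an image or a dump collected from a host.
"""
from __future__ import annotations

import re

# Constructed sample in `reg export` format. The first CLSID is assumed to be
# the stock shell32 hook; the second is the one the report shows being created.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{df14157d-3ce2-4d9b-b0cc-7f47e3e31fdb}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InprocServer32]
@="C:\\WINDOWS\\system32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{df14157d-3ce2-4d9b-b0cc-7f47e3e31fdb}\InprocServer32]
@="ttKAFKAF1074.dll"
"ThreadingModel"="Apartment"
'''

HOOKS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
CLSID_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"
# Assumption: the only in-proc server Explorer is expected to load as a hook.
TRUSTED_HOOK_DLLS = {"shell32.dll"}

_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Minimal parser for `reg export` output: {key_lower: {value_name: data}}.

    Only "..." (REG_SZ) data is unescaped; hex(...) data is kept verbatim.
    Keys are lower-cased because the registry compares key names case-insensitively.
    """
    reg: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            reg.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else m.group(2)
            data = m.group(3)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            reg[current][name] = data
    return reg


def resolve_hook_server(reg: dict[str, dict[str, str]], clsid: str) -> str | None:
    """Default value of HKLM\\...\\CLSID\\{clsid}\\InprocServer32, or None if unregistered."""
    key = f"{CLSID_ROOT}\\{clsid}\\InprocServer32".lower()
    return reg.get(key, {}).get("")


def audit_shell_execute_hooks(reg: dict[str, dict[str, str]]) -> list[tuple[str, str | None, str]]:
    """Return (clsid, server_path, reason) for every hook that is not on the allow-list."""
    findings = []
    for clsid in reg.get(HOOKS_KEY.lower(), {}):
        server = resolve_hook_server(reg, clsid)
        if server is None:
            findings.append((clsid, None, "hook CLSID has no InprocServer32; registration is dangling"))
            continue
        basename = server.rsplit("\\", 1)[-1].lower()
        if basename in TRUSTED_HOOK_DLLS:
            continue
        reason = f"unexpected hook server {basename}"
        if "\\" not in server:
            reason += " (bare filename: the loader locates it through the DLL search path)"
        findings.append((clsid, server, reason))
    return findings


if __name__ == "__main__":
    for clsid, server, reason in audit_shell_execute_hooks(parse_reg_export(SAMPLE_REG)):
        print(f"{clsid} -> {server}: {reason}")
```

The bare `ttKAFKAF1074.dll` path is worth flagging on its own: because the dropper placed the DLL in System32 next to its own copy, a filename with no directory is enough for Explorer to find it, and it leaves no full path for a quick eyeball check to catch. Remediation order matters too: remove the ShellExecuteHooks value and the CLSID key before deleting the DLL, since Explorer will otherwise keep trying to load it at each logon.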

