Download Link:
hxxp://picshunter.info/out.php?e=1&t=22
Downloads 222.gif
File Name: 222.gif
VirusTotal Result: 4/32 (12.5%)
AntiVir 7.6.0.85 2008.04.11 HEUR/Crypted.E
eSafe 7.0.15.0 2008.04.09 suspicious Trojan/Worm
F-Secure 6.70.13260.0 2008.04.11 Suspicious:W32/Malware!Gemini
Panda 9.0.0.4 2008.04.11 Suspicious file
File Info:
File size: 24064 bytes
MD5...: 3eef3cffea06a5eea66ed3dac8f598c8
SHA1..: 9f47593dd806269267a94edf45b7ea4a656a7456
SHA256: 3b77dadf79b5ea3125e911cc1a252852a3d46adf3d88abd656445956f012e7af
SHA512: 04dc5b935fed17f25d4a07bb2dd91c6960de65ba1812e8d9ccda8c8aa0492f95e761f4ef7d6ab801ea63e9b00d7b056b68e35114f6f8e4aea1afbe0876e1fa95
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
PE Header
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0003
Time/Date stamp: 48007AC9
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 010F
Magic: 010B
Linker version (major): 06
Linker version (minor): 00
Size of code: 00005000
Size of initialized data: 00001000
Size of uninitialized data: 00012000
Address of entry point: 00017E20
Base of code: 00013000
Base of data: 00018000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0001
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00019000
Size of headers: 00001000
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010
PE Sections
Section VirtSize VirtAddr PhysSize PhysAddr Flags
UPX0 00012000 00001000 00000000 00000400 E0000080
UPX1 00005000 00013000 00005000 00000400 E0000040
.rsrc 00001000 00018000 00000A00 00005400 C0000040
Import table (libraries: 2)
KERNEL32.DLL (imports: 3)
LoadLibraryA
GetProcAddress
ExitProcess
MSVBVM60.DLL (imports: 1)
#581
Checking the PE header shows it is a binary executable, so the file was renamed to 222.exe.
Unpacking with UPX:
File size Ratio Format Name
-------------------- ------ ----------- -----------
90112 <- 24064 26.70% win32/pe 222.exe
VirusTotal Result: 0/31 (0%)
File Info:
File size: 90112 bytes <-- Unpacked with UPX
MD5...: 222b98fe3dcf02d89907c8651ac501b5
SHA1..: 8c49b90c98099859ba8ce9a33bc8292727a6da99
SHA256: 80bb4870938a774d9e993c8bae6335833b466f19bf0543ca31d381a7327edf06
SHA512: ef9067aae2a53ce97610a4e8c0cfb9714965a9ade55742a0bb07b1f98e16a9234ebfed92b39e52cfdbfb3315ff379a4cb1d5515c9fa1646b5a8b1bb31214cf04
.idata:00401000 ; Format : Portable executable for 80386 (PE)
.idata:00401000 ; Imagebase : 400000
.idata:00401000 ; Section 1. (virtual address 00001000)
.idata:00401000 ; Virtual size : 00012EF4 ( 77556.)
.idata:00401000 ; Section size in file : 00013000 ( 77824.)
.idata:00401000 ; Offset to raw data for section: 00001000
.idata:00401000 ; Flags 60000020: Text Executable Readable
.idata:00401000 ; Alignment : default
PE Header
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0003
Time/Date stamp: 48007AC9
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 010F
Magic: 010B
Linker version (major): 06
Linker version (minor): 00
Size of code: 00013000
Size of initialized data: 00002000
Size of uninitialized data: 00000000
Address of entry point: 00001E14
Base of code: 00001000
Base of data: 00014000
Image base: 00400000
Section alignment: 00001000
File alignment: 00001000
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0001
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00016000
Size of headers: 00001000
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010
Base Address:
Entry Point Address.: 0x401e14
Time Date Stamp.....: 0x48007ac9 (Sat Apr 12 09:03:05 2008)
Machine Type.......: 0x14c (I386)
PE Sections
Section VirtSize VirtAddr PhysSize PhysAddr Flags
.text 00012EF4 00001000 00013000 00001000 60000020
.data 00000D04 00014000 00001000 00014000 C0000040
.rsrc 000008B0 00015000 00001000 00015000 40000040
Import table (libraries: 1)
> MSVBVM60.DLL: __vbaVarTstGt, __vbaStrI2, _CIcos, _adj_fptan, __vbaStrI4, __vbaVarMove, __vbaVarVargNofree, __vbaFreeVar, __vbaAryMove, __vbaLateIdCall, __vbaLenBstr, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaCopyBytes, __vbaStrCat, __vbaLsetFixstr, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenVar, _adj_fdiv_m32, __vbaAryDestruct, -, -, -, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, -, __vbaStrFixstr, -, __vbaBoolVar, __vbaFpR8, __vbaBoolVarNull, __vbaVarTstLt, _CIsin, -, __vbaVargVarMove, -, __vbaVarCmpGt, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaVarTstEq, __vbaObjVar, __vbaI2I4, DllFunctionCall, __vbaVarOr, __vbaVarLateMemSt, __vbaStrR4, __vbaLbound, _adj_fpatan, __vbaFixstrConstruct, __vbaLateIdCallLd, __vbaStrR8, __vbaRedim, __vbaRecUniToAnsi, EVENT_SINK_Release, _CIsqrt, __vbaVarAnd, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, -, -, __vbaFPException, __vbaInStrVar, __vbaStrVarVal, __vbaUbound, __vbaVarCat, __vbaI2Var, -, _CIlog, __vbaErrorOverflow, __vbaNew2, __vbaR8Str, __vbaVarLateMemCallLdRf, __vbaInStr, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, -, __vbaI4Var, __vbaVarCmpEq, __vbaLateMemCall, __vbaVarAdd, __vbaStrToAnsi, __vbaFpI4, -, __vbaVarLateMemCallLd, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr
When executed, it shows the following message box:
---------------------------
del_ici_us
---------------------------
logstr=[697] Pause for 108328 msecs.
---------------------------
OK
---------------------------
Registry Values Modified:
Key Name New Value
HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings ProxyEnable 0
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Common AppData C:\Documents and Settings\All Users\Application Data
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders AppData C:\Documents and Settings\user\Application Data
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Cache C:\Documents and Settings\user\Local Settings\Temporary Internet Files
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Cookies C:\Documents and Settings\user\Cookies
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders History C:\Documents and Settings\user\Local Settings\History
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ AutoDetect 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ IntranetName 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ProxyBypass 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ UNCAsIntranet 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings MigrateProxy 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings ProxyEnable 0
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections SavedLegacySettings 0x460000005f00000001000000000000000000000000000000040000000000
Registry Reads:
Key Name Value Times
HKLM\SOFTWARE\CLASSES\MIME\DATABASE\CONTENT TYPE\TEXT/HTML Extension .htm 2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings EnablePunycode 1 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings UrlEncoding 0x00000000 2
HKLM\SYSTEM\CurrentControlSet\Services\Winsock\Parameters Transports 0x5400630070006900700000004e0065007400420049004f00530000000000 2
HKLM\Software\Microsoft\CTF\SystemShared CUAS 0 1
HKLM\Software\Microsoft\Rpc\SecurityService 10 secur32.dll 1
HKLM\Software\Microsoft\Tracing EnableConsoleTracing 0 1
HKLM\Software\Microsoft\Tracing\RASAPI32 ConsoleTracingMask 4294901760 2
HKLM\Software\Microsoft\Tracing\RASAPI32 EnableConsoleTracing 0 2
HKLM\Software\Microsoft\Tracing\RASAPI32 EnableFileTracing 0 2
HKLM\Software\Microsoft\Tracing\RASAPI32 FileDirectory %windir%\tracing 4
HKLM\Software\Microsoft\Tracing\RASAPI32 FileTracingMask 4294901760 2
HKLM\Software\Microsoft\Tracing\RASAPI32 MaxFileSize 1048576 2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\IMM Ime File msctfime.ime 1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList AllUsersProfile All Users 5
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList DefaultUserProfile Default User 5
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList ProfilesDirectory %SystemDrive%\Documents and Settings 10
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1229272821-1004336348-527237240-1003 ProfileImagePath %SystemDrive%\Documents and Settings\user 5
HKLM\Software\Microsoft\Windows\CurrentVersion CommonFilesDir C:\Program Files\Common Files 5
HKLM\Software\Microsoft\Windows\CurrentVersion ProgramFilesDir C:\Program Files 5
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Common AppData %ALLUSERSPROFILE%\Application Data 1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content PerUserItem 1 1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies PerUserItem 1 1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History PerUserItem 1 1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\\msn.com 1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\\msn.com\related http 4 1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ComputerName USER 7
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll Capabilities 16464 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll Comment Digest SSPI Authentication Package 2
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll Name Digest 2
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll RpcId 65535 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll TokenSize 65535 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll Type 49 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll Version 1 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll Capabilities 55 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll Comment DPA Security Package 2
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll Name DPA 2
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll RpcId 17 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll TokenSize 768 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll Type 49 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll Version 1 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll Capabilities 55 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll Comment MSN Security Package 2
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll Name MSN 2
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll RpcId 18 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll TokenSize 768 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll Type 49 1
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll Version 1 1
HKLM\System\CurrentControlSet\Control\Nls\Codepage 932 c_932.nls 1
HKLM\System\CurrentControlSet\Control\Nls\Codepage 936 c_936.nls 1
HKLM\System\CurrentControlSet\Control\Nls\Codepage 949 c_949.nls 1
HKLM\System\CurrentControlSet\Control\Nls\Codepage 950 c_950.nls 1
HKLM\System\CurrentControlSet\Control\SecurityProviders SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll 2
HKLM\System\CurrentControlSet\Control\SecurityProviders\SaslProfiles GSSAPI Kerberos 1
HKLM\System\CurrentControlSet\Control\Session Manager\Environment ComSpec %SystemRoot%\system32\cmd.exe 10
HKLM\System\CurrentControlSet\Control\Session Manager\Environment FP_NO_HOST_CHECK NO 10
HKLM\System\CurrentControlSet\Control\Session Manager\Environment NUMBER_OF_PROCESSORS 1 10
HKLM\System\CurrentControlSet\Control\Session Manager\Environment OS Windows_NT 10
HKLM\System\CurrentControlSet\Control\Session Manager\Environment PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH 10
HKLM\System\CurrentControlSet\Control\Session Manager\Environment PROCESSOR_ARCHITECTURE x86 10
HKLM\System\CurrentControlSet\Control\Session Manager\Environment PROCESSOR_IDENTIFIER x86 Family 6 Model 3 Stepping 3, GenuineIntel 10
HKLM\System\CurrentControlSet\Control\Session Manager\Environment PROCESSOR_LEVEL 6 10
HKLM\System\CurrentControlSet\Control\Session Manager\Environment PROCESSOR_REVISION 0303 10
HKLM\System\CurrentControlSet\Control\Session Manager\Environment Path %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem 10
HKLM\System\CurrentControlSet\Control\Session Manager\Environment TEMP %SystemRoot%\TEMP 10
HKLM\System\CurrentControlSet\Control\Session Manager\Environment TMP %SystemRoot%\TEMP 10
HKLM\System\CurrentControlSet\Control\Session Manager\Environment _NT_SYMBOL_PATH srv*C:\Symbols*http://msdl.microsoft.com/download/symbols 10
HKLM\System\CurrentControlSet\Control\Session Manager\Environment windir %SystemRoot% 10
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters Domain 2
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters Hostname user 2
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock HelperDllName %SystemRoot%\System32\wshtcpip.dll 1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock Mapping 0x0b0000000300000002000000010000000600000002000000010000000000 1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock MaxSockaddrLength 16 1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock MinSockaddrLength 16 1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock UseDelayedAcceptance 0 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters WinSock_Registry_Version 2.0 4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 Num_Catalog_Entries 3 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 Serial_Access_Num 4 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 DisplayString Tcpip 4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 Enabled 1 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 LibraryPath %SystemRoot%\System32\mswsock.dll 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ProviderId 0x409d05229e7ecf11ae5a00aa00a7112b 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 StoresServiceClassInfo 0 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 SupportedNameSpace 12 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 Version 0 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 DisplayString NTDS 4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 Enabled 1 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 LibraryPath %SystemRoot%\System32\winrnr.dll 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ProviderId 0xee37263b80e5cf11a55500c04fd8d4ac 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 StoresServiceClassInfo 0 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 SupportedNameSpace 32 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 Version 0 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 DisplayString Network Location Awareness (NLA) Namespace 4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 Enabled 1 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 LibraryPath %SystemRoot%\System32\mswsock.dll 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ProviderId 0x3a244266a83ba64abaa52e0bd71fdd83 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 StoresServiceClassInfo 0 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 SupportedNameSpace 15 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 Version 0 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 Next_Catalog_Entry_ID 1012 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 Num_Catalog_Entries 11 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 Serial_Access_Num 4 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 PackedCatalogItem %SystemRoot%\system32\mswsock. 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 PackedCatalogItem %SystemRoot%\system32\mswsock. 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 PackedCatalogItem %SystemRoot%\system32\mswsock. 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 PackedCatalogItem %SystemRoot%\system32\rsvpsp.d 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 PackedCatalogItem %SystemRoot%\system32\rsvpsp.d 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 PackedCatalogItem %SystemRoot%\system32\mswsock. 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 PackedCatalogItem %SystemRoot%\system32\mswsock. 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 PackedCatalogItem %SystemRoot%\system32\mswsock. 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 PackedCatalogItem %SystemRoot%\system32\mswsock. 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 PackedCatalogItem %SystemRoot%\system32\mswsock. 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 PackedCatalogItem %SystemRoot%\system32\mswsock. 1
HKLM\System\Setup SystemSetupInProgress 0 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Environment TEMP %USERPROFILE%\Local Settings\Temp 10
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Environment TMP %USERPROFILE%\Local Settings\Temp 10
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings CertificateRevocation 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings DisableCachingOfSSLPages 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings EnableHttp1_1 1 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings EnableNegotiate 1 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings MimeExclusionListForCache multipart/mixed multipart/x-mixed-replace multipart/x-byteranges 4
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings SecureProtocols 160 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings WarnOnPost 0x01000000 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings WarnOnZoneCrossing 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows NT\CurrentVersion\Winlogon ParseAutoexec 1 5
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders AppData %USERPROFILE%\Application Data 4
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Cache %USERPROFILE%\Local Settings\Temporary Internet Files 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Cookies %USERPROFILE%\Cookies 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders History %USERPROFILE%\Local Settings\History 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache Signature Client UrlCache MMF Ver 5.2 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content CacheLimit 163410 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content CachePrefix 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies CacheLimit 8192 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies CachePrefix Cookie: 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007101520071022 CacheLimit 8192 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007101520071022 CacheOptions 11 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007101520071022 CachePath %USERPROFILE%\Local Settings\History\History.IE5\MSHist012007101520071022 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007101520071022 CachePrefix :2007101520071022: 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007101520071022 CacheRepair 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007102220071029 CacheLimit 8192 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007102220071029 CacheOptions 11 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007102220071029 CachePath %USERPROFILE%\Local Settings\History\History.IE5\MSHist012007102220071029 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007102220071029 CachePrefix :2007102220071029: 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007102220071029 CacheRepair 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007110120071102 CacheLimit 8192 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007110120071102 CacheOptions 11 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007110120071102 CachePath %USERPROFILE%\Local Settings\History\History.IE5\MSHist012007110120071102 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007110120071102 CachePrefix :2007110120071102: 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007110120071102 CacheRepair 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData CacheLimit 1000 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData CacheOptions 8 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData CachePath %USERPROFILE%\UserData 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData CachePrefix UserData 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData CacheRepair 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat CacheLimit 8192 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat CacheOptions 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat CachePath %USERPROFILE%\Local Settings\Application Data\Microsoft\Feeds Cache 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat CachePrefix feedplat: 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat CacheRepair 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History CacheLimit 8192 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History CachePrefix Visited: 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ AutoDetect 1 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\ 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\ @ivt 1 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\ file 3 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\ ftp 3 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\ http 3 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\ https 3 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\ shell 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 Flags 33 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Flags 475 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Flags 71 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1A10 1 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Flags 1 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Flags 3 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings MigrateProxy 1 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings ProxyEnable 0 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections DefaultConnectionSettings 0x3c0000000200000001000000000000000000000000000000040000000000 2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections SavedLegacySettings 0x460000005e00000001000000000000000000000000000000040000000000 4
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment APPDATA C:\Documents and Settings\user\Application Data 10
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment CLIENTNAME Console 10
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment HOMEDRIVE C: 10
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment HOMEPATH \Documents and Settings\user 10
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment HOMESHARE 10
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment LOGONSERVER \\USER 10
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment SESSIONNAME Console 10
Registry Keys Monitored:
Key Name Watch subtree Notify Filter Count
HKLM\Software\Microsoft\Tracing\RASAPI32 0 Attributes Change,Value Change,Security Descriptor Change 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 0 Key Change 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 0 Key Change 1
Registry Modified:
Key Name New Value
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_RASMAN\0000\Control ActiveService RasMan
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_TAPISRV\0000\Control ActiveService TapiSrv
Files Created:
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\BNPHK11H\log20[1].htm
Files Deleted:
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\BNPHK11H\log20[1].htm
Files Read:
PIPE\ROUTER
PIPE\lsarpc
c:\autoexec.bat
Files Modified:
PIPE\ROUTER
PIPE\lsarpc
\Device\Afd\AsyncConnectHlp
\Device\RasAcd
Network Activity:
Name Query Type Query Result Successful Protocol
adultlisting.info DNS_TYPE_A 91.192.117.120 1
Unknown UDP Traffic:
From SandBox:1025 to 192.168.0.1:53
State: Normal establishment and termination - Transferred outbound Bytes: 35 - Transferred inbound Bytes: 87
Unknown HTTP Traffic:
From SandBox:1034 to 91.192.117.120:80 - [adultlisting.info]
Request: POST /dis/log20.php?0.1156209
Response: 200 "OK"