Malware Analysis Forum
Post subject: ssex.hard-core-xxx.com/adult.exe
Posted: Sun Apr 13, 2008 12:31 am by Site Admin (Joined: Thu Mar 27, 2008 1:06 pm; Posts: 163; Location: India)
Download Link: hxxp://ssex.hard-core-xxx.com/adult.exe

File Name: adult.exe

VirusTotal Result: 9/32 (28.13%)
Avast 4.8.1169.0 2008.04.12 Win32:Agent-MIO
ClamAV 0.92.1 2008.04.12 Dialer-872
DrWeb 4.44.0.09170 2008.04.12 Dialer.Adultchat.origin
Ewido 4.0 2008.04.12 Heuristic.Win32.Dialer
Ikarus T3.1.1.26.0 2008.04.12 not-a-virus:Porn-Dialer.Win32.Agent.aj
Panda 9.0.0.4 2008.04.12 Suspicious file
Prevx1 V2 2008.04.12 Heuristic: Suspicious Self Modifying File
Rising 20.39.52.00 2008.04.12 Trojan.Win32.Dialer.usx
Sophos 4.28.0 2008.04.12 ITDialer

File Info:
File size: 49152 bytes
MD5...: f074b0098ffaaf2691b61263280833b0
SHA1..: f4880d79e6cc1e9f0a35e2c4e80f87afa0c40f7a
SHA256: 93ae299ce25e16e520ac75977faf5ed0f08dfc80dc893d960ab05b275ef70e11
SHA512: 6e0a60d20f51c12925baa51bea3decafacabe06726d29c02d55f40663d2e30fd331d82177c423ba2b5c77cda3759497698cdb9aac2a099d7fb8dbfecf2b2c46a

PE Info:

PE Structure information
Base Data:
Entry Point Address.: 0x405250
Time Date Stamp.....: 0x47f8c639 (Sun Apr 06 12:46:49 2008)
Machine Type.......: 0x14c (I386)

PE Header
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0004
Time/Date stamp: 47F8C639
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 010F
Magic: 010B
Linker version (major): 06
Linker version (minor): 00
Size of code: 00005000
Size of initialized data: 00007000
Size of uninitialized data: 00000000
Address of entry point: 00005250
Base of code: 00001000
Base of data: 00006000
Image base: 00400000
Section alignment: 00001000
File alignment: 00001000
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 0000D000
Size of headers: 00001000
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections
Section  VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
.text    000043F2  00001000  00005000  00001000  60000020
.rdata   00000A34  00006000  00001000  00006000  40000040
.data    0000239C  00007000  00002000  00007000  C0000040
.rsrc    000025E0  0000A000  00003000  00009000  40000040

Import table (libraries: 8)
> MSVCRT.dll: _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __getmainargs, __set_app_type, _except_handler3, _controlfp, _acmdln, exit, _XcptFilter, _exit, _onexit, __dllonexit, strcat, strcspn, __3@YAXPAX@Z, mbstowcs, strrchr, fopen, fwrite, fclose, strstr, strchr, memcpy, strlen, atoi, sprintf, memset, _snprintf, strcpy, strncat, strncpy, __p__fmode
> USER32.dll: EnableWindow, DispatchMessageA, TranslateMessage, IsDialogMessageA, GetMessageA, SetDlgItemTextA, SendMessageA, SetWindowTextA, ShowWindow, CreateDialogParamA, LoadStringA, RegisterClassExA, LoadImageA, GetSystemMetrics, GetClientRect, PostMessageA, KillTimer, GetDlgItemTextA, MessageBoxA, SetTimer, EndDialog, PostQuitMessage, GetDlgItem
> SHELL32.dll: ShellExecuteA, SHGetSpecialFolderPathA
> WS2_32.dll:
> ole32.dll: CoUninitialize, CoInitialize, CoCreateInstance
> OLEAUT32.dll: -, -, -, -, -, -, -
> ADVAPI32.dll: RegQueryValueExA, RegCreateKeyExA, RegCloseKey
> KERNEL32.dll: CloseHandle, ReleaseMutex, GetLastError, CreateMutexA, GetModuleFileNameA, CreateThread, GetTickCount, lstrcatA, FreeLibrary, GetProcAddress, LoadLibraryA, MultiByteToWideChar, lstrlenA, CopyFileA, GetVersionExA, GlobalFree, GlobalAlloc, Sleep, lstrcpyA, GetModuleHandleA, GetStartupInfoA

Process Details:
Process ID 304
Filename C:\adult.exe
Filesize 49152 bytes
MD5 f074b0098ffaaf2691b61263280833b0
Start Reason AnalysisTarget

COM Activity:
COM Create Instance: shell32.dll, ProgID: (lnkfile), Interface ID: ({000214EE-0000-0000-C000-000000000046})
COM Create Instance: %SystemRoot%\system32\shdocvw.dll, ProgID: (), Interface ID: ({000214E6-0000-0000-C000-000000000046})

New Files Created:
C:\Documents and Settings\Sandbox\Favorites\vm18.url
C:\vm18.exe
C:\Documents and Settings\Sandbox\Start Menu\Programs\vm18.LNK
\Device\Tcp
\Device\Ip
\Device\Ip

Activity in Sequential Order:
Create File: C:\Documents and Settings\Sandbox\Favorites\vm18.url
Copy File: C:\adult.exe to C:\vm18.exe
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\shdocvw.dll (OPEN_EXISTING)
Get File Attributes: C:\vm18.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\Sandbox\Start Menu\Programs\vm18.LNK Flags: (SECURITY_ANONYMOUS)
Create File: C:\Documents and Settings\Sandbox\Start Menu\Programs\vm18.LNK
Get File Attributes: C:\Documents and Settings\Sandbox\Start Menu\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\All Users\Start Menu\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\All Users\Application Data\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\Sandbox\Application Data\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\Sandbox\My Documents\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\Sandbox\My Documents\My Pictures\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Program Files\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\All Users\Documents\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\All Users\Documents\My Pictures\desktop.ini Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\wkssvc (OPEN_EXISTING)
Get File Attributes: C:\Documents and Settings\All Users\Documents\My Music\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\All Users\Documents\My Videos\desktop.ini Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\ROUTER (OPEN_EXISTING)
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)

Read INI File:
C:\Documents and Settings\Sandbox\Start Menu\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\Sandbox\Start Menu\desktop.ini [.ShellClassInfo] LocalizedResourceName =
C:\Documents and Settings\All Users\Start Menu\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\All Users\Start Menu\desktop.ini [.ShellClassInfo] LocalizedResourceName =
C:\Documents and Settings\All Users\Application Data\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\All Users\Application Data\desktop.ini [.ShellClassInfo] LocalizedResourceName =
C:\Documents and Settings\Sandbox\Application Data\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\Sandbox\Application Data\desktop.ini [.ShellClassInfo] LocalizedResourceName =
C:\Documents and Settings\Sandbox\My Documents\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\Sandbox\My Documents\desktop.ini [DeleteOnCopy.A] Owner =
C:\Documents and Settings\Sandbox\My Documents\desktop.ini [DeleteOnCopy] PersonalizedName =
C:\Documents and Settings\Sandbox\My Documents\desktop.ini [DeleteOnCopy.A] PersonalizedName =
C:\Documents and Settings\Sandbox\My Documents\My Pictures\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\Sandbox\My Documents\My Pictures\desktop.ini [DeleteOnCopy.A] Owner =
C:\Documents and Settings\Sandbox\My Documents\My Pictures\desktop.ini [DeleteOnCopy] PersonalizedName =
C:\Documents and Settings\Sandbox\My Documents\My Pictures\desktop.ini [DeleteOnCopy.A] PersonalizedName =
C:\Documents and Settings\All Users\Documents\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\All Users\Documents\desktop.ini [.ShellClassInfo] LocalizedResourceName =
C:\Documents and Settings\All Users\Documents\My Pictures\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\All Users\Documents\My Pictures\desktop.ini [.ShellClassInfo] LocalizedResourceName =
C:\Documents and Settings\All Users\Documents\My Music\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\All Users\Documents\My Music\desktop.ini [.ShellClassInfo] LocalizedResourceName =
C:\Documents and Settings\All Users\Documents\My Videos\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\All Users\Documents\My Videos\desktop.ini [.ShellClassInfo] LocalizedResourceName =

Mutex:
Creates Mutex: ITDialer
Creates Mutex: RasPbFile

Registry Reads
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility "DisableAppCompat"
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{871c5380-42a0-1069-a2ea-08002b30309d}\InProcServer32 ""
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService "10"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders "SecurityProviders"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "Name"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "Comment"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "Capabilities"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "RpcId"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "Version"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "Type"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "TokenSize"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "Name"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "Comment"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "Capabilities"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "RpcId"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "Version"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "Type"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "TokenSize"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "Name"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "Comment"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "Capabilities"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "RpcId"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "Version"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "Type"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "TokenSize"

_________________
.:: MaliciousBrains ::.
http://www.malwareinfo.org

There are no patches or service packs for IGNORANCE!!
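The "PE Info" block in the post above is the raw header dump; the following is an added example (not from the post or the poster's tooling) that parses the same headers with nothing but `struct` and runs the sanity checks an analyst does by hand on such a dump: where the entry point lands, whether any section is both writable and executable, when the file was linked, whether there is an overlay past the last section, and whether the ASLR/NX flags are set. The sample bytes are constructed here from the values printed in the report (machine, timestamp, entry point, the four section headers); the section bodies are zero-filled, so it is a header-accurate stand-in, not adult.exe itself.

```python
"""Parse a PE32 header and run the checks worth doing before any dynamic run.

The image is CONSTRUCTED from the values printed in the report (machine,
timestamp, entry point, the four section headers); the section bodies are
zero-filled, so this is a header-accurate stand-in, not adult.exe itself."""
import struct
from datetime import datetime, timezone

FILE_HDR = "<HHIIIHH"                                   # IMAGE_FILE_HEADER (20 bytes)
OPT_HDR = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "H" * 2 + "I" * 6  # PE32 optional header without data dirs (96 bytes)
SECT_HDR = "<8sIIIIIIHHI"                               # IMAGE_SECTION_HEADER (40 bytes)

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
DYNAMIC_BASE_OR_NX_COMPAT = 0x0040 | 0x0100            # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | _NX_COMPAT

# (name, VirtSize, VirtAddr, PhysSize, PhysAddr, Flags), copied from the report's section table
SECTIONS = [
    (b".text",  0x43F2, 0x1000, 0x5000, 0x1000, 0x60000020),
    (b".rdata", 0x0A34, 0x6000, 0x1000, 0x6000, 0x40000040),
    (b".data",  0x239C, 0x7000, 0x2000, 0x7000, 0xC0000040),
    (b".rsrc",  0x25E0, 0xA000, 0x3000, 0x9000, 0x40000040),
]


def build_sample() -> bytes:
    """Constructed stand-in: headers identical to the report, bodies zeroed."""
    e_lfanew = 0x80
    # last section's PhysAddr + PhysSize = 0xC000 = 49152 bytes, the file size the report lists
    buf = bytearray(0x9000 + 0x3000)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into(FILE_HDR, buf, e_lfanew + 4,
                     0x14C, len(SECTIONS), 0x47F8C639, 0, 0, 0xE0, 0x010F)
    opt_off = e_lfanew + 4 + struct.calcsize(FILE_HDR)
    struct.pack_into(OPT_HDR, buf, opt_off,
                     0x10B, 6, 0,                                   # Magic, linker 6.0
                     0x5000, 0x7000, 0, 0x5250, 0x1000, 0x6000,     # code/data sizes, entry point, bases
                     0x400000, 0x1000, 0x1000,                      # ImageBase, section/file alignment
                     4, 0, 0, 0, 4, 0,                              # OS / image / subsystem versions
                     0, 0xD000, 0x1000, 0,                          # Win32Version, SizeOfImage, SizeOfHeaders, CheckSum
                     2, 0,                                          # Subsystem GUI, DllCharacteristics
                     0x100000, 0x1000, 0x100000, 0x1000, 0, 0x10)   # stack/heap, LoaderFlags, NumberOfRvaAndSizes
    sect_off = opt_off + 0xE0   # SizeOfOptionalHeader covers the 16 data directories too
    for i, (name, vsize, vaddr, rsize, raddr, flags) in enumerate(SECTIONS):
        struct.pack_into(SECT_HDR, buf, sect_off + 40 * i,
                         name, vsize, vaddr, rsize, raddr, 0, 0, 0, 0, flags)
    return bytes(buf)


def parse_pe(data: bytes) -> dict:
    """Read the COFF header, the PE32 optional header and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsect, ts, _, _, opt_size, chars = struct.unpack_from(FILE_HDR, data, e_lfanew + 4)
    opt_off = e_lfanew + 4 + struct.calcsize(FILE_HDR)
    o = struct.unpack_from(OPT_HDR, data, opt_off)
    if o[0] != 0x10B:
        raise ValueError("only PE32 (Magic 0x10B) is handled here")
    info = {"machine": machine, "timestamp": ts, "characteristics": chars,
            "entry_point": o[6], "image_base": o[9], "size_of_image": o[19],
            "checksum": o[21], "subsystem": o[22], "dll_characteristics": o[23],
            "sections": []}
    sect_off = opt_off + opt_size
    for i in range(nsect):
        name, vsize, vaddr, rsize, raddr, _, _, _, _, flags = struct.unpack_from(SECT_HDR, data, sect_off + 40 * i)
        info["sections"].append({"name": name.rstrip(b"\0").decode("ascii"), "vsize": vsize,
                                 "vaddr": vaddr, "rsize": rsize, "raddr": raddr, "flags": flags})
    return info


def section_for_rva(info: dict, rva: int):
    """Section that maps the RVA in memory, or None if it falls outside every section."""
    for s in info["sections"]:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rsize"]):
            return s
    return None


def triage(info: dict, file_len: int) -> dict:
    ep = section_for_rva(info, info["entry_point"])
    end_of_sections = max(s["raddr"] + s["rsize"] for s in info["sections"])
    return {
        "compiled_utc": datetime.fromtimestamp(info["timestamp"], tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y"),
        "entry_section": ep["name"] if ep else None,               # EP outside every section: packed or corrupt
        "entry_executable": bool(ep and ep["flags"] & IMAGE_SCN_MEM_EXECUTE),
        "wx_sections": [s["name"] for s in info["sections"]
                        if s["flags"] & IMAGE_SCN_MEM_WRITE and s["flags"] & IMAGE_SCN_MEM_EXECUTE],
        "overlay_bytes": file_len - end_of_sections,                # bytes appended after the last section
        "checksum_set": info["checksum"] != 0,
        "aslr_or_nx": bool(info["dll_characteristics"] & DYNAMIC_BASE_OR_NX_COMPAT),
    }


if __name__ == "__main__":
    sample = build_sample()
    for key, value in triage(parse_pe(sample), len(sample)).items():
        print(f"{key:18} {value}")
```

On the constructed image the checks reproduce what the dump implies: the entry point 0x5250 sits inside the executable .text section, no section is both writable and executable, the TimeDateStamp 0x47f8c639 decodes in UTC to the report's "Sun Apr 06 12:46:49 2008", the last section ends exactly at 49152 bytes (no overlay), the checksum is zero, and DllCharacteristics 0 means no ASLR or NX flags, which is what a linker 6.0 build would produce.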


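The sandbox sections of the post (COM Activity, New Files Created, Activity in Sequential Order, Mutex) mix the sample's own actions with shell noise: the long run of desktop.ini attribute reads and INI lookups is what SHGetSpecialFolderPathA and the shortcut machinery produce when they resolve profile folders, and the named-pipe and \Device\Tcp opens are OS plumbing. The following is an added example, not part of the post, that parses that report format into a structured IOC list, drops the noise, and spots the self-copy by comparing the source of a "Copy File" line against the analysed sample's name. The excerpt in REPORT is constructed from lines of the post; the two interface IDs are resolved through the well-known shell IIDs for IShellLinkA and IShellFolder, and the choice of which line prefixes count as noise is this example's assumption.

```python
"""Extract IOCs from a sandbox activity report in the format shown in the post.

REPORT is a constructed excerpt copied line-for-line from the post; the
noise-prefix list and the tag names are this example's own conventions."""
import re
from pathlib import PureWindowsPath

REPORT = r"""
COM Create Instance: shell32.dll, ProgID: (lnkfile), Interface ID: ({000214EE-0000-0000-C000-000000000046})
COM Create Instance: %SystemRoot%\system32\shdocvw.dll, ProgID: (), Interface ID: ({000214E6-0000-0000-C000-000000000046})
Create File: C:\Documents and Settings\Sandbox\Favorites\vm18.url
Copy File: C:\adult.exe to C:\vm18.exe
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Create File: C:\Documents and Settings\Sandbox\Start Menu\Programs\vm18.LNK
Get File Attributes: C:\Documents and Settings\Sandbox\Start Menu\desktop.ini Flags: (SECURITY_ANONYMOUS)
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Creates Mutex: ITDialer
Creates Mutex: RasPbFile
"""

KNOWN_IIDS = {  # well-known shell interface IDs
    "000214EE-0000-0000-C000-000000000046": "IShellLinkA",
    "000214E6-0000-0000-C000-000000000046": "IShellFolder",
}
# Lines generated by the shell / OS rather than by the sample's own logic (assumption)
NOISE_PREFIXES = ("Get File Attributes:", "Open File: \\\\.\\", "Create/Open File: \\Device\\")
COM_RE = re.compile(r"^COM Create Instance: (?P<module>[^,]+), ProgID: \((?P<progid>[^)]*)\), "
                    r"Interface ID: \(\{(?P<iid>[0-9A-Fa-f-]+)\}\)$")
COPY_RE = re.compile(r"^Copy File: (?P<src>.+?) to (?P<dst>.+)$")


def parse_report(text: str, sample_path: str) -> dict:
    """Walk the report once and bucket each line into an IOC category."""
    sample_name = PureWindowsPath(sample_path).name.lower()
    iocs = {"files_created": [], "self_copies": [], "mutexes": [], "com": [], "noise": 0}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(NOISE_PREFIXES):
            iocs["noise"] += 1
            continue
        if m := COM_RE.match(line):
            iid = m["iid"].upper()
            iocs["com"].append({"module": m["module"], "progid": m["progid"], "iid": iid,
                                "interface": KNOWN_IIDS.get(iid, "unknown")})
        elif m := COPY_RE.match(line):
            src, dst = PureWindowsPath(m["src"]), PureWindowsPath(m["dst"])
            # a copy whose source is the analysed binary is the sample installing itself
            if src.name.lower() == sample_name:
                iocs["self_copies"].append(str(dst))
            else:
                iocs["files_created"].append(str(dst))
        elif line.startswith("Create File: "):
            iocs["files_created"].append(line[len("Create File: "):])
        elif line.startswith("Creates Mutex: "):
            iocs["mutexes"].append(line[len("Creates Mutex: "):])
    return iocs


def classify(iocs: dict) -> list:
    """Behaviour tags derived from the IOC buckets (tag names are this example's own)."""
    tags = set()
    if iocs["self_copies"]:
        tags.add("self_copy")
    if iocs["mutexes"]:
        tags.add("named_mutex")          # the usual single-instance guard
    if any(c["interface"] == "IShellLinkA" for c in iocs["com"]):
        tags.add("creates_shortcut_via_ishelllink")
    for path in iocs["files_created"]:
        low = path.lower()
        if "\\start menu\\" in low and low.endswith(".lnk"):
            tags.add("start_menu_shortcut")
        if "\\favorites\\" in low and low.endswith(".url"):
            tags.add("favorites_url")
    return sorted(tags)


if __name__ == "__main__":
    found = parse_report(REPORT, r"C:\adult.exe")
    for bucket, items in found.items():
        print(f"{bucket}: {items}")
    print("tags:", classify(found))
```

Note that a .LNK under Start Menu\Programs is a menu entry, not a Startup-folder item, so the tags name it a shortcut rather than a persistence mechanism; the report shows no autorun registry write either, only reads. The mutex names and the copied filename C:\vm18.exe are the host-level indicators a responder would hunt for.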