 Post subject: scdown.qq.com/download/Setup.exe
PostPosted: Sun Apr 13, 2008 10:29 am 
Site Admin

Joined: Thu Mar 27, 2008 1:06 pm
Posts: 163
Location: India
Download Link: hxxp://scdown.qq.com/download/Setup.exe

File Name: Setup.exe

VirusTotal Result: 13/32 (40.63%)
AntiVir 7.6.0.85 2008.04.11 ADSPY/Tencent.DD.1
Avast 4.8.1169.0 2008.04.12 Win32:Adware-gen
BitDefender 7.2 2008.04.13 Adware.Generic.15813
DrWeb 4.44.0.09170 2008.04.12 Adware.Tencent.origin
eSafe 7.0.15.0 2008.04.09 suspicious Trojan/Worm
FileAdvisor 1 2008.04.13 Low threat detected
Fortinet 3.14.0.0 2008.04.13 Adware/Agent
Ikarus T3.1.1.26.0 2008.04.13 Virus.Win32.AdWare
McAfee 5272 2008.04.11 potentially unwanted program Adware-TCent
Panda 9.0.0.4 2008.04.12 Suspicious file
Prevx1 V2 2008.04.13 ADWARE.TCENT.B
Sunbelt 3.0.1041.0 2008.04.12 Tencent AddressBar
Webwasher-Gateway 6.6.2 2008.04.11 Ad-Spyware.Tencent.DD.1

File Info:
File size: 364032 bytes
MD5...: 9ac15c8e87aafa07177746cc682e6b9a
SHA1..: 008969802274284d4ce32916253026406c9411b4
SHA256: bf165d29e5240452a260f03d032350797adee27059963a74968eb33d556aa404
SHA512: 17fd0e7400fc4421eb2d55ef038b0720e577aa638e81fcf88b2e8d7f16aaabda3ecd626f334c91c99f96d5e73d97ced44128e72089fac0116b7621eb2e7b4715
PEiD..: UPX 2.90

PE Header
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0003
Time/Date stamp: 466F4F9D
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 010F
Magic: 010B
Linker version (major): 06
Linker version (minor): 00
Size of code: 00058000
Size of initialized data: 00001000
Size of uninitialized data: 00017000
Address of entry point: 0006FB80
Base of code: 00018000
Base of data: 00070000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00071000
Size of headers: 00001000
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections
Section VirtSize VirtAddr PhysSize PhysAddr Flags
UPX0 00017000 00001000 00000000 00000400 E0000080
UPX1 00058000 00018000 00057E00 00000400 E0000040
.rsrc 00001000 00070000 00000C00 00058200 C0000040

Import table (libraries: 5)
KERNEL32.DLL (imports: 3)
LoadLibraryA
GetProcAddress
ExitProcess
ADVAPI32.dll (imports: 1)
RegOpenKeyA
MSVCRT.dll (imports: 1)
exit
ole32.dll (imports: 1)
CoTaskMemFree
SHLWAPI.dll (imports: 1)
StrStrIA

Unpacked with UPX:
File size Ratio Format Name
-------------------- ------ ----------- -----------
450560 <- 364032 80.80% win32/pe Setup_unpacked.exe

File Name: Setup_unpacked.exe

VirusTotal Result: 10/32 (31.25%)
Avast 4.8.1169.0 2008.04.12 Win32:Adware-gen
DrWeb 4.44.0.09170 2008.04.12 Adware.Tencent.origin
F-Prot 4.4.2.54 2008.04.13 W32/Trojan.ARDK
Fortinet 3.14.0.0 2008.04.13 Adware/Agent
Ikarus T3.1.1.26.0 2008.04.13 Win32.SuspectCrc
Panda 9.0.0.4 2008.04.12 Suspicious file
Prevx1 V2 2008.04.13 Heuristic: Suspicious File With Bad Parent Associations
Sophos 4.28.0 2008.04.13 Sus/Emogen-X
VBA32 3.12.6.4 2008.04.06 AdWare.Win32.Agent.dd
Webwasher-Gateway 6.6.2 2008.04.11 Trojan.Agent.159744

File Info:
File size: 450560 bytes <-- Unpacked with UPX
MD5...: ad9888895c6daee653c7a743225d5349
SHA1..: 11d8a73cace743ce3496882555967dfa6bf822fb
SHA256: c0b3fc7e17385f760755960ffa60e5fc5bf1484e52d42541ba0b7a5b7195679d
SHA512: 6758843ad8989e283d52772f6e76ae83ae6b8182f452f42a47317cfb30337c3e5cd5595e8868ceb021fcd55a41bdfd066400e30c4b4beabb7ee52e83c04a2f5b

PE Structure information:
Base Data:
Entry Point Address.: 0x4049a6
Time Date Stamp.....: 0x466f4f9d (Wed Jun 13 01:59:57 2007)
Machine Type.......: 0x14c (I386)

PE Sections
Section VirtSize VirtAddr PhysSize PhysAddr Flags
.text 00003C0A 00001000 00004000 00001000 60000020
.rdata 000016E2 00005000 00002000 00005000 40000040
.data 00000DEC 00007000 00001000 00007000 C0000040
.rsrc 00065F28 00008000 00066000 00008000 40000040

Import table (libraries: 5)
> KERNEL32.DLL: GetShortPathNameA, GetLongPathNameA, GetSystemDirectoryA, DeleteFileA, EnterCriticalSection, GetTempPathA, FreeLibrary, LoadLibraryA, RemoveDirectoryA, LeaveCriticalSection, UnmapViewOfFile, OpenFileMappingA, CreateFileMappingA, MapViewOfFile, DeleteCriticalSection, InitializeCriticalSection, GetWindowsDirectoryA, FindFirstFileA, lstrcpynA, FindClose, CreateMutexA, GetLastError, GetCommandLineA, SetLastError, WideCharToMultiByte, lstrcmpiA, GetCurrentProcessId, Module32First, Module32Next, CloseHandle, GetModuleHandleA, GetCurrentProcess, FlushInstructionCache, GetSystemInfo, GetProcAddress, CreateDirectoryA, GetStartupInfoA, MultiByteToWideChar, MoveFileExA, IsBadStringPtrA, CreateFileA, GetVersion, WriteFile, FindResourceA, LoadResource, LockResource, SizeofResource, GetACP, lstrcmpA, GetModuleFileNameA, LoadLibraryExA, ReadProcessMemory
> ADVAPI32.dll: RegSetValueExW, RegQueryValueExW, RegOpenKeyExW, RegOpenKeyA, RegEnumKeyExA, RegCloseKey
> MSVCRT.dll: __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, _onexit, __dllonexit, ftell, fread, strchr, strrchr, fwrite, wcslen, fopen, rewind, strstr, fputs, fseek, fclose, sprintf, __2@YAPAXI@Z, tmpnam, _mbschr, _mbsnbicmp, _mbsicmp, __3@YAXPAX@Z, _snprintf, __CxxFrameHandler, _stricmp, _strlwr, _wcsicmp, _wcsnicmp, fgets, _strnicmp
> ole32.dll: CoTaskMemFree, StringFromCLSID
> SHLWAPI.dll: StrStrIA, PathFindFileNameA, SHGetValueA, PathFileExistsA, PathRemoveFileSpecA, PathAppendA

Process Details:
Process ID 1528
Filename C:\file.exe
Filesize 364032 bytes
MD5 9ac15c8e87aafa07177746cc682e6b9a
Start Reason AnalysisTarget

New Files Created:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\s1c4\TBH.cab
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\s1c4.1\InstallDll.cab
C:\WINDOWS\SCRCFG.ini
C:\WINDOWS\System32\Scrax.dll (147,456 bytes)
C:\WINDOWS\System32\Scrax.dll.bak1 (0 Bytes)
C:\WINDOWS\System32\SSup.dll (135,168 Bytes)
C:\WINDOWS\System32\SSup.dll.bak1 (0 Bytes)
C:\Program Files\TENCENT\SSPlus\SAddr.dll (192,000 Bytes)
C:\Program Files\TENCENT\SSPlus\SAddr.dll.bak1 (0 Bytes)
C:\Program Files\TENCENT\SSPlus\SData.dat (127,824 Bytes)
C:\Program Files\TENCENT\SSPlus\SPlus.dll (159,744 Bytes)
C:\Program Files\TENCENT\SSPlus\SPlus.dll.bak1 (0 Bytes)
C:\Program Files\TENCENT\SSPlus\stdtbh.dat (0 Bytes)
C:\Program Files\TENCENT\SSPlus\Update
C:\Program Files\TENCENT\SSPlus\Update\file12.dat.bak1 (135,168 Bytes)

Opened Files:
\\.\CnsMinKP
\\.\adsrsvc
\\.\BDGuard
\\.\cdnprot
\\.\cdntran
\\.\fad
\\.\anfad

Deleted Files:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\s1fo.\TBH.cab
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\s1fo.\InstallDll.cab

File System Activity in Sequential Order:
Find File: C:\WINDOWS
Get File Attributes: \s1fo. Flags: (SECURITY_ANONYMOUS)
Delete File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\s1fo.\TBH.cab
Delete File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\s1fo.\InstallDll.cab
Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\s1fo.\TBH.cab
Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\s1fo.\InstallDll.cab
Get File Attributes: Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Program Files\TENCENT\SSPlus Flags: (SECURITY_ANONYMOUS)
Open File: \\.\CnsMinKP (OPEN_EXISTING)
Open File: \\.\adsrsvc (OPEN_EXISTING)
Open File: \\.\BDGuard (OPEN_EXISTING)
Open File: \\.\cdnprot (OPEN_EXISTING)
Open File: \\.\cdntran (OPEN_EXISTING)
Open File: \\.\fad (OPEN_EXISTING)
Open File: \\.\anfad (OPEN_EXISTING)
Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\s1fo.\TBH.cab Flags: (SECURITY_ANONYMOUS)

Read INI File:
C:\Program Files\TENCENT\SSPlus\SData.dat [AT3] FT16H =
SCRCFG.ini [Main] Owner_ID =
SCRCFG.ini [Main] Custom_ID =

Mutexes:
Creates Mutex: 29702838366457702

Registry Reads:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks "{D157330A-9EF3-49F8-9A67-4141AC41ADD4}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar "{406F94F0-504F-4a40-8DFD-58B0666ABEBD}"

When the file is executed:
Files & Folder Created:
Folder: C:\Program Files\TENCENT\SSPlus
Files:
C:\Program Files\TENCENT\SSPlus\SAddr.dll (192,000 Bytes)
C:\Program Files\TENCENT\SSPlus\SAddr.dll.bak1 (0 Bytes)
C:\Program Files\TENCENT\SSPlus\SData.dat (127,824 Bytes)
C:\Program Files\TENCENT\SSPlus\SPlus.dll (159,744 Bytes)
C:\Program Files\TENCENT\SSPlus\SPlus.dll.bak1 (0 Bytes)
C:\Program Files\TENCENT\SSPlus\stdtbh.dat (0 Bytes)
Folder:
C:\Program Files\TENCENT\SSPlus\Update
Files:
C:\Program Files\TENCENT\SSPlus\Update\file12.dat.bak1 (135,168 Bytes)
Folder:
C:\DOCUME~1\ADMINI~1\Local Settings\Temp\s1c4
File:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\s1c4\TBH.cab
Folder:
C:\DOCUME~1\ADMINI~1\Local Settings\Temp\s1c4.1
File :
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\s1c4.1\InstallDll.cab

Drops the file:
C:\WINDOWS\SCRCFG.ini
C:\WINDOWS\System32\Scrax.dll (147,456 bytes)
C:\WINDOWS\System32\Scrax.dll.bak1 (0 Bytes)
C:\WINDOWS\System32\SSup.dll (135,168 Bytes)
C:\WINDOWS\System32\SSup.dll.bak1 (0 Bytes)

Content of SCRCFG.ini
[Main]
Custom_ID=71259558EBACDC418F96EE4940BC8C3A55
Owner_ID=010001

_________________
.:: MaliciousBrains ::.
http://www.malwareinfo.org

There are no patches or service packs for IGNORANCE!!
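Added example, not part of the original post and not code from Tencent or from the tools used above: a small Python parser that reads the DOS/COFF/optional headers and the section table of a PE32 file and reproduces the header and section fields quoted in the post (Machine 014C, 3 sections, TimeDateStamp 466F4F9D, entry point 0006FB80, the UPX0/UPX1/.rsrc table), then applies the usual static packer hints the UPX0/UPX1 layout illustrates: UPX section names, a writable+executable section with a virtual size but no raw data (the unpacking target), and an entry point outside the first section (the stub runs before the real code). The bytes it parses are a constructed header rebuilt from the values in the post, not the real Setup.exe; the heuristic names and thresholds are my own choices.

```python
import datetime
import struct

# IMAGE_SCN_* section characteristic bits used by the heuristics below.
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_WRITE = 0x80000000

COFF_FMT = "<HHIIIHH"                          # IMAGE_FILE_HEADER (20 bytes)
OPT32_FMT = "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII"  # IMAGE_OPTIONAL_HEADER32 through NumberOfRvaAndSizes (96 bytes)
SECTION_FMT = "<8sIIIIIIHHI"                   # IMAGE_SECTION_HEADER (40 bytes)


def parse_pe(data):
    """Return the header fields shown in the post (machine, sections, stamp, EP, ...) from raw PE32 bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, stamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    f = struct.unpack_from(OPT32_FMT, data, opt_off)
    if f[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled here")
    info = {
        "machine": machine,
        "num_sections": nsec,
        "timestamp": stamp,
        # TimeDateStamp is seconds since the Unix epoch; render it in UTC so the result is deterministic.
        "timestamp_utc": datetime.datetime.fromtimestamp(stamp, datetime.timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "characteristics": chars,
        "linker_version": (f[1], f[2]),
        "entry_point": f[6],
        "image_base": f[9],
        "size_of_image": f[19],
        "subsystem": f[22],
        "sections": [],
    }
    sec_off = opt_off + opt_size  # section table follows the optional header
    for i in range(nsec):
        name, vsize, va, rsize, rptr, _rel, _lin, _nrel, _nlin, flags = struct.unpack_from(
            SECTION_FMT, data, sec_off + 40 * i)
        info["sections"].append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                                 "vsize": vsize, "va": va, "rsize": rsize, "rptr": rptr, "flags": flags})
    return info


def section_for_rva(info, rva):
    """Section whose virtual range covers rva, or None."""
    for s in info["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"]):
            return s
    return None


def expected_file_size(info):
    """Smallest file that can hold every section's raw data (0x58200 + 0xC00 = 364032 for the post's table)."""
    return max(s["rptr"] + s["rsize"] for s in info["sections"])


def packer_hints(info):
    """Static indicators of a runtime packer; thresholds are this example's own choices."""
    hints = []
    if any(s["name"].startswith("UPX") for s in info["sections"]):
        hints.append("UPX section names present")
    for s in info["sections"]:
        if s["rsize"] == 0 and s["vsize"] >= 0x1000 and s["flags"] & SCN_MEM_EXECUTE and s["flags"] & SCN_MEM_WRITE:
            hints.append(f"{s['name']}: no raw data but {s['vsize']:#x} bytes of writable+executable virtual space")
    ep = section_for_rva(info, info["entry_point"])
    if ep is not None and ep is not info["sections"][0]:
        hints.append(f"entry point {info['entry_point']:#x} lies in {ep['name']}, not in the first section")
    return hints


def build_sample_header():
    """Constructed header reproducing the field values quoted in the post; NOT the real Setup.exe (body omitted)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature right after the DOS header
    coff = struct.pack(COFF_FMT, 0x14C, 3, 0x466F4F9D, 0, 0, 0xE0, 0x010F)
    opt = struct.pack(OPT32_FMT,
                      0x10B, 6, 0, 0x58000, 0x1000, 0x17000, 0x6FB80, 0x18000, 0x70000, 0x400000, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0, 0, 0x71000, 0x1000, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * (0xE0 - len(opt))  # 16 empty data directories
    table = [(b"UPX0", 0x17000, 0x1000, 0, 0x400, 0xE0000080),
             (b"UPX1", 0x58000, 0x18000, 0x57E00, 0x400, 0xE0000040),
             (b".rsrc", 0x1000, 0x70000, 0xC00, 0x58200, 0xC0000040)]
    secs = b"".join(struct.pack(SECTION_FMT, n, vs, va, rs, rp, 0, 0, 0, 0, fl) for n, vs, va, rs, rp, fl in table)
    return bytes(dos) + b"PE\0\0" + coff + opt + secs


if __name__ == "__main__":
    info = parse_pe(build_sample_header())
    print(f"Machine {info['machine']:04X}, {info['num_sections']} sections, "
          f"TimeDateStamp {info['timestamp']:08X} ({info['timestamp_utc']} UTC)")
    for s in info["sections"]:
        print(f"{s['name']:<6} VirtSize {s['vsize']:08X} VirtAddr {s['va']:08X} "
              f"PhysSize {s['rsize']:08X} PhysAddr {s['rptr']:08X} Flags {s['flags']:08X}")
    print("expected file size:", expected_file_size(info))
    for h in packer_hints(info):
        print("hint:", h)
```

To run it on a real sample, replace `build_sample_header()` with `open(path, "rb").read()`; the section-derived file size is a cheap overlay check (anything beyond it is appended data), and the three hints together are what PEiD's "UPX 2.90" signature match above boils down to when no signature database is at hand.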

