General Information |
---|
Analysis ID: | 35502 |
Start time: | 14:04:37 |
Start date: | 11/09/2013 |
Overall analysis duration: | 0h 12m 9s |
Report type: | full |
Sample file name: | g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe |
Cookbook file name: | Bypass long sleeps.jbs |
Analysis system description: | XP SP3 (Office 2003 SP2, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8) |
Number of new started processes analysed: | 1 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
HCA enabled: | true |
HCA success: | true, ratio: 98% |
Warnings: |
|
Detection |
---|
Strategy | Detection | Index | Report FP/FN |
---|---|---|---|
Threshold | malicious | 0.040 | |
Signature Overview |
---|
Networking: |
---|
Contains functionality to download additional files from the internet |
Tries to download non-existing http data (HTTP/1.1 404 Not Found) |
Urls found in memory or binary data |
Downloads files from webservers via HTTP |
Boot Survival: |
---|
Creates an autostart registry key |
Persistence and Installation Behavior: |
---|
Drops PE files |
Data Obfuscation: |
---|
Binary may include packed or encrypted data |
Contains functionality to dynamically determine API calls |
PE file contains an invalid checksum |
PE sections with suspicious entropy found |
Spreading: |
---|
Contains functionality to enumerate / list files inside a directory |
System Summary: |
---|
Contains functionality to adjust token privileges (e.g. debug / backup) |
Contains functionality to enum processes or threads |
Contains functionality to load and extract PE file embedded resources |
Creates files inside the user directory |
Creates mutexes |
Enables driver privileges |
Tries to load missing DLLs |
HIPS / PFW / Operating System Protection Evasion: |
---|
May try to detect the Windows Explorer process (often used for injection) |
Anti Debugging: |
---|
Contains functionality to register its own exception handler |
Contains functionality to check if a debugger is running (IsDebuggerPresent) |
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems) |
Contains functionality to dynamically determine API calls |
Creates guard pages, often used to prevent reverse engineering and debugging |
Found dropped PE file which has not been started or loaded |
Executes massive amount of sleeps in a loop |
Virtual Machine Detection: |
---|
Contains functionality to enumerate / list files inside a directory |
Queries a list of all running processes |
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory) |
Contains long sleeps (>= 3 min) |
Language, Device and Operating System Detection: |
---|
Contains functionality to query local / system time |
Contains functionality to query the account / user name |
Contains functionality to query windows version |
Queries device information via Setup API |
Queries the volume information (name, serial number etc) of a device |
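The two sleep findings above ("Executes massive amount of sleeps in a loop", "Contains long sleeps (>= 3 min)") and the "Bypass long sleeps.jbs" cookbook describe one evasion and its countermeasure: the sample stalls so that the analysis window (12m 9s here) expires before anything interesting runs, and the sandbox hooks Sleep to cap the delay. The script below is an added example, not Joe Sandbox code, and the report contains no API trace: TRACE is a constructed call log in a made-up format, and the thresholds (a single sleep of 180 s, or 50 Sleep calls from one return address) are assumptions chosen to mirror the wording of the findings.

```python
"""Flag sleep-based evasion in an API-call trace and show what a sleep cap does."""
import re
from collections import Counter

# Constructed trace format (not a Joe Sandbox format): one call per line,
# "tid=<hex> <Api>(<arg>) ret=<return address>".
CALL_RE = re.compile(r"tid=(0x[0-9a-f]+)\s+(\w+)\(([^)]*)\)\s+ret=(0x[0-9a-f]+)")

# Constructed sample: a 60-iteration delay loop, then one five-minute sleep
# before the first file operation.
TRACE = "\n".join(
    ["tid=0x1a4 Sleep(dwMilliseconds=250) ret=0x401f2a"] * 60
    + [
        "tid=0x1a4 GetTickCount() ret=0x401f40",
        "tid=0x1a4 Sleep(dwMilliseconds=300000) ret=0x402010",
        "tid=0x1a4 CreateFileA(lpFileName=...) ret=0x4020c3",
    ]
)


def _ms(arg: str) -> int:
    """Pull the first integer out of an argument list, 0 if there is none."""
    m = re.search(r"\d+", arg)
    return int(m.group()) if m else 0


def parse_trace(text: str):
    """Return (tid, api, numeric_arg, return_address) per call."""
    return [
        (int(tid, 16), api, _ms(arg), int(ret, 16))
        for tid, api, arg, ret in CALL_RE.findall(text)
    ]


def detect_sleep_evasion(calls, long_ms=180_000, loop_calls=50):
    """Mirror the two findings: any single long sleep, and sleep loops
    (many Sleep calls issued from the same return address)."""
    sleeps = [(ret, ms) for _, api, ms, ret in calls if api == "Sleep"]
    per_site = Counter(ret for ret, _ in sleeps)
    return {
        "long_sleeps": [(ret, ms) for ret, ms in sleeps if ms >= long_ms],
        "sleep_loops": {ret: n for ret, n in per_site.items() if n >= loop_calls},
        "requested_ms": sum(ms for _, ms in sleeps),
    }


def clamp_sleeps(calls, cap_ms=1000):
    """Effective delay once a 'bypass long sleeps' hook caps every request.
    Short loop iterations pass through; the long sleep collapses to cap_ms."""
    return sum(min(ms, cap_ms) for _, api, ms, _ in calls if api == "Sleep")


if __name__ == "__main__":
    calls = parse_trace(TRACE)
    report = detect_sleep_evasion(calls)
    for ret, ms in report["long_sleeps"]:
        print(f"long sleep {ms} ms from 0x{ret:x}")
    for ret, n in report["sleep_loops"].items():
        print(f"sleep loop: {n} calls from 0x{ret:x}")
    print(f"requested {report['requested_ms']} ms, "
          f"effective {clamp_sleeps(calls)} ms after capping")
```

The 300 s sleep alone would consume roughly 40% of this report's 12-minute window; with the cap it costs one second, which is why the cookbook is selected for samples that show these two findings. Keying the loop detector on the return address rather than on the thread lets a loop that sleeps 250 ms per iteration stand out even though no single call is long.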
Screenshot |
---|
Startup |
---|
|
Created / dropped Files |
---|
File Path | Hashes |
---|---|
C:\Documents and Settings\All Users\Application Data\sasrrU33\sasrrU33.exe |
|
C:\Documents and Settings\All Users\Application Data\sasrrU33\sasrrU33.exe.manifest |
|
C:\Documents and Settings\All Users\Application Data\sasrrU33\sasrrU33.ico |
|
C:\Documents and Settings\All Users\Application Data\sasrrU33\sasrrU33NwixDxva.in |
|
\ROUTER |
|
Contacted Domains |
---|
No contacted domains info |
---|
Contacted IPs |
---|
No contacted IP infos |
---|
Static File Info |
---|
File type: | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
File name: | g3nVg3g3-9fac72a50a7f756d0d3319c686850516.exe |
File size: | 688128 |
MD5: | 9fac72a50a7f756d0d3319c686850516 |
SHA1: | 44c0c63e78a7cfe90e748a44c99951dc59c5aa29 |
SHA256: | 5d349792f053bf0b410a7e89fedf065d413c80cf113368040cbded9e0bd758c7 |
SHA512: | 0d7980e2d93cc93a62371fea6824028fe488fbf9716d29a5468b46642b6f4ab79878c00c58c378779660ad68a09ed7df9e6844034d2de823569dae4152177062 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x403c90 |
Entrypoint Section: | .text |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
DLL Characteristics: | |
Time Stamp: | 0x4C36E8CC [Fri Jul 09 09:15:56 2010 UTC] |
TLS Callbacks: | |
Digitally signed: | False |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0xfe310 | 0x468 | data | Chinese | China |
RT_DIALOG | 0x106578 | 0x116 | data | English | United States |
RT_DIALOG | 0x106690 | 0x26e | data | English | United States |
RT_DIALOG | 0x106900 | 0x26e | data | Japanese | Japan |
RT_DIALOG | 0x106b70 | 0x26e | data | Korean | North Korea |
RT_DIALOG | 0x106b70 | 0x26e | data | Korean | South Korea |
RT_DIALOG | 0x106de0 | 0x26e | data | Chinese | China |
RT_DIALOG | 0x107050 | 0xc2 | data | English | United States |
RT_DIALOG | 0x107114 | 0xc2 | data | Japanese | Japan |
RT_DIALOG | 0x1071d8 | 0xc2 | data | Korean | North Korea |
RT_DIALOG | 0x1071d8 | 0xc2 | data | Korean | South Korea |
RT_DIALOG | 0x10729c | 0xb2 | data | Chinese | China |
RT_STRING | 0x107350 | 0xc2 | data | English | United States |
RT_STRING | 0x107414 | 0xc2 | data | Japanese | Japan |
RT_STRING | 0x1074d8 | 0x6e | data | Chinese | China |
RT_GROUP_ICON | 0x107548 | 0x4c | MS Windows icon resource - 1 icon | Chinese | China |
Imports |
---|
DLL | Import |
---|---|
MFC42.DLL | |
MSVCRT.dll | __set_app_type, __p__fmode, _setmbcp, __CxxFrameHandler, _mbscmp, free, malloc, _mbsrchr, atoi, sprintf, __dllonexit, _onexit, _except_handler3, ?terminate@@YAXXZ, _exit, _XcptFilter, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, _controlfp |
KERNEL32.dll | SetLastError, GetStartupInfoA, GetPrivateProfileStringA, LocalFree, GetLastError, WritePrivateProfileStringA, lstrlenA, CopyFileA, GetTempPathA, Sleep, GetSystemDirectoryA, GetVersionExA, GetModuleFileNameA, GetPrivateProfileIntA, GetSystemDefaultLCID, GetCurrentProcess, CloseHandle, WriteFile, CreateFileA, DeleteFileA, FreeLibrary, GetModuleHandleA, LoadLibraryA, GetProcAddress |
USER32.dll | SetTimer, ExitWindowsEx, SetDlgItemTextA, MsgWaitForMultipleObjects, GetForegroundWindow, PeekMessageA, DispatchMessageA, GetWindowLongA, IsIconic, GetWindowTextA, DrawIcon, UpdateWindow, GetSystemMenu, AppendMenuA, SetParent, LoadIconA, EnableWindow, DrawFocusRect, SetRect, FillRect, GetClientRect, GetParent, SendMessageA, InflateRect, DrawStateA, InvalidateRect, LoadImageA, CopyRect, PostMessageA, GetSystemMetrics, KillTimer |
GDI32.dll | GetTextExtentPoint32A, CreatePen, CreateSolidBrush, RoundRect |
ADVAPI32.dll | RegEnumKeyExA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyA, RegQueryInfoKeyA, RegQueryValueExA, RegDeleteValueA, RegCreateKeyA, RegSetValueExA, RegCloseKey, RegOpenKeyExA |
SHELL32.dll | ShellExecuteA, ShellExecuteExA |
COMCTL32.dll | _TrackMouseEvent |
VERSION.dll | GetFileVersionInfoA, VerQueryValueA, GetFileVersionInfoSizeA |
SHLWAPI.dll | PathFileExistsA |
SETUPAPI.dll | SetupDiDestroyDeviceInfoList, SetupDiEnumDeviceInfo, SetupDiGetClassDevsW, SetupDiGetDeviceRegistryPropertyW |
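Most "Contains functionality to ..." findings in the Signature Overview can be reproduced from the import table alone: OpenProcessToken + LookupPrivilegeValueA + AdjustTokenPrivileges is the privilege-adjustment finding, RegCreateKeyA + RegSetValueExA is the autostart candidate, the SetupDi* quartet is the Setup API device query, and LoadLibraryA + GetProcAddress is the dynamic API resolution. Just as telling is what is absent: no WinINet, WinSock or urlmon import, so the HTTP download seen in the Network Behavior section must go through resolved-at-runtime APIs or through the dropped executable. The script below is an added example, not Joe Sandbox's signature logic; the import table is copied from the report (CRT and GDI name lists are left empty because no rule keys on them), and the API-to-capability rules are the author's own assumptions.

```python
"""Capability tagging from the import table in the Static PE Info section."""

# Copied from the Imports table above. MFC42.DLL is imported by ordinal, so
# it has no names; MSVCRT/GDI32/COMCTL32 names are omitted (no rule uses them).
IMPORTS = {
    "MFC42.DLL": [],
    "MSVCRT.dll": [],
    "KERNEL32.dll": ["SetLastError", "GetStartupInfoA", "GetPrivateProfileStringA",
                     "LocalFree", "GetLastError", "WritePrivateProfileStringA",
                     "lstrlenA", "CopyFileA", "GetTempPathA", "Sleep",
                     "GetSystemDirectoryA", "GetVersionExA", "GetModuleFileNameA",
                     "GetPrivateProfileIntA", "GetSystemDefaultLCID",
                     "GetCurrentProcess", "CloseHandle", "WriteFile", "CreateFileA",
                     "DeleteFileA", "FreeLibrary", "GetModuleHandleA",
                     "LoadLibraryA", "GetProcAddress"],
    "USER32.dll": ["SetTimer", "ExitWindowsEx", "SetDlgItemTextA",
                   "MsgWaitForMultipleObjects", "GetForegroundWindow",
                   "PeekMessageA", "DispatchMessageA", "GetWindowLongA", "IsIconic",
                   "GetWindowTextA", "DrawIcon", "UpdateWindow", "GetSystemMenu",
                   "AppendMenuA", "SetParent", "LoadIconA", "EnableWindow",
                   "DrawFocusRect", "SetRect", "FillRect", "GetClientRect",
                   "GetParent", "SendMessageA", "InflateRect", "DrawStateA",
                   "InvalidateRect", "LoadImageA", "CopyRect", "PostMessageA",
                   "GetSystemMetrics", "KillTimer"],
    "GDI32.dll": [],
    "ADVAPI32.dll": ["RegEnumKeyExA", "OpenProcessToken", "LookupPrivilegeValueA",
                     "AdjustTokenPrivileges", "RegOpenKeyA", "RegQueryInfoKeyA",
                     "RegQueryValueExA", "RegDeleteValueA", "RegCreateKeyA",
                     "RegSetValueExA", "RegCloseKey", "RegOpenKeyExA"],
    "SHELL32.dll": ["ShellExecuteA", "ShellExecuteExA"],
    "COMCTL32.dll": [],
    "VERSION.dll": ["GetFileVersionInfoA", "VerQueryValueA", "GetFileVersionInfoSizeA"],
    "SHLWAPI.dll": ["PathFileExistsA"],
    "SETUPAPI.dll": ["SetupDiDestroyDeviceInfoList", "SetupDiEnumDeviceInfo",
                     "SetupDiGetClassDevsW", "SetupDiGetDeviceRegistryPropertyW"],
}

# Assumed rules (author's own, not the sandbox's): a capability is tagged only
# when every API in its tuple is imported.
CAPABILITY_RULES = {
    "dynamic API resolution": ("LoadLibraryA", "GetProcAddress"),
    "token privilege adjustment": ("OpenProcessToken", "LookupPrivilegeValueA",
                                   "AdjustTokenPrivileges"),
    "registry write (autostart candidate)": ("RegCreateKeyA", "RegSetValueExA"),
    "file drop / self-copy": ("CopyFileA", "GetTempPathA", "WriteFile"),
    "INI-style configuration": ("GetPrivateProfileStringA", "WritePrivateProfileStringA"),
    "device enumeration via Setup API": ("SetupDiGetClassDevsW", "SetupDiEnumDeviceInfo",
                                         "SetupDiGetDeviceRegistryPropertyW"),
    "OS version / locale query": ("GetVersionExA", "GetSystemDefaultLCID"),
    "process launch via shell": ("ShellExecuteA",),
    "shutdown / reboot": ("ExitWindowsEx",),
    "timing delays": ("Sleep",),
    # Not imported here: the process-enumeration finding must come from
    # runtime-resolved APIs, which is exactly what GetProcAddress enables.
    "process enumeration via Toolhelp": ("CreateToolhelp32Snapshot", "Process32First"),
}

# DLLs that would show static network capability; none appear in this sample.
NETWORK_DLLS = {"wininet.dll", "ws2_32.dll", "wsock32.dll", "urlmon.dll", "winhttp.dll"}


def imported_names(imports):
    return {name for names in imports.values() for name in names}


def tag_capabilities(imports, rules=CAPABILITY_RULES):
    present = imported_names(imports)
    return {cap: apis for cap, apis in rules.items() if all(a in present for a in apis)}


def has_static_network_imports(imports):
    return any(dll.lower() in NETWORK_DLLS for dll in imports)


if __name__ == "__main__":
    for cap, apis in tag_capabilities(IMPORTS).items():
        print(f"{cap}: {', '.join(apis)}")
    print("static network imports:", has_static_network_imports(IMPORTS))
```

Rules are all-of conjunctions on purpose: a lone RegSetValueExA is in every installer, but paired with RegCreateKeyA, CopyFileA and the ProgramData drop path listed under Created / dropped Files it is the persistence chain the "Creates an autostart registry key" finding reports. The missing Toolhelp and network imports are the reason the dynamic-resolution finding appears twice in the overview.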
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Entropy |
---|---|---|---|---|
.text | 0x1000 | 0x85d2 | 0x9000 | 6.09931624224 |
.rdata | 0xa000 | 0x2b3c | 0x3000 | 4.493124447 |
.data | 0xd000 | 0xf0560 | 0x91000 | 7.12738207246 |
.rsrc | 0xfe000 | 0xa095a0 | 0xa000 | 5.33524932677 |
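The section table carries the evidence behind "PE sections with suspicious entropy found" and "Binary may include packed or encrypted data": .data has entropy 7.13 over 0x91000 raw bytes, while .text sits at a normal 6.1. It also shows something the findings do not spell out: .rsrc declares a virtual size of 0xa095a0 (about 10 MB) against 0xa000 bytes on disk, yet every resource entry listed above ends before RVA 0x108000, so the oversized header field is not backed by real data. The script below is an added example, not Joe Sandbox code; the section, resource and header values are copied from the report (duplicate Korean RVAs collapsed), and the entropy threshold of 7.0 and the 4x size-ratio threshold are the author's assumptions.

```python
"""Static triage of the section table and header fields from the report."""
import math
from collections import Counter
from datetime import datetime, timezone

IMAGE_BASE = 0x400000
ENTRYPOINT = 0x403c90
TIME_DATE_STAMP = 0x4C36E8CC

# (name, virtual address, virtual size, raw size, entropy) from the report
SECTIONS = [
    (".text",  0x1000,  0x85d2,   0x9000,  6.09931624224),
    (".rdata", 0xa000,  0x2b3c,   0x3000,  4.493124447),
    (".data",  0xd000,  0xf0560,  0x91000, 7.12738207246),
    (".rsrc",  0xfe000, 0xa095a0, 0xa000,  5.33524932677),
]

# (RVA, size) of each resource entry from the report
RESOURCES = [
    (0xfe310, 0x468), (0x106578, 0x116), (0x106690, 0x26e), (0x106900, 0x26e),
    (0x106b70, 0x26e), (0x106de0, 0x26e), (0x107050, 0xc2), (0x107114, 0xc2),
    (0x1071d8, 0xc2), (0x10729c, 0xb2), (0x107350, 0xc2), (0x107414, 0xc2),
    (0x1074d8, 0x6e), (0x107548, 0x4c),
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes.
    This is the statistic in the report's Entropy column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def decode_timestamp(stamp: int) -> str:
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since the Unix epoch, UTC."""
    when = datetime.fromtimestamp(stamp, tz=timezone.utc)
    return when.strftime("%a %b %d %H:%M:%S %Y UTC")


def section_for_rva(rva: int, sections=SECTIONS):
    """Name of the section whose mapped range contains the RVA."""
    for name, va, vsize, raw, _ in sections:
        if va <= rva < va + max(vsize, raw):
            return name
    return None


def triage_sections(sections=SECTIONS, entropy_threshold=7.0, bloat_ratio=4):
    """Assumed heuristics: high entropy means packed/encrypted data; a virtual
    size many times the raw size means the header claims memory that is never
    populated from disk."""
    findings = []
    for name, _, vsize, raw, entropy in sections:
        if entropy >= entropy_threshold:
            findings.append((name, f"entropy {entropy:.2f} >= {entropy_threshold}: "
                                   "likely packed or encrypted payload"))
        if raw and vsize > raw * bloat_ratio:
            findings.append((name, f"virtual size 0x{vsize:x} is {vsize // raw}x "
                                   f"the raw size 0x{raw:x}"))
    return findings


def resources_fit_in_raw(resources=RESOURCES, sections=SECTIONS) -> bool:
    """Cross-check the inflated .rsrc header against the resource directory:
    do all listed resources end within the bytes actually present on disk?"""
    for name, va, _, raw, _ in sections:
        if name == ".rsrc":
            return max(rva + size for rva, size in resources) <= va + raw
    return False


if __name__ == "__main__":
    print("compiled:", decode_timestamp(TIME_DATE_STAMP))
    print("entry point in:", section_for_rva(ENTRYPOINT - IMAGE_BASE))
    for name, why in triage_sections():
        print(f"{name}: {why}")
    print("resources fit on-disk .rsrc:", resources_fit_in_raw())
```

The decoded timestamp reproduces the report's "Fri Jul 09 09:15:56 2010 UTC", and the entry point RVA 0x3c90 lands in .text as the header says; neither is evidence of tampering on its own, but a 2010 link time on a 2013 submission is worth recording alongside the invalid checksum finding. The resource cross-check is the useful part: a 10 MB .rsrc virtual size that holds under 0x9600 bytes of real resources is a header oddity, not hidden content, so the high-entropy .data section remains the place to look for the packed payload.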
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Chinese | China | |
English | United States | |
Japanese | Japan | |
Korean | North Korea | |
Korean | South Korea |
Network Behavior |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 11, 2013 14:05:58.783783913 MESZ | 1031 | 80 | 192.168.0.10 | 219.235.1.127 |
Sep 11, 2013 14:05:58.783812046 MESZ | 80 | 1031 | 219.235.1.127 | 192.168.0.10 |
Sep 11, 2013 14:05:58.784151077 MESZ | 1031 | 80 | 192.168.0.10 | 219.235.1.127 |
Sep 11, 2013 14:05:58.785469055 MESZ | 1032 | 80 | 192.168.0.10 | 219.235.1.127 |
Sep 11, 2013 14:05:58.785499096 MESZ | 80 | 1032 | 219.235.1.127 | 192.168.0.10 |
Sep 11, 2013 14:05:58.785815001 MESZ | 1032 | 80 | 192.168.0.10 | 219.235.1.127 |
Sep 11, 2013 14:05:58.790313959 MESZ | 1032 | 80 | 192.168.0.10 | 219.235.1.127 |
Sep 11, 2013 14:05:58.790330887 MESZ | 80 | 1032 | 219.235.1.127 | 192.168.0.10 |
Sep 11, 2013 14:05:58.791136026 MESZ | 1031 | 80 | 192.168.0.10 | 219.235.1.127 |
Sep 11, 2013 14:05:58.791147947 MESZ | 80 | 1031 | 219.235.1.127 | 192.168.0.10 |
Sep 11, 2013 14:06:09.030019045 MESZ | 80 | 1032 | 219.235.1.127 | 192.168.0.10 |
Sep 11, 2013 14:06:09.209880114 MESZ | 1032 | 80 | 192.168.0.10 | 219.235.1.127 |
Sep 11, 2013 14:06:18.610122919 MESZ | 1032 | 80 | 192.168.0.10 | 219.235.1.127 |
Sep 11, 2013 14:06:18.610140085 MESZ | 80 | 1032 | 219.235.1.127 | 192.168.0.10 |
Sep 11, 2013 14:06:24.238883972 MESZ | 80 | 1032 | 219.235.1.127 | 192.168.0.10 |
Sep 11, 2013 14:06:24.242336988 MESZ | 1032 | 80 | 192.168.0.10 | 219.235.1.127 |
Sep 11, 2013 14:06:24.242353916 MESZ | 80 | 1032 | 219.235.1.127 | 192.168.0.10 |
Sep 11, 2013 14:06:29.316023111 MESZ | 1031 | 80 | 192.168.0.10 | 219.235.1.127 |
Sep 11, 2013 14:06:29.316122055 MESZ | 80 | 1031 | 219.235.1.127 | 192.168.0.10 |
Sep 11, 2013 14:06:29.316428900 MESZ | 1031 | 80 | 192.168.0.10 | 219.235.1.127 |
Sep 11, 2013 14:06:34.390074968 MESZ | 80 | 1032 | 219.235.1.127 | 192.168.0.10 |
Sep 11, 2013 14:06:34.576905012 MESZ | 1032 | 80 | 192.168.0.10 | 219.235.1.127 |
Sep 11, 2013 14:07:39.354384899 MESZ | 80 | 1032 | 219.235.1.127 | 192.168.0.10 |
Sep 11, 2013 14:07:39.354948997 MESZ | 1032 | 80 | 192.168.0.10 | 219.235.1.127 |
HTTP Request Dependency Graph |
---|
|
HTTP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Header | Total Bytes Transferred (KB) |
---|---|---|---|---|---|---|
Sep 11, 2013 14:05:58.790313959 MESZ | 1032 | 80 | 192.168.0.10 | 219.235.1.127 | 0 | |
Sep 11, 2013 14:05:58.791136026 MESZ | 1031 | 80 | 192.168.0.10 | 219.235.1.127 | 1 | |
Sep 11, 2013 14:06:09.030019045 MESZ | 80 | 1032 | 219.235.1.127 | 192.168.0.10 | 1 | |
Sep 11, 2013 14:06:18.610122919 MESZ | 1032 | 80 | 192.168.0.10 | 219.235.1.127 | 1 | |
Sep 11, 2013 14:06:24.238883972 MESZ | 80 | 1032 | 219.235.1.127 | 192.168.0.10 | 2 | |
Sep 11, 2013 14:06:24.242336988 MESZ | 1032 | 80 | 192.168.0.10 | 219.235.1.127 | 2 | |
Sep 11, 2013 14:06:34.390074968 MESZ | 80 | 1032 | 219.235.1.127 | 192.168.0.10 | 2 |
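Read as a flat list, the TCP Packets table hides the shape of the traffic. Rebuilt into flows it is two HTTP connections from the sandbox (192.168.0.10) to 219.235.1.127:80, opened within 2 ms of each other: port 1031 exchanges eight packets and is done after about 30 s, port 1032 exchanges sixteen and stays open for about 100 s, which matches the HTTP Packets table where 1032 carries the request/response pairs. The script below is an added example, not Joe Sandbox code; PACKET_ROWS is the TCP Packets table copied from the report, and the sandbox address is taken from its Source IP column.

```python
"""Rebuild client->server flows from the flattened TCP packet table."""
from datetime import datetime

SANDBOX_IP = "192.168.0.10"  # analysis VM, per the Source IP column above

# TCP Packets table from the report: timestamp | src port | dst port | src IP | dst IP
PACKET_ROWS = """\
Sep 11, 2013 14:05:58.783783913 MESZ | 1031 | 80 | 192.168.0.10 | 219.235.1.127
Sep 11, 2013 14:05:58.783812046 MESZ | 80 | 1031 | 219.235.1.127 | 192.168.0.10
Sep 11, 2013 14:05:58.784151077 MESZ | 1031 | 80 | 192.168.0.10 | 219.235.1.127
Sep 11, 2013 14:05:58.785469055 MESZ | 1032 | 80 | 192.168.0.10 | 219.235.1.127
Sep 11, 2013 14:05:58.785499096 MESZ | 80 | 1032 | 219.235.1.127 | 192.168.0.10
Sep 11, 2013 14:05:58.785815001 MESZ | 1032 | 80 | 192.168.0.10 | 219.235.1.127
Sep 11, 2013 14:05:58.790313959 MESZ | 1032 | 80 | 192.168.0.10 | 219.235.1.127
Sep 11, 2013 14:05:58.790330887 MESZ | 80 | 1032 | 219.235.1.127 | 192.168.0.10
Sep 11, 2013 14:05:58.791136026 MESZ | 1031 | 80 | 192.168.0.10 | 219.235.1.127
Sep 11, 2013 14:05:58.791147947 MESZ | 80 | 1031 | 219.235.1.127 | 192.168.0.10
Sep 11, 2013 14:06:09.030019045 MESZ | 80 | 1032 | 219.235.1.127 | 192.168.0.10
Sep 11, 2013 14:06:09.209880114 MESZ | 1032 | 80 | 192.168.0.10 | 219.235.1.127
Sep 11, 2013 14:06:18.610122919 MESZ | 1032 | 80 | 192.168.0.10 | 219.235.1.127
Sep 11, 2013 14:06:18.610140085 MESZ | 80 | 1032 | 219.235.1.127 | 192.168.0.10
Sep 11, 2013 14:06:24.238883972 MESZ | 80 | 1032 | 219.235.1.127 | 192.168.0.10
Sep 11, 2013 14:06:24.242336988 MESZ | 1032 | 80 | 192.168.0.10 | 219.235.1.127
Sep 11, 2013 14:06:24.242353916 MESZ | 80 | 1032 | 219.235.1.127 | 192.168.0.10
Sep 11, 2013 14:06:29.316023111 MESZ | 1031 | 80 | 192.168.0.10 | 219.235.1.127
Sep 11, 2013 14:06:29.316122055 MESZ | 80 | 1031 | 219.235.1.127 | 192.168.0.10
Sep 11, 2013 14:06:29.316428900 MESZ | 1031 | 80 | 192.168.0.10 | 219.235.1.127
Sep 11, 2013 14:06:34.390074968 MESZ | 80 | 1032 | 219.235.1.127 | 192.168.0.10
Sep 11, 2013 14:06:34.576905012 MESZ | 1032 | 80 | 192.168.0.10 | 219.235.1.127
Sep 11, 2013 14:07:39.354384899 MESZ | 80 | 1032 | 219.235.1.127 | 192.168.0.10
Sep 11, 2013 14:07:39.354948997 MESZ | 1032 | 80 | 192.168.0.10 | 219.235.1.127
"""


def parse_row(line: str):
    """One table row -> (datetime, src port, dst port, src IP, dst IP).
    MESZ is the German abbreviation for CEST; the sandbox logs wall-clock
    time, so the value is kept naive. The fraction is nanoseconds and
    datetime stores microseconds, so it is truncated."""
    ts, sport, dport, sip, dip = (c.strip() for c in line.split("|"))
    date_part, clock = ts.replace(" MESZ", "").rsplit(" ", 1)
    hms, frac = clock.split(".")
    when = datetime.strptime(f"{date_part} {hms}", "%b %d, %Y %H:%M:%S")
    return when.replace(microsecond=int(frac[:6])), int(sport), int(dport), sip, dip


def build_flows(rows: str = PACKET_ROWS, sandbox_ip: str = SANDBOX_IP):
    """Group packets by connection, oriented client->server so that both
    directions share one key (client IP, client port, server IP, server port)."""
    flows = {}
    for line in rows.splitlines():
        if not line.strip():
            continue
        when, sport, dport, sip, dip = parse_row(line)
        outbound = sip == sandbox_ip
        key = (sip, sport, dip, dport) if outbound else (dip, dport, sip, sport)
        f = flows.setdefault(key, {"first": when, "last": when, "out": 0, "in": 0})
        f["out" if outbound else "in"] += 1
        f["first"] = min(f["first"], when)
        f["last"] = max(f["last"], when)
    return flows


def summarize(flows):
    """One record per flow with endpoints, packet counts and lifetime."""
    return [
        {
            "client": f"{k[0]}:{k[1]}", "server": f"{k[2]}:{k[3]}",
            "out": v["out"], "in": v["in"],
            "seconds": round((v["last"] - v["first"]).total_seconds(), 3),
        }
        for k, v in sorted(flows.items())
    ]


if __name__ == "__main__":
    for rec in summarize(build_flows()):
        print(rec)
```

The orientation step is the part worth copying: keying on the sandbox's ephemeral port rather than on (src, dst) pairs is what folds the server's replies into the same flow, and it is also what lets the 100 s lifetime of port 1032 be read against the HTTP 404 finding and the "Contacted IPs: No contacted IP infos" line above, which this table contradicts.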
Code Manipulation Behavior |
---|
System Behavior |
---|