Dynamic-analysis trace of the Kuluoz.B sample C:\Print_label.exe (MD5 ab5a9f8c735487bf15b98a8c10cb582a) on Windows XP (5.1.2600, Service Pack 0). Events are listed in the order the sandbox recorded them; Process ID and Parent ID are the PIDs observed during the run.

| Type | Mode/Class | Details (Path/Message/Protocol/Hostname/Qtype/ListenPort etc.) | Process ID | Parent ID | File Size |
|---|---|---|---|---|---|
| Analysis | Malware | | | | |
| Os | | Name: windows Version: 5.1.2600 Service Pack: 0 | | | |
| Os Monitor | | Build: 69105 Date: Jan 24 2012 Time: 14:44:55 | | | |
| Process | Started | C:\Print_label.exe Parentname: C:\WINDOWS\system32\cmd.exe Command Line: "c:\Print_label.exe" MD5: ab5a9f8c735487bf15b98a8c10cb582a SHA1: f64682ba5d65b4b08ae7c4fe9b910b853e5ffe31 | 1292 | 1264 | 53248 |
| Malicious Alert | Anomaly Tag | Message: Startup behavior anomalies observed Detail: A new process has been launched | | | |
| Mutex | | Imagepath: C:\Print_label.exe | 1292 | | |
| Process | Started | C:\WINDOWS\system32\svchost.exe Parentname: C:\Print_label.exe Command Line: svchost.exe | 640 | 1292 | |
| Malicious Alert | Misc Anomaly | Message: New service host started Detail: Malware starting new instance of svchost.exe | | | |
| API Call | | API Name: Sleep Address: 0x00405fcf Params: [500] Imagepath: C:\Print_label.exe DLL Name: kernel32 | 1292 | | |
| Malicious Alert | Misc Anomaly | Message: Tracking Sleep/SleepEx API Call Detail: Malware Sleep | | | |
| Codeinjection | Create process suspended section mapped code injection | Source: C:\Print_label.exe Target: C:\WINDOWS\system32\svchost.exe | | | |
| Malicious Alert | Misc Anomaly | Message: Code injection detected | | | |
| Mutex | | Imagepath: C:\WINDOWS\system32\svchost.exe | 640 | | |
| Process | Terminated | C:\Print_label.exe Parentname: C:\WINDOWS\system32\cmd.exe Command Line: N/A | 1292 | 1264 | |
| Regkey | Setval | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\"Directory" = C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5 | 640 | | |
| Regkey | Setval | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\"Paths" = 0x00000004 | 640 | | |
| Regkey | Setval | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\"CachePath" = C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\Cache1 | 640 | | |
| Regkey | Setval | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\"CachePath" = C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\Cache2 | 640 | | |
| Regkey | Setval | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\"CachePath" = C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\Cache3 | 640 | | |
| Regkey | Setval | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\"CachePath" = C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\Cache4 | 640 | | |
| Regkey | Setval | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\"CacheLimit" = 0x000fffac | 640 | | |
| Regkey | Setval | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\"CacheLimit" = 0x000fffac | 640 | | |
| Regkey | Setval | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\"CacheLimit" = 0x000fffac | 640 | | |
| Regkey | Setval | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\"CacheLimit" = 0x000fffac | 640 | | |
| File | Open | C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat MD5: 8507f2e0f5dcc75be3f84412a5c4ce79 SHA1: ab960305a3fe8610fb420be033b022891f352abe | 640 | | 65536 |
| File | Close | C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat MD5: f5a5270f78fbba9605b0211736506452 SHA1: 605fc4af8b9a9ff0d0a2694fc9ffedd228ffa25f | 640 | | 65536 |
| Folder | Open | C:\Documents and Settings\admin\Cookies | 640 | | |
| File | Open | C:\Documents and Settings\admin\Cookies\index.dat MD5: 5b8619de7a4b3491feab3fd6e3b507d7 SHA1: 02b14f6cdc1592b070cd192fdaaa008cfaa74fcd | 640 | | 32768 |
| Malicious Alert | Data Theft | Message: Internet Explorer cookie index read Detail: Malware reading IE cookie index | | | |
| File | Close | C:\Documents and Settings\admin\Cookies\index.dat MD5: 5b8619de7a4b3491feab3fd6e3b507d7 SHA1: 02b14f6cdc1592b070cd192fdaaa008cfaa74fcd | 640 | | 32768 |
| File | Open | C:\Documents and Settings\admin\Local Settings\History\History.IE5\index.dat MD5: f5b5fdbc8d8acfda71a6a428206d5ff3 SHA1: fb14e5c0b024fae6e5860205cce8b7c4b69379d8 | 640 | | 32768 |
| Malicious Alert | Data Theft | Message: Internet Explorer history index read Detail: Malware reading IE history index | | | |
| File | Close | C:\Documents and Settings\admin\Local Settings\History\History.IE5\index.dat MD5: f5b5fdbc8d8acfda71a6a428206d5ff3 SHA1: fb14e5c0b024fae6e5860205cce8b7c4b69379d8 | 640 | | 32768 |
| Mutex | | Imagepath: C:\WINDOWS\system32\svchost.exe | 640 | | |
| Regkey | Setval | \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"ProxyEnable" = 0x00000000 | 640 | | |
| Malicious Alert | Misc Anomaly | Message: Browser settings tampered Detail: Malware modifying browser proxy settings | | | |
| Regkey | Setval | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\"ProxyEnable" = 0x00000000 | 640 | | |
| Regkey | Setval | \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\"SavedLegacySettings" = 3c 00 00 00 0a 00 00 00 01 00 00 00 0d 00 00 00 31 30 2e 30 2e 30 2e 32 3a 38 30 38 30 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 c0 7e dd d3 73 dc cc 01 01 00 00 00 0a 00 02 0f 00 00 00 00 00 00 00 00 | 640 | | |
| Malicious Alert | Misc Anomaly | Message: Network settings tampered Detail: Browser network configuration modified | | | |
| Regkey | Setval | \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"ProxyBypass" = 0x00000001 | 640 | | |
| Regkey | Setval | \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"IntranetName" = 0x00000001 | 640 | | |
| Regkey | Setval | \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"UNCAsIntranet" = 0x00000001 | 640 | | |
| Mutex | | Imagepath: C:\WINDOWS\system32\svchost.exe | 640 | | |
| Network | Dns Query | Protocol Type: udp Qtype: Host Address Hostname: bing.com Imagepath: C:\WINDOWS\system32\svchost.exe | 640 | | |
| Network | Dns Query | Protocol Type: udp Qtype: Host Address Hostname: twitter.com Imagepath: C:\WINDOWS\system32\svchost.exe | 640 | | |
| Network | Dns Query | Protocol Type: udp Qtype: Host Address Hostname: coocislands2012.ru Imagepath: C:\WINDOWS\system32\svchost.exe | 640 | | |
| Network | Dns Query | Protocol Type: udp Qtype: Host Address Hostname: google.com Imagepath: C:\WINDOWS\system32\svchost.exe | 640 | | |
| Uac | Privilege use | SeTcbPrivilege | | | |
| Network | Dns Query | Protocol Type: udp Qtype: Host Address Hostname: google.com Imagepath: C:\WINDOWS\system32\svchost.exe | 640 | | |
| Network | Dns Query | Protocol Type: udp Qtype: Host Address Hostname: fb.com Imagepath: C:\WINDOWS\system32\svchost.exe | 640 | | |
| Network | Dns Query | Protocol Type: udp Qtype: Host Address Hostname: bing.com Imagepath: C:\WINDOWS\system32\svchost.exe | 640 | | |
| Regkey | Setval | \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run\"lpxdhxwv" = "C:\Documents and Settings\admin\Local Settings\Application Data\jtjqhohe.exe" | 640 | | |
| Malicious Alert | Misc Anomaly | Message: Startup services added Detail: Malware adding itself (non-DLL) to windows startup areas | | | |
| Network | Dns Query | Protocol Type: udp Qtype: Host Address Hostname: twitter.com Imagepath: C:\WINDOWS\system32\svchost.exe | 640 | | |
| Network | Dns Query | Protocol Type: udp Qtype: Host Address Hostname: coocislands2012.ru Imagepath: C:\WINDOWS\system32\svchost.exe | 640 | | |
| Network | Dns Query | Protocol Type: udp Qtype: Host Address Hostname: google.com Imagepath: C:\WINDOWS\system32\svchost.exe | 640 | | |
| Network | Dns Query | Protocol Type: udp Qtype: Host Address Hostname: fb.com Imagepath: C:\WINDOWS\system32\svchost.exe | 640 | | |
| Network | Dns Query | Protocol Type: udp Qtype: Host Address Hostname: bing.com Imagepath: C:\WINDOWS\system32\svchost.exe | 640 | | |
| Network | Dns Query | Protocol Type: udp Qtype: Host Address Hostname: twitter.com Imagepath: C:\WINDOWS\system32\svchost.exe | 640 | | |
| Network | Dns Query | Protocol Type: udp Qtype: Host Address Hostname: coocislands2012.ru Imagepath: C:\WINDOWS\system32\svchost.exe | 640 | | |
| Network | Dns Query | Protocol Type: udp Qtype: Host Address Hostname: google.com Imagepath: C:\WINDOWS\system32\svchost.exe | 640 | | |
| Network | Dns Query | Protocol Type: udp Qtype: Host Address Hostname: fb.com Imagepath: C:\WINDOWS\system32\svchost.exe | 640 | | |
| Network | Dns Query | Protocol Type: udp Qtype: Host Address Hostname: bing.com Imagepath: C:\WINDOWS\system32\svchost.exe | 640 | | |
| Network | Dns Query | Protocol Type: udp Qtype: Host Address Hostname: twitter.com Imagepath: C:\WINDOWS\system32\svchost.exe | 640 | | |
| Network | Dns Query | Protocol Type: udp Qtype: Host Address Hostname: coocislands2012.ru Imagepath: C:\WINDOWS\system32\svchost.exe | 640 | | |
| Network | Dns Query | Protocol Type: udp Qtype: Host Address Hostname: google.com Imagepath: C:\WINDOWS\system32\svchost.exe | 640 | | |
| Network | Dns Query | Protocol Type: udp Qtype: Host Address Hostname: fb.com Imagepath: C:\WINDOWS\system32\svchost.exe | 640 | | |
| Network | Dns Query | Protocol Type: udp Qtype: Host Address Hostname: bing.com Imagepath: C:\WINDOWS\system32\svchost.exe | 640 | | |
| Network | Dns Query | Protocol Type: udp Qtype: Host Address Hostname: twitter.com Imagepath: C:\WINDOWS\system32\svchost.exe | 640 | | |
| Network | Dns Query | Protocol Type: udp Qtype: Host Address Hostname: coocislands2012.ru Imagepath: C:\WINDOWS\system32\svchost.exe | 640 | | |
| Network | Dns Query | Protocol Type: udp Qtype: Host Address Hostname: google.com Imagepath: C:\WINDOWS\system32\svchost.exe | 640 | | |
| Network | Dns Query | Protocol Type: udp Qtype: Host Address Hostname: fb.com Imagepath: C:\WINDOWS\system32\svchost.exe | 640 | | |
| Network | Dns Query | Protocol Type: udp Qtype: Host Address Hostname: bing.com Imagepath: C:\WINDOWS\system32\svchost.exe | 640 | | |
| Network | Dns Query | Protocol Type: udp Qtype: Host Address Hostname: twitter.com Imagepath: C:\WINDOWS\system32\svchost.exe | | | |
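The trace reads as one chain: Print_label.exe spawns svchost.exe from its own process, maps code into the suspended child (process hollowing) and exits; the hollowed svchost.exe then reads the IE cookie and history index.dat files, turns the proxy off, writes a Run value under a random name that points into the user's own profile, and loops DNS lookups over four popular names plus coocislands2012.ru. The Python below is an added example, not part of the report or of the sandbox vendor's tooling; it turns those observations into triage rules and runs them over a hand-built subset of the events (images, PIDs, key names and hostnames are copied from the table; the services.exe parent rule, the user-writable path list, the connectivity-domain allowlist and the three-lookup threshold are my assumptions).

```python
"""Triage rules for the process, registry and DNS events in the Kuluoz.B trace above.

Added example, not part of the original report or the sandbox vendor's code.
The Event records below are hand-built from the table (images, PIDs, key names
and hostnames copied from it); the allowlists and thresholds are assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Event:
    kind: str                   # Process / Codeinjection / Regkey / Network
    mode: str                   # Started / Setval / Dns Query / ...
    details: dict = field(default_factory=dict)
    pid: int = 0
    ppid: int = 0


SVCHOST = r"C:\WINDOWS\system32\svchost.exe"
SAMPLE = r"C:\Print_label.exe"
HKCU = r"\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003"

# Constructed subset of the trace: the spawn/inject/persist events, then three
# rounds of the DNS loop the injected svchost.exe runs.
EVENTS = [
    Event("Process", "Started", {"image": SAMPLE, "parent": r"C:\WINDOWS\system32\cmd.exe"}, 1292, 1264),
    Event("Process", "Started", {"image": SVCHOST, "parent": SAMPLE, "cmdline": "svchost.exe"}, 640, 1292),
    Event("Codeinjection", "Create process suspended section mapped code injection",
          {"source": SAMPLE, "target": SVCHOST}),
    Event("Regkey", "Setval", {"key": HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Run",
                               "name": "lpxdhxwv",
                               "value": r"C:\Documents and Settings\admin\Local Settings\Application Data\jtjqhohe.exe"}, 640),
] + [
    Event("Network", "Dns Query", {"hostname": h, "image": SVCHOST}, 640)
    for h in ["bing.com", "twitter.com", "coocislands2012.ru", "google.com", "fb.com"] * 3
]

# Assumption: on Windows XP, services.exe is the only legitimate parent of svchost.exe.
LEGIT_SVCHOST_PARENTS = {r"c:\windows\system32\services.exe"}
# Assumption: profile directories any user can write to; a Run value pointing
# there is persistence that needed no elevation.
USER_WRITABLE_MARKERS = (r"\local settings\application data\", r"\application data\", r"\local settings\temp\")
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
# Assumption: well-known names the sample resolves only to confirm it is online.
CONNECTIVITY_DOMAINS = {"bing.com", "twitter.com", "google.com", "fb.com"}
BEACON_MIN_QUERIES = 3


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return a list of (rule, *evidence) tuples for the events that match."""
    findings = []
    for e in events:
        if e.kind == "Process" and e.mode == "Started" and basename(e.details["image"]) == "svchost.exe":
            if e.details["parent"].lower() not in LEGIT_SVCHOST_PARENTS:
                findings.append(("svchost_unexpected_parent", e.pid, e.details["parent"]))
        elif e.kind == "Codeinjection" and "suspended" in e.mode.lower():
            # Spawn-suspended plus a section mapped into the child is the process-hollowing pattern.
            findings.append(("process_hollowing", e.details["source"], e.details["target"]))
        elif e.kind == "Regkey" and e.mode == "Setval":
            key, value = e.details["key"].lower(), e.details["value"].lower()
            if key.endswith(RUN_KEY_SUFFIX) and any(m in value for m in USER_WRITABLE_MARKERS):
                findings.append(("run_key_userland_persistence", e.details["name"], e.details["value"]))
    # DNS: count lookups per (pid, hostname); a name resolved repeatedly that is
    # not one of the connectivity-check domains is the candidate C2.
    lookups = Counter((e.pid, e.details["hostname"])
                      for e in events if e.kind == "Network" and e.mode == "Dns Query")
    for (pid, host), n in sorted(lookups.items()):
        if host not in CONNECTIVITY_DOMAINS and n >= BEACON_MIN_QUERIES:
            findings.append(("dns_beacon_candidate", pid, host, n))
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(*finding)
```

The parent check is the cheapest of the four rules and the one worth carrying into endpoint telemetry: a svchost.exe whose parent is anything but services.exe (on XP) has no legitimate explanation, and here it fires before any of the data-theft or persistence events. The DNS rule deliberately ignores the popular domains; the sample rotates through them, so counting them would drown the one name that matters.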
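The SavedLegacySettings value the injected svchost.exe wrote is a binary blob, so the "Network settings tampered" alert says little on its own. The parser below is an added example (not from the report or the sandbox vendor) that decodes the hex exactly as it appears in the table. It follows the layout documented for the Internet Settings connection blob (DefaultConnectionSettings / SavedLegacySettings): a little-endian version, a change counter, a flags word, then three length-prefixed ASCII strings for proxy server, bypass list and auto-config URL. The flag bit names are the usual ones for that structure; the 32 trailing bytes are left uninterpreted and returned as hex.

```python
"""Decode the SavedLegacySettings blob from the Kuluoz.B trace above.

Added example, not part of the original report. Layout: u32 version, u32
counter, u32 flags, then three u32-length-prefixed ASCII strings (proxy
server, bypass list, auto-config URL). The trailing bytes are not interpreted.
"""
import struct

# Hex copied verbatim from the SavedLegacySettings row of the table.
BLOB_HEX = (
    "3c 00 00 00 0a 00 00 00 01 00 00 00 0d 00 00 00 31 30 2e 30 2e 30 2e 32 "
    "3a 38 30 38 30 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 c0 7e dd d3 "
    "73 dc cc 01 01 00 00 00 0a 00 02 0f 00 00 00 00 00 00 00 00"
)

# Flag bits of the connection-settings blob.
FLAGS = {
    0x01: "PROXY_TYPE_DIRECT",
    0x02: "PROXY_TYPE_PROXY",
    0x04: "PROXY_TYPE_AUTO_PROXY_URL",
    0x08: "PROXY_TYPE_AUTO_DETECT",
}


def _lpstr(buf, off):
    """Read a u32 length followed by that many ASCII bytes; return (text, new offset)."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    return buf[off:off + n].decode("ascii", "replace"), off + n


def parse_legacy_settings(hexstr):
    buf = bytes.fromhex(hexstr)          # bytes.fromhex ignores the spaces
    version, counter, flags = struct.unpack_from("<III", buf, 0)
    off = 12
    proxy, off = _lpstr(buf, off)
    bypass, off = _lpstr(buf, off)
    autoconfig, off = _lpstr(buf, off)
    return {
        "version": version,
        "counter": counter,
        "flags": flags,
        "flag_names": [name for bit, name in FLAGS.items() if flags & bit],
        "proxy_server": proxy,
        "bypass_list": bypass,
        "autoconfig_url": autoconfig,
        "proxy_in_use": bool(flags & 0x02),
        "trailing": buf[off:].hex(),     # uninterpreted tail, kept for reference
    }


if __name__ == "__main__":
    for k, v in parse_legacy_settings(BLOB_HEX).items():
        print(f"{k:15} {v}")
```

Decoded, the flags word is 0x01 (direct connection, no proxy bit set), which agrees with the ProxyEnable = 0 writes immediately before it: the sample switched the host to a direct connection while leaving the previously configured proxy string 10.0.0.2:8080 in place but inactive. That string is whatever the analysis VM had configured before the run (my inference: the sandbox's own egress proxy), so the practical effect of the change is that the sample's own HTTP traffic bypasses any proxy the host was using.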
Friday, June 22, 2012
Kuluoz.B