Malware Analysis Forum
 Post subject: old-lady-porn.com --> secret-porn-video.zip
PostPosted: Fri Apr 11, 2008 8:09 pm 
Site Admin

Joined: Thu Mar 27, 2008 1:06 pm
Posts: 163
Location: India
Download Link: hxxp://old-lady-porn.com

File Name: secret-porn-video.zip

Archive Details
Modified Size Ratio CRC32 File name
4/9/2008 4:04:30 PM 309 KB 97% 1166672A secret-porn-video.exe

File Name: secret-porn-video.exe

VirusTotal Result: 10/32 (31.25%)
Antivirus Version Last Update Result
Avast 4.8.1169.0 2008.04.11 Win32:Delf-FIZ
AVG 7.5.0.516 2008.04.11 SHeur.BDYG
ClamAV 0.92.1 2008.04.11 Trojan.Clicker-548
DrWeb 4.44.0.09170 2008.04.11 Trojan.Click.origin
eSafe 7.0.15.0 2008.04.09 suspicious Trojan/Worm
F-Prot 4.4.2.54 2008.04.10 W32/Banload.E.gen!Eldorado
Ikarus T3.1.1.26 2008.04.11 Virus.Win32.Trojan
Panda 9.0.0.4 2008.04.10 Suspicious file
Prevx1 V2 2008.04.11 Heuristic: Suspicious File With Persistence
Sophos 4.28.0 2008.04.11 Mal/Uddo-A

File Info:
File size: 325120 bytes <-- Packed with UPX
MD5...: cff137a2d7a18eef5379ab8a2e3afeef
SHA1..: ca3916c06229c93d692c6d2bb0aa82d55f321b69
SHA256: 5e9470741a4d13de51406366a03e86a15c0d1460a0d8a0fe4c45fdbfc2b76053
SHA512: 93543079745daaa72f5b1fad721d61c2a2e9062e1a15df3b333098eb52d18608201a400ca403444f0dd41977b776b303a4ff379e338a589460e9cf658e0c2642

PE Header
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0003
Time/Date stamp: 2A425E19
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 818F
Magic: 010B
Linker version (major): 02
Linker version (minor): 19
Size of code: 0004E000
Size of initialized data: 00002000
Size of uninitialized data: 0008A000
Address of entry point: 000D8890
Base of code: 0008B000
Base of data: 000D9000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 000DB000
Size of headers: 00001000
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00004000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections
Section VirtSize VirtAddr PhysSize PhysAddr Flags
UPX0 0008A000 00001000 00000000 00000400 E0000080
UPX1 0004E000 0008B000 0004DC00 00000400 E0000040
.rsrc 00002000 000D9000 00001600 0004E000 C0000040

Import table (libraries: 9)
KERNEL32.DLL (imports: 3)
LoadLibraryA
GetProcAddress
ExitProcess
advapi32.dll (imports: 1)
RegFlushKey
comctl32.dll (imports: 1)
ImageList_Add
gdi32.dll (imports: 1)
SaveDC
ole32.dll (imports: 1)
OleDraw
oleaut32.dll (imports: 1)
VariantCopy
shell32.dll (imports: 1)
SHGetMalloc
URLMON.DLL (imports: 1)
URLDownloadToFileA
user32.dll (imports: 1)
GetDC

Unpacked with UPX:
File size Ratio Format Name
-------------------- ------ ----------- -----------
850944 <- 325120 38.21% win32/pe secret-porn-video_UnPacked.exe

PE Header
Size of code: 000AE800
Size of initialized data: 00021000
Size of uninitialized data: 00000000
Address of entry point: 000AF4BC
Base of code: 00001000
Base of data: 000B0000
Image base: 00400000
Section alignment: 00001000

PE Sections
Section VirtSize VirtAddr PhysSize PhysAddr Flags
CODE 000AE738 00001000 000AE800 00000400 60000020
DATA 00004B48 000B0000 00004C00 000AEC00 C0000040
BSS 000015C1 000B5000 00000000 000B3800 C0000000
.idata 00002864 000B7000 00002A00 000B3800 C0000040
.tls 00000010 000BA000 00000000 000B6200 C0000000
.rdata 00000018 000BB000 00000200 000B6200 50000040
.reloc 0000B6A8 000BC000 0000B800 000B6400 50000040
.rsrc 0000E000 000C8000 0000E000 000C1C00 50000040

File Name: secret-porn-video_UnPacked.exe

VirusTotal Result: 7/32 (21.88%)
Antivirus Version Last Update Result
Avast 4.8.1169.0 2008.04.11 Win32:Delf-FIZ
AVG 7.5.0.516 2008.04.11 SHeur.BDYG
ClamAV 0.92.1 2008.04.11 Trojan.Clicker-548
DrWeb 4.44.0.09170 2008.04.11 Trojan.Click.origin
F-Prot 4.4.2.54 2008.04.10 W32/Banload.E.gen!Eldorado
Ikarus T3.1.1.26.0 2008.04.11 Virus.Win32.Trojan
Panda 9.0.0.4 2008.04.10 Suspicious file

File Info:
File size: 850944 bytes <-- After unpacking with UPX
MD5...: 7c3ee3563d76ee6614b7e0d821e84c0b
SHA1..: 45110952ccc0fd3da5f75dcf4890ab0647c1e252
SHA256: c7026ccd3629436fb0f9cdb6f7318feb79a407eb846e89507668101e00051f71
SHA512: 9c148493c4209affec011af630c9354ea8001d5e9c339734589267567d4e92724328d06b856776b54aa5106f4d7f8495d3793a781c79fa7f6023c2f515abd323

Process Details:
Process ID 1916
Filename C:\secret-porn-video.exe
Filesize 325120 bytes
MD5 cff137a2d7a18eef5379ab8a2e3afeef

COM Activity:
COM Create Instance: C:\WINDOWS\system32\shdocvw.dll, ProgID: (Shell.Explorer.2), Interface ID: ({00000112-0000-0000-C000-000000000046})
COM Create Instance: C:\WINDOWS\system32\mlang.dll, ProgID: (), Interface ID: ({275C23E1-3747-11D0-9FEA-00AA003F8646})
COM Create Instance: C:\WINDOWS\system32\msimtf.dll, ProgID: (), Interface ID: ({08C0E040-62D1-11D1-9326-0060B067B86E})
COM Create Instance: C:\WINDOWS\system32\jscript.dll, ProgID: (JScript), Interface ID: ({BB1A2AE1-A4F9-11CF-8F20-00805F2CD064})
COM Create Instance: , ProgID: (), Interface ID: ({00000146-0000-0000-C000-000000000046})
COM Create Instance: , ProgID: (), Interface ID: ({6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8})
COM Create Instance: %SystemRoot%\system32\shdocvw.dll, ProgID: (), Interface ID: ({062E1261-A60E-11D0-82C2-00C04FD5AE38})
COM Get Class Object: C:\WINDOWS\system32\urlmon.dll, Interface ID: ({00000001-0000-0000-C000-000000000046})
COM Get Class Object: %SystemRoot%\system32\mshtml.dll, Interface ID: ({00000001-0000-0000-C000-000000000046})

New Files Created:
C:\Program Files\Gay-Lesbian-Photo\Gay-Lesbian-Photo.exe
\Device\RasAcd
C:\Documents and Settings\Sandbox\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT

Opened Files:
C:\WINDOWS\system32\shdocvw.dll
C:\secret-porn-video.exe
\\.\PIPE\wkssvc
\\.\PIPE\lsarpc
\SystemRoot\AppPatch\sysmain.sdb
\SystemRoot\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
c:\Program Files\Gay-Lesbian-Photo\Gay-Lesbian-Photo.exe
c:\autoexec.bat
C:\WINDOWS\system32\mlang.dat
C:\WINDOWS\fonts\ARIAL.TTF
C:\WINDOWS\fonts\ARIALBD.TTF
C:\WINDOWS\fonts\ARIALBI.TTF
C:\WINDOWS\fonts\ARIALI.TTF
C:\WINDOWS\fonts\COUR.TTF
C:\WINDOWS\fonts\COURBD.TTF
C:\WINDOWS\fonts\COURBI.TTF
C:\WINDOWS\fonts\COURI.TTF
C:\WINDOWS\fonts\LUCON.TTF
C:\WINDOWS\fonts\L_10646.TTF
C:\WINDOWS\fonts\TIMES.TTF
C:\WINDOWS\fonts\TIMESBD.TTF
C:\WINDOWS\fonts\TIMESBI.TTF
C:\WINDOWS\fonts\TIMESI.TTF
C:\WINDOWS\fonts\WINGDING.TTF
C:\WINDOWS\fonts\SYMBOL.TTF
C:\WINDOWS\fonts\verdana.TTF
C:\WINDOWS\fonts\verdanab.TTF
C:\WINDOWS\fonts\verdanai.TTF
C:\WINDOWS\fonts\verdanaz.TTF
C:\WINDOWS\fonts\ariblk.TTF
C:\WINDOWS\fonts\comic.TTF
C:\WINDOWS\fonts\comicbd.TTF
C:\WINDOWS\fonts\impact.TTF
C:\WINDOWS\fonts\georgia.TTF
C:\WINDOWS\fonts\georgiab.TTF
C:\WINDOWS\fonts\georgiaz.TTF
C:\WINDOWS\fonts\georgiai.TTF
C:\WINDOWS\fonts\Framd.TTF
C:\WINDOWS\fonts\Framdit.TTF
C:\WINDOWS\fonts\pala.TTF
C:\WINDOWS\fonts\palab.TTF
C:\WINDOWS\fonts\palabi.TTF
C:\WINDOWS\fonts\palai.TTF
C:\WINDOWS\fonts\tahomabd.TTF
C:\WINDOWS\fonts\trebuc.TTF
C:\WINDOWS\fonts\trebucbd.TTF
C:\WINDOWS\fonts\trebucbi.TTF
C:\WINDOWS\fonts\trebucit.TTF
C:\WINDOWS\fonts\webdings.TTF
C:\WINDOWS\fonts\estre.TTF
C:\WINDOWS\fonts\gautami.TTF
C:\WINDOWS\fonts\latha.TTF
C:\WINDOWS\fonts\mangal.TTF
C:\WINDOWS\fonts\mvboli.TTF
C:\WINDOWS\fonts\raavi.TTF
C:\WINDOWS\fonts\shruti.TTF
C:\WINDOWS\fonts\tunga.TTF
C:\WINDOWS\fonts\sylfaen.TTF
C:\WINDOWS\fonts\TAHOMA.TTF
C:\WINDOWS\fonts\MICROSS.TTF
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\MOKRLQTZ\_yandex-global[2].css
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\MOKRLQTZ\pass_style[1].css
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\2CJ8OP2C\_passport-new-head[2].css
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\1Q21BSU0\header[1].css
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\1Q21BSU0\registration-form[1].css
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\KSQIGQIV\inbox_hxxp[1].js
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\KSQIGQIV\hintquestion[1].js
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\1Q21BSU0\register[1].js
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\KSQIGQIV\pass_script[1].js

Read INI File:
C:\Documents and Settings\Sandbox\My Documents\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\Sandbox\My Documents\desktop.ini [DeleteOnCopy.A] Owner =
C:\Documents and Settings\Sandbox\My Documents\desktop.ini [DeleteOnCopy] PersonalizedName =
C:\Documents and Settings\Sandbox\My Documents\desktop.ini [DeleteOnCopy.A] PersonalizedName =
C:\Documents and Settings\All Users\Documents\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\All Users\Documents\desktop.ini [.ShellClassInfo] LocalizedResourceName =
WIN.INI [windows] DragScrollInset =
WIN.INI [windows] DragScrollDelay =
WIN.INI [windows] DragDelay =
WIN.INI [windows] DragScrollInterval =
C:\Documents and Settings\Sandbox\Local Settings\History\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\Sandbox\Local Settings\History\desktop.ini [.ShellClassInfo] LocalizedResourceName =

Mutex:
Creates Mutex: RasPbFile
Creates Mutex: CTF.LBES.MutexDefaultS-1-5-21-1715567821-2139871995-725345543-1004
Creates Mutex: CTF.Compart.MutexDefaultS-1-5-21-1715567821-2139871995-725345543-1004
Creates Mutex: CTF.Asm.MutexDefaultS-1-5-21-1715567821-2139871995-725345543-1004
Creates Mutex: CTF.Layouts.MutexDefaultS-1-5-21-1715567821-2139871995-725345543-1004
Creates Mutex: CTF.TMD.MutexDefaultS-1-5-21-1715567821-2139871995-725345543-1004
Creates Mutex: MSIMGSIZECacheMutex
Creates Mutex: _!SHMSFTHISTORY!_
Opens Mutex: WininetStartupMutex
Opens Mutex: _!SHMSFTHISTORY!_

Registry Changes:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform "" =
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run "pviever" = "C:\Program Files\Gay-Lesbian-Photo\Gay-Lesbian-Photo.exe" hide
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\PornSoft "DisplayName" = Gay-Lesbian-Photo
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\PornSoft "UninstallString" = C:\Program Files\Gay-Lesbian-Photo\Gay-Lesbian-Photo.exe uninstall
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU "Enable" = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU "Size" = [REG_DWORD, value: 0000000A]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU "InitHits" = [REG_DWORD, value: 00000064]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU "Factor" = [REG_DWORD, value: 00000014]

Registry Reads:
HKEY_CLASSES_ROOT\htmlfile\shell\open\ddeexec\application ""
HKEY_CLASSES_ROOT\htmlfile\shell\open\ddeexec\topic ""
HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec\application ""
HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec\topic ""
HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec ""
HKEY_CLASSES_ROOT\Folder\shell\explore\ddeexec ""
HKEY_CLASSES_ROOT\Directory\shell\find\ddeexec ""
HKEY_CLASSES_ROOT\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\0 "win32"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
_HKEY(1992)_ "NumShape"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU "Enable"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU "Size"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared\ "CUAS"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\ "EnableAnchorContext"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 "COM+Enabled"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility "DisableAppCompat"
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{ff393560-c2a7-11cf-bff4-444553540000}\InProcServer32 ""

Enums:
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP

Process Management:
Creates Process - Filename: c:\Program Files\Gay-Lesbian-Photo\Gay-Lesbian-Photo.exe
Open Process - Filename: C:\WINDOWS\Explorer.EXE

Window:
Find Window - Class Name (MS_AutodialMonitor) Window Name ()
Find Window - Class Name (MS_WebcheckMonitor) Window Name ()

Enum Windows:
Destroy Window - Class Name (TMemo) Window Name (?????? ????? ??????? ????????? ??????? ???? ?????? ????? ???? ?????? ?????? ???? ????????? ??????? ???????? ???? ?????? ???????? ?????? ??????? ?????? ???????? ?????? ??????? ?????? ????? ????? ??????? ??????????? ??????? ?????? )
Destroy Window - Class Name (Tmainf) Window Name ()

Network Activity:
DNS Lookup
Host Name IP Address
neosap.ru 217.16.30.51
super-tds.info 88.214.202.8
Download URLs
hxxp://217.16.30.51/surf/stat.php?uin= (neosap.ru)
hxxp://88.214.202.8/surf/stat.php?uin= (super-tds.info)
hxxp://213.180.204.24/js/inbox_hxxp.js (213.180.204.24)
hxxp://213.180.204.24/pass_style.css (213.180.204.24)
hxxp://213.180.204.24/js/hintquestion.js (213.180.204.24)
hxxp://213.180.204.21/css/_yandex-global.css (213.180.204.21)
hxxp://213.180.204.24/header.css (213.180.204.24)
hxxp://213.180.204.24/js/register.js (213.180.204.24)
hxxp://213.180.204.24/css/registration-form.css (213.180.204.24)
hxxp://213.180.204.24/pass_script.js (213.180.204.24)
hxxp://213.180.204.45/css/_passport-new-head.css (213.180.204.45)
Data posted to URLs
hxxp://213.180.204.24/cgi-bin/Reg.pl?fr ... ster.xhtml (213.180.204.24)
Outgoing connection to remote server: neosap.ru TCP port 80
Outgoing connection to remote server: super-tds.info TCP port 80
Outgoing connection to remote server: 213.180.204.24 TCP port 80
Outgoing connection to remote server: 213.180.204.24 TCP port 80
Outgoing connection to remote server: 213.180.204.24 TCP port 80
Outgoing connection to remote server: 213.180.204.21 TCP port 80
Outgoing connection to remote server: 213.180.204.24 TCP port 80
Outgoing connection to remote server: 213.180.204.24 TCP port 80
Outgoing connection to remote server: 213.180.204.45 TCP port 80

Process Info:
Process ID 1988
Filename c:\Program Files\Gay-Lesbian-Photo\Gay-Lesbian-Photo.exe hide 10000
Filesize 325120 bytes
MD5 cff137a2d7a18eef5379ab8a2e3afeef
Start Reason CreateProcess

COM Activity:
COM Create Instance: C:\WINDOWS\system32\shdocvw.dll, ProgID: (Shell.Explorer.2), Interface ID: ({00000112-0000-0000-C000-000000000046})
COM Create Instance: %SystemRoot%\system32\shdocvw.dll, ProgID: (), Interface ID: ({47851649-A2EF-4E67-BAEC-C6A153AC72EC})
COM Create Instance: %SystemRoot%\System32\cscui.dll, ProgID: (), Interface ID: ({0C6C4200-C589-11D0-999A-00C04FD655E1})
COM Create Instance: C:\WINDOWS\system32\msimtf.dll, ProgID: (), Interface ID: ({08C0E040-62D1-11D1-9326-0060B067B86E})
COM Create Instance: %SystemRoot%\system32\shdocvw.dll, ProgID: (), Interface ID: ({062E1261-A60E-11D0-82C2-00C04FD5AE38})
COM Create Instance: C:\WINDOWS\system32\jscript.dll, ProgID: (JScript), Interface ID: ({BB1A2AE1-A4F9-11CF-8F20-00805F2CD064})
COM Create Instance: , ProgID: (), Interface ID: ({00000146-0000-0000-C000-000000000046})
COM Create Instance: , ProgID: (), Interface ID: ({6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8})
COM Create Instance: C:\WINDOWS\system32\vbscript.dll, ProgID: (VBScript), Interface ID: ({BB1A2AE1-A4F9-11CF-8F20-00805F2CD064})
COM Create Instance: OLE32.DLL, ProgID: (), Interface ID: ({0002E013-0000-0000-C000-000000000046})
COM Create Instance: %SystemRoot%\system32\mshtml.dll, ProgID: (htmlfile), Interface ID: ({00000112-0000-0000-C000-000000000046})
COM Get Class Object: %SystemRoot%\system32\mshtml.dll, Interface ID: ({00000001-0000-0000-C000-000000000046})
COM Get Class Object: C:\WINDOWS\system32\urlmon.dll, Interface ID: ({00000001-0000-0000-C000-000000000046})
COM Get Class Object: C:\WINDOWS\system32\macromed\flash\flash.ocx, Interface ID: ({00000001-0000-0000-C000-000000000046})

New Files Created:
c:\Program Files\Gay-Lesbian-Photo\uin.txt
\Device\RasAcd

Opened Files:
C:\WINDOWS\system32\shdocvw.dll
\\.\PIPE\lsarpc
C:\WINDOWS\System32\cscui.dll
\\.\shadow
\\.\PIPE\wkssvc
\\.\PIPE\srvsvc
c:\autoexec.bat
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\2CJ8OP2C\main[1].css
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\MOKRLQTZ\ajs[1].php
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\2CJ8OP2C\index[1].htm
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\1Q21BSU0\media[1].htm
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\KSQIGQIV\index[1].htm
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\1Q21BSU0\media[2].htm
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\KSQIGQIV\index[2].htm
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\2CJ8OP2C\media[1].htm
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\1Q21BSU0\index[1].htm
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\KSQIGQIV\media[1].htm
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\2CJ8OP2C\index[2].htm
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\MOKRLQTZ\media[1].htm
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\1Q21BSU0\index[2].htm
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\KSQIGQIV\media[2].htm
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\2CJ8OP2C\index[3].htm
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\1Q21BSU0\media[3].htm
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\KSQIGQIV\index[3].htm
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\2CJ8OP2C\media[2].htm
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\MOKRLQTZ\index[1].htm
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\1Q21BSU0\media[4].htm
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\KSQIGQIV\index[4].htm
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\2CJ8OP2C\media[3].htm
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\1Q21BSU0\style[1].css
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\KSQIGQIV\flashdetect[1].js
C:\WINDOWS\system32\mshtml.tlb
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\2CJ8OP2C\eolasfix[1].js
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\2CJ8OP2C\swfobject[1].js
C:\WINDOWS\system32\macromed\flash\flash.ocx
C:\WINDOWS\system32\stdole2.tlb
C:\Documents and Settings\Sandbox\Local Settings\Temporary Internet Files\Content.IE5\1Q21BSU0\ga[2].js

Read INI File:
C:\Documents and Settings\Sandbox\My Documents\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\Sandbox\My Documents\desktop.ini [DeleteOnCopy.A] Owner =
C:\Documents and Settings\Sandbox\My Documents\desktop.ini [DeleteOnCopy] PersonalizedName =
C:\Documents and Settings\Sandbox\My Documents\desktop.ini [DeleteOnCopy.A] PersonalizedName =
C:\Documents and Settings\All Users\Documents\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\All Users\Documents\desktop.ini [.ShellClassInfo] LocalizedResourceName =
C:\desktop.ini [.ShellClassInfo] Sharing =
WIN.INI [windows] DragScrollInset =
WIN.INI [windows] DragScrollDelay =
WIN.INI [windows] DragDelay =
WIN.INI [windows] DragScrollInterval =
C:\Documents and Settings\Sandbox\Local Settings\History\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\Sandbox\Local Settings\History\desktop.ini [.ShellClassInfo] LocalizedResourceName =

Mutexes:
Creates Mutex: Shell.CMruPidlList
Creates Mutex: CTF.LBES.MutexDefaultS-1-5-21-1715567821-2139871995-725345543-1004
Creates Mutex: CTF.Compart.MutexDefaultS-1-5-21-1715567821-2139871995-725345543-1004
Creates Mutex: CTF.Asm.MutexDefaultS-1-5-21-1715567821-2139871995-725345543-1004
Creates Mutex: CTF.Layouts.MutexDefaultS-1-5-21-1715567821-2139871995-725345543-1004
Creates Mutex: CTF.TMD.MutexDefaultS-1-5-21-1715567821-2139871995-725345543-1004
Creates Mutex: RasPbFile
Creates Mutex: MSIMGSIZECacheMutex
Opens Mutex: WininetStartupMutex
Opens Mutex: _!SHMSFTHISTORY!_

Registry Changes:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform "" =

Registry Reads:
HKEY_CLASSES_ROOT\htmlfile\shell\open\ddeexec\application ""
HKEY_CLASSES_ROOT\htmlfile\shell\open\ddeexec\topic ""
HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec\application ""
HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec\topic ""
HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec ""
HKEY_CLASSES_ROOT\Folder\shell\explore\ddeexec ""
HKEY_CLASSES_ROOT\Directory\shell\find\ddeexec ""
HKEY_CLASSES_ROOT\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\0 "win32"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility "DisableAppCompat"
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{750fdf0e-2a26-11d1-a3ea-080036587f03}\InProcServer32 ""
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ProductOptions "ProductType"
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
_HKEY(2180)_ "NumShape"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared\ "CUAS"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\ "EnableAnchorContext"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{ff393560-c2a7-11cf-bff4-444553540000}\InProcServer32 ""
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 "COM+Enabled"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-shockwave-flash "CLSID"
HKEY_CLASSES_ROOT\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0 "win32"
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 "win32"
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32 ""

Enums:
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP

Service Management:
Open Service Manager - Name: "SCM"
Open Service - Name: "RASMAN"
Open Service - Name: "AudioSrv"

Window:
Find Window - Class Name (MS_AutodialMonitor) Window Name ()
Find Window - Class Name (MS_WebcheckMonitor) Window Name ()

Enum Windows:
Destroy Window - Class Name (Internet Explorer_Hidden) Window Name ()
Destroy Window - Class Name (tooltips_class32) Window Name ()

Network Activity:
DNS Lookup
Host Name IP Address
neosap.ru 217.16.30.51
super-tds.info 88.214.202.8
super-tds.info 88.214.202.8
super-tds.info 88.214.202.8
prosti-tutki.info 88.214.202.8
Download URLs
hxxp://217.16.30.51/surf/stat.php?uin=1 ... 2467411180 (neosap.ru)
hxxp://88.214.202.8/surf/stat.php?uin=1 ... 2467411180 (super-tds.info)
hxxp://88.214.202.8/surf/updinfo.php (super-tds.info)
hxxp://88.214.202.8/surf/surf.php?version=120 (super-tds.info)
hxxp://88.214.202.8/28/urls.html (super-tds.info)
hxxp://72.52.134.58/?td=porn-agregator.com (72.52.134.58)
hxxp://72.52.134.58/annons/www/delivery ... egator.com (72.52.134.58)
hxxp://72.52.134.58/annons/www/delivery ... 9b634a404e (72.52.134.58)
hxxp://72.52.134.58/css/internetE.css (72.52.134.58)
hxxp://72.52.134.58/css/main.css (72.52.134.58)
hxxp://72.52.134.58/preview/74.jpg (72.52.134.58)
hxxp://72.52.134.58/preview/68.jpg (72.52.134.58)
hxxp://72.52.134.58/preview/44.jpg (72.52.134.58)
hxxp://72.52.134.58/preview/29.jpg (72.52.134.58)
hxxp://72.52.134.58/images/header.gif (72.52.134.58)
hxxp://72.52.134.58/preview/90.jpg (72.52.134.58)
hxxp://72.52.134.58/preview/28.jpg (72.52.134.58)
hxxp://72.52.134.58/preview/18.jpg (72.52.134.58)
hxxp://72.52.134.58/preview/32.jpg (72.52.134.58)
hxxp://72.52.134.58/preview/59.jpg (72.52.134.58)
hxxp://72.52.134.58/annons/www/delivery ... nttype=gif (72.52.134.58)
hxxp://213.88.151.114/js/media.js?ref=2 ... movies.net (213.88.151.114)
hxxp://213.88.151.114/js/index.js?ref=2 ... movies.net (213.88.151.114)
hxxp://72.52.134.58/preview/19.jpg (72.52.134.58)
hxxp://72.52.134.58/preview/93.jpg (72.52.134.58)
hxxp://72.52.134.58/preview/26.jpg (72.52.134.58)
hxxp://72.52.134.58/preview/43.jpg (72.52.134.58)
hxxp://72.52.134.58/preview/40.jpg (72.52.134.58)
hxxp://72.52.134.58/out.php?link=trade- ... movies.net (72.52.134.58)
hxxp://72.52.134.58/preview/6.jpg (72.52.134.58)
hxxp://72.52.134.58/preview/62.jpg (72.52.134.58)
hxxp://72.52.134.58/preview/63.jpg (72.52.134.58)
hxxp://72.52.134.58/preview/21.jpg (72.52.134.58)
hxxp://213.88.151.114/js/index.js?ref=2 ... movies.net (213.88.151.114)
hxxp://67.225.143.173/images/se.gif (67.225.143.173)
hxxp://213.88.151.114/js/media.js?ref=2 ... movies.net (213.88.151.114)
hxxp://213.88.151.114/js/index.js?ref=2 ... movies.net (213.88.151.114)
hxxp://213.88.151.114/js/media.js?ref=2 ... movies.net (213.88.151.114)
hxxp://213.88.151.114/js/index.js?ref=2 ... movies.net (213.88.151.114)
hxxp://213.88.151.114/js/media.js?ref=2 ... movies.net (213.88.151.114)
hxxp://213.88.151.114/js/index.js?ref=2 ... movies.net (213.88.151.114)
hxxp://213.88.151.114/js/media.js?ref=2 ... movies.net (213.88.151.114)
hxxp://213.88.151.114/js/index.js?ref=2 ... movies.net (213.88.151.114)
hxxp://213.88.151.114/js/media.js?ref=2 ... movies.net (213.88.151.114)
hxxp://213.88.151.114/js/index.js?ref=2 ... movies.net (213.88.151.114)
hxxp://213.88.151.114/js/media.js?ref=2 ... movies.net (213.88.151.114)
hxxp://213.88.151.114/js/media.js?ref=2 ... movies.net (213.88.151.114)
hxxp://213.88.151.114/js/index.js?ref=2 ... movies.net (213.88.151.114)
hxxp://213.88.151.114/js/media.js?ref=2 ... movies.net (213.88.151.114)
hxxp://213.88.151.114/js/index.js?ref=2 ... movies.net (213.88.151.114)
hxxp://213.88.151.114/js/media.js?ref=2 ... movies.net (213.88.151.114)
hxxp://213.88.151.114/js/index.js?ref=2 ... movies.net (213.88.151.114)
hxxp://74.54.63.243/?ref=2113 (74.54.63.243)
hxxp://74.54.63.243/config/2113/live/style.css (74.54.63.243)
hxxp://74.54.63.243/config/2113/live/top.gif (74.54.63.243)
hxxp://74.54.63.243/members.php?ref=211 ... s5fitkfbp0 (74.54.63.243)
hxxp://213.88.151.115/js/flashdetect.js (213.88.151.115)
hxxp://213.88.151.115/js/eolasfix.js (213.88.151.115)
hxxp://213.88.151.115/covers/10456_cat.jpg (213.88.151.115)
hxxp://213.88.151.115/covers/10428_cat.jpg (213.88.151.115)
hxxp://213.88.151.115/gfx/payment_cc.gif (213.88.151.115)
hxxp://213.88.151.115/thumbs/166_pre_1.jpg (213.88.151.115)
hxxp://213.88.151.115/thumbs/601_pre_1.jpg (213.88.151.115)
hxxp://213.88.151.115/gfx/cc_ad_cus.gif (213.88.151.115)
hxxp://213.88.151.115/thumbs/3128_pre_1.jpg (213.88.151.115)
hxxp://213.88.151.115/gfx/spacer.gif (213.88.151.115)
hxxp://213.88.151.115/covers/10460_cat.jpg (213.88.151.115)
hxxp://213.88.151.115/covers/10417_cat.jpg (213.88.151.115)
hxxp://213.88.151.115/covers/10047_cat.jpg (213.88.151.115)
hxxp://213.88.151.115/js/swfobject.js (213.88.151.115)
hxxp://213.88.151.115/thumbs/3104_pre_1.jpg (213.88.151.115)
hxxp://213.88.151.115/thumbs/2171_pre_1.jpg (213.88.151.115)
hxxp://213.88.151.115/covers/10397_cat.jpg (213.88.151.115)
hxxp://72.14.221.103/ga.js (72.14.221.103)
hxxp://72.14.221.103/__utm.gif?utmwv=4. ... %3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B (72.14.221.103)
hxxp://72.14.221.103/__utm.gif?utmwv=4. ... %3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B (72.14.221.103)
Outgoing connection to remote server: neosap.ru TCP port 80
Outgoing connection to remote server: super-tds.info TCP port 80
Outgoing connection to remote server: super-tds.info TCP port 80
Outgoing connection to remote server: super-tds.info TCP port 80
Outgoing connection to remote server: super-tds.info TCP port 80
Outgoing connection to remote server: 72.52.134.58 TCP port 80
Outgoing connection to remote server: 72.52.134.58 TCP port 80
Outgoing connection to remote server: 72.52.134.58 TCP port 80
Outgoing connection to remote server: 72.52.134.58 TCP port 80
Outgoing connection to remote server: 72.52.134.58 TCP port 80
Outgoing connection to remote server: 72.52.134.58 TCP port 80
Outgoing connection to remote server: 213.88.151.114 TCP port 80
Outgoing connection to remote server: 72.52.134.58 TCP port 80
Outgoing connection to remote server: 72.52.134.58 TCP port 80
Outgoing connection to remote server: 213.88.151.114 TCP port 80
Outgoing connection to remote server: 67.225.143.173 TCP port 80
Outgoing connection to remote server: 213.88.151.114 TCP port 80
Outgoing connection to remote server: 213.88.151.114 TCP port 80
Outgoing connection to remote server: 213.88.151.114 TCP port 80
Outgoing connection to remote server: 213.88.151.114 TCP port 80
Outgoing connection to remote server: 213.88.151.114 TCP port 80
Outgoing connection to remote server: 213.88.151.114 TCP port 80
Outgoing connection to remote server: 213.88.151.114 TCP port 80
Outgoing connection to remote server: 213.88.151.114 TCP port 80
Outgoing connection to remote server: 213.88.151.114 TCP port 80
Outgoing connection to remote server: 74.54.63.243 TCP port 80
Outgoing connection to remote server: 74.54.63.243 TCP port 80
Outgoing connection to remote server: 213.88.151.115 TCP port 80
Outgoing connection to remote server: 213.88.151.115 TCP port 80
Outgoing connection to remote server: 213.88.151.115 TCP port 80
Outgoing connection to remote server: 213.88.151.115 TCP port 80
Outgoing connection to remote server: 72.14.221.103 TCP port 80

_________________
.:: MaliciousBrains ::.
http://www.malwareinfo.org

There are no patches or service packs for IGNORANCE!!