A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #863  by Buster_BSA
 Fri Apr 23, 2010 6:00 pm
EP_X0FF wrote: Most so-called anti* tricks are based on analyzing hardware components of the system (driver/process names of VMware/VPC/VBox) or searching for specific DLLs (as in the case of Sandboxie).
I would be interested in a list of registry keys, drivers and process names malware uses to check whether it is being run under a VM.

I want this to look for such checks in BSA.

I have found this http://handlers.sans.org/tliston/Thwart ... koudis.pdf but it didn't help me.
 #864  by EP_X0FF
 Fri Apr 23, 2010 6:09 pm
Hello,

Below is pseudo or incomplete code of some trivial detections.

```c
char* sExes[] = { "joeboxserver.exe", "joeboxcontrol.exe", //joebox 
                  "wireshark.exe", //wireshark 
                  "avp.exe", //kaspersky
                  "sniff_hit.exe", "sysAnalyzer.exe" };  //sysanalyzer
                  
char* sUsers[] = { "username", //threat expert
                  "user", //sandbox
                  "currentuser" };  //norman
                  
char* sModules[] = { "api_log.dll", "dir_watch.dll", //sunbelt & sandboxie
                     "pstorec.dll", //sunbelt
                     "SbieDll.dll", }; //sandboxie
```

```c
#include <windows.h>

/* Helper routines the post refers to but does not show; their bodies are
   assumed (process list, user name, file and folder lookups). */
BOOL IsProcessRunning(const char* name);
BOOL IsUsername(const char* name);
BOOL IsFileInFolder(const char* folder);
BOOL IsFolderExist(const char* folder);

BOOL IsAnubis()
{
    return IsFileInFolder("C:\\InsideTm\\") == 1;
}

BOOL IsTE()
{
    return IsUsername("username") == 1;
}

BOOL IsSandbox()
{
    return IsUsername("user") == 1;
}

BOOL IsJB()
{
    return IsProcessRunning("joeboxserver.exe") == 1 || IsProcessRunning("joeboxcontrol.exe") == 1;
}

BOOL IsNorman()
{
    return IsUsername("currentuser") == 1;
}

BOOL IsWireShark()
{
    return IsProcessRunning("wireshark.exe") == 1;
}

BOOL IsKaspersky()
{
    return IsProcessRunning("avp.exe") == 1;
}

BOOL IsID() //Sunbelt & Sandboxie included
{
    if (GetModuleHandleA("api_log.dll") || GetModuleHandleA("dir_watch.dll"))
        return TRUE;
    return IsProcessRunning("sniff_hit.exe") == 1 || IsProcessRunning("sysAnalyzer.exe") == 1;
}

BOOL IsSunbelt()
{
    if (GetModuleHandleA("pstorec.dll"))
        return TRUE;
    return IsFolderExist("C:\\analysis") == 1;
}

BOOL IsSandboxie()
{
    return GetModuleHandleA("SbieDll.dll") != NULL;
}

BOOL IsOther()
{
    unsigned char bBuffer = 0;
    /* a 0xE9 (JMP) as the first byte of CreateProcessA means the API is inline-hooked */
    FARPROC aCreateProcess = GetProcAddress(GetModuleHandleA("KERNEL32.dll"), "CreateProcessA");

    ReadProcessMemory(GetCurrentProcess(), (void*)aCreateProcess, &bBuffer, 1, NULL);

    return bBuffer == 0xE9;
}

BOOL IsVB()
{
    return IsProcessRunning("VBoxService.exe") == 1;
}
```
HTH
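A static triage check in the direction Buster asks about, added here as an example (not code from the thread or from BSA): it pulls ASCII and UTF-16LE strings out of a sample and matches them against the process, user, module and path names from the post above, labelling hits the way BSA reports an "Anti-Malware Analyzer routine". The sample bytes are constructed.

```python
"""Static triage for analysis-environment indicators embedded in a sample.

Added example (not code from the thread or from BSA): pulls ASCII and
UTF-16LE strings out of a file image and matches them against the process,
user, module and path names from the post above, labelling hits the way
BSA reports an "Anti-Malware Analyzer routine".
"""
import re

# Indicator (lower-case) -> what its presence suggests; all from the post.
INDICATORS = {
    "joeboxserver.exe": "JoeBox", "joeboxcontrol.exe": "JoeBox",
    "wireshark.exe": "Wireshark", "avp.exe": "Kaspersky",
    "sniff_hit.exe": "SysAnalyzer", "sysanalyzer.exe": "SysAnalyzer",
    "api_log.dll": "Sunbelt/Sandboxie", "dir_watch.dll": "Sunbelt/Sandboxie",
    "pstorec.dll": "Sunbelt", "sbiedll.dll": "Sandboxie",
    "c:\\insidetm\\": "Anubis", "c:\\analysis": "Sunbelt",
    "vboxservice.exe": "VirtualBox",
}
# Usernames are ordinary words, so they only count as whole strings.
USERNAMES = {"username": "ThreatExpert", "user": "generic sandbox",
             "currentuser": "Norman"}

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

def extract_strings(data: bytes) -> list:
    """Printable ASCII and UTF-16LE runs of at least four characters."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16le") for m in WIDE_RE.finditer(data)]
    return found

def scan(data: bytes) -> dict:
    """Map each suspected analysis target to the strings that implicate it."""
    hits = {}
    for s in extract_strings(data):
        low = s.lower()
        for needle, label in INDICATORS.items():
            if needle in low:
                hits.setdefault(label, set()).add(s)
        if low in USERNAMES:
            hits.setdefault(USERNAMES[low], set()).add(s)
    return hits

# Constructed stand-in for a file image: filler plus indicators in both
# encodings (the extra NULs keep the wide-string scan aligned).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16 + b"This program cannot be run in DOS mode\x00"
    + b"SbieDll.dll\x00kernel32.dll\x00\x00"
    + "VBoxService.exe".encode("utf-16le") + b"\x00\x00"
    + b"C:\\InsideTm\\\x00currentuser\x00"
)

if __name__ == "__main__":
    for label, strings in sorted(scan(SAMPLE).items()):
        print(f"Anti-Malware Analyzer routine: {label} detection  <- {sorted(strings)}")
```

A hit only says the string is present; a sample can carry such names for other reasons, so the result is a triage flag, not a verdict.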
 #6353  by Buster_BSA
 Tue May 17, 2011 10:16 am
Blaze wrote:Sandbox:
http://malbox.xjtu.edu.cn/
More information: http://www.vulnerabilitydatabase.com/20 ... -behavior/
I tried it to compare it with BSA; for this I downloaded the first malware available from the list at malc0de.com:

hxxp://zemmor.fileave.com/ChitChat.exe

and sent it for analysis.

I received this by mail:

```
                          .__  ___.
                 _____  _____   |  | \_ |__    ____ ___  ___
                /     \ \__  \  |  |  | __ \  /  _ \\  \/  /
               |  Y Y  \ / __ \_|  |__| \_\ \(  <_> )>    <
               |__|_|  /(____  /|____/|___  / \____//__/\_ \
                     \/      \/           \/              \/

URL: http://zemmor.fileave.com/ChitChat.exe

=====Major Threats=====

=====Behavior Details=====

Create key:
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Internet Explorer\Security\P3Global
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Internet Explorer\Security\P3Sites
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\ShellNoRoam
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1
IEXPLORE.EXE --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\Shell
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Internet Explorer\Toolbar
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Internet Explorer\TypedURLs
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
IEXPLORE.EXE --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\000000000004523a
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Internet Explorer\Extensions\CmdMapping
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore
IEXPLORE.EXE --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Internet Explorer\Toolbar\Explorer
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
IEXPLORE.EXE --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked
IEXPLORE.EXE --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
IEXPLORE.EXE --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
IEXPLORE.EXE --> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings
IEXPLORE.EXE --> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
IEXPLORE.EXE --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket

Set value key:
IEXPLORE.EXE --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [E1 1F B9 7B CE 47 5C B1 ...]
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop ["C:\Documents and Settings\Administrator\桌面"]
IEXPLORE.EXE --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [17 A1 B4 CD F6 57 DF 77 ...]
IEXPLORE.EXE --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [49 C9 F8 80 8D EF E8 48 ...]
IEXPLORE.EXE --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [A7 13 91 03 33 39 7D 46 ...]
IEXPLORE.EXE --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [CE 37 F7 BB 43 55 FD D1 ...]
IEXPLORE.EXE --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [3C 7C 8A 09 1F 5C 3F 16 ...]
IEXPLORE.EXE --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [D3 B0 43 78 69 05 5E DB ...]
IEXPLORE.EXE --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [75 11 95 69 10 5A 9E 39 ...]
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Favorites ["D:\Backup\收藏夹"]
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\NodeSlots [02 02 02 02 02 02 02 02 ...]
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx [01 00 00 00 00 00 00 00 ...]
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Internet Explorer\Toolbar\Locked [0x1]
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache ["C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files"]
IEXPLORE.EXE --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory ["C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5"]
IEXPLORE.EXE --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Paths [0x4]
IEXPLORE.EXE --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CachePath ["C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache1"]
IEXPLORE.EXE --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CachePath ["C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache2"]
IEXPLORE.EXE --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CachePath ["C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache3"]
IEXPLORE.EXE --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CachePath ["C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache4"]
IEXPLORE.EXE --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CacheLimit [0xC02E]
IEXPLORE.EXE --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CacheLimit [0xC02E]
IEXPLORE.EXE --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CacheLimit [0xC02E]
IEXPLORE.EXE --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CacheLimit [0xC02E]
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies ["C:\Documents and Settings\Administrator\Cookies"]
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History ["C:\Documents and Settings\Administrator\Local Settings\History"]
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore\Type [0x4]
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore\Count [0x14]
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore\Time [DB 07 05 00 02 00 11 00 ...]
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore\Type [0x4]
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore\Count [0x14]
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore\Time [DB 07 05 00 02 00 11 00 ...]
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass [0x1]
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName [0x1]
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet [0x1]
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383} [81 45 E0 01 EE 4E D0 11 ...]
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Internet Explorer\Toolbar\Explorer\ITBarLayout [11 00 00 00 5C 00 00 00 ...]
IEXPLORE.EXE --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData ["C:\Documents and Settings\All Users\Application Data"]
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData ["C:\Documents and Settings\Administrator\Application Data"]
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy [0x1]
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable [0x0]
IEXPLORE.EXE --> \REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable [0x0]
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings [3C 00 00 00 14 00 00 00 ...]
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal ["D:\Backup\我的文档"]

Delete value key:
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL

Tcp Connection:
local:1094 --> 64.62.181.43:80
```

Meanwhile BSA reported this:

```
 [ General information ]
   * File name: c:\m\test\chitchat.exe
   * File length: 522752 bytes
   * File type: 
   * MD5 hash: bbe81413845c3638b41ddf91ea2341b7
   * SHA1 hash: ea43eac297160298e5e6f84131bf3eb9f021a9ee
   * SHA256 hash: 96bf51f603b6871de7af8da51b35d144850b7351c8629ab3058f070207527e9d
   * VirusTotal detections: 
      AhnLab-V3: Win-Trojan/Seint.522752.B
      AntiVir: Worm/Rebhip.A.1700
      Avast: Win32:Malware-gen
      Avast5: Win32:Malware-gen
      AVG: Worm/Generic2.APWJ
      BitDefender: Gen:Trojan.Heur.JP.Fu0@a0xDhxfi
      CAT-QuickHeal: Trojan.Llac.ufi
      Comodo: Heur.Suspicious
      DrWeb: Trojan.DownLoader2.42768
      Emsisoft: Trojan.Win32.Llac!IK
      F-Secure: Gen:Trojan.Heur.JP.Fu0@a0xDhxfi
      Fortinet: W32/Llac.UFI!tr
      GData: Gen:Trojan.Heur.JP.Fu0@a0xDhxfi
      Ikarus: Trojan.Win32.Llac
      Jiangmin: Trojan/Llac.cgz
      K7AntiVirus: Trojan
      Kaspersky: Trojan.Win32.Llac.ufi
      McAfee: Artemis!BBE81413845C
      McAfee-GW-Edition: Artemis!BBE81413845C
      Microsoft: Worm:Win32/Rebhip.A
      NOD32: a variant of Win32/Injector.FYP
      Panda: Generic Trojan
      PCTools: Trojan.Gen
      Sophos: Mal/Generic-L
      Symantec: Trojan.Gen
      TheHacker: Trojan/Llac.ufi
      TrendMicro: TROJ_GEN.R3EC2DP
      TrendMicro-HouseCall: TROJ_GEN.R3EC2DP
      VBA32: OScope.Worm.Bybz.31321
      VIPRE: Trojan.Win32.Generic!BT
      VirusBuster: Trojan.Llac!vlQh/zfidyU

 [ Changes to filesystem ]
   * Creates hidden folder C:\WINDOWS\system32\WinDir
   * Creates file (hidden) C:\WINDOWS\system32\WinDir\Svchost.exe
     File type: EXE
     MD5 hash: bbe81413845c3638b41ddf91ea2341b7
     SHA1 hash: ea43eac297160298e5e6f84131bf3eb9f021a9ee
     SHA256 hash: 96bf51f603b6871de7af8da51b35d144850b7351c8629ab3058f070207527e9d
   * Creates file C:\Documents and Settings\Buster\Configuración local\Temp\formeonly.jpg
     File type: JPG
     MD5 hash: 7f56ec8406bf303f7e65a34002462289
     SHA1 hash: af430de06ddcb7188d1f3bdfdf8cb558df2fe42e
     SHA256 hash: a7c8e87ae76f4cf565eca650d8fc0c7764dc8557c356613a8503196a603d45e8
   * Creates file C:\Documents and Settings\Buster\Configuración local\Temp\Buster7
     File type: Unknown
     MD5 hash: 72851ec8275f7df6161e86a8b70cb795
     SHA1 hash: bdb79ffc0a29c0ec2a4cf727a3cfbf60ba1cd70f
     SHA256 hash: 726ec9448860fe1375af5a3579496575f39c23d5209db95ce9cc8e330859a128
   * Creates file C:\Documents and Settings\Buster\Configuración local\Temp\Buster8
     File type: Unknown
     MD5 hash: 839570bae3e51ce137d69a092774ce83
     SHA1 hash: 31bb5f95b941841ba4d0817bebc16af88b6c50e2
     SHA256 hash: e7025738419c04c47a8f0b2ad5d6ee92a0b0a586247ff6c31610d86b92bd81a5
   * Creates file (hidden) C:\Documents and Settings\Buster\Datos de programa\Busterlog.dat
     File type: Unknown
     MD5 hash: bf3dba41023802cf6d3f8c5fd683a0c7
     SHA1 hash: 466530987a347b68ef28faad238d7b50db8656a5
     SHA256 hash: 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

 [ Changes to registry ]
   * Creates value "StubPath=43003A005C00570049004E0044004F00570053005C00730079007300740065006D00330032005C00570069006E004400690072005C0053007600630068006F00730074002E006500780065000000" in key HKEY_LOCAL_MACHINE\software\microsoft\Active Setup\Installed Components\{NM5M33PL-7503-DQLK-H3O8-6C26D0OB562X}
   * Creates value "Policies=43003A005C00570049004E0044004F00570053005C00730079007300740065006D00330032005C00570069006E004400690072005C0053007600630068006F00730074002E006500780065000000" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Policies\Explorer\Run
   * Creates value "HKLM=43003A005C00570049004E0044004F00570053005C00730079007300740065006D00330032005C00570069006E004400690072005C0053007600630068006F00730074002E006500780065000000" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
   * Creates value "Policies=43003A005C00570049004E0044004F00570053005C00730079007300740065006D00330032005C00570069006E004400690072005C0053007600630068006F00730074002E006500780065000000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
   * Creates value "HKCU=43003A005C00570049004E0044004F00570053005C00730079007300740065006D00330032005C00570069006E004400690072005C0053007600630068006F00730074002E006500780065000000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run
   * Creates value "FirstExecution=310037002F00300035002F00320030003100310020002D002D002000310032003A00300035000000" in key HKEY_CURRENT_USER\software\remote
   * Creates value "NewIdentification=720065006D006F00740065000000" in key HKEY_CURRENT_USER\software\remote

 [ Process/window information ]
   * Keylogger functionality.
   * Enables process privileges.
   * Creates a mutex "RasPbFile".
   * Creates a mutex "Buster5".
   * Creates a mutex "Buster4".
   * Creates a mutex "Buster1".
   * Anti-Malware Analyzer routine: Sandboxie detection.
   * Enumerates running processes.
   * Anti-Malware Analyzer routine: WinDbg detection.
   * Creates a mutex "2GJWSPI7UBY25L".
   * Creates a mutex "2GJWSPI7UBY25L_PERSIST".
   * Injects code into process "c:\windows\explorer.exe".
   * Creates process "(null),explorer.exe,(null)".
   * Creates process "C:\Archivos de programa\Mozilla Firefox\firefox.exe,,(null)".
   * Injects code into process "c:\archivos de programa\mozilla firefox\firefox.exe".
   * Creates process "C:\WINDOWS\system32\rundll32.exe,"rundll32.exe" C:\WINDOWS\system32\shimgvw.dll,ImageView_Fullscreen C:\DOCUME~1\BUSTER\CONFIG~1\Temp\formeonly.jpg,C:\DOCUME~1\BUSTER\CONFIG~1\Temp\".
   * Creates a mutex "ZonesCounterMutex".
   * Creates a mutex "ZonesCacheCounterMutex".
   * Creates a mutex "ZonesLockedCacheCounterMutex".
   * Creates process "C:\WINDOWS\system32\rundll32.exe,"rundll32.exe" C:\WINDOWS\system32\shimgvw.dll,ImageView_Fullscreen C:\DOCUME~1\BUSTER\CONFIG~1\Temp\formeonly.jpg,C:\Documents and Settings\Buster\Datos de programa\Sandbox\DefaultBox\user\current\Configuración local\Temp".
   * Creates process "C:\Documents and Settings\Buster\Datos de programa\Sandbox\DefaultBox\drive\C\WINDOWS\system32\WinDir\Svchost.exe,"C:\WINDOWS\system32\WinDir\Svchost.exe" ,C:\M\TEST".
   * Creates a mutex "SHIMLIB_LOG_MUTEX".
   * Creates a mutex "2GJWSPI7UBY25L_SAIR".
   * Creates an event named "E4162AEC-7EEF-4ea6-8FB5-E2B6A3CE3504".
```

I feel like that malware behaviour analyzer is not very complete yet.
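A parser for the Malbox mail format quoted above, added here as an example (not code from the thread, BSA or Malbox): it turns the report into events and then checks whether any registry write landed under a well-known autostart key, the persistence signal BSA reported for this sample. The report excerpt is constructed in Malbox's layout, with the Svchost.exe Run-key line added so the check has something to fire on.

```python
"""Parse a Malbox-style mail report into events and flag autostart writes.

Added example (not from the thread or Malbox): handles the layout shown above
(=====Section===== headers, "Kind:" lines, "ACTOR --> target [value]" and
"local:port --> ip:port" lines) and lists writes under autostart keys.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SECTION_RE = re.compile(r"^=+([^=]+?)=+$")
EVENT_RE = re.compile(r"^(?P<actor>\S+) --> (?P<target>.*?)(?: \[(?P<value>.*)\])?$")
TCP_RE = re.compile(r"^local:(?P<lport>\d+) --> (?P<rip>[\d.]+):(?P<rport>\d+)$")
# Run, RunOnce, the Policies Run key and Active Setup: classic persistence spots.
AUTOSTART_RE = re.compile(
    r"\\(CurrentVersion\\Run(Once)?|Policies\\Explorer\\Run|"
    r"Active Setup\\Installed Components)(\\|$)", re.IGNORECASE)

@dataclass
class Event:
    section: str            # e.g. "Behavior Details"
    kind: str               # "Create key", "Set value key", "Tcp Connection", ...
    actor: str
    target: str
    value: Optional[str] = None

def parse_report(text: str) -> List[Event]:
    """Walk the report line by line; banner art and blank lines fall through."""
    events, section, kind = [], "", ""
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section, kind = m.group(1).strip(), ""
        elif line.endswith(":") and " --> " not in line:
            kind = line[:-1]                    # "Create key:" and friends
        elif kind and (m := TCP_RE.match(line)):
            events.append(Event(section, kind, "local:" + m["lport"],
                                f"{m['rip']}:{m['rport']}"))
        elif kind and (m := EVENT_RE.match(line)):
            events.append(Event(section, kind, m["actor"], m["target"], m["value"]))
    return events

def autostart_writes(events: List[Event]) -> List[Event]:
    """Registry creates/sets whose path sits under an autostart key."""
    return [e for e in events
            if e.kind in ("Create key", "Set value key") and AUTOSTART_RE.search(e.target)]

# Constructed excerpt in the Malbox layout; the Svchost.exe line recasts the
# Run-key write BSA reported for this sample into Malbox's line format.
SAMPLE_REPORT = r"""
=====Major Threats=====

=====Behavior Details=====

Create key:
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Set value key:
IEXPLORE.EXE --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Internet Explorer\Toolbar\Locked [0x1]
Svchost.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKLM ["C:\WINDOWS\system32\WinDir\Svchost.exe"]

Tcp Connection:
local:1094 --> 64.62.181.43:80
"""

if __name__ == "__main__":
    evs = parse_report(SAMPLE_REPORT)
    print(f"{len(evs)} events; autostart: {[e.target for e in autostart_writes(evs)]}")
```

Note that RunMRU is deliberately not matched: it sits under Explorer, not under the Run key itself, and Internet Explorer touching it is ordinary behaviour.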
 #6410  by Blaze
 Thu May 19, 2011 8:49 am
Buster_BSA wrote: I feel like that malware behaviour analyzer is not very complete yet.
True, it's still in development but it's always nice to have an extra 2nd opinion if needed.

Alex wrote: Thanks, added to lists.

Cheers !