My monitoring bot, which downloads ransomware, found something different today when it downloaded the sample from kliikers.info (http://www.kernelmode.info/forum/viewto ... t=40#p4840)
VirusTotal 1/43 ~ 8CAA5E3348478C3C0023BD0310593F96_pornoplayer.exe.ViR
http://www.virustotal.com/file-scan/rep ... 1296779373
VirusTotal 1/43 ~ 74EF46EC6C2C92A032144F0D8E80875A_pornoplayer.exe.ViR
http://www.virustotal.com/file-scan/rep ... 1296779377
I see it also drops some stuff in sys32.
Here is a DLL: 2/41
http://www.virustotal.com/file-scan/rep ... 1296781866
From what I understand, it drops a DLL in sys32 with a random name and registers it.
Was someone able to understand/identify what actions are exactly done with the loaded DLL?
Stuff attached.
03/02/2011 - 21:12:16 - 74EF46EC6C2C92A032144F0D8E80875A_pornoplayer.exe.ViR
03/02/2011 - 23:12:19 - 8CAA5E3348478C3C0023BD0310593F96_pornoplayer.exe.ViR
(GMT+1)
You will get some problems afterwards when you launch an exe file (for me the DLL is broken):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
LoadAppInit_DLLs = 1
AppInit_DLLs = C:\WINDOWS\system32\bhjadom.dll
Attachments
passwd: xylibox
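The persistence shown in the post is the classic AppInit_DLLs trick: every process that loads user32.dll also loads whatever is listed in that value, which is why a broken DLL breaks launching any exe. As an added example (not part of the original post or of the sample analysis), here is a small Python checker that reads a `reg export` of the relevant keys and reports which DLLs would actually be injected. The `.reg` text below is constructed to mirror the values quoted in the post; the allowlist parameter and the key list covering Wow6432Node are my additions.

```python
"""Check a Windows registry export for AppInit_DLLs persistence.

Added example, not code from the original post. Feed it the text of
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" out.reg
(plus the Wow6432Node key on x64). reg.exe writes UTF-16, so read the file
with open(path, encoding="utf-16") before passing it in.
"""
import re

# Both keys are consulted by the loader: the first for native processes,
# the second for 32-bit processes on a 64-bit Windows.
APPINIT_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows",
)

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

# Constructed sample input mirroring the values quoted in the post.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\bhjadom.dll"
"LoadAppInit_DLLs"=dword:00000001
"DeviceNotSelectedTimeout"="15"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000000
"""


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_value}} for a .reg export body."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def decode_dword(raw):
    """'dword:00000001' -> 1; anything else -> None."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    return None


def decode_string(raw):
    """Strip the quotes and the doubled backslashes .reg files use."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\")
    return raw


def appinit_findings(text, allowlist=()):
    """Return (key, dll, active) for every DLL listed in AppInit_DLLs.

    active is False only when LoadAppInit_DLLs is explicitly 0, which Vista
    and later honour; when the value is absent (XP) the DLL is loaded anyway.
    DLL paths are split on spaces and commas, the separators the loader accepts.
    """
    allowed = {a.lower() for a in allowlist}
    findings = []
    for key, values in parse_reg_export(text).items():
        if key not in APPINIT_KEYS:
            continue
        load = decode_dword(values.get("LoadAppInit_DLLs", ""))
        active = load != 0
        dlls = decode_string(values.get("AppInit_DLLs", '""')).strip()
        for dll in re.split(r"[ ,]+", dlls):
            if dll and dll.lower() not in allowed:
                findings.append((key, dll, active))
    return findings


if __name__ == "__main__":
    for key, dll, active in appinit_findings(SAMPLE_EXPORT):
        print(f"{'ACTIVE ' if active else 'present'} {dll}  ({key})")
```

On a live box the same values can be read directly with `reg query` or `winreg`, but working from an export lets you run the check over images collected from several machines. Anything reported as active that is not a known, signed vendor DLL deserves a look; a random name under system32, as in the post, is the obvious red flag.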