- English Transcript of Malware Analysis
- Case: #OCJP-025
- Malware: Win32/Trojan.Zeus (dropper/downloader/backdoor/spyware/PDF-exploiter... you name it..)
- ===============================
- I. MALWARE BINARY ANALYSIS :
- ===============================
- File name................: BtxX9KX.exe
- MD5......................: 17bde98108092ed612c4511bd6a633ee
- File size................: 271.5 KB ( 278016 bytes )
- File type................: Win32 EXE
- English Report...........: Wed Mar 14 20:17:36 JST 2012
- Analysis by..............: Hendrik ADRIAN / @unixfreaxjp /0day.jp
- This is the English report, based on the analysis of the malware case reported at:
- 1. http://unixfreaxjp.blogspot.com/2012/03/ocjp-025.html
- 2. https://www.virustotal.com/file/0dbce33621898ecd824a272ce5e960a685051a4a695292efb0b05d604827529e/analysis/
- 3. Base URL: http://pastebin.com/FR07ybTp
- ----------
- ExifTool
- ----------
- UninitializedDataSize....: 0
- InitializedDataSize......: 10752
- ImageVersion.............: 0.0
- ProductName..............: 2q3wet(R) Windows (R) 2000 Operating System
- FileVersionNumber........: 5.0.2137.1
- LanguageCode.............: English (U.S.)
- FileFlagsMask............: 0x003f
- FileDescription..........: Windows TaskManager
- CharacterSet.............: Unicode
- LinkerVersion............: 2.5
- FileOS...................: Windows NT 32-bit
- MIMEType.................: application/octet-stream
- Subsystem................: Windows GUI
- FileVersion..............: 5.00.2137.1
- TimeStamp................: 2012:03:09 01:43:00+01:00
- FileType.................: Win32 EXE
- PEType...................: PE32
- InternalName.............: taskmgr
- ProductVersion...........: 5.00.2137.1
- SubsystemVersion.........: 4.0
- OSVersion................: 4.0
- OriginalFilename.........: taskmgr.exe
- LegalCopyright...........: Copyright (C) 2q3wet Corp. 1991-1999
- MachineType..............: Intel 386 or later, and compatibles
- CompanyName..............: 2q3wet Corporation
- CodeSize.................: 265216
- FileSubtype..............: 0
- ProductVersionNumber.....: 5.0.2137.1
- EntryPoint...............: 0x1210
- ObjectFileType...........: Executable application
- -----------
- PE Structs
- -----------
- Name     V-Address  V-Size  Raw     Entropy  MD5
- .text    4096       1916    2048    5.45     e93f3084f987fa110a4d8ca9274467d9
- .textQ1  8192       262260  262656  7.71     de268b266e26e6a4aef8345fd2a01cd0
- .textQ2  274432     100     512     0.00     bf619eac0cdf3f68d496ea9344137e8b
- .data    278528     444     512     3.84     84072aa523e1285671b0e294565b43e9
- .rsrc    282624     9724    9728    3.59     4e3e01ecc8f6cb1250de57f12d923bf3
- .reloc   294912     116     512     1.76     250b11d9c9c72539dd168073a62fe6ab
- (*) The data above is courtesy of VirusTotal
- -----------------
- Suspected Points
- -----------------
- *) PE file, unknown packer, encryption in use
- *) CRC data unmatched, claimed: 299582 / actual: 299581
- *) Compile time: 2012-03-09 09:43:00 <--- newly built trojan
- *) Entropy 7.71 is suspicious.... (crypter?)
- MD5 hash: de268b266e26e6a4aef8345fd2a01cd0
- SHA-1 hash: 1867abe9de5a2e502bacea4ef897332057a97a20
- Name: .textQ1
- Misc: 0x40074
- Misc_PhysicalAddress: 0x40074
- Misc_VirtualSize: 0x40074
- VirtualAddress: 0x2000
- SizeOfRawData: 0x40200
- PointerToRawData: 0xC00
- PointerToRelocations: 0x0
- PointerToLinenumbers: 0x0
- NumberOfRelocations: 0x0
- NumberOfLinenumbers: 0x0
- Characteristics: 0x60000020
- *) Fake system file information found:
- Length: 0x27C
- ValueLength: 0x0
- Type: 0x1
- LangID: 040904B0
- LegalCopyright: Copyright (C) 2q3wet Corp. 1991-1999
- InternalName: taskmgr
- FileVersion: 5.00.2137.1
- CompanyName: 2q3wet Corporation
- ProductName: 2q3wet(R) Windows (R) 2000 Operating System
- ProductVersion: 5.00.2137.1
- FileDescription: Windows TaskManager
- OriginalFilename: taskmgr.exe
- *) Suspicious use of DLLs:
- OriginalFirstThunk: 0x440E0
- Characteristics: 0x440E0
- TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
- ForwarderChain: 0x0
- Name: 0x44176
- FirstThunk: 0x44104
- KERNEL32.dll.CreateFileA Hint[120] <---- Malware drops
- KERNEL32.dll.GetWindowsDirectoryA Hint[640]
- KERNEL32.dll.lstrlenA Hint[1205]
- KERNEL32.dll.lstrcpyA Hint[1199]
- KERNEL32.dll.VirtualAlloc Hint[1108] <--- DEP privilege
- OriginalFirstThunk: 0x440F8
- Characteristics: 0x440F8
- TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
- ForwarderChain: 0x0
- Name: 0x441A2
- FirstThunk: 0x4411C
- ADVAPI32.dll.RegOpenKeyW Hint[606] <--- Registry Value Check
- ADVAPI32.dll.RegOpenKeyExA Hint[602] <---- Registry Value Check
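The section-level checks listed under "Suspected Points" (per-section entropy, the compile timestamp, a section name such as .textQ1 that no normal linker emits) can be reproduced without a third-party PE parser. The following is an added example in Python; it is not part of the original report and not one of the analyst's tools. It constructs a minimal, non-runnable PE image in memory as test input (one low-entropy code section, one pseudo-random section standing in for the encrypted .textQ1, one zero-filled .data section), parses the COFF and section headers with struct, and applies the same triage. The 7.0 entropy cut-off and the list of "standard" section names are assumptions made for the example, not values taken from the report.

```python
import datetime
import math
import random
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")
# IMAGE_FILE_HEADER (20 bytes): Machine, NumberOfSections, TimeDateStamp,
# PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
FILE_HDR = struct.Struct("<HHIIIHH")

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
ENTROPY_THRESHOLD = 7.0      # assumption: packed/encrypted sections usually score above this
STANDARD_SECTION_NAMES = {   # assumption: names linkers normally emit; anything else is flagged
    ".text", ".data", ".rdata", ".bss", ".idata", ".edata", ".rsrc", ".reloc", ".tls", ".pdata", ".CRT",
}


def shannon_entropy(data):
    """Bits per byte: 0.0 for a single repeated value, close to 8.0 for random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe):
    """Return (TimeDateStamp, [section dicts]) from a raw PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _, nsect, timestamp, _, _, opt_size, _ = FILE_HDR.unpack_from(pe, coff)
    first = coff + FILE_HDR.size + opt_size
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = SECTION_HDR.unpack_from(pe, first + i * SECTION_HDR.size)
        raw = pe[rawptr:rawptr + rawsize]          # entropy is computed over the raw file bytes
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
            "entropy": shannon_entropy(raw), "characteristics": chars,
        })
    return timestamp, sections


def triage(pe):
    """Apply the checks the report lists under 'Suspected Points'."""
    timestamp, sections = parse_sections(pe)
    compiled = datetime.datetime.fromtimestamp(timestamp, datetime.timezone.utc)
    findings = [f"compile time: {compiled:%Y-%m-%d %H:%M:%S} UTC"]
    for s in sections:
        if s["entropy"] > ENTROPY_THRESHOLD:
            findings.append(f"{s['name']}: entropy {s['entropy']:.2f} > {ENTROPY_THRESHOLD} (packed/encrypted?)")
        if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["characteristics"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{s['name']}: writable and executable")
        if s["name"] not in STANDARD_SECTION_NAMES:
            findings.append(f"{s['name']}: non-standard section name")
    return findings


def build_test_pe(sections, timestamp):
    """Construct a minimal PE image in memory (headers plus section data; it cannot execute)."""
    opt_size = 0xE0
    e_lfanew = 0x40
    hdr_end = e_lfanew + 4 + FILE_HDR.size + opt_size + SECTION_HDR.size * len(sections)
    raw_ptr = (hdr_end + 0x1FF) & ~0x1FF                       # 0x200 file alignment
    hdr = bytearray(b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew))
    hdr += b"PE\0\0" + FILE_HDR.pack(0x14C, len(sections), timestamp, 0, 0, opt_size, 0x102)
    hdr += struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # PE32 magic, rest zeroed
    body = bytearray()
    vaddr = 0x1000
    for name, data, chars in sections:
        rawsize = (len(data) + 0x1FF) & ~0x1FF
        hdr += SECTION_HDR.pack(name.ljust(8, b"\0"), len(data), vaddr, rawsize, raw_ptr + len(body), 0, 0, 0, 0, chars)
        body += data.ljust(rawsize, b"\0")
        vaddr += (len(data) + 0xFFF) & ~0xFFF
    return bytes(hdr.ljust(raw_ptr, b"\0") + body)


# Constructed sample: deterministic pseudo-random bytes stand in for the encrypted .textQ1 section.
_rng = random.Random(2012)
SAMPLE_TIMESTAMP = int(datetime.datetime(2012, 3, 9, 0, 43, tzinfo=datetime.timezone.utc).timestamp())
SAMPLE_SECTIONS = [
    (b".text", b"\x55\x8b\xec\x90" * 512, 0x60000020),                           # code, low entropy
    (b".textQ1", bytes(_rng.getrandbits(8) for _ in range(4096)), 0x60000020),   # "encrypted" code
    (b".data", b"\0" * 444, 0xC0000040),                                          # zero-filled data
]

if __name__ == "__main__":
    for line in triage(build_test_pe(SAMPLE_SECTIONS, SAMPLE_TIMESTAMP)):
        print(line)
```

On a real sample, read the file bytes and pass them to triage(); the entropy of the real .textQ1 section (7.71 in the table above) lands well above the cut-off, while .text, .data, .rsrc and .reloc do not.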
- ===============================
- II. MALWARE BEHAVIOUR PROCESS
- ===============================
- initial process:
- sample.exe [/dir/file/pathname] 229,376 bytes
- |
- +payload.exe %AppData%\%payload-dir%\payload.exe 229,376 bytes
- |
- +--Explorer.EXE C:\WINDOWS\Explorer.EXE
- +--ctfmon.exe cmd.exe "C:\WINDOWS\system32\ctfmon.exe"
- +--msmsgs.exe cmd.exe "C:\Program Files\Messenger\msmsgs.exe" /background
- +--reader_sl.exe cmd.exe "C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"
- additional process added later, which stopped soon after:
- (parent: oves.exe)
- |
- +----cmd.exe %System%\cmd.exe 266,240 bytes
- -----------------------------------------------------------------------------
- I report the behaviour analysis of this malware per process binary above,
- in the order below:
- (1) sample.exe
- (2) payload.exe
- (3) Explorer.EXE
- (4) msmsgs.exe
- (5) reader_sl.exe
- -----------------------------------------------------------------------------
- (1) SAMPLE
- File name: sample.exe
- MD5: 17bde98108092ed612c4511bd6a633ee
- File size: 271.5 KB ( 278,016 bytes )
- ---------------------
- REGISTRY
- ---------------------
- reg key create:
- HKEY_CURRENT_USER\Software\Microsoft\Ynpeo
- reg value create:
- [HKEY_CURRENT_USER\Software\Microsoft\Ynpeo]
- 18i62g6a = "Xv7cYZT7zDIVtw=="
- 1cf3ifcc = "df6pYQ=="
- 2cc8dhbc = 69 9A A9 61 9A 89 B6 32 2C B7 E1 76
- ---------------------
- DLLs
- ---------------------
- load:
- C:\WINDOWS\system32\ntdll.dll 0x7C900000 0x000AF000
- C:\WINDOWS\system32\kernel32.dll 0x7C800000 0x000F6000
- C:\WINDOWS\system32\ADVAPI32.dll 0x77DD0000 0x0009B000
- C:\WINDOWS\system32\RPCRT4.dll 0x77E70000 0x00092000
- C:\WINDOWS\system32\Secur32.dll 0x77FE0000 0x00011000
- runtime:
- C:\WINDOWS\system32\NETAPI32.dll 0x5B860000 0x00055000
- C:\WINDOWS\system32\comctl32.dll 0x5D090000 0x0009A000
- C:\WINDOWS\system32\WS2HELP.dll 0x71AA0000 0x00008000
- C:\WINDOWS\system32\WS2_32.dll 0x71AB0000 0x00017000
- C:\WINDOWS\system32\OLEAUT32.dll 0x77120000 0x0008B000
- C:\WINDOWS\system32\WININET.dll 0x771B0000 0x000AA000
- C:\WINDOWS\WinSxS\..comctl32.dll 0x773D0000 0x00103000
- C:\WINDOWS\system32\ole32.dll 0x774E0000 0x0013D000
- C:\WINDOWS\system32\CRYPT32.dll 0x77A80000 0x00095000
- C:\WINDOWS\system32\MSASN1.dll 0x77B20000 0x00012000
- C:\WINDOWS\system32\Apphelp.dll 0x77B40000 0x00022000
- C:\WINDOWS\system32\msvcrt.dll 0x77C10000 0x00058000
- C:\WINDOWS\system32\GDI32.dll 0x77F10000 0x00049000
- C:\WINDOWS\system32\SHLWAPI.dll 0x77F60000 0x00076000
- C:\WINDOWS\system32\SHELL32.dll 0x7C9C0000 0x00817000
- C:\WINDOWS\system32\USER32.dll 0x7E410000 0x00091000
- memory map:
- C:\Documents and Settings\Administrator\Application Data\Ejofd\awylm.exe
- C:\WINDOWS\WinSxS\ ..comctl32.dll
- C:\WINDOWS\WindowsShell.Manifest
- C:\WINDOWS\system32\Apphelp.dll
- C:\WINDOWS\system32\SHELL32.dll
- C:\WINDOWS\system32\WININET.dll
- C:\WINDOWS\system32\WS2HELP.dll
- C:\WINDOWS\system32\WS2_32.dll
- C:\WINDOWS\system32\comctl32.dll
- C:\Windows\AppPatch\sysmain.sdb
- ---------------------
- FILES & DROPS
- ---------------------
- This sample creates one directory with the format below:
- %AppData%\[RANDOM 4characters #1]
- and drops the payload into it with the filename [RANDOM 4characters #2.exe]
- The payload, once executed, creates a directory with the format below:
- %AppData%\[RANDOM 4characters #3]
- and drops its config file into it with the filename [RANDOM 4characters #4.RANDOM 3characters]
- During operation, a temporary file with the format below is used for data exchange:
- [%Temp%\tmp*******.bat]
- Proof of Concept (PoC)
- Two runs were made with the current sample, with the details below:
- -----------------------------------------------------------------------------
- sample:
- C:\sample.exe 278,016 bytes 17bde98108092ed612c4511bd6a633ee
- -----------------------------------------------------------------------------
- Take 1:
- Drops:
- %AppData%\Ygas\oves.exe 278,016 bytes c9c114d777780d35f7353e9520662389
- ↑which drops↓
- %AppData%\Kerez\ixko.liu 1,305 bytes 700f2e487c893e74c00eeb0c1cd7ab4f
- then renamed into: %AppData%\ixko.liu.0 0 bytes d41d8cd98f00b204e9800998ecf8427e
- created temp data: %Temp%\tmp4bbbf287.bat 168 bytes 8feeb2305d2cad502c43e0ec5378115a
- (new directories made during operation)
- %AppData%\Kerez
- %AppData%\Ygas
- ------------------------------------
- Take 2:
- Drops:
- %AppData%\Ejofd\awylm.exe
- ↑which drops↓
- %AppData%\Uhxuig\ylwi.vik
- and then renamed into: %AppData%\ylwi.vik.0
- creating temp data: %Temp%\tmp4bbbf245.bat
- (new directories made during operation)
- %AppData%\Ejofd
- %AppData%\Uhxuig
- -----------------------------------------------------------------------------
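The two runs above give a repeatable on-disk layout (a short randomly named directory under %AppData% holding a single randomly named .exe or config file, an orphaned *.0 config copy directly under %AppData%, and a tmp????????.bat in %Temp%) that a responder can sweep a profile for. The following is an added example, not part of the original report and not the analyst's tooling: it generalises the observed names into patterns and hunts a constructed profile tree built in a temporary directory. The 4-6 letter range and the "exactly one file in the directory" rule are assumptions drawn from the names seen in the two runs, and name-pattern hunting alone is noisy; confirm hits with hashes or prevalence before acting on them.

```python
import os
import re
import tempfile

# Patterns generalised from the names observed in both runs (Ygas/oves.exe, Ejofd/awylm.exe,
# Kerez/ixko.liu, Uhxuig/ylwi.vik, ixko.liu.0, tmp4bbbf287.bat). The 4-6 letter range is an
# assumption drawn from those samples, not a documented property of the malware.
RANDOM_NAME = re.compile(r"^[a-z]{4,6}$", re.I)
CONFIG_FILE = re.compile(r"^[a-z]{4,6}\.[a-z]{3}$", re.I)
ORPHAN_CONFIG = re.compile(r"^[a-z]{4,6}\.[a-z]{3}\.0$", re.I)
TEMP_BAT = re.compile(r"^tmp[0-9a-f]{8}\.bat$", re.I)


def hunt(appdata, temp):
    """Return (category, absolute path) for files matching the dropper's layout."""
    hits = []
    for entry in os.scandir(appdata):
        if entry.is_file():
            if ORPHAN_CONFIG.match(entry.name):
                hits.append(("orphan-config", entry.path))
            continue
        if not RANDOM_NAME.match(entry.name):
            continue
        names = os.listdir(entry.path)
        if len(names) != 1:                 # real application directories hold more than one item
            continue
        name = names[0]
        path = os.path.join(entry.path, name)
        if name.lower().endswith(".exe") and RANDOM_NAME.match(name[:-4]):
            hits.append(("dropper-exe", path))
        elif CONFIG_FILE.match(name):
            hits.append(("config-file", path))
    for name in os.listdir(temp):
        if TEMP_BAT.match(name):
            hits.append(("temp-bat", os.path.join(temp, name)))
    return hits


def _touch(path, content=b""):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(content)


def demo():
    """Build a constructed profile tree mirroring Take 1 plus benign neighbours, then hunt it."""
    with tempfile.TemporaryDirectory() as root:
        appdata = os.path.join(root, "Application Data")
        temp = os.path.join(root, "Temp")
        _touch(os.path.join(appdata, "Ygas", "oves.exe"), b"MZ")
        _touch(os.path.join(appdata, "Kerez", "ixko.liu"), b"\x00" * 16)
        _touch(os.path.join(appdata, "ixko.liu.0"))
        _touch(os.path.join(temp, "tmp4bbbf287.bat"), b"@echo off\r\n")
        # benign neighbours that must not be reported
        _touch(os.path.join(appdata, "Adobe", "Acrobat", "settings.ini"))
        _touch(os.path.join(appdata, "Adobe", "readme.txt"))
        _touch(os.path.join(appdata, "Microsoft", "Word", "normal.dot"))
        _touch(os.path.join(temp, "report.txt"))
        return sorted((cat, os.path.relpath(p, root).replace(os.sep, "/"))
                      for cat, p in hunt(appdata, temp))


if __name__ == "__main__":
    for category, path in demo():
        print(f"{category:14} {path}")
```

To sweep a live profile, call hunt() with the real %AppData% and %Temp% paths instead of the constructed tree.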
- (2) PAYLOAD.EXE
- I found that the payload's name varied every time the sample was run,
- but its characteristics were the same, as described above.
- Its characteristics are as below:
- Name: [random4characters.exe] e.g.: awylm.exe
- MD5: dd507bdc57aacb3df8831c0df734d4aa
- Size: 278,016 Bytes
- ---------------------
- REGISTRY (changed/created)
- --------------------
- key1: HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Azer
- name: 13e9ii4f
- to: 0x5608eb5bc423314f0df5
- key2: HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\
- CurrentVersion\Explorer\Shell Folders
- name: AppData
- to: C:\Documents and Settings\Administrator\Application Data
- ---------------------
- MALICIOUS PROCESS INJECTION
- --------------------
- Remote threads were created by this payload in the following processes:
- C:\WINDOWS\explorer.exe ← registry operations, listening ports, autorun
- C:\WINDOWS\system32\ctfmon.exe ← used to monitor keyboard/mouse activity
- C:\Program Files\Messenger\msmsgs.exe ← messaging to the motherships
- C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe ← executes the malicious PDF files
- through some Windows CVE exploit
- *) explorer.exe was executed by the payload, while ctfmon.exe, msmsgs.exe and reader_sl.exe
- were executed through a cmd.exe shell spawned from explorer.exe by the payload.
- ------------------------------------------------------------------------------------------
- (3) EXPLORER.EXE
- Filename: Explorer.EXE (awylm.exe executes code inside this process's virtual memory)
- MD5: 12896823fb95bfb3dc9b46bcaedc9923
- File Size: 1,033,728 Bytes
- Command Line: C:\WINDOWS\Explorer.EXE
- Status: alive
- This process was executed by the payload's code.
- This process's jobs are:
- - registering the malware as fake software
- - making sure the payload is auto-executed at startup
- - disarming the browser security policy to open global ports
- - opening backdoors
- - preparing the malicious cookies
- - changing/disabling the PC's internet zone settings for malicious purposes
- - accessing the downloaded malicious cookies
- - monitoring the input devices' activity
- Registry Keys Changed:
- ------------------------
- Auto-start function ↓ (auto exec)
- HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN info
- {B0F8B226-65CD-AD7D-E811-5333C5ED7021}
- "C:\Documents and Settings\Administrator\Application Data\Ejofd\awylm.exe"
- HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\Currentversion\Run info
- {B0F8B226-65CD-AD7D-E811-5333C5ED7021}
- "C:\Documents and Settings\Administrator\Application Data\Ejofd\awylm.exe"
- Windows firewall notifications disabled ↓ (disarm firewall notification)
- HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile info
- DisableNotifications
- 0
- UDP port 16,892 opened ↓ (opening tcp & udp backdoor)
- HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List info
- 16892:UDP
- 16892:UDP:*:Enabled:UDP 16892
- TCP port 25,231 opened ↓
- HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List info
- 25231:TCP
- 25231:TCP:*:Enabled:TCP 25231
- Various malware IDs registered as fake software ↓ (register fake software)
- HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Azer
- 363a8039
- 0xd8499e5b29414b4f34f521cf
- HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Azer
- iibc3hd
- 0x34089e5b
- Cookie cleanup on the PC disabled ↓ (disable cleaning up cookies)
- HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\InternetExplorer\Privacy
- CleanCookies
- 0
- Internet zone settings disabled ↓ (disable internet zone for IE)
- HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\0 info
- 1609
- 0
- HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\1 info
- 1406
- 0
- HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\1 info
- 1609
- 0
- HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\2 info
- 1609
- 0
- HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\3 info
- 1406
- 0
- HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\3 info
- 1609
- 0
- HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\4 info
- 1406
- 0
- HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\4 info
- 1609
- 0
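The registry writes above are the host artefacts a responder most wants to triage automatically: a Run entry pointing into a user-writable directory, GloballyOpenPorts additions and other FirewallPolicy writes, Internet Explorer zone actions 1406 (access data sources across domains) and 1609 (display mixed content) set to 0 (enable), and CleanCookies set to 0. The following is an added example, not part of the original report and not the analyst's tooling: it reads change records in the same three-line key / value-name / data layout the report uses and applies those rules. The sample records are constructed from the keys listed above (same SID, paths and data), written with the real "Internet Settings" and "Internet Explorer" spellings that the tool output above runs together; the rule names and severities are assumptions made for the example.

```python
import re

# Value names under ...\Internet Settings\Zones\<n>; data 0 means "Enable" for these action IDs.
IE_ZONE_ACTIONS = {"1406": "access data sources across domains", "1609": "display mixed content"}

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
OPEN_PORTS = re.compile(r"\\FirewallPolicy\\.*\\GloballyOpenPorts\\List$", re.I)
FIREWALL_POLICY = re.compile(r"\\FirewallPolicy\\", re.I)
IE_ZONE = re.compile(r"\\Internet ?Settings\\Zones\\(\d)$", re.I)
IE_PRIVACY = re.compile(r"\\Internet ?Explorer\\Privacy$", re.I)
USER_WRITABLE = re.compile(r"\\Application Data\\|%AppData%|\\AppData\\|\\Temp\\", re.I)


def parse_records(text):
    """Group non-empty lines into (key, value_name, data) triples, as laid out in the report."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 3:
        raise ValueError("expected key / value-name / data triples")
    return [tuple(lines[i:i + 3]) for i in range(0, len(lines), 3)]


def evaluate(key, name, data):
    """Return (rule, severity, detail) findings for one registry write."""
    findings = []
    if RUN_KEY.search(key):
        sev = "high" if USER_WRITABLE.search(data) else "info"
        findings.append(("autorun", sev, f"{name} -> {data}"))
    if OPEN_PORTS.search(key):
        port, proto = data.split(":")[:2]          # "16892:UDP:*:Enabled:UDP 16892"
        findings.append(("firewall-open-port", "high", f"{proto.upper()}/{port}"))
    elif FIREWALL_POLICY.search(key):
        findings.append(("firewall-policy", "medium", f"{name} = {data}"))
    zone = IE_ZONE.search(key)
    if zone and name in IE_ZONE_ACTIONS and data == "0":
        findings.append(("ie-zone-weakened", "medium", f"zone {zone.group(1)}: {IE_ZONE_ACTIONS[name]} enabled"))
    if IE_PRIVACY.search(key) and name == "CleanCookies" and data == "0":
        findings.append(("ie-privacy", "low", "cookie cleanup disabled"))
    return findings


def analyze(text):
    return [f for rec in parse_records(text) for f in evaluate(*rec)]


SID = "S-1-5-21-842925246-1425521274-308236825-500"
# Constructed from the changes listed in the report; the last record (Shell Folders) is a benign
# write that the rules must leave alone.
SAMPLE_CHANGES = r"""
HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run
{B0F8B226-65CD-AD7D-E811-5333C5ED7021}
"C:\Documents and Settings\Administrator\Application Data\Ejofd\awylm.exe"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
DisableNotifications
0
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
16892:UDP
16892:UDP:*:Enabled:UDP 16892
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
25231:TCP
25231:TCP:*:Enabled:TCP 25231
HKU\<SID>\Software\Microsoft\Internet Explorer\Privacy
CleanCookies
0
HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1406
0
HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1609
0
HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
AppData
C:\Documents and Settings\Administrator\Application Data
""".replace("<SID>", SID)

if __name__ == "__main__":
    for rule, severity, detail in analyze(SAMPLE_CHANGES):
        print(f"[{severity:6}] {rule:20} {detail}")
```

The same evaluate() function can be fed from a registry-diff tool's export or from Sysmon registry events once they are mapped to the (key, name, data) shape.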
- Cookie files read by the malware:
- C:\Documents and Settings\Administrator\Cookies\administrator@adobe[1].txt
- C:\Documents and Settings\Administrator\Cookies\administrator@google[1].txt
- C:\Documents and Settings\Administrator\Cookies\administrator@java[1].txt
- C:\Documents and Settings\Administrator\Cookies\administrator@promotion.adobe[1].txt
- C:\Documents and Settings\Administrator\Cookies\administrator@sun[1].txt
- C:\Documents and Settings\Administrator\Cookies\administrator@walkernews[1].txt
- The payload uses these DLLs:
- C:\WINDOWS\System32\wshtcpip.dll
- C:\WINDOWS\system32\hnetcfg.dll
- C:\WINDOWS\system32\mswsock.dll
- Opening the ports above:
- TCP/25231
- UDP/16892
- Listening on the port below:
- TCP/25231
- Creating mutexes:
- Global\{370A7811-AFFA-2A8F-E811-5333C5ED7021}
- Global\{370A7816-AFFD-2A8F-E811-5333C5ED7021}
- Global\{3BE6AF24-78CF-2663-E811-5333C5ED7021}
- Global\{5D329B3C-4CD7-40B7-E811-5333C5ED7021}
- Global\{B69AE452-33B9-AB1F-05EB-B06D2817937F}
- Global\{B69AE452-33B9-AB1F-1DEA-B06D3016937F}
- Global\{B69AE452-33B9-AB1F-55EB-B06D7817937F}
- Global\{B69AE452-33B9-AB1F-7DEB-B06D5017937F}
- Global\{B69AE452-33B9-AB1F-89EB-B06DA417937F}
- Global\{C84914F5-C31E-D5CC-E811-5333C5ED7021}
- Global\{EDE09917-4EFC-F065-E811-5333C5ED7021}
- Local\{56ECCE04-19EF-4B69-E811-5333C5ED7021}
- Local\{56ECCE05-19EE-4B69-E811-5333C5ED7021}
- ------------------------------------------------------------------------------------------
- (4) CTFMON.EXE
- Filename: ctfmon.exe (awylm.exe wrote into this process's virtual memory)
- MD5: 5f1d5f88303d4a4dbc8e5f97ba967cc3
- File Size: 15360 Bytes
- Command Line: "C:\WINDOWS\system32\ctfmon.exe"
- status: alive
- This process is used by the malware to monitor the input devices for malicious purposes.
- It holds the interaction socket, based on the mouse/keyboard movement recorded below:
- Monitoring devices:
- VK_LBUTTON (1) 64 (mouse left-click actions)
- *) PS: explorer.exe uses the same API for the mouse-click interaction.
- Registry Values Modified:
- ------------------------
- HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Azer
- iibc3hd
- 1537083445
- Files Read/Write:
- ------------------
- accessing/reading C:\autoexec.bat
- Using these DLLs:
- C:\WINDOWS\system32\WININET.dll
- C:\WINDOWS\system32\WS2HELP.dll
- C:\WINDOWS\system32\WS2_32.dll
- ------------------------------------------------------------------------------------------
- (5) MSMSGS.EXE
- Filename: msmsgs.exe (awylm.exe wrote into this process's virtual memory)
- MD5: 3e930c641079443d4de036167a69caa2
- File Size: 1,695,232 Bytes
- Command Line: "C:\Program Files\Messenger\msmsgs.exe" /background
- Status: alive
- Executed by shell command through cmd.exe : "C:\Program Files\Messenger\msmsgs.exe /background"
- This program was executed for the malware's networking purposes.
- It runs in the background and is responsible for the traffic in the pcap capture saved at the URL below:
- http://
- It contacts the mothership IP, performs a handshake and sends encrypted data.
- Used DLLs:
- C:\WINDOWS\WindowsShell.Manifest
- C:\WINDOWS\system32\MSOERT2.dll
- C:\WINDOWS\system32\acctres.dll
- C:\WINDOWS\system32\msoeacct.dll
- ------------------------------------------------------------------------------------------
- (6) READER_SL.EXE
- Filename: reader_sl.exe
- MD5: 54c88bfbd055621e2306534f445c0c8d
- File Size: 40,048 Bytes
- Command Line: "C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"
- Status: alive
- This program is suspected to have been executed for the malware's exploitation purposes.
- Executed by shell command through cmd.exe :
- "C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"
- Cannot find significant evidence yet; more time is needed for further simulation.
- Suspected to be used for exploiting the PC through some CVE for malicious purposes.
- Used DLLs:
- C:\WINDOWS\system32\WININET.dll
- C:\WINDOWS\system32\WS2HELP.dll (Windows Socket 2.0 Helper for Windows NT)
- C:\WINDOWS\system32\WS2_32.dll (Windows Socket 2.0 32-Bit DLL)
- ------------------------------------------------------------------------------------------
- =============================
- III. NETWORK TRAFFIC REPORT
- =============================
- This sample, upon successful execution, creates network traffic
- as detailed below:
- PROTOCOL    DESTINATION    NOTE
- ---------------------------------------------
- ICMP        178.19.25.92   mothership's pong (messenger)
- UDP/16892   178.19.25.92   source port (messenger)
- UDP/25939   178.19.25.92   destination port (messenger)
- TCP/16892   94.62.27.189   source port (messenger)
- TCP/28510   94.62.27.189   destination port (messenger)
- TCP/25231   (none)         backdoor/open (explorer)
- *) See below for the captured packet data.
- CAPTURE PACKET DETAILS
- -----------------------------------------------
- No. Time Source Destination Protocol
- 1 0.000000 x.x.x.x 178.19.25.92 UDP
- Source port: 16892
- Destination port: 25939
- Frame 1: 197 bytes on wire (1576 bits), 197 bytes captured (1576 bits)
- Ethernet II, Src: xx:xx:xx:xx:xx, Dst: 92:27:fc:57:72:bb (92:27:fc:57:72:bb)
- Internet Protocol, Src: x.x.x.x, Dst: 178.19.25.92 (178.19.25.92)
- User Datagram Protocol, Src Port: 16892 (16892), Dst Port: 25939 (25939)
- Data (155 bytes)
- 0000 d1 4f 1c 1e da 0e c7 20 33 7b 06 90 fb 6d 98 af .O..... 3{...m..
- 0010 36 74 14 7f 80 1e ac 5f 44 f1 11 45 bf f7 43 b1 6t....._D..E..C.
- 0020 b7 ae f7 51 72 a0 e0 47 99 50 c2 6f a4 5f 3e 4c ...Qr..G.P.o._>L
- 0030 84 b1 31 8f 9a d1 ee 11 5f 25 c3 d3 e7 3e 99 9e ..1....._%...>..
- 0040 c9 04 13 30 88 ed 01 c6 dd 67 d0 cd 9f f0 03 c7 ...0.....g......
- 0050 3c 34 df 32 b6 fb f8 02 50 b0 e7 2e a7 81 0b a2 <4.2....P.......
- 0060 af 86 6c a5 6b 09 bf c5 06 24 a6 1e ab c3 80 22 ..l.k....$....."
- 0070 6e 34 9c fb 38 65 e9 a3 35 7d fe 79 7b 66 39 f6 n4..8e..5}.y{f9.
- 0080 45 c6 f7 5a 03 6b 9b c6 ed 3f 5d 8b 62 54 0e cd E..Z.k...?].bT..
- 0090 f2 4a 73 f0 9c b6 b5 94 76 d3 45 .Js.....v.E
- ------------------------------------------------------------------------
- No. Time Source Destination Protocol
- 2 0.120353 178.19.25.92 x.x.x.x ICMP
- Frame 2: 190 bytes on wire (1520 bits), 190 bytes captured (1520 bits)
- Ethernet II, Src: 92:27:fc:57:72:bb (92:27:fc:57:72:bb), Dst: xx:xx:xx:xx
- Internet Protocol, Src: 178.19.25.92 (178.19.25.92), Dst: x.x.x.x
- Internet Control Message Protocol
- ------------------------------------------------------------------------
- No. Time Source Destination Protocol
- 3 36.124424 x.x.x.x 178.19.25.92 UDP
- Source port: 16892
- Destination port: 28510
- Frame 3: 243 bytes on wire (1944 bits), 243 bytes captured (1944 bits)
- Ethernet II, Src: xx:xx:xx:xx, Dst: 92:27:fc:57:72:bb (92:27:fc:57:72:bb)
- Internet Protocol, Src: x.x.x.x, Dst: 94.62.27.189 (94.62.27.189)
- User Datagram Protocol, Src Port: 16892 (16892), Dst Port: 28510 (28510)
- Data (201 bytes)
- 0000 33 34 b5 b7 07 24 c9 b7 42 ba 88 23 5f d3 eb fd 34...$..B..#_...
- 0010 4e 5e 1b 10 e6 32 00 8c 97 22 c2 96 6c 24 90 62 N^...2..."..l$.b
- 0020 64 7d 24 82 a1 73 33 94 4a 83 11 bc 7f 36 9d ad d}$..s3.J....6..
- 0030 18 c7 42 66 ab 65 bb bd 21 3c f9 ba 6c 19 8a 62 ..Bf.e..!<..l..b
- 0040 e5 e2 01 a7 b3 e7 e1 b4 c4 d6 b4 3a 9d 12 44 8d ...........:..D.
- 0050 44 52 fe c3 1c 35 bb ca a0 1a 1e 08 4b af 25 ec DR...5......K.%.
- 0060 04 23 f5 96 43 80 c8 9c 49 33 d8 9b c5 a1 f1 5f .#..C...I3....._
- 0070 b3 ab c5 fe f2 65 51 8c 7e 3d 7f 2a 24 7a 8d db .....eQ.~=.*$z..
- 0080 1f 25 a0 32 a4 dd 9e 69 d9 99 ed 16 20 ae 47 02 .%.2...i.... .G.
- 0090 a1 de 24 60 01 08 11 80 a4 e3 fc 14 94 9b aa f2 ..$`............
- 00a0 c8 4c f6 db 17 8d b4 32 9e 83 d5 01 a1 0e ed 5f .L.....2......._
- 00b0 76 90 bf 1f d2 d3 0d 51 19 24 e6 10 c1 1b f4 88 v......Q.$......
- 00c0 db 7c 3b fb 33 d0 22 6a 94 .|;.3."j.
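The report describes the UDP payloads above as encrypted. A first check an analyst can run on such a dump is to rebuild the raw bytes from the text and look at the byte distribution: an opaque (encrypted or compressed) payload has a low share of printable characters and a wide byte alphabet, whereas a plaintext protocol does not. The following is an added example, not part of the original report and not the analyst's tooling. It parses the two hex dumps copied from the capture above (155 and 201 data bytes), checks that the decoded length matches the byte count the capture header states, and computes those statistics; the 0.6 printable-ratio threshold is an assumption chosen for the example.

```python
import re

HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")
OFFSET = re.compile(r"^[0-9a-fA-F]{4,8}$")
BYTES_PER_LINE = 16


def parse_hexdump(text, expected_len=None):
    """Rebuild raw bytes from 'offset hh hh ... ascii' dump lines.

    Hex tokens on a line are consumed only up to 16 bytes (and never past expected_len), so a
    two-character hex-looking word in the ASCII gutter is not mistaken for data. Offsets must be
    contiguous, which catches a dropped or duplicated line.
    """
    out = bytearray()
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 2 or not OFFSET.match(tokens[0]):
            continue                        # header or trailing text, not a dump line
        offset = int(tokens[0], 16)
        if offset != len(out):
            raise ValueError(f"offset {offset:#06x} does not follow {len(out):#06x}")
        for tok in tokens[1:]:
            line_full = len(out) - offset >= BYTES_PER_LINE
            total_full = expected_len is not None and len(out) >= expected_len
            if line_full or total_full or not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    if expected_len is not None and len(out) != expected_len:
        raise ValueError(f"decoded {len(out)} bytes, capture header says {expected_len}")
    return bytes(out)


def byte_stats(data):
    """Crude plaintext-vs-opaque check: printable share and alphabet size of the payload."""
    printable = sum(1 for b in data if 0x20 <= b <= 0x7E)
    ratio = printable / len(data) if data else 0.0
    return {
        "length": len(data),
        "printable_ratio": round(ratio, 3),
        "distinct": len(set(data)),
        "looks_opaque": len(data) >= 64 and ratio < 0.6,   # assumption: threshold for the example
    }


# Frame 1 (155 data bytes) and frame 3 (201 data bytes), copied from the capture above.
FRAME1_DUMP = """
0000 d1 4f 1c 1e da 0e c7 20 33 7b 06 90 fb 6d 98 af .O..... 3{...m..
0010 36 74 14 7f 80 1e ac 5f 44 f1 11 45 bf f7 43 b1 6t....._D..E..C.
0020 b7 ae f7 51 72 a0 e0 47 99 50 c2 6f a4 5f 3e 4c ...Qr..G.P.o._>L
0030 84 b1 31 8f 9a d1 ee 11 5f 25 c3 d3 e7 3e 99 9e ..1....._%...>..
0040 c9 04 13 30 88 ed 01 c6 dd 67 d0 cd 9f f0 03 c7 ...0.....g......
0050 3c 34 df 32 b6 fb f8 02 50 b0 e7 2e a7 81 0b a2 <4.2....P.......
0060 af 86 6c a5 6b 09 bf c5 06 24 a6 1e ab c3 80 22 ..l.k....$....."
0070 6e 34 9c fb 38 65 e9 a3 35 7d fe 79 7b 66 39 f6 n4..8e..5}.y{f9.
0080 45 c6 f7 5a 03 6b 9b c6 ed 3f 5d 8b 62 54 0e cd E..Z.k...?].bT..
0090 f2 4a 73 f0 9c b6 b5 94 76 d3 45 .Js.....v.E
"""
FRAME3_DUMP = """
0000 33 34 b5 b7 07 24 c9 b7 42 ba 88 23 5f d3 eb fd 34...$..B..#_...
0010 4e 5e 1b 10 e6 32 00 8c 97 22 c2 96 6c 24 90 62 N^...2..."..l$.b
0020 64 7d 24 82 a1 73 33 94 4a 83 11 bc 7f 36 9d ad d}$..s3.J....6..
0030 18 c7 42 66 ab 65 bb bd 21 3c f9 ba 6c 19 8a 62 ..Bf.e..!<..l..b
0040 e5 e2 01 a7 b3 e7 e1 b4 c4 d6 b4 3a 9d 12 44 8d ...........:..D.
0050 44 52 fe c3 1c 35 bb ca a0 1a 1e 08 4b af 25 ec DR...5......K.%.
0060 04 23 f5 96 43 80 c8 9c 49 33 d8 9b c5 a1 f1 5f .#..C...I3....._
0070 b3 ab c5 fe f2 65 51 8c 7e 3d 7f 2a 24 7a 8d db .....eQ.~=.*$z..
0080 1f 25 a0 32 a4 dd 9e 69 d9 99 ed 16 20 ae 47 02 .%.2...i.... .G.
0090 a1 de 24 60 01 08 11 80 a4 e3 fc 14 94 9b aa f2 ..$`............
00a0 c8 4c f6 db 17 8d b4 32 9e 83 d5 01 a1 0e ed 5f .L.....2......._
00b0 76 90 bf 1f d2 d3 0d 51 19 24 e6 10 c1 1b f4 88 v......Q.$......
00c0 db 7c 3b fb 33 d0 22 6a 94 .|;.3."j.
"""

if __name__ == "__main__":
    for label, dump, n in (("frame 1", FRAME1_DUMP, 155), ("frame 3", FRAME3_DUMP, 201)):
        print(label, byte_stats(parse_hexdump(dump, n)))
```

The same parser can be pointed at any Wireshark "Copy as Hex Dump" text; the low printable share of both payloads is consistent with the report's reading that the data is encrypted, although it cannot distinguish encryption from compression.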
- =================================
- IV. MALWARE VERDICT
- =================================
- SHA1: 416548086c39938fd2d8194c27958261314c01e2
- MD5: 17bde98108092ed612c4511bd6a633ee
- File size: 271.5 KB ( 278016 bytes )
- File name: BtxX9KX.exe
- File type: Win32 EXE
- Detection ratio: 33 / 43
- URL: https://www.virustotal.com/file/0dbce33621898ecd824a272ce5e960a685051a4a695292efb0b05d604827529e/analysis/
- Antivirus             Result                            Update
- ----------------------------------------------------------------
- AhnLab-V3             Spyware/Win32.Zbot                20120313
- AntiVir               TR/Offend.KD.552855               20120314
- Antiy-AVL             Trojan/Win32.Zbot                 20120314
- Avast                 Win32:Zbot-OCM [Trj]              20120314
- AVG                   PSW.Generic9.BQLB                 20120314
- BitDefender           Trojan.Spy.Zbot.EVB               20120314
- ByteHero              Trojan.Win32.Heur.Gen             20120309
- CAT-QuickHeal         TrojanSpy.Zbot.dmzm               20120314
- ClamAV                -                                 20120314
- Commtouch             W32/Zbot.DQ3.gen!Eldorado         20120314
- Comodo                TrojWare.Win32.Trojan.Agent.Gen   20120313
- DrWeb                 Trojan.PWS.Panda.1698             20120314
- Emsisoft              Trojan-PWS.Win32.Zbot!IK          20120314
- eSafe                 -                                 20120313
- eTrust-Vet            -                                 20120314
- F-Prot                W32/Zbot.DQ3.gen!Eldorado         20120314
- F-Secure              Trojan.Spy.Zbot.EVB               20120314
- Fortinet              W32/Zbot.AAN!tr                   20120314
- GData                 Trojan.Spy.Zbot.EVB               20120314
- Ikarus                Trojan-PWS.Win32.Zbot             20120314
- Jiangmin              -                                 20120301
- K7AntiVirus           Trojan                            20120313
- Kaspersky             Trojan-Spy.Win32.Zbot.dmzm        20120314
- McAfee                Artemis!17BDE9810809              20120308
- McAfee-GW-Edition     Generic PWS.y!d2k                 20120314
- Microsoft             PWS:Win32/Zbot.gen!AF             20120314
- NOD32                 Win32/Spy.Zbot.AAN                20120314
- Norman                W32/Zbot.BMRX                     20120314
- nProtect              Trojan/W32.Agent.278016.DC        20120314
- Panda                 Generic Trojan                    20120313
- PCTools               -                                 20120313
- Prevx                 -                                 20120314
- Rising                Trojan.Win32.Generic.12B9C7CD     20120314
- Sophos                Mal/Toqwet-A                      20120314
- SUPERAntiSpyware      -                                 20120314
- Symantec              WS.Reputation.1                   20120314
- TheHacker             Trojan/Dropper.Injector.dffv      20120313
- TrendMicro            -                                 20120314
- TrendMicro-HouseCall  TSPY_ZBOT.BUM                     20120314
- VBA32                 -                                 20120313
- VIPRE                 Trojan.Win32.Generic.pak!cobra    20120314
- ViRobot               -                                 20120314
- VirusBuster           TrojanSpy.Zbot!FzMiqMxwcJ8        20120314
- ---
- Operation Cleanup Japan - #OCJP
- ZeroDay Japan
- http://0day.jp
- Malware Analyst: Hendrik ADRIAN / アドリアン・ヘンドリック
- Twitter/VirusTotal/Google: @unixfreaxjp
- Analysis Blog: http://unixfreaxjp.blogspot.com