MalwareMustDie

#MalwareMustDie! Trojan AutoIT (v3 Script)/UPX Packed

Jun 29th, 2013
// #MalwareMustDie! Trojan AutoIT (v3 Script)/UPX Packed
// Trojan backdoor with process injection.
// Attempts to connect to the Russian Federation IP 37.0.122.139 via FTP.
// British-English character-code environment detected in compile traces.
// Source: unknown / sample found in an MMD dropBox analysis request

File:    ./sample.exe
Size:    2165176 bytes
Type:    PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5:     53e6b2c539939cfd0a3dd928da5470c4
SHA1:    74c033243e0e73016b274e0323ad2f99062d3640
Date:    0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
EP:      0x4c2e80 UPX1 1/3 [SUSPICIOUS]
CRC:     Claimed: 0x0, Actual: 0x219f6b [SUSPICIOUS]

// Compilation..

CompiledScript: AutoIt v3 Script: 3, 3, 8, 1
FileVersion: 3, 3, 8, 1
FileDescription:
Translation: 0x0809 0x04b0
Compilation timestamp 2012-01-29 21:32:28
Link date 10:32 PM 1/29/2012

// PE resources by language
   ENGLISH UK 17
   ENGLISH US 2

// Packer..

UPX v0.89.6 - v1.02 / v1.05 - v1.24 -> Markus & Laszlo [overlay]
UPX -> www.upx.sourceforge.net - additional

Sect. Name:     UPX0
MD5   hash:     d41d8cd98f00b204e9800998ecf8427e
SHA-1 hash:     da39a3ee5e6b4b0d3255bfef95601890afd80709
Sect. Name:     UPX1
MD5   hash:     4c66c69384c417c7b84c11e4868e3bc6
SHA-1 hash:     06e7ac8e467c7f463ebff777d7306e6c5d6e10
// (the UPX0 hashes are those of empty input: the section has no raw data on disk, as is normal for UPX)

// File and URL:
FILE:           ICMP.DLL
FILE:           Windows.Com
FILE:           KERNEL32.DLL
FILE:           ADVAPI32.dll
FILE:           COMCTL32.dll
FILE:           COMDLG32.dll
FILE:           GDI32.dll
FILE:           MPR.dll
FILE:           ole32.dll
FILE:           OLEAUT32.dll
FILE:           PSAPI.DLL
FILE:           SHELL32.dll
FILE:           USER32.dll
FILE:           USERENV.dll
FILE:           VERSION.dll
FILE:           WININET.dll
FILE:           WINMM.dll
FILE:           WSOCK32.dll
URL:            None

// HIGHLY SUSPICIOUS API CALLS*
Func. Name:     FtpOpenFileW
Func. Name:     IsDebuggerPresent

// VT Verdict..

VirusTotal: https://www.virustotal.com/en/file/7f765c1797094298050b1d4e112c54bfe7e674747647589c34ec9c64bf50b00f/analysis/
SHA256: 7f765c1797094298050b1d4e112c54bfe7e674747647589c34ec9c64bf50b00f
SHA1: 74c033243e0e73016b274e0323ad2f99062d3640
MD5: 53e6b2c539939cfd0a3dd928da5470c4
File size: 2.1 MB ( 2165176 bytes )
File name: 53e6b2c539939cfd0a3dd928da5470c4
File type: Win32 EXE
Tags: peexe
Detection ratio: 25 / 47
Analysis date: 2013-06-09 10:12:07 UTC ( 2 weeks, 5 days ago )
First submission 2013-06-07 09:36:10 UTC ( 3 weeks ago )
Last submission 2013-06-09 10:12:07 UTC ( 2 weeks, 5 days ago )
File names 74C033243E0E73016B274E0323AD2F99062D3640.exe
              53e6b2c539939cfd0a3dd928da5470c4
              malekal_53e6b2c539939cfd0a3dd928da5470c4

MicroWorld-eScan         : Trojan.Generic.9225695
nProtect                 : Trojan.Generic.9225695
McAfee                   : Artemis!53E6B2C53993
Malwarebytes             : Trojan.Agent.AI
TheHacker                : Backdoor/Poison.etvb
Norman                   : Troj_Generic.LVWBV
ESET-NOD32               : a variant of Win32/Injector.Autoit.JX
TrendMicro-HouseCall     : TROJ_GEN.RCBB1F9
Avast                    : AutoIt:MalOb-AA [Trj]
Kaspersky                : Trojan.Win32.Inject.fmkj
BitDefender              : Trojan.Generic.9225695
Sophos                   : Mal/Generic-S
Comodo                   : UnclassifiedMalware
F-Secure                 : Trojan.Generic.9225695
DrWeb                    : BackDoor.Blackshades.17
VIPRE                    : Trojan.Win32.Generic.pak!cobra
AntiVir                  : TR/Inject.fmkj.4
McAfee-GW-Edition        : Artemis!53E6B2C53993
Emsisoft                 : Trojan.Generic.9225695 (B)
GData                    : Trojan.Generic.9225695
Commtouch                : W32/GenBl.53E6B2C5!Olympus
Ikarus                   : Trojan-PWS.Win32.Skyper
Fortinet                 : W32/Inject.FMKJ!tr
AVG                      : Generic8_c.AGMN
Panda                    : Trj/CI.A

// Injection Process:
PID: 0x2b0
Image Name: lsass.exe

// registry:
HKEY_CURRENT_USER\Control Panel\Mouse
HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{475c7950-e3d2-11e0-8d7a-806d6172696f}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{475c7952-e3d2-11e0-8d7a-806d6172696f}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{475c7952-e3d2-11e0-8d7a-806d6172696f}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{475c7950-e3d2-11e0-8d7a-806d6172696f}\
HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions
HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
HKEY_CLASSES_ROOT\Directory
HKEY_CLASSES_ROOT\Directory\CurVer
HKEY_CLASSES_ROOT\Directory\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CLASSES_ROOT\Directory\\ShellEx\IconHandler
HKEY_CLASSES_ROOT\Directory\\Clsid
HKEY_CLASSES_ROOT\Folder
HKEY_CLASSES_ROOT\Folder\Clsid
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.
HKEY_CLASSES_ROOT\.
HKEY_CLASSES_ROOT\SystemFileAssociations\.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IMM
HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\SystemShared

// secondary mount point drive detected..
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1094da8-30a0-11dd-817b-806d6172696f}\
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1094daa-30a0-11dd-817b-806d6172696f}\

// files:

// drives...
IDE#CdRomVBOX_CD-ROM_____________________________1.0_____#42562d3231303037333036372020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
MountPointManager
STORAGE#Volume#1&30a96598&0&Signature32B832B7Offset7E00Length27F4DB200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

// noted...
C:\WINDOWS\system32\msctfime.ime

// here come the "floods"..
C:\DOCUME~1
C:\Documents and Settings\User
C:\Documents and Settings\User\LOCALS~1
C:\Documents and Settings\User\Local Settings\Temp
  215.  
// mutex
CTF.TimListCache.FMPDefaultS-1-5-21-1547161642-507921405-839522115-1004MUTEX.DefaultS-1-5-21-1547161642-507921405-839522115-1004
ShimCacheMutex

// Networking
Connection attempt (FAILED) to host at IP 37.0.122.139 via FTP.

Network:
ASN    | Prefix        | ASName  | CN                 | Domain         | ISP of an IP Address
198310 | 37.0.120.0/21 | PALLADA | Russian Federation | PW-SERVICE.COM | PALLADA WEB SERVICE LLC

---
#MalwareMustDie!