View difference between Paste ID: <a href="/FR07ybTp">FR07ybTp</a> and <a href="/m4bnE5HC">m4bnE5HC</a> - Pastebin.com

View difference between Paste ID: FR07ybTp and m4bnE5HC

SHOW: | | - or go back to the newest paste.

English Transcript of Malware Analysis
Case: #OCJP-025
Malware: Win32/Trojan.Zeus (dropper/downloader/backdoor/spyware/PDF-exploiter... you name it..)

===============================
I. MALWARE BINARY ANALYSIS :
===============================

File name................: BtxX9KX.exe
MD5......................: 17bde98108092ed612c4511bd6a633ee
File size................: 271.5 KB ( 278016 bytes )
File type................: Win32 EXE
English Report...........: Wed Mar 14 20:17:36 JST 2012
Analysis by..............: Hendrik ADRIAN / @unixfreaxjp /0day.jp

This is the english report base analysis of malware case reported at:
1. http://unixfreaxjp.blogspot.com/2012/03/ocjp-025.html
2. https://www.virustotal.com/file/0dbce33621898ecd824a272ce5e960a685051a4a695292efb0b05d604827529e/analysis/
3. Base URL: http://pastebin.com/FR07ybTp
----------
ExifTool
----------
UninitializedDataSize....: 0
InitializedDataSize......: 10752
ImageVersion.............: 0.0
ProductName..............: 2q3wet(R) Windows (R) 2000 Operating System
FileVersionNumber........: 5.0.2137.1
LanguageCode.............: English (U.S.)
FileFlagsMask............: 0x003f
FileDescription..........: Windows TaskManager
CharacterSet.............: Unicode
LinkerVersion............: 2.5
FileOS...................: Windows NT 32-bit
MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
FileVersion..............: 5.00.2137.1
TimeStamp................: 2012:03:09 01:43:00+01:00
FileType.................: Win32 EXE
PEType...................: PE32
InternalName.............: taskmgr
ProductVersion...........: 5.00.2137.1
SubsystemVersion.........: 4.0
OSVersion................: 4.0
OriginalFilename.........: taskmgr.exe
LegalCopyright...........: Copyright (C) 2q3wet Corp. 1991-1999
MachineType..............: Intel 386 or later, and compatibles
CompanyName..............: 2q3wet Corporation
CodeSize.................: 265216
FileSubtype..............: 0
ProductVersionNumber.....: 5.0.2137.1
EntryPoint...............: 0x1210
ObjectFileType...........: Executable application

-----------
PE Structs
-----------
Name      V-Address  V-Size   Raw      Entropy  MD5
.text       4096    1916      2048     5.45  e93f3084f987fa110a4d8ca9274467d9
.textQ1     8192  262260    262656     7.71  de268b266e26e6a4aef8345fd2a01cd0
.textQ2   274432     100       512     0.00  bf619eac0cdf3f68d496ea9344137e8b
.data     278528     444       512     3.84  84072aa523e1285671b0e294565b43e9
.rsrc     282624    9724      9728     3.59  4e3e01ecc8f6cb1250de57f12d923bf3
.reloc    294912     116       512     1.76  250b11d9c9c72539dd168073a62fe6ab

(*) Below datas with thank's for Virus Total
(*) Above datas with thank's for Virus Total

-----------------
Suspected Points
-----------------

*) PE File, unknown packer, used encryption
   
*) CRC Data Unmatched, Claimed:  299582 / Actual:  299581
*) Compile Time: 2012-03-09 09:43:00 <---new made trojan

*) Entropy 7.71 is suspicious....(crypter?)
MD5     hash: de268b266e26e6a4aef8345fd2a01cd0
SHA-1   hash: 1867abe9de5a2e502bacea4ef897332057a97a20
Name:                          .textQ1
Misc:                          0x40074   
Misc_PhysicalAddress:          0x40074   
Misc_VirtualSize:              0x40074   
VirtualAddress:                0x2000    
SizeOfRawData:                 0x40200   
PointerToRawData:              0xC00     
PointerToRelocations:          0x0       
PointerToLinenumbers:          0x0       
NumberOfRelocations:           0x0       
NumberOfLinenumbers:           0x0       
Characteristics:               0x60000020 

*) Fake system file information found:
Length:                        0x27C     
ValueLength:                   0x0       
Type:                          0x1       
LangID: 040904B0
  LegalCopyright: Copyright (C) 2q3wet Corp. 1991-1999
  InternalName: taskmgr
  FileVersion: 5.00.2137.1
  CompanyName: 2q3wet Corporation
  ProductName: 2q3wet(R) Windows (R) 2000 Operating System
  ProductVersion: 5.00.2137.1
  FileDescription: Windows TaskManager
  OriginalFilename: taskmgr.exe


*) Suspicious used of DLL:
OriginalFirstThunk:            0x440E0   
Characteristics:               0x440E0   
TimeDateStamp:                 0x0        [Thu Jan 01 00:00:00 1970 UTC]
ForwarderChain:                0x0       
Name:                          0x44176   
FirstThunk:                    0x44104   
KERNEL32.dll.CreateFileA Hint[120] <---- Malware drops
KERNEL32.dll.GetWindowsDirectoryA Hint[640]
KERNEL32.dll.lstrlenA Hint[1205]
KERNEL32.dll.lstrcpyA Hint[1199]
KERNEL32.dll.VirtualAlloc Hint[1108] <--- DEP privilege

OriginalFirstThunk:            0x440F8   
Characteristics:               0x440F8   
TimeDateStamp:                 0x0        [Thu Jan 01 00:00:00 1970 UTC]
ForwarderChain:                0x0       
Name:                          0x441A2   
FirstThunk:                    0x4411C   
ADVAPI32.dll.RegOpenKeyW Hint[606] <--- Registry Value Check
ADVAPI32.dll.RegOpenKeyExA Hint[602] <---- Registry Value Check

===============================
II. MALWARE BEHAVIOUR PROCESS
===============================

initial process:

sample.exe             [/dir/file/pathname]                 229,376 bytes
  |
  +payload.exe         %AppData%\%payload-dir%\payload.exe  229,376 bytes
    |
    +--Explorer.EXE    C:\WINDOWS\Explorer.EXE
    +--ctfmon.exe      cmd.exe "C:\WINDOWS\system32\ctfmon.exe"
    +--msmsgs.exe      cmd.exe "C:\Program Files\Messenger\msmsgs.exe" /background
    +--reader_sl.exe   cmd.exe "C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"

later added additional process w/soon stopped:
(parent: oves.exe)    
   |
   +----cmd.exe	       %System%\cmd.exe             266,240 bytes


-----------------------------------------------------------------------------
I report the behavior analysis of this malware per process binary above 
with the below priority:
(1) sample.exe
(2) payload.exe
(3) Explorer.EXE
(4) msmsgs.exe
(5) reader_sl.exe
-----------------------------------------------------------------------------

(1) SAMPLE
File name: sample.exe 
MD5: 	   17bde98108092ed612c4511bd6a633ee
File size: 271.5 KB ( 278,016 bytes )

---------------------
REGISTRY
---------------------
reg key create:
    HKEY_CURRENT_USER\Software\Microsoft\Ynpeo

reg value create:
    [HKEY_CURRENT_USER\Software\Microsoft\Ynpeo]
        18i62g6a = "Xv7cYZT7zDIVtw=="
        1cf3ifcc = "df6pYQ=="
        2cc8dhbc = 69 9A A9 61 9A 89 B6 32 2C B7 E1 76

---------------------
DLLs
---------------------
load:
C:\WINDOWS\system32\ntdll.dll    0x7C900000  	0x000AF000 
C:\WINDOWS\system32\kernel32.dll 0x7C800000  	0x000F6000 
C:\WINDOWS\system32\ADVAPI32.dll 0x77DD0000  	0x0009B000 
C:\WINDOWS\system32\RPCRT4.dll   0x77E70000  	0x00092000 
C:\WINDOWS\system32\Secur32.dll  0x77FE0000  	0x00011000 

runtime:
C:\WINDOWS\system32\NETAPI32.dll 0x5B860000  	0x00055000
C:\WINDOWS\system32\comctl32.dll 0x5D090000  	0x0009A000
C:\WINDOWS\system32\WS2HELP.dll  0x71AA0000  	0x00008000
C:\WINDOWS\system32\WS2_32.dll   0x71AB0000  	0x00017000
C:\WINDOWS\system32\OLEAUT32.dll 0x77120000  	0x0008B000
C:\WINDOWS\system32\WININET.dll  0x771B0000  	0x000AA000
C:\WINDOWS\WinSxS\..comctl32.dll 0x773D0000  	0x00103000
C:\WINDOWS\system32\ole32.dll  	 0x774E0000  	0x0013D000
C:\WINDOWS\system32\CRYPT32.dll  0x77A80000  	0x00095000
C:\WINDOWS\system32\MSASN1.dll   0x77B20000  	0x00012000
C:\WINDOWS\system32\Apphelp.dll  0x77B40000  	0x00022000
C:\WINDOWS\system32\msvcrt.dll   0x77C10000  	0x00058000
C:\WINDOWS\system32\GDI32.dll  	 0x77F10000  	0x00049000
C:\WINDOWS\system32\SHLWAPI.dll  0x77F60000  	0x00076000
C:\WINDOWS\system32\SHELL32.dll  0x7C9C0000  	0x00817000
C:\WINDOWS\system32\USER32.dll   0x7E410000  	0x00091000

memory map:
C:\Documents and Settings\Administrator\Application Data\Ejofd\awylm.exe
C:\WINDOWS\WinSxS\ ..comctl32.dll
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\system32\Apphelp.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\WININET.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\comctl32.dll
C:\Windows\AppPatch\sysmain.sdb

---------------------
FILES & DROPS
---------------------

This sample is creating one directory with the below format:
%AppData%\[RANDOM 4characters #1]
to drop in it the payload with the filename [RANDOM 4characters #2.exe]

And the payload upon executed will create the directory w/ below format:
%AppData%\[RANDOM 4characters #3]
to drop in it config files with filename [RANDOM 4characters #4.RANDOM 3characters]

During the operation the temporary data exchange is used w/ the format below:
[%Temp%\tmp*******.bat]

Proof of Concept (PoC)

2 tries was taken w/the current sample w/the below details:
-----------------------------------------------------------------------------
sample:
C:\sample.exe                 278,016 bytes 17bde98108092ed612c4511bd6a633ee 
-----------------------------------------------------------------------------
Take 1:
Drops:
%AppData%\Ygas\oves.exe                   278,016bytes  c9c114d777780d35f7353e9520662389
  ↑which drops↓
%AppData%\Kerez\ixko.liu                    1,305bytes 700f2e487c893e74c00eeb0c1cd7ab4f
  then renamed into: %AppData%\ixko.liu.0       0bytes d41d8cd98f00b204e9800998ecf8427e 
  created temp data: %Temp%\tmp4bbbf287.bat  168 bytes 8feeb2305d2cad502c43e0ec5378115a
(new dirs made during opeartion)
%AppData%\Kerez
%AppData%\Ygas
------------------------------------
Take 2:
Drops:
%AppData%\Ejofd\awylm.exe
  ↑which drops↓
%AppData%\Uhxuig\ylwi.vik
  and then renamed into: %AppData%\ylwi.vik.0 
  creating temp data: %Temp%\tmp4bbbf245.bat
(new dirs made during opeartion)
%AppData%\Ejofd
%AppData%\Uhxuig

-----------------------------------------------------------------------------

(2) PAYLOAD.EXE

I found the payload was varied in names in everytime you run the sample, 
but the characteristic is same, as per described above.

Characteristic which is as per below:

Name: [random4characters.exe] i.e.: awylm.exe 
MD5:  dd507bdc57aacb3df8831c0df734d4aa 
Size: 278,016 Bytes

---------------------
REGISTRY (changed/created)
--------------------
key1: HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Azer
name: 13e9ii4f
to:   0x5608eb5bc423314f0df5

key2: HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​
      CurrentVersion\​Explorer\​Shell Folders  
name: AppData
to:   C:\​Documents and Settings\​Administrator\​Application Data 

---------------------
MALICIOUS PROCESS INJECTION
--------------------
Remote threads was created by this payload with the following details:
C:\WINDOWS\explorer.exe              ←registry op, listening ports, autorun
C:\WINDOWS\system32\ctfmon.exe       ←being used to monitor keyboard/mouse activities
C:\Program Files\Messenger\msmsgs.exe ←messaging to motherships
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe ←execute the malicious PDF files
                                                         due to some windows CVE exploit
*) explorer.exe was executed by payload, while-
ctfmon.exe, msmsgs.exe & reader_sl.exe was executed by cmd.exe shell through explorer.exe-
by payload.

------------------------------------------------------------------------------------------

(3) EXPLORER.EXE

Filename:       Explorer.EXE (awylm.exe execute this process in virtual memory)
MD5: 	        12896823fb95bfb3dc9b46bcaedc9923 
File Size:      1,033,728 Bytes
Command Line:   C:\WINDOWS\Explorer.EXE 
Sstatus:        alive 

This process was executed by code of payload.
This process' jobs are:
 - making registration of malware as fake software
 - make sure the payload get autoexecuted start
 - disarm the browser security policy for opening global port
 - opening backdoors, 
 - Preparing the malicious cookies
 - Changing/disable PC internet zone for malicous purpose
 - Accessing downloaded malicious cookies
 - Monitoring the input device7s activities


Registry Keys Changed:
------------------------
自動起動機能↓(auto exec)
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  info 	
{B0F8B226-65CD-AD7D-E811-5333C5ED7021}  	
"C:\Documents and Settings\Administrator\Application Data\Ejofd\awylm.exe"

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\Currentversion\Run  info
{B0F8B226-65CD-AD7D-E811-5333C5ED7021}  	
"C:\Documents and Settings\Administrator\Application Data\Ejofd\awylm.exe"

Windowsファイウォールを無効にされて(disarm firewall notification)
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile  info
DisableNotifications  	
0 

UDPポート16,892をオープンされて↓(opening tcp & udp backdoor)
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List info
16892:UDP  	
16892:UDP:*:Enabled:UDP 16892 

TCPポート25,231をオープンされて↓
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List info
25231:TCP  	
25231:TCP:*:Enabled:TCP 25231

色々マルウェアIDをニセソフトで登録されて(regist fake software)
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Azer
363a8039  	
0xd8499e5b29414b4f34f521cf 

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Azer
iibc3hd  	
0x34089e5b 

パソコンのCookiesをクリーンアップされた↓(disable cleaning up cookies)
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\InternetExplorer\Privacy
CleanCookies  	
0 

インターネットZONEの設定を無効された↓(dsable internet zone for IE)
HKU\S-1-5-21-842925246-1425521274-308236825-500\​Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\0 info
1609  	
0 

HKU\S-1-5-21-842925246-1425521274-308236825-500\​Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\1 info
1406  	
0 

HKU\S-1-5-21-842925246-1425521274-308236825-500\​Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\1 info
1609  	
0
 
HKU\S-1-5-21-842925246-1425521274-308236825-500\​Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\2 info
1609  	
0
 
HKU\S-1-5-21-842925246-1425521274-308236825-500\​Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\3 info
1406  	
0
 
HKU\S-1-5-21-842925246-1425521274-308236825-500\​Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\3 info
1609  	
0
 
HKU\S-1-5-21-842925246-1425521274-308236825-500\​Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\4 info
1406  	
0
 
HKU\S-1-5-21-842925246-1425521274-308236825-500\​Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\4 info
1609  	
0

Read malware Cookies files:
C:\Documents and Settings\Administrator\Cookies\administrator@adobe[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@google[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@java[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@promotion.adobe[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@sun[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@walkernews[1].txt

payload is using these DLL:
C:\WINDOWS\System32\wshtcpip.dll
C:\WINDOWS\system32\hnetcfg.dll
C:\WINDOWS\system32\mswsock.dll

Opening previous ports:
TCP/25231
UDP/16892

listening at the below port:
TCP/25231

creating mutexes:
Global\{370A7811-AFFA-2A8F-E811-5333C5ED7021}
Global\{370A7816-AFFD-2A8F-E811-5333C5ED7021}
Global\{3BE6AF24-78CF-2663-E811-5333C5ED7021}
Global\{5D329B3C-4CD7-40B7-E811-5333C5ED7021}
Global\{B69AE452-33B9-AB1F-05EB-B06D2817937F}
Global\{B69AE452-33B9-AB1F-1DEA-B06D3016937F}
Global\{B69AE452-33B9-AB1F-55EB-B06D7817937F}
Global\{B69AE452-33B9-AB1F-7DEB-B06D5017937F}
Global\{B69AE452-33B9-AB1F-89EB-B06DA417937F}
Global\{C84914F5-C31E-D5CC-E811-5333C5ED7021}
Global\{EDE09917-4EFC-F065-E811-5333C5ED7021}
Local\{56ECCE04-19EF-4B69-E811-5333C5ED7021}
Local\{56ECCE05-19EE-4B69-E811-5333C5ED7021}

------------------------------------------------------------------------------------------

(4) CTFMON.EXE
Filename: 	ctfmon.exe (awylm.exe wrote to this process in virtual memory)
MD5:            5f1d5f88303d4a4dbc8e5f97ba967cc3 
File Size: 	15360 Bytes
Command Line: 	"C:\WINDOWS\system32\ctfmon.exe"  
status:         alive 

This malware is having purpose to monitor the input device for malicious purpose.
It has the interaction socket due to th emovement of mouse/keyboard recorded below:

Monitoring devices:
VK_LBUTTON (1)  	64 (Mouse Lect Click actions)
*) PS: the explorer.exe using the same API for mouse clicking interaction.


Registry Values Modified:
------------------------
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Azer  	
iibc3hd  	
1537083445  

Files Read/Write:
------------------
accesssing/reading C:\autoexec.bat

Using these DLL:
C:\WINDOWS\system32\WININET.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\WS2_32.dll

------------------------------------------------------------------------------------------

(5) MSMSGS.EXE

Filename: 	msmsgs.exe (awylm.exe wrote to this process in virtual memory)
MD5: 	        3e930c641079443d4de036167a69caa2 
File Size: 	1,695,232 Bytes
Command Line: 	"C:\Program Files\Messenger\msmsgs.exe" /background 
Status:         alive 

Executed by shell command through cmd.exe : "C:\Program Files\Messenger\msmsgs.exe /background"
This program was ececuted for malware networking purpose.
Running in the background and responsible to the pcap capture traffic saved at the below URL:
http://
It contacts the mothership IP, having handshake comm and sending encrypted data.

Used DLL:
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\system32\MSOERT2.dll
C:\WINDOWS\system32\acctres.dll
C:\WINDOWS\system32\msoeacct.dll

------------------------------------------------------------------------------------------

(6) READER_SL.EXE

Filename:       reader_sl.exe 
MD5:            54c88bfbd055621e2306534f445c0c8d 
File Size:      40,048 Bytes
Command Line:   "C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"  
Status:         alive 

This program was suspected executed for malware exploit purpose.
Executed by shell command through cmd.exe : 
"C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"  

Cannot find the significant evidence yet. Need more time to simulate more.
Suspected to be used for exploiting PC with some CVE exploitation for the malicius purpose.

Used DLL:
C:\WINDOWS\system32\WININET.dll
C:\WINDOWS\system32\WS2HELP.dll (Windows Socket 2.0 Helper for Windows NT)
C:\WINDOWS\system32\WS2_32.dll (Windows Socket 2.0 32-Bit DLL)
------------------------------------------------------------------------------------------


=============================
III. NETWORK TRAFFIC REPORT
=============================

This sample upon executed successfully will create the network traffic,
as per below details:

PROTOCOL     DESTINATION  NOTE
---------------------------------------------
ICMP         178.19.25.92 mothership's pong (messenger)
UDP/16892    178.19.25.92 source port  (messenger)
UDP/25939    178.19.25.92 destination port (messenger)
TCP/16892    94.62.27.189 source port (messenger)
TCP/28510    94.62.27.189 destination port (messenger)
TCP/25231    (none)       backdoor/open (explorer)
*) See belowfor the captured packet data.

CAPTURE PACKET DETAILS
-----------------------------------------------
No. Time      Source    Destination  Protocol
1   0.000000  x.x.x.x   178.19.25.92 UDP      
Source port: 16892  
Destination port: 25939

Frame 1: 197 bytes on wire (1576 bits), 197 bytes captured (1576 bits)
Ethernet II, Src: xx:xx:xx:xx:xx, Dst: 92:27:fc:57:72:bb (92:27:fc:57:72:bb)
Internet Protocol, Src: x.x.x.x, Dst: 178.19.25.92 (178.19.25.92)
User Datagram Protocol, Src Port: 16892 (16892), Dst Port: 25939 (25939)
Data (155 bytes)

0000  d1 4f 1c 1e da 0e c7 20 33 7b 06 90 fb 6d 98 af   .O..... 3{...m..
0010  36 74 14 7f 80 1e ac 5f 44 f1 11 45 bf f7 43 b1   6t....._D..E..C.
0020  b7 ae f7 51 72 a0 e0 47 99 50 c2 6f a4 5f 3e 4c   ...Qr..G.P.o._>L
0030  84 b1 31 8f 9a d1 ee 11 5f 25 c3 d3 e7 3e 99 9e   ..1....._%...>..
0040  c9 04 13 30 88 ed 01 c6 dd 67 d0 cd 9f f0 03 c7   ...0.....g......
0050  3c 34 df 32 b6 fb f8 02 50 b0 e7 2e a7 81 0b a2   <4.2....P.......
0060  af 86 6c a5 6b 09 bf c5 06 24 a6 1e ab c3 80 22   ..l.k....$....."
0070  6e 34 9c fb 38 65 e9 a3 35 7d fe 79 7b 66 39 f6   n4..8e..5}.y{f9.
0080  45 c6 f7 5a 03 6b 9b c6 ed 3f 5d 8b 62 54 0e cd   E..Z.k...?].bT..
0090  f2 4a 73 f0 9c b6 b5 94 76 d3 45                  .Js.....v.E

------------------------------------------------------------------------
No. Time      Source       Destination  Protocol
2   0.120353  178.19.25.92 x.x.x.x  ICMP     

Frame 2: 190 bytes on wire (1520 bits), 190 bytes captured (1520 bits)
Ethernet II, Src: 92:27:fc:57:72:bb (92:27:fc:57:72:bb), Dst: xx:xx:xx:xx
Internet Protocol, Src: 178.19.25.92 (178.19.25.92), Dst: x.x.x.x
Internet Control Message Protocol

------------------------------------------------------------------------
No. Time      Source     Destination  Protocol
3   36.124424 x.x.x.x    178.19.25.92      UDP      
Source port: 16892  
Destination port: 28510

Frame 3: 243 bytes on wire (1944 bits), 243 bytes captured (1944 bits)
Ethernet II, Src: xx:xx:xx:xx, Dst: 92:27:fc:57:72:bb (92:27:fc:57:72:bb)
Internet Protocol, Src: x.x.x.x, Dst: 94.62.27.189 (94.62.27.189)
User Datagram Protocol, Src Port: 16892 (16892), Dst Port: 28510 (28510)
Data (201 bytes)

0000  33 34 b5 b7 07 24 c9 b7 42 ba 88 23 5f d3 eb fd   34...$..B..#_...
0010  4e 5e 1b 10 e6 32 00 8c 97 22 c2 96 6c 24 90 62   N^...2..."..l$.b
0020  64 7d 24 82 a1 73 33 94 4a 83 11 bc 7f 36 9d ad   d}$..s3.J....6..
0030  18 c7 42 66 ab 65 bb bd 21 3c f9 ba 6c 19 8a 62   ..Bf.e..!<..l..b
0040  e5 e2 01 a7 b3 e7 e1 b4 c4 d6 b4 3a 9d 12 44 8d   ...........:..D.
0050  44 52 fe c3 1c 35 bb ca a0 1a 1e 08 4b af 25 ec   DR...5......K.%.
0060  04 23 f5 96 43 80 c8 9c 49 33 d8 9b c5 a1 f1 5f   .#..C...I3....._
0070  b3 ab c5 fe f2 65 51 8c 7e 3d 7f 2a 24 7a 8d db   .....eQ.~=.*$z..
0080  1f 25 a0 32 a4 dd 9e 69 d9 99 ed 16 20 ae 47 02   .%.2...i.... .G.
0090  a1 de 24 60 01 08 11 80 a4 e3 fc 14 94 9b aa f2   ..$`............
00a0  c8 4c f6 db 17 8d b4 32 9e 83 d5 01 a1 0e ed 5f   .L.....2......._
00b0  76 90 bf 1f d2 d3 0d 51 19 24 e6 10 c1 1b f4 88   v......Q.$......
00c0  db 7c 3b fb 33 d0 22 6a 94                        .|;.3."j.



=================================
IV. MALARE VERDICT
=================================

SHA1:            416548086c39938fd2d8194c27958261314c01e2
MD5:             17bde98108092ed612c4511bd6a633ee
File size:       271.5 KB ( 278016 bytes )
File name:       BtxX9KX.exe
File type:       Win32 EXE
Detection ratio: 33 / 43
URL: https://www.virustotal.com/file/0dbce33621898ecd824a272ce5e960a685051a4a695292efb0b05d604827529e/analysis/

Antivirus 	Result 	Update
------------------------------
AhnLab-V3 	Spyware/Win32.Zbot 	20120313
AntiVir 	TR/Offend.KD.552855 	20120314
Antiy-AVL 	Trojan/Win32.Zbot 	20120314
Avast 	Win32:Zbot-OCM [Trj] 	20120314
AVG 	PSW.Generic9.BQLB 	20120314
BitDefender 	Trojan.Spy.Zbot.EVB 	20120314
ByteHero 	Trojan.Win32.Heur.Gen 	20120309
CAT-QuickHeal 	TrojanSpy.Zbot.dmzm 	20120314
ClamAV 	- 	20120314
Commtouch 	W32/Zbot.DQ3.gen!Eldorado 	20120314
Comodo 	TrojWare.Win32.Trojan.Agent.Gen 	20120313
DrWeb 	Trojan.PWS.Panda.1698 	20120314
Emsisoft 	Trojan-PWS.Win32.Zbot!IK 	20120314
eSafe 	- 	20120313
eTrust-Vet 	- 	20120314
F-Prot 	W32/Zbot.DQ3.gen!Eldorado 	20120314
F-Secure 	Trojan.Spy.Zbot.EVB 	20120314
Fortinet 	W32/Zbot.AAN!tr 	20120314
GData 	Trojan.Spy.Zbot.EVB 	20120314
Ikarus 	Trojan-PWS.Win32.Zbot 	20120314
Jiangmin 	- 	20120301
K7AntiVirus 	Trojan 	20120313
Kaspersky 	Trojan-Spy.Win32.Zbot.dmzm 	20120314
McAfee 	Artemis!17BDE9810809 	20120308
McAfee-GW-Edition 	Generic PWS.y!d2k 	20120314
Microsoft 	PWS:Win32/Zbot.gen!AF 	20120314
NOD32 	Win32/Spy.Zbot.AAN 	20120314
Norman 	W32/Zbot.BMRX 	20120314
nProtect 	Trojan/W32.Agent.278016.DC 	20120314
Panda 	Generic Trojan 	20120313
PCTools 	- 	20120313
Prevx 	- 	20120314
Rising 	Trojan.Win32.Generic.12B9C7CD 	20120314
Sophos 	Mal/Toqwet-A 	20120314
SUPERAntiSpyware 	- 	20120314
Symantec 	WS.Reputation.1 	20120314
TheHacker 	Trojan/Dropper.Injector.dffv 	20120313
TrendMicro 	- 	20120314
TrendMicro-HouseCall 	TSPY_ZBOT.BUM 	20120314
VBA32 	- 	20120313
VIPRE 	Trojan.Win32.Generic.pak!cobra 	20120314
ViRobot 	- 	20120314
VirusBuster 	TrojanSpy.Zbot!FzMiqMxwcJ8 	20120314

---
Operation Cleanup Japan - #OCJP
ZeroDay Japan
http://0day.jp
Malware Analyst: Hendrik ADRIAN / アドリアン・ヘンドリック
Twitter/VirusTotal/Google: @unixfreaxjp
Analysis Blog: http://unixfreaxjp.blogspot.com

Public Pastes

Max Number of K-Sum Pairs
C++ | 2 min ago | 0.41 KB
🤑 G2A.com Free Gift Card Guide May 2024 FIX 🤑
GetText | 24 min ago | 0.39 KB
Library management
C | 1 hour ago | 3.27 KB
Alat Ukur Suhu dan Kelembaban dengan Arduino...
C++ | 1 hour ago | 1.07 KB
Container With Most Water
C++ | 4 hours ago | 0.43 KB
Pastebin.ai - #1 pastebin alternative
PHP | 4 hours ago | 0.83 KB
for Karina with love
C++ | 4 hours ago | 2.36 KB
2024-05-01_stats.json
JSON | 5 hours ago | 4.37 KB