- RAMNIT WORM BINARY ANALYSIS - FIRST HANDLE REPORT
- *) For the behavior analysis see: http://pastebin.com/JJ5zuTh1
- Analyze Date: Wed Jan 11 19:12:49 JST 2012
- by: Hendrik ADRIAN | Twitter @unixfreaxjp | http://unixfreaxjp.blogspot.com | 0day.jp
- ------------------------------------------------
- Sightings:
- ------------------------------------------------
- First seen: 2012-01-05 11:31:37
- ------------------------------------------------
- File Info
- ------------------------------------------------
- File Name: Aha.exe
- File size : 135680 bytes
- MD5 : 607b2219fbcfbfe8e6ac9d7f3fb8d50e
- ------------------------------------------------
- File Attributes:
- ------------------------------------------------
- [StringFileInfo]
- Length: 0x228
- ValueLength: 0x0
- Type: 0x1
- [StringTable]
- Length: 0x204
- ValueLength: 0x0
- Type: 0x1
- LangID: 040904B0
- LegalCopyright: Desk Koala Yam Sown 1998-2007
- InternalName: Suzy Leaf Pearl
- FileVersion: 2.6
- CompanyName: Bitrix
- ProductName: Dave Cloud Stormy
- ProductVersion: 2.6
- FileDescription: Teak Quill Chloe
- OriginalFilename: Aha.exe
- ------------------------------------------------
- ExifTool:
- ------------------------------------------------
- file metadata
- CharacterSet: Unicode
- CodeSize: 131072
- CompanyName: Bitrix
- EntryPoint: 0x3ebd0
- FileDescription: Teak Quill Chloe
- FileFlagsMask: 0x003f
- FileOS: Windows NT 32-bit
- FileSize: 132 kB
- FileSubtype: 0
- FileType: Win32 EXE
- FileVersion: 2.6
- FileVersionNumber: 2.6.0.0
- ImageVersion: 10.3
- InitializedDataSize: 4096
- InternalName: Suzy Leaf Pearl
- LanguageCode: English (U.S.)
- LegalCopyright: Desk Koala Yam Sown 1998-2007
- LinkerVersion: 5.2
- MIMEType: application/octet-stream
- MachineType: Intel 386 or later, and compatibles
- OSVersion: 7.0
- ObjectFileType: Executable application
- OriginalFilename: Aha.exe
- PEType: PE32
- ProductName: Dave Cloud Stormy
- ProductVersion: 2.6
- ProductVersionNumber: 2.6.0.0
- Subsystem: Windows GUI
- SubsystemVersion: 4.0
- TimeStamp: 2006:11:19 03:49:33+01:00
- UninitializedDataSize: 122880
- ------------------------------------------------
- Suspicious Parts
- ------------------------------------------------
- Claimed CRC and Actual CRC are different: Claimed:0 Actual:176,848
- Compile Time: 2006-11-19 11:49:33
- Found Entry Point at section: UPX1
- Identified packer :UPX -> www.upx.sourceforge.net
- Identifying Suspicious section....
- On section 0 and section 1, both IMAGE_SCN_MEM_WRITE & IMAGE_SCN_MEM_EXECUTE flags are set, which means this is a packed executable.
- Anti Debugging traces identification
- [!] Found a call at: 0x43fde0 LoadLibraryA
- [!] Found a call at: 0x43fde4 GetProcAddress
- DEP Setting Change trace
- [!] Found a DEP setting change trace: 0x43fde8 VirtualProtect
- [!] Found a DEP setting change trace: 0x43fdec VirtualAlloc
- Looks like it creates the mutex {19767501-5B71-7A19-AEFE-0C985A1C50FD}
- ------------------------------------------------
- Suspicious Entropy:
- ------------------------------------------------
- Entropy 0.0, Entropy 7.93623838328
- Section Name: IMAGE_SECTION_HEADER Entropy 0.0
- [IMAGE_SECTION_HEADER]
- Name: UPX0
- Misc: 0x1E000
- Misc_PhysicalAddress: 0x1E000
- Misc_VirtualSize: 0x1E000
- VirtualAddress: 0x1000
- SizeOfRawData: 0x0
- PointerToRawData: 0x400
- PointerToRelocations: 0x0
- PointerToLinenumbers: 0x0
- NumberOfRelocations: 0x0
- NumberOfLinenumbers: 0x0
- Characteristics: 0xE0000080
- Section Name: IMAGE_SECTION_HEADER Entropy 7.93623838328
- [IMAGE_SECTION_HEADER]
- Name: UPX1
- Misc: 0x20000
- Misc_PhysicalAddress: 0x20000
- Misc_VirtualSize: 0x20000
- VirtualAddress: 0x1F000
- SizeOfRawData: 0x1FE00
- PointerToRawData: 0x400
- PointerToRelocations: 0x0
- PointerToLinenumbers: 0x0
- NumberOfRelocations: 0x0
- NumberOfLinenumbers: 0x0
- Characteristics: 0xE0000040
- ------------------------------------------------
- Loaded DLLs
- ------------------------------------------------
- [IMAGE_IMPORT_DESCRIPTOR]
- OriginalFirstThunk: 0x0
- Characteristics: 0x0
- TimeDateStamp: 0x0
- ForwarderChain: 0x0
- Name: 0x3FE0C
- FirstThunk: 0x3FDE0
- KERNEL.DLL
- KERNEL32.DLL.LoadLibraryA Hint[0]
- KERNEL32.DLL.GetProcAddress Hint[0]
- KERNEL32.DLL.VirtualProtect Hint[0]
- KERNEL32.DLL.VirtualAlloc Hint[0]
- KERNEL32.DLL.VirtualFree Hint[0]
- KERNEL32.DLL.ExitProcess Hint[0]
- [IMAGE_IMPORT_DESCRIPTOR]
- OriginalFirstThunk: 0x0
- Characteristics: 0x0
- TimeDateStamp: 0x0
- ForwarderChain: 0x0
- Name: 0x3FE19
- FirstThunk: 0x3FDFC
- COMCTL32.DLL.InitCommonControls Hint[0]
- [IMAGE_IMPORT_DESCRIPTOR]
- OriginalFirstThunk: 0x0
- Characteristics: 0x0
- TimeDateStamp: 0x0
- ForwarderChain: 0x0
- Name: 0x3FE26
- FirstThunk: 0x3FE04
- SHLWAPI.DLL.StrCmpW Hint[0]
- ------------------------------------------------
- First Opinion Check
- ------------------------------------------------
- Antivirus Version Last Update Result
- AhnLab-V3 2012.01.10.03 2012.01.10 Trojan/Win32.Lebag
- AntiVir 7.11.20.229 2012.01.11 TR/Offend.KD.504269
- Antiy-AVL 2.0.3.7 2012.01.11 -
- Avast 6.0.1289.0 2012.01.11 Win32:CripUnp [Susp]
- AVG 10.0.0.1190 2012.01.11 SHeur4.MLP
- BitDefender 7.2 2012.01.11 Trojan.Generic.KD.504269
- ByteHero 1.0.0.1 2011.12.31 Trojan.Win32.Heur.Gen
- CAT-QuickHeal 12.00 2012.01.11 Trojan.Ramnit.a
- ClamAV 0.97.3.0 2012.01.11 -
- Commtouch 5.3.2.6 2012.01.11 -
- Comodo 11236 2012.01.10 Heur.Suspicious
- DrWeb 5.0.2.03300 2012.01.11 Trojan.Rmnet.8
- Emsisoft 5.1.0.11 2012.01.11 Virus.Win32.Ramnit!IK
- eSafe 7.0.17.0 2012.01.10 -
- eTrust-Vet 37.0.9675 2012.01.11 -
- F-Prot 4.6.5.141 2012.01.11 -
- F-Secure 9.0.16440.0 2012.01.11 Trojan.Generic.KD.504269
- Fortinet 4.3.388.0 2012.01.11 W32/Yakes.B!tr
- GData 22 2012.01.11 Trojan.Generic.KD.504269
- Ikarus T3.1.1.109.0 2012.01.11 Virus.Win32.Ramnit
- Jiangmin 13.0.900 2012.01.10 -
- K7AntiVirus 9.125.5906 2012.01.10 Riskware
- Kaspersky 9.0.0.837 2012.01.11 Trojan.Win32.Lebag.klg
- McAfee 5.400.0.1158 2012.01.11 Generic.mfr!bc
- McAfee-GW 2010.1E 2012.01.10 Generic.mfr!bc
- Microsoft 1.7903 2012.01.11 Trojan:Win32/Ramnit.A
- NOD32 6783 2012.01.11 a variant of Win32/Kryptik.YNF
- Norman 6.07.13 2012.01.10 W32/Suspicious_Gen2.UWZFB
- nProtect 2012-01-11.01 2012.01.11 Trojan/W32.Agent.135680.LI
- Panda 10.0.3.5 2012.01.10 Bck/Qbot.AO
- PCTools 8.0.0.5 2012.01.11 Trojan.Generic
- Prevx 3.0 2012.01.11 -
- Rising 23.92.02.02 2012.01.11 Trojan.Win32.Generic.12AF6823
- Sophos 4.73.0 2012.01.11 -
- SUPERAntiSpywar 4.40.0.1006 2012.01.11 -
- Symantec 20111.2.0.82 2012.01.11 Trojan Horse
- TheHacker 6.7.0.1.375 2012.01.10 -
- TrendMicro 9.500.0.1008 2012.01.11 TROJ_SPNR.06A012
- TrendMicroHouse 9.500.0.1008 2012.01.11 TROJ_SPNR.06A012
- VBA32 3.12.16.4 2012.01.10 BScope.Trojan.Ramnit.5112
- VIPRE 11381 2012.01.11 Trojan.Win32.Generic!BT
- ViRobot 2012.1.11.4874 2012.01.11 -
- VirusBuster 14.1.160.0 2012.01.10 Trojan.Lebag!yEp9NXlqXHc
- ------------------------------------------------
- Second Opinion Check
- ------------------------------------------------
- Trojan/Win32.Lebag
- TR/Offend.KD.504269
- SHeur4.MLP
- Trojan.Generic.KD.504269
- Trojan.Win32.Heur.Gen
- Trojan.Ramnit.a
- Heur.Suspicious
- Trojan.Rmnet.8
- Virus.Win32.Ramnit!IK
- Trojan.Generic.KD.504269
- W32/Yakes.B!tr
- Trojan.Generic.KD.504269
- Virus.Win32.Ramnit
- Riskware
- Trojan.Win32.Lebag.klg
- Generic.mfr!bc
- Generic.mfr!bc
- Trojan:Win32/Ramnit.A
- W32/Suspicious_Gen2.UWZFB
- Trojan/W32.Agent.135680.LI
- Bck/Qbot.AO
- Trojan.Generic
- Trojan.Win32.Generic.12AF6823
- TROJ_SPNR.06A012
- TROJ_SPNR.06A012
- BScope.Trojan.Ramnit.5112
- Trojan.Win32.Generic!BT
- Trojan.Lebag!yEp9NXlqXHc
- ------------------------------------------------
- References:
- ------------------------------------------------
- http://www.virustotal.com/file-scan/report.html?id=f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c-1326272864
- http://pastebin.com/JJ5zuTh1 (Behavior Analysis First Handle)
- http://unixfreaxjp.blogspot.com/2012/01/ramnit.html (Behavior Analysis First Handle)