API tools faq
paste
unixfreaxjp

RAMNIT WORM BINARY ANALYSIS - FIRST HANDLE REPORT

unixfreaxjp
Jan 11th, 2012
402
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 8.89 KB | None | 0 0
raw download clone embed print report
  1. RAMNIT WORM BINARY ANALYSIS - FIRST HANDLE REPORT
  2. *) For the behavior analysis see: http://pastebin.com/JJ5zuTh1
  3. Analyze Date: Wed Jan 11 19:12:49 JST 2012
  4. by: Hendrik ADRIAN | Twitter @unixfreaxjp | http://unixfreaxjp.blogspot.com | 0day.jp
  5.  
  6. ------------------------------------------------
  7. Sigthings:
  8. ------------------------------------------------
  9. First seen: 2012-01-05 11:31:37
  10.  
  11. ------------------------------------------------
  12. File Info
  13. ------------------------------------------------
  14. File Name: Aha.exe
  15. File size : 135680 bytes
  16. MD5 : 607b2219fbcfbfe8e6ac9d7f3fb8d50e
  17. ------------------------------------------------
  18. File Attributes:
  19. ------------------------------------------------
  20. [StringFileInfo]
  21. Length: 0x228
  22. ValueLength: 0x0
  23. Type: 0x1
  24. [StringTable]
  25. Length: 0x204
  26. ValueLength: 0x0
  27. Type: 0x1
  28. LangID: 040904B0
  29. LegalCopyright: Desk Koala Yam Sown 1998-2007
  30. InternalName: Suzy Leaf Pearl
  31. FileVersion: 2.6
  32. CompanyName: Bitrix
  33. ProductName: Dave Cloud Stormy
  34. ProductVersion: 2.6
  35. FileDescription: Teak Quill Chloe
  36. OriginalFilename: Aha.exe
  37.  
  38. ------------------------------------------------
  39. ExifTool:
  40. ------------------------------------------------
  41. file metadata
  42. CharacterSet: Unicode
  43. CodeSize: 131072
  44. CompanyName: Bitrix
  45. EntryPoint: 0x3ebd0
  46. FileDescription: Teak Quill Chloe
  47. FileFlagsMask: 0x003f
  48. FileOS: Windows NT 32-bit
  49. FileSize: 132 kB
  50. FileSubtype: 0
  51. FileType: Win32 EXE
  52. FileVersion: 2.6
  53. FileVersionNumber: 2.6.0.0
  54. ImageVersion: 10.3
  55. InitializedDataSize: 4096
  56. InternalName: Suzy Leaf Pearl
  57. LanguageCode: English (U.S.)
  58. LegalCopyright: Desk Koala Yam Sown 1998-2007
  59. LinkerVersion: 5.2
  60. MIMEType: application/octet-stream
  61. MachineType: Intel 386 or later, and compatibles
  62. OSVersion: 7.0
  63. ObjectFileType: Executable application
  64. OriginalFilename: Aha.exe
  65. PEType: PE32
  66. ProductName: Dave Cloud Stormy
  67. ProductVersion: 2.6
  68. ProductVersionNumber: 2.6.0.0
  69. Subsystem: Windows GUI
  70. SubsystemVersion: 4.0
  71. TimeStamp: 2006:11:19 03:49:33+01:00
  72. UninitializedDataSize: 122880
  73.  
  74. ------------------------------------------------
  75. Suspicious Parts
  76. ------------------------------------------------
  77. Claimed CRC and Actual CRC are different: Claimed:0 Actual:176,848
  78. Compile Time: 2006-11-19 11:49:33
  79. Found Entry Point at section: UPX1
  80. Identified packer :UPX -> www.upx.sourceforge.net
  81. Identifying Suspicious section....
  82. On section 0 and section 1, both IMAGE_SCN_MEM_WRITE & IMAGE_SCN_MEM_EXECUTE flags are set.means this us packed executable.
  83. Anti Debugging traces identification
  84. [!] Found a call at: 0x43fde0 LoadLibraryA
  85. [!] Found a call at: 0x43fde4 GetProcAddress
  86. DEP Setting Change trace
  87. [!] Found a DEP setting change trace: 0x43fde8 VirtualProtect
  88. [!] Found a DEP setting change trace: 0x43fdec VirtualAlloc
  89. Looks Creating Mutex {19767501-5B71-7A19-AEFE-0C985A1C50FD}
  90.  
  91. ------------------------------------------------
  92. Suspicous Entropy:
  93. ------------------------------------------------
  94. Entropy 0.0, Entropy 7.93623838328
  95. Section Name: IMAGE_SECTION_HEADER Entropy 0.0
  96. [IMAGE_SECTION_HEADER]
  97. Name: UPX0
  98. Misc: 0x1E000
  99. Misc_PhysicalAddress: 0x1E000
  100. Misc_VirtualSize: 0x1E000
  101. VirtualAddress: 0x1000
  102. SizeOfRawData: 0x0
  103. PointerToRawData: 0x400
  104. PointerToRelocations: 0x0
  105. PointerToLinenumbers: 0x0
  106. NumberOfRelocations: 0x0
  107. NumberOfLinenumbers: 0x0
  108. Characteristics: 0xE0000080
  109.  
  110. Section Name: IMAGE_SECTION_HEADER Entropy 7.93623838328
  111. [IMAGE_SECTION_HEADER]
  112. Name: UPX1
  113. Misc: 0x20000
  114. Misc_PhysicalAddress: 0x20000
  115. Misc_VirtualSize: 0x20000
  116. VirtualAddress: 0x1F000
  117. SizeOfRawData: 0x1FE00
  118. PointerToRawData: 0x400
  119. PointerToRelocations: 0x0
  120. PointerToLinenumbers: 0x0
  121. NumberOfRelocations: 0x0
  122. NumberOfLinenumbers: 0x0
  123. Characteristics: 0xE0000040
  124.  
  125. ------------------------------------------------
  126. Loaded DLLs
  127. ------------------------------------------------
  128. [IMAGE_IMPORT_DESCRIPTOR]
  129. OriginalFirstThunk: 0x0
  130. Characteristics: 0x0
  131. TimeDateStamp: 0x0
  132. ForwarderChain: 0x0
  133. Name: 0x3FE0C
  134. FirstThunk: 0x3FDE0
  135. KERNEL.DLL
  136. KERNEL32.DLL.LoadLibraryA Hint[0]
  137. KERNEL32.DLL.GetProcAddress Hint[0]
  138. KERNEL32.DLL.VirtualProtect Hint[0]
  139. KERNEL32.DLL.VirtualAlloc Hint[0]
  140. KERNEL32.DLL.VirtualFree Hint[0]
  141. KERNEL32.DLL.ExitProcess Hint[0]
  142.  
  143. [IMAGE_IMPORT_DESCRIPTOR]
  144. OriginalFirstThunk: 0x0
  145. Characteristics: 0x0
  146. TimeDateStamp: 0x0
  147. ForwarderChain: 0x0
  148. Name: 0x3FE19
  149. FirstThunk: 0x3FDFC
  150. COMCTL32.DLL.InitCommonControls Hint[0]
  151.  
  152. [IMAGE_IMPORT_DESCRIPTOR]
  153. OriginalFirstThunk: 0x0
  154. Characteristics: 0x0
  155. TimeDateStamp: 0x0
  156. ForwarderChain: 0x0
  157. Name: 0x3FE26
  158. FirstThunk: 0x3FE04
  159. SHLWAPI.DLL.StrCmpW Hint[0]
  160.  
  161. ------------------------------------------------
  162. First Opinion Check
  163. ------------------------------------------------
  164. Antivirus Version Last Update Result
  165. AhnLab-V3 2012.01.10.03 2012.01.10 Trojan/Win32.Lebag
  166. AntiVir 7.11.20.229 2012.01.11 TR/Offend.KD.504269
  167. Antiy-AVL 2.0.3.7 2012.01.11 -
  168. Avast 6.0.1289.0 2012.01.11 Win32:CripUnp [Susp]
  169. AVG 10.0.0.1190 2012.01.11 SHeur4.MLP
  170. BitDefender 7.2 2012.01.11 Trojan.Generic.KD.504269
  171. ByteHero 1.0.0.1 2011.12.31 Trojan.Win32.Heur.Gen
  172. CAT-QuickHeal 12.00 2012.01.11 Trojan.Ramnit.a
  173. ClamAV 0.97.3.0 2012.01.11 -
  174. Commtouch 5.3.2.6 2012.01.11 -
  175. Comodo 11236 2012.01.10 Heur.Suspicious
  176. DrWeb 5.0.2.03300 2012.01.11 Trojan.Rmnet.8
  177. Emsisoft 5.1.0.11 2012.01.11 Virus.Win32.Ramnit!IK
  178. eSafe 7.0.17.0 2012.01.10 -
  179. eTrust-Vet 37.0.9675 2012.01.11 -
  180. F-Prot 4.6.5.141 2012.01.11 -
  181. F-Secure 9.0.16440.0 2012.01.11 Trojan.Generic.KD.504269
  182. Fortinet 4.3.388.0 2012.01.11 W32/Yakes.B!tr
  183. GData 22 2012.01.11 Trojan.Generic.KD.504269
  184. Ikarus T3.1.1.109.0 2012.01.11 Virus.Win32.Ramnit
  185. Jiangmin 13.0.900 2012.01.10 -
  186. K7AntiVirus 9.125.5906 2012.01.10 Riskware
  187. Kaspersky 9.0.0.837 2012.01.11 Trojan.Win32.Lebag.klg
  188. McAfee 5.400.0.1158 2012.01.11 Generic.mfr!bc
  189. McAfee-GW 2010.1E 2012.01.10 Generic.mfr!bc
  190. Microsoft 1.7903 2012.01.11 Trojan:Win32/Ramnit.A
  191. NOD32 6783 2012.01.11 a variant of Win32/Kryptik.YNF
  192. Norman 6.07.13 2012.01.10 W32/Suspicious_Gen2.UWZFB
  193. nProtect 2012-01-11.01 2012.01.11 Trojan/W32.Agent.135680.LI
  194. Panda 10.0.3.5 2012.01.10 Bck/Qbot.AO
  195. PCTools 8.0.0.5 2012.01.11 Trojan.Generic
  196. Prevx 3.0 2012.01.11 -
  197. Rising 23.92.02.02 2012.01.11 Trojan.Win32.Generic.12AF6823
  198. Sophos 4.73.0 2012.01.11 -
  199. SUPERAntiSpywar 4.40.0.1006 2012.01.11 -
  200. Symantec 20111.2.0.82 2012.01.11 Trojan Horse
  201. TheHacker 6.7.0.1.375 2012.01.10 -
  202. TrendMicro 9.500.0.1008 2012.01.11 TROJ_SPNR.06A012
  203. TrendMicroHouse 9.500.0.1008 2012.01.11 TROJ_SPNR.06A012
  204. VBA32 3.12.16.4 2012.01.10 BScope.Trojan.Ramnit.5112
  205. VIPRE 11381 2012.01.11 Trojan.Win32.Generic!BT
  206. ViRobot 2012.1.11.4874 2012.01.11 -
  207. VirusBuster 14.1.160.0 2012.01.10 Trojan.Lebag!yEp9NXlqXHc
  208.  
  209. ------------------------------------------------
  210. Second Opinion Check
  211. ------------------------------------------------
  212. Trojan/Win32.Lebag
  213. TR/Offend.KD.504269
  214. SHeur4.MLP
  215. Trojan.Generic.KD.504269
  216. Trojan.Win32.Heur.Gen
  217. Trojan.Ramnit.a
  218. Heur.Suspicious
  219. Trojan.Rmnet.8
  220. Virus.Win32.Ramnit!IK
  221. Trojan.Generic.KD.504269
  222. W32/Yakes.B!tr
  223. Trojan.Generic.KD.504269
  224. Virus.Win32.Ramnit
  225. Riskware
  226. Trojan.Win32.Lebag.klg
  227. Generic.mfr!bc
  228. Generic.mfr!bc
  229. Trojan:Win32/Ramnit.A
  230. W32/Suspicious_Gen2.UWZFB
  231. Trojan/W32.Agent.135680.LI
  232. Bck/Qbot.AO
  233. Trojan.Generic
  234. Trojan.Win32.Generic.12AF682
  235. TROJ_SPNR.06A012
  236. TROJ_SPNR.06A012
  237. BScope.Trojan.Ramnit.5112
  238. Trojan.Win32.Generic!BT
  239. Trojan.Lebag!yEp9NXlqXHc
  240.  
  241. ------------------------------------------------
  242. References:
  243. ------------------------------------------------
  244. http://www.virustotal.com/file-scan/report.html?id=f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c-1326272864
  245. http://pastebin.com/JJ5zuTh1 (Behavior Analysis First Handle)
  246. http://unixfreaxjp.blogspot.com/2012/01/ramnit.html (Behavior Analysis First Handle)
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!