- =========================================
- #MalwareMustDie - AutoIt made Malware,
- Functioned as Trojan Banker Stealer Found
- @unixfreaxjp /malware]$ date
- Sun Nov 11 18:59:59 JST 2012
- =========================================
- --14:59:48-- h00p://wvvwcorreios.com/baixar.php
- => `baixar.php'
- Resolving wvvwcorreios.com... 64.31.44.236
- Connecting to wvvwcorreios.com|64.31.44.236|:80... connected.
- HTTP request sent, awaiting response... 200 OK
- Length: 2,156,439 (2.1M) [application/octet-stream]
- 15:00:03 (139.62 KB/s) - `baixar.php' saved [2156439/2156439]
- $ md5 *
- baixar.php e7d91acded14a95c8c7ce5936950a08d
- //baixar.php is actually a PE binary↓
- $ bincat baixar.php
- 0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
- 0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
- 0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
- 0030 00 00 00 00 00 00 00 00 00 00 00 00 E8 00 00 00 ................
- 0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
- 0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
- 0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
- 0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
- 0080 7D C6 81 DE 39 A7 EF 8D 39 A7 EF 8D 39 A7 EF 8D }...9...9...9...
- 0090 1E 61 82 8D 31 A7 EF 8D 1E 61 94 8D 2A A7 EF 8D .a..1....a..*...
- 00A0 39 A7 EE 8D 92 A7 EF 8D 27 F5 7A 8D 3C A7 EF 8D 9.......'.z.<...
- 00B0 30 DF 6C 8D 38 A7 EF 8D 30 DF 6B 8D 15 A7 EF 8D 0.l.8...0.k.....
- 00C0 30 DF 7D 8D 38 A7 EF 8D 27 F5 7B 8D 38 A7 EF 8D 0.}.8...'.{.8...
- 00D0 30 DF 7E 8D 38 A7 EF 8D 52 69 63 68 39 A7 EF 8D 0.~.8...Rich9...
- 00E0 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 05 00 ........PE..L...
- 00F0 66 D3 9D 4B 00 00 00 00 00 00 00 00 E0 00 03 01 f..K............
- 0100 0B 01 09 00 00 08 01 00 00 D2 00 00 00 00 00 00 ................
- 0110 B1 A7 00 00 00 10 00 00 00 20 01 00 00 00 40 00 ......... ....@.
- 0120 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 ................
- 0130 04 00 00 00 00 00 00 00 00 D0 02 00 00 04 00 00 ................
- 0140 E4 36 02 00 02 00 00 85 00 00 10 00 00 10 00 00 .6..............
- 0150 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 ................
- fd 3
- size 0x20e797
- block 0x40
- uri ./sample
- type EXEC (Executable file)
- os windows
- arch i386
- bits 32
- endian little
- //This is an SFX extractor binary that extracts and executes a specific PE.
- packer: WinRAR SFX
- //Files Created (By SFX module extractor...)
- %Temp%\H1U88AfgpBlb 1037019 //WinRAR tmp
- %Temp%\lzma.bin 35166 //WinRAR tmp
- C:\Gbpsv_Ba.exe 1875456 // this SOB...
- C:\Gbpsv_Ba.pic 848 // Malware file..an exploit
- C:\libmySQL50.dll 1470464 // Malware Driver
- //Checked per creation date/timestamp:
- 2012/11/06 12:09 1,875,456 Gbpsv_Ba.exe
- 2012/09/30 21:35 848 Gbpsv_Ba.pic
- 2006/10/18 18:00 1,470,464 libmySQL50.dll <--- found URL: http://schemas.microsoft.com/SMI/2005/WindowsSettings
- //MD5
- Gbpsv_Ba.exe 72e02ec21b99c1e7bed9633c595933e1
- Gbpsv_Ba.pic 2ae879ce40b21dc26c7681272fa53cd4
- libmySQL50.dll 51b4cecfb4c9ca5bf38215744e5df39d
- //What's with this pic file?? looks like the crypter key to me..
- $ bincat Gbpsv_Ba.pic
- 000000000000 000000000000 0 10101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919
- 000000000000 000000000000 0 10101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919
- //Let's see what is Gbpsv_Ba.exe 72e02ec21b99c1e7bed9633c595933e1 ↓
- 0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
- 0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
- 0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
- 0030 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 ................
- 0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
- 0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
- 0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
- 0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
- 0080 12 F1 39 D5 56 90 57 86 56 90 57 86 56 90 57 86 ..9.V.W.V.W.V.W.
- 0090 C5 DE CF 86 54 90 57 86 4D 0D FD 86 E6 90 57 86 ....T.W.M.....W.
- 00A0 4D 0D FC 86 63 90 57 86 5F E8 D4 86 5F 90 57 86 M...c.W._..._.W.
- 00B0 5F E8 C4 86 77 90 57 86 56 90 56 86 5F 92 57 86 _...w.W.V.V._.W.
- 00C0 4D 0D E3 86 10 90 57 86 4D 0D C9 86 49 90 57 86 M.....W.M...I.W.
- 00D0 4D 0D CD 86 57 90 57 86 56 90 C0 86 57 90 57 86 M...W.W.V...W.W.
- 00E0 4D 0D CA 86 57 90 57 86 52 69 63 68 56 90 57 86 M...W.W.RichV.W.
- 00F0 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 04 00 ........PE..L...
- 0100 72 7F 14 4E 00 00 00 00 00 00 00 00 E0 00 23 01 r..N..........#.
- Image Base : 0x400000
- CRC looks fine.
- Entry Point: 0x16541
- Sections:
- .text 0x1000 0x7e402 517632
- .rdata 0x80000 0xded8 57344
- .data 0x8e000 0x1a638 26112
- .rsrc 0xa9000 0x136dca 1273344
- ==============================
- Binary Analysis...
- (aka.. "Slicing the Malware")
- ==============================
- //Compiler traces...
- Compile Time: 2011-07-07 00:29:54
- Compiler Traces: Microsoft Visual C++ 8
- //BUT!!....found the below strings↓
- 0x081738 This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.
- =========================================================
- 0x0C1530 AutoIt v3 Script: 3, 3, 7, 13 <====VOILA! AutoIt used to code malware here.....
- 0x0C1572 VarFileInfo =========================================================
- 0x0C1592 Translation
- //↑ makes every sense.. got tons of these strings.. incl. error codes / loaded AutoIt libs etc..
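An added Python triage script (mine, not the paste's or the MalwareMustDie team's) that walks the PE section table and then looks for the two AutoIt marker strings found above, reporting which section holds each hit; instead of the real sample it runs on a constructed minimal PE built inline, with the markers planted in `.rdata` and `.rsrc`.

```python
"""Static triage for a suspected compiled-AutoIt PE: walk the section table,
then locate the AutoIt marker strings and report which section holds them."""
import struct

# Marker strings the analysis found in Gbpsv_Ba.exe: the ASCII banner sits in
# .rdata, the "AutoIt v3 Script" tag lives in the UTF-16 VS_VERSION_INFO resource.
AUTOIT_MARKER = (b"This is a compiled AutoIt script. AV researchers please "
                 b"email avsupport@autoitscript.com for support.")
AUTOIT_VERSION_TAG = "AutoIt v3 Script".encode("utf-16-le")

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(data):
    """Return [(name, virtual_addr, virtual_size, raw_ptr, raw_size)] from the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # offset of 'PE\0\0'
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab,
    # NumSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    off = e_lfanew + 4 + 20 + opt_size                      # first section header
    out = []
    for _ in range(nsec):
        name, vsize, vaddr, rsize, rptr, *_ = SECTION_HDR.unpack_from(data, off)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, rptr, rsize))
        off += SECTION_HDR.size
    return out


def section_for_offset(sections, file_off):
    """Map a file offset to the section whose raw data covers it."""
    for name, _, _, rptr, rsize in sections:
        if rptr <= file_off < rptr + rsize:
            return name
    return "<headers/overlay>"


def find_autoit_markers(data):
    """Return [(label, file_offset, section)] for every AutoIt marker hit."""
    sections = parse_sections(data)
    hits = []
    for label, needle in (("compiled-script banner", AUTOIT_MARKER),
                          ("version-info tag", AUTOIT_VERSION_TAG)):
        pos = data.find(needle)
        while pos != -1:
            hits.append((label, pos, section_for_offset(sections, pos)))
            pos = data.find(needle, pos + 1)
    return hits


def build_sample_pe():
    """Constructed minimal PE32 (NOT the real sample) with both markers planted."""
    opt = struct.pack("<H", 0x10B) + b"\0" * 222            # PE32 optional header, 224 bytes
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    hdrs = dos + b"PE\0\0" + coff + opt
    hdrs += SECTION_HDR.pack(b".rdata", 0x200, 0x2000, 0x200, 0x200, 0, 0, 0, 0, 0x40000040)
    hdrs += SECTION_HDR.pack(b".rsrc", 0x200, 0x3000, 0x200, 0x400, 0, 0, 0, 0, 0x40000040)
    rdata = (b"\0" * 16 + AUTOIT_MARKER).ljust(0x200, b"\0")
    rsrc = (b"\0" * 8 + AUTOIT_VERSION_TAG).ljust(0x200, b"\0")
    return hdrs.ljust(0x200, b"\0") + rdata + rsrc


if __name__ == "__main__":
    sample = build_sample_pe()
    for s in parse_sections(sample):
        print("%-8s va=0x%x vsize=0x%x raw=0x%x size=0x%x" % s)
    for label, off, sec in find_autoit_markers(sample):
        print("AutoIt %s at 0x%06x in %s" % (label, off, sec))
```

Point it at a real file with `find_autoit_markers(open(path, "rb").read())`; a hit in a section the compiler traces do not explain (MSVC 8 banner, AutoIt strings) is the mismatch the author flagged.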
- //AntiReversing...
- 0x4802d4 GetCurrentThread
- 0x480304 CloseHandle
- 0x480308 GetCurrentProcess
- 0x48030c GetProcAddress
- 0x480310 LoadLibraryA
- 0x480324 IsDebuggerPresent
- 0x4803b4 GetTickCount
- //set of keyboard hook..
- 0x480598 GetAsyncKeyState
- 0x4805a0 GetKeyboardState
- 0x4805a4 GetKeyState
- //changed DEP settings.. why?
- 0x4802e8 VirtualAlloc
- 0x480384 HeapCreate
- // plus other privilege-escalation-related calls...
- 0x480194 ReadProcessMemory
- 0x480040 OpenThreadToken
- 0x480044 OpenProcessToken
- 0x480070 GetTokenInformation
- //Registry activities....
- 0x480018 RegConnectRegistryW
- // internet activities....
- 0x480724 InternetReadFile
- 0x480728 InternetCloseHandle
- 0x48072c InternetOpenW
- 0x48073c InternetConnectW
- 0x480740 HttpOpenRequestW
- //....if we break out the DLL calls we can see more internet activities...
- MPR.dll.WNetCancelConnection2W Hint[12]
- MPR.dll.WNetGetConnectionW Hint[36]
- MPR.dll.WNetAddConnection2W Hint[6]
- MPR.dll.WNetUseConnectionW Hint[73]
- WININET.dll.InternetReadFile Hint[159]
- WININET.dll.InternetCloseHandle Hint[107]
- WININET.dll.InternetOpenW Hint[154]
- WININET.dll.InternetSetOptionW Hint[175]
- WININET.dll.InternetCrackUrlW Hint[116]
- WININET.dll.HttpQueryInfoW Hint[90]
- WININET.dll.InternetConnectW Hint[114]
- WININET.dll.HttpOpenRequestW Hint[88]
- WININET.dll.HttpSendRequestW Hint[94]
- WININET.dll.FtpOpenFileW Hint[53] <=== up to FTP...
- WININET.dll.FtpGetFileSize Hint[50] <=== up to FTP...
- WININET.dll.InternetOpenUrlW Hint[153]
- WININET.dll.InternetQueryOptionW Hint[158]
- WININET.dll.InternetQueryDataAvailable Hint[155]
- //Clipboard operations..
- 0x48047c EmptyClipboard
- 0x480480 SetCli
- // additionally.. process enumeration....
- 0x48042c EnumProcesses
- 0x4801b0 CreateToolhelp32Snapshot
- //We found traces of the logoff event used to start a malicious service:
- PID: 0xd8
- path: C:\TEST\sample.exe
- Addr: 0x77a89422
- SVC: Global\crypt32LogoffEvent
- //↑ which was caused by these calls..
- USERENV.dll.UnloadUserProfile Hint[44]
- USERENV.dll.DestroyEnvironmentBlock Hint[4]
- USERENV.dll.CreateEnvironmentBlock Hint[0]
- USERENV.dll.LoadUserProfileW Hint[33]
- ==============================================
- Behavior analysis
- a.k.a "Torture & Force Captured Malware to Talk!"
- ==============================================
- //Running Process order/PID
- 0xb8 Gbpsv_Ba.exe (executed by sample)
- 0xec Gbpsv_Ba.exe (cmd="C:\Gbpsv_Ba.exe") (exec by 0xb8)
- 0x348 svchost.exe
- 0x3e8 svchost.exe
- //Threads... per PID..
- 0xb8 Gbpsv_Ba.exe 0x94 0x7c810867 MEM_FREE 0x0
- |
- +--0xec Gbpsv_Ba.exe 0x7e4 0x7c810867 MEM_IMAGE 0x416541
- |
- +---0x348 svchost.exe 0x784 0x7c810856 MEM_IMAGE 0x7c910760
- +---0x3e8 svchost.exe 0xdc 0x7c810856 MEM_IMAGE 0x77e76bf0
- //File Created:
- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aut1.tmp
- //Modified registry....
- ----------------------------------
- Malicious Keys added: 2
- ----------------------------------
- HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_STISVC\0000\Control
- HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_STISVC\0000\Control
- ----------------------------------
- Malicious Values added: 5
- ----------------------------------
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\evx\デスクトップ\fnzcyr.rkr: 01 00 00 00 08 00 00 00 D0 B3 EA 62 EF BF CD 01
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\evx\デスクトップ\fnzcyr2.rkr: 01 00 00 00 07 00 00 00 20 4F 6F 5C EF BF CD 01
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\evx\デスクトップ\fnzcyr3.rkr: 01 00 00 00 07 00 00 00 00 E1 DD 7B EF BF CD 01
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\zfcnvag.rkr: 01 00 00 00 06 00 00 00 D0 82 D7 6A EF BF CD 01
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3F30C968-480A-4C6C-862D-EFC0897BB84B} {0000010B-0000-0000-C000-000000000046} 0x401: 01 00 00 00 7C 6C 5B 7D F4 53 0A 75 EF BF CD 01
- ----------------------------------
- Malicious Values modified: 8
- ----------------------------------
- HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: C9 B8 E4 43 8A 83 19 97 7F AE C5 82 D2 45 20 E5 55 CC 0F BE EF 90 6B 99 88 6C 5B B4 C0 93 44 03 C3 EF 02 87 72 40 9F F9 D1 30 20 56 25 8A 5F D7 65 63 45 AB 1C 47 22 57 02 40 57 8C 54 6C 25 AF F2 A6 85 37 53 56 9E 02 B5 77 FD 28 E9 AE AC 6B
- HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: A9 5F BE 4F C9 99 29 63 C5 3D 30 B4 44 E0 E0 53 3A D3 1D CF 79 14 75 D2 7C AC 54 89 E1 BD A1 60 9C 5F 05 80 B5 F2 30 B0 D4 BC 85 16 39 F0 E6 8B E7 71 90 6A FE 94 F2 D9 03 87 86 21 CF EA EB E8 71 A4 20 F4 49 0B FE E1 CC 91 BB 76 C3 55 3B 17
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 01 00 00 00 13 00 00 00 20 22 E2 16 EF BF CD 01
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 01 00 00 00 1B 00 00 00 00 70 DB 7B EF BF CD 01
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 01 00 00 00 2C 00 00 00 20 93 E4 16 EF BF CD 01
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 01 00 00 00 35 00 00 00 00 E1 DD 7B EF BF CD 01
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:::{20Q04SR0-3NRN-1069-N2Q8-08002O30309Q}: 01 00 00 00 10 00 00 00 F0 AF C7 7E EE BF CD 01
- HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:::{20Q04SR0-3NRN-1069-N2Q8-08002O30309Q}: 01 00 00 00 11 00 00 00 40 2A 0A 35 EF BF CD 01
- ----------------------------------
- Total malicious Registry changes: 25
- ----------------------------------
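The UserAssist entries listed above are ROT13-encoded names with a 16-byte value; this added Python decoder (mine, not part of the paste) turns the three UEME_RUNPATH lines into readable path, session, launch count and last-run time. It assumes the XP value layout (session, raw count, FILETIME, all little-endian) and the XP counter base of 5; the key prefix is copied from the listing and the sample lines are constructed from it.

```python
"""Decode XP-era UserAssist entries like the ones logged above: the value name
is ROT13 and the 16-byte data is <session><raw run count><FILETIME, UTC>."""
import codecs
import struct
from datetime import datetime, timedelta

FILETIME_EPOCH = datetime(1601, 1, 1)
XP_COUNT_BASE = 5   # assumption: XP host, whose counter starts at 5 (launches = raw - 5)

# Key prefix copied from the paste; the three value lines below are constructed
# from the entries in the "Malicious Values added" listing.
UA_KEY = (r"HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows"
          r"\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}"
          "\\Count\\")
SAMPLE_LINES = [
    UA_KEY + r"HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\evx\デスクトップ\fnzcyr.rkr: "
             "01 00 00 00 08 00 00 00 D0 B3 EA 62 EF BF CD 01",
    UA_KEY + r"HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\zfcnvag.rkr: "
             "01 00 00 00 06 00 00 00 D0 82 D7 6A EF BF CD 01",
    UA_KEY + r"HRZR_EHACNGU:::{20Q04SR0-3NRN-1069-N2Q8-08002O30309Q}: "
             "01 00 00 00 10 00 00 00 F0 AF C7 7E EE BF CD 01",
]


def decode_userassist_line(line):
    """Parse one 'KEY\\Count\\<rot13 name>: <hex bytes>' line into a readable record."""
    key, _, hexdata = line.rpartition(": ")          # last ': ' separates name from data
    raw = bytes.fromhex(hexdata)
    if len(raw) != 16:
        raise ValueError("expected a 16-byte XP UserAssist value, got %d bytes" % len(raw))
    session, count, filetime = struct.unpack("<IIQ", raw)   # all little-endian
    name = key.rsplit("\\Count\\", 1)[1]
    return {
        "name": codecs.decode(name, "rot13"),        # ROT13 only touches A-Z/a-z
        "session": session,
        "launches": max(count - XP_COUNT_BASE, 0),
        # FILETIME counts 100 ns ticks since 1601-01-01 UTC
        "last_run_utc": FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
    }


def decode_userassist_lines(lines):
    return [decode_userassist_line(l) for l in lines]


if __name__ == "__main__":
    for rec in decode_userassist_lines(SAMPLE_LINES):
        print("%(last_run_utc)s  x%(launches)d  %(name)s" % rec)
```

The third entry decodes to {20D04FE0-3AEA-1069-A2D8-08002B30309D}, the My Computer CLSID that also shows up in the "Read registry" list further down.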
- // Registry reads..... (below is the registry information that was read..)
- // Almost all of the data collected got copied to the clipboard...
- Key: [ HKLM\SOFTWARE\CLASSES\.EXE ],
- Value Name: [ ], Value: [ exefile ], 1 time
- Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\INPROCSERVER32 ],
- Value Name: [ ], Value: [ %SystemRoot%\system32\SHELL32.dll ], 1 time
- Key: [ HKLM\SOFTWARE\CLASSES\DRIVE\SHELLEX\FOLDEREXTENSIONS\{FBEB8A05-BEEE-4442-804E-409D6C4515E9} ],
- Value Name: [ DriveMask ], Value: [ 32 ], 1 time
- Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ],
- Value Name: [ CUAS ], Value: [ 0 ], 1 time
- Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ],
- Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
- Key: [ HKLM\SYSTEM\Setup ],
- Value Name: [ OsLoaderPath ], Value: [ \ ], 2 times
- Key: [ HKLM\SYSTEM\Setup ],
- Value Name: [ SystemPartition ], Value: [ \Device\HarddiskVolume1 ], 2 times
- Key: [ HKLM\SYSTEM\Setup ],
- Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
- Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ],
- Value Name: [ DevicePath ], Value: [ %SystemRoot%\inf ], 1 time
- Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ],
- Value Name: [ DriverCachePath ], Value: [ %SystemRoot%\Driver Cache ], 2 times
- Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ],
- Value Name: [ LogLevel ], Value: [ 0 ], 2 times
- Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ],
- Value Name: [ ServicePackCachePath ], Value: [ c:\windows\ServicePackFiles\ServicePackCache ], 2 times
- Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ],
- Value Name: [ ServicePackSourcePath ], Value: [ D:\ ], 2 times
- Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ],
- Value Name: [ SourcePath ], Value: [ D:\ ], 2 times
- Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
- Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time
- Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ],
- Value Name: [ ComputerName ], Value: [ PC ], 2 times
- Key: [ HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm ],
- Value Name: [ wheel ], Value: [ 1 ], 1 time
- Key: [ HKLM\System\CurrentControlSet\Control\ProductOptions ],
- Value Name: [ ProductType ], Value: [ WinNT ], 1 time
- Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ],
- Value Name: [ Domain ], Value: [ ], 1 time
- Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ],
- Value Name: [ Hostname ], Value: [ pc ], 1 time
- Key: [ HKLM\System\Setup ],
- Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
- Key: [ HKLM\System\WPA\PnP ],
- Value Name: [ seed ], Value: [ 1274198464 ], 1 time
- Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\Mouse ],
- Value Name: [ SwapMouseButtons ], Value: [ 0 ], 1 time
- Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ],
- Value Name: [ Language Hotkey ], Value: [ 1 ], 2 times
- Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ],
- Value Name: [ Layout Hotkey ], Value: [ 2 ], 2 times
- Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ ],
- Value Name: [ ShellState ], Value: [ 0x2400000038080000000000000000000000000000010000000d0000000000 ], 2 times
- Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ],
- Value Name: [ DontPrettyPath ], Value: [ 0 ], 1 time
- Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ],
- Value Name: [ Filter ], Value: [ 0 ], 1 time
- Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ],
- Value Name: [ Hidden ], Value: [ 1 ], 1 time
- Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ],
- Value Name: [ HideFileExt ], Value: [ 0 ], 1 time
- Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ],
- Value Name: [ HideIcons ], Value: [ 0 ], 1 time
- Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ],
- Value Name: [ MapNetDrvBtn ], Value: [ 0 ], 1 time
- Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ],
- Value Name: [ NoNetCrawling ], Value: [ 1 ], 1 time
- Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ],
- Value Name: [ SeparateProcess ], Value: [ 0 ], 1 time
- Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ],
- Value Name: [ ShowCompColor ], Value: [ 1 ], 1 time
- Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ],
- Value Name: [ ShowInfoTip ], Value: [ 1 ], 1 time
- Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ],
- Value Name: [ ShowSuperHidden ], Value: [ 1 ], 1 time
- Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ],
- Value Name: [ WebView ], Value: [ 0 ], 1 time
- Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094da8-30a0-11dd-817b-806d6172696f}\ ],
- Value Name: [ Data ], Value: [ 0x000000005c005c003f005c0049004400450023004300640052006f006d00 ], 1 time
- Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094da8-30a0-11dd-817b-806d6172696f}\ ],
- Value Name: [ Generation ], Value: [ 1 ], 1 time
- Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094daa-30a0-11dd-817b-806d6172696f}\ ],
- Value Name: [ Data ], Value: [ 0x000000005c005c003f005c00530054004f00520041004700450023005600 ], 1 time
- Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094daa-30a0-11dd-817b-806d6172696f}\ ],
- Value Name: [ Generation ], Value: [ 1 ], 2 times
- Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
- Value Name: [ Local Settings ], Value: [ %USERPROFILE%\Local Settings ], 1 time
- Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
- Value Name: [ Personal ], Value: [ %USERPROFILE%\My Documents ], 1 time
- //Cannot conduct further behavior tests because the malware crashed in the middle of operation with the error:
- ---------------------
- AutoIt
- ---------------------
- Error Allocating Memory
- -----------------------
- =============================
- Reference Analysis
- for baixar.php & Gbpsv_Ba.exe
- =============================
- // Virus Total Check as Per: Sun Nov 11 19:18:57 JST 2012
- MD5: e7d91acded14a95c8c7ce5936950a08d
- File size: 2.1 MB ( 2156439 bytes )
- File name: baixar.php
- File type: Win32 EXE
- Detection ratio: 19 / 43
- Analysis date: 2012-11-11 10:10:25 UTC
- URL: https://www.virustotal.com/file/54e2163bf5d61359dec677f0d8357338f792ffdbae5b65d402e810caefabbcae/analysis/1352628625/
- MD5: 72e02ec21b99c1e7bed9633c595933e1
- File size: 1.8 MB ( 1875456 bytes )
- File name: Gbpsv_Ba.exe
- File type: Win32 EXE
- Detection ratio: 19 / 44
- Analysis date: 2012-11-11 10:10:54 UTC
- URL: https://www.virustotal.com/file/1889b97bfd218fdda9b0f21f5d26f3ba0a5665975befaabff0fcfd13b007e093/analysis/1352628654/
- //Malware Naming:
- DrWeb : Trojan.DownLoader7.19718
- VIPRE : Trojan.Win32.Generic!BT
- Symantec : WS.Reputation.1
- Norman : W32/Troj_Generic.FGEJL
- McAfee-GW-Edition : Heuristic.BehavesLike.Win32.Suspicious-BAY.S
- Fortinet : W32/Banker.XRJ!tr.spy
- TrendMicro-HouseCall : TROJ_GEN.R47H1K9
- Emsisoft : Trojan.Win32.AMN (A)
- Ikarus : Trojan-Downloader.Win32.Banload
- Kaspersky : HEUR:Trojan.Win32.Generic
- Jiangmin : Trojan/Generic.axncw
- ESET-NOD32 : Win32/Spy.Banker.XRJ
- Panda : Trj/CI.A
- Kingsoft : Win32.Troj.Undef.(kcloud)
- Antiy-AVL : Trojan/Win32.Chifrax.gen
- AntiVir : TR/Spy.Banker.VH
- AVG : Generic6_c.BHLH
- Microsoft : TrojanDownloader:Win32/Banload.ALA
- Comodo : UnclassifiedMalware
- --------
- Honour, virtue, power and dominion be to the Trinity in Unity,
- to the Unity in Trinity, through everlasting ages.
- To the Trinity everlasting light, to the Unity be glory for ever.
- Glory be to the †Father and to the Son and to the Holy Spirit.
- #MalwareMustDie!!!!