MalwareMustDie

#MalwareMustDie - AutoIt-made Trojan/Banker/Downloader

Nov 11th, 2012
=========================================
#MalwareMustDie - AutoIt made Malware,
Functioned as Trojan Banker Stealer Found
@unixfreaxjp /malware]$ date
Sun Nov 11 18:59:59 JST 2012
=========================================

--14:59:48-- h00p://wvvwcorreios.com/baixar.php
=> `baixar.php'
Resolving wvvwcorreios.com... 64.31.44.236
Connecting to wvvwcorreios.com|64.31.44.236|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,156,439 (2.1M) [application/octet-stream]
15:00:03 (139.62 KB/s) - `baixar.php' saved [2156439/2156439]

$ md5 *
baixar.php e7d91acded14a95c8c7ce5936950a08d

//baixar.php is actually a PE binary↓

$ bincat baixar.php

0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 E8 00 00 00 ................
0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
0080 7D C6 81 DE 39 A7 EF 8D 39 A7 EF 8D 39 A7 EF 8D }...9...9...9...
0090 1E 61 82 8D 31 A7 EF 8D 1E 61 94 8D 2A A7 EF 8D .a..1....a..*...
00A0 39 A7 EE 8D 92 A7 EF 8D 27 F5 7A 8D 3C A7 EF 8D 9.......'.z.<...
00B0 30 DF 6C 8D 38 A7 EF 8D 30 DF 6B 8D 15 A7 EF 8D 0.l.8...0.k.....
00C0 30 DF 7D 8D 38 A7 EF 8D 27 F5 7B 8D 38 A7 EF 8D 0.}.8...'.{.8...
00D0 30 DF 7E 8D 38 A7 EF 8D 52 69 63 68 39 A7 EF 8D 0.~.8...Rich9...
00E0 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 05 00 ........PE..L...
00F0 66 D3 9D 4B 00 00 00 00 00 00 00 00 E0 00 03 01 f..K............
0100 0B 01 09 00 00 08 01 00 00 D2 00 00 00 00 00 00 ................
0110 B1 A7 00 00 00 10 00 00 00 20 01 00 00 00 40 00 ......... ....@.
0120 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 ................
0130 04 00 00 00 00 00 00 00 00 D0 02 00 00 04 00 00 ................
0140 E4 36 02 00 02 00 00 85 00 00 10 00 00 10 00 00 .6..............
0150 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 ................
fd 3
size 0x20e797
block 0x40
uri ./sample
type EXEC (Executable file)
os windows
arch i386
bits 32
endian little

//This is the SFX extractor binary that extracts and executes a specific PE.

packer: WinRAR SFX

//Files created (by the SFX module extractor...)
%Temp%\H1U88AfgpBlb 1037019 //WinRAR tmp
%Temp%\lzma.bin 35166 //WinRAR tmp
C:\Gbpsv_Ba.exe 1875456 // this SOB...
C:\Gbpsv_Ba.pic 848 // Malware file..an exploit
C:\libmySQL50.dll 1470464 // Malware Driver

//Checked per creation date/timestamp:
2012/11/06 12:09 1,875,456 Gbpsv_Ba.exe
2012/09/30 21:35 848 Gbpsv_Ba.pic
2006/10/18 18:00 1,470,464 libmySQL50.dll <--- contains URL: http://schemas.microsoft.com/SMI/2005/WindowsSettings

//MD5
Gbpsv_Ba.exe 72e02ec21b99c1e7bed9633c595933e1
Gbpsv_Ba.pic 2ae879ce40b21dc26c7681272fa53cd4
libmySQL50.dll 51b4cecfb4c9ca5bf38215744e5df39d

//What's with this pic file?? looks like the crypter key to me..

$ bincat Gbpsv_Ba.pic

000000000000 000000000000 0 10101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919
000000000000 000000000000 0 10101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919101010119919191910101011991919191010101199191919
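The bincat output above is a 16-character unit, "1010101199191919", repeated over and over, and the file size of 848 bytes is exactly 53 × 16, so the blob is a fixed pattern rather than random key material or ciphertext. The Python below is an added example, not part of the paste, that checks this mechanically: it reconstructs the 848-byte content on the assumption that the digit run printed by bincat is the file's literal ASCII content, then computes the smallest repeating period (KMP prefix function) and the per-byte entropy, the two numbers worth having before calling any dropped blob a "key".

```python
import math
from collections import Counter

# Reconstructed from the bincat output in the paste: the dump shows the unit
# "1010101199191919" repeating, and the file is 848 bytes = 53 * 16.
# Assumption: the digit run bincat printed is the file's literal ASCII content.
PIC_UNIT = b"1010101199191919"
GBPSV_BA_PIC = PIC_UNIT * 53


def smallest_period(data):
    """Length of the shortest unit whose repetition covers data (len(data) if none).

    KMP prefix function: the longest proper border of the whole string has
    length pi[n-1], so n - pi[n-1] is the candidate period; it is only a true
    period of the whole buffer when it divides n.
    """
    n = len(data)
    if n == 0:
        return 0
    pi = [0] * n
    k = 0
    for i in range(1, n):
        while k and data[i] != data[k]:
            k = pi[k - 1]
        if data[i] == data[k]:
            k += 1
        pi[i] = k
    p = n - pi[-1]
    return p if n % p == 0 else n


def shannon_entropy(data):
    """Bits of entropy per byte: random keys and ciphertext sit near 8, text near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_blob(data):
    """Summarise a dropped blob: size, repeating unit (if any) and entropy."""
    period = smallest_period(data)
    return {
        "size": len(data),
        "period": period,
        "repeats": len(data) // period,
        "unit": bytes(data[:period]),
        "entropy": round(shannon_entropy(data), 3),
        "distinct_bytes": len(set(data)),
    }


if __name__ == "__main__":
    print(triage_blob(GBPSV_BA_PIC))
```

For this file the result is a period of 16 with 53 repeats, three distinct byte values and about 1.5 bits of entropy per byte; real key material or encrypted configuration would show no period shorter than the file itself and entropy close to 8, so the sandbox analyst's "looks like a key" reading is a guess that the numbers do not support on their own.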


//Let's see what Gbpsv_Ba.exe 72e02ec21b99c1e7bed9633c595933e1 is ↓

0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 ................
0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
0080 12 F1 39 D5 56 90 57 86 56 90 57 86 56 90 57 86 ..9.V.W.V.W.V.W.
0090 C5 DE CF 86 54 90 57 86 4D 0D FD 86 E6 90 57 86 ....T.W.M.....W.
00A0 4D 0D FC 86 63 90 57 86 5F E8 D4 86 5F 90 57 86 M...c.W._..._.W.
00B0 5F E8 C4 86 77 90 57 86 56 90 56 86 5F 92 57 86 _...w.W.V.V._.W.
00C0 4D 0D E3 86 10 90 57 86 4D 0D C9 86 49 90 57 86 M.....W.M...I.W.
00D0 4D 0D CD 86 57 90 57 86 56 90 C0 86 57 90 57 86 M...W.W.V...W.W.
00E0 4D 0D CA 86 57 90 57 86 52 69 63 68 56 90 57 86 M...W.W.RichV.W.
00F0 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 04 00 ........PE..L...
0100 72 7F 14 4E 00 00 00 00 00 00 00 00 E0 00 23 01 r..N..........#.

Image Base : 0x400000
CRC looks fine.
Entry Point: 0x16541
Sections:
.text 0x1000 0x7e402 517632
.rdata 0x80000 0xded8 57344
.data 0x8e000 0x1a638 26112
.rsrc 0xa9000 0x136dca 1273344
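The two hex dumps in this paste carry enough of each header to walk by hand: the DOS header gives e_lfanew, the COFF file header gives the section count and TimeDateStamp, and for baixar.php (whose dump reaches 0x160) the PE32 optional header gives ImageBase, entry point, subsystem and DllCharacteristics. The Python below is an added example, not part of the paste or any MalwareMustDie tool: it transcribes the bytes from the two dumps above, parses them with struct, and recovers the four sections of Gbpsv_Ba.exe and its stamp 0x4E147F72 (the "Compile Time: 2011-07-07 00:29:54" shown below is that stamp rendered on the analyst's JST clock; the parser prints UTC and can apply an offset). Because the Gbpsv_Ba.exe dump stops at 0x110, right after the COFF header, the parser reports its optional header as absent instead of reading past the end of the buffer.

```python
import struct
from datetime import datetime, timedelta, timezone

# Bytes transcribed from the hex dumps in the paste: the first 0x110 bytes of
# Gbpsv_Ba.exe and the first 0x160 bytes of baixar.php (the WinRAR SFX stub).
GBPSV_BA_HEAD = bytes.fromhex(
    "4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00"
    "0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F"
    "74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00"
    "12 F1 39 D5 56 90 57 86 56 90 57 86 56 90 57 86 C5 DE CF 86 54 90 57 86 4D 0D FD 86 E6 90 57 86"
    "4D 0D FC 86 63 90 57 86 5F E8 D4 86 5F 90 57 86 5F E8 C4 86 77 90 57 86 56 90 56 86 5F 92 57 86"
    "4D 0D E3 86 10 90 57 86 4D 0D C9 86 49 90 57 86 4D 0D CD 86 57 90 57 86 56 90 C0 86 57 90 57 86"
    "4D 0D CA 86 57 90 57 86 52 69 63 68 56 90 57 86 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 04 00"
    "72 7F 14 4E 00 00 00 00 00 00 00 00 E0 00 23 01"
)
BAIXAR_HEAD = bytes.fromhex(
    "4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E8 00 00 00"
    "0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F"
    "74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00"
    "7D C6 81 DE 39 A7 EF 8D 39 A7 EF 8D 39 A7 EF 8D 1E 61 82 8D 31 A7 EF 8D 1E 61 94 8D 2A A7 EF 8D"
    "39 A7 EE 8D 92 A7 EF 8D 27 F5 7A 8D 3C A7 EF 8D 30 DF 6C 8D 38 A7 EF 8D 30 DF 6B 8D 15 A7 EF 8D"
    "30 DF 7D 8D 38 A7 EF 8D 27 F5 7B 8D 38 A7 EF 8D 30 DF 7E 8D 38 A7 EF 8D 52 69 63 68 39 A7 EF 8D"
    "00 00 00 00 00 00 00 00 50 45 00 00 4C 01 05 00 66 D3 9D 4B 00 00 00 00 00 00 00 00 E0 00 03 01"
    "0B 01 09 00 00 08 01 00 00 D2 00 00 00 00 00 00 B1 A7 00 00 00 10 00 00 00 20 01 00 00 00 40 00"
    "00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 D0 02 00 00 04 00 00"
    "E4 36 02 00 02 00 00 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00"
)

FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
    0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE",
}
SUBSYSTEMS = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}


def _flags(value, table):
    """Names of the bits set in value, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def pe_timestamp(ts, utc_offset_hours=0):
    """Render a COFF TimeDateStamp; pass 9 to reproduce the JST clock used in the paste."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(ts, tz).strftime("%Y-%m-%d %H:%M:%S")


def parse_pe_headers(data):
    """Parse the DOS header, the COFF file header and, when the bytes reach that
    far, the PE32 optional header.  Tolerates a truncated dump: "optional" is None
    if the buffer ends before the optional header is complete."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    (machine, n_sections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    hdr = {
        "e_lfanew": e_lfanew,
        "machine": machine,                 # 0x14C = i386
        "sections": n_sections,
        "timestamp": timestamp,
        "compile_time_utc": pe_timestamp(timestamp),
        "characteristics": _flags(characteristics, FILE_CHARACTERISTICS),
        "optional": None,
    }
    opt = coff + 20
    # 96 bytes covers every PE32 optional-header field before the data directories.
    if opt_size >= 96 and len(data) >= opt + 96 and struct.unpack_from("<H", data, opt)[0] == 0x10B:
        entry, _code, _data, image_base, sect_align, file_align = struct.unpack_from("<6I", data, opt + 16)
        size_of_image, size_of_headers, checksum, subsystem, dll_chars = struct.unpack_from("<IIIHH", data, opt + 56)
        hdr["optional"] = {
            "entry_point": entry, "image_base": image_base,
            "section_alignment": sect_align, "file_alignment": file_align,
            "size_of_image": size_of_image, "size_of_headers": size_of_headers,
            "checksum": checksum,
            "subsystem": SUBSYSTEMS.get(subsystem, subsystem),
            "dll_characteristics": _flags(dll_chars, DLL_CHARACTERISTICS),
        }
    return hdr


if __name__ == "__main__":
    for name, blob in (("baixar.php", BAIXAR_HEAD), ("Gbpsv_Ba.exe", GBPSV_BA_HEAD)):
        h = parse_pe_headers(blob)
        print(name, "sections:", h["sections"], "stamp:", h["compile_time_utc"], "UTC =",
              pe_timestamp(h["timestamp"], 9), "JST", h["characteristics"], h["optional"])
```

Two things the output makes visible that the raw dump does not: the SFX stub baixar.php was linked with NX_COMPAT set but without DYNAMIC_BASE, and the Gbpsv_Ba.exe stamp converts to 2011-07-06 15:29:54 UTC, which is the AutoIt runtime's own link time rather than when the script was written, so it should not be read as a campaign date.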

==============================
Binary Analysis...
(aka.. "Slicing the Malware")
==============================

//Compiler traces...
Compile Time: 2011-07-07 00:29:54
Compiler Traces: Microsoft Visual C++ 8 ,
//BUT!!....found the below strings↓
0x081738 This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.
=========================================================
0x0C1530 AutoIt v3 Script: 3, 3, 7, 13 <====VOILA! AutoIt used to code malware here.....
0x0C1572 VarFileInfo =========================================================

0x0C1592 Translation
//↑ it all makes sense now.. got tons of these strings, incl. error codes, loaded AutoIt libs, etc..

//AntiReversing...
0x4802d4 GetCurrentThread
0x480304 CloseHandle
0x480308 GetCurrentProcess
0x48030c GetProcAddress
0x480310 LoadLibraryA
0x480324 IsDebuggerPresent
0x4803b4 GetTickCount

//set of keyboard hook..
0x480598 GetAsyncKeyState
0x4805a0 GetKeyboardState
0x4805a4 GetKeyState

//changed DEP settings.. why?
0x4802e8 VirtualAlloc
0x480384 HeapCreate

// and other privilege escalation traces...
0x480194 ReadProcessMemory
0x480040 OpenThreadToken
0x480044 OpenProcessToken
0x480070 GetTokenInformation

//Registry activities....
0x480018 RegConnectRegistryW

// internet activities....
0x480724 InternetReadFile
0x480728 InternetCloseHandle
0x48072c InternetOpenW
0x48073c InternetConnectW
0x480740 HttpOpenRequestW
//....if we break out the DLL calls we can see more internet activity...
MPR.dll.WNetCancelConnection2W Hint[12]
MPR.dll.WNetGetConnectionW Hint[36]
MPR.dll.WNetAddConnection2W Hint[6]
MPR.dll.WNetUseConnectionW Hint[73]
WININET.dll.InternetReadFile Hint[159]
WININET.dll.InternetCloseHandle Hint[107]
WININET.dll.InternetOpenW Hint[154]
WININET.dll.InternetSetOptionW Hint[175]
WININET.dll.InternetCrackUrlW Hint[116]
WININET.dll.HttpQueryInfoW Hint[90]
WININET.dll.InternetConnectW Hint[114]
WININET.dll.HttpOpenRequestW Hint[88]
WININET.dll.HttpSendRequestW Hint[94]
WININET.dll.FtpOpenFileW Hint[53]  <=== up to FTP...
WININET.dll.FtpGetFileSize Hint[50] <=== up to FTP...
WININET.dll.InternetOpenUrlW Hint[153]
WININET.dll.InternetQueryOptionW Hint[158]
WININET.dll.InternetQueryDataAvailable Hint[155]

//Clipboard operations..
0x48047c EmptyClipboard
0x480480 SetCli

// additionally.. process enumeration....

0x48042c EnumProcesses
0x4801b0 CreateToolhelp32Snapshot

//We found traces of a logoff event used to start a malicious service:
PID: 0xd8
path: C:\TEST\sample.exe
Addr: 0x77a89422
SVC: Global\crypt32LogoffEvent

//↑ which is caused by these calls..
USERENV.dll.UnloadUserProfile Hint[44]
USERENV.dll.DestroyEnvironmentBlock Hint[4]
USERENV.dll.CreateEnvironmentBlock Hint[0]
USERENV.dll.LoadUserProfileW Hint[33]

==============================================
Behavior analysis
a.k.a "Torture & Force Captured Malware to Talk!"
==============================================

//Running process order/PID
0xb8 Gbpsv_Ba.exe (executed by sample)
0xec Gbpsv_Ba.exe (cmd="C:\Gbpsv_Ba.exe") (exec by 0xb8)
0x348 svchost.exe
0x3e8 svchost.exe

//Threads... per PID..
0xb8 Gbpsv_Ba.exe 0x94 0x7c810867 MEM_FREE 0x0
|
+--0xec Gbpsv_Ba.exe 0x7e4 0x7c810867 MEM_IMAGE 0x416541
|
+---0x348 svchost.exe 0x784 0x7c810856 MEM_IMAGE 0x7c910760
+---0x3e8 svchost.exe 0xdc 0x7c810856 MEM_IMAGE 0x77e76bf0

//File Created:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aut1.tmp

//Modified registry....
----------------------------------
Malicious Keys added: 2
----------------------------------
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_STISVC\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_STISVC\0000\Control

----------------------------------
Malicious Values added: 5
----------------------------------
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\evx\デスクトップ\fnzcyr.rkr: 01 00 00 00 08 00 00 00 D0 B3 EA 62 EF BF CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\evx\デスクトップ\fnzcyr2.rkr: 01 00 00 00 07 00 00 00 20 4F 6F 5C EF BF CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\evx\デスクトップ\fnzcyr3.rkr: 01 00 00 00 07 00 00 00 00 E1 DD 7B EF BF CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\zfcnvag.rkr: 01 00 00 00 06 00 00 00 D0 82 D7 6A EF BF CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3F30C968-480A-4C6C-862D-EFC0897BB84B} {0000010B-0000-0000-C000-000000000046} 0x401: 01 00 00 00 7C 6C 5B 7D F4 53 0A 75 EF BF CD 01

----------------------------------
Malicious Values modified: 8
----------------------------------
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: C9 B8 E4 43 8A 83 19 97 7F AE C5 82 D2 45 20 E5 55 CC 0F BE EF 90 6B 99 88 6C 5B B4 C0 93 44 03 C3 EF 02 87 72 40 9F F9 D1 30 20 56 25 8A 5F D7 65 63 45 AB 1C 47 22 57 02 40 57 8C 54 6C 25 AF F2 A6 85 37 53 56 9E 02 B5 77 FD 28 E9 AE AC 6B
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: A9 5F BE 4F C9 99 29 63 C5 3D 30 B4 44 E0 E0 53 3A D3 1D CF 79 14 75 D2 7C AC 54 89 E1 BD A1 60 9C 5F 05 80 B5 F2 30 B0 D4 BC 85 16 39 F0 E6 8B E7 71 90 6A FE 94 F2 D9 03 87 86 21 CF EA EB E8 71 A4 20 F4 49 0B FE E1 CC 91 BB 76 C3 55 3B 17
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 01 00 00 00 13 00 00 00 20 22 E2 16 EF BF CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 01 00 00 00 1B 00 00 00 00 70 DB 7B EF BF CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 01 00 00 00 2C 00 00 00 20 93 E4 16 EF BF CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 01 00 00 00 35 00 00 00 00 E1 DD 7B EF BF CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:::{20Q04SR0-3NRN-1069-N2Q8-08002O30309Q}: 01 00 00 00 10 00 00 00 F0 AF C7 7E EE BF CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:::{20Q04SR0-3NRN-1069-N2Q8-08002O30309Q}: 01 00 00 00 11 00 00 00 40 2A 0A 35 EF BF CD 01
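The UserAssist values above are Explorer's own record of what was launched in the sandbox, which makes them useful evidence rather than noise: the value name is the executed path ROT13-encoded (HRZR_EHACNGU is UEME_RUNPATH) and on this XP-era system the 16 bytes of data are a session id, a run counter that starts at 5, and a FILETIME of the last run. The Python below is an added example, not part of the paste, that parses three of the lines exactly as they appear above (transcribed from this page), ROT13-decodes the names, unpacks the counter and FILETIME, and sorts the result into a launch timeline; the Japanese folder name in the path survives untouched because ROT13 only rotates ASCII letters.

```python
import struct
from datetime import datetime, timedelta, timezone

# Three UserAssist lines transcribed from the registry diff in the paste.
USERASSIST_LINES = [
    r"HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\evx\デスクトップ\fnzcyr.rkr: 01 00 00 00 08 00 00 00 D0 B3 EA 62 EF BF CD 01",
    r"HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\zfcnvag.rkr: 01 00 00 00 06 00 00 00 D0 82 D7 6A EF BF CD 01",
    r"HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:::{20Q04SR0-3NRN-1069-N2Q8-08002O30309Q}: 01 00 00 00 10 00 00 00 F0 AF C7 7E EE BF CD 01",
]

XP_COUNT_OFFSET = 5          # Windows XP/2003 start the UserAssist counter at 5
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def rot13(s):
    """ROT13 over ASCII letters only; every other character passes through."""
    out = []
    for ch in s:
        o = ord(ch)
        if 65 <= o <= 90:
            out.append(chr((o - 65 + 13) % 26 + 65))
        elif 97 <= o <= 122:
            out.append(chr((o - 97 + 13) % 26 + 97))
        else:
            out.append(ch)
    return "".join(out)


def filetime_to_utc(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_userassist_line(line):
    """Split 'HKU\\...\\Count\\<rot13 name>: <hex bytes>' into a decoded record."""
    key, hexdata = line.rsplit(": ", 1)
    encoded = key.split("\\Count\\", 1)[1]
    raw = bytes.fromhex(hexdata)
    if len(raw) != 16:
        raise ValueError("expected the 16-byte XP UserAssist layout")
    session, count, ft = struct.unpack("<IIQ", raw)
    prefix, _, target = rot13(encoded).partition(":")
    return {
        "prefix": prefix,            # UEME_RUNPATH, UEME_UISCUT, ...
        "target": target,            # decoded path or CLSID
        "session": session,
        "runs": count - XP_COUNT_OFFSET,
        "last_run_ft": ft,
        "last_run_utc": filetime_to_utc(ft).strftime("%Y-%m-%d %H:%M:%S"),
    }


def timeline(lines):
    """Decoded records ordered by last-run time, earliest first."""
    return sorted((parse_userassist_line(l) for l in lines), key=lambda e: e["last_run_ft"])


if __name__ == "__main__":
    for e in timeline(USERASSIST_LINES):
        print(e["last_run_utc"], "UTC", e["prefix"], "runs=%d" % e["runs"], e["target"])
```

Decoded, the three lines read as the My Computer CLSID being opened, then sample.exe launched from the desktop of the sandbox user, then mspaint.exe thirteen seconds later, all within the 09:25 to 09:32 UTC window on 2012-11-11, which matches the VirusTotal submission times further down this paste. This is the same data the page later shows the sample reading back through HKLM\SOFTWARE\CLASSES\CLSID\{20D04FE0-...}, now in plain text.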

----------------------------------
Total malicious Registry changes: 25
----------------------------------
// Registry reads..... (below is the registry information taken..)
// Almost all of the data it needed got collected into the clipboard...

Key: [ HKLM\SOFTWARE\CLASSES\.EXE ],
Value Name: [ ], Value: [ exefile ], 1 time
Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\INPROCSERVER32 ],
Value Name: [ ], Value: [ %SystemRoot%\system32\SHELL32.dll ], 1 time
Key: [ HKLM\SOFTWARE\CLASSES\DRIVE\SHELLEX\FOLDEREXTENSIONS\{FBEB8A05-BEEE-4442-804E-409D6C4515E9} ],
Value Name: [ DriveMask ], Value: [ 32 ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ],
Value Name: [ CUAS ], Value: [ 0 ], 1 time
Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ],
Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
Key: [ HKLM\SYSTEM\Setup ],
Value Name: [ OsLoaderPath ], Value: [ \ ], 2 times
Key: [ HKLM\SYSTEM\Setup ],
Value Name: [ SystemPartition ], Value: [ \Device\HarddiskVolume1 ], 2 times
Key: [ HKLM\SYSTEM\Setup ],
Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ],
Value Name: [ DevicePath ], Value: [ %SystemRoot%\inf ], 1 time
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ],
Value Name: [ DriverCachePath ], Value: [ %SystemRoot%\Driver Cache ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ],
Value Name: [ LogLevel ], Value: [ 0 ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ],
Value Name: [ ServicePackCachePath ], Value: [ c:\windows\ServicePackFiles\ServicePackCache ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ],
Value Name: [ ServicePackSourcePath ], Value: [ D:\ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ],
Value Name: [ SourcePath ], Value: [ D:\ ], 2 times
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ],
Value Name: [ ComputerName ], Value: [ PC ], 2 times
Key: [ HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm ],
Value Name: [ wheel ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\ProductOptions ],
Value Name: [ ProductType ], Value: [ WinNT ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ],
Value Name: [ Domain ], Value: [ ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ],
Value Name: [ Hostname ], Value: [ pc ], 1 time
Key: [ HKLM\System\Setup ],
Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
Key: [ HKLM\System\WPA\PnP ],
Value Name: [ seed ], Value: [ 1274198464 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Control Panel\Mouse ],
Value Name: [ SwapMouseButtons ], Value: [ 0 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ],
Value Name: [ Language Hotkey ], Value: [ 1 ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ],
Value Name: [ Layout Hotkey ], Value: [ 2 ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ ],
Value Name: [ ShellState ], Value: [ 0x2400000038080000000000000000000000000000010000000d0000000000 ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ],
Value Name: [ DontPrettyPath ], Value: [ 0 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ],
Value Name: [ Filter ], Value: [ 0 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ],
Value Name: [ Hidden ], Value: [ 1 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ],
Value Name: [ HideFileExt ], Value: [ 0 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ],
Value Name: [ HideIcons ], Value: [ 0 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ],
Value Name: [ MapNetDrvBtn ], Value: [ 0 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ],
Value Name: [ NoNetCrawling ], Value: [ 1 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ],
Value Name: [ SeparateProcess ], Value: [ 0 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ],
Value Name: [ ShowCompColor ], Value: [ 1 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ],
Value Name: [ ShowInfoTip ], Value: [ 1 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ],
Value Name: [ ShowSuperHidden ], Value: [ 1 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ],
Value Name: [ WebView ], Value: [ 0 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094da8-30a0-11dd-817b-806d6172696f}\ ],
Value Name: [ Data ], Value: [ 0x000000005c005c003f005c0049004400450023004300640052006f006d00 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094da8-30a0-11dd-817b-806d6172696f}\ ],
Value Name: [ Generation ], Value: [ 1 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094daa-30a0-11dd-817b-806d6172696f}\ ],
Value Name: [ Data ], Value: [ 0x000000005c005c003f005c00530054004f00520041004700450023005600 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094daa-30a0-11dd-817b-806d6172696f}\ ],
Value Name: [ Generation ], Value: [ 1 ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
Value Name: [ Local Settings ], Value: [ %USERPROFILE%\Local Settings ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ],
Value Name: [ Personal ], Value: [ %USERPROFILE%\My Documents ], 1 time


//Cannot conduct further behavior tests because the malware crashed mid-operation with the error:
---------------------
AutoIt
---------------------
Error Allocating Memory
-----------------------

=============================
Reference Analysis
for baixar.php & Gbpsv_Ba.exe
=============================

// VirusTotal check as of: Sun Nov 11 19:18:57 JST 2012

MD5: e7d91acded14a95c8c7ce5936950a08d
File size: 2.1 MB ( 2156439 bytes )
File name: baixar.php
File type: Win32 EXE
Detection ratio: 19 / 43
Analysis date: 2012-11-11 10:10:25 UTC
URL: https://www.virustotal.com/file/54e2163bf5d61359dec677f0d8357338f792ffdbae5b65d402e810caefabbcae/analysis/1352628625/

MD5: 72e02ec21b99c1e7bed9633c595933e1
File size: 1.8 MB ( 1875456 bytes )
File name: Gbpsv_Ba.exe
File type: Win32 EXE
Detection ratio: 19 / 44
Analysis date: 2012-11-11 10:10:54 UTC
URL: https://www.virustotal.com/file/1889b97bfd218fdda9b0f21f5d26f3ba0a5665975befaabff0fcfd13b007e093/analysis/1352628654/

//Malware Naming:

DrWeb : Trojan.DownLoader7.19718
VIPRE : Trojan.Win32.Generic!BT
Symantec : WS.Reputation.1
Norman : W32/Troj_Generic.FGEJL
McAfee-GW-Edition : Heuristic.BehavesLike.Win32.Suspicious-BAY.S
Fortinet : W32/Banker.XRJ!tr.spy
TrendMicro-HouseCall : TROJ_GEN.R47H1K9
Emsisoft : Trojan.Win32.AMN (A)
Ikarus : Trojan-Downloader.Win32.Banload
Kaspersky : HEUR:Trojan.Win32.Generic
Jiangmin : Trojan/Generic.axncw
ESET-NOD32 : Win32/Spy.Banker.XRJ
Panda : Trj/CI.A
Kingsoft : Win32.Troj.Undef.(kcloud)
Antiy-AVL : Trojan/Win32.Chifrax.gen
AntiVir : TR/Spy.Banker.VH
AVG : Generic6_c.BHLH
Microsoft : TrojanDownloader:Win32/Banload.ALA
Comodo : UnclassifiedMalware

--------
Honor, virtue, power and dominion be to the Trinity in Unity,
and to the Unity in Trinity, through everlasting ages.
To the Trinity eternal light, to the Unity perpetual glory.
Glory †to the Father and to the Son and to the Holy Spirit.

#MalwareMustDie!!!!