RAMNIT WORM BINARY ANALYSIS - FIRST HANDLE REPORT

Jan 11th, 2012
*) For the behavior analysis see: http://pastebin.com/JJ5zuTh1
Analyze Date: Wed Jan 11 19:12:49 JST 2012
by: Hendrik ADRIAN | Twitter @unixfreaxjp | http://unixfreaxjp.blogspot.com | 0day.jp

------------------------------------------------
Sightings:
------------------------------------------------
First seen: 2012-01-05 11:31:37

------------------------------------------------
File Info
------------------------------------------------
File Name: Aha.exe
File size: 135680 bytes
MD5: 607b2219fbcfbfe8e6ac9d7f3fb8d50e
------------------------------------------------
File Attributes:
------------------------------------------------
[StringFileInfo]
Length: 0x228
ValueLength: 0x0
Type: 0x1
[StringTable]
Length: 0x204
ValueLength: 0x0
Type: 0x1
LangID: 040904B0
LegalCopyright: Desk Koala Yam Sown 1998-2007
InternalName: Suzy Leaf Pearl
FileVersion: 2.6
CompanyName: Bitrix
ProductName: Dave Cloud Stormy
ProductVersion: 2.6
FileDescription: Teak Quill Chloe
OriginalFilename: Aha.exe

------------------------------------------------
ExifTool:
------------------------------------------------
file metadata
CharacterSet: Unicode
CodeSize: 131072
CompanyName: Bitrix
EntryPoint: 0x3ebd0
FileDescription: Teak Quill Chloe
FileFlagsMask: 0x003f
FileOS: Windows NT 32-bit
FileSize: 132 kB
FileSubtype: 0
FileType: Win32 EXE
FileVersion: 2.6
FileVersionNumber: 2.6.0.0
ImageVersion: 10.3
InitializedDataSize: 4096
InternalName: Suzy Leaf Pearl
LanguageCode: English (U.S.)
LegalCopyright: Desk Koala Yam Sown 1998-2007
LinkerVersion: 5.2
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 7.0
ObjectFileType: Executable application
OriginalFilename: Aha.exe
PEType: PE32
ProductName: Dave Cloud Stormy
ProductVersion: 2.6
ProductVersionNumber: 2.6.0.0
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 2006:11:19 03:49:33+01:00
UninitializedDataSize: 122880

------------------------------------------------
Suspicious Parts
------------------------------------------------
Claimed CRC and Actual CRC are different: Claimed:0 Actual:176,848
Compile Time: 2006-11-19 11:49:33
Found Entry Point at section: UPX1
Identified packer: UPX -> www.upx.sourceforge.net
Identifying Suspicious section....
On section 0 and section 1, both IMAGE_SCN_MEM_WRITE & IMAGE_SCN_MEM_EXECUTE flags are set, which means this is a packed executable.
Anti Debugging traces identification
[!] Found a call at: 0x43fde0 LoadLibraryA
[!] Found a call at: 0x43fde4 GetProcAddress
DEP Setting Change trace
[!] Found a DEP setting change trace: 0x43fde8 VirtualProtect
[!] Found a DEP setting change trace: 0x43fdec VirtualAlloc
Looks like it creates Mutex {19767501-5B71-7A19-AEFE-0C985A1C50FD}

------------------------------------------------
Suspicious Entropy:
------------------------------------------------
Entropy 0.0 (UPX0), Entropy 7.93623838328 (UPX1)
Section Name: IMAGE_SECTION_HEADER Entropy 0.0
[IMAGE_SECTION_HEADER]
Name: UPX0
Misc: 0x1E000
Misc_PhysicalAddress: 0x1E000
Misc_VirtualSize: 0x1E000
VirtualAddress: 0x1000
SizeOfRawData: 0x0
PointerToRawData: 0x400
PointerToRelocations: 0x0
PointerToLinenumbers: 0x0
NumberOfRelocations: 0x0
NumberOfLinenumbers: 0x0
Characteristics: 0xE0000080

Section Name: IMAGE_SECTION_HEADER Entropy 7.93623838328
[IMAGE_SECTION_HEADER]
Name: UPX1
Misc: 0x20000
Misc_PhysicalAddress: 0x20000
Misc_VirtualSize: 0x20000
VirtualAddress: 0x1F000
SizeOfRawData: 0x1FE00
PointerToRawData: 0x400
PointerToRelocations: 0x0
PointerToLinenumbers: 0x0
NumberOfRelocations: 0x0
NumberOfLinenumbers: 0x0
Characteristics: 0xE0000040

------------------------------------------------
Loaded DLLs
------------------------------------------------
[IMAGE_IMPORT_DESCRIPTOR]
OriginalFirstThunk: 0x0
Characteristics: 0x0
TimeDateStamp: 0x0
ForwarderChain: 0x0
Name: 0x3FE0C
FirstThunk: 0x3FDE0
KERNEL.DLL
KERNEL32.DLL.LoadLibraryA Hint[0]
KERNEL32.DLL.GetProcAddress Hint[0]
KERNEL32.DLL.VirtualProtect Hint[0]
KERNEL32.DLL.VirtualAlloc Hint[0]
KERNEL32.DLL.VirtualFree Hint[0]
KERNEL32.DLL.ExitProcess Hint[0]

[IMAGE_IMPORT_DESCRIPTOR]
OriginalFirstThunk: 0x0
Characteristics: 0x0
TimeDateStamp: 0x0
ForwarderChain: 0x0
Name: 0x3FE19
FirstThunk: 0x3FDFC
COMCTL32.DLL.InitCommonControls Hint[0]

[IMAGE_IMPORT_DESCRIPTOR]
OriginalFirstThunk: 0x0
Characteristics: 0x0
TimeDateStamp: 0x0
ForwarderChain: 0x0
Name: 0x3FE26
FirstThunk: 0x3FE04
SHLWAPI.DLL.StrCmpW Hint[0]

------------------------------------------------
First Opinion Check
------------------------------------------------
Antivirus Version Last Update Result
AhnLab-V3 2012.01.10.03 2012.01.10 Trojan/Win32.Lebag
AntiVir 7.11.20.229 2012.01.11 TR/Offend.KD.504269
Antiy-AVL 2.0.3.7 2012.01.11 -
Avast 6.0.1289.0 2012.01.11 Win32:CripUnp [Susp]
AVG 10.0.0.1190 2012.01.11 SHeur4.MLP
BitDefender 7.2 2012.01.11 Trojan.Generic.KD.504269
ByteHero 1.0.0.1 2011.12.31 Trojan.Win32.Heur.Gen
CAT-QuickHeal 12.00 2012.01.11 Trojan.Ramnit.a
ClamAV 0.97.3.0 2012.01.11 -
Commtouch 5.3.2.6 2012.01.11 -
Comodo 11236 2012.01.10 Heur.Suspicious
DrWeb 5.0.2.03300 2012.01.11 Trojan.Rmnet.8
Emsisoft 5.1.0.11 2012.01.11 Virus.Win32.Ramnit!IK
eSafe 7.0.17.0 2012.01.10 -
eTrust-Vet 37.0.9675 2012.01.11 -
F-Prot 4.6.5.141 2012.01.11 -
F-Secure 9.0.16440.0 2012.01.11 Trojan.Generic.KD.504269
Fortinet 4.3.388.0 2012.01.11 W32/Yakes.B!tr
GData 22 2012.01.11 Trojan.Generic.KD.504269
Ikarus T3.1.1.109.0 2012.01.11 Virus.Win32.Ramnit
Jiangmin 13.0.900 2012.01.10 -
K7AntiVirus 9.125.5906 2012.01.10 Riskware
Kaspersky 9.0.0.837 2012.01.11 Trojan.Win32.Lebag.klg
McAfee 5.400.0.1158 2012.01.11 Generic.mfr!bc
McAfee-GW 2010.1E 2012.01.10 Generic.mfr!bc
Microsoft 1.7903 2012.01.11 Trojan:Win32/Ramnit.A
NOD32 6783 2012.01.11 a variant of Win32/Kryptik.YNF
Norman 6.07.13 2012.01.10 W32/Suspicious_Gen2.UWZFB
nProtect 2012-01-11.01 2012.01.11 Trojan/W32.Agent.135680.LI
Panda 10.0.3.5 2012.01.10 Bck/Qbot.AO
PCTools 8.0.0.5 2012.01.11 Trojan.Generic
Prevx 3.0 2012.01.11 -
Rising 23.92.02.02 2012.01.11 Trojan.Win32.Generic.12AF6823
Sophos 4.73.0 2012.01.11 -
SUPERAntiSpywar 4.40.0.1006 2012.01.11 -
Symantec 20111.2.0.82 2012.01.11 Trojan Horse
TheHacker 6.7.0.1.375 2012.01.10 -
TrendMicro 9.500.0.1008 2012.01.11 TROJ_SPNR.06A012
TrendMicroHouse 9.500.0.1008 2012.01.11 TROJ_SPNR.06A012
VBA32 3.12.16.4 2012.01.10 BScope.Trojan.Ramnit.5112
VIPRE 11381 2012.01.11 Trojan.Win32.Generic!BT
ViRobot 2012.1.11.4874 2012.01.11 -
VirusBuster 14.1.160.0 2012.01.10 Trojan.Lebag!yEp9NXlqXHc

------------------------------------------------
Second Opinion Check
------------------------------------------------
Trojan/Win32.Lebag
TR/Offend.KD.504269
SHeur4.MLP
Trojan.Generic.KD.504269
Trojan.Win32.Heur.Gen
Trojan.Ramnit.a
Heur.Suspicious
Trojan.Rmnet.8
Virus.Win32.Ramnit!IK
Trojan.Generic.KD.504269
W32/Yakes.B!tr
Trojan.Generic.KD.504269
Virus.Win32.Ramnit
Riskware
Trojan.Win32.Lebag.klg
Generic.mfr!bc
Generic.mfr!bc
Trojan:Win32/Ramnit.A
W32/Suspicious_Gen2.UWZFB
Trojan/W32.Agent.135680.LI
Bck/Qbot.AO
Trojan.Generic
Trojan.Win32.Generic.12AF6823
TROJ_SPNR.06A012
TROJ_SPNR.06A012
BScope.Trojan.Ramnit.5112
Trojan.Win32.Generic!BT
Trojan.Lebag!yEp9NXlqXHc

------------------------------------------------
References:
------------------------------------------------
http://www.virustotal.com/file-scan/report.html?id=f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c-1326272864
http://pastebin.com/JJ5zuTh1 (Behavior Analysis First Handle)
http://unixfreaxjp.blogspot.com/2012/01/ramnit.html (Behavior Analysis First Handle)