anubis left
Anubis - Analysis Report
anubis right

Analysis Report for a3e0fae4cf7ce71b1e27ccbeed7eb310-5a94da838a12a93e975eee9d148ed5a0

 Comment on this report

Summary:

Description Risk
Performs File Modification and Destruction: The executable modifies and destructs files which are not temporary. high
Performs Registry Activities: The executable reads and modifies registry values. It may also create and monitor registry keys. low


Table of Contents
expand all expand all   collapse all collapse all

1. General Information

  - Information about Anubis' invocation  
Time needed: 24 s 
Report created: 10/08/09, 17:44:51 UTC 
Termination reason: Timeout 
Program version: 1.72.0 

2. a3e0fae4cf7ce71b1e27ccbeed7eb310-5a94da838a12a93e975eee9d148ed5a0

  - General information about this executable  
Analysis Reason: Primary Analysis Subject 
Filename: a3e0fae4cf7ce71b1e27ccbeed7eb310-5a94da838a12a93e975eee9d148ed5a0 
Command Line: "C:\a3e0fae4cf7ce71b1e27ccbeed7eb310-5a94da838a12a93e975eee9d148ed5a0"  
Process-status at analysis end: alive 
Exit Code:

  - Load-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​ntdll.dll  0x7C900000  0x000AF000 
C:\​WINDOWS\​system32\​kernel32.dll  0x7C800000  0x000F6000 
C:\​WINDOWS\​system32\​user32.dll  0x7E410000  0x00091000 
C:\​WINDOWS\​system32\​GDI32.dll  0x77F10000  0x00049000 

  - Run-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​comctl32.dll  0x5D090000  0x0009A000 
C:\​WINDOWS\​system32\​imagehlp.dll  0x76C90000  0x00028000 
C:\​WINDOWS\​system32\​OLEAUT32.dll  0x77120000  0x0008B000 
C:\​WINDOWS\​system32\​WININET.dll  0x771B0000  0x000AA000 
C:\​WINDOWS\​WinSxS\​x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\​comctl32.dll  0x773D0000  0x00103000 
C:\​WINDOWS\​system32\​ole32.dll  0x774E0000  0x0013D000 
C:\​WINDOWS\​system32\​CRYPT32.dll  0x77A80000  0x00095000 
C:\​WINDOWS\​system32\​MSASN1.dll  0x77B20000  0x00012000 
C:\​WINDOWS\​system32\​msvcrt.dll  0x77C10000  0x00058000 
C:\​WINDOWS\​system32\​ADVAPI32.dll  0x77DD0000  0x0009B000 
C:\​WINDOWS\​system32\​RPCRT4.dll  0x77E70000  0x00092000 
C:\​WINDOWS\​system32\​SHLWAPI.dll  0x77F60000  0x00076000 
C:\​WINDOWS\​system32\​Secur32.dll  0x77FE0000  0x00011000 
C:\​WINDOWS\​system32\​SHELL32.dll  0x7C9C0000  0x00817000 

2.a) a3e0fae4cf7ce71b1e27ccbeed7eb310-5a94da838a12a93e975eee9d148ed5a0 - Registry Activities

  - Registry Values Read:  
Key Name Value Times
HKLM\​SYSTEM\​CurrentControlSet\​Control\​Session Manager  CriticalSectionTimeout  2592000 
HKLM\​SYSTEM\​Setup  SystemSetupInProgress 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Windows  AppInit_DLLs   
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  TransparentEnabled 
HKLM\​System\​CurrentControlSet\​Control\​ComputerName\​ActiveComputerName  ComputerName  PC 
HKLM\​System\​CurrentControlSet\​Control\​Terminal Server  TSAppCompat 
HKLM\​System\​CurrentControlSet\​Control\​Terminal Server  TSUserEnabled 

2.b) a3e0fae4cf7ce71b1e27ccbeed7eb310-5a94da838a12a93e975eee9d148ed5a0 - File Activities

  - Files Read:  
PIPE\lsarpc

  - Files Modified:  
PIPE\lsarpcinfo

  - File System Control Communication:  
File Control Code Times
C:\  0x00090028 
PIPE\lsarpc  0x0011C017 

  - Device Control Communication:  
File Control Code Times
\Device\KsecDD  0x00390008 

  - Memory Mapped Files:  
File Name
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\WININET.dll
C:\WINDOWS\system32\comctl32.dll

2.c) a3e0fae4cf7ce71b1e27ccbeed7eb310-5a94da838a12a93e975eee9d148ed5a0 - Other Activities

  - Mutexes Created:  
\A0871E65-​DDDA-​4475-​847B-​9306443855DE

  - Windows SEH exceptions:  
Description Times
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x77dfc1a7 


International Secure Systems Lab
Vienna University of Technology, Eurecom France, UC Santa Barbara
Contact: anubis@iseclab.org