Anubis - Analysis Report

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\wsock32.dll	0x71AD0000	0x00009000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\user32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000

Description	Times
Exception 0x80000003 (STATUS_BREAKPOINT) at 0x40b10c	1
Exception 0x80000003 (STATUS_BREAKPOINT) at 0x40ad5a	64
Exception 0x80000003 (STATUS_BREAKPOINT) at 0x40aad8	1
Exception 0x80000003 (STATUS_BREAKPOINT) at 0x40a6c8	1
Exception 0x80000003 (STATUS_BREAKPOINT) at 0x40a583	1
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x4a8e670d	1
Exception 0x80000003 (STATUS_BREAKPOINT) at 0x40a437	1
Exception 0x80000003 (STATUS_BREAKPOINT) at 0x40a16a	1
Exception 0x80000003 (STATUS_BREAKPOINT) at 0x40a2db	1
Exception 0x80000003 (STATUS_BREAKPOINT) at 0x40a962	1

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\BROWSEUI.dll	0x75F80000	0x000FD000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\SHDOCVW.dll	0x7E290000	0x00171000
C:\WINDOWS\system32\CRYPT32.dll	0x77A80000	0x00095000
C:\WINDOWS\system32\MSASN1.dll	0x77B20000	0x00012000
C:\WINDOWS\system32\CRYPTUI.dll	0x754D0000	0x00080000
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\WININET.dll	0x42C10000	0x000CF000
C:\WINDOWS\system32\Normaliz.dll	0x00400000	0x00009000
C:\WINDOWS\system32\iertutil.dll	0x42990000	0x00045000
C:\WINDOWS\system32\WINTRUST.dll	0x76C30000	0x0002E000
C:\WINDOWS\system32\IMAGEHLP.dll	0x76C90000	0x00028000
C:\WINDOWS\system32\WLDAP32.dll	0x76F60000	0x0002C000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\system32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL	0x6F880000	0x001CA000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\MSACM32.dll	0x77BE0000	0x00015000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000
C:\WINDOWS\system32\msctfime.ime	0x755C0000	0x0002E000
C:\WINDOWS\system32\appHelp.dll	0x77B40000	0x00022000
C:\WINDOWS\system32\CLBCATQ.DLL	0x76FD0000	0x0007F000
C:\WINDOWS\system32\COMRes.dll	0x77050000	0x000C5000
C:\WINDOWS\System32\cscui.dll	0x77A20000	0x00054000
C:\WINDOWS\System32\CSCDLL.dll	0x76600000	0x0001D000
C:\WINDOWS\system32\themeui.dll	0x5BA60000	0x00071000
C:\WINDOWS\system32\MSIMG32.dll	0x76380000	0x00005000
C:\WINDOWS\system32\xpsp2res.dll	0x01100000	0x002C5000
C:\WINDOWS\system32\actxprxy.dll	0x71D40000	0x0001B000
C:\WINDOWS\system32\SAMLIB.dll	0x71BF0000	0x00013000
C:\WINDOWS\system32\SETUPAPI.dll	0x77920000	0x000F3000
C:\WINDOWS\system32\msi.dll	0x7D1E0000	0x002BC000
C:\WINDOWS\system32\ntshrui.dll	0x76990000	0x00025000
C:\WINDOWS\system32\ATL.DLL	0x76B20000	0x00011000
C:\WINDOWS\system32\ieframe.dll	0x42EF0000	0x005CD000
C:\WINDOWS\system32\PSAPI.DLL	0x76BF0000	0x0000B000
C:\WINDOWS\system32\LINKINFO.dll	0x76980000	0x00008000
C:\WINDOWS\system32\NETSHELL.dll	0x76400000	0x001A5000
C:\WINDOWS\system32\credui.dll	0x76C00000	0x0002E000
C:\WINDOWS\system32\dot3api.dll	0x478C0000	0x0000A000
C:\WINDOWS\system32\rtutils.dll	0x76E80000	0x0000E000
C:\WINDOWS\system32\dot3dlg.dll	0x736D0000	0x00006000
C:\WINDOWS\system32\OneX.DLL	0x5DCA0000	0x00028000
C:\WINDOWS\system32\WTSAPI32.dll	0x76F50000	0x00008000
C:\WINDOWS\system32\WINSTA.dll	0x76360000	0x00010000
C:\WINDOWS\system32\eappcfg.dll	0x745B0000	0x00022000
C:\WINDOWS\system32\MSVCP60.dll	0x76080000	0x00065000
C:\WINDOWS\system32\eappprxy.dll	0x5DCD0000	0x0000E000
C:\WINDOWS\system32\iphlpapi.dll	0x76D60000	0x00019000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\urlmon.dll	0x42CF0000	0x00127000
C:\WINDOWS\system32\webcheck.dll	0x42E40000	0x0003C000
C:\WINDOWS\system32\stobject.dll	0x76280000	0x00021000
C:\WINDOWS\system32\BatMeter.dll	0x74AF0000	0x0000A000
C:\WINDOWS\system32\POWRPROF.dll	0x74AD0000	0x00008000
C:\WINDOWS\system32\WPDShServiceObj.dll	0x164A0000	0x00023000
C:\WINDOWS\system32\WINHTTP.dll	0x4D4F0000	0x00059000
C:\WINDOWS\system32\mydocs.dll	0x72410000	0x0001A000
C:\WINDOWS\system32\PortableDeviceTypes.dll	0x109C0000	0x0002C000
C:\WINDOWS\system32\PortableDeviceApi.dll	0x10930000	0x00049000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000
C:\WINDOWS\system32\SXS.DLL	0x7E720000	0x000B0000
C:\WINDOWS\system32\MPR.dll	0x71B20000	0x00012000
C:\WINDOWS\System32\drprov.dll	0x75F60000	0x00007000
C:\WINDOWS\System32\ntlanman.dll	0x71C10000	0x0000E000
C:\WINDOWS\System32\NETUI0.dll	0x71CD0000	0x00017000
C:\WINDOWS\System32\NETUI1.dll	0x71C90000	0x00040000
C:\WINDOWS\System32\NETRAP.dll	0x71C80000	0x00007000
C:\WINDOWS\System32\davclnt.dll	0x75F70000	0x0000A000
C:\WINDOWS\system32\browselc.dll	0x71600000	0x00012000
C:\WINDOWS\system32\MSGINA.dll	0x75970000	0x000F8000
C:\WINDOWS\system32\ODBC32.dll	0x74320000	0x0003D000
C:\WINDOWS\system32\comdlg32.dll	0x763B0000	0x00049000
C:\WINDOWS\system32\odbcint.dll	0x02310000	0x00017000
C:\WINDOWS\system32\MLANG.dll	0x75CF0000	0x00091000
C:\WINDOWS\system32\rsaenh.dll	0x68000000	0x00036000

Module Name	Base Address	Size
C:\WINDOWS\system32\hnetcfg.dll	0x662B0000	0x00058000
C:\WINDOWS\System32\mswsock.dll	0x71A50000	0x0003F000
C:\WINDOWS\System32\wshtcpip.dll	0x71A90000	0x00008000
C:\WINDOWS\system32\DNSAPI.dll	0x76F20000	0x00027000
C:\WINDOWS\System32\winrnr.dll	0x76FB0000	0x00008000
C:\WINDOWS\system32\rasadhlp.dll	0x76FC0000	0x00006000

Key	Name	Value	Times
HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\LINKAGE	Bind	0x5c004400650076006900630065005c007b00420032004200350031003000	288
HKLM\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\NAMESPACE_CATALOG5	Serial_Access_Num	4	1
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B2B51064-BBF5-4528-B62B-E6D62A782874}	DhcpServer	255.255.255.255	288
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B2B51064-BBF5-4528-B62B-E6D62A782874}	EnableDHCP	0	144
HKLM\SYSTEM\CurrentControlSet\Services\Winsock\Parameters	Transports	0x5400630070006900700000004e0065007400420049004f00530000000000	2
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	Domain		2
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	Hostname	user	2
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	UseDomainNameDevolution	1	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	HelperDllName	%SystemRoot%\System32\wshtcpip.dll	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	Mapping	0x0b0000000300000002000000010000000600000002000000010000000000	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	MaxSockaddrLength	16	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	MinSockaddrLength	16	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	UseDelayedAcceptance	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters	WinSock_Registry_Version	2.0	2
HKLM\System\Setup	SystemSetupInProgress	0	1

File	Control Code	Times
\Device\{B2B51064-BBF5-4528-B62B-E6D62A782874}	0x0017003E	72
unnamed file	0x00120003	1872
unnamed file	0x00120040	288
unnamed file	0x00120090	144
\Device\NetBT_Tcpip_{B2B51064-BBF5-4528-B62B-E6D62A782874}	0x0021009A	144
\Device\RasAcd	0x00F14014	3
\Device\Afd\Endpoint	AFD_GET_INFO (0x0001207B)	2
\Device\Afd\Endpoint	AFD_SET_CONTEXT (0x00012047)	9
\Device\Afd\Endpoint	AFD_BIND (0x00012003)	3
\Device\Afd\Endpoint	AFD_GET_TDI_HANDLES (0x00012037)	6
\Device\Afd\Endpoint	AFD_CONNECT (0x00012007)	3
\Device\Afd\Endpoint	AFD_SELECT (0x00012024)	9
\Device\Afd\Endpoint	AFD_SEND (0x0001201F)	3
\Device\Afd\Endpoint	AFD_RECV (0x00012017)	6

File Name

C:\WINDOWS\System32\mswsock.dll

C:\WINDOWS\System32\winrnr.dll

C:\WINDOWS\System32\wshtcpip.dll

C:\WINDOWS\system32\DNSAPI.dll

C:\WINDOWS\system32\hnetcfg.dll

C:\WINDOWS\system32\rasadhlp.dll

Analysis Report for ma.exe

Summary:

Table of Contents

1. General Information

1.a) - Network Activity

2. sample.exe

2.a) sample.exe - Registry Activities

2.b) sample.exe - File Activities

2.c) sample.exe - Process Activities

2.d) sample.exe - Other Activities

3. Explorer.EXE

3.a) Explorer.EXE - Registry Activities

3.b) Explorer.EXE - File Activities

3.c) Explorer.EXE - Process Activities

3.d) Explorer.EXE - Network Activity

3.e) Explorer.EXE - Other Activities