anubis left
Anubis - Analysis Report
anubis right

Analysis Report for NF-eletronica-987812165162.Docx.exe

Comment on this report

Summary:

Description Risk
Performs File Modification and Destruction: The executable modifies and destructs files which are not temporary. low
Packed Binary: This executable is protected with a packer in order to prevent it from being reverse engineered. medium


Table of Contents

expand all expand all   collapse all collapse all

1. General Information

  - Information about Anubis' invocation  
Time needed: 256 s 
Report created: 04/02/13, 05:17:00 UTC 
Termination reason: Timeout 
Program version: 1.76.3886 

2. NF-eletron.exe

  - General information about this executable  
Analysis Reason: Primary Analysis Subject 
Filename: NF-eletron.exe 
MD5: 65ba9ff22e4e9073dda5ecae0fd056a7 
SHA-1: 0dd46f3e46ace98eb09a41a4d33757d40d686fb2 
File Size: 531968 Bytes
Command Line: "C:\NF-eletron.exe" 
Process-status at analysis end: alive 
Exit Code:

  - Load-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​ntdll.dll  0x7C900000  0x000AF000 
C:\​WINDOWS\​system32\​kernel32.dll  0x7C800000  0x000F6000 
C:\​WINDOWS\​system32\​oleaut32.dll  0x77120000  0x0008B000 
C:\​WINDOWS\​system32\​ADVAPI32.dll  0x77DD0000  0x0009B000 
C:\​WINDOWS\​system32\​RPCRT4.dll  0x77E70000  0x00092000 
C:\​WINDOWS\​system32\​Secur32.dll  0x77FE0000  0x00011000 
C:\​WINDOWS\​system32\​GDI32.dll  0x77F10000  0x00049000 
C:\​WINDOWS\​system32\​USER32.dll  0x7E410000  0x00091000 
C:\​WINDOWS\​system32\​msvcrt.dll  0x77C10000  0x00058000 
C:\​WINDOWS\​system32\​ole32.dll  0x774E0000  0x0013D000 
C:\​WINDOWS\​system32\​msimg32.dll  0x76380000  0x00005000 
C:\​WINDOWS\​system32\​version.dll  0x77C00000  0x00008000 
C:\​WINDOWS\​WinSxS\​x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\​comctl32.dll  0x773D0000  0x00103000 
C:\​WINDOWS\​system32\​SHLWAPI.dll  0x77F60000  0x00076000 
C:\​WINDOWS\​system32\​winspool.drv  0x73000000  0x00026000 

  - Run-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​hnetcfg.dll  0x662B0000  0x00058000 
C:\​WINDOWS\​system32\​mswsock.dll  0x71A50000  0x0003F000 
C:\​WINDOWS\​System32\​wshtcpip.dll  0x71A90000  0x00008000 
C:\​WINDOWS\​system32\​WS2HELP.dll  0x71AA0000  0x00008000 
C:\​WINDOWS\​system32\​WS2_32.DLL  0x71AB0000  0x00017000 
C:\​WINDOWS\​system32\​MSCTF.dll  0x74720000  0x0004C000 
C:\​WINDOWS\​system32\​imm32.dll  0x76390000  0x0001D000 

  - SigBuster Output  
PE_Compact v2.X SN:660 PE_Compact V2.X SN:1620

2.a) NF-eletron.exe - Registry Activities

  - Registry Values Read:  
Key Name Value Times
HKLM\​SOFTWARE\​Microsoft\​CTF\​SystemShared\​  CUAS 
HKLM\​SOFTWARE\​Microsoft\​Windows NT\​CurrentVersion\​FontSubstitutes  MS Shell Dlg 2  Tahoma 
HKLM\​SYSTEM\​CurrentControlSet\​Control\​Session Manager  CriticalSectionTimeout  2592000 
HKLM\​SYSTEM\​CurrentControlSet\​Services\​Winsock\​Parameters  Transports  0x5400630070006900700000004e0065007400420049004f00530000000000 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  TransparentEnabled 
HKLM\​System\​CurrentControlSet\​Control\​Terminal Server  TSUserEnabled 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters\​Winsock  HelperDllName  %SystemRoot%\​System32\​wshtcpip.dll 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters\​Winsock  Mapping  0x0b0000000300000002000000010000000600000002000000010000000000 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters\​Winsock  MaxSockaddrLength  16 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters\​Winsock  MinSockaddrLength  16 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters\​Winsock  UseDelayedAcceptance 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters  WinSock_Registry_Version  2.0 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5  Num_Catalog_Entries 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5  Serial_Access_Num 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  DisplayString  Tcpip 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  Enabled 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  LibraryPath  %SystemRoot%\​System32\​mswsock.dll 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  ProviderId  0x409d05229e7ecf11ae5a00aa00a7112b 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  StoresServiceClassInfo 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  SupportedNameSpace  12 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  Version 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  DisplayString  NTDS 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  Enabled 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  LibraryPath  %SystemRoot%\​System32\​winrnr.dll 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  ProviderId  0xee37263b80e5cf11a55500c04fd8d4ac 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  StoresServiceClassInfo 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  SupportedNameSpace  32 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  Version 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  DisplayString  Network Location Awareness (NLA) Namespace 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  Enabled 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  LibraryPath  %SystemRoot%\​System32\​mswsock.dll 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  ProviderId  0x3a244266a83ba64abaa52e0bd71fdd83 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  StoresServiceClassInfo 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  SupportedNameSpace  15 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  Version 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9  Next_Catalog_Entry_ID  1020 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9  Num_Catalog_Entries  13 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9  Serial_Access_Num 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000001  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000002  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000003  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000004  PackedCatalogItem  %SystemRoot%\​system32\​rsvpsp.d 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000005  PackedCatalogItem  %SystemRoot%\​system32\​rsvpsp.d 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000006  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000007  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000008  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000009  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000010  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000011  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000012  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000013  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Keyboard Layout\​Toggle  Language Hotkey 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Keyboard Layout\​Toggle  Layout Hotkey 

  - Monitored Registry Keys:  
Key Name Watch subtree Notify Filter Count
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5  Key Change 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9  Key Change 

2.b) NF-eletron.exe - File Activities

  - Files Created:  
C:\Program Files\2M3f4Y
C:\Program Files\2M3f4Y\3t3h5a0Q5O.3q6y5o5b
C:\Program Files\2M3f4Y\help01.hlp
C:\Program Files\2M3f4Y\help02.hlp

  - Files Read:  
C:\Program Files\2M3f4Y\3t3h5a0Q5O.3q6y5o5b

  - Files Modified:  
C:\Program Files\2M3f4Y\3t3h5a0Q5O.3q6y5o5b
C:\Program Files\2M3f4Y\help01.hlp
C:\Program Files\2M3f4Y\help02.hlp
\Device\Afd\Endpointinfo

  - Directories Created:  
C:\Program Files\2M3f4Y

  - File System Control Communication:  
File Control Code Times
C:\Program Files\Common Files\  0x00090028 

  - Device Control Communication:  
File Control Code Times
\Device\KsecDD  0x00390008 
\Device\Afd\Endpoint  AFD_GET_INFO (0x0001207B) 
\Device\Afd\Endpoint  AFD_SET_CONTEXT (0x00012047) 
\Device\Afd\Endpoint  AFD_BIND (0x00012003) 
\Device\Afd\Endpoint  AFD_GET_TDI_HANDLES (0x00012037) 
\Device\Afd\Endpoint  AFD_GET_SOCK_NAME (0x0001202F) 
\Device\Afd\Endpoint  AFD_CONNECT (0x00012007) 
\Device\Afd\Endpoint  AFD_SEND (0x0001201F) 
\Device\Afd\Endpoint  AFD_SELECT (0x00012024)  1497 
\Device\Afd\Endpoint  AFD_RECV (0x00012017)  1494 
\Device\Afd\Endpoint  AFD_DISCONNECT (0x0001202B) 

  - Memory Mapped Files:  
File Name
C:\WINDOWS\System32\wshtcpip.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\system32\MSCTF.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\WS2_32.DLL
C:\WINDOWS\system32\hnetcfg.dll
C:\WINDOWS\system32\imm32.dll
C:\WINDOWS\system32\msimg32.dll
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\rpcss.dll
C:\WINDOWS\system32\winspool.drv

2.c) NF-eletron.exe - Network Activity

  -  HTTP Conversations:  
From ANUBIS:1028 to 54.244.228.88:80 - [54.244.228.88]
Request: GET /arquivos/updados.hlp
Response: 200 "OK"

2.d) NF-eletron.exe - Other Activities

  - Mutexes Created:  
CTF.Asm.MutexDefaultS-​1-​5-​21-​842925246-​1425521274-​308236825-​500
CTF.Compart.MutexDefaultS-​1-​5-​21-​842925246-​1425521274-​308236825-​500
CTF.LBES.MutexDefaultS-​1-​5-​21-​842925246-​1425521274-​308236825-​500
CTF.Layouts.MutexDefaultS-​1-​5-​21-​842925246-​1425521274-​308236825-​500
CTF.TMD.MutexDefaultS-​1-​5-​21-​842925246-​1425521274-​308236825-​500
CTF.TimListCache.FMPDefaultS-​1-​5-​21-​842925246-​1425521274-​308236825-​500MUTEX.DefaultS-​1-​5-​21-​842925246-​1425521274-​308236825-​500

  - Windows SEH exceptions:  
Description Times
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x541016 
Exception 0x406d1388 at 0x7c812aeb 


International Secure Systems Lab
Vienna University of Technology, Eurecom France, UC Santa Barbara
Contact: anubis@iseclab.org