Analysis Report for BGbot.exe

Comment on this report

Summary:

Description	Risk
Performs Registry Activities: The executable reads and modifies registry values. It may also create and monitor registry keys.

Table of Contents
expand all	collapse all
General information BGbot.exe C:\BGbot.exe Primary Analysis Subject General Information a) Registry Activities b) File Activities c) Other Activities

1. General Information

	- Information about Anubis' invocation

Time needed:	240 s
Report created:	08/23/09, 08:35:31 UTC
Termination reason:	Timeout
Program version:	1.71.0

2. BGbot.exe

	- General information about this executable

Analysis Reason:	Primary Analysis Subject
Filename:	BGbot.exe
MD5:	f687276e2ab6a69da802f2789fbc0837
SHA-1:	003c6902f8ffeee2cb82698ef32faadde754a2d9
File Size:	209664 Bytes
Command Line:	"C:\BGbot.exe"
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\comdlg32.dll	0x763B0000	0x00049000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\WSOCK32.dll	0x71AD0000	0x00009000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000

	- SigBuster Output

UPX V2.9-3.X SN: 1730

	- Popups

Window Name	Window Text	Screenshot	Number of Displayed Times
Enter Account Name	OK Cancel		1
Enter Password	OK Cancel		1

2.a) BGbot.exe - Registry Activities

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SOFTWARE\Microsoft\CTF\SystemShared\	CUAS	0	1
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager	CriticalSectionTimeout	2592000	1
HKLM\SYSTEM\Setup	SystemSetupInProgress	0	1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows	AppInit_DLLs		1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	1
HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	wheel	1	1
HKLM\System\CurrentControlSet\Control\Terminal Server	TSAppCompat	0	3
HKLM\System\CurrentControlSet\Control\Terminal Server	TSUserEnabled	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle	Language Hotkey	1	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle	Layout Hotkey	2	4

2.b) BGbot.exe - File Activities

	- Files Read:

C:\BGbot.exe

	- File System Control Communication:

File	Control Code	Times
C:\	0x00090028	1

	- Device Control Communication:

File	Control Code	Times
\Device\KsecDD	0x00390008	1

	- Memory Mapped Files:

File Name

C:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.dll

C:\WINDOWS\WindowsShell.Manifest

C:\WINDOWS\system32\MSCTF.dll

C:\WINDOWS\system32\SHELL32.dll

C:\WINDOWS\system32\UxTheme.dll

C:\WINDOWS\system32\WINMM.dll

C:\WINDOWS\system32\WS2HELP.dll

C:\WINDOWS\system32\WS2_32.dll

C:\WINDOWS\system32\WSOCK32.dll

C:\WINDOWS\system32\imm32.dll

2.c) BGbot.exe - Other Activities

	- Mutexes Created:

AHK Keybd

AHK Mouse

CTF.Asm.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500

CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500

CTF.LBES.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500

CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500

CTF.TMD.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500

CTF.TimListCache.FMPDefaultS-1-5-21-842925246-1425521274-308236825-500MUTEX.DefaultS-1-5-21-842925246-1425521274-308236825-500

MSCTF.Shared.MUTEX.AKG

MSCTF.Shared.MUTEX.IM

	- Keyboard Keys Monitored:

Virtual Key Code	Times
VK_CAPITAL (20)	32
VK_MENU (18)	4
VK_CONTROL (17)	6
VK_SHIFT (16)	6
VK_LWIN (91)	34
VK_RWIN (92)	34
VK_LSHIFT (160)	30
VK_RSHIFT (161)	30
VK_LCONTROL (162)	30
VK_RCONTROL (163)	30
VK_LMENU (164)	30
VK_RMENU (165)	30