anubis left
Anubis - Analysis Report
anubis right

Analysis Report for 67b78e61fce91dd9d6b3b0d01b5cf4b9

 Comment on this report

Summary:

Description Risk
Spawns Processes: The executable produces processes during the execution. low
Performs Registry Activities: The executable reads and modifies registry values. It may also create and monitor registry keys. low


Table of Contents
expand all expand all   collapse all collapse all

1. General Information

  - Information about Anubis' invocation  
Time needed: 237 s 
Report created: 07/01/09, 07:56:42 UTC 
Termination reason: Timeout 
Program version: 1.68.0 

1.a) - Network Activity

  -  HTTP Conversations:  
From ANUBIS:1032 to 66.220.17.154:80 - [ayb.host127-0-0-1.com]
Request: GET /abt?udata=WWW_9WWW:5.44www:1634344911:United States:program_started:0aae4256f940abdd
Response: 200 "OK"

  -  Unknown UDP Traffic:  
from ANUBIS:1025 to 192.168.0.1:53
State: Normal establishment and termination - Transferred outbound Bytes: 39 - Transferred inbound Bytes: 103

2. sample.exe

  - General information about this executable  
Analysis Reason: Primary Analysis Subject 
Filename: sample.exe 
MD5: 67b78e61fce91dd9d6b3b0d01b5cf4b9 
SHA-1: c48e2961917490792c4018d3de59126d08fd151a 
File Size: 524288 Bytes
Command Line: "C:\sample.exe" 
Process-status at analysis end: dead 
Exit Code:

  - Load-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​ntdll.dll  0x7C900000  0x000AF000 
C:\​WINDOWS\​system32\​kernel32.dll  0x7C800000  0x000F6000 
C:\​WINDOWS\​system32\​gdi32.dll  0x77F10000  0x00049000 
C:\​WINDOWS\​system32\​USER32.dll  0x7E410000  0x00091000 
C:\​WINDOWS\​WinSxS\​X86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\​comctl32.dll  0x773D0000  0x00103000 
C:\​WINDOWS\​system32\​msvcrt.dll  0x77C10000  0x00058000 
C:\​WINDOWS\​system32\​ADVAPI32.dll  0x77DD0000  0x0009B000 
C:\​WINDOWS\​system32\​RPCRT4.dll  0x77E70000  0x00092000 
C:\​WINDOWS\​system32\​Secur32.dll  0x77FE0000  0x00011000 
C:\​WINDOWS\​system32\​SHLWAPI.dll  0x77F60000  0x00076000 
C:\​WINDOWS\​system32\​wininet.dll  0x42C10000  0x000CF000 
C:\​WINDOWS\​system32\​Normaliz.dll  0x00340000  0x00009000 
C:\​WINDOWS\​system32\​iertutil.dll  0x42990000  0x00045000 
C:\​WINDOWS\​system32\​shell32.dll  0x7C9C0000  0x00817000 
C:\​WINDOWS\​system32\​wsock32.dll  0x71AD0000  0x00009000 
C:\​WINDOWS\​system32\​WS2_32.dll  0x71AB0000  0x00017000 
C:\​WINDOWS\​system32\​WS2HELP.dll  0x71AA0000  0x00008000 
C:\​WINDOWS\​system32\​ole32.dll  0x774E0000  0x0013D000 
C:\​WINDOWS\​system32\​mfc42.dll  0x73DD0000  0x000FE000 
C:\​WINDOWS\​system32\​IMM32.DLL  0x76390000  0x0001D000 

  - Run-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​Oleaut32.dll  0x77120000  0x0008B000 
C:\​WINDOWS\​system32\​Apphelp.dll  0x77B40000  0x00022000 
C:\​WINDOWS\​system32\​VERSION.dll  0x77C00000  0x00008000 

  - SigBuster Output  
Swizzor_test vna SN: 1732

  - Ikarus Virus Scanner  
Trojan.Win32.Obfuscated (Sig-Id:754735)

2.a) sample.exe - Registry Activities

  - Registry Keys Created:  
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​HOPE MANAGER ONLINEJunk
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​HOPE MANAGER ONLINEJunk\​GreatLiveLocks

  - Registry Values Modified:  
Key Name New Value
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​HOPE MANAGER ONLINEJunk  globalbind  0x603df93aa288af49d1b58ce99ee6a68bab97f2d38aca2abaeee3e22f4bd6 

  - Registry Values Read:  
Key Name Value Times
HKLM\​SOFTWARE\​CLASSES\​CLSID\​{0002DF01-0000-0000-C000-000000000046}\​LOCALSERVER32    "C:\​Program Files\​Internet Explorer\​IEXPLORE.EXE" 
HKLM\​SOFTWARE\​CLASSES\​INTERNETEXPLORER.APPLICATION\​CLSID    {0002DF01-0000-0000-C000-000000000046} 
HKLM\​SYSTEM\​WPA\​MediaCenter  Installed 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Telephony\​Country List\​1  InternationalRule  S011EFG 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Telephony\​Country List\​1  Name  United States 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  AuthenticodeEnabled 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  DefaultLevel  262144 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  PolicyScope 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  TransparentEnabled 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  ItemData  0x5eab304f957a49896a006c1c31154015 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  ItemSize  779 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{349d35ab-37b5-462f-9b89-edd5fbde1328}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  ItemData  0x67b0d48b343a3fd3bce9dc646704f394 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  ItemSize  517 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  ItemData  0x327802dcfef8c893dc8ab006dd847d1d 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  ItemSize  918 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  ItemData  0xbd9a2adb42ebd8560e250e4df8162f67 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  ItemSize  229 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{94e3e076-8f53-42a5-8411-085bcc18a68d}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  HashAlg  32771 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  ItemData  0x386b085f84ecf669d36b956a22c01e80 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  ItemSize  370 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Hashes\​{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  SaferFlags 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Paths\​{dda3f824-d8cb-441b-834d-be2efd2c1a33}  ItemData  %HKEY_CURRENT_USER\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders\​Cache%OLK* 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers\​0\​Paths\​{dda3f824-d8cb-441b-834d-be2efd2c1a33}  SaferFlags 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​HOPE MANAGER ONLINEJunk  globalbind  0x67789030701e01db863180e5ce944435d695078d2e46be7274f6bd240ee0  25 
HKU\​S-1-5-21-1229272821-1004336348-527237240-1003\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  Cache  C:\​Documents and Settings\​user\​Local Settings\​Temporary Internet Files 

2.b) sample.exe - File Activities

  - Files Read:  
C:\sample.exe

  - Device Control Communication:  
File Control Code Times
unnamed file  0x00390008 

  - Memory Mapped Files:  
File Name
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\Apphelp.dll
C:\Windows\AppPatch\sysmain.sdb

2.c) sample.exe - Process Activities

  - Processes Created:  
Executable Command Line
C:\Program Files\Internet Explorer\IEXPLORE.EXE   
C:\Program Files\Internet Explorer\IEXPLORE.EXE   

  - Remote Threads Created:  
Affected Process
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

  - Foreign Memory Regions Read:  
Process: C:\Program Files\Internet Explorer\IEXPLORE.EXE

  - Foreign Memory Regions Written:  
Process: C:\Program Files\Internet Explorer\IEXPLORE.EXE

2.d) sample.exe - Other Activities

  - Mutexes Created:  

  - Windows SEH exceptions:  
Description Times
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x40d2cc 
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x40bcf3 
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x404849 
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x4154af 
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x41515d 
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x405d9a 
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x414b80 
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x4169d6 

3. iexplore.exe

  - General information about this executable  
Analysis Reason: Started by sample.exe 
Filename: iexplore.exe 
Process-status at analysis end: alive 
Exit Code:


International Secure Systems Lab
Vienna University of Technology, Eurecom France, UC Santa Barbara
Contact: anubis@iseclab.org