___ __ _ + /- / | ____ __ __/ /_ (_)____ -\ + /s h- / /| | / __ \/ / / / __ \/ / ___/ -h s\ oh-:d/ / ___ |/ / / / /_/ / /_/ / (__ ) /d:-ho shh+hy- /_/ |_/_/ /_/\__,_/_.___/_/____/ -yh+hhs -:+hhdhyys/- -\syyhdhh+:- -//////dhhhhhddhhyss- Analysis Report -ssyhhddhhhhhd\\\\\\- /++/////oydddddhhyys/ ooooooooooooooooooooo \syyhhdddddyo\\\\\++\ -+++///////odh/- -+hdo\\\\\\\+++- +++++++++//yy+/: :\+yy\\+++++++++ /+soss+sys//yyo/os++o+: :+o++so\oyy\\sys+ssos+\ +oyyyys++o/+yss/+/oyyyy: :yyyyo\+\ssy+\o++syyyyo+ +oyyyyyyso+os/o/+yyyyyy/ \yyyyyy+\o\so+osyyyyyyo+ [#############################################################################] Analysis Report for BRMCrypt.exe MD5: 2cf95cb4957f52135806e3984c14d92a [#############################################################################] Summary: - Performs Registry Activities: The executable reads and modifies registry values. It also creates and monitors registry keys. [=============================================================================] Table of Contents [=============================================================================] - General information - BRMCrypt.exe a) Registry Activities b) File Activities c) Other Activities [#############################################################################] 1. General Information [#############################################################################] [=============================================================================] Information about Anubis' invocation [=============================================================================] Time needed: 239 s Report created: 08/03/09, 00:57:33 UTC Termination reason: Timeout Program version: 1.70.0 [#############################################################################] 2. BRMCrypt.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: Primary Analysis Subject Filename: BRMCrypt.exe MD5: 2cf95cb4957f52135806e3984c14d92a SHA-1: 1d5eca51f6e72b835ebb0ab304c44ebbc47bd3b9 File Size: 733184 Bytes Command Line: "C:\BRMCrypt.exe" Process-status at analysis end: alive Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\MSVBVM60.DLL ], Base Address: [0x73420000 ], Size: [0x00153000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ] [=============================================================================] Run-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\Comctl32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ] Module Name: [ C:\WINDOWS\system32\OLEPRO32.DLL ], Base Address: [0x5EDD0000 ], Size: [0x00017000 ] Module Name: [ C:\WINDOWS\system32\asycfilt.dll ], Base Address: [0x708F0000 ], Size: [0x00013000 ] Module Name: [ C:\WINDOWS\system32\MSCTF.dll ], Base Address: [0x74720000 ], Size: [0x0004C000 ] Module Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ], Base Address: [0x76FD0000 ], Size: [0x0007F000 ] Module Name: [ C:\WINDOWS\system32\COMRes.dll ], Base Address: [0x77050000 ], Size: [0x000C5000 ] Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ] Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ] Module Name: [ C:\WINDOWS\system32\shell32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ] Module Name: [ C:\WINDOWS\system32\SXS.DLL ], Base Address: [0x7E720000 ], Size: [0x000B0000 ] [=============================================================================] 2.a) BRMCrypt.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{0BE35203-8F91-11CE-9DE3-00AA004BB851}\INPROCSERVER32 ], Value Name: [ ], Value: [ oleaut32.dll ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{0BE35203-8F91-11CE-9DE3-00AA004BB851}\INPROCSERVER32 ], Value Name: [ ThreadingModel ], Value: [ Both ], 1 time Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ], Value Name: [ CUAS ], Value: [ 0 ], 1 time Key: [ HKLM\SYSTEM\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\COM3 ], Value Name: [ Com+Enabled ], Value: [ 1 ], 2 times Key: [ HKLM\Software\Microsoft\COM3 ], Value Name: [ REGDBVersion ], Value: [ 0x0700000000000000 ], 8 times Key: [ HKLM\System\CurrentControlSet\Control\Nls\Codepage ], Value Name: [ 932 ], Value: [ c_932.nls ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Nls\Codepage ], Value Name: [ 936 ], Value: [ c_936.nls ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Nls\Codepage ], Value Name: [ 949 ], Value: [ c_949.nls ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Nls\Codepage ], Value Name: [ 950 ], Value: [ c_950.nls ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], Value Name: [ Language Hotkey ], Value: [ 1 ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], Value Name: [ Layout Hotkey ], Value: [ 2 ], 2 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Monitored Registry Keys: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\Software\Classes ], Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 3 times Key: [ HKLM\Software\Classes\CLSID ], Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 2 times Key: [ HKLM\Software\Microsoft\COM3 ], Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 6 times Key: [ HKU ], Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 3 times [=============================================================================] 2.b) BRMCrypt.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\Registration\R000000000007.clb ] File Name: [ C:\WINDOWS\system32\MSVBVM60.DLL ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Device Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ unnamed file ], Control Code: [ 0x00390008 ], 7 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ] File Name: [ C:\WINDOWS\WindowsShell.Manifest ] File Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ] File Name: [ C:\WINDOWS\system32\COMRes.dll ] File Name: [ C:\WINDOWS\system32\Comctl32.dll ] File Name: [ C:\WINDOWS\system32\MSCTF.dll ] File Name: [ C:\WINDOWS\system32\MSVBVM60.DLL ] File Name: [ C:\WINDOWS\system32\OLEPRO32.DLL ] File Name: [ C:\WINDOWS\system32\SXS.DLL ] File Name: [ C:\WINDOWS\system32\asycfilt.dll ] File Name: [ C:\WINDOWS\system32\imm32.dll ] File Name: [ C:\WINDOWS\system32\rpcss.dll ] File Name: [ C:\WINDOWS\system32\shell32.dll ] [=============================================================================] 2.c) BRMCrypt.exe - Other Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Mutexes Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Mutex: [ CTF.Asm.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.LBES.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.TMD.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.TimListCache.FMPDefaultS-1-5-21-842925246-1425521274-308236825-500MUTEX.DefaultS-1-5-21-842925246-1425521274-308236825-500 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Keyboard Keys Monitored: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Virtual Key Code: [ VK_ESCAPE (27) ], 41 times [#############################################################################] International Secure Systems Lab http://www.iseclab.org Vienna University of Technology Eurecom France UC Santa Barbara http://www.tuwien.ac.at http://www.eurecom.fr http://www.cs.ucsb.edu Contact: anubis@iseclab.org