Anubis - Analysis Report

Analysis Report for HMA-Pro-VPN-2.6.9-install.exe

Summary:

Description Risk
Packed Binary: This executable is protected with a packer in order to prevent it from being reverse engineered. medium
Performs Registry Activities: The executable creates and/or modifies registry entries. low


Table of Contents

1. General Information

  - Information about Anubis' invocation  
Time needed: 292 s 
Report created: 10/09/11, 14:52:00 UTC 
Termination reason: Timeout 
Program version: 1.75.3394 

2. HMA-Pro-VP.exe

  - General information about this executable  
Analysis Reason: Primary Analysis Subject 
Filename: HMA-Pro-VP.exe 
MD5: cf2acd6c9975d4713c11b9575bc476ed 
SHA-1: dafeb9c2d6714d904bd825b4d87265470d48c98a 
File Size: 3433503 Bytes
Command Line: "C:\HMA-Pro-VP.exe" 
Process-status at analysis end: alive 
Exit Code:

  - Load-time Dlls  
Module Name Base Address Size
C:\WINDOWS\system32\ntdll.dll  0x7C900000  0x000AF000
C:\WINDOWS\system32\kernel32.dll  0x7C800000  0x000F6000
C:\WINDOWS\system32\USER32.dll  0x7E410000  0x00091000
C:\WINDOWS\system32\GDI32.dll  0x77F10000  0x00049000
C:\WINDOWS\system32\SHELL32.dll  0x7C9C0000  0x00817000
C:\WINDOWS\system32\ADVAPI32.dll  0x77DD0000  0x0009B000
C:\WINDOWS\system32\RPCRT4.dll  0x77E70000  0x00092000
C:\WINDOWS\system32\Secur32.dll  0x77FE0000  0x00011000
C:\WINDOWS\system32\msvcrt.dll  0x77C10000  0x00058000
C:\WINDOWS\system32\SHLWAPI.dll  0x77F60000  0x00076000
C:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.dll  0x773D0000  0x00103000
C:\WINDOWS\system32\ole32.dll  0x774E0000  0x0013D000
C:\WINDOWS\system32\VERSION.dll  0x77C00000  0x00008000

  - Run-time Dlls  
Module Name Base Address Size
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\InstallOptions.dll  0x003F0000  0x00009000
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\UserInfo.dll  0x10000000  0x00005000
C:\WINDOWS\system32\UxTheme.dll  0x5AD70000  0x00038000
C:\WINDOWS\system32\MSCTF.dll  0x74720000  0x0004C000
C:\WINDOWS\system32\RichEd20.dll  0x74E30000  0x0006D000
C:\WINDOWS\system32\comdlg32.dll  0x763B0000  0x00049000
C:\WINDOWS\system32\SHFOLDER.dll  0x76780000  0x00009000
C:\WINDOWS\system32\SETUPAPI.dll  0x77920000  0x000F3000

  - SigBuster Output  
NullSoft_PiMP_SFX vna SN: 1724

  - Popups  
Window Name Window Text Screenshot Number of Displayed Times
HMA! Pro VPN 2.6.9 Setup  &Next > Cancel Welcome to the HMA! Pro VPN 2.6.9 Setup Wizard This wizard will guide you through the installation of HMA! Pro VPN. Note that the Windows version of HMA! Pro VPN will only run on Win 2000, XP, or higher.   screenshot
HMA! Pro VPN 2.6.9 Setup  &Yes &No Are you sure you want to quit HMA! Pro VPN 2.6.9 Setup?   screenshot

2.a) HMA-Pro-VP.exe - Registry Activities

  - Registry Values Modified:  
Key Name New Value
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1094da8-30a0-11dd-817b-806d6172696f}\  BaseClass  Drive
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1094daa-30a0-11dd-817b-806d6172696f}\  BaseClass  Drive
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  Programs  C:\Documents and Settings\Administrator\Start Menu\Programs

  - Registry Values Read:  
Key Name Value Times
HKLM\SOFTWARE\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\INPROCSERVER32    %SystemRoot%\system32\SHELL32.dll
HKLM\SOFTWARE\CLASSES\DIRECTORY  AlwaysShowExt
HKLM\SOFTWARE\CLASSES\DRIVE\SHELLEX\FOLDEREXTENSIONS\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}  DriveMask  32
HKLM\SOFTWARE\Microsoft\CTF\SystemShared\  CUAS
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion  CurrentVersion  5.1
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager  CriticalSectionTimeout  2592000
HKLM\SYSTEM\Setup  OsLoaderPath  \
HKLM\SYSTEM\Setup  SystemPartition  \Device\HarddiskVolume1
HKLM\SYSTEM\Setup  SystemSetupInProgress
HKLM\Software\Microsoft\Windows\CurrentVersion  DevicePath  %SystemRoot%\inf
HKLM\Software\Microsoft\Windows\CurrentVersion  ProgramFilesDir  C:\Program Files
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup  DriverCachePath  %SystemRoot%\Driver Cache
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup  LogLevel
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup  ServicePackCachePath  c:\windows\ServicePackFiles\ServicePackCache
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup  ServicePackSourcePath  D:\
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup  SourcePath  D:\
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers  TransparentEnabled
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName  ComputerName  PC
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters  Domain
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters  Hostname  pc
HKLM\System\Setup  SystemSetupInProgress
HKLM\System\WPA\PnP  seed  1274198464
HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle  Language Hotkey
HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle  Layout Hotkey
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\  ShellState  0x2400000038080000000000000000000000000000010000000d0000000000
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  DontPrettyPath
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  Filter
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  Hidden
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  HideFileExt
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  HideIcons
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  MapNetDrvBtn
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  NoNetCrawling
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  SeparateProcess
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  ShowCompColor
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  ShowInfoTip
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  ShowSuperHidden
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  WebView
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094da8-30a0-11dd-817b-806d6172696f}\  Data  0x000000005c005c003f005c0049004400450023004300640052006f006d00
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094da8-30a0-11dd-817b-806d6172696f}\  Generation
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094daa-30a0-11dd-817b-806d6172696f}\  Data  0x000000005c005c003f005c00530054004f00520041004700450023005600
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094daa-30a0-11dd-817b-806d6172696f}\  Generation
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders  Programs  %USERPROFILE%\Start Menu\Programs

2.b) HMA-Pro-VP.exe - File Activities

  - Files Deleted:  
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsr1.tmp

  - Files Created:  
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\InstallOptions.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\System.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\UserInfo.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\ioSpecial.ini
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\modern-header.bmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\modern-wizard.bmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\options.ini
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsr1.tmp

  - Files Read:  
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\ioSpecial.ini
C:\HMA-Pro-VP.exe
PIPE\lsarpc

  - Files Modified:  
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\InstallOptions.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\System.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\UserInfo.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\ioSpecial.ini
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\modern-header.bmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\modern-wizard.bmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\options.ini
MountPointManager
PIPE\lsarpc

  - Directories Created:  
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp

  - File System Control Communication:  
File Control Code Times
C:\Program Files\Common Files\  0x00090028 
PIPE\lsarpc  0x0011C017 

  - Device Control Communication:  
File Control Code Times
\Device\KsecDD  0x00390008 
IDE#CdRomQEMU_QEMU_CD-ROM________________________0.9.____#4d51303030302033202020202020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}  0x004D0008 
MountPointManager  0x006D0008 
STORAGE#Volume#1&30a96598&0&SignatureB15FB15FOffset7E00Length13F291800#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}  0x004D0008 
MountPointManager  0x006D0034 

  - Memory Mapped Files:  
File Name
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\InstallOptions.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\System.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\UserInfo.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\modern-header.bmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd2.tmp\modern-wizard.bmp
C:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.dll
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\system32\MSCTF.dll
C:\WINDOWS\system32\RichEd20.dll
C:\WINDOWS\system32\SETUPAPI.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHFOLDER.dll
C:\WINDOWS\system32\UxTheme.dll
C:\WINDOWS\system32\imm32.dll
C:\WINDOWS\system32\rpcss.dll


International Secure Systems Lab
Vienna University of Technology, Eurecom France, UC Santa Barbara
Contact: anubis@iseclab.org