Anubis - Analysis Report

Analysis Report for flash.exe.virus

1. General Information

  - Information about Anubis' invocation  
Time needed: 30 s 
Report created: 07/12/13, 23:03:14 UTC 
Termination reason: All tracked processes have exited 
Program version: 1.76.3886 

2. flash.exe..exe

  - General information about this executable  
Analysis Reason: Primary Analysis Subject 
Filename: flash.exe..exe 
MD5: 5bbb11de6f74415ee4005f792e0fe6ff 
SHA-1: 42828762312aaf5c397254345abfce479d307e2c 
File Size: 98200 Bytes
Command Line: "C:\flash.exe..exe" 
Process-status at analysis end: dead 
Exit Code:

  - Load-time Dlls  
Module Name  Base Address  Size
C:\WINDOWS\system32\ntdll.dll  0x7C900000  0x000AF000
C:\WINDOWS\system32\kernel32.dll  0x7C800000  0x000F6000
C:\WINDOWS\system32\USER32.dll  0x7E410000  0x00091000
C:\WINDOWS\system32\GDI32.dll  0x77F10000  0x00049000
C:\WINDOWS\system32\SHELL32.dll  0x7C9C0000  0x00817000
C:\WINDOWS\system32\ADVAPI32.dll  0x77DD0000  0x0009B000
C:\WINDOWS\system32\RPCRT4.dll  0x77E70000  0x00092000
C:\WINDOWS\system32\Secur32.dll  0x77FE0000  0x00011000
C:\WINDOWS\system32\msvcrt.dll  0x77C10000  0x00058000
C:\WINDOWS\system32\SHLWAPI.dll  0x77F60000  0x00076000
C:\WINDOWS\system32\COMCTL32.dll  0x5D090000  0x0009A000
C:\WINDOWS\system32\ole32.dll  0x774E0000  0x0013D000
C:\WINDOWS\system32\VERSION.dll  0x77C00000  0x00008000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll  0x773D0000  0x00103000

  - Run-time Dlls  
Module Name  Base Address  Size
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nse2.tmp\FindProcDLL.dll  0x003D0000  0x00003000
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nse2.tmp\UAC.dll  0x10000000  0x00008000
C:\WINDOWS\system32\MSCTF.dll  0x74720000  0x0004C000
C:\WINDOWS\system32\SHFOLDER.dll  0x76780000  0x00009000
C:\WINDOWS\system32\PSAPI.DLL  0x76BF0000  0x0000B000
C:\WINDOWS\system32\SETUPAPI.dll  0x77920000  0x000F3000

2.a) flash.exe..exe - Registry Activities

  - Registry Values Modified:  
Key  Name  New Value
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1094da8-30a0-11dd-817b-806d6172696f}\  BaseClass  Drive
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1094daa-30a0-11dd-817b-806d6172696f}\  BaseClass  Drive
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  Local AppData  C:\Documents and Settings\Administrator\Local Settings\Application Data

  - Registry Values Read:  
Key  Name  Value  Times
HKLM\SOFTWARE\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\INPROCSERVER32    %SystemRoot%\system32\SHELL32.dll
HKLM\SOFTWARE\CLASSES\DIRECTORY  AlwaysShowExt
HKLM\SOFTWARE\CLASSES\DRIVE\SHELLEX\FOLDEREXTENSIONS\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}  DriveMask  32
HKLM\SOFTWARE\Microsoft\CTF\SystemShared\  CUAS
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager  CriticalSectionTimeout  2592000
HKLM\SYSTEM\Setup  OsLoaderPath  \
HKLM\SYSTEM\Setup  SystemPartition  \Device\HarddiskVolume1
HKLM\SYSTEM\Setup  SystemSetupInProgress
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows  AppInit_DLLs
HKLM\Software\Microsoft\Windows\CurrentVersion  DevicePath  %SystemRoot%\inf
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup  DriverCachePath  %SystemRoot%\Driver Cache
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup  LogLevel
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup  ServicePackCachePath  c:\windows\ServicePackFiles\ServicePackCache
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup  ServicePackSourcePath  D:\
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup  SourcePath  D:\
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers  TransparentEnabled
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName  ComputerName  PC
HKLM\System\CurrentControlSet\Control\Terminal Server  TSAppCompat
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters  Domain
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters  Hostname  pc
HKLM\System\Setup  SystemSetupInProgress
HKLM\System\WPA\PnP  seed  1274198464
HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle  Language Hotkey
HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle  Layout Hotkey
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\  ShellState  0x2400000038080000000000000000000000000000010000000d0000000000
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  DontPrettyPath
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  Filter
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  Hidden
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  HideFileExt
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  HideIcons
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  MapNetDrvBtn
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  NoNetCrawling
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  SeparateProcess
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  ShowCompColor
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  ShowInfoTip
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  ShowSuperHidden
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  WebView
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094da8-30a0-11dd-817b-806d6172696f}\  Data  0x000000005c005c003f005c0049004400450023004300640052006f006d00
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094da8-30a0-11dd-817b-806d6172696f}\  Generation
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094daa-30a0-11dd-817b-806d6172696f}\  Data  0x000000005c005c003f005c00530054004f00520041004700450023005600
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094daa-30a0-11dd-817b-806d6172696f}\  Generation
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders  Local AppData  %USERPROFILE%\Local Settings\Application Data

2.b) flash.exe..exe - File Activities

  - Files Deleted:  
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nse1.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nse2.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nse2.tmp\
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nse2.tmp\FindProcDLL.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nse2.tmp\UAC.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nse2.tmp\nsJSON.dll

  - Files Created:  
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nse1.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nse2.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nse2.tmp\FindProcDLL.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nse2.tmp\UAC.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nse2.tmp\nsJSON.dll
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\giemagpmpnboldamnfpipidmphpcmmia
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\giemagpmpnboldamnfpipidmphpcmmia\11_0
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\giemagpmpnboldamnfpipidmphpcmmia\11_0\background.js
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\giemagpmpnboldamnfpipidmphpcmmia\11_0\manifest.json
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\giemagpmpnboldamnfpipidmphpcmmia\11_0\s.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

  - Files Read:  
C:\flash.exe..exe
PIPE\lsarpc

  - Files Modified:  
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nse2.tmp\FindProcDLL.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nse2.tmp\UAC.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nse2.tmp\nsJSON.dll
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\giemagpmpnboldamnfpipidmphpcmmia\11_0\background.js
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\giemagpmpnboldamnfpipidmphpcmmia\11_0\manifest.json
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\giemagpmpnboldamnfpipidmphpcmmia\11_0\s.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences
MountPointManager
PIPE\lsarpc

  - Directories Created:  
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nse2.tmp
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\giemagpmpnboldamnfpipidmphpcmmia
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\giemagpmpnboldamnfpipidmphpcmmia\11_0

  - Directories Removed:  
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nse2.tmp\

  - File System Control Communication:  
File  Control Code  Times
C:\Program Files\Common Files\  0x00090028
PIPE\lsarpc  0x0011C017

  - Device Control Communication:  
File  Control Code  Times
\Device\KsecDD  0x00390008
IDE#CdRomQEMU_QEMU_CD-ROM________________________0.9.____#4d51303030302033202020202020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}  0x004D0008
MountPointManager  0x006D0008
STORAGE#Volume#1&30a96598&0&SignatureB15FB15FOffset7E00Length13F291800#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}  0x004D0008
MountPointManager  0x006D0034

  - Memory Mapped Files:  
File Name
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nse2.tmp\FindProcDLL.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nse2.tmp\UAC.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nse2.tmp\nsJSON.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\system32\COMCTL32.dll
C:\WINDOWS\system32\MSCTF.dll
C:\WINDOWS\system32\PSAPI.DLL
C:\WINDOWS\system32\SETUPAPI.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHFOLDER.dll
C:\WINDOWS\system32\imm32.dll
C:\WINDOWS\system32\rpcss.dll
C:\flash.exe..exe

2.c) flash.exe..exe - Process Activities

  - Foreign Memory Regions Read:  
Process: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
Process: C:\Program Files\Common Files\dgwxqncxg.exe
Process: C:\Program Files\Common Files\lklmxx.exe
Process: C:\Program Files\Messenger\msmsgs.exe
Process: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Process: C:\WINDOWS\explorer.exe
Process: C:\WINDOWS\system32\ctfmon.exe
Process: C:\WINDOWS\system32\lsass.exe
Process: C:\WINDOWS\system32\services.exe
Process: C:\WINDOWS\system32\smss.exe
Process: C:\WINDOWS\system32\spoolsv.exe
Process: C:\WINDOWS\system32\svchost.exe
Process: C:\WINDOWS\system32\winlogon.exe
Process: C:\WINDOWS\system32\wscntfy.exe
Process: C:\WINDOWS\system32\wuauclt.exe
Process: C:\flash.exe..exe


International Secure Systems Lab
Vienna University of Technology, Eurecom France, UC Santa Barbara
Contact: anubis@iseclab.org