anubis left
Anubis - Analysis Report
anubis right

Analysis Report for 34cd28ef831c82a55350c3eface482d7.zeustracker

 Comment on this report

Summary:

Description Risk
Packed Binary: This executable is protected with a packer in order to prevent it from being reverse engineered. medium
Performs Registry Activities: The executable creates and/or modifies registry entries. low


Table of Contents
expand all expand all   collapse all collapse all

1. General Information

  - Information about Anubis' invocation  
Time needed: 256 s 
Report created: 10/07/11, 09:31:25 UTC 
Termination reason: Timeout 
Program version: 1.75.3394 

2. 34cd28ef83.exe

  - General information about this executable  
Analysis Reason: Primary Analysis Subject 
Filename: 34cd28ef83.exe 
MD5: 34cd28ef831c82a55350c3eface482d7 
SHA-1: 4a124c9204a82e627cd8556c1049823a7753610f 
File Size: 169984 Bytes
Command Line: "C:\34cd28ef83.exe" 
Process-status at analysis end: alive 
Exit Code:

  - Load-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​ntdll.dll  0x7C900000  0x000AF000 
C:\​WINDOWS\​system32\​kernel32.dll  0x7C800000  0x000F6000 
C:\​WINDOWS\​system32\​msvcrt.dll  0x77C10000  0x00058000 

  - Run-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​NETAPI32.dll  0x5B860000  0x00055000 
C:\​WINDOWS\​system32\​comctl32.dll  0x5D090000  0x0009A000 
C:\​WINDOWS\​system32\​WS2HELP.dll  0x71AA0000  0x00008000 
C:\​WINDOWS\​system32\​WS2_32.dll  0x71AB0000  0x00017000 
C:\​WINDOWS\​system32\​OLEAUT32.dll  0x77120000  0x0008B000 
C:\​WINDOWS\​system32\​WININET.dll  0x771B0000  0x000AA000 
C:\​WINDOWS\​WinSxS\​x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\​comctl32.dll  0x773D0000  0x00103000 
C:\​WINDOWS\​system32\​ole32.dll  0x774E0000  0x0013D000 
C:\​WINDOWS\​system32\​CRYPT32.dll  0x77A80000  0x00095000 
C:\​WINDOWS\​system32\​MSASN1.dll  0x77B20000  0x00012000 
C:\​WINDOWS\​system32\​ADVAPI32.dll  0x77DD0000  0x0009B000 
C:\​WINDOWS\​system32\​RPCRT4.dll  0x77E70000  0x00092000 
C:\​WINDOWS\​system32\​GDI32.dll  0x77F10000  0x00049000 
C:\​WINDOWS\​system32\​SHLWAPI.dll  0x77F60000  0x00076000 
C:\​WINDOWS\​system32\​Secur32.dll  0x77FE0000  0x00011000 
C:\​WINDOWS\​system32\​SHELL32.dll  0x7C9C0000  0x00817000 
C:\​WINDOWS\​system32\​USER32.DLL  0x7E410000  0x00091000 

  - SigBuster Output  
UPX All_Versions SN:1634

2.a) 34cd28ef83.exe - Registry Activities

  - Registry Keys Created:  
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​Microsoft\​Upes

  - Registry Values Modified:  
Key Name New Value
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  AppData  C:\​Documents and Settings\​Administrator\​Application Data 

  - Registry Values Read:  
Key Name Value Times
HKLM\​SOFTWARE\​Microsoft\​Windows NT\​CurrentVersion  DigitalProductId  0xa40000000300000037363438372d3634302d313435373233362d32333833 
HKLM\​SOFTWARE\​Microsoft\​Windows NT\​CurrentVersion  InstallDate  1212451221 
HKLM\​SYSTEM\​CurrentControlSet\​Control\​Session Manager  CriticalSectionTimeout  2592000 
HKLM\​SYSTEM\​Setup  SystemSetupInProgress 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  TransparentEnabled 
HKLM\​System\​CurrentControlSet\​Control\​ComputerName\​ActiveComputerName  ComputerName  PC 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters  WinSock_Registry_Version  2.0 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5  Num_Catalog_Entries 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5  Serial_Access_Num 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  DisplayString  Tcpip 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  Enabled 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  LibraryPath  %SystemRoot%\​System32\​mswsock.dll 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  ProviderId  0x409d05229e7ecf11ae5a00aa00a7112b 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  StoresServiceClassInfo 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  SupportedNameSpace  12 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  Version 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  DisplayString  NTDS 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  Enabled 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  LibraryPath  %SystemRoot%\​System32\​winrnr.dll 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  ProviderId  0xee37263b80e5cf11a55500c04fd8d4ac 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  StoresServiceClassInfo 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  SupportedNameSpace  32 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  Version 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  DisplayString  Network Location Awareness (NLA) Namespace 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  Enabled 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  LibraryPath  %SystemRoot%\​System32\​mswsock.dll 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  ProviderId  0x3a244266a83ba64abaa52e0bd71fdd83 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  StoresServiceClassInfo 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  SupportedNameSpace  15 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  Version 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9  Next_Catalog_Entry_ID  1020 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9  Num_Catalog_Entries  13 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9  Serial_Access_Num 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000001  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000002  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000003  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000004  PackedCatalogItem  %SystemRoot%\​system32\​rsvpsp.d 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000005  PackedCatalogItem  %SystemRoot%\​system32\​rsvpsp.d 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000006  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000007  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000008  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000009  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000010  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000011  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000012  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000013  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  AppData  %USERPROFILE%\​Application Data 

  - Monitored Registry Keys:  
Key Name Watch subtree Notify Filter Count
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5  Key Change 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9  Key Change 

2.b) 34cd28ef83.exe - File Activities

  - Files Created:  
C:\Documents and Settings\Administrator\Application Data\Eweh
C:\Documents and Settings\Administrator\Application Data\Eweh\guuni.exe
C:\Documents and Settings\Administrator\Application Data\Kyek
C:\Documents and Settings\Administrator\Application Data\Kyek\loafu.are

  - Files Read:  
C:\34cd28ef83.exe
PIPE\lsarpc

  - Files Modified:  
MountPointManager
PIPE\lsarpc

  - Directories Created:  
C:\Documents and Settings\Administrator\Application Data\Eweh
C:\Documents and Settings\Administrator\Application Data\Kyek

  - File System Control Communication:  
File Control Code Times
C:\Program Files\Common Files\  0x00090028 
PIPE\lsarpc  0x0011C017  11 

  - Device Control Communication:  
File Control Code Times
\Device\KsecDD  0x00390008 
C:  0x004D0008 
MountPointManager  0x006D0008 

  - Memory Mapped Files:  
File Name
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\WININET.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\comctl32.dll


International Secure Systems Lab
Vienna University of Technology, Eurecom France, UC Santa Barbara
Contact: anubis@iseclab.org