Anubis - Analysis Report

Analysis Report for Dis-Oriented.exe


Summary:

Description Risk
Performs File Modification and Destruction: The executable modifies and destroys files which are not temporary. high
Performs Registry Activities: The executable reads and modifies registry values. It may also create and monitor registry keys. low


Table of Contents


1. General Information

  - Information about Anubis' invocation  
Time needed: 55 s 
Report created: 12/07/08, 03:13:32 
Termination reason: All tracked processes have exited 
Program version: 1.65.0 

2. sample.exe

  - General information about this executable  
Analysis Reason: Primary Analysis Subject 
Filename: sample.exe 
MD5: b8db355635ba14b2c78d2b5f98e4ee3d 
SHA-1: 9f98041cb71ed6bb6fd3a209bfc7e805994bc181 
File Size: 231294 Bytes
Command Line: "C:\sample.exe" 
Process-status at analysis end: dead 
Exit Code:

  - Load-time Dlls  
Module Name Base Address Size
C:\WINDOWS\system32\ntdll.dll  0x7C900000  0x000AF000
C:\WINDOWS\system32\kernel32.dll  0x7C800000  0x000F6000
C:\WINDOWS\system32\advapi32.dll  0x77DD0000  0x0009B000
C:\WINDOWS\system32\RPCRT4.dll  0x77E70000  0x00092000
C:\WINDOWS\system32\Secur32.dll  0x77FE0000  0x00011000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll  0x773D0000  0x00103000
C:\WINDOWS\system32\msvcrt.dll  0x77C10000  0x00058000
C:\WINDOWS\system32\GDI32.dll  0x77F10000  0x00049000
C:\WINDOWS\system32\USER32.dll  0x7E410000  0x00091000
C:\WINDOWS\system32\SHLWAPI.dll  0x77F60000  0x00076000
C:\WINDOWS\system32\comdlg32.dll  0x763B0000  0x00049000
C:\WINDOWS\system32\SHELL32.dll  0x7C9C0000  0x00817000
C:\WINDOWS\system32\IMAGEHLP.DLL  0x76C90000  0x00028000
C:\WINDOWS\system32\oleaut32.dll  0x77120000  0x0008B000
C:\WINDOWS\system32\ole32.dll  0x774E0000  0x0013D000
C:\WINDOWS\system32\version.dll  0x77C00000  0x00008000
C:\WINDOWS\system32\IMM32.DLL  0x76390000  0x0001D000

  - Run-time Dlls  
Module Name Base Address Size
C:\WINDOWS\system32\uxtheme.dll  0x5AD70000  0x00038000
C:\WINDOWS\system32\MSCTF.dll  0x74720000  0x0004C000
C:\WINDOWS\system32\msctfime.ime  0x755C0000  0x0002E000

  - SigBuster Output  
UPX All_Versions SN:1634

  - Popups  
Window Name Window Text Screenshot Number of Displayed Times
Dis-Oriented   0 About Start Game   screenshot

2.a) sample.exe - Registry Activities

  - Registry Values Read:  
Key Name Value Times
HKLM\SOFTWARE\Microsoft\CTF\SystemShared\  CUAS
HKLM\Software\Microsoft\CTF\SystemShared  CUAS
HKLM\Software\Microsoft\Windows NT\CurrentVersion\IMM  Ime File  msctfime.ime
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName  ComputerName  USER

2.b) sample.exe - File Activities

  - Files Read:  
C:\sample.exe
PIPE\lsarpc

  - Files Modified:  
PIPE\lsarpcinfo

  - File System Control Communication:  
File Control Code Times
PIPE\lsarpc  0x0011C017 

  - Memory Mapped Files:  
File Name
C:\WINDOWS\system32\MSCTF.dll
C:\WINDOWS\system32\Msimtf.dll
C:\WINDOWS\system32\msctfime.ime
C:\WINDOWS\system32\uxtheme.dll

2.c) sample.exe - Process Activities

  - Thread Overview:  
Time Number of threads
After 20 seconds
After 55 seconds

2.d) sample.exe - Other Activities

  - Mutexes Created:  
CTF.Asm.MutexDefaultS-1-5-21-1229272821-1004336348-527237240-1003
CTF.Compart.MutexDefaultS-1-5-21-1229272821-1004336348-527237240-1003
CTF.LBES.MutexDefaultS-1-5-21-1229272821-1004336348-527237240-1003
CTF.Layouts.MutexDefaultS-1-5-21-1229272821-1004336348-527237240-1003
CTF.TMD.MutexDefaultS-1-5-21-1229272821-1004336348-527237240-1003
CTF.TimListCache.FMPDefaultS-1-5-21-1229272821-1004336348-527237240-1003MUTEX.DefaultS-1-5-21-1229272821-1004336348-527237240-1003
MSCTF.Shared.MUTEX.AGC

  - Keyboard Keys Monitored:  
Virtual Key Code Times
undefined (0) 
VK_LBUTTON (1) 
VK_RBUTTON (2) 
VK_CANCEL (3) 
VK_MBUTTON (4) 
VK_XBUTTON1 (5) 
VK_XBUTTON2 (6) 
undefined (7) 
VK_BACK (8) 
VK_TAB (9) 
undefined (10) 
undefined (11) 
VK_CLEAR (12) 
VK_RETURN (13) 
undefined (14) 
undefined (15) 
VK_SHIFT (16) 
VK_CONTROL (17) 
VK_MENU (18) 
VK_PAUSE (19) 
VK_CAPITAL (20) 
VK_HANGUL (21) 
undefined (22) 
VK_JUNJA (23) 
VK_FINAL (24) 
VK_KANJI (25) 
undefined (26) 
VK_ESCAPE (27) 
VK_CONVERT (28) 
VK_NONCONVERT (29) 
VK_ACCEPT (30) 
VK_MODECHANGE (31) 
VK_SPACE (32) 
VK_PRIOR (33) 
VK_NEXT (34) 
VK_END (35) 
VK_HOME (36) 
VK_LEFT (37) 
VK_UP (38) 
VK_RIGHT (39) 
VK_DOWN (40) 
VK_SELECT (41) 
VK_PRINT (42) 
VK_EXECUTE (43) 
VK_SNAPSHOT (44) 
VK_INSERT (45) 
VK_DELETE (46) 
VK_HELP (47) 
VK_0 (48) 
VK_1 (49) 
VK_2 (50) 
VK_3 (51) 
VK_4 (52) 
VK_5 (53) 
VK_6 (54) 
VK_7 (55) 
VK_8 (56) 
VK_9 (57) 
undefined (58) 
undefined (59) 
undefined (60) 
undefined (61) 
undefined (62) 
undefined (63) 
undefined (64) 
VK_A (65) 
VK_B (66) 
VK_C (67) 
VK_D (68) 
VK_E (69) 
VK_F (70) 
VK_G (71) 
VK_H (72) 
VK_I (73) 
VK_J (74) 
VK_K (75) 
VK_L (76) 
VK_M (77) 
VK_N (78) 
VK_O (79) 
VK_P (80) 
VK_Q (81) 
VK_R (82) 
VK_S (83) 
VK_T (84) 
VK_U (85) 
VK_V (86) 
VK_W (87) 
VK_X (88) 
VK_Y (89) 
VK_Z (90) 
VK_LWIN (91) 
VK_RWIN (92) 
VK_APPS (93) 
undefined (94) 
VK_SLEEP (95) 
VK_NUMPAD0 (96) 
VK_NUMPAD1 (97) 
VK_NUMPAD2 (98) 
VK_NUMPAD3 (99) 
VK_NUMPAD4 (100) 
VK_NUMPAD5 (101) 
VK_NUMPAD6 (102) 
VK_NUMPAD7 (103) 
VK_NUMPAD8 (104) 
VK_NUMPAD9 (105) 
VK_MULTIPLY (106) 
VK_ADD (107) 
VK_SEPARATOR (108) 
VK_SUBTRACT (109) 
VK_DECIMAL (110) 
VK_DIVIDE (111) 
VK_F1 (112) 
VK_F2 (113) 
VK_F3 (114) 
VK_F4 (115) 
VK_F5 (116) 
VK_F6 (117) 
VK_F7 (118) 
VK_F8 (119) 
VK_F9 (120) 
VK_F10 (121) 
VK_F11 (122) 
VK_F12 (123) 
VK_F13 (124) 
VK_F14 (125) 
VK_F15 (126) 
VK_F16 (127) 
VK_F17 (128) 
VK_F18 (129) 
VK_F19 (130) 
VK_F20 (131) 
VK_F21 (132) 
VK_F22 (133) 
VK_F23 (134) 
VK_F24 (135) 
undefined (136) 
undefined (137) 
undefined (138) 
undefined (139) 
undefined (140) 
undefined (141) 
undefined (142) 
undefined (143) 
VK_NUMLOCK (144) 
VK_SCROLL (145) 
undefined (146) 
undefined (147) 
undefined (148) 
undefined (149) 
undefined (150) 
undefined (151) 
undefined (152) 
undefined (153) 
undefined (154) 
undefined (155) 
undefined (156) 
undefined (157) 
undefined (158) 
undefined (159) 
VK_LSHIFT (160) 
VK_RSHIFT (161) 
VK_LCONTROL (162) 
VK_RCONTROL (163) 
VK_LMENU (164) 
VK_RMENU (165) 
VK_BROWSER_BACK (166) 
VK_BROWSER_FORWARD (167) 
VK_BROWSER_REFRESH (168) 
VK_BROWSER_STOP (169) 
VK_BROWSER_SEARCH (170) 
VK_BROWSER_FAVORITES (171) 
VK_BROWSER_HOME (172) 
VK_VOLUME_MUTE (173) 
VK_VOLUME_DOWN (174) 
VK_VOLUME_UP (175) 
VK_MEDIA_NEXT_TRACK (176) 
VK_MEDIA_PREV_TRACK (177) 
VK_MEDIA_STOP (178) 
VK_MEDIA_PLAY_PAUSE (179) 
VK_LAUNCH_MAIL (180) 
VK_LAUNCH_MEDIA_SELECT (181) 
VK_LAUNCH_APP1 (182) 
VK_LAUNCH_APP2 (183) 
undefined (184) 
undefined (185) 
VK_OEM_1 (186) 
VK_OEM_PLUS (187) 
VK_OEM_COMMA (188) 
VK_OEM_MINUS (189) 
VK_OEM_PERIOD (190) 
VK_OEM_2 (191) 
VK_OEM_3 (192) 
undefined (193) 
undefined (194) 
undefined (195) 
undefined (196) 
undefined (197) 
undefined (198) 
undefined (199) 
undefined (200) 
undefined (201) 
undefined (202) 
undefined (203) 
undefined (204) 
undefined (205) 
undefined (206) 
undefined (207) 
undefined (208) 
undefined (209) 
undefined (210) 
undefined (211) 
undefined (212) 
undefined (213) 
undefined (214) 
undefined (215) 
undefined (216) 
undefined (217) 
undefined (218) 
VK_OEM_4 (219) 
VK_OEM_5 (220) 
VK_OEM_6 (221) 
VK_OEM_7 (222) 
VK_OEM_8 (223) 
undefined (224) 
undefined (225) 
VK_OEM_102 (226) 
undefined (227) 
undefined (228) 
VK_PROCESSKEY (229) 
undefined (230) 
VK_PACKET (231) 
undefined (232) 
undefined (233) 
undefined (234) 
undefined (235) 
undefined (236) 
undefined (237) 
undefined (238) 
undefined (239) 
undefined (240) 
undefined (241) 
undefined (242) 
undefined (243) 
undefined (244) 
undefined (245) 
VK_ATTN (246) 
VK_CRSEL (247) 
VK_EXSEL (248) 
VK_EREOF (249) 
VK_PLAY (250) 
VK_ZOOM (251) 
VK_NONAME (252) 
VK_PA1 (253) 
VK_OEM_CLEAR (254) 
undefined (255) 


International Secure Systems Lab
Vienna University of Technology, Eurecom France, UC Santa Barbara
Contact: anubis@iseclab.org