NoVirusThanks Automated Malware Analyzer (Preview)

We are working on a free online automated malware analyzer; below are a few example reports generated by the sandbox from malware samples captured in the wild. We capture every URL requested by the malware and every new file dropped to disk, and we use Driver Radar Pro to block the loading of unknown kernel-mode drivers (rootkits?) and to copy kernel drivers into a custom folder before they are loaded.

TR/PSW.Zbot.2864 (f691ac38366149ac2f077bea304130aa):

Directory Created - %SAMPLE% - %AppData%\Aveni
Directory Created - %SAMPLE% - %AppData%\Lele
File Created - %SAMPLE% - %AppData%\Aveni\tyomw.exe - 56B6F09EDA75D2B1A23CAEAC3DF74C60 - 145920 bytes - attr: [] - PE
Process Created - %SAMPLE% - %AppData%\Aveni\tyomw.exe - Mozilla Foundation - 56B6F09EDA75D2B1A23CAEAC3DF74C60 - 145920 bytes
Connection Established - C:\WINDOWS\Explorer.EXE - TCP - 74.208.244.213 - 80
Web Request - C:\WINDOWS\Explorer.EXE - GET - s350098374.onlinehome.us - /mys.ini
File Modified - %SAMPLE% - %AppData%\IMPOST~1\Temp\tmp11b6b034.bat
File Created - %SAMPLE% - %Temp%\tmp11b6b034.bat - 30C730774F4E9A61E2055DD34D8DCAD6 - 244 bytes - attr: [-normal] - -
Process Created - %SAMPLE% - C:\WINDOWS\system32\cmd.exe - Microsoft Corporation - 94744851B6A9BDCEFCD26CC61A6AFD12 - 397824 bytes
File Deleted - C:\WINDOWS\system32\cmd.exe - %SAMPLE% - 145920 bytes
File Deleted - C:\WINDOWS\system32\cmd.exe - %AppData%\IMPOST~1\Temp\TMP11B~1.BAT - 244 bytes

TR/VBKrypt.dioe (e7cf4d8e210cafcb5b45c92f9e0a547f):

Process Created - %SAMPLE% - %SAMPLE% - K6Gwdrq - E7CF4D8E210CAFCB5B45C92F9E0A547F - 188416 bytes
File Modified - %SAMPLE% - %AppData%\IMPOST~1\Temp\1.tmp
File Created - %SAMPLE% - %Temp%\1.tmp - 75A0AECC55A3F0B9E2D54119FA4AAB6D - 729600 bytes - attr: [] - PE
File Deleted - %SAMPLE% - %AppData%\IMPOST~1\Temp\1.tmp - 729600 bytes
File Modified - %SAMPLE% - %AppData%\IMPOST~1\Temp\2.tmp
File Created - %SAMPLE% - %Temp%\2.tmp - FEB3CC200749FF119BB8B08224A1A594 - 1027584 bytes - attr: [] - PE
File Deleted - %SAMPLE% - %AppData%\IMPOST~1\Temp\2.tmp - 1027584 bytes
Process Created - %SAMPLE% - C:\WINDOWS\explorer.exe - Microsoft Corporation - 178D42BD8FC34A9837417A6CE1D6BB7B - 1034752 bytes
File Created - %SAMPLE% - %Temp%\6.tmp - E7CF4D8E210CAFCB5B45C92F9E0A547F - 188416 bytes - attr: [] - PE
File Modified - C:\WINDOWS\Explorer.EXE - %UserProfile%\Menu Avvio\Programmi\Esecuzione automatica\igfxtray.exe
File Deleted - C:\WINDOWS\Explorer.EXE - %AppData%\IMPOST~1\Temp\6.tmp - 188416 bytes
File Deleted - C:\WINDOWS\Explorer.EXE - %SAMPLE% - 188416 bytes
Connection Established - C:\WINDOWS\system32\svchost.exe - TCP - 212.48.8.140 - 80
Web Request - C:\WINDOWS\system32\svchost.exe - GET - fastsearchportal.org - /cfg/stopav.psd
Web Request - C:\WINDOWS\system32\svchost.exe - GET - fastsearchportal.org - /cfg/passw.psd
Web Request - C:\WINDOWS\system32\svchost.exe - POST - fastsearchportal.org - /jjxndu.phtml
Web Request - C:\WINDOWS\system32\svchost.exe - POST - fastsearchportal.org - /ffzbyorxrn.7z

Worm/Ainslot.A.951 (b88b24c0e103f5adda30912f8365472f):

Process Created - %SAMPLE% - %SAMPLE% - Ares Development Group - B88B24C0E103F5ADDA30912F8365472F - 516096 bytes
File Modified - %SAMPLE% - %AppData%\Bedifender.exe
File Created - %SAMPLE% - %AppData%\Bedifender.exe - B88B24C0E103F5ADDA30912F8365472F - 516096 bytes - attr: [] - PE
Process Created - %SAMPLE% - C:\WINDOWS\system32\cmd.exe - Microsoft Corporation - 94744851B6A9BDCEFCD26CC61A6AFD12 - 397824 bytes
Connection Established - %SAMPLE% - TCP - 41.140.168.39 - 123
Process Created - C:\WINDOWS\system32\cmd.exe - C:\WINDOWS\system32\reg.exe - Microsoft Corporation - BBECF085EE79726B5B7F95FDDA46B2F5 - 53248 bytes
Connection Established - %SAMPLE% - TCP - 67.212.77.13 - 80
Web Request - %SAMPLE% - GET - api.ipinfodb.com - /v2/ip_query_country.php?key=1d1bb511aed00402daada8d8706f74b477e3172d0ca020deab3b43c16441a73d&timezone=off

IRC/Zapchast.AI (ab1dfcf2defb1fcae95e441aa32c5b73):

Directory Created - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500
File Created - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\popups.txt - B9408AF4FBD695E8B022AD8289185D63 - 2601 bytes - attr: [] - -
File Created - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\mirc.ico - E09AA9787AF5CC53FD7525DD6693CF10 - 5694 bytes - attr: [] - -
File Modified - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\csrss.exe
File Created - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\csrss.exe - DEF8C81AF6B9ECA2309B735BFF710AAF - 593262 bytes - attr: [] - PE
File Modified - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\sup.exe
File Modified - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\instsrv.exe
Process Created - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\sup.exe - Unknown Publisher - 8ECF1B30F5FBB12A2FE138364D351A26 - 149742 bytes
File Modified - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\svchost.exe
Process Created - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\sup.exe - Unknown Publisher - 8ECF1B30F5FBB12A2FE138364D351A26 - 149742 bytes
File Modified - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\sup.exe - %AppData%\IMPOST~1\Temp\bt4023.bat
File Created - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\sup.exe - 8ECF1B30F5FBB12A2FE138364D351A26 - 149742 bytes - attr: [] - PE
File Created - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\instsrv.exe - 9F7ACAAD365AF0D1A3CD9261E3208B9B - 32256 bytes - attr: [] - PE
File Created - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\a.reg - 5EE7FE7E4463ECABDB6236033D2C3A05 - 556 bytes - attr: [] - -
File Created - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\svchost.exe - 4635935FC972C582632BF45C26BFCB0E - 8192 bytes - attr: [] - PE
File Created - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\fullname.txt - C509DF67FE3B38FBED191B382B9D3D16 - 23250 bytes - attr: [] - -
File Created - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\sup.exe - %Temp%\bt4023.bat - DF6887D17E2C9912E637347EC7CA20B5 - 220 bytes - attr: [-hidden] - -
Process Created - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\sup.exe - C:\WINDOWS\system32\cmd.exe - Microsoft Corporation - 94744851B6A9BDCEFCD26CC61A6AFD12 - 397824 bytes
Process Created - C:\WINDOWS\system32\cmd.exe - C:\WINDOWS\system32\net.exe - Microsoft Corporation - 5A35852FCADAFCC846AF01020AF1B60C - 42496 bytes
Process Created - C:\WINDOWS\system32\net.exe - C:\WINDOWS\system32\net1.exe - Microsoft Corporation - 0B01298512B628AC862A0DFF586624EE - 124928 bytes
Process Created - C:\WINDOWS\system32\cmd.exe - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\instsrv.exe - Unknown Publisher - 9F7ACAAD365AF0D1A3CD9261E3208B9B - 32256 bytes
Process Created - C:\WINDOWS\system32\cmd.exe - C:\WINDOWS\regedit.exe - Microsoft Corporation - 2452458A26C4DD00E68F060870317675 - 151552 bytes
Process Created - C:\WINDOWS\system32\cmd.exe - C:\WINDOWS\system32\net.exe - Microsoft Corporation - 5A35852FCADAFCC846AF01020AF1B60C - 42496 bytes
Process Created - C:\WINDOWS\system32\net.exe - C:\WINDOWS\system32\net1.exe - Microsoft Corporation - 0B01298512B628AC862A0DFF586624EE - 124928 bytes
Process Created - C:\WINDOWS\system32\services.exe - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\svchost.exe - Unknown Publisher - 4635935FC972C582632BF45C26BFCB0E - 8192 bytes
Process Created - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\svchost.exe - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\csrss.exe - Unknown Publisher - DEF8C81AF6B9ECA2309B735BFF710AAF - 593262 bytes
Directory Created - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\csrss.exe - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\download
Process Created - C:\WINDOWS\system32\svchost.exe - C:\WINDOWS\msagent\agentsvr.exe - Microsoft Corporation - 5FE50F378415EF5F0663BC4FF51878A1 - 256512 bytes
File Created - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\csrss.exe - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\TMP1.$$$ - NOTHING TO HASH - 0 bytes - attr: [] - -
Connection Established - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\csrss.exe - TCP - 94.125.182.255 - 6667
File Deleted - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\sup.exe - %AppData%\IMPOST~1\Temp\bt4023.bat - 220 bytes
Connection Established - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\csrss.exe - TCP - 72.10.160.204 - 6667

TR/Dropper.Gen (db00bf4a32c4834315106fe8c20b82db):

Process Created - %SAMPLE% - %SAMPLE% - Unknown Publisher - DB00BF4A32C4834315106FE8C20B82DB - 188416 bytes
File Modified - %SAMPLE% - C:\WINDOWS\system32\sdra64.exe
Directory Created - C:\WINDOWS\system32\winlogon.exe - C:\WINDOWS\system32\lowsec
Connection Established - C:\WINDOWS\system32\svchost.exe - TCP - 209.190.61.39 - 80
Web Request - C:\WINDOWS\system32\svchost.exe - GET - lsrgta.com - /farmfres/cfg.bin
Web Request - C:\WINDOWS\system32\svchost.exe - GET - lsrgta.com - /cgi-sys/suspendedpage.cgi
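The reports above are plain `Event - Actor - Target - ...` lines, so they are easy to turn into an indicator list. The following parser is an added example, not NoVirusThanks' own code: the per-event field layout is inferred from the sample reports on this page, the input is a constructed mix of lines copied from the Zbot, VBKrypt and Zapchast reports, and the mapping of `%AppData%\IMPOST~1\Temp\` onto `%Temp%\` is an assumption drawn from the paired "File Modified"/"File Created" lines in those reports. It extracts dropped PE files with their MD5s, network endpoints, web requests and a parent/child process map, and flags two dropper traits visible in the reports: staging files that are created and then deleted, and a sample that deletes itself through cmd.exe.

```python
"""Parser for the line-oriented sandbox report format shown above.
Added example, not the analyzer's own code; field layout per event type is
inferred from the sample reports on the page."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed input: lines copied from the Zbot, VBKrypt and Zapchast reports above.
SAMPLE_REPORT = r"""
Directory Created - %SAMPLE% - %AppData%\Aveni
File Created - %SAMPLE% - %AppData%\Aveni\tyomw.exe - 56B6F09EDA75D2B1A23CAEAC3DF74C60 - 145920 bytes - attr: [] - PE
Process Created - %SAMPLE% - %AppData%\Aveni\tyomw.exe - Mozilla Foundation - 56B6F09EDA75D2B1A23CAEAC3DF74C60 - 145920 bytes
Connection Established - C:\WINDOWS\Explorer.EXE - TCP - 74.208.244.213 - 80
Web Request - C:\WINDOWS\Explorer.EXE - GET - s350098374.onlinehome.us - /mys.ini
Process Created - %SAMPLE% - C:\WINDOWS\system32\cmd.exe - Microsoft Corporation - 94744851B6A9BDCEFCD26CC61A6AFD12 - 397824 bytes
File Deleted - C:\WINDOWS\system32\cmd.exe - %SAMPLE% - 145920 bytes
File Created - %SAMPLE% - %Temp%\1.tmp - 75A0AECC55A3F0B9E2D54119FA4AAB6D - 729600 bytes - attr: [] - PE
File Deleted - %SAMPLE% - %AppData%\IMPOST~1\Temp\1.tmp - 729600 bytes
File Created - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\csrss.exe - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\TMP1.$$$ - NOTHING TO HASH - 0 bytes - attr: [] - -
"""

SEP = " - "
SAMPLE_TOKEN = "%SAMPLE%"


@dataclass
class Event:
    kind: str     # e.g. "File Created"
    actor: str    # process that performed the action
    fields: list  # remaining fields; their meaning depends on kind


@dataclass
class Iocs:
    dropped: dict = field(default_factory=dict)      # normalized path -> md5 (None when "NOTHING TO HASH")
    dropped_pe: dict = field(default_factory=dict)   # subset of dropped the sandbox flagged as PE
    deleted: set = field(default_factory=set)        # normalized paths deleted during the run
    endpoints: set = field(default_factory=set)      # (ip, port)
    requests: set = field(default_factory=set)       # (method, host, path)
    children: dict = field(default_factory=lambda: defaultdict(list))  # parent image -> [child images]


def normalize_path(path: str) -> str:
    """Case-fold and collapse the two spellings the reports use for the user's
    Temp directory (assumption drawn from the paired lines in the reports)."""
    p = path.lower()
    alias = "%appdata%\\impost~1\\temp\\"
    if p.startswith(alias):
        p = "%temp%\\" + p[len(alias):]
    return p


def parse_line(line: str) -> Event:
    parts = line.split(SEP)
    if len(parts) < 3:
        raise ValueError(f"not a report line: {line!r}")
    return Event(kind=parts[0], actor=parts[1], fields=parts[2:])


def parse_report(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def extract_iocs(events) -> Iocs:
    iocs = Iocs()
    for ev in events:
        f = ev.fields
        if ev.kind == "File Created":
            # path, md5, "<n> bytes", "attr: [...]", "PE" or "-"
            if len(f) < 5:
                raise ValueError(f"short File Created record: {f}")
            path, md5, _size, _attr, ftype = f[:5]
            key = normalize_path(path)
            iocs.dropped[key] = None if md5 == "NOTHING TO HASH" else md5
            if ftype == "PE":
                iocs.dropped_pe[key] = iocs.dropped[key]
        elif ev.kind == "File Deleted":
            # path, "<n> bytes"
            iocs.deleted.add(normalize_path(f[0]))
        elif ev.kind == "Process Created":
            # child image, publisher, md5, "<n> bytes"
            iocs.children[normalize_path(ev.actor)].append(normalize_path(f[0]))
        elif ev.kind == "Connection Established":
            # protocol, ip, port
            iocs.endpoints.add((f[1], int(f[2])))
        elif ev.kind == "Web Request":
            # method, host, path
            iocs.requests.add((f[0], f[1], f[2]))
    return iocs


def transient_files(iocs: Iocs) -> set:
    """Files both dropped and deleted during the run: staging artefacts a
    dropper cleans up, so they must be hashed while they exist."""
    return set(iocs.dropped) & iocs.deleted


def self_deleted(iocs: Iocs) -> bool:
    """True when the submitted sample itself is deleted during the run."""
    return normalize_path(SAMPLE_TOKEN) in iocs.deleted


if __name__ == "__main__":
    summary = extract_iocs(parse_report(SAMPLE_REPORT))
    print("dropped PE:", summary.dropped_pe)
    print("endpoints:", summary.endpoints)
    print("requests:", summary.requests)
    print("process map:", dict(summary.children))
    print("transient:", transient_files(summary), "self-deleted:", self_deleted(summary))
```

Two details worth keeping in mind when scaling this up: the reports spell the same Temp directory two ways and also use 8.3 short names (`TMP11B~1.BAT`), so matching created files against deleted ones needs path normalization beyond the single alias handled here; and a zero-byte file is reported as "NOTHING TO HASH", which the parser keeps as `None` rather than treating the literal as a hash.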
