NoVirusThanks Automated Malware Analyzer (Preview)
We are working on a free online automated malware analyzer; here are a few example reports generated by the sandbox from malware samples captured in the wild. We record every URL the malware requests and every new file it drops on disk, and we use Driver Radar Pro to block the loading of unknown kernel-mode drivers (rootkits?) and to capture kernel drivers in a custom folder before they are loaded. Each report line is one event: the event type, the process that caused it, and the target (a directory; a file with its MD5, size, attributes and whether it is a PE; a child process with its publisher, MD5 and size; a remote IP and port; or a requested host and path). %SAMPLE% is the analyzed sample. The sandbox runs an Italian-locale Windows, so %AppData%\IMPOST~1\Temp is Impostazioni locali\Temp (Local Settings\Temp, the same directory as %Temp%) and Menu Avvio\Programmi\Esecuzione automatica is the Start Menu Startup folder.
TR/PSW.Zbot.2864 (f691ac38366149ac2f077bea304130aa):
Directory Created - %SAMPLE% - %AppData%\Aveni
Directory Created - %SAMPLE% - %AppData%\Lele
File Created - %SAMPLE% - %AppData%\Aveni\tyomw.exe - 56B6F09EDA75D2B1A23CAEAC3DF74C60 - 145920 bytes - attr: [] - PE
Process Created - %SAMPLE% - %AppData%\Aveni\tyomw.exe - Mozilla Foundation - 56B6F09EDA75D2B1A23CAEAC3DF74C60 - 145920 bytes
Connection Established - C:\WINDOWS\Explorer.EXE - TCP - 74.208.244.213 - 80
Web Request - C:\WINDOWS\Explorer.EXE - GET - s350098374.onlinehome.us - /mys.ini
File Modified - %SAMPLE% - %AppData%\IMPOST~1\Temp\tmp11b6b034.bat
File Created - %SAMPLE% - %Temp%\tmp11b6b034.bat - 30C730774F4E9A61E2055DD34D8DCAD6 - 244 bytes - attr: [-normal] - -
Process Created - %SAMPLE% - C:\WINDOWS\system32\cmd.exe - Microsoft Corporation - 94744851B6A9BDCEFCD26CC61A6AFD12 - 397824 bytes
File Deleted - C:\WINDOWS\system32\cmd.exe - %SAMPLE% - 145920 bytes
File Deleted - C:\WINDOWS\system32\cmd.exe - %AppData%\IMPOST~1\Temp\TMP11B~1.BAT - 244 bytes
TR/VBKrypt.dioe (e7cf4d8e210cafcb5b45c92f9e0a547f):
Process Created - %SAMPLE% - %SAMPLE% - K6Gwdrq - E7CF4D8E210CAFCB5B45C92F9E0A547F - 188416 bytes
File Modified - %SAMPLE% - %AppData%\IMPOST~1\Temp\1.tmp
File Created - %SAMPLE% - %Temp%\1.tmp - 75A0AECC55A3F0B9E2D54119FA4AAB6D - 729600 bytes - attr: [] - PE
File Deleted - %SAMPLE% - %AppData%\IMPOST~1\Temp\1.tmp - 729600 bytes
File Modified - %SAMPLE% - %AppData%\IMPOST~1\Temp\2.tmp
File Created - %SAMPLE% - %Temp%\2.tmp - FEB3CC200749FF119BB8B08224A1A594 - 1027584 bytes - attr: [] - PE
File Deleted - %SAMPLE% - %AppData%\IMPOST~1\Temp\2.tmp - 1027584 bytes
Process Created - %SAMPLE% - C:\WINDOWS\explorer.exe - Microsoft Corporation - 178D42BD8FC34A9837417A6CE1D6BB7B - 1034752 bytes
File Created - %SAMPLE% - %Temp%\6.tmp - E7CF4D8E210CAFCB5B45C92F9E0A547F - 188416 bytes - attr: [] - PE
File Modified - C:\WINDOWS\Explorer.EXE - %UserProfile%\Menu Avvio\Programmi\Esecuzione automatica\igfxtray.exe
File Deleted - C:\WINDOWS\Explorer.EXE - %AppData%\IMPOST~1\Temp\6.tmp - 188416 bytes
File Deleted - C:\WINDOWS\Explorer.EXE - %SAMPLE% - 188416 bytes
Connection Established - C:\WINDOWS\system32\svchost.exe - TCP - 212.48.8.140 - 80
Web Request - C:\WINDOWS\system32\svchost.exe - GET - fastsearchportal.org - /cfg/stopav.psd
Web Request - C:\WINDOWS\system32\svchost.exe - GET - fastsearchportal.org - /cfg/passw.psd
Web Request - C:\WINDOWS\system32\svchost.exe - POST - fastsearchportal.org - /jjxndu.phtml
Web Request - C:\WINDOWS\system32\svchost.exe - POST - fastsearchportal.org - /ffzbyorxrn.7z
Worm/Ainslot.A.951 (b88b24c0e103f5adda30912f8365472f):
Process Created - %SAMPLE% - %SAMPLE% - Ares Development Group - B88B24C0E103F5ADDA30912F8365472F - 516096 bytes
File Modified - %SAMPLE% - %AppData%\Bedifender.exe
File Created - %SAMPLE% - %AppData%\Bedifender.exe - B88B24C0E103F5ADDA30912F8365472F - 516096 bytes - attr: [] - PE
Process Created - %SAMPLE% - C:\WINDOWS\system32\cmd.exe - Microsoft Corporation - 94744851B6A9BDCEFCD26CC61A6AFD12 - 397824 bytes
Connection Established - %SAMPLE% - TCP - 41.140.168.39 - 123
Process Created - C:\WINDOWS\system32\cmd.exe - C:\WINDOWS\system32\reg.exe - Microsoft Corporation - BBECF085EE79726B5B7F95FDDA46B2F5 - 53248 bytes
Connection Established - %SAMPLE% - TCP - 67.212.77.13 - 80
Web Request - %SAMPLE% - GET - api.ipinfodb.com - /v2/ip_query_country.php?key=1d1bb511aed00402daada8d8706f74b477e3172d0ca020deab3b43c16441a73d&timezone=off
IRC/Zapchast.AI (ab1dfcf2defb1fcae95e441aa32c5b73):
Directory Created - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500
File Created - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\popups.txt - B9408AF4FBD695E8B022AD8289185D63 - 2601 bytes - attr: [] - -
File Created - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\mirc.ico - E09AA9787AF5CC53FD7525DD6693CF10 - 5694 bytes - attr: [] - -
File Modified - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\csrss.exe
File Created - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\csrss.exe - DEF8C81AF6B9ECA2309B735BFF710AAF - 593262 bytes - attr: [] - PE
File Modified - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\sup.exe
File Modified - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\instsrv.exe
Process Created - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\sup.exe - Unknown Publisher - 8ECF1B30F5FBB12A2FE138364D351A26 - 149742 bytes
File Modified - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\svchost.exe
Process Created - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\sup.exe - Unknown Publisher - 8ECF1B30F5FBB12A2FE138364D351A26 - 149742 bytes
File Modified - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\sup.exe - %AppData%\IMPOST~1\Temp\bt4023.bat
File Created - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\sup.exe - 8ECF1B30F5FBB12A2FE138364D351A26 - 149742 bytes - attr: [] - PE
File Created - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\instsrv.exe - 9F7ACAAD365AF0D1A3CD9261E3208B9B - 32256 bytes - attr: [] - PE
File Created - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\a.reg - 5EE7FE7E4463ECABDB6236033D2C3A05 - 556 bytes - attr: [] - -
File Created - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\svchost.exe - 4635935FC972C582632BF45C26BFCB0E - 8192 bytes - attr: [] - PE
File Created - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\fullname.txt - C509DF67FE3B38FBED191B382B9D3D16 - 23250 bytes - attr: [] - -
File Created - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\sup.exe - %Temp%\bt4023.bat - DF6887D17E2C9912E637347EC7CA20B5 - 220 bytes - attr: [-hidden] - -
Process Created - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\sup.exe - C:\WINDOWS\system32\cmd.exe - Microsoft Corporation - 94744851B6A9BDCEFCD26CC61A6AFD12 - 397824 bytes
Process Created - C:\WINDOWS\system32\cmd.exe - C:\WINDOWS\system32\net.exe - Microsoft Corporation - 5A35852FCADAFCC846AF01020AF1B60C - 42496 bytes
Process Created - C:\WINDOWS\system32\net.exe - C:\WINDOWS\system32\net1.exe - Microsoft Corporation - 0B01298512B628AC862A0DFF586624EE - 124928 bytes
Process Created - C:\WINDOWS\system32\cmd.exe - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\instsrv.exe - Unknown Publisher - 9F7ACAAD365AF0D1A3CD9261E3208B9B - 32256 bytes
Process Created - C:\WINDOWS\system32\cmd.exe - C:\WINDOWS\regedit.exe - Microsoft Corporation - 2452458A26C4DD00E68F060870317675 - 151552 bytes
Process Created - C:\WINDOWS\system32\cmd.exe - C:\WINDOWS\system32\net.exe - Microsoft Corporation - 5A35852FCADAFCC846AF01020AF1B60C - 42496 bytes
Process Created - C:\WINDOWS\system32\net.exe - C:\WINDOWS\system32\net1.exe - Microsoft Corporation - 0B01298512B628AC862A0DFF586624EE - 124928 bytes
Process Created - C:\WINDOWS\system32\services.exe - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\svchost.exe - Unknown Publisher - 4635935FC972C582632BF45C26BFCB0E - 8192 bytes
Process Created - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\svchost.exe - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\csrss.exe - Unknown Publisher - DEF8C81AF6B9ECA2309B735BFF710AAF - 593262 bytes
Directory Created - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\csrss.exe - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\download
Process Created - C:\WINDOWS\system32\svchost.exe - C:\WINDOWS\msagent\agentsvr.exe - Microsoft Corporation - 5FE50F378415EF5F0663BC4FF51878A1 - 256512 bytes
File Created - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\csrss.exe - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\TMP1.$$$ - NOTHING TO HASH - 0 bytes - attr: [] - -
Connection Established - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\csrss.exe - TCP - 94.125.182.255 - 6667
File Deleted - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\sup.exe - %AppData%\IMPOST~1\Temp\bt4023.bat - 220 bytes
Connection Established - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\csrss.exe - TCP - 72.10.160.204 - 6667
TR/Dropper.Gen (db00bf4a32c4834315106fe8c20b82db):
Process Created - %SAMPLE% - %SAMPLE% - Unknown Publisher - DB00BF4A32C4834315106FE8C20B82DB - 188416 bytes
File Modified - %SAMPLE% - C:\WINDOWS\system32\sdra64.exe
Directory Created - C:\WINDOWS\system32\winlogon.exe - C:\WINDOWS\system32\lowsec
Connection Established - C:\WINDOWS\system32\svchost.exe - TCP - 209.190.61.39 - 80
Web Request - C:\WINDOWS\system32\svchost.exe - GET - lsrgta.com - /farmfres/cfg.bin
Web Request - C:\WINDOWS\system32\svchost.exe - GET - lsrgta.com - /cgi-sys/suspendedpage.cgi
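A small parser for this report format, added here as an example and not part of the NoVirusThanks analyzer. It splits a report (one event per line, or flattened into a single line as the reports were published) into records using a field layout inferred from the reports above (the sandbox does not document it, so the layout is an assumption), then pulls out what an analyst would want from a run: dropped PE files with their MD5, contacted IP:port pairs, requested host/path pairs, and a few behavioural flags (a dropped PE being executed, IRC port 6667, writes into the Startup folder, the sample deleting itself through cmd.exe). The sample input is a handful of lines taken from the TR/PSW.Zbot and IRC/Zapchast reports above.

```python
import re

# Record types that begin an entry in the report format shown on this page.
EVENT_TYPES = (
    "Directory Created", "File Created", "File Modified", "File Deleted",
    "Process Created", "Connection Established", "Web Request",
)
# Zero-width split: a new record starts wherever an event name is followed
# by " - ", so a flattened report can be cut apart without newlines.
_RECORD_START = re.compile(
    r"(?=(?:" + "|".join(re.escape(e) for e in EVENT_TYPES) + r") - )")
_MD5 = re.compile(r"^[0-9A-Fa-f]{32}$")

# Assumed field layout per event type, inferred from the reports above (the
# sandbox does not document it). The first field is always the acting process.
FIELDS = {
    "Directory Created":      ("process", "path"),
    "File Modified":          ("process", "path"),
    "File Deleted":           ("process", "path", "size"),
    "File Created":           ("process", "path", "md5", "size", "attr", "type"),
    "Process Created":        ("parent", "image", "publisher", "md5", "size"),
    "Connection Established": ("process", "proto", "ip", "port"),
    "Web Request":            ("process", "method", "host", "path"),
}

# Lines taken from the TR/PSW.Zbot and IRC/Zapchast reports on this page.
SAMPLE_REPORT = r"""
Directory Created - %SAMPLE% - %AppData%\Aveni
Directory Created - %SAMPLE% - %AppData%\Lele
File Created - %SAMPLE% - %AppData%\Aveni\tyomw.exe - 56B6F09EDA75D2B1A23CAEAC3DF74C60 - 145920 bytes - attr: [] - PE
Process Created - %SAMPLE% - %AppData%\Aveni\tyomw.exe - Mozilla Foundation - 56B6F09EDA75D2B1A23CAEAC3DF74C60 - 145920 bytes
Connection Established - C:\WINDOWS\Explorer.EXE - TCP - 74.208.244.213 - 80
Web Request - C:\WINDOWS\Explorer.EXE - GET - s350098374.onlinehome.us - /mys.ini
File Modified - %SAMPLE% - %AppData%\IMPOST~1\Temp\tmp11b6b034.bat
File Created - %SAMPLE% - %Temp%\tmp11b6b034.bat - 30C730774F4E9A61E2055DD34D8DCAD6 - 244 bytes - attr: [-normal] - -
Process Created - %SAMPLE% - C:\WINDOWS\system32\cmd.exe - Microsoft Corporation - 94744851B6A9BDCEFCD26CC61A6AFD12 - 397824 bytes
File Deleted - C:\WINDOWS\system32\cmd.exe - %SAMPLE% - 145920 bytes
File Deleted - C:\WINDOWS\system32\cmd.exe - %AppData%\IMPOST~1\Temp\TMP11B~1.BAT - 244 bytes
Connection Established - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\csrss.exe - TCP - 94.125.182.255 - 6667
"""


def parse_report(text):
    """Return a list of {"event": ..., <field>: <value>, ...} dicts.

    Accepts one record per line or the flattened single-line form; the
    trailing "|" seen on the published reports is treated as whitespace.
    """
    flat = re.sub(r"\s+", " ", text.replace("|", " ")).strip()
    records = []
    for chunk in _RECORD_START.split(flat):
        chunk = chunk.strip()
        event = next((e for e in EVENT_TYPES if chunk.startswith(e + " - ")), None)
        if event is None:
            continue  # leading empty chunk, or text before the first record
        values = [v.strip() for v in chunk[len(event) + 3:].split(" - ")]
        rec = {"event": event}
        rec.update(zip(FIELDS[event], values))
        records.append(rec)
    return records


def extract_iocs(records):
    """Collect indicators and behavioural flags from parsed records."""
    iocs = {"dropped_pe": {}, "connections": set(), "requests": set(), "flags": set()}
    for r in records:
        ev, path = r["event"], r.get("path", "")
        if ev == "File Created" and r.get("type") == "PE" and _MD5.match(r.get("md5", "")):
            iocs["dropped_pe"][path] = r["md5"].lower()
        elif ev == "Process Created" and r.get("image") in iocs["dropped_pe"]:
            iocs["flags"].add("executes dropped PE: " + r["image"])
        elif ev == "Connection Established":
            iocs["connections"].add((r.get("ip", ""), r.get("port", "")))
            if r.get("port") == "6667":
                iocs["flags"].add("IRC port contacted: " + r.get("ip", ""))
        elif ev == "Web Request":
            iocs["requests"].add((r.get("method", ""), r.get("host", "") + path))
        elif ev == "File Deleted" and path == "%SAMPLE%":
            iocs["flags"].add("sample deleted itself via " + r.get("process", ""))
        # Italian "Esecuzione automatica" is the Start Menu Startup folder.
        if ev in ("File Created", "File Modified") and (
                "Esecuzione automatica" in path or "\\Startup\\" in path):
            iocs["flags"].add("writes Startup folder: " + path)
    return iocs


if __name__ == "__main__":
    for key, value in extract_iocs(parse_report(SAMPLE_REPORT)).items():
        print(key, sorted(value) if isinstance(value, set) else value)
```

The dropped-PE check keys on the exact path string the sandbox printed, so a PE written as %Temp%\x.exe and later executed as %AppData%\IMPOST~1\Temp\x.exe (the two spellings of the same directory in these reports) would not be matched; normalising those prefixes is the first thing to add when running this over more reports.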