Field | Value
---|---
Analysis Date | 2014-06-30 01:09:14
MD5 | 51c7fa92c8faa59ee99953d085ebd268
SHA1 | 14d36d743a76509775de1f9152681bbf4f2c0d30
Static Details:
Field | Value
---|---
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Timestamp | 1992-06-19 22:22:17
Packer | UPX -> www.upx.sourceforge.net
PEhash | dda2635dbb7efb3e9172994c71e14e008f6f7adc
IMPhash | cba5bd52b3e624400ffe41eb22644b79

Section | MD5 | SHA1 | Size
---|---|---|---
UPX0 | d41d8cd98f00b204e9800998ecf8427e | da39a3ee5e6b4b0d3255bfef95601890afd80709 | 0
UPX1 | c37654572c61b2905e7f54a330dbea6a | 301288d960c330ee4f2ec839bb7e513870a23967 | 288256
.rsrc | 75e64d125b0dee05f3637940fc6bc2b8 | 092f5e8cee27847e93c07b1b860c722fbe120bcb | 19456

Two of these fields should not be taken at face value. The timestamp is the fixed value 0x2A425E19 that older Borland Delphi linkers write into every binary (the `This program must be run under Win32` string in the strings dump is the Delphi DOS stub), so it does not date the build. UPX0 is the empty placeholder section UPX reserves for the unpacked image (its MD5 and SHA1 are the hashes of zero bytes), and with the file still packed the IMPhash describes the UPX stub's import table rather than the original program's; unpack with `upx -d` before comparing import hashes against other samples.

AV vendor | Detection
---|---
360 Safe | Trojan.PWS.Delf.INE
Ad-Aware | Trojan.PWS.Delf.INE
Alwil (avast) | Dropper-FJG [Trj]
Arcabit (arcavir) | Trojan.Llac.Bdm
Authentium | W32/Trojan.DNXI-5341
Avira (antivir) | Worm/Rebhip.V
CA (E-Trust Ino) | Win32/Spyrat!generic
CAT (quickheal) | Win32.Trojan.Llac.bdm.3.Pack
ClamAV | Trojan.Agent-171451
Dr. Web | BackDoor.Cybergate.1
Emsisoft | Trojan.PWS.Delf.INE
Eset (nod32) | Win32/Spatet.A
Fortinet | W32/Llac.GFU!tr
Frisk (f-prot) | W32/Trojan2.JRCA (exact)
F-Secure | Backdoor:W32/Spyrat.A
Grisoft (avg) | PSW.Generic8.ISF
Ikarus | Worm.Win32.Rebhip
K7 | Trojan ( 00193f571 )
Kaspersky | Trojan.Win32.Llac.dmdm
MalwareBytes | Trojan.Downloader
Mcafee | Generic PWS.di
Microsoft Security Essentials | Worm:Win32/Rebhip.A
MicroWorld (escan) | Trojan.PWS.Delf.INE
Norman | win32:win32:win32/Rebhip.O
Rising | Backdoor.Win32.Delf.epl
Sophos | W32/Rebhip-AR
Symantec | W32.Spyrat
Trend Micro | TSPY_SPATET.SMT
VirusBlokAda (vba32) | Trojan.Llac
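Added example, not part of the report or of the sandbox that produced it: a Python script that reads the COFF header and section table of a PE image, reproduces the timestamp and per-section hashes shown above, and flags the two fields that mislead triage (the Delphi constant timestamp and the empty UPX0 section). The sample PE is constructed inline with the report's section layout; its UPX1 and .rsrc bodies are filler, so only the UPX0 hashes (hashes of zero bytes) reproduce the report's values.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Fixed TimeDateStamp written by older Borland Delphi/C++Builder linkers
# (0x2A425E19 = 708992537 = 1992-06-19 22:22:17 UTC).
DELPHI_TIMESTAMP = 0x2A425E19
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def parse_pe(data: bytes):
    """Return (timestamp, [(name, raw_size, md5, sha1)]) from the COFF and section headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    sect_off = coff + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsections):
        hdr = struct.unpack_from("<8sIIIIIIHHI", data, sect_off + 40 * i)
        name = hdr[0].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = hdr[3], hdr[4]   # SizeOfRawData, PointerToRawData
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append((name, raw_size, hashlib.md5(raw).hexdigest(), hashlib.sha1(raw).hexdigest()))
    return tstamp, sections


def static_triage(data: bytes) -> dict:
    """Reproduce the report's static fields and flag the ones that should not be trusted as-is."""
    tstamp, sections = parse_pe(data)
    names = {s[0] for s in sections}
    return {
        "timestamp": datetime.fromtimestamp(tstamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "delphi_fixed_timestamp": tstamp == DELPHI_TIMESTAMP,
        "upx_packed": bool(names & UPX_SECTION_NAMES),
        "empty_sections": [s[0] for s in sections if s[1] == 0],
        "sections": sections,
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE with the report's section layout; section bodies are filler, not the real sample."""
    upx1 = b"UPX!" + bytes(range(256)) * 4           # stand-in for the compressed image
    rsrc = b"\0" * 64
    e_lfanew, opt_size = 0x80, 224
    data_start = e_lfanew + 4 + 20 + opt_size + 40 * 3
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    # Machine 0x14C (i386), 3 sections, Delphi timestamp, 224-byte optional header, EXE characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 3, DELPHI_TIMESTAMP, 0, 0, opt_size, 0x010F)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")   # PE32 magic, remainder zeroed

    def section(name, vsize, vaddr, rsize, rptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, rptr, 0, 0, 0, 0, flags)

    headers = (dos + b"PE\0\0" + coff + opt
               + section(b"UPX0", 0x5A000, 0x1000, 0, 0, 0xE0000080)   # uninitialised placeholder
               + section(b"UPX1", len(upx1), 0x5B000, len(upx1), data_start, 0xE0000040)
               + section(b".rsrc", len(rsrc), 0x5C000, len(rsrc), data_start + len(upx1), 0xC0000040))
    assert len(headers) == data_start
    return headers + upx1 + rsrc


if __name__ == "__main__":
    for key, value in static_triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Running the script against a real file (`static_triage(open(path, "rb").read())`) gives the same four checks; a `delphi_fixed_timestamp` hit means the compile time is unusable for clustering, and `upx_packed` means the IMPhash belongs to the stub.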
Runtime Details:
Process
↳ C:\malware.exe
Event | Detail |
---|---|
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\JoinBot ➝ C:\Program Files\1033\JoinBot.exe |
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies ➝ C:\Program Files\1033\JoinBot.exe |
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies ➝ C:\Program Files\1033\JoinBot.exe |
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\JoinBot ➝ C:\Program Files\1033\JoinBot.exe |
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{V308KSTJ-IA06-6C5P-7151-63B316472UHS}\StubPath ➝ C:\Program Files\1033\JoinBot.exe Restart\\x00 |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\XX--XX--XX.txt |
Creates File | C:\Program Files\1033\JoinBot.exe |
Creates Process | C:\Program Files\Internet Explorer\iexplore.exe |
Creates Mutex | ***MUTEX***_PERSIST |
Creates Mutex | _x_X_BLOCKMOUSE_X_x_ |
Creates Mutex | _x_X_PASSWORDLIST_X_x_ |
Creates Mutex | _x_X_UPDATE_X_x_ |
Creates Mutex | ***MUTEX*** |
Process
↳ C:\Program Files\Internet Explorer\iexplore.exe
Event | Detail |
---|---|
Registry | HKEY_CURRENT_USER\SOFTWARE\Microsoft\PIDprocess ➝ 784 |
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 |
Registry | HKEY_CURRENT_USER\SOFTWARE\victim\FirstExecution ➝ 29/06/2014 -- 23:54 |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\UuU.uUu |
Creates File | PIPE\wkssvc |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\XxX.xXx |
Creates File | C:\Documents and Settings\Administrator\Application Data\logs.dat |
Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temp\UuU.uUu |
Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temp\XX--XX--XX.txt |
Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temp\XxX.xXx |
Creates Process | "C:\Program Files\1033\JoinBot.exe" |
Creates Mutex | ***MUTEX***_PERSIST |
Creates Mutex | SPY_NET_RATMUTEX |
Creates Mutex | _x_X_PASSWORDLIST_X_x_ |
Creates Mutex | ***MUTEX***_SAIR |
Creates Mutex | ***MUTEX*** |
Process
↳ C:\WINDOWS\Explorer.EXE
Event | Detail |
---|---|
Registry | HKEY_CURRENT_USER\SessionInformation\ProgramCount ➝ NULL |
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{V308KSTJ-IA06-6C5P-7151-63B316472UHS}\StubPath ➝ C:\Program Files\1033\JoinBot.exe |
Creates Process | C:\Program Files\1033\JoinBot.exe |
Creates Process | C:\Program Files\1033\JoinBot.exe |
Creates Mutex | ***MUTEX***_PERSIST |
Creates Mutex | SPY_NET_RATMUTEX |
Creates Mutex | ***MUTEX*** |
Creates Mutex | ***MUTEX***_SAIR |
Process
↳ Pid 4
Process
↳ Pid 492
Process
↳ \??\C:\WINDOWS\system32\csrss.exe
Event | Detail |
---|---|
Creates Mutex | SPY_NET_RATMUTEX |
Process
↳ \??\C:\WINDOWS\system32\winlogon.exe
Event | Detail |
---|---|
Creates Mutex | SPY_NET_RATMUTEX |
Process
↳ C:\WINDOWS\system32\services.exe
Event | Detail |
---|---|
Creates File | pipe\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER |
Creates File | PIPE\lsarpc |
Creates Mutex | SPY_NET_RATMUTEX |
Process
↳ C:\Program Files\1033\JoinBot.exe
Event | Detail |
---|---|
Creates Mutex | _x_X_BLOCKMOUSE_X_x_ |
Creates Mutex | _x_X_PASSWORDLIST_X_x_ |
Creates Mutex | _x_X_UPDATE_X_x_ |
Creates Mutex | ***MUTEX*** |
Process
↳ C:\WINDOWS\system32\lsass.exe
Event | Detail |
---|---|
Creates File | PIPE\lsarpc |
Creates File | \Device\Afd\Endpoint |
Creates File | UNC\WORKGROUP*\MAILSLOT\NET\NETLOGON |
Creates Mutex | SPY_NET_RATMUTEX |
Winsock DNS | 192.168.1.1 |
Process
↳ C:\WINDOWS\system32\svchost.exe
Event | Detail |
---|---|
Creates Mutex | SPY_NET_RATMUTEX |
Process
↳ C:\WINDOWS\system32\svchost.exe
Event | Detail |
---|---|
Creates Mutex | SPY_NET_RATMUTEX |
Process
↳ C:\WINDOWS\System32\svchost.exe
Event | Detail |
---|---|
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL |
Creates File | PIPE\lsarpc |
Creates File | C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG |
Creates File | C:\WINDOWS\system32\WBEM\Logs\wbemess.log |
Creates Mutex | SPY_NET_RATMUTEX |
Process
↳ C:\WINDOWS\system32\svchost.exe
Event | Detail |
---|---|
Creates Mutex | SPY_NET_RATMUTEX |
Process
↳ C:\WINDOWS\system32\svchost.exe
Event | Detail |
---|---|
Creates Mutex | SPY_NET_RATMUTEX |
Process
↳ C:\WINDOWS\system32\spoolsv.exe
Event | Detail |
---|---|
Creates Mutex | SPY_NET_RATMUTEX |
Process
↳ C:\WINDOWS\System32\alg.exe
Event | Detail |
---|---|
Creates Mutex | SPY_NET_RATMUTEX |
Process
↳ C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Event | Detail |
---|---|
Creates Mutex | SPY_NET_RATMUTEX |
Process
↳ C:\WINDOWS\system32\svchost.exe
Event | Detail |
---|---|
Creates Mutex | SPY_NET_RATMUTEX |
Process
↳ Pid 1164
Process
↳ C:\Program Files\1033\JoinBot.exe
Event | Detail |
---|---|
Creates File | PIPE\lsarpc |
Creates Mutex | _x_X_PASSWORDLIST_X_x_ |
Creates Mutex | _x_X_UPDATE_X_x_ |
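Added example, not part of the report or of any sandbox tooling: a Python script that parses the process/event layout used above (a constructed excerpt of the stanzas is embedded as sample input), pulls out the registry writes that land in autostart locations, checks the Active Setup component id against the GUID grammar, and lists mutexes that show up in several processes. `SPY_NET_RATMUTEX` being created by csrss.exe, winlogon.exe, lsass.exe and the svchost.exe instances is the trace of the RAT injecting its code into those processes; the `SYSTEM_PROCS` list and the three-process threshold are the example's own choices.

```python
import re
from collections import defaultdict

# Constructed excerpt of the runtime table above (a subset of its stanzas; the StubPath value's
# trailing \x00 rendering is dropped). Sample input for the parser, not sandbox output.
SAMPLE_REPORT = r"""
Process
↳ C:\malware.exe
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\JoinBot ➝ C:\Program Files\1033\JoinBot.exe |
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies ➝ C:\Program Files\1033\JoinBot.exe |
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{V308KSTJ-IA06-6C5P-7151-63B316472UHS}\StubPath ➝ C:\Program Files\1033\JoinBot.exe Restart |
Creates File | C:\Program Files\1033\JoinBot.exe |
Creates Mutex | ***MUTEX*** |
Process
↳ C:\Program Files\Internet Explorer\iexplore.exe
Creates File | C:\Documents and Settings\Administrator\Application Data\logs.dat |
Creates Mutex | SPY_NET_RATMUTEX |
Process
↳ \??\C:\WINDOWS\system32\csrss.exe
Creates Mutex | SPY_NET_RATMUTEX |
Process
↳ \??\C:\WINDOWS\system32\winlogon.exe
Creates Mutex | SPY_NET_RATMUTEX |
Process
↳ C:\WINDOWS\system32\lsass.exe
Creates Mutex | SPY_NET_RATMUTEX |
Process
↳ C:\WINDOWS\system32\svchost.exe
Creates Mutex | SPY_NET_RATMUTEX |
"""

PERSISTENCE_PATTERNS = [
    (r"\\CurrentVersion\\Run\\", "Run key autostart"),
    (r"\\Policies\\Explorer\\Run\\", "Explorer policy Run key (seldom used by legitimate software)"),
    (r"\\Active Setup\\Installed Components\\(\{[^}]*\})\\StubPath$", "Active Setup StubPath"),
]
# A genuine Active Setup component id is a GUID, i.e. hex digits only in 8-4-4-4-12 form.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Core processes that never create a RAT's mutex on their own (example's own list).
SYSTEM_PROCS = {"csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                "svchost.exe", "spoolsv.exe", "alg.exe", "explorer.exe"}
SEP = "➝"


def parse_runtime(text):
    """Yield (process basename, event type, detail) from the report's flattened process/event layout."""
    proc = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("↳"):                      # start of a process stanza
            proc = line[1:].strip().split("\\")[-1].lower()
        elif "|" in line and not line.startswith("---") and proc is not None:
            etype, detail = (c.strip() for c in line.split("|")[:2])
            yield proc, etype, detail


def persistence_findings(events):
    """Registry writes into known autostart locations, with the GUID sanity check for Active Setup."""
    out = []
    for proc, etype, detail in events:
        if etype != "Registry" or SEP not in detail:
            continue
        key, value = (s.strip() for s in detail.split(SEP, 1))
        for pattern, label in PERSISTENCE_PATTERNS:
            m = re.search(pattern, key, re.IGNORECASE)
            if m:
                note = label
                if m.groups() and not GUID_RE.match(m.group(1)):
                    note += "; component id is not a well-formed GUID"
                out.append({"process": proc, "key": key, "value": value, "note": note})
    return out


def injection_findings(events, min_processes=3):
    """Mutexes seen in several processes, or in any core system process, mark where the RAT injected itself."""
    owners = defaultdict(set)
    for proc, etype, detail in events:
        if etype == "Creates Mutex":
            owners[detail].add(proc)
    return {
        mutex: {"process_count": len(procs), "system_processes": sorted(procs & SYSTEM_PROCS)}
        for mutex, procs in owners.items()
        if len(procs) >= min_processes or procs & SYSTEM_PROCS
    }


EVENTS = list(parse_runtime(SAMPLE_REPORT))

if __name__ == "__main__":
    for f in persistence_findings(EVENTS):
        print(f"[{f['process']}] {f['note']}: {f['key']} = {f['value']}")
    for mutex, info in injection_findings(EVENTS).items():
        print(f"mutex {mutex} in {info['process_count']} processes, system: {info['system_processes']}")
```

On a live host the same three registry locations are what to check first when hunting for this family: the `Run` value, the `Policies\Explorer\Run` value, and any `Active Setup\Installed Components` subkey whose name is not a hex GUID.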
Network Details:
Event | Detail |
---|---|
DNS | spektrocraft.no-ip.org Type: A |
Flows TCP | 192.168.1.1:1031 ➝ 192.168.1.1:81 |

192.168.1.1 is the analysis host's own address (it is the source of the flow and the resolver recorded under lsass.exe), so the hostname was sinkholed and the real C2 address was not observed. The durable indicators are the no-ip.org dynamic-DNS hostname and the connect to TCP port 81.
Strings:

The UPX1 and .rsrc sections are compressed, so most of the dump is high-entropy noise and many strings survive only as fragments. The recognisable ones are:

Category | Strings
---|---
Delphi and resource artefacts | `This program must be run under Win32`, `TObject`, `DVCLAL`, `PACKAGEINFO`, `MAINICON`, `ICON_STANDARD`, `ortions Copyright (c) 19`
UPX stub imports | `KERNEL32.DLL`, `LoadLibraryA`, `GetProcAddress`, `VirtualAlloc`, `VirtualFree`, `VirtualProtect`, `ExitProcess`, `GetModu`
Libraries referenced | `advapi32.dll`, `crypt32.dll`, `ole32.dll`, `oleaut32.dll`, `pstorec.dll`, `rasapi32.dll`, `shell32.dll`, `user32.dll`
Credential-store APIs and browser-library fragments | `CryptUnprotectData`, `PStoreCreateInstance`, `SPSTORECLM`, `RasEnumEntriesA`, `LsaClose`, `PCREDE`, `mozcrt19`, `Mozilln`, `nspr4`, `NSS_I`, `PK11_`, `qlite3`, `FIREFOX`, `IELOGIN`, `uURLHis`
Keyboard translation and shell helpers | `ToAscii`, `SHGetSpecialFolderPathA`, `CoTaskMemFree`, `SysFreeString`, `lstrlenA`, `Snapshot`, `lExecut`, `ListFir`
RAT configuration and mutex fragments | `XX-XX-XX-XX`, `Ox_X_BLOCKMOUSE`, `PASSWORDL`, `_PERSIST`, `UPDAT`, `AppDataWS`, `AUTO WEB`, `CAutostar`, `Active S`, `CLSID`, `EditSvr`, `DAEMON`, `No-ip`, `NOIP.abc`, `Network\Connec`, `\Windows\Cur.ntV`, `OFTWARE\pplo`, `\\.\Sy`
Other | `3 Avenger by NhT`, `XPTPSW`, `55274-640-267306239`, `764874-317703751`, `abe2869f-9b47`, `-4cd9-a358-c22904dba7f7`