Malware analysis
8 September 2006
During this rainy afternoon, I decided to analyze a malware sample that I received. Feedback welcome.
MD5: 5120a93d69a1c1640c3063c562a13218
SHA1: 7718135fba2c30812cb8df729aa3d395fcd7e61a
File size: 11776 bytes
STATIC ANALYSIS
Antivirus detection:
- Avast 4.7.844.0 09.19.2006 Win32:Banload-XB
- ClamAV devel-20060426 09.21.2006 no virus found
- DrWeb 4.33 09.21.2006 Trojan.DownLoader.12368
- Kaspersky 4.0.2.24 09.21.2006 Trojan-Downloader.Win32.Banload.aqp
- Symantec 8.0 09.21.2006 no virus found
Strings:
PEC2
C:\Arquivos de programas\Microsoft Visual Studio\VB98\VB6.OLB
@*\AD:\kls\novo loader vb\sedexx1\Project1.vbp
http://bedtrader.com/tmp/fotos/ousadas/avgdos1.scr
avgdos1.scr
http://bedtrader.com/tmp/fotos/ousadas/logs.scr
logs.scr
http://bedtrader.com/tmp/fotos/ousadas/msn.scr
msn.scr
explorer http://www.claubanza.blogger.com.br/bar%20do%20sacha9.jpg
http://www1.enargas.gov.ar/Images/avgdos1.scr
http://www1.enargas.gov.ar/Images/logs.scr
http://www1.enargas.gov.ar/Images/msn.scr
@*\AD:\kls\novo loader vb\sedexx1\Project1.vbp
Comments
Arquivo de V
deo.
CompanyName
Arquivo de V
deo.
FileDescription
Arquivo de V
deo.
ProductName
Arquivo de V
deo.
FileVersion
1.00
ProductVersion
1.00
InternalName
img1
OriginalFilename
img1.exe
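The strings dump above already tells most of the story (a VB6 downloader with two hard-coded download servers, one beacon URL and Portuguese version info). As an added example, not part of the original post, here is a small Python triage script that turns such a dump into indicators: it pulls the URLs, groups them by host, lists the executable file names they point at, recovers the VB6 project path from the "@*\A" marker, and re-pairs the VERSIONINFO keys with the value fragments that follow them. The dump is embedded as constructed input copied from the listing above; a plain strings pass drops non-ASCII bytes, which is why "Arquivo de Vídeo." ("Video file" in Portuguese) appears as the two fragments "Arquivo de V" and "deo.", so the parser marks that gap with a "?" instead of gluing the fragments together.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed input: the strings dump from the listing above, reproduced
# verbatim (non-ASCII bytes were dropped by the strings tool).
STRINGS_DUMP = r"""
PEC2
C:\Arquivos de programas\Microsoft Visual Studio\VB98\VB6.OLB
@*\AD:\kls\novo loader vb\sedexx1\Project1.vbp
http://bedtrader.com/tmp/fotos/ousadas/avgdos1.scr
avgdos1.scr
http://bedtrader.com/tmp/fotos/ousadas/logs.scr
logs.scr
http://bedtrader.com/tmp/fotos/ousadas/msn.scr
msn.scr
explorer http://www.claubanza.blogger.com.br/bar%20do%20sacha9.jpg
http://www1.enargas.gov.ar/Images/avgdos1.scr
http://www1.enargas.gov.ar/Images/logs.scr
http://www1.enargas.gov.ar/Images/msn.scr
@*\AD:\kls\novo loader vb\sedexx1\Project1.vbp
Comments
Arquivo de V
deo.
CompanyName
Arquivo de V
deo.
FileDescription
Arquivo de V
deo.
ProductName
Arquivo de V
deo.
FileVersion
1.00
ProductVersion
1.00
InternalName
img1
OriginalFilename
img1.exe
"""

URL_RE = re.compile(r'https?://[^\s"\'<>]+')
# A VB6 build embeds "@*\A" directly followed by the developer's .vbp path.
VBP_RE = re.compile(r'@\*\\A(.+?\.vbp)')
VB6_MARKERS = ("VB6.OLB", "MSVBVM60", "@*\\A")
PAYLOAD_EXTS = (".scr", ".exe", ".pif", ".com", ".dll")
VERSION_KEYS = ("Comments", "CompanyName", "FileDescription", "ProductName",
                "FileVersion", "ProductVersion", "InternalName", "OriginalFilename")

def extract_urls(dump):
    """Unique URLs in first-seen order: the downloader's fetch list."""
    return list(dict.fromkeys(URL_RE.findall(dump)))

def group_by_host(urls):
    """host -> [paths]; each host is a candidate download or beacon server."""
    by_host = defaultdict(list)
    for url in urls:
        parsed = urlparse(url)
        by_host[parsed.netloc].append(parsed.path)
    return dict(by_host)

def payload_names(urls):
    """Executable file names referenced by the URLs, whichever host serves them."""
    names = set()
    for url in urls:
        name = urlparse(url).path.rsplit("/", 1)[-1]
        if name.lower().endswith(PAYLOAD_EXTS):
            names.add(name)
    return names

def detect_vb6(dump):
    """Flag a VB6 build and recover the project path left by the compiler."""
    markers = [m for m in VB6_MARKERS if m in dump]
    match = VBP_RE.search(dump)
    return {"is_vb6": bool(markers), "markers": markers,
            "project_path": match.group(1) if match else None}

def parse_version_info(dump):
    # Each VERSIONINFO key is followed by its value; a value split over several
    # fragments means a non-ASCII byte was dropped, so the gap is marked "?".
    lines = [ln.strip() for ln in dump.splitlines() if ln.strip()]
    info, i = {}, 0
    while i < len(lines):
        if lines[i] not in VERSION_KEYS:
            i += 1
            continue
        key, i, fragments = lines[i], i + 1, []
        while i < len(lines) and lines[i] not in VERSION_KEYS:
            fragments.append(lines[i])
            i += 1
        info[key] = "?".join(fragments)
    return info

if __name__ == "__main__":
    urls = extract_urls(STRINGS_DUMP)
    print("hosts:", group_by_host(urls))
    print("payloads:", payload_names(urls))
    print("vb6:", detect_vb6(STRINGS_DUMP))
    print("version info:", parse_version_info(STRINGS_DUMP))
```

The same functions work on the output of `strings -a` against any sample; the host list is what you would feed into proxy or DNS block lists, and the payload names are what to look for on disk after detonation.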
DYNAMIC ANALYSIS
Run:
So I ran it in my lab and saw some interesting things.
It opened the ports 1139/TCP and 1135/UDP.
It first tries to connect to 24.196.63.133:80 to get avgdos1.scr, logs.scr and msn.scr (GET /tmp/fotos/ousadas/avgdos1.scr HTTP/1.1). This host seems to be down at this time.
It then connects to 200.47.72.34:80 to get avgdos1.scr, logs.scr and msn.scr (GET /Images/avgdos1.scr HTTP/1.1); this one seems to be up at this time. The address resolves to www1.enargas.gov.ar (the string is hard coded); the site is defaced at this time ("hacked by bact3ry best").
It connects to http://www.claubanza.blogger.com.br/bar%20do%20sacha9.jpg, maybe to count the number of infections?
It creates avgdos1.scr in %\WINNT\ (this is what is run after the infection; I saw something like 40 avgdos1.scr processes in my task manager!)
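The network behaviour above is easy to turn into a detection. As an added example, not part of the original post, the Python below replays the observed connections over a constructed request log and flags the downloader traffic in two ways: exact matches on the hard-coded download and beacon URLs, and a generic heuristic (an executable such as a .scr fetched from a photo or image directory) that would also fire on a new host once the current ones are taken down. The one-request-per-line log format and the 203.0.113.9 address used for the blogger host are assumptions for the example; the post does not give that IP.

```python
import re

# Constructed HTTP request log mirroring the sandbox run above. Format (an
# assumption for this example): client server request-line Host: header.
# 203.0.113.9 is a placeholder for the blogger host, whose IP is not known.
HTTP_LOG = """\
192.168.1.50 24.196.63.133:80 GET /tmp/fotos/ousadas/avgdos1.scr HTTP/1.1 Host: bedtrader.com
192.168.1.50 24.196.63.133:80 GET /tmp/fotos/ousadas/logs.scr HTTP/1.1 Host: bedtrader.com
192.168.1.50 200.47.72.34:80 GET /Images/avgdos1.scr HTTP/1.1 Host: www1.enargas.gov.ar
192.168.1.50 200.47.72.34:80 GET /Images/msn.scr HTTP/1.1 Host: www1.enargas.gov.ar
192.168.1.50 200.47.72.34:80 GET /Images/logo.gif HTTP/1.1 Host: www1.enargas.gov.ar
192.168.1.50 203.0.113.9:80 GET /bar%20do%20sacha9.jpg HTTP/1.1 Host: www.claubanza.blogger.com.br
192.168.1.50 10.0.0.7:80 GET /index.html HTTP/1.1 Host: intranet.example
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (GET|POST) (\S+) HTTP/\d\.\d Host: (\S+)$')

# Indicators taken from the sample's hard-coded strings (host, path).
DOWNLOAD_IOCS = {
    ("bedtrader.com", "/tmp/fotos/ousadas/avgdos1.scr"),
    ("bedtrader.com", "/tmp/fotos/ousadas/logs.scr"),
    ("bedtrader.com", "/tmp/fotos/ousadas/msn.scr"),
    ("www1.enargas.gov.ar", "/Images/avgdos1.scr"),
    ("www1.enargas.gov.ar", "/Images/logs.scr"),
    ("www1.enargas.gov.ar", "/Images/msn.scr"),
}
BEACON_IOCS = {("www.claubanza.blogger.com.br", "/bar%20do%20sacha9.jpg")}
# Generic heuristic: executables do not belong in photo/image folders.
EXEC_EXTS = (".scr", ".exe", ".pif", ".com")
IMAGE_DIRS = ("/fotos/", "/images/", "/img/", "/pics/", "/photos/")

def parse_request(line):
    """Split one log line into its fields; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, dst, method, path, host = m.groups()
    return {"src": src, "dst": dst, "method": method, "path": path,
            "host": host.lower()}

def classify(req):
    """Return the alert reason for a request, or None if it looks benign."""
    key = (req["host"], req["path"])
    if key in DOWNLOAD_IOCS:
        return "known Banload download URL"
    if key in BEACON_IOCS:
        return "known infection-counter beacon"
    path = req["path"].lower()
    if path.endswith(EXEC_EXTS) and any(d in path for d in IMAGE_DIRS):
        return "executable fetched from an image directory"
    return None

def scan_log(text):
    """Return (host, path, reason) for every request that trips a rule."""
    alerts = []
    for line in text.splitlines():
        req = parse_request(line)
        if req is None:
            continue
        reason = classify(req)
        if reason:
            alerts.append((req["host"], req["path"], reason))
    return alerts

if __name__ == "__main__":
    for host, path, reason in scan_log(HTTP_LOG):
        print(f"ALERT {host}{path}: {reason}")
```

The exact-match sets are brittle on their own (the first server was already down during the run), so the heuristic is what keeps the rule useful after the attacker moves the .scr files to the next defaced site.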
More soon…