-
2009-05-14 10:12:41
-
a. ShellExecuteExA - Can be used to run applications
b. Socket APIs - Make network connections
c. File API - read/modify files
-
a. 60.248.52.95 - Potential network signature
b. http://www.ueopen.com/test.html - Potential network signature
c. cmd.exe - The malware could be trying to run shell commands
d. *(SY)# - Potential network signature, possibly used as a remote shell prompt
-
Connects to 60.248.52.95, offers up a remote shell, then deletes itself
-
Process name. Filtering on it ensures the procmon data only involves the sample
-
Nothing in particular, except for the command it runs to delete itself:
cmd.exe /c del $PATH > null
-
a. Connects to port 443 on 60.248.52.95
b. *(SY)# - Remote shell prompt
-
The file's self-deletion was a nuisance. This can be overcome by keeping a separate copy of the sample, or by NOP'ing out the delete call
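Added example, not part of these notes: a small checker that pulls the two behaviours recorded above (the cmd.exe /c del self-deletion and the connect to 60.248.52.95:443) out of a Process Monitor CSV export filtered on the sample's process name. The log lines are constructed to look like Procmon's CSV columns and are not a real capture; the sample path C:\lab\sample.exe is a placeholder.

```python
import csv
import io
import re

# Constructed Procmon-style CSV export (not a real capture). The column layout
# (Time of Day, Process Name, PID, Operation, Path, Result, Detail) is assumed.
SAMPLE_LOG = """\
Time of Day,Process Name,PID,Operation,Path,Result,Detail
10:12:41.100,sample.exe,1234,Process Create,C:\\Windows\\System32\\cmd.exe,SUCCESS,"PID: 1240, Command line: cmd.exe /c del C:\\lab\\sample.exe > null"
10:12:41.250,sample.exe,1234,TCP Connect,lab-vm:1050 -> 60.248.52.95:443,SUCCESS,Length: 0
10:12:42.000,explorer.exe,900,Process Create,C:\\Windows\\System32\\notepad.exe,SUCCESS,"PID: 1300, Command line: notepad.exe"
"""

# Matches "cmd /c del <path>" or "cmd.exe /c del <path>" inside a command line.
SELF_DELETE_RE = re.compile(r"cmd(?:\.exe)?\s+/c\s+del\s+(\S+)", re.IGNORECASE)


def find_self_deletion(log_text, sample_path):
    """Return (process, pid, deleted_path) for Process Create events in which the
    sample asks cmd.exe to delete its own image. Knowing this in advance is what
    lets the analyst keep a separate copy before running the sample."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["Operation"] != "Process Create":
            continue
        m = SELF_DELETE_RE.search(row["Detail"])
        if m and m.group(1).strip('"').lower() == sample_path.lower():
            hits.append((row["Process Name"], row["PID"], m.group(1)))
    return hits


def find_network_connects(log_text, sample_name):
    """Return (remote_ip, remote_port) for every TCP Connect made by the sample;
    these are the network-based indicators for the sample."""
    out = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["Process Name"].lower() != sample_name.lower():
            continue
        if row["Operation"] != "TCP Connect":
            continue
        remote = row["Path"].split("->")[-1].strip()   # "ip:port" after the arrow
        ip, port = remote.rsplit(":", 1)
        out.append((ip, int(port)))
    return out


if __name__ == "__main__":
    print(find_self_deletion(SAMPLE_LOG, r"C:\lab\sample.exe"))
    print(find_network_connects(SAMPLE_LOG, "sample.exe"))
```

The self-deletion check compares the deleted path against the path the sample was run from, so a benign "del" of some other file does not trigger it; the connect check reports every remote endpoint, which is where the 443 observation came from.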
-
To act as a backdoor by offering a remote shell to the attacker
-
02658bc9801f98dfdf167accf57f6a36
-
a. CreateProcessA - Execute applications
b. WriteFile - Write to files
c. HttpOpenRequestA - Access websites
-
a. wuauclt.exe - Name of the Windows Update client; the malware may be using it as a disguise or trojaning it
b. cmd /c - run shell commands
c. 69.25.50.10 - Potential network signature
-
Nothing appears on screen. In the background it is attempting to connect to 69.25.50.10, but fails. If it succeeds it offers a remote shell.
-
Process name. Filtering on it ensures the procmon data only involves the sample
-
Runs wuauclt.exe
-
Connects to 69.25.50.10. Remote pseudo-shell commands (putf, getf, /tasks/, exit)
-
No, though more information could have been gathered if 69.25.50.10 had been up
-
Acts as a backdoor, allowing remote file access and program execution.
-
Yes: very few strings and imports, and VirtualSize >> SizeOfRawData for its sections. Possibly UPX packed.
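Added example, not part of these notes: the VirtualSize vs. SizeOfRawData comparison above as a script. It parses the PE section table directly from the bytes (no third-party library) and flags sections that are much larger in memory than on disk, or that carry no raw data at all, alongside UPX-style section names. The build_test_pe helper constructs a header-only, non-executable PE purely so the heuristic can be exercised offline; the 4x ratio threshold is an assumption.

```python
import struct

PE_SIGNATURE = b"PE\0\0"
SECTION_HEADER_SIZE = 40


def parse_sections(data):
    """Return (name, VirtualSize, SizeOfRawData) for each section in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]        # NumberOfSections
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + size_of_optional                              # section table follows
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name, vsize, _vaddr, rawsize = struct.unpack_from("<8sIII", data, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rawsize))
    return sections


def packing_indicators(data, ratio=4.0):
    """Heuristic packing indicators: a section with no raw data but a large
    VirtualSize (filled in at runtime), VirtualSize >= ratio * SizeOfRawData,
    or a UPX-style section name. These are hints, not proof of packing."""
    findings = []
    for name, vsize, rawsize in parse_sections(data):
        if rawsize == 0 and vsize > 0:
            findings.append(f"{name}: no raw data but VirtualSize={vsize:#x}")
        elif rawsize and vsize / rawsize >= ratio:
            findings.append(f"{name}: VirtualSize={vsize:#x} >> SizeOfRawData={rawsize:#x}")
        if name.upper().startswith("UPX"):
            findings.append(f"{name}: UPX section name")
    return findings


def build_test_pe(sections):
    """Construct a minimal header-only PE (DOS stub, COFF header with an empty
    optional header, section table) from (name, VirtualSize, SizeOfRawData)
    tuples. Constructed for this example; it is not a runnable executable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, TimeDateStamp, PtrToSymbols, NumSymbols,
    # SizeOfOptionalHeader=0, Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table = b""
    for name, vsize, rawsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             vsize, 0x1000, rawsize, 0x400, 0, 0, 0, 0, 0x60000020)
    return dos + PE_SIGNATURE + coff + table


# Constructed section layouts: a UPX-like one and an unpacked-looking one.
PACKED_PE = build_test_pe([("UPX0", 0x2A000, 0), ("UPX1", 0xA000, 0x9800), (".rsrc", 0x1000, 0x1000)])
PLAIN_PE = build_test_pe([(".text", 0x3000, 0x3200), (".data", 0x800, 0x1000)])

if __name__ == "__main__":
    for label, pe in (("packed", PACKED_PE), ("plain", PLAIN_PE)):
        print(label, packing_indicators(pe))
```

Point the same parse_sections at a real sample's bytes to get the section sizes that PEview or similar shows; a first section with SizeOfRawData of 0 and a large VirtualSize is the classic UPX layout, and the few strings and imports noted above are the matching symptom.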
-
No, UPX reports an error, "file is modified/hacked/protected; take care!!!"
-
a. Mozilla/4.0 - Possible user agent
b. http://%s/%s/ - Format string for making URLs
c. www.practicalmalwareanalysis.com - Potential network signature
-
Connects to website "http://<url from resources>/<base64 local hostname>/"
-
No
-
The URL and user agent
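Added example, not part of these notes: a matcher for the beacon described above, i.e. a request with the bare "Mozilla/4.0" user agent to a URL of the form http://<host>/<base64 hostname>/. The requests are constructed tuples rather than a capture; the hostname check (one path segment that base64-decodes to something shaped like a machine name) and the set of known hosts are assumptions for the example.

```python
import base64
import re

# Constructed (method, path, Host, User-Agent) tuples; not from a real capture.
REQUESTS = [
    ("GET", "/" + base64.b64encode(b"LAB-VM01").decode() + "/",
     "www.practicalmalwareanalysis.com", "Mozilla/4.0"),
    ("GET", "/index.html", "www.example.com", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
    ("GET", "/dGVzdA==/", "www.example.com", "Mozilla/4.0"),
]

# A single label that could be a NetBIOS / DNS host name (assumed shape).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{0,62}$")


def decode_beacon_path(path):
    """If the path is exactly one segment that base64-decodes to a plausible
    host name, return that name; otherwise return None."""
    parts = [p for p in path.split("/") if p]
    if len(parts) != 1:
        return None
    try:
        decoded = base64.b64decode(parts[0], validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    return decoded if HOSTNAME_RE.match(decoded) else None


def beacon_indicators(method, path, host, user_agent,
                      known_hosts=frozenset({"www.practicalmalwareanalysis.com"})):
    """Return the list of reasons a request looks like this sample's check-in.
    An empty list means nothing matched."""
    reasons = []
    if host.lower() in known_hosts:
        reasons.append("known beacon host")
    if user_agent.strip() == "Mozilla/4.0":       # real browsers send a much longer UA
        reasons.append("bare Mozilla/4.0 user agent")
    name = decode_beacon_path(path)
    if name:
        reasons.append(f"path is base64 of host name {name!r}")
    return reasons


if __name__ == "__main__":
    for req in REQUESTS:
        print(req[1], beacon_indicators(*req))
```

Matching on the decoded path rather than a fixed string is what makes the signature survive the per-victim part of the URL; the host name from the resources and the user agent are the fixed parts.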
-
The packing; I'm not sure what else the malware is doing besides connecting out. This program will have to be unpacked manually.
-
Besides reporting the hostname to the attacker, there's no way to tell without further analysis.