CWSandbox: First Results

Some time ago I blogged about the diploma thesis on "Automatic Behaviour Analysis of Malware" by Carsten Willems that I supervise. Preliminary results are now available and we will start a beta test soon. Below you find the (rather detailed) results of an analysis of a malicious binary with the md5sum 7f60162c2c0bd2cc7531e51328e98290. Compared to the output by the Norman Sandbox which is available at http://sandbox.norman.no/live_2.html?logfile=816205, the CWSandbox has much more detailed results. If you want more information, don't hesitate to contact Carsten or me.


analysis of c:\analyse\log\7f60162c2c0bd2cc7531e51328e98290.exe\run_1\

proc_1
PID=720
Username=Administrator
Filename=c:\analyse\binary\7f60162c2c0bd2cc7531e51328e98290.exe
MD5=7f60162c2c0bd2cc7531e51328e98290

typDLLHandling:
load DLL "c:\analyse\binary\7f60162c2c0bd2cc7531e51328e98290.exe" => [OK]
load DLL "C:\WINDOWS\system32\ntdll.dll" => [OK]
load DLL "C:\WINDOWS\system32\kernel32.dll" => [OK]
load DLL "C:\WINDOWS\system32\ADVAPI32.dll" => [OK]
load DLL "C:\WINDOWS\system32\RPCRT4.dll" => [OK]
load DLL "C:\WINDOWS\system32\MSVCRT.dll" => [OK]
load DLL "C:\WINDOWS\system32\USER32.dll" => [OK]
load DLL "C:\WINDOWS\system32\GDI32.dll" => [OK]
load DLL "C:\WINDOWS\system32\WININET.dll" => [OK]
load DLL "C:\WINDOWS\system32\CRYPT32.dll" => [OK]
load DLL "C:\WINDOWS\system32\MSASN1.dll" => [OK]
load DLL "C:\WINDOWS\system32\OLEAUT32.dll" => [OK]
load DLL "C:\WINDOWS\system32\ole32.dll" => [OK]
load DLL "C:\WINDOWS\system32\SHLWAPI.dll" => [OK]
load DLL "C:\WINDOWS\system32\WS2_32.dll" => [OK]
load DLL "C:\WINDOWS\system32\WS2HELP.dll" => [OK]
load DLL "C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_xww_a84f1ff9\" => [OK]
load DLL "C:\WINDOWS\system32\comctl32.dll" => [OK]
load DLL "C:\WINDOWS\system32\wsock32.dll" => [OK]
load DLL "C:\WINDOWS\system32\Secur32.dll" => [OK]
load DLL "KERNEL32.DLL" => [OK]
load DLL "ADVAPI32.dll" => [OK]
load DLL "MSVCRT.dll" => [OK]
load DLL "USER32.dll" => [OK]
load DLL "WININET.dll" => [OK]
load DLL "WS2_32.dll" => [OK]
load DLL "advapi32" => [OK]

typFileSystem:
delete file "ftpupd.exe"
open named pipe "\\.\PIPE\lsarpc" (CreationDistribution: "OPEN_EXISTING",DesiredAccess: "FILE_ANY_ACCESS",Flags: "SECURITY_ANONYMOUS")
copy file "c:\analyse\binary\7f60162c2c0bd2cc7531e51328e98290.exe" to "C:\WINDOWS\system32\rywxaeja.exe" (CreationDistribution: "")
open file "\SystemRoot\AppPatch\sysmain.sdb" (CreationDistribution: "OPEN_EXISTING",DesiredAccess: "FILE_ANY_ACCESS,FILE_READ_ATTRIBUTES",Flags: "FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS")
open file "\SystemRoot\AppPatch\systest.sdb" (CreationDistribution: "OPEN_EXISTING",DesiredAccess: "FILE_ANY_ACCESS,FILE_READ_ATTRIBUTES",Flags: "FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS")
open file "\Device\NamedPipe\ShimViewer" (CreationDistribution: "OPEN_EXISTING",DesiredAccess: "FILE_ANY_ACCESS,FILE_READ_ATTRIBUTES",Flags: "FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS")
open file "C:\WINDOWS\system32\rywxaeja.exe" (CreationDistribution: "",DesiredAccess: "FILE_ANY_ACCESS",Flags: "SECURITY_ANONYMOUS")
find file "rywxaeja.exe"

typMutex:
create mutex "uterm13.2i"

typRegistry:
read value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Security Manager"
read value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Disk Defragmenter"
read value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Restore Service"
read value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bot Loader"
read value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysTray"
read value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinUpdate"
read value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update Service"
read value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avserve.exe"
read value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avserve2.exeUpdate Service"
read value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MS Config v13"
create/open key "HKEY_LOCAL_MACHINE\Software\Microsoft\Wireless"
set value "HKEY_LOCAL_MACHINE\Software\Microsoft\Wireless\ID" to "byvcrhcoeoy"
read value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Update"
set value "HKEY_LOCAL_MACHINE\Software\Microsoft\Wireless\Client" to "1"
create/open key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
set value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Update" to "C:\WINDOWS\system32\rywxaeja.exe"
read value "HKEY_LOCAL_MACHINE\Software\Microsoft\Wireless\Registry\Machine\SYSTEM\WPA\MediaCenter\Installed"

typProcess:
create a process "C:\WINDOWS\system32\rywxaeja.exe" (ShowWindow:"SW_HIDE", Method:"WinExec") => [OK]

typSystemInfo:
get SystemDirectory

-----------------------------------------------------------------------------------------------------------

proc_2
PID=744
Username=Administrator
Filename=C:\WINDOWS\system32\rywxaeja.exe
MD5=7f60162c2c0bd2cc7531e51328e98290

typDLLHandling:
load DLL "C:\WINDOWS\system32\rywxaeja.exe" => [OK]
load DLL "C:\WINDOWS\system32\ntdll.dll" => [OK]
load DLL "C:\WINDOWS\system32\kernel32.dll" => [OK]
load DLL "C:\WINDOWS\system32\ADVAPI32.dll" => [OK]
load DLL "C:\WINDOWS\system32\RPCRT4.dll" => [OK]
load DLL "C:\WINDOWS\system32\MSVCRT.dll" => [OK]
load DLL "C:\WINDOWS\system32\USER32.dll" => [OK]
load DLL "C:\WINDOWS\system32\GDI32.dll" => [OK]
load DLL "C:\WINDOWS\system32\WININET.dll" => [OK]
load DLL "C:\WINDOWS\system32\CRYPT32.dll" => [OK]
load DLL "C:\WINDOWS\system32\MSASN1.dll" => [OK]
load DLL "C:\WINDOWS\system32\OLEAUT32.dll" => [OK]
load DLL "C:\WINDOWS\system32\ole32.dll" => [OK]
load DLL "C:\WINDOWS\system32\SHLWAPI.dll" => [OK]
load DLL "C:\WINDOWS\system32\WS2_32.dll" => [OK]
load DLL "C:\WINDOWS\system32\WS2HELP.dll" => [OK]
load DLL "C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_xww_a84f1ff9\" => [OK]
load DLL "C:\WINDOWS\system32\comctl32.dll" => [OK]
load DLL "C:\WINDOWS\system32\wsock32.dll" => [OK]
load DLL "C:\WINDOWS\system32\Secur32.dll" => [OK]
load DLL "KERNEL32.DLL" => [OK]
load DLL "ADVAPI32.dll" => [OK]
load DLL "MSVCRT.dll" => [OK]
load DLL "USER32.dll" => [OK]
load DLL "WININET.dll" => [OK]
load DLL "WS2_32.dll" => [OK]
load DLL "advapi32" => [OK]

typFileSystem:
delete file "ftpupd.exe"
open named pipe "\\.\PIPE\lsarpc" (CreationDistribution: "OPEN_EXISTING",DesiredAccess: "FILE_ANY_ACCESS",Flags: "SECURITY_ANONYMOUS")

typMutex:
create mutex "uterm13.2i"

typRegistry:
read value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Security Manager"
read value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Disk Defragmenter"
read value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Restore Service"
read value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bot Loader"
read value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysTray"
read value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinUpdate"
read value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update Service"
read value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avserve.exe"
read value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avserve2.exeUpdate Service"
read value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MS Config v13"
read value "HKEY_LOCAL_MACHINE\Software\Microsoft\Wireless\ID"
read value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Update"
read value "HKEY_LOCAL_MACHINE\Software\Microsoft\Wireless\Client"
delete value "HKEY_LOCAL_MACHINE\Software\Microsoft\Wireless\Client"

typProcess:
open process PID "908", Filename: "C:\WINDOWS\system32\rywxaeja.exe"

typThread:
create remote thread in process PID "908" (dwCreationFlags: "CREATE_SUSPENDED")

typVirtualMemory:
VMAlloc in process PID "908" (Address: $31500000, Size: 45056, AllocationType: MEM_COMMIT,MEM_RESERVE, Protect: PAGE_READWRITE)
VMProtect in process PID "908" (Address: $31500000, Size: 45056, Protect: PAGE_EXECUTE_READWRITE)
VMProtect in process PID "908" (Address: $31500000, Size: 45056, Protect: PAGE_READWRITE)
VMWrite in process PID "908" (Address: $31500000, Size: 45056)
VMAlloc in process PID "908" (Address: $00000000, Size: 1048576, AllocationType: MEM_RESERVE, Protect: PAGE_READWRITE)
VMAlloc in process PID "908" (Address: $020AE000, Size: 8192, AllocationType: MEM_COMMIT, Protect: PAGE_READWRITE)
VMProtect in process PID "908" (Address: $020AE000, Size: 4096, Protect: PAGE_READWRITE,PAGE_GUARD)

typWindow:
find window with title "", class: "Shell_TrayWnd"

-----------------------------------------------------------------------------------------------------------

proc_3
PID=908
Username=Administrator
Filename=C:\WINDOWS\Explorer.EXE
MD5=22fe1be02eadde1632e478e4125639e0

typDLLHandling:
load DLL "C:\WINDOWS\Explorer.EXE" => [OK]
load DLL "C:\WINDOWS\system32\ntdll.dll" => [OK]
load DLL "C:\WINDOWS\system32\kernel32.dll" => [OK]
load DLL "C:\WINDOWS\system32\msvcrt.dll" => [OK]
load DLL "C:\WINDOWS\system32\ADVAPI32.dll" => [OK]
load DLL "C:\WINDOWS\system32\RPCRT4.dll" => [OK]
load DLL "C:\WINDOWS\system32\GDI32.dll" => [OK]
load DLL "C:\WINDOWS\system32\USER32.dll" => [OK]
load DLL "C:\WINDOWS\system32\SHLWAPI.dll" => [OK]
load DLL "C:\WINDOWS\system32\SHELL32.dll" => [OK]
load DLL "C:\WINDOWS\system32\ole32.dll" => [OK]
load DLL "C:\WINDOWS\system32\OLEAUT32.dll" => [OK]
load DLL "C:\WINDOWS\system32\BROWSEUI.dll" => [OK]
load DLL "C:\WINDOWS\system32\SHDOCVW.dll" => [OK]
load DLL "C:\WINDOWS\system32\CRYPT32.dll" => [OK]
load DLL "C:\WINDOWS\system32\MSASN1.dll" => [OK]
load DLL "C:\WINDOWS\system32\CRYPTUI.dll" => [OK]
load DLL "C:\WINDOWS\system32\WINTRUST.dll" => [OK]
load DLL "C:\WINDOWS\system32\IMAGEHLP.dll" => [OK]
load DLL "C:\WINDOWS\system32\NETAPI32.dll" => [OK]
load DLL "C:\WINDOWS\system32\WININET.dll" => [OK]
load DLL "C:\WINDOWS\system32\WLDAP32.dll" => [OK]
load DLL "C:\WINDOWS\system32\VERSION.dll" => [OK]
load DLL "C:\WINDOWS\system32\UxTheme.dll" => [OK]
load DLL "C:\WINDOWS\system32\ShimEng.dll" => [OK]
load DLL "C:\WINDOWS\AppPatch\AcGenral.DLL" => [OK]
load DLL "C:\WINDOWS\system32\WINMM.dll" => [OK]
load DLL "C:\WINDOWS\system32\MSACM32.dll" => [OK]
load DLL "C:\WINDOWS\system32\USERENV.dll" => [OK]
load DLL "C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_xww_a84f1ff9\" => [OK]
load DLL "C:\WINDOWS\system32\comctl32.dll" => [OK]
load DLL "C:\WINDOWS\system32\appHelp.dll" => [OK]
load DLL "C:\WINDOWS\system32\CLBCATQ.DLL" => [OK]
load DLL "C:\WINDOWS\system32\COMRes.dll" => [OK]
load DLL "C:\WINDOWS\System32\cscui.dll" => [OK]
load DLL "C:\WINDOWS\System32\CSCDLL.dll" => [OK]
load DLL "C:\WINDOWS\System32\themeui.dll" => [OK]
load DLL "C:\WINDOWS\System32\Secur32.dll" => [OK]
load DLL "C:\WINDOWS\System32\MSIMG32.dll" => [OK]
load DLL "C:\WINDOWS\system32\xpsp2res.dll" => [OK]
load DLL "C:\WINDOWS\System32\actxprxy.dll" => [OK]
load DLL "C:\WINDOWS\System32\msutb.dll" => [OK]
load DLL "C:\WINDOWS\System32\MSCTF.dll" => [OK]
load DLL "C:\WINDOWS\system32\ntshrui.dll" => [OK]
load DLL "C:\WINDOWS\system32\ATL.DLL" => [OK]
load DLL "C:\WINDOWS\system32\urlmon.dll" => [OK]
load DLL "C:\WINDOWS\system32\WINSTA.dll" => [OK]
load DLL "C:\WINDOWS\System32\webcheck.dll" => [OK]
load DLL "C:\WINDOWS\System32\WSOCK32.dll" => [OK]
load DLL "C:\WINDOWS\System32\WS2_32.dll" => [OK]
load DLL "C:\WINDOWS\System32\WS2HELP.dll" => [OK]
load DLL "C:\WINDOWS\System32\stobject.dll" => [OK]
load DLL "C:\WINDOWS\System32\BatMeter.dll" => [OK]
load DLL "C:\WINDOWS\System32\POWRPROF.dll" => [OK]
load DLL "C:\WINDOWS\System32\SETUPAPI.dll" => [OK]
load DLL "C:\WINDOWS\System32\WTSAPI32.dll" => [OK]
load DLL "C:\WINDOWS\system32\NETSHELL.dll" => [OK]
load DLL "C:\WINDOWS\system32\rtutils.dll" => [OK]
load DLL "C:\WINDOWS\system32\credui.dll" => [OK]
load DLL "C:\WINDOWS\system32\iphlpapi.dll" => [OK]
load DLL "C:\WINDOWS\system32\msi.dll" => [OK]
load DLL "C:\WINDOWS\system32\LINKINFO.dll" => [OK]
load DLL "C:\WINDOWS\system32\browselc.dll" => [OK]
load DLL "C:\WINDOWS\system32\DUSER.dll" => [OK]
load DLL "C:\WINDOWS\system32\MPR.dll" => [OK]
load DLL "C:\WINDOWS\System32\drprov.dll" => [OK]
load DLL "C:\WINDOWS\System32\ntlanman.dll" => [OK]
load DLL "C:\WINDOWS\System32\NETUI0.dll" => [OK]
load DLL "C:\WINDOWS\System32\NETUI1.dll" => [OK]
load DLL "C:\WINDOWS\System32\NETRAP.dll" => [OK]
load DLL "C:\WINDOWS\System32\SAMLIB.dll" => [OK]
load DLL "C:\WINDOWS\System32\davclnt.dll" => [OK]
load DLL "C:\WINDOWS\system32\WZCSAPI.DLL" => [OK]
load DLL "C:\WINDOWS\system32\wzcdlg.dll" => [OK]
load DLL "C:\WINDOWS\system32\WINHTTP.dll" => [OK]
load DLL "C:\WINDOWS\system32\shdoclc.dll" => [OK]
load DLL "ws2_32" => [OK]
load DLL "wininet" => [OK]
load DLL "msvcrt" => [OK]
load DLL "advapi32" => [OK]
load DLL "user32" => [OK]
load DLL "comctl32.dll" => [OK]
load DLL "RASAPI32.DLL" => [OK]
load DLL "RTUTILS.DLL" => [OK]
load DLL "sensapi.dll" => [OK]
load DLL "ntdll.dll" => [OK]
load DLL "SHELL32.dll" => [OK]
load DLL "USERENV.dll" => [OK]
load DLL "netapi32.dll" => [OK]
load DLL "WS2_32.dll" => [OK]

typFileSystem:
get file attributes of "c:\analyse\cwsandbox.exe"
open named pipe "\\.\PIPE\InitShutdown" (CreationDistribution: "OPEN_EXISTING",DesiredAccess: "FILE_ANY_ACCESS",Flags: "SECURITY_ANONYMOUS")
open file "C:\WINDOWS\system32\rywxaeja.exe" (CreationDistribution: "OPEN_EXISTING",DesiredAccess: "FILE_ANY_ACCESS",Flags: "SECURITY_ANONYMOUS")
open named pipe "\\.\PIPE\winreg" (CreationDistribution: "OPEN_EXISTING",DesiredAccess: "FILE_ANY_ACCESS",Flags: "SECURITY_ANONYMOUS")
open named pipe "\\.\PIPE\lsarpc" (CreationDistribution: "OPEN_EXISTING",DesiredAccess: "FILE_ANY_ACCESS",Flags: "SECURITY_ANONYMOUS")
find file "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Connections\Pbk*.pbk"
find file "C:\WINDOWS\system32\Ras*.pbk"
get file attributes of "c:\autoexec.bat"
open file "c:\autoexec.bat" (CreationDistribution: "OPEN_EXISTING",DesiredAccess: "FILE_ANY_ACCESS,FILE_READ_ATTRIBUTES",Flags: "FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS")
find file "C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Network\Connections\Pbk*.pbk"
create/open file "\Device\RasAcd" (CreationDistribution: "OPEN_ALWAYS",DesiredAccess: "FILE_ANY_ACCESS,FILE_READ_ATTRIBUTES",Flags: "FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS")

typMutex:
create mutex "u8"
create mutex "u9"
create mutex "u10"
create mutex "u11"
create mutex "u12"
create mutex "u13"
create mutex "u13i"
create mutex "u13.2i"
create mutex "u14"
create mutex "uterm13.2i"
create mutex "RasPbFile"

typRegistry:
read value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Update"
read value "HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService\DefaultAuthLevel"

typService:
open service "RASMAN"
enumerate services

typSystemInfo:
get Systemtime
get SystemDirectory
get Computername

typUser:
get actual username
impersonate as user "Administrator"

typWinSock:
socket 0
Winsock initialized (WSAStartup)
GetHostByName for host "moscow-advokat.ru"
GetHostByName for host "ced.dal.net" => 194.14.236.50
socket 2864
[TCP] Try to connect host "0.0.0.0", remoteport: 6667
[TCP] Try to connect host "0.0.0.0", remoteport: 6667
[TCP] Try to connect host "0.0.0.0", remoteport: 6667
[TCP] Try to connect host "0.0.0.0", remoteport: 6667
[TCP] Try to connect host "0.0.0.0", remoteport: 6667
[TCP] Try to connect host "0.0.0.0", remoteport: 6667
[TCP] Try to connect host "0.0.0.0", remoteport: 6667
[TCP] Try to connect host "0.0.0.0", remoteport: 6667
[TCP] Try to connect host "0.0.0.0", remoteport: 6667
[TCP] Try to connect host "194.14.236.50", remoteport: 6667
Connection established
socket 2928
[TCP] Listen on localport: 113
Accepted a connection from host "194.14.236.50", remoteport: 1906, localport: 113, used childsocket: 4228
socket 2952
[TCP] Listen on localport: 3067
socket 2964
[TCP] Listen on localport: 3885
socket 3032
[TCP] Try to connect host "180.47.73.210", remoteport: 445
[TCP] Try to connect host "18.0.38.8", remoteport: 445
[TCP] Try to connect host "18.0.169.92", remoteport: 445
[TCP] Try to connect host "73.225.162.34", remoteport: 445
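As an added example (not part of the original post and not CWSandbox's own code), here is a small Python parser for the report format shown above. It groups the logged actions per process and flags the behaviours a defender would want surfaced from this run: the Run-key persistence entry, thread and memory operations aimed at another PID (the Explorer.EXE injection), the IRC connection on port 6667, and repeated connects to port 445. The sample report is a constructed excerpt whose values mirror the report above; the tag names and the "three distinct hosts" threshold are my own choices.

```python
import re
from collections import defaultdict
# Constructed excerpt in the CWSandbox text format shown above; values mirror the report.
SAMPLE_REPORT = r"""proc_1
PID=720
typRegistry:
set value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Update" to "C:\WINDOWS\system32\rywxaeja.exe"
proc_2
PID=744
typThread:
create remote thread in process PID "908" (dwCreationFlags: "CREATE_SUSPENDED")
proc_3
PID=908
typWinSock:
[TCP] Try to connect host "194.14.236.50", remoteport: 6667
[TCP] Try to connect host "180.47.73.210", remoteport: 445
[TCP] Try to connect host "18.0.38.8", remoteport: 445
[TCP] Try to connect host "18.0.169.92", remoteport: 445
"""
RUN_KEY = re.compile(r'^set value "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\', re.I)
CONNECT = re.compile(r'^\[TCP\] Try to connect host "([^"]+)", remoteport: (\d+)')
REMOTE_PID = re.compile(r'in process PID "(\d+)"')

def parse_report(text):  # -> {pid: {category: [action lines]}}
    procs, pid, cat = {}, None, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("PID="):
            pid, cat = int(line[4:]), None
            procs[pid] = defaultdict(list)
        elif line.startswith("typ") and line.endswith(":"):
            cat = line[3:-1]
        elif line.startswith(("proc_", "---")):
            cat = None  # process header or separator: no category yet
        elif pid is not None and cat:
            procs[pid][cat].append(line)
    return procs

def flag_behaviours(procs):  # -> {pid: sorted behaviour tags}
    flags = defaultdict(set)
    for pid, cats in procs.items():
        if any(RUN_KEY.match(l) for l in cats["Registry"]):
            flags[pid].add("persistence:run-key")
        for m in filter(None, map(REMOTE_PID.search, cats["Thread"] + cats["VirtualMemory"])):
            if int(m.group(1)) != pid:  # thread/memory operations aimed at another process
                flags[pid].add("injection:pid-" + m.group(1))
        conns = [m.groups() for m in map(CONNECT.match, cats["WinSock"]) if m]
        if any(port == "6667" and host != "0.0.0.0" for host, port in conns):
            flags[pid].add("c2:irc")
        if len({host for host, port in conns if port == "445"}) >= 3:  # many hosts probed on 445
            flags[pid].add("scan:smb-445")
    return {pid: sorted(f) for pid, f in flags.items()}
```

Running it on the full report above yields the same three tags for PIDs 720, 744 and 908; the parser ignores the header and separator lines, so the report can be fed in unchanged.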
