Analysis Summary:

Analysis Date: 05.10.2006 01:17:22
Sandbox Version: Beta 1.80
Filename: d337a417c3e62c6e134b23a431fc8ccd.exe

Technical Details:

Analysis Number: 1
Parent ID: 0
Process ID: 516
Filename: c:\analysis\binary\d337a417c3e62c6e134b23a431fc8ccd.exe
Filesize: 872448 bytes
MD5: d337a417c3e62c6e134b23a431fc8ccd
Start Reason: AnalysisTarget
Termination Reason: Timeout
Start Time: 00:00.047
Stop Time: 02:00.735
Detection:
Trojan.Spy.Banker-126 (ClamAV)
Generic.Banker.Delf.7E6456EC (BDC/Linux-Console)
Trojan/Spy.Banbra.BD (AntiVir Workstation)
DLL-Handling
Loaded DLLs
c:\analysis\binary\d337a417c3e62c6e134b23a431fc8ccd.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\advapi32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\version.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\wininet.dll
C:\WINDOWS\system32\CRYPT32.dll
C:\WINDOWS\system32\MSASN1.dll
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\system32\wsock32.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\
C:\WINDOWS\system32\Wship6.dll
C:\WINDOWS\system32\pstorec.dll
C:\WINDOWS\system32\ATL.DLL
C:\WINDOWS\System32\mswsock.dll
C:\WINDOWS\system32\DNSAPI.dll
C:\WINDOWS\System32\winrnr.dll
C:\WINDOWS\system32\WLDAP32.dll
C:\WINDOWS\system32\Secur32.dll
c:\analysis\binary\d337a417c3e62c6e134b23a431fc8ccd.DEU
c:\analysis\binary\d337a417c3e62c6e134b23a431fc8ccd.DE
uxtheme.dll
olepro32.dll
WS2_32.DLL
comctl32.dll
RASAPI32.DLL
RTUTILS.DLL
SHELL32.dll
USERENV.dll
netapi32.dll
rpcrt4.dll
Filesystem
New Files
C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\system32.exe
C:\Documents and Settings\All Users\start menu\programs\startup\system32.exe
C:\WINDOWS\system32\system32.exe
\Device\RasAcd
Opened Files
\\.\PIPE\lsarpc
c:\autoexec.bat
Chronological order
Copy File: c:\analysis\binary\d337a417c3e62c6e134b23a431fc8ccd.exe to C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\system32.exe
Copy File: c:\analysis\binary\d337a417c3e62c6e134b23a431fc8ccd.exe to C:\Documents and Settings\All Users\start menu\programs\startup\system32.exe
Copy File: c:\analysis\binary\d337a417c3e62c6e134b23a431fc8ccd.exe to C:\WINDOWS\system32\system32.exe
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING)
Find File: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\WINDOWS\system32\Ras\*.pbk
Find File: C:\Documents and Settings\foobar\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Find File: C:\WINDOWS\system32\Netaps.txt
Mutexes
Creates Mutex: fataL MuTexXx
Creates Mutex: RasPbFile
Registry
Create or Open
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\MS SETUP (ACME)\
Changes
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "system32" = C:\WINDOWS\system32\system32.exe
Reads
Software\Microsoft\Windows\CurrentVersion\ThemeManager "Compositing"
Control Panel\Desktop "LameButtonText"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion "ProductName"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion "CurrentVersion"
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
Process Management
Creates Process - Filename: () CommandLine: (IExplore WWW_GetWindowInfo) As User: () Creation Flags: ()
(No image path is recorded; WWW_GetWindowInfo is the DDE topic browsers expose to return the URL and title of an open window, which is how a banker identifies which site the user is visiting.)
Service Management
Open Service Manager - Name: "SCM"
Open Service - Name: "RASMAN"
System Info
Get System Directory
Get Computer Name
Get System Time
User Management
Impersonate User - Domain: () User: (foobar)
Window
Enum Windows
Network Activity
DNS Lookup
Host Name            IP Address
gsmtp185.google.com  64.233.185.27
  • SMTP: 64.233.185.27:25
  • Username / Password: (empty) / (empty)
  • Content (captured message, one header per line; Portuguese strings are kept verbatim with an English translation in brackets):
    From: "!Mensagem [Cartao]!"   [Message [Card]]
    Subject: FOO [Infectado por fataL]   [FOO [Infected by fataL]]
    To: xtinfecs@gmail.com
    Date: Thu, 5 Oct 2006 01:15:26 +0200
    X-Priority: 1
    X-Library: Indy 9.00.10
    !============fataL CorP============!
    !Maquina?: FOO!   [Machine: FOO]
    !Vítima LOGADA: !   [Logged-in victim: ]
    !IP: 123.456.789.abc!
    !Data de Abertura: 05.10.2006 Hora de Abertura: 01:15:24   [Opened on: 05.10.2006 Opened at: 01:15:24]
    !Sistema?: Microsoft Windows XP (version 5.1)!   [System: Microsoft Windows XP (version 5.1)]
    !Endereço da Placa: 00-AB-CD-EF-GH-00!   [Adapter (MAC) address: 00-AB-CD-EF-GH-00]
    !============fataL CorP============!
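The behaviour recorded for this process (three copies of itself into the localised and English Startup folders and into system32, a Run-key value pointing at the system32 copy, the "fataL MuTexXx" mutex, and an unauthenticated SMTP beacon to a Gmail relay) is exactly the material a responder turns into detection content. The Python below is an added example, not CWSandbox code and not the sample's own logic: it parses a constructed subset of the report lines above into indicators, maps them to behaviour tags, and parses the re-split SMTP headers to recover the operator mailbox and the mailer library. The line-format regexes, the TARGET path and the two startup-folder markers (English and the Portuguese "Inicializar" seen here) are assumptions taken from this report; other locales would need their own markers.

```python
import re
from email.parser import HeaderParser

# Behaviour lines constructed from the CWSandbox report above (a subset of its
# "Chronological order", "Mutexes", "Changes" and "Network Activity" sections).
# This is an added example; it is not the sandbox's own parser.
SAMPLE_REPORT = r"""
Copy File: c:\analysis\binary\d337a417c3e62c6e134b23a431fc8ccd.exe to C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\system32.exe
Copy File: c:\analysis\binary\d337a417c3e62c6e134b23a431fc8ccd.exe to C:\Documents and Settings\All Users\start menu\programs\startup\system32.exe
Copy File: c:\analysis\binary\d337a417c3e62c6e134b23a431fc8ccd.exe to C:\WINDOWS\system32\system32.exe
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Creates Mutex: fataL MuTexXx
Creates Mutex: RasPbFile
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "system32" = C:\WINDOWS\system32\system32.exe
SMTP: 64.233.185.27:25
"""

# The captured SMTP payload, re-split into one header per line (the report
# flattens it onto a single line); the body banner is omitted here.
SAMPLE_EXFIL = """\
From: "!Mensagem [Cartao]!"
Subject: FOO [Infectado por fataL]
To: xtinfecs@gmail.com
Date: Thu, 5 Oct 2006 01:15:26 +0200
X-Priority: 1
X-Library: Indy 9.00.10
"""

# Path of the analysed sample, taken from the report (assumption: reports
# always name the analysis target this way).
TARGET = r"c:\analysis\binary\d337a417c3e62c6e134b23a431fc8ccd.exe"

COPY_RE = re.compile(r"^Copy File: (?P<src>.+?) to (?P<dst>.+)$")
MUTEX_RE = re.compile(r"^Creates Mutex: (?P<name>.+)$")
RUN_RE = re.compile(
    r'^(?P<key>HKEY_\w+\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?)'
    r' "(?P<name>[^"]+)" = (?P<value>.+)$',
    re.IGNORECASE,
)
SMTP_RE = re.compile(r"SMTP: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")

# Startup-folder markers: the English name and the Portuguese localised name
# seen in this report. Other locales need their own entries (assumption).
STARTUP_MARKERS = ("\\startup\\", "\\inicializar\\")


def parse_report(text, target=TARGET):
    """Pull file copies, mutexes, Run-key values and SMTP endpoints out of report lines."""
    ind = {"copies": [], "mutexes": [], "run_keys": {}, "smtp": []}
    for line in text.splitlines():
        line = line.strip()
        if m := COPY_RE.match(line):
            ind["copies"].append((m["src"], m["dst"]))
        elif m := MUTEX_RE.match(line):
            ind["mutexes"].append(m["name"].strip())
        elif m := RUN_RE.match(line):
            ind["run_keys"][m["name"]] = m["value"].strip()
        elif m := SMTP_RE.search(line):
            ind["smtp"].append((m["ip"], int(m["port"])))
    ind["target"] = target.lower()
    return ind


def classify(ind):
    """Map raw indicators to behaviour tags a detection rule can key on."""
    tags = set()
    for src, dst in ind["copies"]:
        dst_l = dst.lower()
        if src.lower() == ind["target"]:
            tags.add("self_copy")              # sample replicates its own image
        if any(mark in dst_l for mark in STARTUP_MARKERS):
            tags.add("persistence:startup_folder")
        if "\\windows\\system32\\" in dst_l:
            tags.add("drop:system_dir")        # copy placed among OS binaries
    if ind["run_keys"]:
        tags.add("persistence:run_key")
    if ind["smtp"]:
        tags.add("exfil:smtp")                 # direct SMTP beacon from the host
    return tags


def is_banker_like(tags):
    """Self-copy plus any persistence plus SMTP beaconing is the pattern this sample shows."""
    persistence = {"persistence:run_key", "persistence:startup_folder"}
    return "self_copy" in tags and bool(tags & persistence) and "exfil:smtp" in tags


def parse_exfil_headers(raw):
    """Extract the headers that identify the drop mailbox and the mailer library."""
    msg = HeaderParser().parsestr(raw)
    return {h: msg[h] for h in ("From", "To", "Subject", "X-Library") if msg[h]}


if __name__ == "__main__":
    indicators = parse_report(SAMPLE_REPORT)
    tags = classify(indicators)
    print(sorted(tags), is_banker_like(tags))
    print(parse_exfil_headers(SAMPLE_EXFIL))
```

The `X-Library: Indy 9.00.10` header is worth keying on separately: it is the Delphi Indy component stamping its own version, which matches the "Delf" detection name and is rarely present in legitimate mail from a workstation.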

Analysis Number: 2
Parent ID: 0
Process ID: 704
Filename: services.exe
Filesize: -1 bytes (not recorded)
MD5: (not recorded)
Start Reason: SCM
Termination Reason: Timeout
Start Time: 00:02.641
Stop Time: 02:00.766

Report generated at 05.10.2006 01:17:22 with CWSandbox Version Beta 1.80
This analysis was created by the CWSandbox Copyright © 2006 Carsten Willems
Copyright © 1996-2006 Sunbelt Software. All rights reserved.