Analysis Summary:

Analysis Date: 13.08.2006 00:34:48
Sandbox Version: Beta 1.73
Filename: 9928a1e6601cf00d0b7826d13fb556f0.exe

Technical Details:

Analysis Number: 1
Parent ID: 0
Process ID: 2004
Filename: c:\analysis\binary\9928a1e6601cf00d0b7826d13fb556f0.exe
Filesize: 9609 bytes
MD5: 9928a1e6601cf00d0b7826d13fb556f0
Start Reason: AnalysisTarget
Termination Reason: NormalTermination
Start Time: 00:00.078
Stop Time: 00:05.531
Detection: OK (ClamAV)
Generic.Malware.IXdld.658BDD6B (BDC/Linux-Console)
OK (AntiVir Workstation)
DLL-Handling
Loaded DLLs
c:\analysis\binary\9928a1e6601cf00d0b7826d13fb556f0.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\advapi32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\wsock32.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\Wship6.dll
C:\WINDOWS\system32\pstorec.dll
C:\WINDOWS\system32\ATL.DLL
C:\WINDOWS\System32\mswsock.dll
C:\WINDOWS\system32\DNSAPI.dll
C:\WINDOWS\System32\winrnr.dll
C:\WINDOWS\system32\WLDAP32.dll
C:\WINDOWS\system32\Secur32.dll
KERNEL32.dll
USER32.dll
WS2_32.dll
ADVAPI32.dll
MSWSOCK.dll
VERSION.dll
Filesystem
New Files
C:\WINDOWS\system32\wgareg.exe
Opened Files
\SystemRoot\AppPatch\sysmain.sdb
\SystemRoot\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\explorer.exe
Chronological order
Set File Attributes: C:\WINDOWS\system32\wgareg.exe Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS)
Copy File: c:\analysis\binary\9928a1e6601cf00d0b7826d13fb556f0.exe to C:\WINDOWS\system32\wgareg.exe
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\explorer.exe ()
Find File: explorer.exe
Registry
Reads
\Registry\Machine\SYSTEM\WPA\MediaCenter "Installed"
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers "C:\WINDOWS\explorer.exe"
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags "{8daa3198-f1f6-4d1d-9aa1-0a673bd3d3fb}"
Process Management
Creates Process - Filename () CommandLine: (explorer.exe) As User: () Creation Flags: (CREATE_SUSPENDED)
Service Management
Open Service Manager - Name: "SCM"
Open Service - Name: "wgareg"
Create Service - Name: (wgareg) Display Name: (Windows Genuine Advantage Registration Service) File Name: (C:\WINDOWS\system32\wgareg.exe) Control: () Start Type: (SERVICE_AUTO_START)
Start Service - Name: (wgareg) Display Name: () File Name: () Control: () Start Type: ()
Change Service Configuration - Name: (wgareg) Display Name: () File Name: () Control: () Start Type: (SERVICE_NO_CHANGE)
Change Service Configuration - Name: (wgareg) Display Name: (Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability.) File Name: () Control: () Start Type: (SERVICE_NO_CHANGE)
System Info
Get System Directory
Threads
Create Remote Thread - Target PID (600) Thread ID ($06FC) Thread ID ($00090000) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)
Virtual Memory
VM Allocate - Target: (600) Address: ($00090000) Size: (4096) Protect: (PAGE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (600) Address: ($000A0000) Size: (1048576) Protect: (PAGE_READWRITE) Allocation Type: (MEM_RESERVE)
VM Allocate - Target: (600) Address: ($0019E000) Size: (8192) Protect: (PAGE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Protect - Target: (600) Address: ($00090000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (600) Address: ($00090000) Size: (4096) Protect: (PAGE_READWRITE)
VM Protect - Target: (600) Address: ($00090000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (600) Address: ($0019E000) Size: (4096) Protect: (PAGE_READWRITE,PAGE_GUARD)
VM Write - Target: (600) Address: ($00090000) Size: (52)
VM Write - Target: (600) Address: ($00090034) Size: (260)

Analysis Number: 2
Parent ID: 0
Process ID: 528
Filename: services.exe
Filesize: -1 bytes
MD5:
Start Reason: SCM
Termination Reason: Timeout
Start Time: 00:01.438
Stop Time: 02:01.156
Process Management
Creates Process - Filename () CommandLine: (C:\WINDOWS\system32\wgareg.exe) As User: () Creation Flags: (CREATE_SUSPENDED,CREATE_UNICODE_ENVIRONMENT,DETACHED_PROCESS)

The following process was started by process: 2
Analysis Number: 3
Parent ID: 2
Process ID: 972
Filename: C:\WINDOWS\system32\wgareg.exe
Filesize: 9609 bytes
MD5: 9928a1e6601cf00d0b7826d13fb556f0
Start Reason: CreateProcess
Termination Reason: Timeout
Start Time: 00:02.625
Stop Time: 02:01.125
Detection: OK (ClamAV)
Generic.Malware.IXdld.658BDD6B (BDC/Linux-Console)
OK (AntiVir Workstation)
DLL-Handling
Loaded DLLs
C:\WINDOWS\system32\wgareg.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\advapi32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\wsock32.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\Wship6.dll
C:\WINDOWS\system32\pstorec.dll
C:\WINDOWS\system32\ATL.DLL
C:\WINDOWS\System32\mswsock.dll
C:\WINDOWS\system32\DNSAPI.dll
C:\WINDOWS\System32\winrnr.dll
C:\WINDOWS\system32\WLDAP32.dll
C:\WINDOWS\system32\Secur32.dll
KERNEL32.dll
USER32.dll
WS2_32.dll
ADVAPI32.dll
MSWSOCK.dll
dnsapi.dll
Filesystem
New Files
\Device\RasAcd
Chronological order
Set File Attributes: C:\WINDOWS\debug\dcpromo.log Flags: (FILE_ATTRIBUTE_READONLY,SECURITY_ANONYMOUS)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Mutexes
Creates Mutex: wgareg
Registry
Create or Open
HKEY_LOCAL_MACHINE\software\microsoft\ole
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\lanmanserver\parameters
HKEY_LOCAL_MACHINE\software\microsoft\security center
HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile
HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\standardprofile
Changes
HKEY_LOCAL_MACHINE\software\microsoft\ole "enabledcom" = n
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa "restrictanonymous" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa "restrictanonymoussam" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\lanmanserver\parameters "autoshareserver" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\lanmanserver\parameters "autosharewks" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\software\microsoft\security center "antivirusdisablenotify" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\software\microsoft\security center "antivirusoverride" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\software\microsoft\security center "firewalldisablenotify" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\software\microsoft\security center "firewalldisableoverride" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile "enablefirewall" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\standardprofile "enablefirewall" = [REG_DWORD, value: 00000000]
Reads
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
Service Management
Open Service Manager - Name: "SCM"
Open Service - Name: "sharedaccess"
Control Service - Name: (sharedaccess) Display Name: () File Name: () Control: (SERVICE_CONTROL_STOP) Start Type: ()
Change Service Configuration - Name: (sharedaccess) Display Name: () File Name: () Control: () Start Type: (SERVICE_DISABLED)
System Info
Get Windows Directory
Network Activity
DNS Lookup
Host Name            IP Address
bniu.househot.com    61.189.243.240
  • C&C Server: 61.189.243.240:18067
  • Server Password:
  • Username: n1-00b81cd0
  • Nickname: n1-00b81cd0
  • Joined channel #n1 nert4mp1

The following process was started by process: 1
Analysis Number: 4
Parent ID: 1
Process ID: 600
Filename: explorer.exe
Filesize: -1 bytes
MD5:
Start Reason: CreateProcess
Termination Reason: Timeout
Start Time: 00:05.203
Stop Time: 02:01.234

Report generated at 13.08.2006 00:34:48 with CWSandbox Version Beta 1.73
This analysis was created by the CWSandbox Copyright © 2006 Carsten Willems
Copyright © 1996-2006 Sunbelt Software. All rights reserved.