7. Analysis and report examples


Email-Worm.Win32.NetSky.p


Analysis:


Detailed report of suspicious malware actions:


Defined file type copied to Windows folder: D:\WINDOWS\AVBgle.exe

Defined registry AutoStart location added or modified: machine\software\microsoft\Windows\CurrentVersion\Run\MSInfo = D:\WINDOWS\AVBgle.exe

Internet connection: Connects to "212.27.42.58 (free.fr)" on port 25.

Internet connection: Connects to "72.14.221.27 (1e100.net)" on port 25.

Internet connection: Connects to "64.12.138.153 (aol.com)" on port 25.

Internet connection: Connects to "72.167.238.201 (secureserver.net)" on port 25.

Created an event named: E4162AEC-7EEF-4ea6-8FB5-E2B6A3CE3504


Report:


[ General information ]

* Filename: c:\test\test.exe

* File length: 16384 bytes

* MD5 hash: 9d7006e30fdf15e9c8e03e62534b3a3e

* SHA1 hash: e92e8baed155215b38b02b280268b63b9a151528

* SHA256 hash: 1cfd62b017f237699f20d8c099d510fd0b360e86257056ad6e05d7d96e0a245c


[ Changes to filesystem ]

* Creates file D:\WINDOWS\AVBgle.exe

* Creates file D:\WINDOWS\base64.tmp


[ Changes to registry ]

* Deletes Registry key HKEY_LOCAL_MACHINE\software\Classes\clsid\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

* Creates value "MSInfo=D:\WINDOWS\AVBgle.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run

* Modifies value "SavedLegacySettings=3C00000044000000010000000000000000000000000000000400000000000000A04E57F7782DCA0101000000C0A800040000000000000000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections old value "SavedLegacySettings=3C00000043000000010000000000000000000000000000000400000000000000A04E57F7782DCA0101000000C0A800040000000000000000"


[ Network services ]

* Looks for an Internet connection.

* Connects to "212.27.42.58 (free.fr)" on port 25.

* Connects to "72.14.221.27 (1e100.net)" on port 25.

* Connects to "64.12.138.153 (aol.com)" on port 25.

* Connects to "72.167.238.201 (secureserver.net)" on port 25.


[ Process/window information ]

* Creates a mutex Bgl_*L*o*o*s*e*.

* Creates a mutex _!MSFTHISTORY!_.

* Creates a mutex d:!documents and settings!test!configuración local!archivos temporales de internet!content.ie5!.

* Creates a mutex d:!documents and settings!test!cookies!.

* Creates a mutex d:!documents and settings!test!configuración local!historial!history.ie5!.

* Creates a mutex RasPbFile.

* Creates an event named "E4162AEC-7EEF-4ea6-8FB5-E2B6A3CE3504".



P2P-Worm.Win32.Goldun.a


Analysis:


Detailed report of suspicious malware actions:


Defined file type copied to Windows folder: D:\WINDOWS\system32\mcfCC4.dll

Defined file type copied to Windows folder: D:\WINDOWS\system32\mcfdrv.sys

Defined registry AutoStart location added or modified: machine\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4\DllName = 6D00630066004300430034002E0064006C006C000000

Defined registry AutoStart location added or modified: machine\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4\Startup = mcfCC4Sta

Defined registry AutoStart location added or modified: machine\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4\Impersonate = 01000000

Defined registry AutoStart location added or modified: machine\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4\Asynchronous = 01000000

Defined registry AutoStart location added or modified: machine\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4\MaxWait = 01000000

Defined registry AutoStart location added or modified: machine\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4\key4 = [36590096273976988461[Test]

Defined registry AutoStart location added or modified: machine\SYSTEM\CurrentControlSet\Services\BusterSvc\SandboxedServices = mcfdrv

Defined registry AutoStart location added or modified: machine\SYSTEM\CurrentControlSet\Services\mcfdrv\Type = 01000000

Defined registry AutoStart location added or modified: machine\SYSTEM\CurrentControlSet\Services\mcfdrv\Start = 01000000

Defined registry AutoStart location added or modified: machine\SYSTEM\CurrentControlSet\Services\mcfdrv\DisplayName = MCFservice

Defined registry AutoStart location added or modified: machine\SYSTEM\CurrentControlSet\Services\mcfdrv\ImagePath = D:\WINDOWS\system32\mcfdrv.sys

Detected backdoor listening on port: 4050

Created a service named: MCFservice

Created an event named: E4162AEC-7EEF-4ea6-8FB5-E2B6A3CE3504


Report:


[ General information ]

* Filename: c:\test\test.exe

* File length: 20049 bytes

* MD5 hash: a1f9189a474ca1b73dff4ebe05621981

* SHA1 hash: d33271300cb3487e11df8eb162f5cc92fbd4790e

* SHA256 hash: 6b0104d0514aefef7b67e89c4d7ac8a58be2ecfb5648e3a595271d07ce05b07b


[ Changes to filesystem ]

* Creates file D:\WINDOWS\system32\mcfCC4.dll

* Creates file D:\WINDOWS\system32\mcfdrv.sys


[ Changes to registry ]

* Creates value "DllName=6D00630066004300430034002E0064006C006C000000" in key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4

* Creates value "Startup=mcfCC4Sta" in key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4

* Creates value "Impersonate=01000000" in key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4

* Creates value "Asynchronous=01000000" in key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4

* Creates value "MaxWait=01000000" in key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4

* Creates value "key4=[36590096273976988461[Test]" in key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4

* Creates value "SandboxedServices=mcfdrv" in key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BusterSvc

* Creates value "Type=01000000" in key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfdrv

* Creates value "Start=01000000" in key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfdrv

* Creates value "DisplayName=MCFservice" in key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfdrv

* Creates value "ImagePath=D:\WINDOWS\system32\mcfdrv.sys" in key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfdrv


[ Network services ]

* Backdoor functionality on port 4050.


[ Process/window information ]

* Creates a service named "MCFservice".

* Creates an event named "E4162AEC-7EEF-4ea6-8FB5-E2B6A3CE3504".