7. Analysis and report examples
Email-Worm.Win32.NetSky.p
Analysis:
Detailed report of suspicious malware actions:
Defined file type copied to Windows folder: D:\WINDOWS\AVBgle.exe
Defined registry AutoStart location added or modified: machine\software\microsoft\Windows\CurrentVersion\Run\MSInfo = D:\WINDOWS\AVBgle.exe
Internet connection: Connects to "212.27.42.58 (free.fr)" on port 25.
Internet connection: Connects to "72.14.221.27 (1e100.net)" on port 25.
Internet connection: Connects to "64.12.138.153 (aol.com)" on port 25.
Internet connection: Connects to "72.167.238.201 (secureserver.net)" on port 25.
Created an event named: E4162AEC-7EEF-4ea6-8FB5-E2B6A3CE3504
Report:
[ General information ]
* Filename: c:\test\test.exe
* File length: 16384 bytes
* MD5 hash: 9d7006e30fdf15e9c8e03e62534b3a3e
* SHA1 hash: e92e8baed155215b38b02b280268b63b9a151528
* SHA256 hash: 1cfd62b017f237699f20d8c099d510fd0b360e86257056ad6e05d7d96e0a245c
[ Changes to filesystem ]
* Creates file D:\WINDOWS\AVBgle.exe
* Creates file D:\WINDOWS\base64.tmp
[ Changes to registry ]
* Deletes Registry key HKEY_LOCAL_MACHINE\software\Classes\clsid\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
* Creates value "MSInfo=D:\WINDOWS\AVBgle.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
* Modifies value "SavedLegacySettings=3C00000044000000010000000000000000000000000000000400000000000000A04E57F7782DCA0101000000C0A800040000000000000000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections old value "SavedLegacySettings=3C00000043000000010000000000000000000000000000000400000000000000A04E57F7782DCA0101000000C0A800040000000000000000"
[ Network services ]
* Looks for an Internet connection.
* Connects to "212.27.42.58 (free.fr)" on port 25.
* Connects to "72.14.221.27 (1e100.net)" on port 25.
* Connects to "64.12.138.153 (aol.com)" on port 25.
* Connects to "72.167.238.201 (secureserver.net)" on port 25.
[ Process/window information ]
* Creates a mutex Bgl_*L*o*o*s*e*.
* Creates a mutex _!MSFTHISTORY!_.
* Creates a mutex d:!documents and settings!test!configuración local!archivos temporales de internet!content.ie5!.
* Creates a mutex d:!documents and settings!test!cookies!.
* Creates a mutex d:!documents and settings!test!configuración local!historial!history.ie5!.
* Creates a mutex RasPbFile.
* Creates an event named "E4162AEC-7EEF-4ea6-8FB5-E2B6A3CE3504".
P2P-Worm.Win32.Goldun.a
Analysis:
Detailed report of suspicious malware actions:
Defined file type copied to Windows folder: D:\WINDOWS\system32\mcfCC4.dll
Defined file type copied to Windows folder: D:\WINDOWS\system32\mcfdrv.sys
Defined registry AutoStart location added or modified: machine\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4\DllName = 6D00630066004300430034002E0064006C006C000000
Defined registry AutoStart location added or modified: machine\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4\Startup = mcfCC4Sta
Defined registry AutoStart location added or modified: machine\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4\Impersonate = 01000000
Defined registry AutoStart location added or modified: machine\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4\Asynchronous = 01000000
Defined registry AutoStart location added or modified: machine\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4\MaxWait = 01000000
Defined registry AutoStart location added or modified: machine\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4\key4 = [36590096273976988461[Test]
Defined registry AutoStart location added or modified: machine\SYSTEM\CurrentControlSet\Services\BusterSvc\SandboxedServices = mcfdrv
Defined registry AutoStart location added or modified: machine\SYSTEM\CurrentControlSet\Services\mcfdrv\Type = 01000000
Defined registry AutoStart location added or modified: machine\SYSTEM\CurrentControlSet\Services\mcfdrv\Start = 01000000
Defined registry AutoStart location added or modified: machine\SYSTEM\CurrentControlSet\Services\mcfdrv\DisplayName = MCFservice
Defined registry AutoStart location added or modified: machine\SYSTEM\CurrentControlSet\Services\mcfdrv\ImagePath = D:\WINDOWS\system32\mcfdrv.sys
Detected backdoor listening on port: 4050
Created a service named: MCFservice
Created an event named: E4162AEC-7EEF-4ea6-8FB5-E2B6A3CE3504
Report:
[ General information ]
* Filename: c:\test\test.exe
* File length: 20049 bytes
* MD5 hash: a1f9189a474ca1b73dff4ebe05621981
* SHA1 hash: d33271300cb3487e11df8eb162f5cc92fbd4790e
* SHA256 hash: 6b0104d0514aefef7b67e89c4d7ac8a58be2ecfb5648e3a595271d07ce05b07b
[ Changes to filesystem ]
* Creates file D:\WINDOWS\system32\mcfCC4.dll
* Creates file D:\WINDOWS\system32\mcfdrv.sys
[ Changes to registry ]
* Creates value "DllName=6D00630066004300430034002E0064006C006C000000" in key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4
* Creates value "Startup=mcfCC4Sta" in key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4
* Creates value "Impersonate=01000000" in key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4
* Creates value "Asynchronous=01000000" in key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4
* Creates value "MaxWait=01000000" in key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4
* Creates value "key4=[36590096273976988461[Test]" in key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\mcfCC4
* Creates value "SandboxedServices=mcfdrv" in key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BusterSvc
* Creates value "Type=01000000" in key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfdrv
* Creates value "Start=01000000" in key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfdrv
* Creates value "DisplayName=MCFservice" in key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfdrv
* Creates value "ImagePath=D:\WINDOWS\system32\mcfdrv.sys" in key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfdrv
[ Network services ]
* Backdoor functionality on port 4050.
[ Process/window information ]
* Creates a service named "MCFservice".
* Creates an event named "E4162AEC-7EEF-4ea6-8FB5-E2B6A3CE3504".