Remote Host      Port Number
204.0.5.41       80
204.0.5.51       80
208.43.36.96     80
216.178.38.168   80
74.125.65.155    80
74.125.65.165    80
212.25.51.125    2345

IRC traffic sent to 212.25.51.125:2345
PASS xxx
MODE NEW-[USA|00|P|59898] -ix
JOIN #!gf! test
PONG 22 MOTD
NICK NEW-[USA|00|P|59898]
USER XP-9475 * 0 :COMPUTERNAME
Now talking in #!gf!
Topic On: [ #!gf! ] [ .m.s|.m.e is this you on pic? :) http://facebook.vjwlimited.com/photos.php?= ]
Topic By: [ wd74 ]
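The IRC login above, parsed and scored as an added example; this is not output of the sandbox that produced the report. SAMPLE_SESSION is constructed from the captured client traffic to 212.25.51.125:2345; the nick and username regexes, the set of standard IRC ports and the indicator wording are assumptions of this example, not signatures taken from the page.

```python
"""Extract the client side of a captured IRC login and score it against the
handshake pattern typical of IRC bots (added example, not sandbox output)."""
import re
from dataclasses import dataclass, field

# Constructed from the report: "host port" on the connect line, then the raw
# IRC commands the sample sent.
SAMPLE_SESSION = """\
212.25.51.125 2345 PASS xxx
MODE NEW-[USA|00|P|59898] -ix
JOIN #!gf! test
PONG 22 MOTD
NICK NEW-[USA|00|P|59898]
USER XP-9475 * 0 :COMPUTERNAME
"""

# Assumed bot nick convention: PREFIX-[country|id|flag|random], e.g. NEW-[USA|00|P|59898]
BOT_NICK_RE = re.compile(r"^[A-Za-z]+-\[[A-Z]{2,3}\|\d{2}\|[A-Z]\|\d+\]$")
# Assumed bot username convention: short OS tag plus digits, e.g. XP-9475
OS_TAG_USER_RE = re.compile(r"^[A-Z0-9]{1,6}-\d{3,6}$")
HOST_PORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(.*)$")
STANDARD_IRC_PORTS = {6667, 6697}   # assumption: plain and TLS IRC defaults


@dataclass
class IrcLogin:
    host: str = ""
    port: int = 0
    password: str = ""
    nick: str = ""
    user: str = ""
    realname: str = ""
    modes: str = ""
    channels: list = field(default_factory=list)    # (channel, key) pairs
    indicators: list = field(default_factory=list)


def parse_irc_login(text: str) -> IrcLogin:
    """Parse client-to-server IRC lines (RFC 1459 syntax) into an IrcLogin."""
    login = IrcLogin()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HOST_PORT_RE.match(line)
        if m:                        # "host port" prefix on the connect line
            login.host, login.port, line = m.group(1), int(m.group(2)), m.group(3)
        cmd, _, args = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "PASS":
            login.password = args
        elif cmd == "NICK":
            login.nick = args
        elif cmd == "USER":          # USER <username> <mode> <unused> :<realname>
            fields = args.split(" ", 3)
            login.user = fields[0]
            if len(fields) == 4:
                login.realname = fields[3].lstrip(":")
        elif cmd == "JOIN":          # JOIN <chan>{,<chan>} [<key>{,<key>}]
            chans, _, keys = args.partition(" ")
            key_list = keys.split(",") if keys else []
            for i, chan in enumerate(chans.split(",")):
                login.channels.append((chan, key_list[i] if i < len(key_list) else ""))
        elif cmd == "MODE":
            # User modes target a nick; MODE may precede NICK in the capture,
            # so record any MODE whose target is not a channel.
            target, _, mode = args.partition(" ")
            if not target.startswith(("#", "&")):
                login.modes = mode
    return login


def score_login(login: IrcLogin) -> IrcLogin:
    """Append human-readable bot indicators; more indicators, more suspicious."""
    if login.port and login.port not in STANDARD_IRC_PORTS:
        login.indicators.append("irc on non-standard port %d" % login.port)
    if login.password:
        login.indicators.append("server password supplied")
    if BOT_NICK_RE.match(login.nick):
        login.indicators.append("bot-style nick with country/flag tag")
    if OS_TAG_USER_RE.match(login.user):
        login.indicators.append("username looks like an OS tag")
    if any(key for _, key in login.channels):
        login.indicators.append("join to keyed channel")
    if any(re.search(r"[^#&\w-]", chan) for chan, _ in login.channels):
        login.indicators.append("channel name with punctuation")
    return login


def analyze(text: str) -> IrcLogin:
    return score_login(parse_irc_login(text))


if __name__ == "__main__":
    r = analyze(SAMPLE_SESSION)
    print("%s:%d nick=%s user=%s channels=%s" % (r.host, r.port, r.nick, r.user, r.channels))
    for ind in r.indicators:
        print(" -", ind)
```

Run stand-alone it prints the extracted fields and the six indicators that fire on this session; a plain client login (an ordinary nick and username, an unkeyed channel, port 6667) yields none. Because MODE precedes NICK in the capture, user modes are recorded for any non-channel target instead of by matching the nick.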
File Info
Name Value
Size 67072
MD5 38235fad5a1ccd67d3768f08e10904c3
SHA1 93607db31185290a08f0255e15ec0a613cfde2e5
SHA256 7fd32630409e8f83d33b1067bd042e0d8ec59c1591c077f7419ab415a2bfb057
Process Exited
• Keys Created
• Keys Changed
• Keys Deleted
• Values Created
Name Type Size Value
CU\Software\Microsoft\Windows\CurrentVersion\Run\Java developer Script Browse REG_SZ 58 "C:\Program Files\jusched.exe"
LM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\Java developer Script Browse REG_SZ 58 "C:\Program Files\jusched.exe"
LM\Software\Microsoft\Windows\CurrentVersion\Run\Java developer Script Browse REG_SZ 58 "C:\Program Files\jusched.exe"
LM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\TEST\sample.exe REG_SZ 136 "C:\Program Files\jusched.exe:*:Enabled:Java developer Script Browse"
• Values Changed
Name Type Size Value
LM\System\CurrentControlSet\Services\SharedAccess\Epoch\Epoch REG_DWORD/REG_DWORD 4/4 0x54/0x56
• Values Deleted
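The registry values in the tables above, triaged for persistence and firewall-exception indicators as an added example; this is not part of the sandbox output. SAMPLE_VALUES is constructed from the Values Created table (backslashes restored, straight quotes, CU/LM hive abbreviations as on the page). The classification rules, the size check and the assumption that a genuine Java updater (jusched.exe) lives under a Java subdirectory rather than at the Program Files root are this example's own.

```python
"""Triage sandbox registry-value lines for autorun persistence and Windows
Firewall exceptions (added example, not sandbox output)."""
import re

# Constructed from the report: <hive>\<key>\<value name> <type> <size> <data>
SAMPLE_VALUES = r'''
CU\Software\Microsoft\Windows\CurrentVersion\Run\Java developer Script Browse REG_SZ 58 "C:\Program Files\jusched.exe"
LM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\Java developer Script Browse REG_SZ 58 "C:\Program Files\jusched.exe"
LM\Software\Microsoft\Windows\CurrentVersion\Run\Java developer Script Browse REG_SZ 58 "C:\Program Files\jusched.exe"
LM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\TEST\sample.exe REG_SZ 136 "C:\Program Files\jusched.exe:*:Enabled:Java developer Script Browse"
'''

HIVES = {"CU": "HKCU", "LM": "HKLM", "U": "HKU", "CR": "HKCR", "CC": "HKCC"}
VALUE_RE = re.compile(r"^(CU|LM|U|CR|CC)\\(.+?)\s+(REG_[A-Z_]+)\s+(\d+)\s+(.*)$")
FW_LIST_MARKER = "\\authorizedapplications\\list\\"
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?$")


def parse_value_line(line):
    """Split one report line into hive, key, value name, type, size and data."""
    m = VALUE_RE.match(line.strip())
    if not m:
        return None
    hive, path, vtype, size, data = m.groups()
    data = data.strip().strip('"\u201c\u201d')      # page used curly quotes
    idx = path.lower().find(FW_LIST_MARKER)
    if idx >= 0:
        # Firewall list values are named after the full program path, so the
        # last backslash is not the key/name boundary here.
        cut = idx + len(FW_LIST_MARKER)
        key, name = path[:cut - 1], path[cut:]
    else:
        key, _, name = path.rpartition("\\")
    return {"hive": HIVES[hive], "key": key, "name": name,
            "type": vtype, "size": int(size), "data": data}


def reg_sz_size(data):
    """Byte size the report shows for REG_SZ: UTF-16LE plus the NUL terminator."""
    return (len(data) + 1) * 2


def looks_like_java_masquerade(path):
    """Assumption: a real jusched.exe sits under a Java subdirectory, not at
    the Program Files root."""
    p = path.lower()
    return p.endswith("\\jusched.exe") and "\\java\\" not in p


def classify(v):
    findings = []
    key_l = v["key"].lower()
    if RUN_KEY_RE.search(key_l):
        cat = "autorun_ts_shadow" if "\\terminal server\\install\\" in key_l else "autorun"
        findings.append((cat, v["hive"] + "\\" + v["key"], v["name"], v["data"]))
        if looks_like_java_masquerade(v["data"]):
            findings.append(("masquerade", v["data"]))
    if key_l.endswith("\\authorizedapplications\\list"):
        parts = v["data"].rsplit(":", 3)             # program:scope:state:display name
        if len(parts) == 4:
            program, scope, state, display = parts
            findings.append(("firewall_exception", program, scope, state, display))
            if looks_like_java_masquerade(program):
                findings.append(("masquerade", program))
    if v["type"] == "REG_SZ" and reg_sz_size(v["data"]) != v["size"]:
        findings.append(("size_mismatch", v["name"], v["size"]))
    return findings


def triage(text):
    """Return de-duplicated findings for every parseable value line."""
    findings = []
    for line in text.splitlines():
        v = parse_value_line(line)
        if v is None:
            continue
        for f in classify(v):
            if f not in findings:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_VALUES):
        print(f)
```

On the page's data this yields two Run-key autoruns, the Terminal Server\Install shadow of the HKLM Run key, one firewall exception (program C:\Program Files\jusched.exe, scope *, state Enabled, display name "Java developer Script Browse") and a single masquerade finding; the reported sizes 58 and 136 agree with the UTF-16 length of the data, so no size mismatch is raised.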
• Directories Created
• Directories Changed
• Directories Deleted
• Files Created
Name Size Last Write Time Creation Time Last Access Time Attr
C:\Program Files\jusched.exe 67072 2009.01.12 15:12:47.562 2009.01.12 15:12:47.562 2009.01.12 15:12:47.562 0x7
• Files Changed
Name Size Last Write Time Creation Time Last Access Time Attr
C:\TEST\sample.exe 67072/67072 2009.01.12 15:12:40.265/2009.01.12 15:12:40.265 2009.01.12 15:12:20.546/2009.01.12 15:12:20.546 2009.01.12 15:12:20.546/2009.01.12 15:12:20.546 0x20/0x7
• Files Deleted
• Directories Hidden
• Files Hidden
• Drivers Loaded
• Drivers Unloaded
• Processes Created
PId Process Name Image Name
0x2cc explorer.exe C:\WINDOWS\explorer.exe
0x310 netsh.exe C:\WINDOWS\system32\netsh.exe
0x4f4 sample.exe C:\TEST\sample.exe
0x57c jusched.exe C:\Program Files\jusched.exe
• Processes Terminated
• Threads Created
PId Process Name TId Start Start Mem Win32 Start Win32 Start Mem
0x2ac lsass.exe 0x464 0x7c810856 MEM_IMAGE 0x77e76bf0 MEM_IMAGE
0x2cc explorer.exe 0x4c4 0x7c810867 MEM_IMAGE 0x101e24e MEM_IMAGE
0x310 netsh.exe 0x448 0x7c810867 MEM_IMAGE 0x180885f MEM_IMAGE
0x348 svchost.exe 0xf8 0x7c810856 MEM_IMAGE 0x7c910760 MEM_IMAGE
0x3f4 svchost.exe 0x2d0 0x7c810856 MEM_IMAGE 0x7c910760 MEM_IMAGE
0x3f4 svchost.exe 0x4cc 0x7c810856 MEM_IMAGE 0x762cf0a3 MEM_IMAGE
0x3f4 svchost.exe 0x7bc 0x7c810856 MEM_IMAGE 0x762cf010 MEM_IMAGE
0x484 svchost.exe 0x4e8 0x7c810856 MEM_IMAGE 0x7c910760 MEM_IMAGE
0x4f4 sample.exe 0x384 0x7c810867 MEM_IMAGE 0x40f21f MEM_PRIVATE
0x57c jusched.exe 0x31c 0x7c810867 MEM_IMAGE 0x401240 MEM_IMAGE
• Modules Loaded
PId Process Name Base Size Flags Image Name
0x3f4 svchost.exe 0x74ed0000 0xe000 0x80084004 C:\WINDOWS\system32\wbem\wbemsvc.dll
0x3f4 svchost.exe 0x74ef0000 0x8000 0x800c4004 C:\WINDOWS\system32\wbem\wbemprox.dll
• Windows Api Calls
PId Image Name Address Function ( Parameters ) | Return Value
0x4f4 C:\TEST\sample.exe 0x40577b CopyFileA(lpExistingFileName: "C:\TEST\sample.exe", lpNewFileName: "C:\WINDOWS\jusched.exe", bFailIfExists: 0x0)|0x1
0x4f4 C:\TEST\sample.exe 0x40577b CopyFileA(lpExistingFileName: "C:\TEST\sample.exe", lpNewFileName: "C:\Program Files\jusched.exq", bFailIfExists: 0x0)|0x1
0x638 C:\Program Files\jusched.exe 0x40577b CopyFileA(lpExistingFileName: "C:\Program Files\jusched.exe", lpNewFileName: "C:\WINDOWS\jusched.exl", bFailIfExists: 0x0)|0x1
• DNS Queries
DNS Query Text
astro.ic.ac.uk IN A +
ale.pakibili.com IN A +
versatek.com IN A +
journalofaccountancy.com IN A +
transnationale.org IN A +
mas.0730ip.com IN A +
stayontime.info IN A +
www.shearman.com IN A +
insidehighered.com IN A +
ate.lacoctelera.net IN A +
citylie.com IN A +
websitetrafficspy.com IN A +
qun.51.com IN A +
summer-uni-sw.eesp.ch IN A +
shopstyle.com IN A +
xxx.stopklatka.pl IN A +
unclefed.com IN A +
mcsp.lvengine.com IN A +
deirdremccloskey.org IN A +
browseusers.myspace.com IN A +
journals.lww.com IN A +
middleastpost.org IN A +
mas.archivum.info IN A +
scribbidyscrubs.com IN A +
mas.mtime.com IN A +
ols.systemofadown.com IN A +
tripadvisor.com IN A +
mas.tguia.cl IN A +
albertoshistory.info IN A +
mas.josbank.com IN A +
erdbeerlounge.de IN A +
mas.juegosbakugan.net IN A +
screenservice.com IN A +
xxx.jagdcom.de IN A +
old.longjuyt2tugas.com IN A +
heidegger.x-y.net IN A +
southampton.ac.uk IN A +
ope.oaklandathletics.com IN A +
mix.price-erotske.in.rs IN A +
uks.linkedin.com IN A +
opl.munin.irf.se IN A +
jb.asm.org IN A +
mas.ahlamontada.com IN A +
mas.univie.ac.at IN A +
pru.landmines.org IN A +
epp.gunmablog.jp IN A +
mix.thenaturistclub.com IN A +
beta.neogen.ro IN A +
old.youku.com IN A +
goodreads.com IN A +
bobyurl.info IN A +
hrm.uh.edu IN A +
refugee-action.org.uk IN A +
mmm.bolbalatrust.org IN A +
• HTTP Queries
HTTP Query Text
browseusers.myspace.com GET /Browse/Browse.aspx HTTP/1.1
• Verdict
Auto Analysis Verdict
Suspicious+
• Description
Suspicious Actions Detected
Copies self to other locations
Creates autorun records
Creates files in program files directory
Disables windows firewall
Injects code into other processes
Patches system files
• Mutexes Created or Opened
PId Image Name Address Mutex Name
0x120 C:\Program Files\Internet Explorer\iexplore.exe 0x76ee3a34 RasPbFile
0x120 C:\Program Files\Internet Explorer\iexplore.exe 0x771ba3ae _!MSFTHISTORY!_
0x120 C:\Program Files\Internet Explorer\iexplore.exe 0x771bc1f9 WininetConnectionMutex
0x120 C:\Program Files\Internet Explorer\iexplore.exe 0x771bc23d WininetProxyRegistryMutex
0x120 C:\Program Files\Internet Explorer\iexplore.exe 0x771bc2dd WininetStartupMutex
0x120 C:\Program Files\Internet Explorer\iexplore.exe 0x771d96e1 c:!documents and settings!user!cookies!
0x120 C:\Program Files\Internet Explorer\iexplore.exe 0x771d96e1 c:!documents and settings!user!local settings!history!history.ie5!
0x120 C:\Program Files\Internet Explorer\iexplore.exe 0x771d96e1 c:!documents and settings!user!local settings!temporary internet files!content.ie5!
0x120 C:\Program Files\Internet Explorer\iexplore.exe 0x777904d3 WininetStartupMutex
0x120 C:\Program Files\Internet Explorer\iexplore.exe 0x77f76e78 Shell.CMruPidlList
0x120 C:\Program Files\Internet Explorer\iexplore.exe 0x7c81a838 ShimCacheMutex
0x4f4 C:\TEST\sample.exe 0x402502 Micro Upe
0x4f4 C:\TEST\sample.exe 0x771ba3ae _!MSFTHISTORY!_
0x4f4 C:\TEST\sample.exe 0x771bc21c WininetConnectionMutex
0x4f4 C:\TEST\sample.exe 0x771bc23d WininetProxyRegistryMutex
0x4f4 C:\TEST\sample.exe 0x771bc2dd WininetStartupMutex
0x4f4 C:\TEST\sample.exe 0x771d9710 c:!documents and settings!user!cookies!
0x4f4 C:\TEST\sample.exe 0x771d9710 c:!documents and settings!user!local settings!history!history.ie5!
0x4f4 C:\TEST\sample.exe 0x771d9710 c:!documents and settings!user!local settings!temporary internet files!content.ie5!
0x638 C:\Program Files\jusched.exe 0x402502 Micro Upe
0x638 C:\Program Files\jusched.exe 0x771ba3ae _!MSFTHISTORY!_
0x638 C:\Program Files\jusched.exe 0x771bc21c WininetConnectionMutex
0x638 C:\Program Files\jusched.exe 0x771bc23d WininetProxyRegistryMutex
0x638 C:\Program Files\jusched.exe 0x771bc2dd WininetStartupMutex
0x638 C:\Program Files\jusched.exe 0x771d9710 c:!documents and settings!user!cookies!
0x638 C:\Program Files\jusched.exe 0x771d9710 c:!documents and settings!user!local settings!history!history.ie5!
0x638 C:\Program Files\jusched.exe 0x771d9710 c:!documents and settings!user!local settings!temporary internet files!content.ie5!
0x714 C:\WINDOWS\jusched.exe 0x402502 Micro Upe
0x714 C:\WINDOWS\jusched.exe 0x402c36 Micro Upe
0x714 C:\WINDOWS\jusched.exe 0x74c8326b oleacc-msaa-loaded
0x714 C:\WINDOWS\jusched.exe 0x76ee3a34 RasPbFile
0x714 C:\WINDOWS\jusched.exe 0x771ba3ae _!MSFTHISTORY!_
0x714 C:\WINDOWS\jusched.exe 0x771bc21c WininetConnectionMutex
0x714 C:\WINDOWS\jusched.exe 0x771bc23d WininetProxyRegistryMutex
0x714 C:\WINDOWS\jusched.exe 0x771bc2dd WininetStartupMutex
0x714 C:\WINDOWS\jusched.exe 0x771d9710 c:!documents and settings!user!cookies!
0x714 C:\WINDOWS\jusched.exe 0x771d9710 c:!documents and settings!user!local settings!history!history.ie5!
0x714 C:\WINDOWS\jusched.exe 0x771d9710 c:!documents and settings!user!local settings!temporary internet files!content.ie5!
• Events Created or Opened
PId Image Name Address Event Name
0x120 C:\Program Files\Internet Explorer\iexplore.exe 0x7473d2a8 CTF.ThreadMIConnectionEvent.00000628.00000000.00000005
0x120 C:\Program Files\Internet Explorer\iexplore.exe 0x7473d2a8 CTF.ThreadMarshalInterfaceEvent.00000628.00000000.00000005
0x120 C:\Program Files\Internet Explorer\iexplore.exe 0x7473d2a8 MSCTF.SendReceive.Event.ICG.IC
0x120 C:\Program Files\Internet Explorer\iexplore.exe 0x7473d2a8 MSCTF.SendReceiveConection.Event.ICG.IC
0x120 C:\Program Files\Internet Explorer\iexplore.exe 0x769c4ec2 Global\userenv: User Profile setup event
0x120 C:\Program Files\Internet Explorer\iexplore.exe 0x77de5f48 Global\SvcctrlStartEvent_A3752DX
0x154 C:\WINDOWS\system32\net1.exe 0x77de5f48 Global\SvcctrlStartEvent_A3752DX
0x2a4 C:\WINDOWS\system32\sc.exe 0x77de5f48 Global\SvcctrlStartEvent_A3752DX
0x304 C:\WINDOWS\system32\net1.exe 0x77de5f48 Global\SvcctrlStartEvent_A3752DX
0x378 C:\WINDOWS\system32\net1.exe 0x77de5f48 Global\SvcctrlStartEvent_A3752DX
0x70c C:\WINDOWS\system32\net1.exe 0x77de5f48 Global\SvcctrlStartEvent_A3752DX
0x714 C:\WINDOWS\jusched.exe 0x769c4ec2 Global\userenv: User Profile setup event
0x714 C:\WINDOWS\jusched.exe 0x77de5f48 Global\SvcctrlStartEvent_A3752DX