Malware analysis

looking for the perfect virus

File: Transfer_Slip.scr
MD5: 4fa0e16a43fdb3b66812949f4cc95c60
SHA-1: 9c078a0f963c9b64da42c25619329b50b617bc02
Size: 584 KB (598,528 bytes)

Comments: Drake
CompanyName: Drake
FileDescription: Drake
FileVersion: 9.2.0.0
InternalName: Drake.exe
LegalCopyright: Copyright © Drake 2014
OriginalFilename: Drake.exe
ProductName: Drake
ProductVersion: 9.2.0.0
Assembly Version: 9.2.0.0

Antivirus detection:

MD5: 4fa0e16a43fdb3b66812949f4cc95c60
Verified By NoDistribute: http://NoDistribute.com/result/MclTOEf1tj0h8B2Lzk
Scan Result: 5/34

AVG Free: Clean
Avast: Clean
AntiVir (Avira): Clean
BitDefender: Clean
Clam Antivirus: Clean
COMODO Internet Security: Clean
Dr.Web: Clean
eTrust-Vet: Clean
F-PROT Antivirus: Clean
F-Secure Internet Security: Clean
G Data: Clean
IKARUS Security: Trojan.MSIL.Injector
Kaspersky Antivirus: Trojan-Dropper.Win32.Sysn.aiye
McAfee: Artemis!4FA0E16A43FD
MS Security Essentials: Clean
Norman: Clean
Norton Antivirus: Clean
Panda Security: Clean
A-Squared: Clean
Quick Heal Antivirus: Malware.Generic.Dnt5
Solo Antivirus: Clean
Sophos: Clean
Trend Micro Internet Security: Clean
VBA32 Antivirus: Clean
Zoner AntiVirus: Clean
Ad-Aware: Clean
BullGuard: Clean
FortiClient: Clean
K7 Ultimate: Clean
NANO Antivirus: Clean
Panda CommandLine: Clean
SUPERAntiSpyware: Clean
Twister Antivirus: Clean
VIPRE: Trojan.Win32.Generic.pak=21cobra

process:
Transfer_Slip.scr or GoogleUpdate.exe or WindowsUpdate.exe

persistence:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
GoogleUpdate REG_SZ C:\Documents and Settings\Administrator\Application Data\WinApp\GoogleUpdate.exe.lnk
Windows Update REG_SZ C:\Documents and Settings\Administrator\Application Data\WindowsUpdate.exe

USB spread:
creates a copy of itself named Sys.exe (read-only + hidden)
and an autorun.inf, also read-only + hidden, with this content:

[autorun]
open=Sys.exe
action=Run win32
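An added example (my code, not from the write-up) that checks a drive for the USB-spread artifacts just described: it parses autorun.inf, resolves the open= target against the drive root and reports the read-only and hidden flags on both files. demo() rebuilds the layout above in a temporary directory with a constructed placeholder standing in for Sys.exe; the hidden attribute is only visible on Windows, while the read-only check also works on Linux through the mode bits.

```python
import configparser
import os
import pathlib
import stat
import tempfile
FILE_ATTRIBUTE_READONLY, FILE_ATTRIBUTE_HIDDEN = 0x01, 0x02  # Windows st_file_attributes bits

def parse_autorun(text):
    """Return the [autorun] keys (lower-cased) as a dict, or {} if the section is absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(text)
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    return dict(cp[section]) if section else {}

def file_flags(path):
    """read-only is derived portably from mode bits; hidden needs the Windows attribute."""
    st = os.stat(path)
    attrs = getattr(st, "st_file_attributes", 0)   # missing on non-Windows -> 0
    flags = []
    if attrs & FILE_ATTRIBUTE_READONLY or not st.st_mode & stat.S_IWUSR:
        flags.append("read-only")
    if attrs & FILE_ATTRIBUTE_HIDDEN:
        flags.append("hidden")
    return flags

def audit_drive(root):
    """Return findings (strings) about autorun.inf under a drive root; [] if there is none."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return []
    with open(inf, encoding="latin-1", errors="replace") as fh:
        keys = parse_autorun(fh.read())
    findings = ["autorun.inf present, flags=" + str(file_flags(inf))]
    for key in ("open", "shellexecute"):       # either key launches a program on insertion
        if keys.get(key):
            target = keys[key].split()[0]       # drop any command-line arguments
            exe = os.path.join(root, target)
            state = "exists, flags=" + str(file_flags(exe)) if os.path.isfile(exe) else "missing"
            findings.append(f"{key}={target} {state}")
    return findings

def demo():
    """Rebuild the drive layout from the write-up in a temp dir (constructed) and audit it."""
    root = pathlib.Path(tempfile.mkdtemp())
    (root / "autorun.inf").write_text("[autorun]\nopen=Sys.exe\naction=Run win32\n")
    exe = root / "Sys.exe"
    exe.write_bytes(b"MZ placeholder, not a real binary")   # constructed stand-in for Sys.exe
    exe.chmod(0o444)                                        # mimic the read-only attribute
    return audit_drive(str(root))
```

Point audit_drive() at a mounted removable drive's root to run it against real media.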

new files:
c:\Documents and Settings\Administrator\Application Data\
pid.txt: contains the PID of the running malware process (used to make sure only one instance runs)
pidloc.txt: contains the path of the malware file that is running
WindowsUpdate.exe MD5: 4fa0e16a43fdb3b66812949f4cc95c60

c:\Documents and Settings\Administrator\Application Data\WinApp\
GoogleUpdate.exe MD5: 4fa0e16a43fdb3b66812949f4cc95c60
GoogleUpdate.exe.lnk

network activity:
tests the internet connection using whatismyipaddress.com
smtp.googlemail.com:587 (SMTP submission)

malware type: info stealer

For the last weeks, our network has been hacked so you are required to
install the attached program. This will enable a safe connection to
Facebook and your location can be secure.

Use this password: Your-NameXX
Facebook is trying to contact all our users immediately but our emailing
resources are limited. Our company would be very grateful if you would
transmit the attached file to your contacts and family as soon as
possible.

IMPORTANT: you will only visualize the program by using a Microsoft
Operating System

This is roughly what the email looks like. It carries two attachments: an HTML file with the text above and a ZIP archive named after the recipient. The archive's content, Recipient-Name.exe, is protected by a password made of the recipient's first name plus a number.

File: Your-Name.exe
Size: 412 KB (421,888 bytes)
MD5: 39a74d109b344c099f78a1f3b3133a4c
SHA-1: b4f9c88b0b93d9ac736092647184ab3128639e75

[screenshot: file properties]

Antivirus detection:

MD5: 39a74d109b344c099f78a1f3b3133a4c
Verified By NoDistribute: http://NoDistribute.com/result/v1sUO7EYLmkA49
Scan Result: 8/34

AVG Free: Clean
Avast: Win32:Downloader-TLD [Trj]
AntiVir (Avira): Clean
BitDefender: Gen:Variant.Symmi.22722
Clam Antivirus: Clean
COMODO Internet Security: Clean
Dr.Web: Clean
eTrust-Vet: Clean
F-PROT Antivirus: Clean
F-Secure Internet Security: Gen:Variant.Symmi.22722
G Data: Gen:Variant.Symmi.22722, Win32:Downloader-TLD [Trj]
IKARUS Security: Clean
Kaspersky Antivirus: HEUR:Trojan.Win32.Generic
McAfee: Clean
MS Security Essentials: Clean
Norman: Clean
Norton Antivirus: Clean
Panda Security: Clean
A-Squared: Gen:Variant.Symmi.22722 (B)
Quick Heal Antivirus: Clean
Solo Antivirus: Clean
Sophos: Clean
Trend Micro Internet Security: Clean
VBA32 Antivirus: Clean
Zoner AntiVirus: Clean
Ad-Aware: Gen:Variant.Symmi.22722
BullGuard: Gen:Variant.Symmi.22722
FortiClient: Clean
K7 Ultimate: Clean
NANO Antivirus: Clean
Panda CommandLine: Clean
SUPERAntiSpyware: Clean
Twister Antivirus: Clean
VIPRE: Clean

process:
Of course it is not compatible with my system; nevertheless, it runs without any problem.

[screenshot: fake error dialog]

aqocfsgddnlr.exe (C:\Documents and Settings\Administrator\Application Data\yvlzmezvcwvsl\aqocfsgddnlr.exe)
    sogovsk.exe (C:\Documents and Settings\Administrator\Application Data\yvlzmezvcwvsl\sogovsk.exe)
[screenshot: watch dog]

Network activity: HTTP requests carrying the recipient's email address, sent to a long list of .net domains


new files:
c:\Documents and Settings\Administrator\Application Data\yvlzmezvcwvsl\
aqocfsgddnlr.exe (Hidden) MD5: 39a74d109b344c099f78a1f3b3133a4c
aqocfsgddnlr.mq
sogovsk.exe (Hidden) MD5: 39a74d109b344c099f78a1f3b3133a4c

persistence:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Netlogon Collector Virtual Event c:\documents and settings\administrator\application data\yvlzmezvcwvsl\aqocfsgddnlr.exe

File name: ForceOp.exe
MD5: 2b006dd5d496c7ad7040d5c8efab0240
SHA-1: 6b4070a5ee59dbc30a71d766442f52fbad6de4ab
Size: 1.82 MB (1,917,440 bytes)

Antivirus detection:

MD5: 2b006dd5d496c7ad7040d5c8efab0240
Verified By NoDistribute: http://NoDistribute.com/result/4YgI3DlXP7M2oJA9

AVG Free: Trojan horse Autoit_c.ATDC
Avast: Win32:Malware-gen
AntiVir (Avira): DR/AutoIt.Gen2
BitDefender: Trojan.GenericKD.1716380
Clam Antivirus: Win.Trojan.11477628
COMODO Internet Security: Malware@fya0u6p5xw7s
Dr.Web: Clean
eTrust-Vet: Clean
F-PROT Antivirus: Clean
F-Secure Internet Security: Trojan.GenericKD.1716380
G Data: Trojan.GenericKD.1716380
IKARUS Security: Backdoor.Win32.DarkKomet
Kaspersky Antivirus: Clean
McAfee: Artemis!2B006DD5D496
MS Security Essentials: Clean
Norman: winpe/Troj_Generic.UOKHC
Norton Antivirus: Clean
Panda Security: Clean
A-Squared: Trojan.GenericKD.1716380 (B)
Quick Heal Antivirus: Backdoor.DarkKomet.g5
Solo Antivirus: Clean
Sophos: Clean
Trend Micro Internet Security: Clean
VBA32 Antivirus: Clean
Zoner AntiVirus: INFECTED [Trojan.Autoit.NPP]
Ad-Aware: Trojan.GenericKD.1716380
BullGuard: Trojan.GenericKD.1716380
FortiClient: Clean
K7 Ultimate: Trojan ( 00492e361 )
NANO Antivirus: Trojan.Win32.DarkKomet.dbaajp
Panda CommandLine: Clean
SUPERAntiSpyware: Clean
Twister Antivirus: Trojan.264FEF29B6FC0C72
VIPRE: Trojan.Win32.Generic=21BT

process:
ForceOp.exe
IPOR.exe (C:\Documents and Settings\Administrator\My Documents\JEVA\IPOR.exe)

network activity:
slothyster.no-ip.biz:1604

persistence:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\Documents and Settings\Administrator\My Documents\JEVA\IPOR.exe c:\documents and settings\administrator\my documents\jeva\ipor.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Apple Posh C:\Documents and Settings\Administrator\My Documents\JEVA\IPOR.exe
Jerva C:\Documents and Settings\Administrator\My Documents\JEVA\IPOR.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Apple Posh C:\Documents and Settings\Administrator\My Documents\JEVA\IPOR.exe
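An added example (my code, not from the write-up) that applies the persistence observations from all three samples: Run entries pointing at a .lnk or into a user profile directory (Transfer_Slip.scr, Your-Name.exe, ForceOp.exe) and a Winlogon\Userinit value that is not the real userinit.exe (ForceOp.exe). The (key, value name, data) tuples are transcribed from the page; the ctfmon.exe entry is a constructed benign XP default used as a control, and the heuristics are my own rather than the author's.

```python
import ntpath

# Windows XP profile directories the samples above dropped their autostart targets into
PROFILE_DIRS = ("\\application data\\", "\\my documents\\", "\\local settings\\")

def suspicious_run_entry(data):
    """Reason string if a Run value's data looks like the autostarts above, else None."""
    target = data.strip().strip('"').lower()
    if target.endswith(".lnk"):
        return "launches a shortcut (.lnk) instead of the executable itself"
    if any(d in target for d in PROFILE_DIRS):
        return "launches an executable from a user-writable profile directory"
    return None

def userinit_hijacked(data):
    """True unless every comma-separated element of Userinit is the real userinit.exe."""
    parts = [p.strip().strip('"') for p in data.split(",") if p.strip()]
    return any(ntpath.basename(p).lower() != "userinit.exe" for p in parts)

def audit(entries):
    """entries: (key, value name, data) tuples; returns (value name, reason) for each hit."""
    hits = []
    for key, name, data in entries:
        if key.lower().endswith("\\winlogon") and name.lower() == "userinit":
            if userinit_hijacked(data):
                hits.append((name, "Userinit hijacked: " + data))
        elif key.lower().endswith("\\currentversion\\run"):
            reason = suspicious_run_entry(data)
            if reason:
                hits.append((name, reason))
    return hits

# Transcribed from the write-up (Transfer_Slip.scr, Your-Name.exe, ForceOp.exe), plus one
# constructed benign XP default (ctfmon.exe) as a control that must not be flagged.
OBSERVED = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "GoogleUpdate",
     r"C:\Documents and Settings\Administrator\Application Data\WinApp\GoogleUpdate.exe.lnk"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Windows Update",
     r"C:\Documents and Settings\Administrator\Application Data\WindowsUpdate.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Netlogon Collector Virtual Event",
     r"c:\documents and settings\administrator\application data\yvlzmezvcwvsl\aqocfsgddnlr.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit",
     r"C:\Documents and Settings\Administrator\My Documents\JEVA\IPOR.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Apple Posh",
     r"C:\Documents and Settings\Administrator\My Documents\JEVA\IPOR.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe",
     r"C:\WINDOWS\system32\ctfmon.exe"),
]
```

On a live host the same tuples would be read with the winreg module and fed to audit().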

new files:
C:\Documents and Settings\Administrator\Application Data\dclogs\
2014-07-17-5.dc

C:\Documents and Settings\Administrator\My Documents\JEVA\
IPOR.exe MD5: 2b006dd5d496c7ad7040d5c8efab0240

malware type: DarkComet, keylogger, RAT, info-stealer

removal:
kill the ForceOp.exe / IPOR.exe process
remove the persistence entries from the registry (the Run keys and Winlogon\Userinit listed above)
delete C:\Documents and Settings\Administrator\My Documents\JEVA\IPOR.exe