Advanced File Analysis System

Information Discovery

Reads data out of its own binary image Show sources

api_process_name	process: 9ea7d8ba25a4bad3016c138b414c5613d1b9df79.exe, pid: 2940, offset: 0x0004e845, length: 0x00002cb0
api_process_name	process: 9ea7d8ba25a4bad3016c138b414c5613d1b9df79.exe, pid: 2940, offset: 0x000515e5, length: 0x0003cfc0
api_process_name	process: setup.exe, pid: 2764, offset: 0x000690ee, length: 0x000018c8
api_process_name	process: setup.exe, pid: 2764, offset: 0x0006aa2c, length: 0x0003a9da

Networking

Attempts to connect to a dead IP:Port (3 unique times) Show sources

network_host_ip	66.225.197.197:80 (United States)
network_host_ip	23.215.130.203:80 (United States)
network_host_ip	72.21.91.29:80 (United States)

Performs some HTTP requests Show sources

network_url	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAGC%2BAmOouYmuRo7J4Qfua8%3D
network_url	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTuqL92L3tjkN67RNFF%2FEdvT6NEzAQUwBKyKHRoRmfpcCV0GgBFWwZ9XEQCEA7cK%2FJk9VZxucRii0Q9yCY%3D
network_url	http://crl3.digicert.com/DigiCertBaltimoreCA-2G2.crl
network_url	http://crl4.digicert.com/DigiCertBaltimoreCA-2G2.crl

Malware Analysis System Evasion

Detects VMware through the presence of a registry key Show sources

registry_query

HKEY_CURRENT_USER\Software\VMware, Inc.

Checks the presence of disk drives in the registry, possibly for anti-virtualization Show sources

registry_query

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0

Attempts to identify installed analysis tools by registry key Show sources

registry_query	HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fiddler2
registry_query	HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fiddler2
registry_query	HKEY_CLASSES_ROOT\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fiddler2
registry_query	HKEY_CURRENT_CONFIG\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fiddler2
registry_query	HKEY_USERS\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fiddler2
registry_query	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Fiddler2
registry_query	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Fiddler2
registry_query	HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Uninstall\Fiddler2
registry_query	HKEY_CURRENT_CONFIG\Software\Microsoft\Windows\CurrentVersion\Uninstall\Fiddler2
registry_query	HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Uninstall\Fiddler2
registry_query	HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark
registry_query	HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark
registry_query	HKEY_CLASSES_ROOT\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark
registry_query	HKEY_CURRENT_CONFIG\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark
registry_query	HKEY_USERS\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark
registry_query	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark
registry_query	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark
registry_query	HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark
registry_query	HKEY_CURRENT_CONFIG\Software\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark
registry_query	HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark

Hooking and other Techniques for Hiding Protection

Creates RWX memory Show sources

injection_rwx_memory

0x00000040, NtAllocateVirtualMemory or VirtualProtectEx

Data Obfuscation

Drops a binary and executes it Show sources

file_dropped	C:\Users\user\AppData\Local\Temp\is-4B3OL.tmp\BonjourEi.exe
file_dropped	C:\Users\user\AppData\Local\Temp\is-B1JA9.tmp\9ea7d8ba25a4bad3016c138b414c5613d1b9df79.tmp
file_dropped	C:\Program Files (x86)\trs\6894647.exe
file_dropped	C:\Users\user\AppData\Local\Temp\is-4B3OL.tmp\setup.exe
file_dropped	C:\Users\user\AppData\Local\Temp\is-1A7UH.tmp\setup.tmp

File Name: 9ea7d8ba25a4bad3016c138b414c5613d1b9df79

File Type: PE32 executable (GUI) Intel 80386, for MS Windows

SHA1: 9ea7d8ba25a4bad3016c138b414c5613d1b9df79

MD5: 5b1a0d21643c69a853ebdad223d6bbc0