Download Link: hxxp://kjdhendieldiouyu.com/sw/404/404.exe
File Name: 404.exe

VirusTotal Result: 4/32 (12.5%)
BitDefender 7.2 2008.04.08 Backdoor.Agent.AHJ
ClamAV 0.92.1 2008.04.08 Trojan.Agent-14290
Ikarus T3.1.1.26.0 2008.04.08 Backdoor.Agent.AHJ
Sunbelt 3.0.1032.0 2008.04.08 Backdoor.Agent.AHJ

File Info:
File size: 36864 bytes
MD5...: b630998f7467cb57856247f5809033c7
SHA1..: f523526a84681c132c8a8910d1b7030104ef0d0d
SHA256: 49ed08d1b4864de534e59a65d65ef38ae36cfc321f0fa8d68976c666442ba98f
SHA512: 66beb9b9e911c06a20093c2cb277c5eb509be5c0419a35ab39ad7335a4e5f827110905460eb069877cfbdbe3d4314ba216114f59b4adbfc27ef6323046348631

IDA section header (.text):
.text:00401000 ; Format      : Portable executable for 80386 (PE)
.text:00401000 ; Imagebase   : 400000
.text:00401000 ; Section 1. (virtual address 00001000)
.text:00401000 ; Virtual size          : 000035BE (  13758.)
.text:00401000 ; Section size in file  : 00004000 (  16384.)
.text:00401000 ; Offset to raw data for section: 00001000
.text:00401000 ; Flags 60000020: Text Executable Readable
.text:00401000 ; Alignment   : default
.text:00401000 ; OS type         : MS Windows
.text:00401000 ; Application type: Executable 32bit

PE Header:
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0003
Time/Date stamp: 4689777C
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 010F
Magic: 010B
Linker version (major): 06
Linker version (minor): 00
Size of code: 00004000
Size of initialized data: 00004000
Size of uninitialized data: 00000000
Address of entry point: 00001010
Base of code: 00001000
Base of data: 00005000
Image base: 00400000
Section alignment: 00001000
File alignment: 00001000
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00009000
Size of headers: 00001000
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections:
Section  VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
.text    000035BE  00001000  00004000  00001000  60000020
.rdata   000007A0  00005000  00001000  00005000  40000040
.data    000029DC  00006000  00003000  00006000  C0000040

IDA function list (all of these are Microsoft C runtime start-up routines):
.text:00401106 ; [00000025 BYTES: COLLAPSED FUNCTION __amsg_exit. PRESS KEYPAD "+" TO EXPAND]
.text:0040112B ; [00000024 BYTES: COLLAPSED FUNCTION _fast_error_exit. PRESS KEYPAD "+" TO EXPAND]
.text:0040114F ; [0000002D BYTES: COLLAPSED FUNCTION __cinit. PRESS KEYPAD "+" TO EXPAND]
.text:0040117C ; [00000011 BYTES: COLLAPSED FUNCTION _exit. PRESS KEYPAD "+" TO EXPAND]
.text:0040118D ; [00000011 BYTES: COLLAPSED FUNCTION __exit. PRESS KEYPAD "+" TO EXPAND]
.text:0040119E ; [00000099 BYTES: COLLAPSED FUNCTION _doexit. PRESS KEYPAD "+" TO EXPAND]
.text:00401237 ; [0000001A BYTES: COLLAPSED FUNCTION __initterm. PRESS KEYPAD "+" TO EXPAND]
.text:00401251 ; [00000141 BYTES: COLLAPSED FUNCTION __XcptFilter. PRESS KEYPAD "+" TO EXPAND]
.text:00401392 ; [00000043 BYTES: COLLAPSED FUNCTION _xcptlookup. PRESS KEYPAD "+" TO EXPAND]
.text:004013D5 ; [00000058 BYTES: COLLAPSED FUNCTION __wincmdln. PRESS KEYPAD "+" TO EXPAND]
.text:0040142D ; [000000B9 BYTES: COLLAPSED FUNCTION __setenvp. PRESS KEYPAD "+" TO EXPAND]
.text:004014E6 ; [00000099 BYTES: COLLAPSED FUNCTION __setargv. PRESS KEYPAD "+" TO EXPAND]
.text:0040157F ; [000001B4 BYTES: COLLAPSED FUNCTION _parse_cmdline. PRESS KEYPAD "+" TO EXPAND]
.text:00401733 ; [00000132 BYTES: COLLAPSED FUNCTION ___crtGetEnvironmentStringsA. PRESS KEYPAD "+" TO EXPAND]
.text:00401865 ; [000001AB BYTES: COLLAPSED FUNCTION __ioinit. PRESS KEYPAD "+" TO EXPAND]

Import table (libraries: 1)
KERNEL32.dll (imports: 38)
GetModuleHandleA GetStartupInfoA GetCommandLineA GetVersion ExitProcess TerminateProcess
GetCurrentProcess UnhandledExceptionFilter GetModuleFileNameA FreeEnvironmentStringsA
FreeEnvironmentStringsW WideCharToMultiByte GetEnvironmentStrings GetEnvironmentStringsW
SetHandleCount GetStdHandle GetFileType GetEnvironmentVariableA GetVersionExA HeapDestroy
HeapCreate VirtualFree HeapFree RtlUnwind WriteFile GetCPInfo GetACP GetOEMCP HeapAlloc
VirtualAlloc HeapReAlloc GetProcAddress LoadLibraryA MultiByteToWideChar LCMapStringA
LCMapStringW GetStringTypeA GetStringTypeW

File System Activity:
2047 5:53:22 PM 404.exe:480 QUERY INFORMATION E:\Infected\404.exe SUCCESS FileNameInformation
2048 5:53:22 PM 404.exe:480 QUERY INFORMATION E:\Infected\404.exe SUCCESS FileNameInformation
2049 5:53:22 PM 404.exe:480 OPEN C:\WINDOWS\Prefetch\404.EXE-3307B6C2.pf NOT FOUND Options: Open Access: All
2050 5:53:22 PM 404.exe:480 READ C: SUCCESS Offset: 0 Length: 4096
2051 5:53:22 PM 404.exe:480 OPEN E:\Infected SUCCESS Options: Open Directory Access: Traverse
2052 5:53:22 PM 404.exe:480 QUERY INFORMATION E:\Infected\404.exe.Local NOT FOUND Attributes: Error
2053 5:53:22 PM 404.exe:480 READ E:\Infected\404.exe SUCCESS Offset: 20480 Length: 4096
2054 5:53:22 PM 404.exe:480 READ E:\Infected\404.exe SUCCESS Offset: 4096 Length: 16384
2055 5:53:22 PM 404.exe:480 READ E:\Infected\404.exe SUCCESS Offset: 24576 Length: 12288
2056 5:53:22 PM 404.exe:480 CLOSE E:\Infected SUCCESS

Registry Activity:
4665 26.36527061 404.exe:480 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ SUCCESS Access: 0x82000000
4666 26.36533356 404.exe:480 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRoot SUCCESS "C:\WINDOWS"
4667 26.36587524 404.exe:480 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ SUCCESS
4668 26.36766243 404.exe:480 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ SUCCESS Access: 0x82000000
4669 26.36771011 404.exe:480 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRoot SUCCESS "C:\WINDOWS"
4670 26.36778831 404.exe:480 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ SUCCESS
4671 26.36853981 404.exe:480 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ SUCCESS Access: 0x82000000
4672 26.36858559 404.exe:480 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRoot SUCCESS "C:\WINDOWS"
4673 26.36866188 404.exe:480 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ SUCCESS
4674 26.39634895 404.exe:480 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\404.exe NOT FOUND
4675 26.39768410 404.exe:480 OpenKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS Access: 0x20019
4676 26.39775848 404.exe:480 QueryValue HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat SUCCESS 0x0
4677 26.39782143 404.exe:480 CloseKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS
4678 26.43162155 404.exe:480 OpenKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS Access: 0x20019
4679 26.43166542 404.exe:480 QueryValue HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat SUCCESS 0x0
4680 26.43172836 404.exe:480 CloseKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS

The binary didn't drop or create any file on the system. Everything in the file-system trace is the loader at work (reading 404.exe itself, the Prefetch lookup, the 404.exe.Local DLL-redirection check), and everything in the registry trace is ordinary process start-up activity (the SystemRoot reads, the Image File Execution Options lookup for 404.exe, the Terminal Server TSAppCompat check); nothing that can be attributed to the sample's own logic shows up. Note also that the import table holds only KERNEL32 entries, nearly all of them C runtime support, plus LoadLibraryA and GetProcAddress, so any network or persistence API the backdoor uses would have to be resolved at run time and will not appear in the static imports. It is possible that the malware terminates itself when it detects a VM environment. Further analysis is required. Uploading the file to MMPC.
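As an added example (not code from the original post), the following Python script reads the same PE32 header fields that the dump above lists by hand, straight from the bytes: the COFF header, the optional header and the section table. It runs on a constructed header that reproduces the post's values for 404.exe rather than on the sample itself, so nothing malicious is embedded; KNOWN_HASHES are the post's IOC hashes, and the triage checks at the end (writable-and-executable sections, sections that balloon in memory, an entry point outside .text) are the editor's own, not anything the post performs.

```python
"""Added example: parse the PE32 header fields the post dumps by hand.

Runs on a constructed header reproducing the post's values for 404.exe (no real
sample is embedded).  KNOWN_HASHES are the post's IOCs; the triage heuristics at
the end are the editor's own, not something the post performs.
"""
import hashlib
import struct
from datetime import datetime, timezone

KNOWN_HASHES = {  # IOC hashes quoted in the post for 404.exe
    "md5": "b630998f7467cb57856247f5809033c7",
    "sha1": "f523526a84681c132c8a8910d1b7030104ef0d0d",
    "sha256": "49ed08d1b4864de534e59a65d65ef38ae36cfc321f0fa8d68976c666442ba98f",
}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
COFF_FMT = "<HHIIIHH"             # IMAGE_FILE_HEADER (20 bytes)
OPT32_FMT = "<HBB6I3I6H4I2H4I2I"  # IMAGE_OPTIONAL_HEADER32 up to NumberOfRvaAndSizes (96 bytes)
SECTION_FMT = "<8s6I2HI"          # IMAGE_SECTION_HEADER (40 bytes)


def build_sample_pe() -> bytes:
    """Constructed PE32 image carrying the post's header values; section bodies are zero-filled."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header directly after the DOS header
    coff = struct.pack(COFF_FMT, 0x014C, 3, 0x4689777C, 0, 0, 0xE0, 0x010F)
    opt = struct.pack(
        OPT32_FMT,
        0x010B, 6, 0,                               # PE32 magic, linker 6.0
        0x4000, 0x4000, 0, 0x1010, 0x1000, 0x5000,  # code/data sizes, entry point, BaseOfCode/Data
        0x400000, 0x1000, 0x1000,                   # ImageBase, SectionAlignment, FileAlignment
        4, 0, 0, 0, 4, 0,                           # OS, image and subsystem versions
        0, 0x9000, 0x1000, 0,                       # Win32Version, SizeOfImage, SizeOfHeaders, CheckSum
        2, 0,                                       # Subsystem GUI, DllCharacteristics
        0x100000, 0x1000, 0x100000, 0x1000,         # stack/heap reserve and commit
        0, 0x10,                                    # LoaderFlags, NumberOfRvaAndSizes
    ) + bytes(16 * 8)                               # 16 empty data directories
    sections = b"".join(
        struct.pack(SECTION_FMT, name, vsize, va, raw, rawptr, 0, 0, 0, 0, flags)
        for name, vsize, va, raw, rawptr, flags in (
            (b".text", 0x35BE, 0x1000, 0x4000, 0x1000, 0x60000020),
            (b".rdata", 0x07A0, 0x5000, 0x1000, 0x5000, 0x40000040),
            (b".data", 0x29DC, 0x6000, 0x3000, 0x6000, 0xC0000040),
        )
    )
    header = bytes(dos) + b"PE\0\0" + coff + opt + sections
    return header.ljust(0x9000, b"\0")  # pad to SizeOfImage, which here equals the 36864-byte file size


def parse_pe(data: bytes) -> dict:
    """Read the COFF header, PE32 optional header and section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, data, pe_off + 4)
    opt = struct.unpack_from(OPT32_FMT, data, pe_off + 24)
    if opt[0] != 0x010B:
        raise NotImplementedError("only PE32 handled, magic was 0x%X" % opt[0])
    sections = []
    for i in range(nsect):  # section table follows the optional header
        f = struct.unpack_from(SECTION_FMT, data, pe_off + 24 + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": f[1], "va": f[2], "raw": f[3], "rawptr": f[4], "flags": f[9]})
    return {"machine": machine, "characteristics": chars,
            "timestamp_utc": datetime.fromtimestamp(stamp, tz=timezone.utc),
            "entry_point": opt[6], "image_base": opt[9], "subsystem": opt[22],
            "sections": sections}


def section_for_rva(sections: list, rva: int):
    """Name of the section whose in-memory range covers rva, or None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw"]):
            return s["name"]
    return None


def triage_flags(info: dict) -> list:
    """Cheap static red flags: W+X sections, sections that balloon in memory, entry outside .text."""
    flags = []
    for s in info["sections"]:
        if s["flags"] & IMAGE_SCN_MEM_EXECUTE and s["flags"] & IMAGE_SCN_MEM_WRITE:
            flags.append("%s is writable and executable" % s["name"])
        if s["raw"] and s["vsize"] > 2 * s["raw"]:
            flags.append("%s grows more than 2x in memory (packed?)" % s["name"])
    ep_sec = section_for_rva(info["sections"], info["entry_point"])
    if ep_sec != ".text":
        flags.append("entry point 0x%X lies in %s, not .text" % (info["entry_point"], ep_sec))
    return flags


def hash_hits(data: bytes) -> set:
    """Which of the post's IOC hashes the given bytes match (empty set if none)."""
    return {alg for alg, h in KNOWN_HASHES.items() if hashlib.new(alg, data).hexdigest() == h}
```

Calling parse_pe(build_sample_pe()) returns the values in the dump above and decodes the Time/Date stamp 4689777C, which the dump shows only as hex, to 2 July 2007 22:09 UTC; triage_flags() comes back empty for this header (no writable code section, no section that expands in memory, entry point 0x1010 inside .text), and hash_hits() is empty because the constructed bytes are not the sample. Pointing parse_pe at a real file's bytes gives the same triage without running it.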