Download Link: hxxp://aaa.tesekl.info/winint.exe

Packed sample

File Name: winint.exe
File size: 17408 bytes  <-- packed with UPX
MD5:  f6e7de2925fad4092e91aba83ba453db
SHA1: 9396c1226f05a4be0118a77cb6b43a4a203b0cc7
PEiD: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
Packer identification (three VirusTotal tools): UPX / UPX / PE_Patch.UPX, UPX
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=DE07F53C007F3E50440B00B45CA05F008DC65AC8

VirusTotal Result: 9/32 (28.13%)
  AhnLab-V3: Win-Trojan/Xema.variant
  Avast:     Win32:Trojan-gen {UPX}
  eSafe:     suspicious Trojan/Worm
  Ewido:     Dropper.Small.axj
  Fortinet:  W32/Generic.A!tr
  Ikarus:    Virus.Win32.Trojan
  McAfee:    Generic Packed
  Panda:     Trj/SysW.A
  Prevx1:    Heuristic: Suspicious File With Bad Parent Associations

File Info:
PE Header
  Signature:                    00004550
  Machine:                      014C - Intel 386
  Number of sections:           0003
  Time/Date stamp:              471C4C27 (2007-10-22 UTC)
  Pointer to symbol table:      00000000
  Number of symbols:            00000000
  Size of optional header:      00E0
  Characteristics:              010F
  Magic:                        010B
  Linker version (major):       06
  Linker version (minor):       00
  Size of code:                 00004000
  Size of initialized data:     00001000
  Size of uninitialized data:   00009000
  Address of entry point:       0000DBD0
  Base of code:                 0000A000
  Base of data:                 0000E000
  Image base:                   00400000
  Section alignment:            00001000
  File alignment:               00000200
  OS version (major):           0004
  OS version (minor):           0000
  Image version (major):        0000
  Image version (minor):        0000
  Sub system version (major):   0004
  Sub system version (minor):   0000
  Win32 version:                00000000
  Size of image:                0000F000
  Size of headers:              00001000
  Checksum:                     00000000
  Sub system:                   0003 - Windows character-mode user interface (CUI) subsystem
  DLL characteristics:          0000
  Size of stack reserve:        00100000
  Size of stack commit:         00001000
  Size of heap reserve:         00100000
  Size of heap commit:          00001000
  Loader flags:                 00000000
  Number of RVA:                00000010

PE Sections
  Section  VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
  UPX0     00009000  00001000  00000000  00000400  E0000080
  UPX1     00004000  0000A000  00003E00  00000400  E0000040
  UPX2     00001000  0000E000  00000200  00004200  C0000040

The layout is textbook UPX: UPX0 occupies 0x9000 bytes of address space but has no file data (it is the buffer the stub decompresses into), UPX1 holds the compressed payload plus the stub and contains the entry point (0xDBD0, near the end of the section), and both are writable and executable.

Import table (libraries: 3)
  KERNEL32.DLL (imports: 4): LoadLibraryA, GetProcAddress, VirtualProtect, ExitProcess
  ole32.dll    (imports: 1): CoInitialize
  SETUPAPI.dll (imports: 1): SetupCopyOEMInfW

The four KERNEL32 entries are the UPX stub's own imports. The single ole32 and SETUPAPI entries are kept only so the loader maps those DLLs; the original import table is rebuilt by the stub at run time, which is why the packed file's imports say little about the behaviour and the unpacked list below is the one to read.

Unpacking with UPX:
        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     45056 <-     17408   38.64%   win32/pe      winint.exe
Unpacked 1 file.

Unpacked sample

File Name: winint.exe
File size: 45056 bytes  <-- unpacked with UPX
MD5:  fcbfffcb2450a0c032e29dca86630cab
SHA1: a2c2556dd2f7c125a48c28d8cab0ef5f5223f65f
PEiD: Armadillo v1.71 (a frequent PEiD misidentification of ordinary Microsoft Visual C++ 6 binaries; the 6.0 linker version and the CRT start-up imports below fit a plain MSVC build, not a second packer)

VirusTotal Result: 3/30 (10%)
  Avast: Win32:Agent-TBP
  Ewido: Dropper.Small.axj
  Panda: Trj/SysW.A

File Info:
PE Header
  Signature:                    00004550
  Machine:                      014C - Intel 386
  Number of sections:           0003
  Time/Date stamp:              471C4C27 (unchanged: UPX preserves the original stamp)
  Pointer to symbol table:      00000000
  Number of symbols:            00000000
  Size of optional header:      00E0
  Characteristics:              010F
  Magic:                        010B
  Linker version (major):       06
  Linker version (minor):       00
  Size of code:                 00006000
  Size of initialized data:     00005000
  Size of uninitialized data:   00000000
  Address of entry point:       0000184A
  Base of code:                 00001000
  Base of data:                 00007000
  Image base:                   00400000
  Section alignment:            00001000
  File alignment:               00001000
  OS version (major):           0004
  OS version (minor):           0000
  Image version (major):        0000
  Image version (minor):        0000
  Sub system version (major):   0004
  Sub system version (minor):   0000
  Win32 version:                00000000
  Size of image:                0000C000
  Size of headers:              00001000
  Checksum:                     00000000
  Sub system:                   0003 - Windows character-mode user interface (CUI) subsystem
  DLL characteristics:          0000
  Size of stack reserve:        00100000
  Size of stack commit:         00001000
  Size of heap reserve:         00100000
  Size of heap commit:          00001000
  Loader flags:                 00000000
  Number of RVA:                00000010

PE Sections
  Object01: .text   RVA: 00001000  Offset: 00001000  Size: 00006000  Flags: 60000020
  Object02: .rdata  RVA: 00007000  Offset: 00007000  Size: 00001000  Flags: 40000040
  Object03: .data   RVA: 00008000  Offset: 00008000  Size: 00003000  Flags: C0000040

Number of Imported Modules = 3 (decimal)
  Import Module 001: KERNEL32.DLL
  Import Module 002: ole32.dll
  Import Module 003: SETUPAPI.dll

+++++++++++++++++++ IMPORT MODULE DETAILS +++++++++++++++

Import Module 001: KERNEL32.DLL
  Addr:000076BC hint(0000) Name: GetLastError
  Addr:000076CA hint(0000) Name: SetStdHandle
  Addr:000076D8 hint(0000) Name: LCMapStringW
  Addr:000076E6 hint(0000) Name: LCMapStringA
  Addr:000076F4 hint(0000) Name: SetFilePointer
  Addr:00007704 hint(0000) Name: FlushFileBuffers
  Addr:00007716 hint(0000) Name: LoadLibraryA
  Addr:00007724 hint(0000) Name: GetProcAddress
  Addr:00007734 hint(0000) Name: HeapReAlloc
  Addr:00007742 hint(0000) Name: VirtualAlloc
  Addr:00007750 hint(0000) Name: GetOEMCP
  Addr:0000775A hint(0000) Name: GetACP
  Addr:00007762 hint(0000) Name: GetCommandLineA
  Addr:00007774 hint(0000) Name: GetVersion
  Addr:00007780 hint(0000) Name: ExitProcess
  Addr:0000778E hint(0000) Name: TerminateProcess
  Addr:000077A0 hint(0000) Name: GetCurrentProcess
  Addr:000077B4 hint(0000) Name: UnhandledExceptionFilter
  Addr:000077CE hint(0000) Name: GetModuleFileNameA
  Addr:000077E2 hint(0000) Name: FreeEnvironmentStringsA
  Addr:000077FC hint(0000) Name: FreeEnvironmentStringsW
  Addr:00007816 hint(0000) Name: WideCharToMultiByte
  Addr:0000782C hint(0000) Name: GetEnvironmentStrings
  Addr:00007844 hint(0000) Name: GetEnvironmentStringsW
  Addr:0000785C hint(0000) Name: SetHandleCount
  Addr:0000786C hint(0000) Name: GetStdHandle
  Addr:0000787A hint(0000) Name: GetFileType
  Addr:00007888 hint(0000) Name: GetStartupInfoA
  Addr:0000789A hint(0000) Name: GetModuleHandleA
  Addr:000078AC hint(0000) Name: GetEnvironmentVariableA
  Addr:000078C6 hint(0000) Name: GetVersionExA
  Addr:000078D6 hint(0000) Name: HeapDestroy
  Addr:000078E4 hint(0000) Name: HeapCreate
  Addr:000078F0 hint(0000) Name: VirtualFree
  Addr:000078FE hint(0000) Name: HeapFree
  Addr:00007908 hint(0000) Name: RtlUnwind
  Addr:00007914 hint(0000) Name: WriteFile
  Addr:00007920 hint(0000) Name: HeapAlloc
  Addr:0000792C hint(0000) Name: MultiByteToWideChar
  Addr:00007942 hint(0000) Name: GetStringTypeA
  Addr:00007952 hint(0000) Name: GetStringTypeW
  Addr:00007962 hint(0000) Name: GetCPInfo
  Addr:0000796E hint(0000) Name: CloseHandle

Import Module 002: ole32.dll
  Addr:0000797C hint(0000) Name: CoCreateInstance
  Addr:0000798E hint(0000) Name: CoUninitialize
  Addr:0000799E hint(0000) Name: CoTaskMemAlloc
  Addr:000079AE hint(0000) Name: CoTaskMemFree
  Addr:000079BE hint(0000) Name: CoInitialize

Import Module 003: SETUPAPI.dll
  Addr:000079CC hint(0000) Name: SetupCopyOEMInfW
  Addr:000079DE hint(0000) Name: SetupFindFirstLineW
  Addr:000079F4 hint(0000) Name: SetupGetStringFieldW
  Addr:00007A0A hint(0000) Name: SetupOpenInfFileW
  Addr:00007A1E hint(0000) Name: SetupCloseInfFile

Almost all of the KERNEL32 list is the MSVC C run-time start-up (heap, environment, code page and exception helpers). The behaviourally interesting imports are the five SETUPAPI functions: open an INF, look up a line and read its string fields, and copy the INF into the system's OEM INF store. No WinINet/WinHTTP/Winsock import is present, so the downloads listed under Network Activities must be issued through a COM object obtained via CoCreateInstance rather than a directly imported HTTP API.

Gets dropped by the malware identified as:
  Trojan.DL.Win32.Mnless.ef
  W32/DLoader.DXVP
  Heur.Trojan.Generic
  DLOADER.Trojan

Analysis:

Drops a copy of the malware binary:
  %systemroot%\system32\wincom.exe   36864 bytes

Note that 36864 bytes matches neither the packed (17408) nor the unpacked (45056) winint.exe, so the dropped file is not a byte-for-byte copy and will not match on the hashes above; hunt for it by path and service name rather than by hash.

Registry Created:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinCOM\Security]
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,70,00,04,00,00,00,00,00,18,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,00,00,00,00,1c,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
  20,00,00,00,20,02,00,00,00,00,00,00,00,00,18,00,8d,01,02,00,01,01,00,00,00,\
  00,00,05,0b, c 00,00,00,20,02,00,00,00,00,1, 00,fd,01,02,00,01,02,00,00,00,00,\
  00,05,20,00,00,00,23,02,00,00,00,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\
  00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinCOM\Enum]
"0"="Root\\LEGACY_WINCOM\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

A Services\<name>\Enum entry of the form Root\LEGACY_<NAME>\0000 is what the service control manager writes for a non-PnP (legacy) driver service. Together with the SETUPAPI imports and the winsys.inf / winsys.sys pair in the strings below, this points to an INF-driven installation of a kernel driver registered as the WinCOM service; the page does not show the INF itself, so the exact install directives are not known.

Network Activities:

Download URLs and their local destinations, from strings in the binary (the same six strings appear twice, at 0xCFE0 and again at 0xD0D8). The remote winsys.exe is saved as c:\winsys.sys, i.e. as the driver image, and winint.exe itself is re-fetched as c:\winsys.exe:

  0000CFE0  1314CFE0  0  c:\winsys.exe
  0000CFF0  1314CFF0  0  http://aaa.tesekl.info/winint.exe
  0000D014  1314D014  0  c:\winsys.inf
  0000D024  1314D024  0  http://aaa.tesekl.info/winsys.inf
  0000D048  1314D048  0  c:\winsys.sys
  0000D058  1314D058  0  http://aaa.tesekl.info/winsys.exe
  0000D0D8  1314D0D8  0  c:\winsys.exe
  0000D0E8  1314D0E8  0  http://aaa.tesekl.info/winint.exe
  0000D10C  1314D10C  0  c:\winsys.inf
  0000D11C  1314D11C  0  http://aaa.tesekl.info/winsys.inf
  0000D140  1314D140  0  c:\winsys.sys
  0000D150  1314D150  0  http://aaa.tesekl.info/winsys.exe
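The PE header and section-table figures above come from a PE dumping tool. As an added example (it is not part of the original write-up and does not touch the real sample), the following Python reads the same fields from raw bytes and scores the UPX indicators that distinguish the packed layout from the unpacked one. It builds a synthetic PE32 header in memory whose section tables are copied from the two dumps above; everything else in the synthetic image (no real code or import directory) is constructed for the test.

```python
"""Parse PE32 headers and flag UPX-style packing indicators (added example).

Stand-alone: builds a constructed header image mirroring the section tables from
the write-up; it contains no code from the real winint.exe.
"""
import struct
from dataclasses import dataclass

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


@dataclass
class Section:
    name: str
    virt_size: int
    virt_addr: int
    raw_size: int
    raw_ptr: int
    flags: int


def parse_pe(data: bytes) -> dict:
    """Read the DOS, COFF and optional headers plus the section table of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled here")
    entry = struct.unpack_from("<I", data, opt + 16)[0]       # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]  # ImageBase
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]   # Subsystem (3 = CUI)
    sections = []
    for i in range(nsec):  # 40-byte IMAGE_SECTION_HEADER entries follow the optional header
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append(Section(f[0].rstrip(b"\0").decode("ascii", "replace"), f[1], f[2], f[3], f[4], f[9]))
    return {"machine": machine, "timestamp": stamp, "characteristics": chars, "entry_point": entry,
            "image_base": image_base, "subsystem": subsystem, "sections": sections}


def packing_indicators(info: dict) -> list:
    """Heuristics that fire on the packed layout and stay quiet on the unpacked one."""
    hits, secs = [], info["sections"]
    for s in secs:
        if s.name.upper().startswith("UPX"):
            hits.append(f"{s.name}: UPX section name")
        if s.raw_size == 0 and s.virt_size >= 0x1000 and s.flags & IMAGE_SCN_MEM_EXECUTE:
            hits.append(f"{s.name}: executable, {s.virt_size:#x} bytes virtual but 0 on disk (unpack buffer)")
        if s.flags & IMAGE_SCN_MEM_EXECUTE and s.flags & IMAGE_SCN_MEM_WRITE:
            hits.append(f"{s.name}: writable and executable")
    ep = info["entry_point"]
    ep_sec = next((s for s in secs if s.virt_addr <= ep < s.virt_addr + max(s.virt_size, s.raw_size)), None)
    if ep_sec is None:
        hits.append(f"entry point {ep:#x} lies outside every section")
    elif ep_sec is not secs[0]:
        hits.append(f"entry point {ep:#x} is in {ep_sec.name}, not the first section (unpacker stub)")
    return hits


def build_pe_header(entry_rva: int, sections: list, stamp: int = 0x471C4C27) -> bytes:
    """Construct only the headers of a PE32 file (synthetic test input, not real malware)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), stamp, 0, 0, 0xE0, 0x010F)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, 0x400000)                   # ImageBase as in the report
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)             # section / file alignment
    struct.pack_into("<H", opt, 68, 3)                          # IMAGE_SUBSYSTEM_WINDOWS_CUI
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    table = b"".join(struct.pack("<8sIIIIIIHHI", s.name.encode().ljust(8, b"\0"), s.virt_size,
                                 s.virt_addr, s.raw_size, s.raw_ptr, 0, 0, 0, 0, s.flags) for s in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Section tables as listed in the write-up; the surrounding image is synthetic.
PACKED = [Section("UPX0", 0x9000, 0x1000, 0, 0x400, 0xE0000080),
          Section("UPX1", 0x4000, 0xA000, 0x3E00, 0x400, 0xE0000040),
          Section("UPX2", 0x1000, 0xE000, 0x200, 0x4200, 0xC0000040)]
UNPACKED = [Section(".text", 0x6000, 0x1000, 0x6000, 0x1000, 0x60000020),
            Section(".rdata", 0x1000, 0x7000, 0x1000, 0x7000, 0x40000040),
            Section(".data", 0x3000, 0x8000, 0x3000, 0x8000, 0xC0000040)]

if __name__ == "__main__":
    for label, ep, secs in (("packed", 0xDBD0, PACKED), ("unpacked", 0x184A, UNPACKED)):
        info = parse_pe(build_pe_header(ep, secs))
        print(label, f"entry={info['entry_point']:#x}", packing_indicators(info) or "no packer indicators")
```

Against a real file, replace `build_pe_header(...)` with `open(path, "rb").read()`. The entry-point check is the one that survives renamed sections: a stub that lives in the last code section and jumps back into an empty first section is the shape of nearly every run-time packer, UPX or not.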
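The unpacked binary's SETUPAPI imports (SetupOpenInfFileW, SetupFindFirstLineW, SetupGetStringFieldW, SetupCopyOEMInfW) describe how it consumes the downloaded winsys.inf: open the INF, find a line in a section by key, and read the line's 1-based fields. As an added example, not code from the page or from the malware, the Python below reproduces that lookup model over an INF. The INF text is constructed for the example; the real winsys.inf is not shown on the page, so the service name, the install section and the directives in it are assumptions made to illustrate what an INF-driven driver install looks like.

```python
"""Minimal INF reader modelled on SetupFindFirstLine / SetupGetStringField (added example)."""
import re


def split_fields(text: str) -> list:
    """Split an INF value list on commas, honouring "quoted" fields and ';' comments."""
    fields, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:      # rest of the line is a comment
            break
        elif ch == "," and not quoted:
            fields.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    fields.append("".join(buf).strip())
    return fields


def parse_inf(text: str) -> dict:
    """Return {section_name_lower: [[key_or_None, field1, field2, ...], ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and "]" in line:
            current = line[1:line.index("]")].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None:                  # text before the first section header
            continue
        key, sep, rest = line.partition("=")
        if sep:
            sections[current].append([key.strip()] + split_fields(rest))
        else:                                # key-less line: field 0 absent, whole line is field 1..n
            sections[current].append([None] + split_fields(line))
    return sections


def find_first_line(inf: dict, section: str, key):
    """SetupFindFirstLine: first line in `section` whose key matches; key=None gives the first line."""
    for line in inf.get(section.lower(), []):
        if key is None or (line[0] is not None and line[0].lower() == key.lower()):
            return line
    return None


def get_string_field(line, index: int):
    """SetupGetStringField: index 0 is the key, 1..n the values; None when absent."""
    return line[index] if line is not None and 0 <= index < len(line) else None


def substitute(value, strings: dict):
    """Expand %Token% from [Strings]; unknown tokens such as the DIRID %12% are left as-is."""
    if value is None:
        return None
    return re.sub(r"%([^%]*)%", lambda m: strings.get(m.group(1).lower(), m.group(0)), value)


def describe_service_install(inf: dict) -> dict:
    """Follow AddService from [DefaultInstall.Services] into its service-install section."""
    strings = {l[0].lower(): l[1] for l in inf.get("strings", []) if l[0] and len(l) > 1}
    add = find_first_line(inf, "DefaultInstall.Services", "AddService")
    if add is None:
        raise ValueError("no AddService directive")
    name, install = get_string_field(add, 1), get_string_field(add, 3)

    def value(key):
        return substitute(get_string_field(find_first_line(inf, install, key), 1), strings)

    return {"service": name, "display_name": value("DisplayName"), "service_type": value("ServiceType"),
            "start_type": value("StartType"), "binary": value("ServiceBinary"),
            "source_files": [l[0] for l in inf.get("sourcedisksfiles", []) if l[0]]}


# Constructed for this example; the page does not show the real winsys.inf.
SAMPLE_INF = """\
[Version]
Signature="$CHICAGO$"

[DefaultInstall.Services]
AddService=WinCOM,0x00000002,WinCOM_Service_Inst

[WinCOM_Service_Inst]
DisplayName=%SvcDesc%
ServiceType=1      ; SERVICE_KERNEL_DRIVER
StartType=2        ; SERVICE_AUTO_START
ServiceBinary=%12%\\winsys.sys

[SourceDisksFiles]
winsys.sys=1

[Strings]
SvcDesc="Windows COM Service"
"""

if __name__ == "__main__":
    print(describe_service_install(parse_inf(SAMPLE_INF)))
```

When a dropped INF is recovered, the fields worth pulling out are exactly these: the AddService name (which becomes the Services\<name> key seen in the registry), ServiceType 1 (kernel driver), the StartType, and the ServiceBinary path, since they give the persistence mechanism and the on-disk artefact without running the sample.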