Saturday, January 2, 2010

Analysis on Win32.Viking.b

I got the sample, Win32.Viking.b, from vx.netlux.org. It is an old one by now. I ran it in a VM after taking a baseline of the running processes.

Here is the result:
On execution, it creates a new file, Logo1_.exe.

File: Logo1_.exe
Size: 57344 Bytes
MD5: 4B76AAA70F11A65EE48ACAA886C823DE

Processes:
PID   ParentPID  User                           Path
1764  1228       HOME-B0E0982E28:Administrator  C:\WINDOWS\Logo1_.exe

The registry keys that are affected:

RegKeys
--------------------------------------------------
SOFTWARE\Borland\Delphi\RTL
Software\Soft\DownloadWWW\
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
Software\Soft\DownloadWWW\

The PE header info (from perdr):

The import section:

DLL: kernel32.dll
Addr: 000180DC hint: 0(0000) Name: DeleteCriticalSection
Addr: 000180E0 hint: 0(0000) Name: LeaveCriticalSection
Addr: 000180E4 hint: 0(0000) Name: EnterCriticalSection
Addr: 000180E8 hint: 0(0000) Name: InitializeCriticalSection
Addr: 000180EC hint: 0(0000) Name: VirtualFree
Addr: 000180F0 hint: 0(0000) Name: VirtualAlloc
Addr: 000180F4 hint: 0(0000) Name: LocalFree
Addr: 000180F8 hint: 0(0000) Name: LocalAlloc
Addr: 000180FC hint: 0(0000) Name: GetVersion
Addr: 00018100 hint: 0(0000) Name: GetCurrentThreadId
Addr: 00018104 hint: 0(0000) Name: WideCharToMultiByte
Addr: 00018108 hint: 0(0000) Name: MultiByteToWideChar
Addr: 0001810C hint: 0(0000) Name: GetThreadLocale
Addr: 00018110 hint: 0(0000) Name: GetStartupInfoA
Addr: 00018114 hint: 0(0000) Name: GetModuleFileNameA
Addr: 00018118 hint: 0(0000) Name: GetLocaleInfoA
Addr: 0001811C hint: 0(0000) Name: GetCommandLineA
Addr: 00018120 hint: 0(0000) Name: FreeLibrary
Addr: 00018124 hint: 0(0000) Name: ExitProcess
Addr: 00018128 hint: 0(0000) Name: WriteFile
Addr: 0001812C hint: 0(0000) Name: UnhandledExceptionFilter
Addr: 00018130 hint: 0(0000) Name: RtlUnwind
Addr: 00018134 hint: 0(0000) Name: RaiseException
Addr: 00018138 hint: 0(0000) Name: GetStdHandle

DLL: user32.dll
Addr: 00018140 hint: 0(0000) Name: GetKeyboardType
Addr: 00018144 hint: 0(0000) Name: MessageBoxA
Addr: 00018148 hint: 0(0000) Name: CharNextA

DLL: advapi32.dll
Addr: 00018150 hint: 0(0000) Name: RegQueryValueExA
Addr: 00018154 hint: 0(0000) Name: RegOpenKeyExA
Addr: 00018158 hint: 0(0000) Name: RegCloseKey

DLL: oleaut32.dll
Addr: 00018160 hint: 0(0000) Name: SysFreeString
Addr: 00018164 hint: 0(0000) Name: SysReAllocStringLen
Addr: 00018168 hint: 0(0000) Name: SysAllocStringLen

DLL: kernel32.dll
Addr: 00018170 hint: 0(0000) Name: TlsSetValue
Addr: 00018174 hint: 0(0000) Name: TlsGetValue
Addr: 00018178 hint: 0(0000) Name: LocalAlloc
Addr: 0001817C hint: 0(0000) Name: GetModuleHandleA

DLL: advapi32.dll
Addr: 00018184 hint: 0(0000) Name: RegSetValueExA
Addr: 00018188 hint: 0(0000) Name: RegQueryValueExA
Addr: 0001818C hint: 0(0000) Name: RegOpenKeyExA
Addr: 00018190 hint: 0(0000) Name: RegCreateKeyExA
Addr: 00018194 hint: 0(0000) Name: RegCloseKey
Addr: 00018198 hint: 0(0000) Name: LookupAccountSidA
Addr: 0001819C hint: 0(0000) Name: LookupAccountNameA
Addr: 000181A0 hint: 0(0000) Name: GetSidSubAuthorityCount
Addr: 000181A4 hint: 0(0000) Name: GetSidSubAuthority
Addr: 000181A8 hint: 0(0000) Name: GetSidIdentifierAuthority
Addr: 000181AC hint: 0(0000) Name: FreeSid
Addr: 000181B0 hint: 0(0000) Name: AllocateAndInitializeSid

DLL: kernel32.dll
Addr: 000181B8 hint: 0(0000) Name: WriteProcessMemory
Addr: 000181BC hint: 0(0000) Name: WriteFile
Addr: 000181C0 hint: 0(0000) Name: VirtualFreeEx
Addr: 000181C4 hint: 0(0000) Name: VirtualAllocEx
Addr: 000181C8 hint: 0(0000) Name: TerminateProcess
Addr: 000181CC hint: 0(0000) Name: SuspendThread
Addr: 000181D0 hint: 0(0000) Name: SizeofResource
Addr: 000181D4 hint: 0(0000) Name: SetThreadContext
Addr: 000181D8 hint: 0(0000) Name: SetLastError
Addr: 000181DC hint: 0(0000) Name: SetFileTime
Addr: 000181E0 hint: 0(0000) Name: SetFilePointer
Addr: 000181E4 hint: 0(0000) Name: SetFileAttributesA
Addr: 000181E8 hint: 0(0000) Name: ResumeThread
Addr: 000181EC hint: 0(0000) Name: ReadFile
Addr: 000181F0 hint: 0(0000) Name: OpenProcess
Addr: 000181F4 hint: 0(0000) Name: MapViewOfFile
Addr: 000181F8 hint: 0(0000) Name: LockResource
Addr: 000181FC hint: 0(0000) Name: LoadResource
Addr: 00018200 hint: 0(0000) Name: LoadLibraryA
Addr: 00018204 hint: 0(0000) Name: IsBadReadPtr
Addr: 00018208 hint: 0(0000) Name: GlobalFree
Addr: 0001820C hint: 0(0000) Name: GlobalAlloc
Addr: 00018210 hint: 0(0000) Name: GetWindowsDirectoryA
Addr: 00018214 hint: 0(0000) Name: GetVersionExA
Addr: 00018218 hint: 0(0000) Name: GetThreadContext
Addr: 0001821C hint: 0(0000) Name: GetTempPathA
Addr: 00018220 hint: 0(0000) Name: GetTempFileNameA
Addr: 00018224 hint: 0(0000) Name: GetProcAddress
Addr: 00018228 hint: 0(0000) Name: GetModuleHandleA
Addr: 0001822C hint: 0(0000) Name: GetLastError
Addr: 00018230 hint: 0(0000) Name: GetFileTime
Addr: 00018234 hint: 0(0000) Name: GetFileSize
Addr: 00018238 hint: 0(0000) Name: GetDriveTypeA
Addr: 0001823C hint: 0(0000) Name: GetCurrentProcessId
Addr: 00018240 hint: 0(0000) Name: GetCurrentProcess
Addr: 00018244 hint: 0(0000) Name: GetComputerNameA
Addr: 00018248 hint: 0(0000) Name: FreeResource
Addr: 0001824C hint: 0(0000) Name: FreeLibrary
Addr: 00018250 hint: 0(0000) Name: FindResourceA
Addr: 00018254 hint: 0(0000) Name: FindNextFileA
Addr: 00018258 hint: 0(0000) Name: FindFirstFileA
Addr: 0001825C hint: 0(0000) Name: FindClose
Addr: 00018260 hint: 0(0000) Name: FileTimeToLocalFileTime
Addr: 00018264 hint: 0(0000) Name: FileTimeToDosDateTime
Addr: 00018268 hint: 0(0000) Name: ExitProcess
Addr: 0001826C hint: 0(0000) Name: DuplicateHandle
Addr: 00018270 hint: 0(0000) Name: DeleteFileA
Addr: 00018274 hint: 0(0000) Name: CreateThread
Addr: 00018278 hint: 0(0000) Name: CreateSemaphoreA
Addr: 0001827C hint: 0(0000) Name: CreateProcessA
Addr: 00018280 hint: 0(0000) Name: CreateFileMappingA
Addr: 00018284 hint: 0(0000) Name: CreateFileA
Addr: 00018288 hint: 0(0000) Name: CopyFileA
Addr: 0001828C hint: 0(0000) Name: CompareStringA
Addr: 00018290 hint: 0(0000) Name: CloseHandle

DLL: mpr.dll
Addr: 00018298 hint: 0(0000) Name: WNetOpenEnumA
Addr: 0001829C hint: 0(0000) Name: WNetEnumResourceA
Addr: 000182A0 hint: 0(0000) Name: WNetCloseEnum
Addr: 000182A4 hint: 0(0000) Name: WNetCancelConnectionA
Addr: 000182A8 hint: 0(0000) Name: WNetCancelConnection2A
Addr: 000182AC hint: 0(0000) Name: WNetAddConnection2A

DLL: user32.dll
Addr: 000182B4 hint: 0(0000) Name: CreateWindowExA
Addr: 000182B8 hint: 0(0000) Name: UpdateWindow
Addr: 000182BC hint: 0(0000) Name: TranslateMessage
Addr: 000182C0 hint: 0(0000) Name: SendMessageA
Addr: 000182C4 hint: 0(0000) Name: RegisterClassA
Addr: 000182C8 hint: 0(0000) Name: PostThreadMessageA
Addr: 000182CC hint: 0(0000) Name: PostMessageA
Addr: 000182D0 hint: 0(0000) Name: LoadCursorA
Addr: 000182D4 hint: 0(0000) Name: GetWindowTextA
Addr: 000182D8 hint: 0(0000) Name: GetMessageA
Addr: 000182DC hint: 0(0000) Name: GetDesktopWindow
Addr: 000182E0 hint: 0(0000) Name: FindWindowExA
Addr: 000182E4 hint: 0(0000) Name: FindWindowA
Addr: 000182E8 hint: 0(0000) Name: DispatchMessageA
Addr: 000182EC hint: 0(0000) Name: DefWindowProcA

DLL: wsock32.dll
Addr: 000182F4 hint: 0(0000) Name: WSACleanup
Addr: 000182F8 hint: 0(0000) Name: WSAStartup
Addr: 000182FC hint: 0(0000) Name: gethostname
Addr: 00018300 hint: 0(0000) Name: gethostbyname
Addr: 00018304 hint: 0(0000) Name: inet_ntoa
Addr: 00018308 hint: 0(0000) Name: inet_addr
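The import table above is the most useful static hint of what the sample can do. As an added example (my own triage script, not part of the original post or of perdr), the following parses a perdr-style listing and flags capability groups only when every API of the group is imported, so that a single benign API such as CopyFileA does not trigger a flag. The capability grouping is my own; the embedded sample is an excerpt of the listing above.

```python
import re
from collections import defaultdict
# Constructed excerpt of the perdr import listing above (DLL names, addresses
# and API names copied from the post; the rest of the table is omitted).
SAMPLE_IMPORTS = """\
DLL: kernel32.dll
Addr: 000181B8 hint: 0(0000) Name: WriteProcessMemory
Addr: 000181C4 hint: 0(0000) Name: VirtualAllocEx
Addr: 000181D4 hint: 0(0000) Name: SetThreadContext
Addr: 000181DC hint: 0(0000) Name: SetFileTime
Addr: 000181E8 hint: 0(0000) Name: ResumeThread
Addr: 000181F0 hint: 0(0000) Name: OpenProcess
Addr: 00018230 hint: 0(0000) Name: GetFileTime
Addr: 00018254 hint: 0(0000) Name: FindNextFileA
Addr: 00018258 hint: 0(0000) Name: FindFirstFileA
Addr: 00018288 hint: 0(0000) Name: CopyFileA

DLL: mpr.dll
Addr: 00018298 hint: 0(0000) Name: WNetOpenEnumA
Addr: 000182AC hint: 0(0000) Name: WNetAddConnection2A
"""

# Capability buckets (my own grouping): a bucket fires only when every API
# in it is imported, so a lone CopyFileA does not raise a flag by itself.
CAPABILITIES = {
    "process-injection": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                          "SetThreadContext", "ResumeThread"},
    "file-search-and-copy": {"FindFirstFileA", "FindNextFileA", "CopyFileA"},
    "file-time-tampering": {"GetFileTime", "SetFileTime"},
    "network-share-access": {"WNetOpenEnumA", "WNetAddConnection2A"},
    "registry-write": {"RegCreateKeyExA", "RegSetValueExA"},
}
DLL_RE = re.compile(r"^DLL:\s*(\S+)", re.I)
IMP_RE = re.compile(r"^Addr:\s*[0-9A-Fa-f]+\s+hint:\s*\S+\s+Name:\s*(\S+)")

def parse_imports(text):
    """Return {dll: set(api)} from a perdr-style 'DLL:' / 'Addr: ... Name:' listing."""
    imports, dll = defaultdict(set), None
    for line in text.splitlines():
        if (m := DLL_RE.match(line)):
            dll = m.group(1).lower()          # a DLL may appear more than once; sets merge
        elif (m := IMP_RE.match(line)) and dll:
            imports[dll].add(m.group(1))
    return dict(imports)

def capabilities(imports):
    """Sorted names of capability buckets whose API sets are fully imported."""
    present = set().union(*imports.values()) if imports else set()
    return sorted(name for name, apis in CAPABILITIES.items() if apis <= present)
```

Run against the full listing from the post, the registry-write bucket fires as well, since advapi32.dll contributes RegCreateKeyExA and RegSetValueExA.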

TrID result
