[#############################################################################]
Analysis Report for Generator.exe
MD5: 02557d8d1fae846c1dc98da734739d4b
[#############################################################################]
Summary:
- Performs Registry Activities:
The executable reads and modifies registry values. It also creates and
monitors registry keys.
[=============================================================================]
Table of Contents
[=============================================================================]
- General information
- sample.exe
a) Registry Activities
b) File Activities
[#############################################################################]
1. General Information
[#############################################################################]
[=============================================================================]
Information about Anubis' invocation
[=============================================================================]
Time needed: 49 s
Report created: 05/11/09, 19:57:37 UTC
Termination reason: All tracked processes have exited
Program version: 1.67.0
[#############################################################################]
2. sample.exe
[#############################################################################]
[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Primary Analysis Subject
Filename: sample.exe
MD5: 02557d8d1fae846c1dc98da734739d4b
SHA-1: bc4329e1e232ab0063fc59c6aa7c72ba5edddd19
File Size: 586752 Bytes
Command Line: "C:\sample.exe"
Process status at analysis end: dead
Exit Code: 0
[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\user32.dll ],
Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\advapi32.dll ],
Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\oleaut32.dll ],
Base Address: [0x77120000 ], Size: [0x0008B000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\ole32.dll ],
Base Address: [0x774E0000 ], Size: [0x0013D000 ]
Module Name: [ C:\WINDOWS\system32\version.dll ],
Base Address: [0x77C00000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\comctl32.dll ],
Base Address: [0x5D090000 ], Size: [0x0009A000 ]
Module Name: [ C:\WINDOWS\system32\IMM32.DLL ],
Base Address: [0x76390000 ], Size: [0x0001D000 ]
[=============================================================================]
Run-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\uxtheme.dll ],
Base Address: [0x5AD70000 ], Size: [0x00038000 ]
Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ],
Base Address: [0x71AA0000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\WS2_32.DLL ],
Base Address: [0x71AB0000 ], Size: [0x00017000 ]
Module Name: [ C:\WINDOWS\system32\MSCTF.dll ],
Base Address: [0x74720000 ], Size: [0x0004C000 ]
Module Name: [ C:\WINDOWS\system32\msctfime.ime ],
Base Address: [0x755C0000 ], Size: [0x0002E000 ]
[=============================================================================]
2.a) sample.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ],
Value Name: [ CUAS ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\CTF\SystemShared ],
Value Name: [ CUAS ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\IMM ],
Value Name: [ Ime File ], Value: [ msctfime.ime ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters ],
Value Name: [ WinSock_Registry_Version ], Value: [ 2.0 ], 2 times
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ],
Value Name: [ Num_Catalog_Entries ], Value: [ 3 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ],
Value Name: [ Serial_Access_Num ], Value: [ 4 ], 2 times
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ],
Value Name: [ DisplayString ], Value: [ Tcpip ], 4 times
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ],
Value Name: [ Enabled ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ],
Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\mswsock.dll ], 2 times
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ],
Value Name: [ ProviderId ], Value: [ 0x409d05229e7ecf11ae5a00aa00a7112b ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ],
Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ],
Value Name: [ SupportedNameSpace ], Value: [ 12 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ],
Value Name: [ Version ], Value: [ 0 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ],
Value Name: [ DisplayString ], Value: [ NTDS ], 4 times
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ],
Value Name: [ Enabled ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ],
Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\winrnr.dll ], 2 times
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ],
Value Name: [ ProviderId ], Value: [ 0xee37263b80e5cf11a55500c04fd8d4ac ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ],
Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ],
Value Name: [ SupportedNameSpace ], Value: [ 32 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ],
Value Name: [ Version ], Value: [ 0 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ],
Value Name: [ DisplayString ], Value: [ Network Location Awareness (NLA) Namespace ], 4 times
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ],
Value Name: [ Enabled ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ],
Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\mswsock.dll ], 2 times
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ],
Value Name: [ ProviderId ], Value: [ 0x3a244266a83ba64abaa52e0bd71fdd83 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ],
Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ],
Value Name: [ SupportedNameSpace ], Value: [ 15 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ],
Value Name: [ Version ], Value: [ 0 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ],
Value Name: [ Next_Catalog_Entry_ID ], Value: [ 1012 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ],
Value Name: [ Num_Catalog_Entries ], Value: [ 11 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ],
Value Name: [ Serial_Access_Num ], Value: [ 4 ], 2 times
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 ],
Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 ],
Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 ],
Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 ],
Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\rsvpsp.d ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 ],
Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\rsvpsp.d ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 ],
Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 ],
Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 ],
Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 ],
Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 ],
Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 ],
Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Monitored Registry Keys:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ],
Watch subtree: [ 0 ], Notify Filter: [ Key Change ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ],
Watch subtree: [ 0 ], Notify Filter: [ Key Change ], 1 time
[=============================================================================]
2.b) sample.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\system32\MSCTF.dll ]
File Name: [ C:\WINDOWS\system32\Msimtf.dll ]
File Name: [ C:\WINDOWS\system32\WS2HELP.dll ]
File Name: [ C:\WINDOWS\system32\WS2_32.DLL ]
File Name: [ C:\WINDOWS\system32\msctfime.ime ]
File Name: [ C:\WINDOWS\system32\uxtheme.dll ]
[#############################################################################]
International Secure Systems Lab
http://www.iseclab.org
Vienna University of Technology Eurecom France UC Santa Barbara
http://www.tuwien.ac.at http://www.eurecom.fr http://www.cs.ucsb.edu
Contact:
anubis@iseclab.org