The document appears to be a malware analysis report that details the behavior and network activity of a suspicious executable file. It found numerous behavioral indicators suggesting the file is a variant of Zeus malware. The analysis observed the file making HTTP requests to a web server, downloading additional files, modifying the registry and executing other processes. The report provided details on the file, network streams, processes and artifacts observed during dynamic analysis in a virtual sandbox environment.
Example of a Zeus malware analysis report produced by Cisco AMP Threat Grid
Analysis Report
ID 79ec746ef572388896c1485e1b70146f
OS 2600.xpsp.080413-2111
Started 8/7/14 15:53:09
Ended 8/7/14 15:59:27
Duration 0:06:18
Sandbox plague (pilot-d)
Filename 0553733405.exe
Magic Type PE32 executable (GUI) Intel 80386, for MS Windows
Analyzed As exe
SHA256 d9d42df15fad8c80da9102c80c14c2913ccf7ce7e454e8d54a4decd823fc98af
SHA1 d1c9100913bedab19cc127a3cd427b678ac46192
MD5 bdcd4ff82d6894156b945c96ac45b9ec
Warnings
Executable Failed Integrity Check
Behavioral Indicators
Possible ZeuS Variant Detected (Severity: 100 Confidence: 100)
Process Modified an Executable File (Severity: 95 Confidence: 95)
Netsh.exe Used to Disable Windows Firewall (Severity: 90 Confidence: 100)
Netsh.exe Used to Alter Windows Firewall (Severity: 90 Confidence: 100)
Process Modified Autorun Registry Key Value (Severity: 80 Confidence: 60)
Downloaded PE Executable (Severity: 80 Confidence: 95)
Outbound HTTP GET Request (Severity: 75 Confidence: 75)
Process Modified File in a User Directory (Severity: 70 Confidence: 80)
Potential Sandbox Detection - Enumeration of ProductID (Severity: 60 Confidence: 70)
Potential Code Injection Detected (Severity: 50 Confidence: 50)
Command Exe File Execution Detected (Severity: 50 Confidence: 80)
PE Has Sections Marked Executable and Writable (Severity: 40 Confidence: 60)
PE Has Sections Marked Shareable (Severity: 40 Confidence: 60)
Possible Double Flux Nameserver Detected [Beta] (Severity: 35 Confidence: 50)
Possible Fast Flux Domain Detected [Beta] (Severity: 35 Confidence: 20)
Executable with Encrypted Sections (Severity: 30 Confidence: 30)
Outbound Communications to Nginx Web Server (Severity: 25 Confidence: 25)
PE Resource Indicates Chinese Origin (Severity: 25 Confidence: 60)
Outbound HTTP POST Communications (Severity: 25 Confidence: 25)
Process Enumerated Running Processes Using Tasklist Utility (Severity: 20 Confidence: 60)
Process Enumerates TCP/IP Network Configuration (Severity: 20 Confidence: 60)
HTTP Traffic
POST http://gokspflol.com:80/LKj839htgHBO/file.php (Stream: 4 Transaction: 0)
Server IP: 91.196.54.104
Server Port: 80
Resp. Content: application/octet-stream
Timestamp: +117.032s
POST http://gokspflol.com:80/LKj839htgHBO/file.php (Stream: 5 Transaction: 0)
Server IP: 91.196.54.104
Server Port: 80
Resp. Content: application/octet-stream
Timestamp: +117.118s
POST http://gokspflol.com:80/LKj839htgHBO/file.php (Stream: 6 Transaction: 0)
Server IP: 91.196.54.104
Server Port: 80
Resp. Content: application/octet-stream
Timestamp: +121.251s
GET http://www.google.com:80/webhp (Stream: 7 Transaction: 0)
Server IP: 173.194.46.113
Server Port: 80
Resp. Content: text/html
Timestamp: +140.784s
POST http://gokspflol.com:80/LKj839htgHBO/gate.php (Stream: 8 Transaction: 0)
Server IP: 91.196.54.104
Server Port: 80
Resp. Content: application/octet-stream
Timestamp: +142.047s
POST http://gokspflol.com:80/LKj839htgHBO/files/config.dll (Stream: 9 Transaction: 0)
Server IP: 91.196.54.104
Server Port: 80
Resp. Content: application/octet-stream
Timestamp: +142.813s
POST http://gokspflol.com:80/LKj839htgHBO/file.php (Stream: 10 Transaction: 0)
Server IP: 91.196.54.104
Server Port: 80
Resp. Content: application/x-dosexec
Timestamp: +143.1s
POST http://gokspflol.com:80/LKj839htgHBO/gate.php (Stream: 11 Transaction: 0)
Server IP: 91.196.54.104
Server Port: 80
Resp. Content: application/octet-stream
Timestamp: +146.421s
DNS Traffic
Query Type: A, Query Data: www.google.com (Stream: 2 Query: 1648)
TTL: -
Timestamp: +139.847s
Query Type: A, Query Data: gokspflol.com (Stream: 2 Query: 61567)
TTL: 150
Timestamp: +116.48s
Query Type: A, Query Data: gokspflol.com (Stream: 3 Query: 60263)
TTL: 150
Timestamp: +116.483s
TCP/IP Streams
Network Stream: 0
Src. IP 172.16.1.1
Src. Port
Dest. IP 172.16.138.194
Dest. Port
Transport ICMP
Artifacts 0
Packets 2
Bytes 96
Timestamp +35.858s
Network Stream: 1
Src. IP 172.16.138.194
Src. Port
Dest. IP 224.0.0.22
Dest. Port
Transport IGMP
Artifacts 0
Packets 2
Bytes 80
Timestamp +37.976s
Network Stream: 2 (DNS)
Src. IP 172.16.138.194
Src. Port 1061
Dest. IP 172.16.1.1
Dest. Port 53
Transport UDP
Artifacts 0
Packets 4
Bytes 858
Timestamp +116.48s
Network Stream: 3 (DNS)
Src. IP 172.16.138.194
Src. Port 1062
Dest. IP 172.16.1.1
Dest. Port 53
Transport UDP
Artifacts 0
Packets 2
Bytes 586
Timestamp +116.483s
Network Stream: 4 (HTTP)
Src. IP 172.16.138.194
Src. Port 1063
Dest. IP 91.196.54.104
Dest. Port 80
Transport TCP
Artifacts 1
Packets 164
Bytes 185283
Timestamp +116.906s
Network Stream: 5 (HTTP)
Src. IP 172.16.138.194
Src. Port 1064
Dest. IP 91.196.54.104
Dest. Port 80
Transport TCP
Artifacts 1
Packets 15
Bytes 7134
Timestamp +117.034s
Network Stream: 6 (HTTP)
Src. IP 172.16.138.194
Src. Port 1065
Dest. IP 91.196.54.104
Dest. Port 80
Transport TCP
Artifacts 1
Packets 199
Bytes 230209
Timestamp +121.132s
Network Stream: 7 (HTTP)
Src. IP 172.16.138.194
Src. Port 1066
Dest. IP 173.194.46.113
Dest. Port 80
Transport TCP
Artifacts 1
Packets 38
Bytes 33625
Timestamp +140.725s
Network Stream: 8 (HTTP)
Src. IP 172.16.138.194
Src. Port 1067
Dest. IP 91.196.54.104
Dest. Port 80
Transport TCP
Artifacts 1
Packets 10
Bytes 1419
Timestamp +141.927s
Network Stream: 9 (HTTP)
Src. IP 172.16.138.194
Src. Port 1068
Dest. IP 91.196.54.104
Dest. Port 80
Transport TCP
Artifacts 1
Packets 15
Bytes 7095
Timestamp +142.675s
Network Stream: 10 (HTTP)
Src. IP 172.16.138.194
Src. Port 1069
Dest. IP 91.196.54.104
Dest. Port 80
Transport TCP
Artifacts 1
Packets 260
Bytes 295007
Timestamp +142.985s
Network Stream: 11 (HTTP)
Src. IP 172.16.138.194
Src. Port 1070
Dest. IP 91.196.54.104
Dest. Port 80
Transport TCP
Artifacts 1
Packets 10
Bytes 1214
Timestamp +146.299s
Processes
Name: 0553733405.exe
Artifacts
Read by: 1156 (cmd.exe)
Artifact 4: Documents and Settings\Administrator...ataLeymtyodsyo.epd
Src: disk
Imports: 0
Type: data
SHA256: 3f10dc24fe2715dc4f69ac3af223bf28375eb1ceb16b569c71f61585eee1bd63
Size: 399066
Exports: 0
AV Sigs: 0
MD5: c867627b458c957c419586313a377e6f
Artifact 5: WINDOWS\Prefetch\CMD.EXE-087B4001.pf
Src: disk
Imports: 0
Type: data
SHA256: e1807396fbc6f84bcdbe6659293c241048cf13a8c2a72fa8386577edfce523ae
Size: 12932
Exports: 0
AV Sigs: 0
MD5: b371d56172afc6376ed13c29e7c95663
Artifact 6: Documents and Settings\Administrator...DataElmoyelinw.eco
Src: disk
Imports: 0
Type: data
SHA256: 91dd2f7b3eb6701b35ea3a7148408bbb64c2ef2fcd7322e84bc25e5137d6de0e
Size: 9433
Exports: 0
AV Sigs: 0
MD5: 0da6e692cbee5c0a575d572c344ee841
Artifact 7: Documents and Settings\Administrator...ok\Administrator.wab
Src: disk
Imports: 0
Type: data
SHA256: e24fa116b9f460dc55131a7772cd194188032e55dee0c874dcb4e62c5e0ef23c
Size: 176594
Exports: 0
AV Sigs: 0
MD5: c62276113d0468f8215b5bfcad810066
Artifact 8: Documents and Settings\Administrator...k\Administrator.wab~
Src: disk
Imports: 0
Type: data
SHA256: e24fa116b9f460dc55131a7772cd194188032e55dee0c874dcb4e62c5e0ef23c
Size: 176594
Exports: 0
AV Sigs: 0
MD5: c62276113d0468f8215b5bfcad810066
Artifact 9: Documents and Settings\Administrator...trator@google[2].txt
Src: disk
Imports: 0
Type: ASCII text
SHA256: 9ba6b1fdc0c16ac09caa6b5cda53781d4245e800ad478dec7bdc17be74f47d5f
Size: 327
Exports: 0
AV Sigs: 0
MD5: 5b07bec122cef3be03daa7d4b2bbdffd
Artifact 10: Documents and Settings\Administrator\Cookies\index.dat
Src: disk
Imports: 0
Type: Internet Explorer cache file version Ver 5.2
SHA256: 3f1e063b094727983567dc59200368c2730fd8cf6d71d43a8ab3348a78d38de2
Size: 32768
Exports: 0
AV Sigs: 0
MD5: fc4fff9fbb16be51485f2affe83b2b82
Artifact 11: Documents and Settings\Administrator... Express\Folders.dbx
Src: disk
Imports: 0
Type: MS Outlook Express DBX file, folder database
SHA256: 722d676dc803351cb2ab4a3b4d2f96d9c8d36d4748d93d88f0570f16c4b1f2ff
Size: 75204
Exports: 0
AV Sigs: 0
MD5: c0a6b920be7cc9deed14c88ccd6fc84a
Artifact 12: Documents and Settings\Administrator...ok Express\Inbox.dbx
Src: disk
Imports: 0
Type: MS Outlook Express DBX file, message database
SHA256: 0a794011f2f9274053eae42ab94be4c8e7ab42977ac188bae474ee3810158a9d
Size: 142036
Exports: 0
AV Sigs: 0
MD5: a5be91c1b79359f28ef1793f88748e93
Artifact 13: Documents and Settings\Administrator... Express\Offline.dbx
Src: disk
Imports: 0
Type: MS Outlook Express DBX file, offline database
SHA256: 14ff7ea3f7634352d7e787a69b997d6694ac1f8270db51ad077b24efeffbfa11
Size: 9656
Exports: 0
AV Sigs: 0
MD5: c78f0742eae95fcf92f7f1c6009d9341
Artifact 14: Documents and Settings\Administrator...press\Sent Items.dbx
Src: disk
Imports: 0
Type: MS Outlook Express DBX file, message database
SHA256: 37b9f67bd4301ecf6f56cbdaf697131c20441c3514f67f09510a2e700872a0ff
Size: 76500
Exports: 0
AV Sigs: 0
MD5: 5c9871500ef4f120d08456c18e04bb8c
Artifact 15: Documents and Settings\Administrator...l Settings\Temp:$I30
Src: disk
Imports: 0
Type: data
SHA256: aae89fc0f03e2959ae4d701a80cc3915918c950b159f6abb6c92c1433b1a8534
Size: 8
Exports: 0
AV Sigs: 0
MD5: f5be5308b59e045b7c5b33ee8908cfb7
Artifact 16: Documents and Settings\Administrator...Temp\tmp49402139.bat
Src: disk
Imports: 0
Type: JS - JavaScript
SHA256: ab992adf7190584b310ccdc873a2d1bab142d31d176607537479b492fa63a518
Size: 148
Exports: 0
AV Sigs: 0
MD5: eab7ff00f0672cbb464a3559959abb2f
Artifact 17: WINDOWS\Prefetch\0553733405.EXE-29BD3105.pf
Src: disk
Imports: 0
Type: data
SHA256: 20880208ebe53e348d89929f1c8f0bf6a892b114f217b13ac495ddd23cd29942
Size: 14902
Exports: 0
AV Sigs: 0
MD5: ab1983cb947518905a3b65667e3d8cff
Artifact 18: WINDOWS\Prefetch\RUNDLL32.EXE-1BC69D2D.pf
Src: disk
Imports: 0
Type: data
SHA256: 096c5f681ef43e46e678ac54e9f17af48dd7c95efa2cf1a1ebba5b2047daf93a
Size: 21148
Exports: 0
AV Sigs: 0
MD5: 85e017caddc84913038e28330f37658a
Artifact 19: WINDOWS\Prefetch\RUNDLL32.EXE-451FC2C0.pf
Src: disk
Imports: 0
Type: data
SHA256: e3fe1ba179dd050bd194ca69c30ee0ec7db082dfcc06c7f9dd26d6561840e337
Size: 12602
Exports: 0
AV Sigs: 0
MD5: e351d3a15519644e3c7decd1ba1dc8e9
Artifact 20: WINDOWS\Prefetch\TASKLIST.EXE-10D94B23.pf
Src: disk
Imports: 0
Type: data
SHA256: 4f622d4a580f4bee5811d66d28179c338a4cc1f6bf38a5e9675680df729ec0a5
Size: 24914
Exports: 0
AV Sigs: 0
MD5: 6faf841a8494759936bb136c118abfb0
Artifact 21: WINDOWS\Prefetch\TMP650921D2.EXE-29C2F8AE.pf
Src: disk
Imports: 0
Type: data
SHA256: 936b6a21ddeaa25e2055f9d300944b49c5546f65df08a8cb42a74f46d0584b43
Size: 22678
Exports: 0
AV Sigs: 0
MD5: f67dd18afb660a7134bae1a72655b2f7
Artifact 22: WINDOWS\Prefetch\NETSH.EXE-085CFFDE.pf
Src: disk
Imports: 0
Type: data
SHA256: c4f069507f3553306c0acd8227e105e0f9799a527fbe20da390fb2f7c4b34a6d
Size: 41782
Exports: 0
AV Sigs: 0
MD5: bd794157750537a4c32841e76a3634af
Artifact 23: WINDOWS\Prefetch\IPCONFIG.EXE-2395F30B.pf
Src: disk
Imports: 0
Type: data
SHA256: 2122d0f18927c0f7dff9ef130282089c800d38df0dd92da48dc48bd32f041776
Size: 33780
Exports: 0
AV Sigs: 0
MD5: 421634a51df3f4c7daf944ecc11a33c9
Artifact 24: WINDOWS\Prefetch\LOGONUI.EXE-0AF22957.pf
Src: disk
Imports: 0
Type: data
SHA256: c81b9eebede296d44ba7e86aaf4f36da30808d58f76e5518193bf3720542cf29
Size: 22144
Exports: 0
AV Sigs: 0
MD5: dd7617cbd3490d5be4b622ec57113e57
Artifact 25: WINDOWS\Prefetch\MIEN.EXE-1ECD8E53.pf
Src: disk
Imports: 0
Type: data
SHA256: 422afe172f39bbb6b40a678a83ca4c2a74e7af494145e15dcd304cc22eb76ae7
Size: 14476
Exports: 0
AV Sigs: 0
MD5: 8e1210eb95e1fd8afd8f9eb07446afc6
Artifact 26: WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf
Src: disk
Imports: 0
Type: data
SHA256: 087f1f638c6b4e744aae614a0ffc065ccc22cd279f2c1392c228599a6fd2ffab
Size: 26238
Exports: 0
AV Sigs: 0
MD5: 2bbcc62c4ddb77eba7975ce643f378ee
Artifact 27: WINDOWS\Prefetch\WSCRIPT.EXE-32960AB9.pf
Src: disk
Imports: 0
Type: data
SHA256: 61820969cb9462c523a845cd8306e447c12f8632b0e797e99d51649edeccba2e
Size: 26330
Exports: 0
AV Sigs: 0
MD5: eb8ffc240ad0168c3947bcaef83d7c2e
Artifact 28: WINDOWS\Prefetch\DEVCON.EXE-1DF04AC9.pf
Src: disk
Imports: 0
Type: data
SHA256: e5cb5d1e5614632c6297fdf942f6999611fad875d3ccecf96c533b38c60b1bfa
Size: 36662
Exports: 0
AV Sigs: 0
MD5: a3c203c1f09879ee036faf37c963aebf
Artifact 29: WINDOWS\Prefetch\HOSTNAME.EXE-279591F3.pf
Src: disk
Imports: 0
Type: data
SHA256: 02fbbd4abe33f5773f65e1d7a1b76e59571d1790808af48c467f4dbeca5f2997
Size: 13782
Exports: 0
AV Sigs: 0
MD5: 338527a140651b1359578a24ebd45997
Artifact 30: WINDOWS\system32\config\SysEvent.Evt
Src: disk
Imports: 0
Type: data
SHA256: 70357674c317165afe935972ab3a6ca4fa509c3855dda3f3e50ce7c71a436276
Size: 65536
Exports: 0
AV Sigs: 0
MD5: abb2c0dfb26138fa0356e7c5e9ec511a
Artifact 31: file.php
Src: network
Imports: 0
Type: PDP-11 kernel overlay
SHA256: 811f4cb6bb5185fe14dd33d91f3dc0ecc3a8a29179fb27e85b8b656601c733dc
Size: 177951
Exports: 0
AV Sigs: 0
MD5: 50221717b96c6dd480d1b1468004ddb0
Related to: stream 4
Artifact 32: file.php
Src: network
Imports: 0
Type: data
SHA256: 2bd8a667e145dddf2f92860d8f827bb6c6a9915cf6fa4fc6ea80443736252149
Size: 5776
Exports: 0
AV Sigs: 0
MD5: 4020dd60948d9576dc4f9d059ba4e5bc
Related to: stream 5
Artifact 33: file.php
Src: network
Imports: 0
Type: PDP-11 kernel overlay
SHA256: c03415b3feae5a836fb01d332bc3e4501c9fc92c0f9ba265d2e49e9dd63a89b5
Size: 221471
Exports: 0
AV Sigs: 0
MD5: b2141129aa0dee1862d38d1943783bb0
Related to: stream 6
Artifact 34: webhp
Src: network
Imports: 0
Type: HTML - HTML document, ASCII text, with very lon...
SHA256: 7c56b529307b217425a8e9b3d15d12f1447e75f7280a3c86437def315d243519
Size: 31040
Exports: 0
AV Sigs: 0
MD5: 30947a2072ad3352df2a581daf42c7c5
Related to: stream 7
Artifact 35: gate.php
Src: network
Imports: 0
Type: data
SHA256: 4262e9dae477d9bcd9a5d949ec2e8dd8d59c89f4e66baa024b506545216fd824
Size: 141
Exports: 0
AV Sigs: 0
MD5: bdee3c995288622c106208ef5b294eb5
Related to: stream 8
Artifact 36: config.dll
Src: network
Imports: 0
Type: data
SHA256: 2bd8a667e145dddf2f92860d8f827bb6c6a9915cf6fa4fc6ea80443736252149
Size: 5776
Exports: 0
AV Sigs: 0
MD5: 4020dd60948d9576dc4f9d059ba4e5bc
Related to: stream 9
Artifact 37: file.php
Src: network
Imports: 135
Type: EXE - PE32 executable (GUI) Intel 80386, for MS...
SHA256: 91c3bae800c6b14d8193cdca7f33278311959246d41a0d458a0934ff6b1bde73
Size: 283851
Exports: 0
AV Sigs: 0
MD5: 9aef6af237d06556637b499ad7345a04
Related to: stream 10
Artifact 38: gate.php
Src: network
Imports: 0
Type: data
SHA256: 6c4664d381cd2a6e87c6893d13a4d75bb4559a15461e12c1b011a205d3cd51ee
Size: 64
Exports: 0
AV Sigs: 0
MD5: 92cc8391446bae9a6fef609b07a68d9d
Related to: stream 11
Artifact 39: 652-svchost.exe
Src: memory
Imports: 79
Type: EXE - PE32 executable (GUI) Intel 80386, for MS...
SHA256: fb609c3d1eb1851b61bb44fc164ef008472ab72f782fa4e60a455d50d30218a7
Size: 14336
Exports: 0
AV Sigs: 0
MD5: 807f5d5522abfc807efa5739d649949c
Related to: 652 (svchost.exe)
Artifact 40: 428-winlogon.exe
Src: memory
Imports: 0
Type: EXE - PE32 executable (GUI) Intel 80386, for MS...
SHA256: 1bb5f4cfe651743eb16d980cfa95b1510e66da63bfde997bdfb8e4aa9518d549
Size: 507904
Exports: 0
AV Sigs: 0
MD5: 1f20ae415f85c144fdd2519664203fc0
Related to: 428 (winlogon.exe)
Artifact 41: 1824-cmd.exe
Src: memory
Imports: 189
Type: EXE - PE32 executable (console) Intel 80386, fo...
SHA256: 566e95987e726bcf4dd5978a0d0368d05d85939f2481ee49efa0541a6e240de2
Size: 389120
Exports: 0
AV Sigs: 0
MD5: dcad668219b5e5adbe52cdf4506a9aa5
Related to: 1824 (cmd.exe)
Artifact 42: 1148-Explorer.EXE
Src: memory
Imports: 500
Type: EXE - PE32 executable (GUI) Intel 80386, for MS...
SHA256: bed85aa91ebf640e127778c04db19f8c732daef46385200277a000c794635243
Size: 1033728
Exports: 0
AV Sigs: 0
MD5: c3bbb0b3ce8cdbd67451059ea2e956ab
Related to: 1148 (Explorer.EXE)
Artifact 43: 844-svchost.exe
Src: memory
Imports: 79
Type: EXE - PE32 executable (GUI) Intel 80386, for MS...
SHA256: 32e868489cfe58845f82c411d4b775a0d400e8e2f230c2bfa5e5235172f6601f
Size: 14336
Exports: 0
AV Sigs: 0
MD5: 2ca8172407e110f5b16d596f822796dc
Related to: 844 (svchost.exe)
Artifact 44: 796-svchost.exe
Src: memory
Imports: 79
Type: EXE - PE32 executable (GUI) Intel 80386, for MS...
SHA256: 9009548aad78bb3725d4eb84b96cc74dc376d54420a64e40c12100da84ed8d99
Size: 14336
Exports: 0
AV Sigs: 0
MD5: 3638f4255fa8aa729a57874fa566c088
Related to: 796 (svchost.exe)
Registry Activity
Created Keys
Modified Keys
Filesystem Activity
Files Created: 7 Files Read: 13 Files Modified: 12 Files Deleted: 0
Generated by ThreatBRAIN