Scribd
Upload
86 views7 pages

Jenis Virus

virus mematikan

Uploaded by

Marten Kelimutu
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
86 views7 pages

Jenis Virus

virus mematikan

Uploaded by

Marten Kelimutu
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 7

12/21/23, 2:08 PM Malware analysis success.exe Malicious activity | ANY.

RUN - Malware Sandbox Online

General Info
File name: success.exe

Full analysis: https://app.any.run/tasks/3c4aa768-74c8-49ee-a5d7-5abead5c2da1

Verdict: Malicious activity

Analysis date: May 17, 2018 at 01:55:33

OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)

Tags: evasion

Indicators:
MIME: application/x-dosexec

File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

MD5: DE225405F8E348BFBB5BA8ABDC092B48

SHA1: C04AD314F2A77275464FA9E516859287C9818E23

SHA256: 473D50C8FBCAB1A88603E67FCBF878ACD761806F3C88B05195E75C2BBE8016CB

SSDEEP: 12288:pomHu4B7ScNyaPdYwLcGgBOs3YuDfkYsOCPSaB/8CnbSunwPQrNuDdTviCbppiOX:po2Wc4aPd/oBOM5sQAb5w4rgDdTvFR

Software environment set and analysis options

Launch configuration
Task duration: 120 seconds Heavy Evasion option: off Network geolocation: off

Additional time used: 60 seconds MITM proxy: off Privacy: Public submission

Fakenet option: off Route via Tor: off Autoconfirmation of UAC: on

Network: on

Software preset Hotfixes


Internet Explorer 8.0.7601.17514 undefined Client LanguagePack Package
7-Zip 16.04 (16.04) Client Refresh LanguagePack Package

Adobe Acrobat Reader DC MUI (15.007.20033) CodecPack Basic Package

Adobe Flash Player 26 ActiveX (26.0.0.137) Foundation Package

CCleaner (5.35) IE Troubleshooters Package

FileZilla Client 3.31.0 (3.31.0) InternetExplorer Optional Package

Google Chrome (61.0.3163.100) KB2534111

Google Update Helper (1.3.33.5) KB2999226

Java 8 Update 92 (8.0.920.14) KB976902

Java Auto Updater (2.8.92.14) LocalPack AU Package

Microsoft .NET Framework 4.6.1 (4.6.01055) LocalPack CA Package

Microsoft Office Access MUI (English) 2010 (14.0.6029.1000) LocalPack GB Package

Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000) LocalPack US Package

Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000) LocalPack ZA Package

Microsoft Office Home and Business 2010 (14.0.6029.1000) ProfessionalEdition

Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000) UltimateEdition

Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000) WinMan WinIP Package TopLevel

Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)

Microsoft Office Proof (English) 2010 (14.0.6029.1000)

Microsoft Office Proof (French) 2010 (14.0.6029.1000)

Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)

Microsoft Office Proofing (English) 2010 (14.0.6029.1000)


Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)

Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)

Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)

Microsoft Office Single Image 2010 (14.0.6029.1000)

Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)

Microsoft Visual C++ 2005 Redistributable (8.0.61001)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)

Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (11.0.61030.0)

Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030 (11.0.61030)

Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030 (11.0.61030)

Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)

Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)

Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)

Microsoft Visual C++ 2017 Redistributable (x86) - 14.12.25810 (14.12.25810.0)

Microsoft Visual C++ 2017 x86 Additional Runtime - 14.12.25810 (14.12.25810)

Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.12.25810 (14.12.25810)

Mozilla Firefox 55.0.3 (x86 en-US) (55.0.3)

https://any.run/report/473d50c8fbcab1a88603e67fcbf878acd761806f3c88b05195e75c2bbe8016cb/3c4aa768-74c8-49ee-a5d7-5abead5c2da1/ 1/7
12/21/23, 2:08 PM Malware analysis success.exe Malicious activity | ANY.RUN - Malware Sandbox Online
Mozilla Maintenance Service (55.0.3)

Notepad++ (32-bit x86) (7.5.4)

Opera 12.15 (12.15.1748)

Skype™ 7.39 (7.39.102)

VLC media player (2.2.6)

Behavior activities
MALICIOUS SUSPICIOUS INFO

Application was dropped or rewritten from another process Starts CMD.EXE for commands execution Application was crashed
IWC.exe (PID: 2620) success.exe (PID: 4020) IWC.exe (PID: 2620)
ygyuig.exe (PID: 4076)
Runs app for hidden code execution Dropped object may contain Bitcoin addresses
success.exe (PID: 4020) Application launched itself ygyuig.exe (PID: 3980)
ygyuig.exe (PID: 4076) ygyuig.exe (PID: 4076) success.exe (PID: 4020)

Actions looks like stealing of personal data Uses REG.EXE to modify Windows registry
ygyuig.exe (PID: 3980) cmd.exe (PID: 3244)

Changes the autorun value in the registry Executable content was dropped or overwritten
ygyuig.exe (PID: 3980) success.exe (PID: 4020)
reg.exe (PID: 2492) ygyuig.exe (PID: 3980)

Checks for external IP


ygyuig.exe (PID: 3980)

Malware configuration
No Malware configuration.

Static information
TRiD EXIF

.dll | Win32 Dynamic Link Library (generic) (43.5) EXE


.exe | Win32 Executable (generic) (29.8) AssemblyVersion: 0.0.0.0
.exe | Generic Win/DOS Executable (13.2) ProductVersion: 0.0.0.0
.exe | DOS Executable Generic (13.2) OriginalFileName: success.exe

LegalCopyright:

InternalName: success.exe

FileVersion: 0.0.0.0

FileDescription:

CharacterSet: Unicode

LanguageCode: Neutral
FileSubtype: -

ObjectFileType: Executable application

FileOS: Win32

FileFlags: (none)

FileFlagsMask: 0x003f

ProductVersionNumber: 0.0.0.0

FileVersionNumber: 0.0.0.0

Subsystem: Windows GUI

SubsystemVersion: 4

ImageVersion: -

OSVersion: 4

EntryPoint: 0xcacfe

UninitializedDataSize: -

InitializedDataSize: 177152

CodeSize: 822784

LinkerVersion: 8

PEType: PE32

TimeStamp: 2018:05:10 22:48:55+02:00

MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386

Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 10-May-2018 20:48:55

FileDescription: -

FileVersion: 0.0.0.0

https://any.run/report/473d50c8fbcab1a88603e67fcbf878acd761806f3c88b05195e75c2bbe8016cb/3c4aa768-74c8-49ee-a5d7-5abead5c2da1/ 2/7
12/21/23, 2:08 PM Malware analysis success.exe Malicious activity | ANY.RUN - Malware Sandbox Online
InternalName: success.exe

LegalCopyright: -

OriginalFilename: success.exe

ProductVersion: 0.0.0.0

Assembly Version: 0.0.0.0

DOS Header PE Headers

Magic number: MZ Signature: PE

Bytes on last page of file: 0x0090 Machine: IMAGE_FILE_MACHINE_I386

Pages in file: 0x0003 Number of sections: 3

Relocations: 0x0000 Time date stamp: 10-May-2018 20:48:55

Size of header: 0x0004 Pointer to Symbol Table: 0x00000000

Min extra paragraphs: 0x0000 Number of symbols: 0


Max extra paragraphs: 0xFFFF Size of Optional Header: 0x00E0

Initial SS value: 0x0000 Characteristics: IMAGE_FILE_32BIT_MACHINE

Initial SP value: 0x00B8 IMAGE_FILE_EXECUTABLE_IMAGE

Checksum: 0x0000

Initial IP value: 0x0000

Initial CS value: 0x0000

Overlay number: 0x0000

OEM identifier: 0x0000

OEM information: 0x0000

Address of NE header: 0x00000080

Sections
Name Virtual Address Virtual Size Raw Size Charateristics Entropy

.text 0x00002000 0x000C8D04 0x000C8E00 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 7.99619

.rsrc 0x000CC000 0x0002B184 0x0002B200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 3.70265

.reloc 0x000F8000 0x0000000C 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, 0.0776332


IMAGE_SCN_MEM_READ

Resources
Title Entropy Size Codepage Language Type

1 3.16184 580 Latin 1 / Western European UNKNOWN RT_VERSION

2 2.64417 67624 Latin 1 / Western European UNKNOWN RT_ICON

3 3.20051 38056 Latin 1 / Western European UNKNOWN RT_ICON

4 3.2616 21640 Latin 1 / Western European UNKNOWN RT_ICON

5 3.08264 16936 Latin 1 / Western European UNKNOWN RT_ICON

6 3.55375 9640 Latin 1 / Western European UNKNOWN RT_ICON

7 3.65588 4264 Latin 1 / Western European UNKNOWN RT_ICON

8 4.17498 2440 Latin 1 / Western European UNKNOWN RT_ICON

9 4.51649 1128 Latin 1 / Western European UNKNOWN RT_ICON

Imports
mscoree.dll

Video and screenshots

https://any.run/report/473d50c8fbcab1a88603e67fcbf878acd761806f3c88b05195e75c2bbe8016cb/3c4aa768-74c8-49ee-a5d7-5abead5c2da1/ 3/7
12/21/23, 2:08 PM Malware analysis success.exe Malicious activity | ANY.RUN - Malware Sandbox Online

Processes
Total processes Monitored processes Malicious processes Suspicious processes

41 8 4 0

Behavior graph

cmd.exe reg.exe
no specs

start success.exe cmd.exe ygyuig.exe


no specs no specs
ygyuig.exe drop and start iwc.exe dw20.exe
no specs

Specs description

Program did not start Low-level access to the HDD Process was added to the startup Debug information is available

Probably Tor was used Behavior similar to spam Task has injected processes Executable file was dropped

Known threat RAM overrun Network attacks were detected Integrity level elevation

Connects to the network CPU overrun Process starts the services System was rebooted

Application downloaded the Actions similar to stealing personal


Task contains several apps running Task has apps ended with an error
executable file data

File is detected by antivirus software Inspected object has suspicious PE Behavior similar to exploiting Task contains an error or was
structure the vulnerability rebooted

The process has the malware config

Process information

PID CMD Path Indicators Parent process

4020 "C:\Users\admin\AppData\Local\Temp\success.exe" C:\Users\admin\AppData\Local\Temp\success.exe explorer.exe

Information

User: admin Integrity Level: MEDIUM

Description: Exit code: 0

Version: 0.0.0.0

https://any.run/report/473d50c8fbcab1a88603e67fcbf878acd761806f3c88b05195e75c2bbe8016cb/3c4aa768-74c8-49ee-a5d7-5abead5c2da1/ 4/7
12/21/23, 2:08 PM Malware analysis success.exe Malicious activity | ANY.RUN - Malware Sandbox Online

3612 "cmd" C:\Windows\system32\cmd.exe — success.exe

Information

User: admin Company: Microsoft Corporation

Integrity Level: MEDIUM Description: Windows Command Processor

Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

4076 "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start — cmd.exe


Menu\Programs\Startup\ygyuig.exe" Menu\Programs\Startup\ygyuig.exe

Information

User: admin Integrity Level: MEDIUM

Description: Exit code: 0

Version: 0.0.0.0

3244 "cmd" C:\Windows\system32\cmd.exe — ygyuig.exe

Information

User: admin Company: Microsoft Corporation

Integrity Level: MEDIUM Description: Windows Command Processor

Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

2492 reg add C:\Windows\system32\reg.exe cmd.exe


"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVe
rsion\Run" /f /v "hvhyukghb" /d "cmd /c type
"C:\Users\admin\AppData\Local\Temp\hvhyukghb.txt" | cmd"

Information

User: admin Company: Microsoft Corporation

Integrity Level: MEDIUM Description: Registry Console Tool

Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)

3980 "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start ygyuig.exe


Menu\Programs\Startup\ygyuig.exe" Menu\Programs\Startup\ygyuig.exe

Information

User: admin Integrity Level: MEDIUM

Description: Version: 0.0.0.0

2620 "C:\Users\admin\AppData\Local\Temp\IWC.exe" C:\Users\admin\AppData\Local\Temp\IWC.exe ygyuig.exe


C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start
Menu\Programs\Startup\ygyuig.exe

Information

User: admin Integrity Level: MEDIUM

Version: 1.0.0.0

768 dw20.exe -x -s 508 C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe — IWC.exe

Information

User: admin Company: Microsoft Corporation

Integrity Level: MEDIUM Description: Microsoft .NET Error Reporting Shim

Version: 2.0.50727.4927 (NetFXspW7.050727-4900)

Registry activity
Total events Read events Write events Delete events

464 446 18 0

Modification events

(PID) Process: (2492) reg.exe Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Operation: write Name: hvhyukghb

Value: cmd /c type C:\Users\admin\AppData\Local\Temp\hvhyukghb.txt | cmd

(PID) Process: (3980) ygyuig.exe Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ygyuig_RASAPI32

Operation: write Name: EnableFileTracing

Value: 0

(PID) Process: (3980) ygyuig.exe Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ygyuig_RASAPI32

Operation: write Name: EnableConsoleTracing

Value: 0

(PID) Process: (3980) ygyuig.exe Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ygyuig_RASAPI32

https://any.run/report/473d50c8fbcab1a88603e67fcbf878acd761806f3c88b05195e75c2bbe8016cb/3c4aa768-74c8-49ee-a5d7-5abead5c2da1/ 5/7
12/21/23, 2:08 PM Malware analysis success.exe Malicious activity | ANY.RUN - Malware Sandbox Online
Operation: write Name: FileTracingMask

Value: 4294901760

(PID) Process: (3980) ygyuig.exe Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ygyuig_RASAPI32


Operation: write Name: ConsoleTracingMask

Value: 4294901760

(PID) Process: (3980) ygyuig.exe Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ygyuig_RASAPI32

Operation: write Name: MaxFileSize

Value: 1048576

(PID) Process: (3980) ygyuig.exe Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ygyuig_RASAPI32

Operation: write Name: FileDirectory

Value: %windir%\tracing

(PID) Process: (3980) ygyuig.exe Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ygyuig_RASMANCS

Operation: write Name: EnableFileTracing

Value: 0

(PID) Process: (3980) ygyuig.exe Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ygyuig_RASMANCS

Operation: write Name: EnableConsoleTracing

Value: 0

(PID) Process: (3980) ygyuig.exe Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ygyuig_RASMANCS

Operation: write Name: FileTracingMask

Value: 4294901760

(PID) Process: (3980) ygyuig.exe Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ygyuig_RASMANCS

Operation: write Name: ConsoleTracingMask

Value: 4294901760

(PID) Process: (3980) ygyuig.exe Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ygyuig_RASMANCS

Operation: write Name: MaxFileSize

Value: 1048576

(PID) Process: (3980) ygyuig.exe Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ygyuig_RASMANCS

Operation: write Name: FileDirectory

Value: %windir%\tracing

(PID) Process: (3980) ygyuig.exe Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Operation: write Name: Foster Wheeler Ltd


Value: C:\Users\admin\AppData\Local\Temp\Foster Wheeler Ltd\Foster Wheeler Ltd.exe

(PID) Process: (3980) ygyuig.exe Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

Operation: write Name: UNCAsIntranet

Value: 0

(PID) Process: (3980) ygyuig.exe Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

Operation: write Name: AutoDetect

Value: 1

Files activity
Executable files Suspicious files Text files Unknown types

4 0 1 0

Dropped files

PID Process Filename Type

4076 ygyuig.exe C:\Users\admin\AppData\Local\Temp\hvhyukghb.txt text


MD5: 84E8C02034F4F72F04EB62AF7C431075 SHA256: B7993E73243B0233C8695762B2CA150F7C84C7D6830AEB6B14C7EAD52CEEB68D

3980 ygyuig.exe C:\Users\admin\AppData\Local\Temp\tmpG342.tmp executable


MD5: DE225405F8E348BFBB5BA8ABDC092B48 SHA256: 473D50C8FBCAB1A88603E67FCBF878ACD761806F3C88B05195E75C2BBE8016CB

3980 ygyuig.exe C:\Users\admin\AppData\Local\Temp\Foster Wheeler Ltd\Foster Wheeler Ltd.exe executable

MD5: DE225405F8E348BFBB5BA8ABDC092B48 SHA256: 473D50C8FBCAB1A88603E67FCBF878ACD761806F3C88B05195E75C2BBE8016CB

4020 success.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ygyuig.exe executable


MD5: DE225405F8E348BFBB5BA8ABDC092B48 SHA256: 473D50C8FBCAB1A88603E67FCBF878ACD761806F3C88B05195E75C2BBE8016CB

3980 ygyuig.exe C:\Users\admin\AppData\Local\Temp\IWC.exe executable


MD5: F683769B947501B5A98376619D5938BB SHA256: C2CAE82E01D954E3A50FEAEBCD3F75DE7416A851EA855D6F0E8AAAC84A507CA3

https://any.run/report/473d50c8fbcab1a88603e67fcbf878acd761806f3c88b05195e75c2bbe8016cb/3c4aa768-74c8-49ee-a5d7-5abead5c2da1/ 6/7
12/21/23, 2:08 PM Malware analysis success.exe Malicious activity | ANY.RUN - Malware Sandbox Online

Network activity
HTTP(S) requests TCP/UDP connections DNS requests Threats

1 1 1 0

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation

3980 ygyuig.exe GET 200 216.146.38.70:80 http://checkip.dyndns.org/ US html 103 b shared

Connections

PID Process IP Domain ASN CN Reputation

3980 ygyuig.exe 216.146.38.70:80 checkip.dyndns.org Dynamic Network Services, Inc. US shared

DNS requests

Domain IP Reputation

checkip.dyndns.org 216.146.38.70 shared


162.88.96.194
216.146.43.71
131.186.113.135
131.186.113.136
162.88.100.200

Threats

PID Process Class Message

— — Misc activity ET INFO DYNAMIC_DNS Query to *.dyndns. Domain

3980 ygyuig.exe Potential Corporate Privacy Violation ET POLICY External IP Lookup - checkip.dyndns.org

3980 ygyuig.exe Potentially Bad Traffic ET POLICY DynDNS CheckIp External IP Address Server Response

Debug output strings


No debug info

Interactive malware hunting service ANY.RUN


© 2017-2023 ANY.RUN LLC. ALL RIGHTS RESERVED

https://any.run/report/473d50c8fbcab1a88603e67fcbf878acd761806f3c88b05195e75c2bbe8016cb/3c4aa768-74c8-49ee-a5d7-5abead5c2da1/ 7/7

You might also like