Audio_Recording_MP3
MD5: FDC170166CB958E138E7D401F3C6F896
SHA256: A3253B1732A50146038A68B3B46260F80BEC6C1C
Download (pass infected)pcap fileAudio_Recording_MP3.exe
Creates: c:\Documents and Settings\Administrator\Local Settings\Application Data\blbljsqp.exe (file name random)
Value changes: HKCU\software\microsoft\windows\currentversion\explorer\shell folders[local appdata] GET /gley/index.php?r=gate&id=e81b9088&group=30.05.2012&debug=0 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: krasguatanany.ru
HTTP/1.1 404 Not Found
Server: nginx/1.1.19
Date: Thu, 07 Jun 2012 16:09:56 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 294
Connection: keep-alive
Vary: Accept-Encoding
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /gley/index.php was not found on this server.</p>
<hr>
<address>Apache/2.2.16 (Debian) Server at krasguatanany.ru Port 80</address>
</body></html>
ET signature discussion
Nathan Fowler | 8 May 17:45
Re: Create Signatures
On 05/08/12 09:40, Phil Robinson wrote:
> hxxp://bing[.]com/afyu/index.php?r=gate&id=[N]&group=[D]&debug=0
> hxxp://twitter[.]com/nygul/index.php?r=gate&ac=[N]&group=[D]&debug=0
> hxxp://fb[.]com/dwrgh/index.php?r=gate&fg=[N]&group=[D]&debug=0
> hxxp://google[.]com/efwgh/index.php?r=gate&cc=[N]&group=[D]&debug=0
> hxxp://everkosmo2012[.]ru/ab/index.php?r=gate&id=[N]&group=[D]&debug=0
>
> I was unable to find any exiting signatures. Can someone help? Thanks.....
Looks like here's an example,
http:// everkosmo2012.ru/ab/index.php?r=gate&id=00cd1a40&group=20.04.2012&debug=0
Not sure what this is called though,
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN -
Check-in Not sure what this is called"; flow:established,to_server;
content:".php?r=gate"; http_uri; fast_pattern; content:"&group=";
http_uri; distance:0; content:"&debug="; http_uri; distance:0;
classtype:trojan-activity; sid:x; rev:1;)
https://www.virustotal.com/file/1c464848df9a803f01035dacf70888a9d942e42ed44e071443a9742930a23dd4/analysis/
| SHA256: | 1c464848df9a803f01035dacf70888a9d942e42ed44e071443a9742930a23dd4 |
| File name: | 1338806789.Audio_Recording_MP3-itYk.exe |
| Detection ratio: | 24 / 41 |
| Analysis date: | 2012-06-04 10:46:37 UTC ( 3 days, 5 hours ago ) |
0
2
More details
| Antivirus | Result | Update |
|---|---|---|
| AhnLab-V3 | Win-Trojan/Kuluoz.54272 | 20120604 |
| AntiVir | TR/Crypt.XPACK.Gen | 20120604 |
| Antiy-AVL | - | 20120604 |
| Avast | Win32:Dropper-gen [Drp] | 20120604 |
| AVG | Downloader.Generic12.CFBJ | 20120604 |
| BitDefender | Trojan.Generic.KDV.637381 | 20120604 |
| ByteHero | - | 20120531 |
| CAT-QuickHeal | - | 20120604 |
| ClamAV | - | 20120602 |
| Commtouch | - | 20120604 |
| Comodo | - | 20120604 |
| DrWeb | Trojan.MulDrop3.51893 | 20120604 |
| Emsisoft | Trojan-Downloader.Win32.Dapato!IK | 20120604 |
| eSafe | - | 20120603 |
| F-Prot | - | 20120603 |
| F-Secure | Trojan.Generic.KDV.637381 | 20120604 |
| Fortinet | W32/Dapato.LON!tr.dldr | 20120603 |
| Ikarus | Trojan-Downloader.Win32.Dapato | 20120604 |
| Jiangmin | - | 20120604 |
| K7AntiVirus | - | 20120601 |
| Kaspersky | Trojan-Downloader.Win32.Dapato.lon | 20120604 |
| McAfee | Generic Downloader.z | 20120604 |
| McAfee-GW-Edition | Generic Downloader.z | 20120604 |
| Microsoft | TrojanDownloader:Win32/Kuluoz.B | 20120602 |
| NOD32 | Win32/TrojanDownloader.Zortob.B | 20120604 |
| Norman | W32/Troj_Generic.BZPCE | 20120603 |
| nProtect | Trojan.Generic.KDV.637381 | 20120604 |
| Panda | Trj/CI.A | 20120603 |
| PCTools | Trojan.Gen | 20120604 |
| Rising | - | 20120604 |
| Sophos | Troj/Agent-WGO | 20120604 |
| SUPERAntiSpyware | - | 20120602 |
| Symantec | Trojan.Gen | 20120604 |
| TheHacker | - | 20120531 |
| TotalDefense | - | 20120604 |
| TrendMicro | TROJ_KRYPTIK.XCV | 20120604 |
| TrendMicro-HouseCall | TROJ_KRYPTIK.XCV | 20120604 |
| VBA32 | - | 20120604 |
| VIPRE | Trojan.Win32.Generic!BT | 20120604 |
| ViRobot | - | 20120604 |
| VirusBuster |