Software Development && UnEthical Hacking

FraudLoad
General

MD5: 849d9354fcb78b9ecd0cbabb84a23b43
SHA1: cd278632b61e1632044a6d58ddb42aeab334d5e8
SHA256: 08d4c8a6e51437049647aa0d65ed32b5b49f0d91f80b1d60d9ea8c50692c86be
ssdeep: 1536:FhJXAdNwpd0Nf6P62rh6/hur7TjdhCEhcd:FjwdNqsfe6Yh0hgTLN0


FileSize: 56 kB
FileType: Win32 EXE
MachineType: Intel 386 or later, and compatibles
OSVersion: 5.1
PEType: PE32
Subsystem: Windows GUI
SubsystemVersion: 4.0


[[ 3 section(s) ]]
name, virtual address, virtual size, raw data size, entropy, md5
UPX0, 0x1000, 0x12000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
UPX1, 0x13000, 0xB000, 0xB000, 7.88, 5be537ab121bdb25172c7bbcf7add5bc
.rsrc, 0x1E000, 0x2000, 0x1C00, 5.47, d43b2051bad6099ef9f41604aad4a0b0


[[ 7 import(s) ]]
KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll: AddAce
MSVCRT.dll: atol
ole32.dll: CoCreateGuid
oleaut32.dll: VariantInit
RPCRT4.dll: UuidCreate
USER32.dll: GetDC


Detection: 39/41 (95.1%)

Antivirus             Version          Last Update  Result
AhnLab-V3             2011.03.23.01    2011.03.23   Win-Trojan/Fraudload.56832.AF
AntiVir               7.11.5.43        2011.03.23   TR/Dldr.FakeAle.kon
Antiy-AVL             2.0.3.7          2011.03.22   Trojan/Win32.FraudLoad.gen
Avast                 4.8.1351.0       2011.03.23   Win32:Malware-gen
Avast5                5.0.677.0        2011.03.23   Win32:Malware-gen
AVG                   10.0.0.1190      2011.03.23   Downloader.Generic9.CHRY
BitDefender           7.2              2011.03.23   Trojan.Generic.3231804
CAT-QuickHeal         11.00            2011.03.23   TrojanDownloader.FraudLoad.gm
ClamAV                0.96.4.0         2011.03.23   Trojan.Downloader-89625
Commtouch             5.2.11.5         2011.03.22   W32/FraudLoad.C!Generic
Comodo                8073             2011.03.23   MalCrypt.Indus!
DrWeb                 5.0.2.03300      2011.03.23   Trojan.Fakealert.12876
eSafe                 7.0.17.0         2011.03.22   Win32.TRDldr.FakeAle
eTrust-Vet            36.1.8231        2011.03.23   Win32/Securityessentials2010.F
F-Prot                4.6.2.117        2011.03.22   W32/FraudLoad.C!Generic
F-Secure              9.0.16440.0      2011.03.23   Trojan.Generic.3231804
Fortinet              4.2.254.0        2011.03.23   -
GData                 21               2011.03.23   Trojan.Generic.3231804
Ikarus                T3.1.1.97.0      2011.03.23   Trojan.Win32.FakeAV
Jiangmin              13.0.900         2011.03.23   TrojanDownloader.FraudLoad.lri
K7AntiVirus           9.94.4188        2011.03.23   Trojan
McAfee                5.400.0.1158     2011.03.23   Downloader-CFA
McAfee-GW-Edition     2010.1C          2011.03.23   Downloader-CFA
Microsoft             1.6603           2011.03.23   Rogue:Win32/Fakeinit
NOD32                 5977             2011.03.23   Win32/TrojanDownloader.FakeAlert.AED
Norman                6.07.03          2011.03.22   W32/Fakeinit.V
nProtect              2011-02-10.01    2011.02.15   Trojan-Downloader/W32.FraudLoad.56832.R
Panda                 10.0.3.5         2011.03.22   Adware/SecurityEssentials2010
PCTools               7.0.3.5          2011.03.21   RogueAntiSpyware.CoreGuardAntivirus2009!rem
Prevx                 3.0              2011.03.26   Medium Risk Malware
Rising                23.50.01.06      2011.03.22   Suspicious
Sophos                4.63.0           2011.03.23   Mal/FakeAV-BW
SUPERAntiSpyware      4.40.0.1006      2011.03.23   -
Symantec              20101.3.0.103    2011.03.23   CoreGuardAntivirus2009
TheHacker             6.7.0.1.155      2011.03.23   Trojan/Downloader.FakeAlert.aed
TrendMicro            9.200.0.1012     2011.03.23   TROJ_OFICLA.SM
TrendMicro-HouseCall  9.200.0.1012     2011.03.23   TROJ_OFICLA.SM
VBA32                 3.12.14.3        2011.03.23   Trojan-Downloader.Win32.FraudLoad.gmc
VIPRE                 8790             2011.03.23   VirTool.Win32.Obfuscator.hg!b (v)
ViRobot               2011.3.23.4372   2011.03.23   Trojan.Win32.Fakeinit.56832
VirusBuster           13.6.264.0       2011.03.22   Trojan.DL.FakeAle!y3okK0g8nR8

*Thanks to VirusTotal


Use of packer, crypter or binder: YES

TrID:
UPX compressed Win32 Executable (38.5%)
Win32 EXE Yoda's Crypter (33.5%)
Win32 Executable Generic (10.7%)
Win32 Dynamic Link Library (generic) (9.5%)
Clipper DOS Executable (2.5%)


Strings inside the executable: TXT file

» GetExitCodeProcess
» FlushFileBuffers
» LockResource
» FindFirstFileW
» CreateEventW
» LoadLibraryExA
» GetTickCount
» lstrcatW
» VirtualAlloc
» FindResourceA


General Behavior

1. When the file is run, the following message is displayed:
2. After a period of time, the virus closes all programs and prevents them from being opened again, displaying the following message:
3. When Internet Explorer is opened, the following messages are displayed:




Windows Registry modifications: TXT file

----------------------------------
Keys added
----------------------------------
HKLM\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-security-essentials.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\get-key-se10.com
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_RASMAN\0000\Control
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_TAPISRV\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RASMAN\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TAPISRV\0000\Control
HKU\S-1-5-21-2000478354-839522115-725345543-500\Software\Microsoft\Internet Explorer\PhishingFilter
HKU\S-1-5-21-2000478354-839522115-725345543-500\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\c
HKU\S-1-5-21-2000478354-839522115-725345543-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-security-essentials.com
HKU\S-1-5-21-2000478354-839522115-725345543-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\download-soft-package.com
HKU\S-1-5-21-2000478354-839522115-725345543-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\download-software-package.com
HKU\S-1-5-21-2000478354-839522115-725345543-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\get-key-se10.com
HKU\S-1-5-21-2000478354-839522115-725345543-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is-software-download.com


----------------------------------
Values added
----------------------------------
HKLM\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8: 0x00000000
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-security-essentials.com\http: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\get-key-se10.com\http: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA: 0x00000000
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe: "C:\WINDOWS\system32\smss32.exe"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_RASMAN\0000\Control\ActiveService: "RasMan"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_TAPISRV\0000\Control\ActiveService: "TapiSrv"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RASMAN\0000\Control\ActiveService: "RasMan"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TAPISRV\0000\Control\ActiveService: "TapiSrv"
HKU\S-1-5-21-2000478354-839522115-725345543-500\Software\8636065b-fef0-4255-b14f-54639f7900a4: "8636065b-fef0-4255-b14f-54639f7900a4"
HKU\S-1-5-21-2000478354-839522115-725345543-500\Software\Microsoft\Internet Explorer\PhishingFilter\Enabled: 0x00000000
HKU\S-1-5-21-2000478354-839522115-725345543-500\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8: 0x00000000
HKU\S-1-5-21-2000478354-839522115-725345543-500\Software\Microsoft\Windows\CurrentVersion\Explorer\EnableAutoTray: 0x00000000
HKU\S-1-5-21-2000478354-839522115-725345543-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is-software-download.com\http: 0x00000002
HKU\S-1-5-21-2000478354-839522115-725345543-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\get-key-se10.com\http: 0x00000002
HKU\S-1-5-21-2000478354-839522115-725345543-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\download-software-package.com\http: 0x00000002
HKU\S-1-5-21-2000478354-839522115-725345543-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\download-soft-package.com\http: 0x00000002
HKU\S-1-5-21-2000478354-839522115-725345543-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-security-essentials.com\http: 0x00000002
HKU\S-1-5-21-2000478354-839522115-725345543-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flag: 0x00000043
HKU\S-1-5-21-2000478354-839522115-725345543-500\Software\Microsoft\Windows\CurrentVersion\Run\smss32.exe: "C:\WINDOWS\system32\smss32.exe"


----------------------------------
Values modified
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\winlogon32.exe"


HTTP connections: YES

Using a DNS server set up specifically for the test, we can analyze some of the contents of the packets that are sent:

http://for-sunny-se-com/loads.php?code=03
http://buy-security-essentials.com/buy/?code=03


Servers with which connections are established:

Domain Name                    ICANN Registrar                   IP Address      IP Location                             Origin
for-sunny-se.com               FINDYOUADOMAIN.COM LLC            208.73.210.29   California - Los Angeles - Oversee.net  -
winter-smile.com               EUROPEANCONNECTIONONLINE.COM LLC  208.73.210.29   California - Los Angeles - Oversee.net  -
is-software-download.com       -                                 -               -                                       -
get-key-se10.com               -                                 -               -                                       -
download-software-package.com  -                                 -               -                                       -
download-soft-package.com      -                                 -               -                                       -
buy-security-essentials.com    -                                 -               -                                       -