Malware | Joachim De Zutter
8th of October 2011

Sent from IP 174.91.185.46 TCP port 55643

http://www.utrace.de/?query=174.91.185.46
Provider: Bell Canada (Gatineau, Canada)

Filesize: 348704
MD5: 042d061531f0eddb111457bbf37eab40
SHA1: 741ef60d163babfe56635a1531cba85d164d1f34
SHA256: eb9ec607b869ece978bf44eade36182696297d80a3752e52c173f9604eba2adc

On execution, the following error was displayed twice:

"The application failed to initialize properly (0xc0000005). Click on OK to terminate the application."

http://www.virustotal.com/file-scan/report.html?id=eb9ec607b869ece978bf44eade36182696297d80a3752e52c173f9604eba2adc-1318111439

The file embeds an EXE file which has been XOR-encrypted with the repeating key "fuckyouman".
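As an added illustration (not code from the sample or from this write-up), the Python below shows how an analyst carves such an embedded payload out of a carrier: it tries every phase of the repeating key, looks for the byte pair that "MZ" turns into under that phase, confirms the "PE\0\0" signature through e_lfanew before trusting the hit, and sizes the image from its section table rather than taking everything to the end of the file. The carrier used here is constructed in build_sample() and is only PE-shaped, not a runnable executable; the function names are my own.

```python
import hashlib
import struct

# Key named in the write-up above. Everything else in this block is an
# added illustration, not the dropper's own code.
KEY = b"fuckyouman"


def xor_bytes(data: bytes, key: bytes, key_offset: int = 0) -> bytes:
    """XOR `data` with a repeating `key`. `key_offset` selects the key byte
    applied to data[0], so a slice taken from the middle of the stream can be
    decrypted in the correct phase."""
    klen = len(key)
    return bytes(b ^ key[(i + key_offset) % klen] for i, b in enumerate(data))


def pe_image_size(img: bytes) -> int:
    """On-disk size of a PE image: end of the last raw section
    (max PointerToRawData + SizeOfRawData). Returns 0 on malformed headers."""
    if len(img) < 0x40:
        return 0
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if len(img) < e_lfanew + 24 or img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return 0
    nsections = struct.unpack_from("<H", img, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", img, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    end = 0
    for i in range(nsections):
        off = table + 40 * i
        if off + 40 > len(img):
            return 0
        # Section header: SizeOfRawData at +16, PointerToRawData at +20.
        raw_size, raw_ptr = struct.unpack_from("<II", img, off + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def find_xored_pe(blob: bytes, key: bytes):
    """Locate the first PE image in `blob` that decrypts under `key`.
    The key phase at the payload start is unknown, so every phase is tried.
    Returns (offset, phase, decrypted_image) or None."""
    klen = len(key)
    for phase in range(klen):
        # What the "MZ" magic looks like once XORed with the key at this phase.
        needle = bytes([0x4D ^ key[phase], 0x5A ^ key[(phase + 1) % klen]])
        pos = blob.find(needle)
        while pos != -1:
            head = xor_bytes(blob[pos:pos + 0x40], key, phase)
            if len(head) == 0x40:
                e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
                # Bound e_lfanew before following it: a chance "MZ" hit in
                # random data usually fails here.
                if 0x40 <= e_lfanew <= 0x1000 and pos + e_lfanew + 4 <= len(blob):
                    sig = xor_bytes(blob[pos + e_lfanew:pos + e_lfanew + 4],
                                    key, phase + e_lfanew)
                    if sig == b"PE\0\0":
                        image = xor_bytes(blob[pos:], key, phase)
                        size = pe_image_size(image)
                        if 0 < size <= len(image):
                            return pos, phase, image[:size]
            pos = blob.find(needle, pos + 1)
    return None


def build_sample():
    """Constructed test data: a minimal PE-shaped payload (not a real
    executable) embedded XOR-encrypted under KEY inside a carrier, mimicking
    the layout described above. Returns (carrier, plaintext_payload)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine=i386, NumberOfSections=1, stamp, symtab, nsyms,
    # SizeOfOptionalHeader=0 (omitted for brevity), Characteristics.
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    raw_ptr, raw_size = 0x80, 0x10
    section = b".text\0\0\0" + struct.pack("<IIII", raw_size, 0x1000, raw_size, raw_ptr)
    section += b"\0" * (40 - len(section))
    payload = dos + coff + section
    payload += b"\0" * (raw_ptr - len(payload)) + b"\xCC" * raw_size
    carrier = b"STUB" + b"\0" * 33 + xor_bytes(payload, KEY) + b"\0" * 64
    return carrier, payload


if __name__ == "__main__":
    carrier, _ = build_sample()
    hit = find_xored_pe(carrier, KEY)
    if hit:
        off, phase, image = hit
        print(f"embedded PE at offset {off}, key phase {phase}, {len(image)} bytes")
        print("SHA256:", hashlib.sha256(image).hexdigest())
```

Run against a real carrier, the printed SHA256 of the carved image is what you would compare with the inner-file hashes listed below; the phase loop matters because some loaders start the key mid-way or prepend a header to the encrypted buffer.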

Filesize: 303616
MD5: 9d388cea1848f5152da4c93e4727ddbe
SHA1: de4a7960da5ab5d5cd41e20c47ebc8b5555be893
SHA256: c25d88d84af101b33caec63338fce43b7fdbb0d59752a42d995741fecb4f8ceb

When that file is executed, the following behavior is observed:

Establishes a TCP connection with 68.178.232.99.

http://www.utrace.de/?query=68.178.232.99
Provider: GoDaddy.com (Greenwich, United States)

Performs a DNS query for mothafuckinnn.sytes.net, which resolved to 174.95.119.117

http://www.utrace.de/?query=174.95.119.117
Provider: Bell Canada (Gatineau, Canada)

Tries to establish TCP connections to ports 100 and 200 of mothafuckinnn.sytes.net

Copies itself to %WINDIR%\system32\WinDir\svchost.exe

http://www.virustotal.com/file-scan/report.html?id=c25d88d84af101b33caec63338fce43b7fdbb0d59752a42d995741fecb4f8ceb-1318725820
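The behaviors listed above translate directly into host and network detections. The Python below is an added example (not part of this write-up) that runs those indicators over a few constructed, Sysmon-style event records: the DNS name, the two IP addresses and the two ports are the ones reported above, while the svchost.exe check goes beyond the single path seen here and flags any svchost.exe outside the standard system directories, since the dropped copy lives in a WinDir subfolder rather than in system32 itself. The event field names and the legitimate-directory set are assumptions.

```python
# Indicators taken from the write-up above.
C2_DOMAIN = "mothafuckinnn.sytes.net"
C2_IPS = {"68.178.232.99", "174.95.119.117"}
C2_PORTS = {100, 200}
DROP_PATH = r"%WINDIR%\system32\WinDir\svchost.exe"

# Assumption: where a genuine svchost.exe lives on a default install.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def normalize_path(path: str, windir: str = r"C:\Windows") -> str:
    """Expand %WINDIR%, unify separators and case so paths compare reliably."""
    return path.replace("%WINDIR%", windir).replace("/", "\\").lower()


def svchost_masquerade(path: str, windir: str = r"C:\Windows") -> bool:
    """True for an svchost.exe located anywhere other than the legitimate
    system directories (a common persistence disguise)."""
    p = normalize_path(path, windir)
    if not p.endswith("\\svchost.exe"):
        return False
    return p.rsplit("\\", 1)[0] not in LEGIT_SVCHOST_DIRS


def classify_event(ev: dict) -> list:
    """Return the list of indicator names a single event matches."""
    hits = []
    kind = ev.get("type")
    if kind == "dns" and ev.get("query", "").lower().rstrip(".") == C2_DOMAIN:
        hits.append("dns:c2-domain")
    elif kind == "connect":
        if ev.get("dst_ip") in C2_IPS:
            hits.append("net:c2-ip")
        if ev.get("dst_port") in C2_PORTS and ev.get("dst_host", "").lower() == C2_DOMAIN:
            hits.append("net:c2-port")
    elif kind == "file" and svchost_masquerade(ev.get("path", "")):
        hits.append("file:svchost-masquerade")
    return hits


def scan(events: list) -> list:
    """Run classify_event over a list of events; returns (index, indicator) pairs."""
    return [(i, h) for i, ev in enumerate(events) for h in classify_event(ev)]


# Constructed sample events, modelled on the behaviour described above.
SAMPLE_EVENTS = [
    {"type": "connect", "dst_ip": "68.178.232.99", "dst_port": 80},
    {"type": "dns", "query": "mothafuckinnn.sytes.net."},
    {"type": "connect", "dst_ip": "174.95.119.117", "dst_port": 100,
     "dst_host": "mothafuckinnn.sytes.net"},
    {"type": "file", "path": DROP_PATH},
    {"type": "file", "path": r"C:\Windows\System32\svchost.exe"},   # benign
    {"type": "connect", "dst_ip": "93.184.216.34", "dst_port": 443},  # benign
]

if __name__ == "__main__":
    for idx, indicator in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {indicator}")
```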