Submission Summary:

• Submission details:
• Submission received: 1 October 2012, 00:23:12
• Processing time: 11 min 45 sec
• Submitted sample:
• File MD5: 0xDA2537F668942526FAA4B8487B635AEB
• File SHA-1: 0x7710631F01D31F242BC3798E973B29C734588190
• Filesize: 667,680 bytes
• Alias:
• Packed.Win32.CPEX-based.ht [Kaspersky Lab]
• Backdoor.Win32.Zegost [Ikarus]

Technical Details:

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%AppData%\logs.dat	15 bytes	MD5: 0xE21BD9604EFE8EE9B59DC7605B927A2A SHA-1: 0x3240ECC5EE459214344A1BAAC5C2A74046491104	Troj/RebhipCn-A [Sophos]
2	%AppData%\Microsoft\Crypto\RSA\S-1-5-21-606747145-764733703-839522115-1003\699c4b9cdebca7aaea5193cae8a50098_a7bcc1a4-f7a4-4502-8650-8579e607f7f7	50 bytes	MD5: 0x5B63D4DD8C04C88C0E30E494EC6A609A SHA-1: 0x884D5A8BDC25FE794DC22EF9518009DCF0069D09	(not available)
3	%Temp%\UuU.uUu	8 bytes	MD5: 0xACB70EC8C9532E2F84A835D959CDBDA9 SHA-1: 0xCEF3AA617F62B7053DCC2FB8FB3CFB749CD14EE9	(not available)
4	%Temp%\XX--XX--XX.txt	235,373 bytes	MD5: 0x1ECC7C17F5BAC177451C56C78BFEC21A SHA-1: 0x151678845BCB5FC3000C3DD955C37FFBD736C808	Trojan.Agent [Ikarus]
5	%Temp%\XxX.xXx	8 bytes	MD5: 0x7DEA362B3FAC8E00956A4952A3D4F474 SHA-1: 0x05FE405753166F125559E7C9AC558654F107C7E9	(not available)
6	[file and pathname of the sample #1] %Windir%\winr\64bit.exe	667,680 bytes	MD5: 0xDA2537F668942526FAA4B8487B635AEB SHA-1: 0x7710631F01D31F242BC3798E973B29C734588190	Packed.Win32.CPEX-based.ht [Kaspersky Lab] Backdoor.Win32.Zegost [Ikarus]

• Notes:
• %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
• %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
• %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

• The following directory was created:
• %Windir%\winr

Memory Modifications

• There were new processes created in the system:

• There were new memory pages created in the address space of the system process(es):

Registry Modifications

• The following Registry Keys were created:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5B86UL47-NG86-C4XI-TQFP-K0L2WP35R17S}
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
• HKEY_CURRENT_USER\Software\Victim

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5B86UL47-NG86-C4XI-TQFP-K0L2WP35R17S}]
• StubPath = "%Windir%\winr\64bit.exe Restart"

so that 64bit.exe runs every time Windows starts

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
• Policies = "%Windir%\winr\64bit.exe"

so that 64bit.exe runs every time Windows starts

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• HKLM = "%Windir%\winr\64bit.exe"

so that 64bit.exe runs every time Windows starts

• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
• Policies = "%Windir%\winr\64bit.exe"

so that 64bit.exe runs every time Windows starts

• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
• HKCU = "%Windir%\winr\64bit.exe"

so that 64bit.exe runs every time Windows starts

• [HKEY_CURRENT_USER\Software\Victim]
• FirstExecution = "01/10/2012 -- 00:23"
• NewIdentification = "Victim"

Other details

• To mark the presence in the system, the following Mutex objects were created:
• _x_X_UPDATE_X_x_
• _x_X_PASSWORDLIST_X_x_
• _x_X_BLOCKMOUSE_X_x_
• ***MUTEX***
• ***MUTEX***_SAIR

• The following Host Name was requested from a host database:
• kernel32.zapto.org

• There was registered attempt to establish connection with the remote host. The connection details are:

Outbound traffic (potentially malicious)

• There was an outbound traffic produced on port 4001: