SmartEye malware

Remote Host       Port Number
184.154.74.130    20
184.154.74.130    21
64.208.241.65     80

* The data identified by the following URLs was then requested from the remote web server:
o http://update.adobe.com/pub/adobe/acrobat/js/6.x/rdr/win/enu/DataScript.js
o http://update.adobe.com/pub/adobe/acrobat/js/6.x/rdr/win/enu/CodeScript.js
o http://update.adobe.com/pub/adobe/acrobat/js/6.x/rdr/win/enu/UIScript.js
o http://update.adobe.com/pub/adobe/acrobat/js/6.x/rdr/win/enu/ResourceScript.js
o http://update.adobe.com/pub/adobe/acrobat/js/6.x/rdr/win/enu/MasterScript.js

USER uploader@demo.ymlook.com
passwd !234567*

Registry Modifications

* The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall
o HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
o HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
+ HideFileExt = 0x00000001
+ Hidden = 0x00000002
+ SuperHidden = 0x00000001
+ ShowSuperHidden = 0x00000000
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ EnergyCut = "%System%\EnergyCut.exe"
  so that EnergyCut.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
+ EnableFirewall = 0x00000000
o [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
+ EnableFirewall = 0x00000000

Memory Modifications

* There was a new process created in the system:

Process Name     Process Filename          Main Module Size
EnergyCut.exe    %System%\energycut.exe    290 816 bytes

* The following modules were loaded into the address space of other process(es):

Module Name    Module Filename        Address Space Details
powcpl.dll     %System%\powcpl.dll    Process name: AcroRd32.exe
                                      Process filename: %ProgramFiles%\adobe\acrobat 6.0\reader\acrord32.exe
                                      Address space: 0x27E0000 – 0x27F5000
powcpl.dll     %System%\powcpl.dll    Process name: EnergyCut.exe
                                      Process filename: %System%\energycut.exe
                                      Address space: 0x10000000 – 0x10015000

File System Modifications

* The following files were created in the system:

#  Filename(s) / File Size / File Hash

1  %Temp%\{646F6E27-7420-666F-7267-6574206D6500}\2010108_6334.bmp
   File size: 620 454 bytes
   MD5: 0x3E2321B16E351B020F9922E0E9ED93E6
   SHA-1: 0xB317126A5371C931E1FB13D4649D03E392EA55CE

2  %Temp%\{646F6E27-7420-666F-7267-6574206D6500}\2010108_6344.bmp
   %Temp%\{646F6E27-7420-666F-7267-6574206D6500}\2010108_6354.bmp
   %Temp%\{646F6E27-7420-666F-7267-6574206D6500}\2010108_6414.bmp
   %Temp%\{646F6E27-7420-666F-7267-6574206D6500}\2010108_6424.bmp
   %Temp%\{646F6E27-7420-666F-7267-6574206D6500}\2010108_6434.bmp
   %Temp%\{646F6E27-7420-666F-7267-6574206D6500}\2010108_644.bmp
   %Temp%\{646F6E27-7420-666F-7267-6574206D6500}\2010108_6444.bmp
   %Temp%\{646F6E27-7420-666F-7267-6574206D6500}\2010108_6454.bmp
   %Temp%\{646F6E27-7420-666F-7267-6574206D6500}\2010108_6517.bmp
   %Temp%\{646F6E27-7420-666F-7267-6574206D6500}\2010108_655.bmp
   File size (each): 620 454 bytes
   MD5: 0x5FCFE8AF9075DCFCBBF61F42E1A60641
   SHA-1: 0xA3CF7954B030A919FE74945AD2F8BDE5D0D47EA0

3  %Temp%\{646F6E27-7420-666F-7267-6574206D6500}\2010108_6528.bmp
   File size: 620 454 bytes
   MD5: 0x989503D9306D081378E7ADAFFA573E0D
   SHA-1: 0x16871F259F5E843931B29F6CE30833881C29549B

4  %Temp%\{646F6E27-7420-666F-7267-6574206D6500}\KeyStroke.txt
   File size: 7 068 bytes
   MD5: 0x88F73D67BB390B9E72BC90B9CEB33AE7
   SHA-1: 0xD8F233F0DD8EB0D82C6281FC19D54517F26A8BA0

5  %System%\EnergyCut.exe
   [file and pathname of the sample #1]
   File size: 355 226 bytes
   MD5: 0x77A9C0B43BA528CAE46C521CBC862562
   SHA-1: 0x1D050534AD95A156FA11E52F9EA81B0386FCB5F9

6  %System%\energycut.pdf
   %System%\[filename of the sample #1 without extension].pdf
   File size: 86 426 bytes
   MD5: 0x67BAB9A5A331413C29D504D7BCD0F434
   SHA-1: 0xA2F87D787AD95C796879501991F1AFFF211C3824

7  %System%\powcpl.dll
   File size: 65 024 bytes
   MD5: 0x1B9402631E0ACFFF0BF3B90FB321B9C7
   SHA-1: 0x4D5EA418B50B858E74F25819A55CBB6D10DF8481