Friday, October 27, 2017

Quick Sample Analysis

File detail:
File Name: Micrbarin.exe
MD5: 21AE834BDD5B89BACACCA4D51CF82148
Size: 3.64 MB
NSIS installer file

The file is an NSIS installer; the NSIS signature was found in the strings.

Behavioural Analysis
Executed Micrabarin.exe in a controlled environment to observe its behaviour. New processes appeared in memory, and the Windows Security Alert dialog blocked one of them, reporting the file as Adobe Flash Player. The new processes also carry the Flash Player icon.

Registry traces:
HKEY_CURRENT_USER\Software\TektonIT
HKEY_CURRENT_USER\Software\TektonIT\Remote Manipulator System
HKEY_CURRENT_USER\Software\TektonIT\Remote Manipulator System\Server
HKEY_CURRENT_USER\Software\TektonIT\Remote Manipulator System\Server\Parameters

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache "C:\Documents and Settings\All Users\rutserv.exe"
Data: Adobe Flash Player 27.0 r0
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\ShellNoRoam\MUICache "C:\Documents and Settings\All Users\rutserv.exe"
Data: Adobe Flash Player 27.0 r0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "sys"
Data: c:\ProgramData\rutserv.exe
HKEY_CURRENT_USER\Software\TektonIT\Remote Manipulator System\Server\Parameters "CalendarRecordSettings"
Data: (data too large: 1182 bytes)
HKEY_CURRENT_USER\Software\TektonIT\Remote Manipulator System\Server\Parameters "FUSClientPath"
Data: C:\Documents and Settings\All Users\rfusclient.exe
HKEY_CURRENT_USER\Software\TektonIT\Remote Manipulator System\Server\Parameters "InternetId"
Data: (data too large: 352 bytes)
HKEY_CURRENT_USER\Software\TektonIT\Remote Manipulator System\Server\Parameters "notification"
Data: (data too large: 563 bytes)
HKEY_CURRENT_USER\Software\TektonIT\Remote Manipulator System\Server\Parameters "Options"
Data: (data too large: 1391 bytes)
HKEY_CURRENT_USER\Software\TektonIT\Remote Manipulator System\Server\Parameters "Password"
Data: (data too large: 256 bytes)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\Documents and Settings\All Users\rutserv.exe"
Data: C:\Documents and Settings\All Users\rutserv.exe:*:Enabled:Adobe Flash Player 27.0 r0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\Documents and Settings\All Users\rutserv.exe"
Data: C:\Documents and Settings\All Users\rutserv.exe:*:Enabled:Adobe Flash Player 27.0 r0

File created
c:\Documents and Settings\All Users\rfusclient.exe
c:\Documents and Settings\All Users\rutserv.exe
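The registry traces above are a useful hunting checklist: the TektonIT vendor key, a Run value named "sys" pointing at rutserv.exe in ProgramData, legacy firewall allow-list entries, and MUICache entries that label the dropped binary as "Adobe Flash Player". The PowerShell function below is an added example (not part of the original post) that checks a host for those specific artefacts. The key paths and value names are the ones listed in this post; the function name, the Vista-and-later MUICache path and the output format are my own additions, and the list of suspicious locations is an assumption.

```powershell
# Added example: hunt a Windows host for the artefacts listed in this post.
# Run in an elevated PowerShell session; returns one object per finding.
function Find-RmsTraces {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Type, [string]$Location, [string]$Value) {
        $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Value = $Value })
    }
    # Helper: enumerate the real values of a key, skipping PSPath/PSDrive etc.
    function Get-KeyValues([string]$Key) {
        if (-not (Test-Path -LiteralPath $Key)) { return @() }
        (Get-ItemProperty -LiteralPath $Key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' }
    }

    # 1. Vendor key written by the dropped Remote Manipulator System server.
    $rmsKey = 'HKCU:\Software\TektonIT\Remote Manipulator System\Server\Parameters'
    foreach ($v in Get-KeyValues $rmsKey) {
        # Password / InternetId / FUSClientPath etc. are all worth recording.
        Add-Finding 'RMS parameter' "$rmsKey\$($v.Name)" ("$($v.Value)".Substring(0, [Math]::Min(60, "$($v.Value)".Length)))
    }

    # 2. Run-key persistence: the sample used value "sys" -> c:\ProgramData\rutserv.exe.
    #    Flag the known names and any executable launched from ProgramData / All Users.
    $suspectExe = '(?i)\\(rutserv|rfusclient)\.exe|\\(ProgramData|All Users)\\[^\\]+\.exe'
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $runKey = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
        foreach ($v in Get-KeyValues $runKey) {
            if ($v.Name -eq 'sys' -or "$($v.Value)" -match $suspectExe) {
                Add-Finding 'Run-key persistence' "$runKey\$($v.Name)" "$($v.Value)"
            }
        }
    }

    # 3. Legacy (XP-era) firewall allow-list. Value name is the path, data is
    #    "<path>:*:Enabled:<display name>"; the sample used "Adobe Flash Player 27.0 r0".
    $fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    foreach ($v in Get-KeyValues $fwKey) {
        $display = ("$($v.Value)" -split ':')[-1]
        $spoofedName = ($display -match '(?i)flash player') -and ($v.Name -notmatch '(?i)\\(Adobe|Macromed)\\')
        if ($v.Name -match '(?i)rutserv|rfusclient' -or $spoofedName) {
            Add-Finding 'Firewall allow-list' "$fwKey\$($v.Name)" "$($v.Value)"
        }
    }

    # 4. MUICache: value name is the executable path, data is the friendly name
    #    shown to the user. A "Flash Player" label on a file outside Adobe's
    #    directories is the spoof seen in this sample.
    $muiKeys = @(
        'HKCU:\Software\Microsoft\Windows\ShellNoRoam\MUICache',                              # XP (from the post)
        'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MUICache'   # Vista+ (added)
    )
    foreach ($muiKey in $muiKeys) {
        foreach ($v in Get-KeyValues $muiKey) {
            if ("$($v.Value)" -match '(?i)flash player' -and $v.Name -notmatch '(?i)\\(Adobe|Macromed)\\') {
                Add-Finding 'MUICache name spoof' "$muiKey\$($v.Name)" "$($v.Value)"
            }
        }
    }

    # 5. Dropped files and running processes named in the post.
    foreach ($p in 'C:\ProgramData\rutserv.exe', 'C:\ProgramData\rfusclient.exe',
                   "$env:ALLUSERSPROFILE\rutserv.exe", "$env:ALLUSERSPROFILE\rfusclient.exe") {
        if (Test-Path -LiteralPath $p) { Add-Finding 'Dropped file' $p (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash }
    }
    foreach ($proc in Get-Process -Name rutserv, rfusclient -ErrorAction SilentlyContinue) {
        Add-Finding 'Running process' $proc.Path "PID $($proc.Id)"
    }

    return $findings
}

Find-RmsTraces | Format-Table -AutoSize
```

Note that the ProgramData and AuthorizedApplications paths differ between XP and later Windows versions, so an empty result on a modern host only means those specific locations were clean; the Run key and MUICache checks still apply there.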

