Author Topic: A little look at the public sandboxes  (Read 8139 times)


May 30, 2008, 07:39:00 pm

JohnC

Norman Sandbox
Submission URL: http://www.norman.com/microsites/nsic/Submit/en-uk
Report: by email
Quote
ieupdater.exe : Not detected by Sandbox (Signature: Suspicious_F.gen)


 [ DetectionInfo ]
    * Sandbox name: NO_MALWARE
    * Signature name: Suspicious_F.gen
    * Compressed: YES
    * TLS hooks: NO
    * Executable type: Application
    * Executable file structure: OK

 [ General information ]
    * File might be compressed.
    * Decompressing Unk3!FSG?.
    * File length:         3113 bytes.
    * MD5 hash: adee6bebe557da172083a3168afad273.

 [ Changes to filesystem ]
    * Creates file C:\WINDOWS\ltidau.tmp.

 [ Changes to registry ]
    * Creates key "HKLM\System\CurrentControlSet\Services\Google Online Services".
    * Sets value "ImagePath"="c:\sample.exe -A" in key "HKLM\System\CurrentControlSet\Services\Google Online Services".
    * Sets value "DisplayName"="Google Online Services" in key "HKLM\System\CurrentControlSet\Services\Google Online Services".

 [ Network services ]
    * Downloads file from http://58.65.239.115/check/wnieedi.php as ltidau.tmp.
    * Connects to "58.65.239.115" on port 80 (TCP).
    * Opens URL: 58.65.239.115/check/wnieedi.php.

 [ Process/window information ]
    * Attempts to access service "Google Online Services".
    * Creates service "Google Online Services (Google Online Services)" as "c:\sample.exe -A".
    * Creates process "sample.exe".

 [ Signature Scanning ]
    * C:\WINDOWS\ltidau.tmp (4096 bytes) : no signature detection.
 

ThreatExpert
Submission URL: http://www.threatexpert.com/submit.aspx
Report URL: http://www.threatexpert.com/report.aspx?md5=adee6bebe557da172083a3168afad273
Quote

Submission Summary:
Submission details:
Submission received: 31 May 2008, 05:07:00
Processing time: 4 min 23 sec
Submitted sample:
File MD5: 0xADEE6BEBE557DA172083A3168AFAD273
Filesize: 3,113 bytes
Alias: Trojan.DL.Tipikit.Gen [PCTools]
Summary of the findings:
What's been found Severity Level
Downloads/requests other files from Internet. 

Technical Details:

 File System Modifications

The following file was created in the system:
1. Filename: [file and pathname of the sample #1]
   File Size: 3,113 bytes
   File MD5: 0xADEE6BEBE557DA172083A3168AFAD273
   Alias: Trojan.DL.Tipikit.Gen [PCTools]

 Memory Modifications

There was a new process created in the system:
Process Name: [filename of the sample #1]
Process Filename: [file and pathname of the sample #1]
Main Module Size: 36,864 bytes

There was a new service created in the system:
Service Name: Google Online Services
Display Name: Google Online Services
Status: "Running"
Service Filename: [file and pathname of the sample #1] -A

 Registry Modifications

The following Registry Keys were created:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GOOGLE_ONLINE_SERVICES
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GOOGLE_ONLINE_SERVICES\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GOOGLE_ONLINE_SERVICES\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Google Online Services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Google Online Services\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Google Online Services\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GOOGLE_ONLINE_SERVICES
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GOOGLE_ONLINE_SERVICES\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GOOGLE_ONLINE_SERVICES\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Google Online Services
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Google Online Services\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Google Online Services\Enum
The newly created Registry Values are:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GOOGLE_ONLINE_SERVICES\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = "Google Online Services"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GOOGLE_ONLINE_SERVICES\0000]
Service = "Google Online Services"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Google Online Services"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GOOGLE_ONLINE_SERVICES]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Google Online Services\Enum]
0 = "Root\LEGACY_GOOGLE_ONLINE_SERVICES\0000"
Count = 0x00000001
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Google Online Services\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Google Online Services]
Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "[file and pathname of the sample #1] -A"
DisplayName = "Google Online Services"
ObjectName = "LocalSystem"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GOOGLE_ONLINE_SERVICES\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = "Google Online Services"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GOOGLE_ONLINE_SERVICES\0000]
Service = "Google Online Services"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Google Online Services"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GOOGLE_ONLINE_SERVICES]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Google Online Services\Enum]
0 = "Root\LEGACY_GOOGLE_ONLINE_SERVICES\0000"
Count = 0x00000001
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Google Online Services\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Google Online Services]
Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "[file and pathname of the sample #1] -A"
DisplayName = "Google Online Services"
ObjectName = "LocalSystem"
The following Registry Values were modified:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
(Default) = 0x0000000B
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
(Default) = 0x0000000B
 Other details

The following Internet downloads were started (the retrieved bits are saved into the local file):
URL to be downloaded                      Filename for the downloaded bits
http://58.65.239.115/check/tpktsk.php     ltidau.tmp
http://58.65.239.115/check/wnieedi.php    ltidau.tmp

Sunbelt
Submission URL: http://research.sunbelt-software.com/Submit.aspx
Report URL: http://research.sunbelt-software.com/ViewMalware.aspx?id=4569991
(Just from Network Activity)
Quote
Download URLs
http://58.65.239.115/check/tpktsk.php (58.65.239.115) 
http://58.65.239.115/check/xwjusum.php?hjpfzv=ittaow&tsk=680 (58.65.239.115) 
http://58.65.239.115/check/xwjusum.php?hjpfzv=ittaow&tsk=484 (58.65.239.115) 
http://58.65.239.42/fj64hjn/bhos.exe (58.65.239.42) 
http://98.199.242.170/packed_Installer_ERB.exe (98.199.242.170) 
http://209.160.72.146/ldr_205_160.exe (209.160.72.146) 
Outgoing connection to remote server: 58.65.239.115 TCP port 80
Outgoing connection to remote server: 58.65.239.42 TCP port 80
Outgoing connection to remote server: 98.199.242.170 TCP port 80
Outgoing connection to remote server: 209.160.72.146 TCP port 80
Download URLs
http://91.203.92.18/progs/eirvu/famucbjhco.php?adv=adv492 (91.203.92.18) 
http://91.203.92.18/progs/eirvu/gxwiqbnmh.php (91.203.92.18) 
http://91.203.92.18/progs/eirvu/umrqmyaaq.php (91.203.92.18) 
http://91.203.92.18/progs/eirvu/rzljeqykwh.php (91.203.92.18) 
http://91.203.92.18/progs/eirvu/xnqtfjv.php (91.203.92.18) 
http://91.203.92.18/progs/eirvu/avupbzyxf.php (91.203.92.18) 
http://91.203.92.18/progs/eirvu/xsqmx (91.203.92.18) 
http://91.203.92.18/progs/eirvu/tbvugoai.php?adv=adv492&code1=PNJD&code2=1119&id=1421297239&p=1 (91.203.92.18) 
Outgoing connection to remote server: 91.203.92.18 TCP port 80
Outgoing connection to remote server: 91.203.92.18 TCP port 80
Outgoing connection to remote server: 91.203.92.18 TCP port 80
Outgoing connection to remote server: 91.203.92.18 TCP port 80
Outgoing connection to remote server: 91.203.92.18 TCP port 80
Outgoing connection to remote server: 91.203.92.18 TCP port 80
Outgoing connection to remote server: 91.203.92.18 TCP port 80
Outgoing connection to remote server: 91.203.92.18 TCP port 80
Download URLs
http://208.72.169.54/nnn1?i=1 (208.72.169.54) 
http://208.72.169.54/nnn2?i=1 (208.72.169.54) 
http://208.72.169.54/nnn3?i=1 (208.72.169.54) 
Outgoing connection to remote server: 208.72.169.54 TCP port 80
Outgoing connection to remote server: 208.72.169.54 TCP port 80
Outgoing connection to remote server: 208.72.169.54 TCP port 80
Download URLs
http://72.36.158.106/now/?&v=viper125 (72.36.158.106) 
http://72.36.158.106/now/manda.php?id=1421298886&v=viper125 (72.36.158.106) 
http://78.129.208.105/exe2/3913124.exe (78.129.208.105) 
Outgoing connection to remote server: 72.36.158.106 TCP port 80
Outgoing connection to remote server: 72.36.158.106 TCP port 80
Outgoing connection to remote server: 78.129.208.105 TCP port 80
Download URLs
http://91.203.92.18/uniq.php?id=1421297239 (91.203.92.18) 
http://91.203.92.18/ddos.php (91.203.92.18) 
Outgoing connection to remote server: 91.203.92.18 TCP port 80
Outgoing connection to remote server: 91.203.92.18 TCP port 80
Outgoing connection to remote server: 89.149.226.52 TCP port 80


Look at the difference between the information Sunbelt gives you regarding what this downloads. You get a lot more information. I'd assume this is because you're also getting information about what some of the downloaded components download as well. But it seems a lot more useful.

Just in case you're curious about the file used: enterinmind.com/check/vers195.php?q=8
VirusTotal log: http://www.virustotal.com/analisis/d3c2f893b4a30bb77b2b8d569f0c03fa

May 30, 2008, 08:41:07 pm
Reply #1

tjs


May 30, 2008, 08:58:34 pm
Reply #2

JohnC
