My SandBox Report:
General information
File Name: c:\services.exe
MD5: C5E1547BF29A18FC100FC5D7163FA546
SHA-1: 1c4dc3a232cbe569eb31fdf9d576e87e18321c11
File Size: 96793 Bytes
Packed: UPX -> Markus & Laszlo ver. [ 1.20 ] <- info from file. [ ! Modified ! ] - Overlay : EXE PE found > Offset : 0
+ Antivirus Detection
Antivir: Found Nothing
AVG: Found Nothing
F-Prot: W32/Trojan.XZK (exact)
Avast: Win32:AutoRun-APJ [Wrm]
BitDefender: Trojan.VB.PassView.A
ClamAV: Found Nothing
+ File Identifier
43.8% (.EXE) UPX compressed Win32 Executable (30569/9/7)
38.1% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
12.2% (.EXE) Win32 Executable Generic (8527/13/3)
2.8% (.EXE) Generic Win/DOS Executable (2002/3)
2.8% (.EXE) DOS Executable Generic (2000/1)
+ String Found
+ New Process Run
C:\WINDOWS\system32\oobe\Services.exe
+ File And Folder Activity
Files Added
C:\WINDOWS\system32\oobe\Info.txt
C:\WINDOWS\system32\oobe\MyAlbum_slideshow.exe
C:\WINDOWS\system32\oobe\Mypic.zip
C:\WINDOWS\system32\oobe\Pass.txt
C:\WINDOWS\system32\oobe\Pspv.exe
C:\WINDOWS\system32\oobe\Services.exe
C:\WINDOWS\system32\oobe\ZIP.exe
C:\services.exe
+ Registry Changes
Key Added
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Internet Explorer\MenuExt
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Internet Explorer\MenuExt\weeewiitt... orang-orang dara kiut.... jangan lupak add kamek lam friendster kitak okk... mukekkekek@yahoo.com eiheheheeh..
Value Added
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NPF\0000\Control\ActiveService: "NPF"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall: 0x00000000
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Internet Explorer\Main\FormSuggest Passwords: "yes"
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Internet Explorer\Main\FormSuggest PW Ask: "no"
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Internet Explorer\MenuExt\weeewiitt... orang-orang dara kiut.... jangan lupak add kamek lam friendster kitak okk... mukekkekek@yahoo.com eiheheheeh..\: " "
Value Modified
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oobe\Services.exe"
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Internet Explorer\Main\Start Page: "http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Internet Explorer\Main\Start Page: "about:weeewiitt... orang-orang dara kiut.... jangan lupak add kamek lam friendster kitak okk... mukekkekek@yahoo.com eiheheheeh.."
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: 0x00000001
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: 0x00000002
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt: 0x00000000
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt: 0x00000001
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden: 0x00000001
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden: 0x00000000