Worm.Win32.AutoItGen_290b921acd – Adaware

Dynamic Analysis

Payload

Behaviour	Description
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.

Process activity

The Worm creates the following process(es):

Picture.exe:2060
%original file name%.exe:348

The Worm injects its code into the following process(es):

RegSvcs.exe:2128
rundll32.exe:2068

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process RegSvcs.exe:2128 makes changes in the file system.

The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\losvc.exe (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winseclog (33 bytes)

The process Picture.exe:2060 makes changes in the file system.

The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\52apj8vsd4\run.vbs (89 bytes)
%Documents and Settings%\%current user%\52apj8vsd4\13189.vbs (172 bytes)
%Documents and Settings%\%current user%\52apj8vsd4\20042.cmd (68 bytes)

The process %original file name%.exe:348 makes changes in the file system.

The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\52apj8vsd4\36436_1220530013657_3761244_n.jpg (11 bytes)
%Documents and Settings%\%current user%\52apj8vsd4\XmrBi.DRS (231165 bytes)
%Documents and Settings%\%current user%\52apj8vsd4\Picture.exe (31505 bytes)
%Documents and Settings%\%current user%\52apj8vsd4\ENoDVXVP.ZHU (550 bytes)
%Documents and Settings%\%current user%\52apj8vsd4\mgdVlp.MWL (143 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\52apj8vsd4\__tmp_rar_sfx_access_check_275687 (0 bytes)

Registry activity

The process RegSvcs.exe:2128 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 4C 78 57 8F 44 BB AA 7F 5A DF CF B2 88 AA 56"

[HKCU\Software\VB and VBA Program Settings\SrvID\ID]
"ZGKTN4Y24L" = "33333"

[HKCU\Software\VB and VBA Program Settings\INSTALL\DATE]
"ZGKTN4Y24L" = "October 1, 2015"

The process Picture.exe:2060 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DF 1A 28 DA 1D F6 65 A0 6C 7E 02 1D 01 5B 79 02"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"

To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"52apj8vsd4" = "C:\DOCUME~1\"%CurrentUserName%"\52apj8vsd4\13189.vbs"

The process rundll32.exe:2068 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 FB 44 BD FC DC 1E EB 57 CB 86 54 93 B5 8C 6C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process %original file name%.exe:348 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 B6 0B 97 F5 67 F7 A5 05 90 35 0D 7D AD E0 5B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\52apj8vsd4]
"Picture.exe" = "AutoIt v3 Script"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"shimgvw.dll" = "Windows Picture and Fax Viewer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Dropped PE files

MD5	File path
e01ced5c12390ff5256694eda890b33a	c:\Documents and Settings\"%CurrentUserName%"\52apj8vsd4\Picture.exe
faa8ea9027ed6b6c875c247e59285270	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\losvc.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
Picture.exe:2060
%original file name%.exe:348
Delete the original Worm file.
Delete or disinfect the following files created/modified by the Worm:
%Documents and Settings%\%current user%\Local Settings\Temp\losvc.exe (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winseclog (33 bytes)
%Documents and Settings%\%current user%\52apj8vsd4\run.vbs (89 bytes)
%Documents and Settings%\%current user%\52apj8vsd4\13189.vbs (172 bytes)
%Documents and Settings%\%current user%\52apj8vsd4\20042.cmd (68 bytes)
%Documents and Settings%\%current user%\52apj8vsd4\36436_1220530013657_3761244_n.jpg (11 bytes)
%Documents and Settings%\%current user%\52apj8vsd4\XmrBi.DRS (231165 bytes)
%Documents and Settings%\%current user%\52apj8vsd4\Picture.exe (31505 bytes)
%Documents and Settings%\%current user%\52apj8vsd4\ENoDVXVP.ZHU (550 bytes)
%Documents and Settings%\%current user%\52apj8vsd4\mgdVlp.MWL (143 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"52apj8vsd4" = "C:\DOCUME~1\"%CurrentUserName%"\52apj8vsd4\13189.vbs"
Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	165443	165888	4.65539	7347ce1d323320f66e3fb3ff528cd4bb
.rdata	172032	20307	20480	3.71122	540d7f00105a76bf1774011f1d085053
.data	192512	137468	5632	2.40566	476ccd1811246d0fb35182a2820d6c2c
.rsrc	331776	174784	175104	3.60712	d4dcb9a3d04b27ee95980746d9a86765

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Worm connects to the servers at the folowing location(s):

Strings from Dumps

Picture.exe_2060:

.text

`.rdata

@.data

.rsrc

@.reloc

SSht:K

PSSSSSSh

Gt.Ht$

t.jGZf;

PSSSh

PVSSh

f;Crt

?#%X.y

GetProcessWindowStation

operator

kernel32.dll

RegDeleteKeyExW

advapi32.dll

oleaut32.dll

Error text not found (please report)

operand of unlimited repeat could match the empty string

POSIX named classes are supported only within a class

erroffset passed as NULL

POSIX collating elements are not supported

this version of PCRE is compiled without UTF support

PCRE does not support \L, \l, \N{name}, \U, or \u

support for \P, \p, and \X has not been compiled

this version of PCRE is not compiled with Unicode property support

\N is not supported in a class

WSOCK32.dll

VERSION.dll

WINMM.dll

COMCTL32.dll

MPR.dll

InternetCrackUrlW

HttpQueryInfoW

HttpOpenRequestW

HttpSendRequestW

FtpOpenFileW

FtpGetFileSize

InternetOpenUrlW

WININET.dll

PSAPI.DLL

IPHLPAPI.DLL

USERENV.dll

UxTheme.dll

GetProcessHeap

CreatePipe

GetWindowsDirectoryW

KERNEL32.dll

OpenWindowStationW

SetProcessWindowStation

CloseWindowStation

MapVirtualKeyW

EnumChildWindows

EnumWindows

VkKeyScanW

GetKeyState

GetKeyboardState

SetKeyboardState

GetAsyncKeyState

keybd_event

EnumThreadWindows

ExitWindowsEx

UnregisterHotKey

RegisterHotKey

GetKeyboardLayoutNameW

USER32.dll

SetViewportOrgEx

GDI32.dll

COMDLG32.dll

RegOpenKeyExW

RegCloseKey

RegCreateKeyExW

RegEnumKeyExW

RegDeleteKeyW

ADVAPI32.dll

ShellExecuteW

SHFileOperationW

ShellExecuteExW

SHELL32.dll

ole32.dll

OLEAUT32.dll

GetCPInfo

zcÃ

UQ.WP

mI.Us

\.gGL

.FFF

,.bh9

].Whjj*

4,555@5{5

;&<.>

2-262>2 3

7(797@7`7

mscoree.dll

combase.dll

- CRT not initialized

- Attempt to initialize the CRT more than once.

- floating point support not loaded

USER32.DLL

CMDLINERAW

CMDLINE

/AutoIt3ExecuteLine

/AutoIt3ExecuteScript

APPSKEY

789:;?

FTPSETPROXY

GUICTRLRECVMSG

GUICTRLSENDMSG

GUIGETMSG

GUIREGISTERMSG

HOTKEYSET

HTTPSETPROXY

HTTPSETUSERAGENT

ISKEYWORD

MSGBOX

REGENUMKEY

SHELLEXECUTE

SHELLEXECUTEWAIT

TCPACCEPT

TCPCLOSESOCKET

TCPCONNECT

TCPLISTEN

TCPNAMETOIP

TCPRECV

TCPSEND

TCPSHUTDOWN

TCPSTARTUP

TRAYGETMSG

UDPBIND

UDPCLOSESOCKET

UDPOPEN

UDPRECV

UDPSEND

UDPSHUTDOWN

UDPSTARTUP

SendKeyDelay

SendKeyDownDelay

TCPTimeout

WINDOWSDIR

AUTOITEXE

HOTKEYPRESSED

D%s (%d) : ==> %s.:

Line %d:

Line %d (File "%s"):

%s (%d) : ==> %s:

AutoIt script files (*.au3, *.a3x)

*.au3;*.a3x

All files (*.*)

Line %d:

04090000

%u.%u.%u.%u

0.0.0.0

Mddddd

"%s" (%d) : ==> %s:

\??\%s

GUI_RUNDEFMSG

AUTOITCALLVARIABLE%d

255.255.255.255

Keyword

AUTOIT.ERROR

Null Object assignment in FOR..IN loop

Incorrect Object type in FOR..IN loop

3, 3, 10, 2

HKEY_LOCAL_MACHINE

HKEY_CLASSES_ROOT

HKEY_CURRENT_CONFIG

HKEY_CURRENT_USER

HKEY_USERS

%d/d/d

%Documents and Settings%\%current user%\52apj8vsd4\Picture.exe

%Documents and Settings%\%current user%\52apj8vsd4\XmrBi.DRS

hXXp://VVV.autoitscript.com/autoit3/

AutoIt3.exe

AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention.

Missing operator in expression."Unbalanced brackets in expression.

>"Select" statement is missing "EndSelect" or "Case" statement. "If" statements must have a "Then" keyword. Badly formated Struct statement."Cannot assign values to constants..Cannot make existing variables into constants.9Only Object-type variables allowed in a "With" statement.v"long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead.-Object referenced outside a "With" statement.)Nested "With" statements are not allowed."Variable must be of type "Object".1The requested action with this object has failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array variable can not be used in this manner.

Invalid file filter given.*Expected a variable in user function call.1"Do" statement has no matching "Until" statement.2"Until" statement with no matching "Do" statement.#"For" statement is badly formatted.2"Next" statement with no matching "For" statement.N"ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop.1"For" statement has no matching "Next" statement.@"Case" statement with no matching "Select"or "Switch" statement.:"EndSelect" statement with no matching "Select" statement.ORecursion level has been exceeded - AutoIt will quit to prevent stack overflow.&Cannot make existing variables static.4Cannot make static variables into regular variables.

3This keyword cannot be used after a "Then" keyword.

0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.

Invalid element in a DllStruct.*Unknown option or bad parameter specified.&Unable to load the internet libraries./"Struct" statement has no matching "EndStruct".HUnable to open file, the maximum number of open files has been exceeded.K"ContinueLoop" statement with no matching "While", "Do" or "For" statement.0Incorrect number of parameters in function call.'"ReDim" used without an array variable.>Illegal text at the end of statement (one statement per line).1"If" statement has no matching "EndIf" statement.1"Else" statement with no matching "If" statement.2"EndIf" statement with no matching "If" statement.7Too many "Else" statements for matching "If" statement.3"While" statement has no matching "Wend" statement.4"Wend" statement with no matching "While" statement.%Variable used without being declared.XArray variable has incorrect number of subscripts or subscript dimension range exceeded.#Variable subscript badly formatted.*Subscript used on non-accessible variable.&Too many subscripts used for an array.0Missing subscript dimensions in "Dim" statement.NNo variable given for "Dim", "Local", "Global", "Struct" or "Const" statement.

HCan pass constants by reference only to parameters with "Const" keyword.*Can not initialize a variable with itself.$Incorrect way to use this parameter.:"EndSwitch" statement with no matching "Switch" statement.>"Switch" statement is missing "EndSwitch" or "Case" statement.H"ContinueCase" statement with no matching "Select"or "Switch" statement.

String missing closing quote.!Badly formated variable or macro.*Missing separator character after keyword.

rundll32.exe_2068:

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

IMAGEHLP.dll

rundll32.pdb

.....eZXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

...eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

%Xnnnnnnnnnnnnnnn1

O3$dS7"%U9

.manifest

5.1.2600.5512 (xpsp.080413-2105)

RUNDLL.EXE

Windows

Operating System

5.1.2600.5512

YThere is not enough memory to run the file %s.

Please close other windows and try again.

9The file %s or one of its components could not be opened.

0The file %s or one of its components cannot run.

MThe file %s or one of its components requires a different version of Windows.

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

Error in %s

Missing entry:%s

Error loading %s

RegSvcs.exe_2128:

.text

`.data

.rsrc

MSVBVM60.DLL

bss_server.usrReverseRelay

tmrWebHide

bss_server.Socket

bss_server.usrRelay

ieframe.dll

SHDocVwCtl.WebBrowser

WebBrowser

mswinsck.ocx

MSWinsockLib.Winsock

modLaunchWeb

%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB

C:\Windows\SysWOW64\ieframe.dll

winmm.dll

user32.dll

advapi32.dll

shell32.dll

kernel32.dll

avicap32.dll

advpack.dll

GetAsyncKeyState

SetWindowsHookExA

UnhookWindowsHookEx

GetKeyboardLayout

GetKeyboardState

GetKeyState

SHFileOperationA

CreatePipe

PSAPI.DLL

GetTcpTable

ExitWindowsEx

EnumWindows

WinInet.dll

DeleteUrlCacheEntryA

urlmon

URLDownloadToFileA

ShellExecuteA

keybd_event

CHAT_ADDMSG

VBA6.DLL

ws2_32.dll

D:\Blackshades Project\bs_net\loginserver\msvbvm60.dll\3

AddMsg

olepro32.dll

GdiplusShutdown

RemotePort

LocalPort

WSOCK32.DLL

RegCloseKey

RegOpenKeyExA

ntdll.dll

C:\Windows\SysWOW64\ieframe.oca

%Program Files% (x86)\Microsoft Visual Studio\VB98\mswinsck.oca

tmrTCP

tmrUDP

UDPSocket

UDPFlood

ole32.dll

crypt32.dll

oleaut32.dll

RegOpenKeyA

FindFirstUrlCacheEntryA

FindNextUrlCacheEntryA

`txtPassword

imgLoginPressed

imgLogin

RegCreateKeyA

RegDeleteKeyA

RegEnumKeyExA

gdi32.dll

InternetOpenUrlA

FtpGetFileA

FtpPutFileA

FtpSetCurrentDirectoryA

FtpGetCurrentDirectoryA

FtpOpenFileA

FtpGetFileSize

FtpDeleteFileA

FtpCreateDirectoryA

FtpRemoveDirectoryA

FtpRenameFileA

FtpDownload

FtpUpload

FtpGetDirectory

Http_DownloadFile

cmdShowfiles

msvbvm60.dll

?8??8??8??8??8?

txtPassword

2>e%Xdq

uMsg

strMsg

MsgNum

AllMsgs

lngPort

URL_TARGET

Port

Password

WebURL

Returns/Sets the port to be connected to on the remote computer

Returns/Sets the port used on the local computer

Binds socket to specific port and adapter

Occurs after a send operation has completed

*\AD:\Blackshades Project\bs_net\server\server.vbp

2c49f800-c2dd-11cf-9ad6-0080c7e7b78d

Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1) Gecko/20090612 Firefox/3.5

{00020404-0000-0000-C000-000000000046}

5.5.1

\nir_cmd.bss speak text

\nir_cmd.bss setsysvolume 65535

\nir_cmd.bss mutesysvolume 1

\nir_cmd.bss mutesysvolume 0

\nir_cmd.bss screensaver

\nir_cmd.bss monitor off

\nir_cmd.bss monitor on

PORT

TRANSFERPORT

\rsout.tmp

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\

Keylog

Wscript.Shell

HKEY_CLASSES_ROOT\HTTP\shell\open\command\

\winlogon.exe

iexplore.exe

hXXp://VVV.facebook.com/?ref=home

hXXp://VVV.facebook.com

ADVAPI32.dll

Windows Firewall/Internet Connection Sharing (ICS)

WebCamCapture

\Vuze\Azureus.exe

\LimeWire\LimeWire.exe

\uTorrent\uTorrent.exe

\uTorrent\uTorrent.exe /HIDE

\BitTorrent\bittorrent.exe

\MSWINSCK.OCX

hXXp://

HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1

\cmd.exe

\data.dat

\steam\steam.exe

nkey

dkey

regsvr32.exe

\pws_mail.bss

\pws_mess.bss

\pws_cdk.bss

\pws_ff.bss

\pws_chro.bss

\nir_cmd.bss

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "

:*:Enabled:Windows Messanger" /f

winmgmts:{impersonationLevel=Impersonate}!\\.\root\cimv2

00000000

winmgmts:\\.\root\cimv2

api.ipinfodb.com

Select * from Win32_Keyboard

GET /v2/ip_query.php?key=

&timezone=off HTTP/1.1

Host: api.ipinfodb.com

GET /v2/ip_query_country.php?key=

Portable

winmgmts:\\.\root\SecurityCenter

\wallpaper.bmp

\wallpaper.jpg

WScript.Shell

WinServer 2003, Web Edition

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName

__oxFrame.class__

Scripting.FileSystemObject

Autorun.ini

{557CF401-1A04-11D3-9A73-0000F81EF32E}

{1D5BE4B5-FA4A-452D-9CDD-5DB35105E7EB}

Address family not supported by protocol family.

Operation already in progress.

Operation now in progress.

Socket operation on nonsocket.

Operation not supported.

Protocol family not supported.

Protocol not supported.

Socket type not supported.

Winsock.dll version out of range.

CSocketMaster.SocketExists

CSocketMaster.PostSocket

CSocketMaster.ConnectToIP

CSocketMaster.ResolveIfHostname

CSocketMaster.SendBufferedDataUDP

CSocketMaster.SendBufferedData

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1

$('#jschl_answer').val(

application/x-www-form-urlencoded

abe2869f-9b47-4cd9-a358-c22904dba7f7

/stext mess.dat

\mess.dat

/stext mail.dat

\mail.dat

/stext ffpw.dat

\ffpw.dat

Web Site

Password

/stext chro.dat

\chro.dat

Action URL

SOFTWARE\MICROSOFT\Windows NT\CurrentVersion

Windows

SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command

http\shell\open\command

127.0.0.1

\dump.txt

\uTorrent\uTorrent.exe /DIRECTORY

255.255.255.255

finalizarprocessoportas

CONNECT %s:%i HTTP/1.0

SOFTWARE\Classes\http\shell\open\command

Software\Classes\http\shell\open\command

Software\Microsoft\Windows NT\CurrentVersion\SystemRestore

code.is.a.winner

Software\Microsoft\Windows\CurrentVersion\Uninstall\eMule

SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\DigitalProductId

bps1.exe

bhookpl.dll

bnfa.exe

drvloadn.dll

drvloadx.dll

VNCHooks.dll

xr4tdwa.exe

\rspad.dat

shutdown.exe

TCnRawKeyBoard

HuntHTTPDownload

autorun.inf

explorer.exe

hXXps://onlineeast#.bankofamerica.com

winlogon.exe

moz_logins

WEBCAMLIVE

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

\system32\userinit.exe,

notepad.exe

\system32\userinit.exe

steam.exe

hl.exe

@*\AD:\Blackshades Project\bs_net\server\server.vbp

RegSvcs.exe_2128_rwx_00400000_0007A000:

.text

`.data

.rsrc

MSVBVM60.DLL

bss_server.usrReverseRelay

tmrWebHide

bss_server.Socket

bss_server.usrRelay

ieframe.dll

SHDocVwCtl.WebBrowser

WebBrowser

mswinsck.ocx

MSWinsockLib.Winsock

modLaunchWeb

%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB

C:\Windows\SysWOW64\ieframe.dll

winmm.dll

user32.dll

advapi32.dll

shell32.dll

kernel32.dll

avicap32.dll

advpack.dll

GetAsyncKeyState

SetWindowsHookExA

UnhookWindowsHookEx

GetKeyboardLayout

GetKeyboardState

GetKeyState

SHFileOperationA

CreatePipe

PSAPI.DLL

GetTcpTable

ExitWindowsEx

EnumWindows

WinInet.dll

DeleteUrlCacheEntryA

urlmon

URLDownloadToFileA

ShellExecuteA

keybd_event

CHAT_ADDMSG

VBA6.DLL

ws2_32.dll

D:\Blackshades Project\bs_net\loginserver\msvbvm60.dll\3

AddMsg

olepro32.dll

GdiplusShutdown

RemotePort

LocalPort

WSOCK32.DLL

RegCloseKey

RegOpenKeyExA

ntdll.dll

C:\Windows\SysWOW64\ieframe.oca

%Program Files% (x86)\Microsoft Visual Studio\VB98\mswinsck.oca

tmrTCP

tmrUDP

UDPSocket

UDPFlood

ole32.dll

crypt32.dll

oleaut32.dll

RegOpenKeyA

FindFirstUrlCacheEntryA

FindNextUrlCacheEntryA

`txtPassword

imgLoginPressed

imgLogin

RegCreateKeyA

RegDeleteKeyA

RegEnumKeyExA

gdi32.dll

InternetOpenUrlA

FtpGetFileA

FtpPutFileA

FtpSetCurrentDirectoryA

FtpGetCurrentDirectoryA

FtpOpenFileA

FtpGetFileSize

FtpDeleteFileA

FtpCreateDirectoryA

FtpRemoveDirectoryA

FtpRenameFileA

FtpDownload

FtpUpload

FtpGetDirectory

Http_DownloadFile

cmdShowfiles

msvbvm60.dll

?8??8??8??8??8?

txtPassword

2>e%Xdq

uMsg

strMsg

MsgNum

AllMsgs

lngPort

URL_TARGET

Port

Password

WebURL

Returns/Sets the port to be connected to on the remote computer

Returns/Sets the port used on the local computer

Binds socket to specific port and adapter

Occurs after a send operation has completed

*\AD:\Blackshades Project\bs_net\server\server.vbp

2c49f800-c2dd-11cf-9ad6-0080c7e7b78d

Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1) Gecko/20090612 Firefox/3.5

{00020404-0000-0000-C000-000000000046}

5.5.1

\nir_cmd.bss speak text

\nir_cmd.bss setsysvolume 65535

\nir_cmd.bss mutesysvolume 1

\nir_cmd.bss mutesysvolume 0

\nir_cmd.bss screensaver

\nir_cmd.bss monitor off

\nir_cmd.bss monitor on

PORT

TRANSFERPORT

\rsout.tmp

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\

Keylog

Wscript.Shell

HKEY_CLASSES_ROOT\HTTP\shell\open\command\

\winlogon.exe

iexplore.exe

hXXp://VVV.facebook.com/?ref=home

hXXp://VVV.facebook.com

ADVAPI32.dll

Windows Firewall/Internet Connection Sharing (ICS)

WebCamCapture

\Vuze\Azureus.exe

\LimeWire\LimeWire.exe

\uTorrent\uTorrent.exe

\uTorrent\uTorrent.exe /HIDE

\BitTorrent\bittorrent.exe

\MSWINSCK.OCX

hXXp://

HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1

\cmd.exe

\data.dat

\steam\steam.exe

nkey

dkey

regsvr32.exe

\pws_mail.bss

\pws_mess.bss

\pws_cdk.bss

\pws_ff.bss

\pws_chro.bss

\nir_cmd.bss

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "

:*:Enabled:Windows Messanger" /f

winmgmts:{impersonationLevel=Impersonate}!\\.\root\cimv2

00000000

winmgmts:\\.\root\cimv2

api.ipinfodb.com

Select * from Win32_Keyboard

GET /v2/ip_query.php?key=

&timezone=off HTTP/1.1

Host: api.ipinfodb.com

GET /v2/ip_query_country.php?key=

Portable

winmgmts:\\.\root\SecurityCenter

\wallpaper.bmp

\wallpaper.jpg

WScript.Shell

WinServer 2003, Web Edition

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName

__oxFrame.class__

Scripting.FileSystemObject

Autorun.ini

{557CF401-1A04-11D3-9A73-0000F81EF32E}

{1D5BE4B5-FA4A-452D-9CDD-5DB35105E7EB}

Address family not supported by protocol family.

Operation already in progress.

Operation now in progress.

Socket operation on nonsocket.

Operation not supported.

Protocol family not supported.

Protocol not supported.

Socket type not supported.

Winsock.dll version out of range.

CSocketMaster.SocketExists

CSocketMaster.PostSocket

CSocketMaster.ConnectToIP

CSocketMaster.ResolveIfHostname

CSocketMaster.SendBufferedDataUDP

CSocketMaster.SendBufferedData

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1

$('#jschl_answer').val(

application/x-www-form-urlencoded

abe2869f-9b47-4cd9-a358-c22904dba7f7

/stext mess.dat

\mess.dat

/stext mail.dat

\mail.dat

/stext ffpw.dat

\ffpw.dat

Web Site

Password

/stext chro.dat

\chro.dat

Action URL

SOFTWARE\MICROSOFT\Windows NT\CurrentVersion

Windows

SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command

http\shell\open\command

127.0.0.1

\dump.txt

\uTorrent\uTorrent.exe /DIRECTORY

255.255.255.255

finalizarprocessoportas

CONNECT %s:%i HTTP/1.0

SOFTWARE\Classes\http\shell\open\command

Software\Classes\http\shell\open\command

Software\Microsoft\Windows NT\CurrentVersion\SystemRestore

code.is.a.winner

Software\Microsoft\Windows\CurrentVersion\Uninstall\eMule

SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\DigitalProductId

bps1.exe

bhookpl.dll

bnfa.exe

drvloadn.dll

drvloadx.dll

VNCHooks.dll

xr4tdwa.exe

\rspad.dat

shutdown.exe

TCnRawKeyBoard

HuntHTTPDownload

autorun.inf

explorer.exe

hXXps://onlineeast#.bankofamerica.com

winlogon.exe

moz_logins

WEBCAMLIVE

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

\system32\userinit.exe,

notepad.exe

\system32\userinit.exe

steam.exe

hl.exe

@*\AD:\Blackshades Project\bs_net\server\server.vbp

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps