Skip navigation.
Home

Analysis of Braviax.exe

|

Hi,
i got some files named braviax.exe which is downloading the rogues. all of them are of somewhat same sizes. Also when i try to pass it in olly something wrong happens.

http://www.offensivecomputing.net/?q=ocsearch&ocq=4dcfc3c51e92fd35127fb0ec96e2ce8a

this is one of those samples.
when i execute them, using process xplorer i found that there are lots of malware filenames and urls to the malwares are there.(but in (properties->strings->memory)
And when i passed it to die_0.64 which is a tool like PEiD, it showed the file is entropy packed.
So i'm thinking like it is compressed using some technology.

Can anybody please give me some info about this file other than this??

Braviax.exe

I also have a few samples of this. It is pretty nasty. It appears to have to power to stop
quite a few of the usual forensics tools and prevent them from running. Once infected it drops
many different executable files in the root folder of the system drive. Does anyone want to
collaborate on the analysis of this? I have taken many snapshots using VM Workstation and
also have the ram captures taken using Encase Enterprise.

Re: Braviax.exe

I'd be willing to help out. Though, I am pretty new at this. Popping the aforementioned copy of braviax into olly/ida does not produce what I'm used to seeing.

Re: Analysis of Braviax.exe

obscurant1st,
What happens when you pass it to olly? The malware is packed with "Mystic Compressor". These strings begin to become apparent after going through the unpacking routine, the first spot I noticed it was @ 3A000A, though it could have popped up earlier. It seemed like it was packed several times.
Also, in Olly I am using the ARTeam-ollydbg.ini suggested from the Lena tutorial 01.

it is an executable file

it is an executable file used by rogue antispywares like windows antivirus pro,windows antispyware, internet security pro, and a whole lot more. It is related with CRU629.dat and USER32.dat. You need to remove the braviax.exe, cru629.dat, user32.dat,b.exe from your system. These files will try to download the whole package of the trojans and worms and will try to disable services in your computer like regedit.exe, explorer.exe and any other inportant services and processes.

Try to send that file directly to threatexpert.com for further analysis. They will send the a report directly to your email. Then you can try to attach that file here for education purposes.

" wait for the right time, then strike back... "

Braviax Variant.

Also note I had a bad Baviax case a few weeks ago in one of my customers PC's It replaced the Eventlog.dll from the PC and was corrupting mbam.exe every time I tried to execute it... I ran Winternals ERD commander system file checker and if finally got rid of the Trojan completely.