
Possible Trojan.Gromozon analysis

6733938c83af5bbca91ebb4e3913c734

hckf.exe

PACKER:
FSG 2.0 -> bart/xt, easily unpacked with
http://ap0x.jezgra.net/RL!deFSG%202.0.rar

creates files:

C:\DOCUME~1\username\LOCALS~1\Temp\022171f8.bat

I set a breakpoint on WriteFile() in OllyDbg and,
after passing an exception, I found:

0012F00C 0012F088 ASCII ":a\r\n@del %1\r\n@if exist %1 goto a\r\n@del %0"

After advancing a bit, the file contained data
which, when opened in an editor, shows:

:a
@del %1
@if exist %1 goto a
@del %0

So this is the "delete yourself" routine: the batch file is started with the path of the executable as %1, keeps retrying del on it until the file is gone (the delete fails while the original process is still running and holds its image open, which is why the loop is needed), and then deletes itself with %0.

I'm wondering if this has a VMware detection feature,
because it doesn't seem to do
anything other than delete itself.

I do, however, see a cmd.exe process spawned, so I set a breakpoint on CreateProcessA():

0012EFE0 0040165D /CALL to CreateProcessA
0012EFE4 00000000 |ModuleFileName = NULL
0012EFE8 0012F0CC |CommandLine = "cmd.exe /c
\"\"C:\\DOCUME~1\\username\\LOCALS~1\\Temp\\02397659.bat\"
\"C:\\Documents and Settings\\username\\Desktop\\hckf.exe\"\""
0012EFEC 00000000 |pProcessSecurity = NULL
0012EFF0 00000000 |pThreadSecurity = NULL
0012EFF4 00000000 |InheritHandles = FALSE
0012EFF8 00000000 |CreationFlags = 0
0012EFFC 00000000 |pEnvironment = NULL
0012F000 00000000 |CurrentDir = NULL
0012F004 0012F014 |pStartupInfo = 0012F014
0012F008 0012F058 \pProcessInfo = 0012F058
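The two artifacts above, the batch body caught at WriteFile and the "cmd.exe /c" command line passed to CreateProcessA, are enough for a small triage check. The following is an added example and not code from the original post: it normalizes a batch script and decides whether it is the retry-delete loop on %1 followed by del %0, and it parses the cmd.exe /c command line into the batch path and the argument that becomes %1. Note that the temp batch name at this breakpoint (02397659.bat) differs from the one seen under WriteFile (022171f8.bat), so the check keys on the script body rather than the file name. The sample strings in the block are constructed from the values shown on this page; the function names and regular expressions are assumptions of the example.

```python
"""Triage helpers for the dropped-batch self-delete pattern seen above.

Added example, not code from the original post. The sample batch body and
command line below are constructed from the values shown on the page; the
function names and patterns are assumptions of this example.
"""
import re
from typing import List, Optional, Tuple

# Constructed: the batch body recovered from the WriteFile buffer.
SAMPLE_BAT = ":a\r\n@del %1\r\n@if exist %1 goto a\r\n@del %0"

# Constructed: the CommandLine argument seen at the CreateProcessA breakpoint.
SAMPLE_CMDLINE = (
    'cmd.exe /c ""C:\\DOCUME~1\\username\\LOCALS~1\\Temp\\02397659.bat" '
    '"C:\\Documents and Settings\\username\\Desktop\\hckf.exe""'
)


def normalize_batch(text: str) -> List[str]:
    """Split a batch script into lower-cased lines with the leading '@'
    (echo suppression) and surplus whitespace removed, so cosmetic variants
    of the same script compare equal."""
    out = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        line = raw.strip().lstrip("@").strip().lower()
        if line:
            out.append(" ".join(line.split()))
    return out


def is_self_delete_batch(text: str) -> bool:
    """True when the script is exactly: a label, a delete of %1, a loop back to
    the label while %1 still exists, then a delete of %0 (the script itself).
    Label name, '@' prefixes, case, del/erase and del switches may vary;
    any additional command makes this return False."""
    lines = normalize_batch(text)
    if len(lines) != 4:
        return False
    label = re.fullmatch(r":(\w+)", lines[0])
    if not label:
        return False
    name = re.escape(label.group(1))
    del_arg = re.fullmatch(r"(?:del|erase)\s+(?:/\w+\s+)*%1", lines[1])
    loop = re.fullmatch(rf"if exist %1 goto :?{name}", lines[2])
    del_self = re.fullmatch(r"(?:del|erase)\s+(?:/\w+\s+)*%0", lines[3])
    return bool(del_arg and loop and del_self)


def parse_cmd_c(cmdline: str) -> Optional[Tuple[str, str]]:
    """Parse 'cmd.exe /c ""<script>" "<arg>""' into (script_path, arg).

    When the /c string begins with a quote, cmd.exe strips the outermost quote
    pair, which is why the dropper double-quotes it; the inner quoted strings
    are the batch file and the value that becomes %1 inside it."""
    m = re.match(r'^\s*"?cmd(?:\.exe)?"?\s+/c\s+(.*)$', cmdline, re.IGNORECASE)
    if not m:
        return None
    rest = m.group(1).strip()
    if len(rest) >= 2 and rest.startswith('"') and rest.endswith('"'):
        rest = rest[1:-1]
    args = [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', rest)]
    if len(args) < 2 or not args[0].lower().endswith((".bat", ".cmd")):
        return None
    return args[0], args[1]


def triage(cmdline: str, batch_text: str) -> dict:
    """Combine both checks the way a sandbox post-processor would: which file
    is the script, which file it is asked to remove, and whether the script
    body is the self-delete loop."""
    parsed = parse_cmd_c(cmdline)
    return {
        "script": parsed[0] if parsed else None,
        "target": parsed[1] if parsed else None,
        "self_delete": is_self_delete_batch(batch_text),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINE, SAMPLE_BAT))
```

The body check is deliberately strict (exactly four lines, nothing but the loop and the two deletes): a legitimate installer cleanup script usually does more than this, and the point of flagging the dropped file is that its only purpose is to remove the executable that wrote it.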

STRINGS:

000001F2 004001F2 0 KERNEL32.dll
00001CAA 00401CAA 0 CreateMutexA
00001CBA 00401CBA 0 OpenMutexA
00001CC8 00401CC8 0 LoadLibraryA
00001CD8 00401CD8 0 SetUnhandledExceptionFilter
00001CF6 00401CF6 0 GetModuleHandleA
00001D0A 00401D0A 0 GetLastError
00001D1A 00401D1A 0 Sleep
00001D22 00401D22 0 GetTempPathA
00001D32 00401D32 0 GetTickCount
00001D42 00401D42 0 ExitProcess
00001D50 00401D50 0 GetModuleFileNameA
00001D66 00401D66 0 lstrcmpiA
00001D72 00401D72 0 FreeLibrary
00001D80 00401D80 0 GetProcAddress
00001D92 00401D92 0 LocalAlloc
00001DA0 00401DA0 0 LocalFree
00001DAC 00401DAC 0 CreateProcessA
00001DBE 00401DBE 0 CreateFileA
00001DCC 00401DCC 0 WriteFile
00001DD8 00401DD8 0 CloseHandle
00001DE6 00401DE6 0 SetFileAttributesA
00001DFC 00401DFC 0 lstrlenA
00001E08 00401E08 0 GetVersion
00001E16 00401E16 0 lstrcpyA
00001E20 00401E20 0 KERNEL32.dll
00001E30 00401E30 0 wsprintfA
00001E3A 00401E3A 0 USER32.dll
00006188 00406188 0 LoadLibraryA
00006196 00406196 0 GetProcAddress
0000703D 0040703D 0 KERNEL32.dll
0000704A 0040704A 0 USER32.dll
00007057 00407057 0 CreateMutexA
00007066 00407066 0 OpenMutexA
00007073 00407073 0 LoadLibraryA
00007082 00407082 0 SetUnhandledExceptionFilter
000070A0 004070A0 0 GetModuleHandleA
000070B3 004070B3 0 GetLastError
000070C2 004070C2 0 Sleep
000070CA 004070CA 0 GetTempPathA
000070D9 004070D9 0 GetTickCount
000070E8 004070E8 0 ExitProcess
000070F6 004070F6 0 GetModuleFileNameA
0000710B 0040710B 0 lstrcmpiA
00007117 00407117 0 FreeLibrary
00007125 00407125 0 GetProcAddress
00007136 00407136 0 LocalAlloc
00007143 00407143 0 LocalFree
0000714F 0040714F 0 CreateProcessA
00007160 00407160 0 CreateFileA
0000716E 0040716E 0 WriteFile
0000717A 0040717A 0 CloseHandle
00007188 00407188 0 SetFileAttributesA
0000719D 0040719D 0 lstrlenA
000071A8 004071A8 0 GetVersion
000071B5 004071B5 0 lstrcpyA
000071C0 004071C0 0 wsprintfA

Gromozon

http://fileinfo.prevx.com/fileinfo.asp?PXC=5c7362911723