WildFire Analysis Report

Contents
1 File Information
2 Static Analysis
3 Dynamic Analysis
3.1. VM1 (Windows XP, Adobe Reader 9.4.0, Flash 10, Office 2007)
3.1.1. Behavioral Summary
3.1.2. Network Activity
3.1.3. Host Activity
Process Activity
Process Name - DW20.EXE
Process Name - sample.exe
Event Timeline
3.2. VM2 (Windows 7 x64 SP1, Adobe Reader 11, Flash 11, Office 2010)
3.2.1. Behavioral Summary
3.2.2. Network Activity
3.2.3. Host Activity
Process Activity
Process Name - dw20.exe
Process Name - sample.exe
Event Timeline
1 File Information
File Type: PE
File Signer:
SHA-256: 4c95f16963a7ce9b0a25a41f4c002114dd70cb90c0ba958174ef72c4188effa1
SHA-1: b9b4673c62c1c209fc9abe5714e96ee8aef3023b
MD5: 787f94c8ed14a54d3e0b8614c8d34b05
File Size: 92160 bytes
First Seen Timestamp: 2021-07-27 23:20:02 UTC
Verdict: Malware
Antivirus Coverage: VirusTotal Information
2 Static Analysis
Pre-screening static analysis found no high-risk content in this sample.
3 Dynamic Analysis
3.1. VM1 (Windows XP, Adobe Reader 9.4.0, Flash 10, Office 2007)
3.1.1. Behavioral Summary
This sample was found to be malware on this virtual machine.
Behavior Severity
Created or modified a file in the Windows system folder
The Windows system folder contains configuration files and executables that control the underlying functions of the system. Malware often modifies the contents of this folder to manipulate the system, establish persistence, and avoid detection.
Created or modified a file
Legitimate software creates or modifies files to preserve data across system restarts. Malware may create or modify files to deliver malicious payloads or maintain persistence on a system.
Started a process
A process running on the system may start additional processes to perform actions in the background. This behavior is common to legitimate software as well as malware.
Sample tries to access the generic query interface to the DNS namespace.
Modified the Windows Registry
The Windows Registry houses system configuration settings and options, including information about installed applications, services, and drivers. Malware often modifies registry data to establish persistence on the system and avoid detection.
Sent email
A common goal of malware is to send spam or emails with malicious attachments, allowing it to spread beyond, or move laterally within, the network.
Attempted to sleep for a long period
Malware analysis environments have a limited amount of time in which to execute code and deliver a verdict. To subvert this process, malware often delays execution, or "sleeps," for a long period, allowing it to avoid detection.
3.1.2. Network Activity
DNS Queries
Domain Name | Query Type | DNS Response
mail.apj.org.pe | A | 190.12.76.45
apj.org.pe | NS | ns2.opticalip.com.pe
apj.org.pe | NS | ns1.opticalip.com.pe
Connections
Host | Port | Protocol | Country
190.12.76.45 | 25 | TCP | PE
3.1.3. Host Activity
Process Activity
Process Name - DW20.EXE
(command: C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE)
No activity recorded for this process.
Process Name - sample.exe
(command: C:\Documents and Settings\Administrator\sample.exe)
Process Activity
Child Process | Action
C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE,dw20.exe -x -s 800 | Create
File Activity
File | Action | Size(B) | File Type | Hash
C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT | Create | 68456 | unknown | md5:4e23b28b044f3520001b6884ffade551 sha1:c27a2b9dc5179af2704e08b5beafd0c382680263 sha256:4d7a5a7e37198e22bdd872d332d07227e28b92f1483893dc38c54c6dccd61f0e
Registry Activity
Registry Key | Value | Action
\REGISTRY\USER\S-1-5-21-515967899-776561741-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData | C:\Documents and Settings\Administrator\Application Data | Set
\REGISTRY\USER\S-1-5-21-515967899-776561741-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files | Set
\REGISTRY\USER\S-1-5-21-515967899-776561741-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Local AppData | C:\Documents and Settings\Administrator\Local Settings\Application Data | Set
\REGISTRY\USER\S-1-5-21-515967899-776561741-1417001333-500\Software\Microsoft\GDIPlus\FontCachePath | C:\Documents and Settings\Administrator\Local Settings\Application Data | Set
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders | C:\Documents and Settings\Administrator\Local Settings\Application Data | Create
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | C:\Documents and Settings\Administrator\Local Settings\Application Data | Create
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default | C:\Documents and Settings\Administrator\Local Settings\Application Data | Create
HKEY_CURRENT_USER\Software\Microsoft\GDIPlus | C:\Documents and Settings\Administrator\Local Settings\Application Data | Create
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | C:\Documents and Settings\Administrator\Local Settings\Application Data | Create
Created Mutexes
Mutex Name
CTF.LBES.MutexDefaultS-1-5-21-515967899-776561741-1417001333-500
CTF.Compart.MutexDefaultS-1-5-21-515967899-776561741-1417001333-500
CTF.Asm.MutexDefaultS-1-5-21-515967899-776561741-1417001333-500
CTF.Layouts.MutexDefaultS-1-5-21-515967899-776561741-1417001333-500
CTF.TMD.MutexDefaultS-1-5-21-515967899-776561741-1417001333-500
CTF.TimListCache.FMPDefaultS-1-5-21-515967899-776561741-1417001333-500MUTEX.DefaultS-1-5-21-515967899-776561741-1417001333-500
Global\.net data provider for sqlserver
Global\.net data provider for oracle
Global\.net clr networking
Event Timeline
1 Created Process C:\Documents and Settings\Administrator\sample.exe
2 Set key \REGISTRY\USER\S-1-5-21-515967899-776561741-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData to value C:\Documents and Settings\Administrator\Application Data
3 Created mutex CTF.LBES.MutexDefaultS-1-5-21-515967899-776561741-1417001333-500
4 Created mutex CTF.Compart.MutexDefaultS-1-5-21-515967899-776561741-1417001333-500
5 Created mutex CTF.Asm.MutexDefaultS-1-5-21-515967899-776561741-1417001333-500
6 Created mutex CTF.Layouts.MutexDefaultS-1-5-21-515967899-776561741-1417001333-500
7 Created mutex CTF.TMD.MutexDefaultS-1-5-21-515967899-776561741-1417001333-500
8 Created mutex CTF.TimListCache.FMPDefaultS-1-5-21-515967899-776561741-1417001333-500MUTEX.DefaultS-1-5-21-515967899-776561741-1417001333-500
9 Set key \REGISTRY\USER\S-1-5-21-515967899-776561741-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache to value C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
10 Set key \REGISTRY\USER\S-1-5-21-515967899-776561741-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Local AppData to value C:\Documents and Settings\Administrator\Local Settings\Application Data
11 Created file C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
12 Set key \REGISTRY\USER\S-1-5-21-515967899-776561741-1417001333-500\Software\Microsoft\GDIPlus\FontCachePath to value C:\Documents and Settings\Administrator\Local Settings\Application Data
13 Created mutex Global\.net data provider for sqlserver
14 Created mutex Global\.net data provider for sqlserver
15 Created mutex Global\.net data provider for sqlserver
16 Created mutex Global\.net data provider for sqlserver
17 Created mutex Global\.net data provider for sqlserver
18 Created mutex Global\.net data provider for sqlserver
19 Created mutex Global\.net data provider for sqlserver
20 Created mutex Global\.net data provider for sqlserver
21 Created mutex Global\.net data provider for sqlserver
22 Created mutex Global\.net data provider for sqlserver
23 Created mutex Global\.net data provider for sqlserver
24 Created mutex Global\.net data provider for oracle
25 Created mutex Global\.net data provider for oracle
26 Created mutex Global\.net data provider for oracle
27 Created mutex Global\.net data provider for oracle
28 Created mutex Global\.net data provider for oracle
29 Created mutex Global\.net data provider for oracle
30 Created mutex Global\.net data provider for oracle
31 Created mutex Global\.net data provider for oracle
32 Created mutex Global\.net data provider for oracle
33 Created mutex Global\.net data provider for oracle
34 Created mutex Global\.net data provider for oracle
35 Created mutex Global\.net clr networking
36 Created mutex Global\.net clr networking
37 Created mutex Global\.net clr networking
38 Created mutex Global\.net clr networking
39 Created mutex Global\.net clr networking
40 Created mutex Global\.net clr networking
41 Created mutex Global\.net clr networking
42 Created mutex Global\.net clr networking
43 Created mutex Global\.net clr networking
44 Created mutex Global\.net clr networking
45 Created mutex Global\.net clr networking
46 Created Process C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
3.2. VM2 (Windows 7 x64 SP1, Adobe Reader 11, Flash 11, Office 2010)
3.2.1. Behavioral Summary
This sample was found to be malware on this virtual machine.
Behavior Severity
Created or modified a file
Legitimate software creates or modifies files to preserve data across system restarts. Malware may create or modify files to deliver malicious payloads or maintain persistence on a system.
Started a process
A process running on the system may start additional processes to perform actions in the background. This behavior is common to legitimate software as well as malware.
Sample tries to access the generic query interface to the DNS namespace.
Modified the Windows Registry
The Windows Registry houses system configuration settings and options, including information about installed applications, services, and drivers. Malware often modifies registry data to establish persistence on the system and avoid detection.
Attempted to sleep for a long period
Malware analysis environments have a limited amount of time in which to execute code and deliver a verdict. To subvert this process, malware often delays execution, or "sleeps," for a long period, allowing it to avoid detection.
Sent email
A common goal of malware is to send spam or emails with malicious attachments, allowing it to spread beyond, or move laterally within, the network.
3.2.2. Network Activity
DNS Queries
Domain Name | Query Type | DNS Response
msftncsi.com | NS | ns4-205.azure-dns.info
msftncsi.com | NS | ns3-205.azure-dns.org
dns.msftncsi.com | AAAA | fd3e:4f5a:5b81::1
apj.org.pe | NS | ns2.opticalip.com.pe
msftncsi.com | NS | ns1-205.azure-dns.com
apj.org.pe | NS | ns1.opticalip.com.pe
mail.apj.org.pe | A | 190.12.76.45
msftncsi.com | NS | ns2-205.azure-dns.net
dns.msftncsi.com | A | 131.107.255.255
Connections
Host | Port | Protocol | Country
190.12.76.45 | 25 | TCP | PE
3.2.3. Host Activity
Process Activity
Process Name - dw20.exe
(command: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\\dw20.exe)
No activity recorded for this process.
Process Name - sample.exe
(command: C:\Users\Administrator\sample.exe)
Process Activity
Child Process | Action
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\\dw20.exe,dw20.exe -x -s 192 | Create
File Activity
File | Action | Size(B) | File Type | Hash
C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT | Create | 108840 | unknown | md5:97d492b140588aeb62f229bd889f9cd1 sha1:2c03e725082f659f6fc2c2cbe6dd2f764383fddf sha256:4b1c3959300a9019199f8f6de51844741be95e5461b0b187e23f65d2096515b2
Registry Activity
Registry Key | Value | Action
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default | | Create
Created Mutexes
Mutex Name
Global\.net data provider for sqlserver
Global\.net data provider for oracle
Global\.net clr networking
Event Timeline
1 Created Process C:\Users\Administrator\sample.exe
2 Created file C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
3 Created mutex Global\.net data provider for sqlserver
4 Created mutex Global\.net data provider for sqlserver
5 Created mutex Global\.net data provider for sqlserver
6 Created mutex Global\.net data provider for sqlserver
7 Created mutex Global\.net data provider for sqlserver
8 Created mutex Global\.net data provider for sqlserver
9 Created mutex Global\.net data provider for sqlserver
10 Created mutex Global\.net data provider for sqlserver
11 Created mutex Global\.net data provider for sqlserver
12 Created mutex Global\.net data provider for sqlserver
13 Created mutex Global\.net data provider for sqlserver
14 Created mutex Global\.net data provider for oracle
15 Created mutex Global\.net data provider for oracle
16 Created mutex Global\.net data provider for oracle
17 Created mutex Global\.net data provider for oracle
18 Created mutex Global\.net data provider for oracle
19 Created mutex Global\.net data provider for oracle
20 Created mutex Global\.net data provider for oracle
21 Created mutex Global\.net data provider for oracle
22 Created mutex Global\.net data provider for oracle
23 Created mutex Global\.net data provider for oracle
24 Created mutex Global\.net data provider for oracle
25 Created mutex Global\.net clr networking
26 Created mutex Global\.net clr networking
27 Created mutex Global\.net clr networking
28 Created mutex Global\.net clr networking
29 Created mutex Global\.net clr networking
30 Created mutex Global\.net clr networking
31 Created mutex Global\.net clr networking
32 Created mutex Global\.net clr networking
33 Created mutex Global\.net clr networking
34 Created mutex Global\.net clr networking
35 Created mutex Global\.net clr networking
36 Created Process C:\Windows\Microsoft.NET\Framework64\v2.0.50727\\dw20.exe