0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 2 VT Community user(s) with a total of 9299 reputation credit(s) say(s) this sample is malware.
File name:
sis.exe
Submission date:
2011-10-17 16:32:04 (UTC)
Current status:
queued
VT Community verdict: malware
Safety score: 0.0%
Additional information
MD5   : 2287f555bc5e0e432b12433015d6bdce
SHA1  : a9f10f29a65bd6503843fa7cfb4914917f1644f1
SHA256: 8b882cebe0a2207e216429fd26e0b269dee2a32f4789fe3af2b3b0c9a908eef4
File size : 466432 bytes
First seen: 2011-10-17 16:32:04
Last seen : 2011-10-17 16:32:04

VT Community

User:
SATINFO
Reputation:
3186 credits
Comment date:
2011-10-05 15:02:09 (UTC)
malware under monitoring

www.satinfo.es
Tags: Malware, jorik, fakealert, 371288
User:
SATINFO
Reputation:
3186 credits
Comment date:
2011-10-05 16:01:55 (UTC)
VARIANT OF FAKE TOOL DATA RESTORE

CONTROLLED FROM ELISTARA 24.02 ONWARD

www.satinfo.es
User:
unixfreaxjp
Reputation:
6113 credits
Comment date:
2011-10-17 08:42:23 (UTC)
This is a Trojan Fake Alert/Fraud with the file SIS.EXE.
For the detailed analysis please see the URL below:
[code] http://unixfreaxjp.blogspot.com/2011/10/trojanfakefraud-sysexe.html [/code]

-----
Zero Day Japan http://0day.jp
Malware/Security Blog: http://unixfreaxjp.blogspot.com
Twitter: @unixfreaxjp
Hendrik ADRIAN (アドリアン ヘンドリック)
Tags: Malware, SpamAttachmentOrLink, DriveByDownload, jorik, fakealert, 371288
User:
unixfreaxjp
Reputation:
6113 credits
Comment date:
2011-10-17 09:17:34 (UTC)
Analysis:
[code]=================================
MALWARE BINARY ANALYSIS:
=================================
This malware has the below suspicious points:
1. Claimed CRC and Actual CRC are different:
-----------------------------------------------------------
Claimed: 514,930 Actual: 516,950
-----------------------------------------------------------

2. Found Interesting System Calls Made:
-----------------------------------------------------------
0x40626c GetCurrentProcess
0x406280 GetTickCount
0x4062b8 CloseHandle
-----------------------------------------------------------

3. Displaying Online Behaviour
-----------------------------------------------------------
Remote Host Port Number
193.105.154.22 80
and getting the reply as follows (during BEHAVIOR TEST)
==> http://quick-411054.com/404.php?type=stats&affid=574&subid=01&iruns
-----------------------------------------------------------

4. Read registry below:
-----------------------------------------------------------
Key Name Value Times
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager CriticalSectionTimeout 2592000 1
HKLM\System\CurrentControlSet\Control\Terminal Server TSAppCompat 0 1
-----------------------------------------------------------

5. The suspicious entropy:
-----------------------------------------------------------
Entropy 7.66691205108
Name: .HFJAG
Misc: 0x19C0E
Misc_PhysicalAddress: 0x19C0E
Misc_VirtualSize: 0x19C0E
VirtualAddress: 0x8000
SizeOfRawData: 0x19E00
PointerToRawData: 0x5A00
PointerToRelocations: 0x0
PointerToLinenumbers: 0x0
NumberOfRelocations: 0x0
NumberOfLinenumbers: 0x0
Characteristics: 0xC0000040

Entropy 7.75132488655
Name: .HAGSJ
Misc: 0x19C0B
Misc_PhysicalAddress: 0x19C0B
Misc_VirtualSize: 0x19C0B
VirtualAddress: 0x23000
SizeOfRawData: 0x19E00
PointerToRawData: 0x1FA00
PointerToRelocations: 0x0
PointerToLinenumbers: 0x0
NumberOfRelocations: 0x0
NumberOfLinenumbers: 0x0
Characteristics: 0xC0000040

Entropy 0.554430923355
Name: .81777
Misc: 0x86
Misc_PhysicalAddress: 0x86
Misc_VirtualSize: 0x86
VirtualAddress: 0x3D000
SizeOfRawData: 0x200
PointerToRawData: 0x39800
PointerToRelocations: 0x0
PointerToLinenumbers: 0x0
NumberOfRelocations: 0x0
NumberOfLinenumbers: 0x0
Characteristics: 0xC0000040

Entropy 7.74746338576
Name: .JA132
Misc: 0x19C0B
Misc_PhysicalAddress: 0x19C0B
Misc_VirtualSize: 0x19C0B
VirtualAddress: 0x3E000
SizeOfRawData: 0x19E00
PointerToRawData: 0x39A00
PointerToRelocations: 0x0
PointerToLinenumbers: 0x0
NumberOfRelocations: 0x0
NumberOfLinenumbers: 0x0
Characteristics: 0xC0000040

Entropy 7.74600125866
Name: .5a46
Misc: 0x19C0B
Misc_PhysicalAddress: 0x19C0B
Misc_VirtualSize: 0x19C0B
VirtualAddress: 0x58000
SizeOfRawData: 0x19E00
PointerToRawData: 0x53800
PointerToRelocations: 0x0
PointerToLinenumbers: 0x0
NumberOfRelocations: 0x0
NumberOfLinenumbers: 0x0
Characteristics: 0xC0000040
-----------------------------------------------------------

6. All DLLs & Calls:
-----------------------------------------------------------
[IMAGE_IMPORT_DESCRIPTOR]
OriginalFirstThunk: 0x6388
Characteristics: 0x6388
TimeDateStamp: 0xFFFFFFFF [Sun Feb 07 06:28:15 2106 UTC]
ForwarderChain: 0xFFFFFFFF
Name: 0x6470
FirstThunk: 0x6200
msvcrt.dll._controlfp Hint[214] Bound: 0x00006200
msvcrt.dll._except_handler3 Hint[237] Bound: 0x00006204
msvcrt.dll.__set_app_type Hint[152] Bound: 0x00006208
msvcrt.dll.__p__fmode Hint[133] Bound: 0x0000620C
msvcrt.dll.__p__commode Hint[128] Bound: 0x00006210
msvcrt.dll._adjust_fdiv Hint[182] Bound: 0x00006214
msvcrt.dll.__setusermatherr Hint[154] Bound: 0x00006218
msvcrt.dll._initterm Hint[315] Bound: 0x0000621C
msvcrt.dll._acmdln Hint[168] Bound: 0x00006220
msvcrt.dll.exit Hint[656] Bound: 0x00006224
msvcrt.dll._cexit Hint[200] Bound: 0x00006228
msvcrt.dll._XcptFilter Hint[78] Bound: 0x0000622C
msvcrt.dll._exit Hint[246] Bound: 0x00006230
msvcrt.dll._c_exit Hint[197] Bound: 0x00006234
msvcrt.dll.??2@YAPAXI@Z Hint[17] Bound: 0x00006238
msvcrt.dll.??3@YAXPAX@Z Hint[18] Bound: 0x0000623C
msvcrt.dll.__getmainargs Hint[109] Bound: 0x00006240
msvcrt.dll.wcstok Hint[822] Bound: 0x00006244
msvcrt.dll._wtol Hint[628] Bound: 0x00006248

[IMAGE_IMPORT_DESCRIPTOR]
OriginalFirstThunk: 0x63D8
Characteristics: 0x63D8
TimeDateStamp: 0xFFFFFFFF [Sun Feb 07 06:28:15 2106 UTC]
ForwarderChain: 0xFFFFFFFF
Name: 0x6582
FirstThunk: 0x6250
ADVAPI32.dll.RegOpenKeyExW Hint[485] Bound: 0x00006250
ADVAPI32.dll.RegCloseKey Hint[458] Bound: 0x00006254
ADVAPI32.dll.AllocateAndInitializeSid Hint[29] Bound: 0x00006258
ADVAPI32.dll.ImpersonateSelf Hint[56] Bound: 0x0000625C
ADVAPI32.dll.FreeSid Hint[225] Bound: 0x00006260
ADVAPI32.dll.RegQueryValueExW Hint[495] Bound: 0x00006264

[IMAGE_IMPORT_DESCRIPTOR]
OriginalFirstThunk: 0x63F4
Characteristics: 0x63F4
TimeDateStamp: 0xFFFFFFFF [Sun Feb 07 06:28:15 2106 UTC]
ForwarderChain: 0xFFFFFFFF
Name: 0x65FD
FirstThunk: 0x626C
KERNEL32.dll.GetCurrentProcess Hint[315] Bound: 0x0000626C
KERNEL32.dll.TerminateProcess Hint[842] Bound: 0x00006270
KERNEL32.dll.GetSystemTimeAsFileTime Hint[448] Bound: 0x00006274
KERNEL32.dll.GetCurrentProcessId Hint[316] Bound: 0x00006278
KERNEL32.dll.GetCurrentThreadId Hint[318] Bound: 0x0000627C
KERNEL32.dll.GetTickCount Hint[468] Bound: 0x00006280
KERNEL32.dll.UnhandledExceptionFilter Hint[859] Bound: 0x00006284
KERNEL32.dll.GetCommandLineW Hint[266] Bound: 0x00006288
KERNEL32.dll.InterlockedDecrement Hint[540] Bound: 0x0000628C
KERNEL32.dll.GetModuleHandleW Hint[377] Bound: 0x00006290
KERNEL32.dll.FormatMessageW Hint[236] Bound: 0x00006294
KERNEL32.dll.GetLastError Hint[360] Bound: 0x00006298
KERNEL32.dll.LocalFree Hint[590] Bound: 0x0000629C
KERNEL32.dll.ExpandEnvironmentStringsW Hint[186] Bound: 0x000062A0
KERNEL32.dll.CreateProcessW Hint[102] Bound: 0x000062A4
KERNEL32.dll.SetUnhandledExceptionFilter Hint[822] Bound: 0x000062A8
KERNEL32.dll.GetModuleHandleA Hint[374] Bound: 0x000062AC
KERNEL32.dll.GetStartupInfoA Hint[430] Bound: 0x000062B0
KERNEL32.dll.QueryPerformanceCounter Hint[660] Bound: 0x000062B4
KERNEL32.dll.CloseHandle Hint[49] Bound: 0x000062B8
KERNEL32.dll.InterlockedIncrement Hint[544] Bound: 0x000062BC

[IMAGE_IMPORT_DESCRIPTOR]
OriginalFirstThunk: 0x644C
Characteristics: 0x644C
TimeDateStamp: 0xFFFFFFFF [Sun Feb 07 06:28:15 2106 UTC]
ForwarderChain: 0xFFFFFFFF
Name: 0x67CC
FirstThunk: 0x62C4
USER32.dll.DestroyIcon Hint[150] Bound: 0x000062C4
USER32.dll.LoadIconW Hint[444] Bound: 0x000062C8

[IMAGE_IMPORT_DESCRIPTOR]
OriginalFirstThunk: 0x6458
Characteristics: 0x6458
TimeDateStamp: 0xFFFFFFFF [Sun Feb 07 06:28:15 2106 UTC]
ForwarderChain: 0xFFFFFFFF
Name: 0x67F3
FirstThunk: 0x62D0
ole32.dll.CoUninitialize Hint[104] Bound: 0x000062D0
ole32.dll.CoInitialize Hint[58] Bound: 0x000062D4
ole32.dll.CoCreateInstance Hint[16] Bound: 0x000062D8

SHLWAPI.dll Ordinal[219] (Imported by Ordinal) Bound: 0x000062E0
-----------------------------------------------------------

=================================
MALWARE BEHAVIOR ANALYSIS:
=================================
7. Program does not terminate itself (stays alive as a daemon, leaving its name in the process list)
8. It asks for a connection to the remote site as explained above, and it brings you to register your personal information at the remote site, popping up the browser at the registration page shown in the picture URL below:
-----------------------------------------------------------
https://lh6.googleusercontent.com/-4JLlY3NL4iA/TpvrZwKnYDI/AAAAAAAACog/3j5IMw5Rkm8/s481/005.jpg
-----------------------------------------------------------
[/code]

-----
Zero Day Japan http://0day.jp
Malware/Security Blog: http://unixfreaxjp.blogspot.com
Twitter: @unixfreaxjp
Hendrik ADRIAN (アドリアン ヘンドリック)
Tags: jorik, fakealert, 371288

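Point 5 of the analysis above rests on per-section entropy: four writable sections with Characteristics 0xC0000040 sit near 7.7 bits per byte, the signature of packed or encrypted payload data. As an added example (not part of the comment, nor VirusTotal's or the analyst's tooling), the Python below walks a PE section table and computes that entropy itself; the PE it runs on is constructed inline, with the section names, the 7.0 threshold and the build helper being this example's own assumptions.

```python
import hashlib, math, struct
from collections import Counter

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PtrRelocs, PtrLinenums, NumRelocs, NumLinenums, Characteristics
SECTION_HDR = "<8sIIIIIIHHI"
IMAGE_SCN_MEM_WRITE = 0x80000000
PACKED_THRESHOLD = 7.0  # bits/byte; compressed or encrypted data sits near 8.0

def shannon_entropy(data: bytes) -> float:
    # 0.0 for empty or constant data, 8.0 for a uniform byte distribution
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_sections(pe: bytes) -> list:
    # DOS header -> e_lfanew -> "PE\0\0" -> COFF header -> section table
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    out = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, *_, chars = struct.unpack_from(SECTION_HDR, pe, table + 40 * i)
        ent = shannon_entropy(pe[rawptr:rawptr + rawsize])
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "virtual_size": vsize,
                    "virtual_address": vaddr, "raw_size": rawsize, "characteristics": chars,
                    "entropy": ent,  # writable + high entropy: the .HFJAG/.HAGSJ pattern above
                    "suspicious": ent > PACKED_THRESHOLD and bool(chars & IMAGE_SCN_MEM_WRITE)})
    return out

def build_sample_pe(sections) -> bytes:
    # Constructed minimal PE (no optional header) so the example runs offline
    e_lfanew, hdrs, body = 0x40, [], b""
    ptr = e_lfanew + 24 + 40 * len(sections)
    for i, (name, data, chars) in enumerate(sections):
        hdrs.append(struct.pack(SECTION_HDR, name.ljust(8, b"\0"), len(data), 0x1000 * (i + 1),
                                len(data), ptr, 0, 0, 0, 0, chars))
        body, ptr = body + data, ptr + len(data)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    return dos + b"PE\0\0" + coff + b"".join(hdrs) + body

# Constructed sample: a plain code section beside a writable, near-8-bit section with
# Characteristics 0xC0000040 (read | write | initialized data), as in the dump above
HIGH_ENTROPY = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))  # 8192 bytes
SAMPLE_PE = build_sample_pe([(b".text", b"\x55\x8b\xec" * 200 + b"\xc3", 0x60000020),
                             (b".HFJAG", HIGH_ENTROPY, 0xC0000040)])
```

Run `parse_sections(SAMPLE_PE)` to get one dict per section; on a real file, read the bytes and pass them in the same way.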