SHA256: bdf243b7a296f7aecc366c799e3fb865ee3aff7c72d8d942e2b2632a347fe5c3
I downloaded this sample from Malshare.
I started by decoding the PE hex to a text file and found that the PE file has another file embedded in it, which will be dropped on execution.

Filename: help.exe
SHA256: 837bef64239be017a2aac92852576efc7d84774d90f64e9d69c5cc3a2b4ecce4
It also drops Autoexec.bat.exe and Autoexec.exe files at the C:\ location. (But it didn’t drop these files; instead it dropped AutoRun.INF and AutoRun.exe.)


I also found the computer username emartinez in the path to the PDB file, which means this file must have been compiled on a machine under this user account.

I also found the username janettedoe in another path, to startup programs.
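A way to pull both kinds of path out of a binary automatically, as an added example that is not part of the original analysis: it reads the CodeView `RSDS` record that holds the PDB path and scans ASCII and UTF-16LE strings for user-profile prefixes. The sample bytes, the account names `exampleuser` and `otheruser`, and the function names are constructed for illustration.

```python
import re
import struct

# CodeView record: "RSDS", 16-byte GUID, 4-byte age, NUL-terminated PDB path
RSDS = re.compile(rb"RSDS(.{16})(.{4})([\x20-\x7e]{1,260})\x00", re.DOTALL)
# Profile prefixes that embed an account name
PROFILE = re.compile(r'(?i)[a-z]:\\(?:users|documents and settings)\\([^\\/:*?"<>|]+)\\')

def pdb_paths(data):
    """Return every PDB path stored in an RSDS debug record."""
    return [m.group(3).decode("ascii") for m in RSDS.finditer(data)]

def printable_strings(data, min_len=6):
    """Yield ASCII and UTF-16LE strings, like the `strings` tool."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.group().decode("utf-16le")

def leaked_usernames(data):
    """Map each account name found in a profile path to the paths holding it."""
    users = {}
    for s in printable_strings(data):
        for m in PROFILE.finditer(s):
            users.setdefault(m.group(1), set()).add(s)
    return users

# Constructed sample: fake header bytes, one RSDS record, one UTF-16LE path
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"RSDS" + bytes(range(16)) + struct.pack("<I", 1)
    + b"C:\\Users\\exampleuser\\src\\dropper\\Release\\dropper.pdb\x00"
    + b"\x00" * 8
    + "C:\\Documents and Settings\\otheruser\\Start Menu\\Programs\\Startup\\example.lnk".encode("utf-16le")
    + b"\x00\x00"
)

if __name__ == "__main__":
    for path in pdb_paths(SAMPLE):
        print("PDB path:", path)
    for user, paths in sorted(leaked_usernames(SAMPLE).items()):
        print("account:", user, "in", sorted(paths))
```

Strings recovered this way are written at build time and can be altered afterwards, so they are most useful for clustering related samples.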

I executed this PE file for dynamic analysis. I found that this file dropped Helpme.exe and AutoRun.INF at the same locations I had seen in the hex code.
Files Dropped:
- C:\Windows\System32\HelpMe.exe
- C:\AutoRun.INF
- C:\AutoRun.exe

AUTORUN.INF file at location C:\
The AUTORUN.INF file executes the AutoRun.exe executable.


Another executable was dropped at the locations below:
C:\$Recycle.Bin\S-1-5-18
C:\$Recycle.Bin\S-1-5-21-3461203602-4096304019-2269080069-100


I renamed the C:\$Recycle.Bin\S-1-5-18\desktop.ini file to desktop.ini.exe and double-clicked it to execute it. It gave the error: Cannot create file “C:\Windows\System32\HelpMe.exe”

Then I executed the desktop.ini.exe file with administrative privileges (before executing this file I had commented the AutoRun.exe file at location C:\), and this file executed C:\Windows\System32\HelpMe.exe, which dropped the file AutoRun.exe at location C:\.

I disassembled the AutoRun.exe file and found that it creates the file Soft.lnk, which again has a path to execute HelpMe.exe on Windows startup.

The soft.lnk file has the comment "Stone, I hate you!" and its target is set to execute AUTORUN.INF.exe.

No internet connectivity from this malware was tested, as this analysis was done offline.