Summary
Files detected as Mal/CryptBox-A have been generically identified as malware.
Detailed analysis
Example behaviors of Mal/CryptBox-A follow:
Example 1
Other vendor detection
- Avira: TR/Dropper.Gen
- Kaspersky: Trojan-Downloader.Win32.Injecter.bca
Runtime Analysis
Copies Itself To
- C:\WINDOWS\system32\daemon.exe
- F:/RECYCLER/S-1-6-21-2434476521-1645641927-702000330-1542/redmond.exe
Dropped Files
- C:\WINDOWS\system32\daemonhelper.exe
- F:/RECYCLER/S-1-6-21-2434476521-1645641927-702000330-1542/Desktop.ini
- F:/autorun.inf
Registry Keys Created
- HKCU\Software\Microsoft\Internet Explorer\Download
  - RunInvalidSignatures = no
- HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  - C:\WINDOWS\system32\daemon.exe = C:\WINDOWS\system32\daemon.exe:*:Enabled:Explorer
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper
  - t = 22
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - Daemon Tools = C:\WINDOWS\system32\daemon.exe
Registry Keys Modified
- HKCU\Software\Microsoft\Internet Explorer\Download
  - CheckExeSignatures = 0x00000001
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
  - LowRiskFileTypes = .zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.bat;.cmd;.pif;.scr;.mov;.mp3;.wav
HTTP Requests
- http://whatismyip.com/automation/n09230945.asp
DNS Requests
- bogus.com
- test.com
- wibble.com
- www.whatismyip.com
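The removable-drive footprint in Example 1 (an autorun.inf in the drive root and an executable under a RECYCLER subfolder) can be checked offline. The script below is an added example and not part of the original analysis or Sophos's tooling: it builds two constructed drive roots in a temporary directory, one reproducing the F:/ layout above and one clean, and reports the indicators. Only the path names come from the page; the autorun.inf and Desktop.ini contents, the placeholder executable bytes and the clean drive's SID are assumptions. The SID check rests on the fact that a real Recycle Bin subfolder is named after the owning account SID, which on a workstation or domain member starts S-1-5-21; the observed S-1-6-21 prefix uses a different identifier authority and is not a user account.

```python
"""Check a removable-drive root for the autorun.inf + RECYCLER pattern seen in
Example 1. Constructed demo: two fake drive roots are built in a temp dir
(paths from the page; file contents are assumptions, not the sample's)."""
import configparser
import re
import tempfile
from pathlib import Path

# A real Recycle Bin subfolder is named after the owning account SID, which on a
# workstation or domain member is S-1-5-21-<three subauthorities>-<RID>. The
# observed folder name uses identifier authority 6, which no user account has.
USER_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$", re.I)
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")  # autorun.inf keys that run a file
EXEC_EXT = {".exe", ".scr", ".pif", ".cmd", ".bat", ".com"}
SID_DIR = "S-1-6-21-2434476521-1645641927-702000330-1542"  # folder name as observed on F:/
RECYCLE_BIN_INI = "[.ShellClassInfo]\nCLSID={645FF040-5081-101B-9F08-00AA002F954E}\n"  # assumed content


def parse_autorun(path: Path) -> dict[str, str]:
    """Return lowercased key -> value from the [autorun] section ({} if unparsable)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(path.read_text(errors="replace"))
    except configparser.Error:
        return {}
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k.lower(): v for k, v in cp.items(section)}
    return {}


def scan_drive_root(root: Path) -> list[str]:
    """Return findings for one drive root; an empty list means nothing suspicious."""
    findings: list[str] = []
    autorun = root / "autorun.inf"
    if autorun.is_file():
        for key, target in parse_autorun(autorun).items():
            if key in LAUNCH_KEYS:
                findings.append(f"autorun.inf {key}={target}")
                if "recycler" in target.lower():
                    findings.append(f"autorun.inf {key} points into RECYCLER")
    recycler = root / "RECYCLER"
    if recycler.is_dir():
        for sub in sorted(p for p in recycler.iterdir() if p.is_dir()):
            if not USER_SID.match(sub.name):
                findings.append(f"RECYCLER subfolder is not a user SID: {sub.name}")
            for f in sorted(sub.iterdir()):
                if f.suffix.lower() in EXEC_EXT:
                    findings.append(f"executable inside RECYCLER: {f.relative_to(root).as_posix()}")
    return findings


def build_demo(base: Path) -> dict[str, Path]:
    """Create an 'F' root mirroring the observed layout and a clean 'G' root (both constructed)."""
    infected = base / "F"
    dropper_dir = infected / "RECYCLER" / SID_DIR
    dropper_dir.mkdir(parents=True)
    (dropper_dir / "redmond.exe").write_bytes(b"MZ" + b"\0" * 62)  # placeholder bytes, not the sample
    (dropper_dir / "Desktop.ini").write_text(RECYCLE_BIN_INI)
    (infected / "autorun.inf").write_text(
        "[autorun]\n"
        f"open=RECYCLER\\{SID_DIR}\\redmond.exe\n"
        f"shellexecute=RECYCLER\\{SID_DIR}\\redmond.exe\n"
        "icon=%SystemRoot%\\system32\\shell32.dll,4\n"
    )
    clean = base / "G"
    bin_dir = clean / "RECYCLER" / "S-1-5-21-1004336348-1177238915-682003330-1004"  # assumed user SID
    bin_dir.mkdir(parents=True)
    (bin_dir / "INFO2").write_bytes(b"\x05\0\0\0")  # normal recycle-bin index file
    (bin_dir / "desktop.ini").write_text(RECYCLE_BIN_INI)
    return {"F": infected, "G": clean}


def run_demo() -> dict[str, list[str]]:
    """Build the demo roots in a temporary directory and scan both."""
    with tempfile.TemporaryDirectory() as tmp:
        roots = build_demo(Path(tmp))
        return {name: scan_drive_root(root) for name, root in roots.items()}


if __name__ == "__main__":
    for drive, findings in run_demo().items():
        print(f"{drive}: {findings or ['clean']}")
```

To use it against a real drive, call scan_drive_root(Path("F:/")) from a Windows host; the executable check is deliberately broad, because a legitimate Recycle Bin subfolder contains only INFO2, desktop.ini and Dc*-named deleted items, never a plainly named .exe.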
Example 2
Other vendor detection
- Avira: TR/Dropper.Gen
- Kaspersky: Trojan-Downloader.Win32.Injecter.bca
Runtime Analysis
Registry Keys Created
- HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{F3Q02IS2-6ANW-8U8F-8M0X-84FTUA1U75PS}
  - StubPath = "c:\sample.exe"
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  - Microsoft Enterprise Manager = c:\sample.exe
- HKCU\Software\Microsoft\Windows NT\CurrentVersion
  - (Default) = h1U}mfybi,kxl
Registry Keys Modified
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  - Userinit = C:\WINDOWS\system32\userinit.exe,"c:\sample.exe",
DNS Requests
Example 3
Other vendor detection
- Avira: TR/Dropper.Gen
- Kaspersky: Trojan-Downloader.Win32.Injecter.bca
- Trend: WORM_SPYBOT.MLA
Runtime Analysis
Copies Itself To
- C:\WINDOWS\system32\msmg.exe
- F:/RECYCLER/S-1-6-21-2434476521-1645641927-702000330-1542/volume.exe
Dropped Files
- F:/RECYCLER/S-1-6-21-2434476521-1645641927-702000330-1542/Desktop.ini
  - Size: 63 bytes
  - SHA-1: e724f5cadcfb550fa11d85df3ea4cece9ac1ae60
  - MD5: f0dff782993722f33f8a51016476f786
  - CRC-32: bf490c12
  - File type: application/octet-stream
  - First seen: 2010-09-14
- F:/autorun.inf
- C:\WINDOWS\system32\retinascan.exe
- C:\Documents and Settings\support\Local Settings\Temp\Message
Registry Keys Created
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
  - libqthread22 = 22
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - Messenger Gateway = C:\WINDOWS\system32\msmg.exe
- HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  - C:\WINDOWS\system32\msmg.exe = C:\WINDOWS\system32\msmg.exe:*:Enabled:Explorer
- HKCU\Software\Microsoft\Internet Explorer\Download
  - RunInvalidSignatures = no
Registry Keys Modified
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
  - LowRiskFileTypes = .zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.bat;.cmd;.pif;.scr;.mov;.mp3;.wav
- HKCU\Software\Microsoft\Internet Explorer\Download
  - CheckExeSignatures = 0x00000001
HTTP Requests
- http://whatismyip.com/automation/n09230945.asp
DNS Requests
- 255.255.255.255.in-addr.arpa
- bogus.com
- test.com
- wibble.com
- www.whatismyip.com
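The registry changes across the three examples fall into three groups: autostart entries (the Run and Policies\Explorer\Run keys, an Active Setup StubPath, and an extra program appended to the Winlogon Userinit chain), a Windows Firewall exception for the dropped binary, and two Internet Explorer download-hardening bypasses (LowRiskFileTypes widened to cover executable types, and the CheckExeSignatures / RunInvalidSignatures values changed). The script below is an added example and not part of the original page or Sophos's tooling: it parses a regedit .reg export and flags each of those conditions. SAMPLE_REG is constructed here to reproduce the page's entries in export syntax (it is not an export taken from an infected host), and the defaults it compares against (a single userinit.exe entry, CheckExeSignatures = yes, RunInvalidSignatures = 0) are the standard Windows values. The Active Setup component ID {F3Q02IS2-6ANW-8U8F-8M0X-84FTUA1U75PS} contains non-hexadecimal characters and so cannot be a real GUID; the script uses that as its detection hook.

```python
"""Audit a regedit (.reg) export for the persistence and bypass entries listed
above. SAMPLE_REG is constructed to mirror the page's entries in export syntax;
it is not an export taken from an infected host."""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Daemon Tools"="C:\\WINDOWS\\system32\\daemon.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\daemon.exe"="C:\\WINDOWS\\system32\\daemon.exe:*:Enabled:Explorer"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.bat;.cmd;.pif;.scr;.mov;.mp3;.wav"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"=dword:00000001
"RunInvalidSignatures"="no"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{F3Q02IS2-6ANW-8U8F-8M0X-84FTUA1U75PS}]
"StubPath"="\"c:\\sample.exe\""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Microsoft Enterprise Manager"="c:\\sample.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,\"c:\\sample.exe\","
'''

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU", "HKEY_USERS": "HKU"}
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')  # "name"=data or @=data
# Active Setup component IDs are GUIDs; a leading ">" is a legitimate Windows convention.
GUID_RE = re.compile(r"^>?\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
AUTOSTART_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\policies\explorer\run",
    r"hkcu\software\microsoft\windows\currentversion\policies\explorer\run",
}
FIREWALL_LIST = (r"hklm\system\currentcontrolset\services\sharedaccess\parameters"
                 r"\firewallpolicy\standardprofile\authorizedapplications\list")
ACTIVE_SETUP = "hklm\\software\\microsoft\\active setup\\installed components\\"
WINLOGON = r"hklm\software\microsoft\windows nt\currentversion\winlogon"
EXEC_EXT = {".exe", ".bat", ".cmd", ".pif", ".scr", ".reg", ".msi"}


def unescape(s: str) -> str:
    """Undo .reg escaping of backslashes and double quotes."""
    return re.sub(r"\\(.)", r"\1", s)


def decode_value(data: str) -> str:
    """Strings are unescaped, DWORDs rendered as 0x%08x, other types left raw."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return unescape(data[1:-1])
    if data.lower().startswith("dword:"):
        return f"0x{int(data[6:], 16):08x}"
    return data


def parse_reg(text: str) -> dict[str, dict[str, str]]:
    """Map abbreviated key path (HKLM\\...) -> {value name: decoded data}."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            current = keys.setdefault(HIVES.get(hive.upper(), hive) + "\\" + rest, {})
            continue
        m = VALUE_RE.match(line)  # header, blank and ';' comment lines simply do not match
        if m and current is not None:
            name = "(Default)" if m.group(2) else unescape(m.group(1))
            current[name] = decode_value(m.group(3))
    return keys


def audit(keys: dict[str, dict[str, str]]) -> list[str]:
    """One finding per suspicious entry; an empty list means nothing matched."""
    out: list[str] = []
    for key, vals in keys.items():
        k = key.lower()
        if k in AUTOSTART_KEYS:
            out += [f"autostart {key}\\{n} -> {d}" for n, d in vals.items()]
        elif k.startswith(ACTIVE_SETUP) and "StubPath" in vals:
            comp = key.rsplit("\\", 1)[1]
            if not GUID_RE.match(comp):
                out.append(f"Active Setup StubPath under non-GUID component {comp} -> {vals['StubPath']}")
        elif k == WINLOGON:
            chain = [p.strip(' "') for p in vals.get("Userinit", "").split(",") if p.strip()]
            if len(chain) > 1 or (chain and not chain[0].lower().endswith("\\userinit.exe")):
                out.append(f"Winlogon Userinit altered: {vals['Userinit']}")
        elif k == FIREWALL_LIST:
            out += [f"firewall exception for {n}" for n, d in vals.items() if ":enabled:" in d.lower()]
        elif k.endswith("\\policies\\associations"):
            risky = sorted(EXEC_EXT & {e.strip().lower() for e in vals.get("LowRiskFileTypes", "").split(";")})
            if risky:
                out.append(f"LowRiskFileTypes marks executables low-risk: {';'.join(risky)}")
        elif k.endswith("\\internet explorer\\download"):
            # Documented defaults: CheckExeSignatures "yes" (REG_SZ), RunInvalidSignatures 0 (DWORD).
            if vals.get("CheckExeSignatures", "yes").lower() != "yes":
                out.append(f"IE CheckExeSignatures = {vals['CheckExeSignatures']} (default yes)")
            if vals.get("RunInvalidSignatures", "0x00000000") != "0x00000000":
                out.append(f"IE RunInvalidSignatures = {vals['RunInvalidSignatures']} (default 0)")
    return out


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print(finding)
```

On a live host, export the relevant keys with `reg export` (for example `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg`) and read the file with encoding="utf-16", since regedit writes UTF-16 with a byte-order mark; the parser only handles REG_SZ and REG_DWORD data, which is all these indicators need.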