Examples of Mal/Dorkbot-K include:
Example 1
File Information
- Size: 351K
- SHA-1: 06c83f404735f1fa72f167ffa129a7f51b28da55
- MD5: 4ba0f06da605b01091b2fef75ae1c3ed
- CRC-32: 3257f7ea
- File type: Windows executable
- First seen: 2012-08-26
Other vendor detection
- Kaspersky: Trojan-Spy.Win32.Zbot.bopd
Runtime Analysis
Dropped Files
- c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.08.20T12.19\Virtual\SXS\Manifests\VmX.dll_0x8C9DF666D50A4D841E2DCEE9556484BF.2.manifest
- c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.08.20T12.19\Native\STUBEXE\@SYSTEM@\cmd.exe
  - Size: 17K
  - SHA-1: c303399405795700ed9ab71692fd219872537964
  - MD5: b2337715e2137fcff576a8ae159fdd02
  - CRC-32: 70ca1d54
  - File type: Windows executable
  - First seen: 2012-09-03
- c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.08.20T12.19\Virtual\XRegistry.tmp
- c:\Documents and Settings\test user\Application Data\Xafu\ixiv.tmp
  - Size: 315
  - SHA-1: 05e6637d36f95187114ed353c3ebc8d24ee52245
  - MD5: ba74b1f2ddbcebc1b1b27be81b4e0ed7
  - CRC-32: f686eb08
  - File type: application/octet-stream
  - First seen: 2012-11-17
- c:\Documents and Settings\test user\Application Data\Xafu\ixiv.xoz
  - Size: 477
  - SHA-1: 46659bf61b4a965db4f473fe248e0ac7278c6cae
  - MD5: de8e6342b8d30f31d56b96e4c1070c01
  - CRC-32: 4655a57d
  - File type: application/octet-stream
  - First seen: 2012-11-17
- c:\Documents and Settings\test user\Application Data\Ucucp\wufy.exe
  - Size: 138K
  - SHA-1: 5e33231cb86afba0999478b94929b6f2995794eb
  - MD5: cf2f2be06411a3f834a3280e2438ab5b
  - CRC-32: a13f9999
  - File type: application/x-ms-dos-executable
  - First seen: 2012-11-17
- c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.08.20T12.19\Virtual\SXS\Xenocode.VMX@1.0.0.0\Xenocode.VMX.manifest
- c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.08.20T12.19\Virtual\SXS\Xenocode.VMX@1.0.0.0\Xenocode.VMX@1.0.0.0.manifest
- c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.08.20T12.19\Native\STUBEXE\@APPDATA@\Ucucp\wufy.exe
  - Size: 17K
  - SHA-1: 77752789e17bb163d447fb3c7d7378fb275223b9
  - MD5: 88ba4603147112669ac867edc376c115
  - CRC-32: ed1627ec
  - File type: application/x-ms-dos-executable
  - First seen: 2012-11-17
Modified Files
- %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
- %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
- %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
Registry Keys Created
- HKCU\Software\Microsoft\Internet Explorer\Privacy
  - CleanCookies = 0x00000000
- HKCU\Software\Microsoft\Iqfa
  - Ukafc = (binary value, not rendered in the report)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  - {3181EA68-2764-A33A-EDD4-717780984E1E} = "c:\Documents and Settings\test user\Application Data\Ucucp\wufy.exe"
- HKCU\Identities
  - Identity Login = 0x00098053
Registry Keys Modified
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
  - 1609 = 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
  - 1609 = 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
  - 1609 = 0x00000000
- HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
  - Compact Check Count = 0x00000007
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
  - 1609 = 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
  - TimeStamp = aa 4b 68 23 1c c5 cd 01
Processes Created
- c:\Documents and Settings\test user\local settings\application data\xenocode\sandbox\1.0.0.0\2012.08.20t12.19\native\stubexe\@appdata@\ucucp\wufy.exe
- c:\Documents and Settings\test user\local settings\application data\xenocode\sandbox\1.0.0.0\2012.08.20t12.19\native\stubexe\@system@\cmd.exe
HTTP Requests
- http://grainmunch.pro/grain/config.bin
DNS Requests
Example 2
File Information
- Size: 351K
- SHA-1: 0f0b818caa45e75d2a6a1436d34e777aec594346
- MD5: 9572739d889233db298dd0cd524f8ffd
- CRC-32: 87691622
- File type: Windows executable
- First seen: 2012-08-05
Other vendor detection
- Kaspersky: Trojan-Spy.Win32.Zbot.bopd
Runtime Analysis
Dropped Files
- c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.07.19T06.20\Virtual\SXS\Xenocode.VMX@1.0.0.0\Xenocode.VMX.manifest
- c:\Documents and Settings\test user\Application Data\Eqzule\haic.gah
  - Size: 477
  - SHA-1: 173e7be266329ed28f518a9c5a5636ba13ed8f36
  - MD5: dc0f834d818c6d5b23106e18ac92afe0
  - CRC-32: c41c1d62
  - File type: application/octet-stream
  - First seen: 2012-11-18
- c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.07.19T06.20\Native\STUBEXE\@APPDATA@\Qalufu\umfea.exe
  - Size: 17K
  - SHA-1: c9cb71db677aba57df1d373ac831e9aa75f0d352
  - MD5: 2d7bf9b0f13aa97af95a75e0c4e78e84
  - CRC-32: 5b7f70fb
  - File type: application/x-ms-dos-executable
  - First seen: 2012-11-18
- c:\Documents and Settings\test user\Application Data\Eqzule\haic.tmp
  - Size: 315
  - SHA-1: a0a434b68ba45a402be6eb9f10a8fc654d5e6f20
  - MD5: c359e8fa56a2280b718deb7adf96de2f
  - CRC-32: 5f406b46
  - File type: application/octet-stream
  - First seen: 2012-11-18
- c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.07.19T06.20\Virtual\SXS\Manifests\VmX.dll_0x8C9DF666D50A4D841E2DCEE9556484BF.2.manifest
- c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2012.07.19T06.20\Virtual\SXS\Xenocode.VMX@1.0.0.0\Xenocode.VMX@1.0.0.0.manifest
- c:\Documents and Settings\test user\Application Data\Qalufu\umfea.exe
  - Size: 138K
  - SHA-1: af30c5ad40fa2ea92ee3c0ab542082c697911aa8
  - MD5: 53ffb3c862f02268874a37377a420fe1
  - CRC-32: db2467a0
  - File type: application/x-ms-dos-executable
  - First seen: 2012-11-18
Modified Files
- %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
- %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
- %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
Registry Keys Created
- HKCU\Identities
  - Identity Login = 0x00098053
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  - {DEB5F4A1-4BF0-9C17-7B46-C95CA45E9D17} = "c:\Documents and Settings\test user\Application Data\Qalufu\umfea.exe"
- HKCU\Software\Microsoft\Internet Explorer\Privacy
  - CleanCookies = 0x00000000
- HKCU\Software\Microsoft\Yfub
  - Voem = (binary value, not rendered in the report)
Registry Keys Modified
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
  - 1609 = 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
  - 1609 = 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
  - 1609 = 0x00000000
- HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
  - Compact Check Count = 0x00000007
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
  - 1609 = 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
  - TimeStamp = c2 3f 5d 97 1f c5 cd 01
Processes Created
- c:\Documents and Settings\test user\local settings\application data\xenocode\sandbox\1.0.0.0\2012.07.19t06.20\native\stubexe\@appdata@\qalufu\umfea.exe
- c:\windows\system32\cmd.exe
HTTP Requests
- http://plaingrovesource.net/techo/config.bin
DNS Requests
Example 3
File Information
- Size: 351K
- SHA-1: 1c33b468c47aed7c8ab7ac8b064e6cd9246fde43
- MD5: aeb41d05275ad4747621a2846576581e
- CRC-32: 12d807e1
- File type: Windows executable
- First seen: 2012-01-03
Other vendor detection
- Kaspersky: Trojan-Spy.Win32.Zbot.bopd
Runtime Analysis
Dropped Files
- c:\Documents and Settings\test user\Application Data\Orca\akwi.tmp
  - Size: 315
  - SHA-1: 396085aa8baef947e0b1e3ea3cf067f8e1548f89
  - MD5: 9783a1980b1966a442116b551a7999f7
  - CRC-32: ccac0cdf
  - File type: application/octet-stream
  - First seen: 2012-11-17
- c:\Documents and Settings\test user\Application Data\Orca\akwi.aha
  - Size: 477
  - SHA-1: 557d48877acbc8d430d0b9b9fb25b7cee4f418a4
  - MD5: 649bb49b2c16156ab88d8515e8ecb666
  - CRC-32: eb3c656a
  - File type: application/octet-stream
  - First seen: 2012-11-17
- c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2011.12.13T07.13\Virtual\SXS\Xenocode.VMX@1.0.0.0\Xenocode.VMX.manifest
- c:\Documents and Settings\test user\Application Data\Icpe\tosow.exe
  - Size: 138K
  - SHA-1: c57cecbd349d6556dadb08cbf5a95bab8a423c05
  - MD5: 1e5029df3062fdc1238d418f63be61aa
  - CRC-32: a4700ce7
  - File type: application/x-ms-dos-executable
  - First seen: 2012-11-17
- c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2011.12.13T07.13\Virtual\SXS\Xenocode.VMX@1.0.0.0\Xenocode.VMX@1.0.0.0.manifest
- c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2011.12.13T07.13\Virtual\SXS\Manifests\VmX.dll_0x8C9DF666D50A4D841E2DCEE9556484BF.2.manifest
- c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2011.12.13T07.13\Virtual\XRegistry.tmp
- c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2011.12.13T07.13\Native\STUBEXE\@APPDATA@\Icpe\tosow.exe
  - Size: 17K
  - SHA-1: 96f58c0df466d551ef068a626818f608595d02bf
  - MD5: f577f57b5f12f277b1d87106f7836cd7
  - CRC-32: 40b42e77
  - File type: application/x-ms-dos-executable
  - First seen: 2011-12-21
- c:\Documents and Settings\test user\Local Settings\Application Data\Xenocode\Sandbox\1.0.0.0\2011.12.13T07.13\Native\STUBEXE\@SYSTEM@\cmd.exe
  - Size: 17K
  - SHA-1: 44896ad95f9462690947a15b796a891c14af8ce2
  - MD5: 84ced7e9bcc8fa554c6e89a0d8f7fdb4
  - CRC-32: dd6814cf
  - File type: application/x-ms-dos-executable
  - First seen: 2012-01-22
Modified Files
- %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
- %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
- %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
Registry Keys Created
- HKCU\Software\Microsoft\Higeeh
  - Vyoqx = (binary value, not rendered in the report)
- HKCU\Software\Microsoft\Internet Explorer\Privacy
  - CleanCookies = 0x00000000
- HKCU\Identities
  - Identity Login = 0x00098053
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  - {B9BD555D-55DB-29AA-C758-B1E96AE4C954} = "c:\Documents and Settings\test user\Application Data\Icpe\tosow.exe"
Registry Keys Modified
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
  - 1609 = 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
  - 1609 = 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
  - 1609 = 0x00000000
- HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
  - Compact Check Count = 0x00000007
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
  - 1609 = 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
  - TimeStamp = ea f0 a1 ee 1d c5 cd 01
Processes Created
- c:\Documents and Settings\test user\local settings\application data\xenocode\sandbox\1.0.0.0\2011.12.13t07.13\native\stubexe\@appdata@\icpe\tosow.exe
- c:\Documents and Settings\test user\local settings\application data\xenocode\sandbox\1.0.0.0\2011.12.13t07.13\native\stubexe\@system@\cmd.exe
HTTP Requests
- http://80.82.64.71/~checking/launch/config.bin
IP Connections