Examples of Troj/Zbot-DKD include:
Example 1
File Information
- Size: 309K
- SHA-1: 2b4daf056af5e8793f5eb8e935c9ca1612bcd331
- MD5: 7039fcb560d64d53ae6d36aa3364e564
- CRC-32: 58ff57d3
- File type: application/x-ms-dos-executable
- First seen: 2012-12-30
Example 2
File Information
- Size: 309K
- SHA-1: e61caf8c217a11e7aac03a34275e49d48bdb9923
- MD5: 2e7890e8945f8ec95a41675efd458f5c
- CRC-32: a083804f
- File type: application/x-ms-dos-executable
- First seen: 2012-12-30
Runtime Analysis
Dropped Files
- c:\Documents and Settings\test user\Application Data\Ubugon\otil.tmp
  - Size: 563
  - SHA-1: bedfb4b6b9f832e2f3418eb5d15dc366615f3d06
  - MD5: e3c3454f82604eff29b98f563f45bd06
  - CRC-32: 22aa71e9
  - File type: application/octet-stream
  - First seen: 2012-12-30
- c:\Documents and Settings\test user\Application Data\Ubugon\otil.sou
  - Size: 477
  - SHA-1: 6f5da0a73d48a5b07ccc252d419e60788db8f2fd
  - MD5: a9b1b74ffdf7ea4e7a13a161a1f0f48b
  - CRC-32: 03e488d6
  - File type: application/octet-stream
  - First seen: 2012-12-30
- c:\Documents and Settings\test user\Application Data\Syox\cyzey.exe
  - Size: 309K
  - SHA-1: 2b4daf056af5e8793f5eb8e935c9ca1612bcd331
  - MD5: 7039fcb560d64d53ae6d36aa3364e564
  - CRC-32: 58ff57d3
  - File type: application/x-ms-dos-executable
  - First seen: 2012-12-30
Modified Files
- %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
- %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
- %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
Registry Keys Created
- HKCU\Software\Microsoft\Yhzyi
  - Zemuacke: (binary data)
- HKCU\Identities
  - Identity Login: 0x00098053
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  - {6A9A7B90-053B-D077-F2D7-684384E4AC04}: "c:\Documents and Settings\test user\Application Data\Syox\cyzey.exe"
- HKCU\Software\Microsoft\Internet Explorer\Privacy
  - CleanCookies: 0x00000000
Registry Keys Modified
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
  - 1609: 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
  - TimeStamp: de cb 4d c4 3d e6 cd 01
- HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
  - Compact Check Count: 0x00000008
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
  - 1609: 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
  - 1609: 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
  - 1609: 0x00000000
Processes Created
- c:\Documents and Settings\test user\application data\syox\cyzey.exe
- c:\windows\system32\cmd.exe
HTTP Requests
- http://www.google.com/webhp
- http://www.whitecrossproperties.co.uk/wp-content/plugins/akismet/ans/server/format.bin
DNS Requests
- www.google.com
- www.whitecrossproperties.co.uk