Sunday, June 12, 2011

【False Positive Handling】 Japanese "AYAKASHIBITO" game's update software [CASE CLOSED]

The body of this post is written in English. Since this is a false positive case, and many Japanese software packages have been producing false positives, I wrote up the details as a reference for the various antivirus vendors.
Latest status report (Fri Jun 17 12:14:32 JST 2011):
After going through the false positive reporting procedure, the following antivirus vendors have now confirmed that this case is not malware:
AhnLab-V3、AntiVir、Antiy-AV、Avast、Avast5、AVG、ClamAV
Commtouch、DrWeb、eTrust-Vet、F-Prot、Fortinet、Jiangmin
Kaspersky、Microsoft、NOD32、PCTools、Prevx、Sophos
SUPERAntiSpyware、Symantec、VIPRE
Proof: VirusTotal scan result
Handling of this case is now closed.
Last update on this case (Fri Jun 17 12:14:32 JST 2011)
First of all, thank you to all the malware researchers who helped to prove this case a false positive; your cooperation is greatly appreciated. Thank you also to the AV makers for responding and correcting the scan results for this false positive.
After further analysis, the following AV makers have agreed to judge the current sample as GOODWARE:
AhnLab-V3、AntiVir、Antiy-AV、Avast、Avast5、AVG、ClamAV
Commtouch、DrWeb、eTrust-Vet、F-Prot、Fortinet、Jiangmin
Kaspersky、Microsoft、NOD32、PCTools、Prevx、Sophos
SUPERAntiSpyware、Symantec、VIPRE
The proof of this response can be viewed in the VirusTotal result.
Therefore we close the support for this matter. AV makers who STILL think this is malware are free to analyze it further by downloading the sample at the URL below:
http://dl.dropbox.com/u/32230830/AyabanUpdate.exe.rar

There are many false positives for Japanese software, especially Japanese game software. This time I would like to make a complete report of this false positive, so that AV makers check a sample carefully before judging an innocent game, especially Japanese software, as malware. I have done my best to make this report usable as a reference by all malware researchers for false positive analysis.

The PC version update/patch program of the Japanese animation game "Ayakashibito/Ayaban" (also "Ayakashiban") was falsely detected by multiple antivirus vendors as a Trojan/malware. The software is an animation game for the adult market and has little network activity when played. This false positive is triggered by 1) the PACKER used for the update file, which is meant to keep the installer/setup small (causing the CRC check to differ, and so on..), and 2) the software being in Japanese, so nobody can read the popup messages properly..
Therefore I hereby present a full analysis of it.

You can download it from Amazon at the link below:


This game was made by the game studio PROPELLER GAME (http://www.propeller-game.com), whose website is shown below:


The AYABAN game itself was released in 2005. The game's website is quite good; you can view it safely at this URL, and I have included a snapshot image of it:
http://www.propeller-game.com/product/ayakasi/


In 2008 there was a version-up of this game software for the PC version; the update patch was put online at the vendor's site at the URL below:
http://www.propeller-game.net/support/AyabanUpdate.exe
**) Additional: Because of this misjudgement as "malware", the sample at this URL was deleted from the server.
**) Additional: The sample can be downloaded in section 5 of this report.


This update/patch file is now judged as malware (a false positive) by multiple antivirus products, according to the following VirusTotal result as proof:

The page above shows a scan result of 27/42 (64.3%); some major antivirus vendors claimed this software as the malware listed below:
TR/Swizzor.5.958
Downloader.Swizzor.RBV
Trojan.Swizzor.18359
Trojan.Agent.ATV
UnclassifiedMalware
Trojan.Siggen2.39152
Win32.TRSwizzor
Trojan.Swizzor.18359
Trojan.Swizzor.18359
Trojan.Swizzor
Riskware
Trojan.Win32.Agent.nctd
Swizzor!gw
Swizzor!gw
W32/Suspicious_Gen2.MQTUY
Trojan/W32.Agent.790528.CV
Trojan.Win32.Generic.1288482E
Troj/Swizzor-RF
Trojan/Agent.nctd
TROJ_SPNR.03CI11
TROJ_SPNR.03CI11
Trojan.Agent.nctd
Trojan.Win32.Generic!BT
Trojan.Win32.S.Agent.790528.B
Trojan.Agent!d1bf4l/Kflk

The malware info above was wrong, since this is indeed goodware; with this report I ask the AV makers to remove the FP detection of the current sample. Furthermore, I was in contact with the maker of the software and was asked to help clarify this matter.

To clarify, I analyzed this sample in the following steps:

1. Analyzing the suspected malware "AyabanUpdate.exe"
I downloaded the sample just now, as logged below:
--23:30:48-- http://www.propeller-game.net/support/AyabanUpdate.exe
=> `AyabanUpdate.exe.1'
Resolving www.propeller-game.net... 203.183.23.7
Connecting to www.propeller-game.net|203.183.23.7|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 790,528 (772K) [application/octet-stream]
100%[====================================>] 790,528 942.45K/s
23:30:49 (938.35 KB/s) - `AyabanUpdate.exe.1' saved [790528/790528]

Just in case, I checked the source of the network too:
Output for origin 203.183.23.7..
2554 | 203.183.16.0/21 | IDC2554 | JP | FIRSTSERVER.NE.JP | FIRSTSERVER INC

Network cross check:
;; QUESTION SECTION:
;propeller-game.net. IN A
;; ANSWER SECTION:
propeller-game.net. 3600 IN A 203.183.23.7
;; AUTHORITY SECTION:
propeller-game.net. 3600 IN NS nsas4.firstserver.ne.jp.
propeller-game.net. 3600 IN NS nsas3.firstserver.ne.jp.
;; ADDITIONAL SECTION:
nsas3.firstserver.ne.jp. 2546 IN A 164.46.1.79
nsas4.firstserver.ne.jp. 2546 IN A 203.183.96.43

[Querying whois.internic.net]
[Redirected to whois.do-reg.jp]
[Querying whois.do-reg.jp]
[whois.do-reg.jp]

### Do-REG WHOIS database / ###
String for search [ PROPELLER-GAME.NET ]
[Domain Name] PROPELLER-GAME.NET
[Status] clientTransferProhibited
[Nameserver] NSAS3.FIRSTSERVER.NE.JP
[Nameserver] NSAS4.FIRSTSERVER.NE.JP
[Creation Date] 2005-05-11 18:36:34(JST)
[Expiration Date] 2012-05-11 18:36:34(JST)
[Last Update] 2011-05-01 00:07:09(JST)
[Registrant]
kabushikigaisyawill
Name: Kazunobu Yoshida
Address: Sankyou Bldg. 4F,3-11-5 Iidabashi Chiyoda-ku Tokyo, JP

[Admin Contact]
Handle: DRKY0065
Organization: kabushikigaisya will
Name: Kazunobu Yoshida
E-Mail: nic-jp@firstserver.ne.jp
Postal-Code: 102-0072
Address: Sankyou Bldg. 4F,3-11-5 Iidabashi Chiyoda-ku Tokyo, JP
Phone-Number: 03-3234-3765
Fax-Number:
[Tech Contact]
Handle: DRKY0065
Organization: kabushikigaisya will
Name: Kazunobu Yoshida
E-Mail: nic-jp@firstserver.ne.jp
Postal-Code: 102-0072
Address: Sankyou Bldg. 4F,3-11-5 Iidabashi Chiyoda-ku Tokyo, JP
Phone-Number: 03-3234-3765
Fax-Number:

*) I couldn't find any suspicious point at all in this network; it is the legitimate, official site of the maker...

After download, the file itself looks like this:

*) See the timestamp of the binary above: the date is 2008, the same as the release date of this patch on the website...

I ran some quick tests on it and found the results as follows:

[+] Sample Info
File name : AyabanUpdate.exe
File size : 790,528 bytes
MD5 : f22c6ad76f664a0aec9444e1b08b9c11
SHA1 : b4b9505a16826c3a2363751659004c88400184ad
SHA256: 124f1f162253fc5b62e5fd18336c746cb209aced83ac3a10ab4931e1949e50bc

[+] Valid PE file.
Identified packer :Installer VISE Custom
[+] Claimed CRC and Actual CRC are different: Claimed: 0, Actual: 838,059
[+] Verifying timestamp from file..... Seems fine
[+] File info: ........ not much is written (maybe ExifTool can't get any result for this); below is the text dump of it:
Machine: 0x14C
NumberOfSections: 0x4
TimeDateStamp: 0x4353C357 [Mon Oct 17 15:29:27 2005 UTC]
PointerToSymbolTable: 0x0
NumberOfSymbols: 0x0
SizeOfOptionalHeader: 0xE0
Characteristics: 0x10F
Flags: IMAGE_FILE_LOCAL_SYMS_STRIPPED, IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_RELOCS_STRIPPED
Magic: 0x10B
MajorLinkerVersion: 0x6
MinorLinkerVersion: 0x0
SizeOfCode: 0x4000
SizeOfInitializedData: 0xBE000
SizeOfUninitializedData: 0x0
AddressOfEntryPoint: 0x13A2
BaseOfCode: 0x1000
BaseOfData: 0x5000
ImageBase: 0x400000
SectionAlignment: 0x1000
FileAlignment: 0x1000
MajorOperatingSystemVersion: 0x4
MinorOperatingSystemVersion: 0x0
MajorImageVersion: 0x0
MinorImageVersion: 0x0
MajorSubsystemVersion: 0x4
MinorSubsystemVersion: 0x0
Reserved1: 0x0
SizeOfImage: 0xC3000
SizeOfHeaders: 0x1000
CheckSum: 0x0
Subsystem: 0x2
DllCharacteristics: 0x0
SizeOfStackReserve: 0x100000
SizeOfStackCommit: 0x1000
SizeOfHeapReserve: 0x100000
SizeOfHeapCommit: 0x1000
LoaderFlags: 0x0
NumberOfRvaAndSizes: 0x10

*) According to the file analysis above, the CRC check differs because of the packer. The software maker wanted to make this patch as small as possible, and also put some protection on the code..

2. Disassembly of the suspected malware "AyabanUpdate.exe"
I'm not going to be long on this; the result is below:
[+] Loaded DLLs and their CALL lists:
-----------------------------
KERNEL32.dll
-----------------------------
KERNEL32.dll.LockResource Hint[469]
KERNEL32.dll.LoadResource Hint[455]
KERNEL32.dll.FindResourceA Hint[163]
KERNEL32.dll.GetStringTypeW Hint[342]
KERNEL32.dll.CreateFileA Hint[52]
KERNEL32.dll.LCMapStringW Hint[448]
KERNEL32.dll.LCMapStringA Hint[447]
KERNEL32.dll.MultiByteToWideChar Hint[484]
KERNEL32.dll.SetStdHandle Hint[636]
KERNEL32.dll.LoadLibraryA Hint[450]
KERNEL32.dll.GetProcAddress Hint[318]
KERNEL32.dll.SizeofResource Hint[661]
KERNEL32.dll.WriteFile Hint[735]
KERNEL32.dll.GetStringTypeA Hint[339]
KERNEL32.dll.CloseHandle Hint[27]
KERNEL32.dll.GetModuleHandleA Hint[294]
KERNEL32.dll.GetStartupInfoA Hint[336]
KERNEL32.dll.GetCommandLineA Hint[202]
KERNEL32.dll.GetVersion Hint[372]
KERNEL32.dll.ExitProcess Hint[125]
KERNEL32.dll.TerminateProcess Hint[670]
KERNEL32.dll.GetCurrentProcess Hint[247]
KERNEL32.dll.UnhandledExceptionFilter Hint[685]
KERNEL32.dll.GetModuleFileNameA Hint[292]
KERNEL32.dll.FreeEnvironmentStringsA Hint[178]
KERNEL32.dll.FreeEnvironmentStringsW Hint[179]
KERNEL32.dll.WideCharToMultiByte Hint[722]
KERNEL32.dll.GetEnvironmentStrings Hint[262]
KERNEL32.dll.GetEnvironmentStringsW Hint[264]
KERNEL32.dll.SetHandleCount Hint[621]
KERNEL32.dll.GetStdHandle Hint[338]
KERNEL32.dll.GetFileType Hint[277]
KERNEL32.dll.HeapDestroy Hint[413]
KERNEL32.dll.HeapCreate Hint[411]
KERNEL32.dll.VirtualFree Hint[703]
KERNEL32.dll.HeapFree Hint[415]
KERNEL32.dll.RtlUnwind Hint[559]
KERNEL32.dll.GetLastError Hint[282]
KERNEL32.dll.SetFilePointer Hint[618]
KERNEL32.dll.GetCPInfo Hint[191]
KERNEL32.dll.GetACP Hint[185]
KERNEL32.dll.GetOEMCP Hint[305]
KERNEL32.dll.HeapAlloc Hint[409]
KERNEL32.dll.VirtualAlloc Hint[699]
KERNEL32.dll.HeapReAlloc Hint[418]
KERNEL32.dll.FlushFileBuffers Hint[170]
-----------------------------
USER32.dll
-----------------------------
USER32.dll.SetDlgItemTextA Hint[556]
USER32.dll.GetDlgItem Hint[258]
USER32.dll.EnableWindow Hint[183]
USER32.dll.PostQuitMessage Hint[480]
USER32.dll.SetWindowTextA Hint[606]
USER32.dll.EndDialog Hint[185]
USER32.dll.DialogBoxParamA Hint[147]
-----------------------------
ADVAPI32.dll
-----------------------------
ADVAPI32.dll.RegQueryValueExA Hint[379]
ADVAPI32.dll.RegCloseKey Hint[347]
ADVAPI32.dll.RegOpenKeyA Hint[369]

*) No significant malware calls were found...

The calls below may be the suspected factors, but some goodware I know also uses them for copy protection..
[+] Some suspicious calls
Some malware uses these to block debugging:
0x405034 LoadLibraryA
0x405038 GetProcAddress
0x405048 CloseHandle
0x405064 GetCurrentProcess
DEP Setting Change trace
0x405094 HeapCreate
0x4050bc VirtualAlloc

Furthermore I checked some blocks of disassembly data to find a suspicious section, but nothing was found; below is the data of the 1st block dump:
[0x4013a2L] mov ebp esp
[0x4013a3L] push 0xff
[0x4013a5L] push 0x4050f0
[0x4013a7L] push 0x4027f8
[0x4013acL] mov eax [fs:0x0]
[0x4013b1L] push eax
[0x4013b7L] mov [fs:0x0] esp
[0x4013b8L] sub esp 0x58
[0x4013bfL] push ebx
[0x4013c2L] push esi
[0x4013c3L] push r15d
[0x4013c4L] mov [bp-0x18] esp
[0x4013c5L] call [0x405058]
[0x4013c8L] xor edx edx
[0x4013ceL] mov dl ah
[0x4013d0L] mov [0x407b38] edx
[0x4013d2L] mov ecx eax
[0x4013d8L] and ecx 0xff
[0x4013daL] mov [0x407b34] ecx
[0x4013e0L] shl ecx 0x8
[0x4013e6L] add ecx edx
[0x4013e9L] mov [0x407b30] ecx
[0x4013ebL] shr eax 0x10
[0x4013f1L] mov [0x407b2c] eax
[0x4013f4L] xor esi esi
[0x4013f9L] push esi
[0x4013fbL] call 0x4026c1L
[0x4013fcL] pop ecx
[0x401401L] test eax eax
[0x401402L] jnz 0x40140eL
[0x401404L] push 0x1c
[0x401406L] call 0x4014bdL
[0x401408L] pop ecx
[0x40140dL] mov [bp-0x4] esi
[0x40140eL] call 0x402516L
[0x401411L] call [0x405054]
[0x401416L] mov [0x409058] eax
[0x40141cL] call 0x4023e4L
[0x401421L] mov [0x407b14] eax
[0x401426L] call 0x402197L
[0x40142bL] call 0x4020deL
[0x401430L] call 0x401e00L
[0x401435L] mov [bp-0x30] esi
[0x40143aL] lea eax [bp-0x5c]
[0x40143dL] push eax
[0x401440L] call [0x405050]
[0x401441L] call 0x402086L
[0x401447L] mov [bp-0x64] eax
[0x40144cL] test [bp-0x30] 0x1
[0x40144fL] jz 0x40145bL
[0x401453L] movzx eax [bp-0x2c]
[0x401455L] jmp near 0x40145eL
[0x401459L] push eax
[0x40145eL] push [bp-0x64]
[0x40145fL] push esi
[0x401462L] push esi
[0x401463L] call [0x40504c]
[0x401464L] push eax
[0x40146aL] call 0x401000L
[0x40146bL] mov [bp-0x60] eax
[0x401470L] push eax
[0x401473L] call 0x401e2dL
[0x401474L] mov eax [bp-0x14]
[0x401479L] mov ecx [ax]
[0x40147cL] mov ecx [cx]
[0x40147eL] mov [bp-0x68] ecx
[0x401480L] push eax
[0x401483L] push ecx
[0x401484L] call 0x401f02L
[0x401485L] pop ecx
[0x40148aL] pop ecx
[0x40148bL] ret

*) Basically I couldn't find any harmful code in it..


3. Behavior analysis of the suspected malware "AyabanUpdate.exe"
I just ran it in my virtual environment and watched how it runs, as explained below:

*) explanation:
1. This program creates a popup with the message: "The update of the Ayaban is started, press to continue..."
2. When the popup first appears, it loads the DLLs needed to run it, and I found activity searching for installations of previous versions..
3. After you click the button, the program searches for the game; if it is not found it pops up the message "Ayakashiban Game is not installed..", and if you then press the EXIT button the program exits normally (below is the memory check of the program and its exit)


As for its network activity: most people who have not installed the game WILL NOT FIND ANY network activity from it; below is the capture of the netstat command BEFORE and AFTER the program exited.


Furthermore I checked for changes to the Windows registry, but no changes were found, and no file was created or downloaded.

4. Detection references:
Just in case I missed something, I did some reference scanning on many sites, with the results below. These results do not show any significant malware judgement.

4.1. Threat Expert

In the ThreatExpert check, only the false positive detection claims this sample is malware; the message and link are below:

http://www.threatexpert.com/report.aspx?md5=f22c6ad76f664a0aec9444e1b08b9c11

4.2 Some online sandbox results

The links below are the COMODO and Sunbelt sandbox results; I do not think these results show any malware activity:
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=55221811&cs=9EA6B45D8908505FDC3C0ED3FD838D5F
http://camas.comodo.com/cgi-bin/submit?file=124f1f162253fc5b62e5fd18336c746cb209aced83ac3a10ab4931e1949e50bc


5. The Result (In progress...)
At this moment (Tue Jun 14 13:06:29 JST 2011) AVG and AntiVir are the first to confirm this FP, and have updated their databases to correct it with a great response time. Respect!
The result in VT scanning is now changing from 27/42 (64.3%) to 25/42 (59.5%) at this moment.

Sadly, yesterday the FP sample was removed from the reported malware URL on the grounds of this misjudgement as "malware". I got some requests from analysts who would like to help and re-review the current sample.
So, if you as a malware analyst can participate in checking this sample, to clarify that this innocent software is misjudged as malware by "the" AV vendors, please feel free to review it by downloading the sample from the URL below:
--------------------------sample download-----------------------------------------
http://dl.dropbox.com/u/32230830/AyabanUpdate.exe.rar (pwd: infected)
Sample Info
File name : AyabanUpdate.exe
File size : 790,528 bytes
MD5 : f22c6ad76f664a0aec9444e1b08b9c11
SHA1 : b4b9505a16826c3a2363751659004c88400184ad
SHA256: 124f1f162253fc5b62e5fd18336c746cb209aced83ac3a10ab4931e1949e50bc
----------------------------------------------------------------------------------------
If you find and agree that this is an FP, please add your review; those who claim it is malware, please write YOUR REASON WHY (yes, it is a challenge!) on the VirusTotal page and choose your verdict of GOODWARE or MALWARE. It will be greatly appreciated.

I received many questions regarding this FP case. The questions asked so far and my answers are compiled below:

============================
QUESTIONS & ANSWERS (Q & A)
============================

Q: Why are the CRC values of the sample different (actual and stated)?
A: Because the developer used a packer to make the installer small.
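As an added worked example (not part of the original post), covering both the CRC finding in section 1 ("Claimed: 0, Actual: 838,059") and this answer: the Python below implements the PE header CheckSum algorithm and classifies a zero CheckSum field as "unset" (the linker or packer simply never wrote one) rather than as a real mismatch. It runs on a constructed minimal PE32 image built inline, not on the Ayaban sample.

```python
import struct

# Constructed minimal PE32 image for exercising the checksum code; this is not
# the Ayaban sample, just a DOS stub, PE signature, COFF header, optional header
# and some padding bytes standing in for section data.
def build_sample_pe(payload: bytes) -> bytes:
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)      # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<IHHIIIHH", 0x00004550, 0x14C, 1, 0x4353C357, 0, 0, 0xE0, 0x10F)
    opt = bytearray(0xE0)                      # PE32 optional header, CheckSum at offset 64
    struct.pack_into("<H", opt, 0, 0x10B)      # Magic: PE32
    struct.pack_into("<I", opt, 28, 0x400000)  # ImageBase (CheckSum left 0, as in the sample)
    return bytes(dos) + coff + bytes(opt) + payload

def checksum_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 64              # signature + COFF header + field offset

def pe_checksum(data: bytes) -> int:
    """Windows PE CheckSum: fold every 32-bit word of the file (skipping the
    CheckSum field itself) into a 16-bit one's-complement sum, then add the file length."""
    skip = checksum_offset(data)
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def set_checksum(data: bytes, value: int) -> bytes:
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_offset(data), value)
    return bytes(buf)

def verify_checksum(data: bytes):
    """Return (status, stored, actual). 'unset' means no CheckSum was ever written
    (the Ayaban case: Claimed 0); only 'mismatch' means bytes changed after stamping."""
    stored = struct.unpack_from("<I", data, checksum_offset(data))[0]
    actual = pe_checksum(data)
    if stored == 0:
        return "unset", stored, actual
    return ("match" if stored == actual else "mismatch"), stored, actual

if __name__ == "__main__":
    sample = build_sample_pe(b"\x90" * 100)
    print(verify_checksum(sample))                                         # ('unset', 0, ...)
    print(verify_checksum(set_checksum(sample, pe_checksum(sample)))[0])   # match
```

A zero field is what most unsigned or packed installers carry, so a "claimed vs actual" difference alone is weak evidence; a stored non-zero value that does not match is the case worth a closer look.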

Q: Why was some suspicious entropy detected during quick analysis by a sandbox?
A: Same as above: the reason is the packer. But a legitimate packer was used: Installer VISE Custom.

Q: Some debugging-blocking calls were detected at the addresses below; why?
0x405034 LoadLibraryA
0x405038 GetProcAddress
0x405048 CloseHandle
0x405064 GetCurrentProcess
A: Simply to protect the installer against disassembly. This is a special bonus feature of game software offered as an update, so the developers make it hard to crack; that's it.

Q: What is the explanation of the DEP Setting Change trace below, then?
0x405094 HeapCreate
0x4050bc VirtualAlloc
A: It's easy. DEP (Data Execution Prevention) can be turned on/off IF the PC user knows how to do it. But some gamers don't know how to set it and find that the installer doesn't run smoothly. As a shortcut solution, the developers change the DEP values to allow the installer to run smoothly; that simple. A complete reference explaining that changing DEP settings "is allowed" by Microsoft: http://windows.microsoft.com/en-US/windows-vista/Change-Data-Execution-Prevention-settings

Q: Why was there such broad FP consensus in this case, then?
A: Mostly, an automated scanning system is the first way the AV makers' person in charge checks a sample, so the binary analysis points above get noted as suspicious.
Furthermore, when it is run in a sandbox (behavior checks), it is Japanese software, so nobody can read well what is written in the interface, which says "The update of the Ayaban is started, pls press next button to continue..."
Of course if you press the next button, the program searches for the main installation of the game to be patched, which on most foreign PCs will not be found, and it shows another popup saying "Ayakashiban Game is not installed.. Pls press the End button".


----
Zero Day Japan
http://0day.jp
Malware Research Lab
Adrian Hendrik
Sponsored by: 株式会社ケイエルジェイテック (KLJ Tech Co., Ltd.)
