SonicALERT

Sonicwall Signatures

 



  Softcnapp.AMPO
Softcnapp.AMPO is a Trojan. A Trojan is a program that poses as legitimate software but performs malicious actions on the user's computer. Unlike viruses and worms, Trojans do not self-replicate or spread to other computers on their own. In the sandbox run recorded below, the sample behaves as a downloader: it creates a BundleBind directory under Application Data, fetches files from the listed domains into that directory, and sends a base64-encoded check-in to 101.37.188.42.

Mutexes created
  • _!MSFTHISTORY!_
  • c:!documents and settings!soumy!local settings!temporary internet files!content.ie5!
  • c:!documents and settings!soumy!cookies!
  • c:!documents and settings!soumy!local settings!history!history.ie5!
  • WininetStartupMutex
  • WininetConnectionMutex
  • WininetProxyRegistryMutex


Directory level activity
  • create - dir - C:\Documents and Settings\TestMachine\Application Data\BundleBind
  • create - dir - C:\Documents and Settings\TestMachine\Application Data\BundleBind\Config
  • create - dir - C:\Documents and Settings\TestMachine\Application Data\BundleBind\Config\Icon
  • create - dir - C:\DOCUME~1\TestMachine\LOCALS~1\Temp\App


File level activity
  • write - file - C:\DOCUME~1\TestMachine\LOCALS~1\Temp\svyrvt.exe
  • write - file - PIPE\lsarpc
  • write - file - C:\Documents and Settings\TestMachine\Application Data\BundleBind\Config\Icon\icon1.png.temp
  • write - file - C:\Documents and Settings\TestMachine\Application Data\BundleBind\Config\Icon\monids.png.temp
  • write - file - C:\Documents and Settings\TestMachine\Application Data\BundleBind\Config\Icon\XiGuaViewer_1123.png.temp
  • write - file - C:\Documents and Settings\TestMachine\Application Data\BundleBind\Config\Icon\zny.png.temp
  • write - file - C:\Documents and Settings\TestMachine\Application Data\BundleBind\Config\Icon\budys.png.temp
  • write - file - C:\Documents and Settings\TestMachine\Application Data\BundleBind\Config\Icon\kuaizip187.png.temp
  • write - file - C:\Documents and Settings\TestMachine\Application Data\BundleBind\Config\Icon\abckantu.png.temp
  • write - file - C:\Documents and Settings\TestMachine\Application Data\BundleBind\Config\Icon\xiaohei.png.temp




    Registry API calls used
    • RegOpenKeyExW
    • RegQueryInfoKeyW
    • RegEnumKeyExW
    • RegEnumValueW
    • RegQueryValueExW
    • RegCloseKey


    Registry API calls used
    • NtOpenKey
    • NtEnumerateValueKey
    • NtQueryValueKey
    • NtQueryKey
    • RegCreateKeyExW
    • RegCreateKeyExA
    • RegOpenKeyExW
    • RegOpenKeyExA
    • RegQueryValueExW
    • RegQueryValueExA
    • RegQueryInfoKeyW
    • RegQueryInfoKeyA
    • RegEnumKeyExW
    • RegEnumKeyExA
    • RegEnumValueW
    • RegEnumValueA
    • RegSetValueExW
    • RegSetValueExA
    • RegDeleteValueA
    • RegCloseKey


    System API calls used
    • LdrLoadDll
    • LdrGetProcedureAddress
    • LdrGetDllHandle
    • IsDebuggerPresent
    • SetWindowsHookExW
    • NtDelayExecution
    • LookupPrivilegeValueW


    Filesystem API calls used
    • CreateDirectoryW
    • NtCreateFile
    • NtQueryInformationFile
    • NtSetInformationFile
    • NtReadFile
    • NtWriteFile
    • MoveFileWithProgressW
    • NtOpenFile
    • NtDeviceIoControlFile
    • FindFirstFileExW
    • NtQueryDirectoryFile

    Network

    UDP source >> destination
    • 192.168.30.9 >> 192.168.30.254
    • 192.168.30.9 >> 192.168.30.255
    • 192.168.30.9 >> 8.8.8.8


    TCP source >> destination
    • 192.168.30.9 >> 101.37.188.42
    • 192.168.30.9 >> 106.75.87.158
    • 192.168.30.9 >> 115.231.130.8
    • 192.168.30.9 >> 157.185.144.116
    • 192.168.30.9 >> 220.243.224.158



    Domains:
    • csdw.sinosteelinvest.com with IP - 106.75.87.158
    • www.sinosteelinvest.com with IP - 115.231.130.8
    • dwonload.sinosteelinvest.com with IP - 157.185.144.116
    • dwonload.sz-qudou.net with IP - 220.243.224.158

    DNS Request:
    • dwonload.sinosteelinvest.com
    • csdw.sinosteelinvest.com
    • dwonload.sz-qudou.net
    • www.sinosteelinvest.com

    HTTP Request:
    • GET URI - http://dwonload.sinosteelinvest.com/xiazaiqi/xiazaiqi.html
    • GET URI - http://dwonload.sinosteelinvest.com/softdata.dat
    • GET URI - http://dwonload.sz-qudou.net/wuming/png/XiGuaViewer_1123.png
    • GET URI - http://dwonload.sz-qudou.net/wuming/png/monids.png
    • GET URI - http://dwonload.sz-qudou.net/wuming/png/budys.png
    • GET URI - http://dwonload.sinosteelinvest.com/xiazaiqi/sxjl.swf
    • GET URI - http://www.sinosteelinvest.com/api.php?id=&qid=&rand=72453&flag=1024&title=&t=
    • GET URI - http://www.sinosteelinvest.com/cfgbin.php?id=&qid=&rand=18487&flag=1024&title=&t=0&u=
    • GET URI - http://dwonload.sz-qudou.net/wuming/png/zny.png
    • GET URI - http://dwonload.sz-qudou.net/wuming/png/xiaohei.png
    • GET URI - http://dwonload.sz-qudou.net/wuming/png/abckantu.png
    • GET URI - http://101.37.188.42/tj.txt?data=MQkJCQkxCVdpbmRvd3NYUAkwCTAJTlVMTAkxMDI0CU5VTEw%3D
    • GET URI - http://www.sinosteelinvest.com/api.php?id=&qid=&rand=95433&flag=1024&title=&t=
    • GET URI - http://csdw.sinosteelinvest.com/position/get03
    • GET URI - http://dwonload.sz-qudou.net/wuming/png/kuaizip187.png
    • GET URI - http://dwonload.sz-qudou.net/wuming/png/icon1.png
    • GET URI - http://www.sinosteelinvest.com/api.php?id=&qid=&rand=25602&flag=1024&title=&t=
    • GET URI - http://www.sinosteelinvest.com/api.php?id=&qid=&rand=96966&flag=1024&title=&t=
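    The check-in to 101.37.188.42 carries a percent-encoded base64 `data` parameter, and the remaining requests go to four domains and a handful of IPs that are usable as network indicators. The script below is an added example written for this page, not SonicWall's own tooling: it decodes the `data` parameter of the tj.txt request listed above into its tab-separated fields, and runs the domain and IP indicators from this report over a few constructed proxy log lines. The log format (`<timestamp> <client> <method> <url> <status>`) and the sample lines are assumptions for illustration; the URLs, domains and IPs are taken from the report.

```python
"""Decode the tj.txt check-in and hunt proxy logs for the indicators in this report."""
import base64
from urllib.parse import parse_qs, urlsplit

# Indicators copied from the report above.
IOC_DOMAINS = {
    "csdw.sinosteelinvest.com",
    "www.sinosteelinvest.com",
    "dwonload.sinosteelinvest.com",
    "dwonload.sz-qudou.net",
}
IOC_IPS = {
    "101.37.188.42",
    "106.75.87.158",
    "115.231.130.8",
    "157.185.144.116",
    "220.243.224.158",
}

# The check-in URL exactly as recorded in the HTTP request list.
BEACON_URL = (
    "http://101.37.188.42/tj.txt"
    "?data=MQkJCQkxCVdpbmRvd3NYUAkwCTAJTlVMTAkxMDI0CU5VTEw%3D"
)


def decode_beacon(url):
    """Return the tab-separated fields of a tj.txt check-in, or None if the
    `data` parameter is missing or is not valid base64.

    parse_qs undoes the percent-encoding (%3D -> '='); the result is base64,
    and the decoded plaintext is a tab-separated record.
    """
    query = parse_qs(urlsplit(url).query)
    raw = query.get("data", [""])[0]
    if not raw:
        return None
    try:
        plain = base64.b64decode(raw, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return plain.decode("utf-8", errors="replace").split("\t")


def url_host(url):
    """Lower-cased host part of a URL (port stripped), or '' if unparsable."""
    return (urlsplit(url).hostname or "").lower()


def scan_log(lines):
    """Match proxy log lines against the report's domain and IP indicators.

    Assumed line format: '<timestamp> <client> <method> <url> <status>'.
    Returns a list of (line_number, host, reason); unparsable lines are skipped.
    """
    hits = []
    for number, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        host = url_host(fields[3])
        if host in IOC_DOMAINS:
            hits.append((number, host, "known download/C2 domain"))
        elif host in IOC_IPS:
            hits.append((number, host, "known C2 IP"))
    return hits


# Constructed sample log lines (assumed format), not real traffic.
SAMPLE_LOG = [
    "2020-01-01T10:00:01Z 192.168.30.9 GET http://dwonload.sinosteelinvest.com/softdata.dat 200",
    "2020-01-01T10:00:02Z 192.168.30.9 GET http://www.example.com/index.html 200",
    "2020-01-01T10:00:03Z 192.168.30.9 GET " + BEACON_URL + " 200",
    "2020-01-01T10:00:04Z 192.168.30.9 GET http://DWONLOAD.SZ-QUDOU.NET/wuming/png/zny.png 200",
    "malformed line",
]


if __name__ == "__main__":
    print("beacon fields:", decode_beacon(BEACON_URL))
    for number, host, reason in scan_log(SAMPLE_LOG):
        print(f"line {number}: {host} ({reason})")
```

    The decoded check-in is a tab-separated record containing the string `WindowsXP` and the value `1024`; the same value appears as `flag=1024` in the api.php and cfgbin.php requests, so the two are worth correlating when reviewing proxy logs. Host matching is case-insensitive because `urlsplit().hostname` lower-cases the host, which is what you want for domain indicators.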

    DLL related data
    Number of DLL's imported = 8
    • KERNEL32.dll
    • ADVAPI32.dll
    • SHELL32.dll
    • ole32.dll
    • SHLWAPI.dll
    • urlmon.dll
    • WS2_32.dll
    • WININET.dll

