Need help with .exe file to see what it's downloading and where


  1. Posts : 26
    windows 7 64bit professional
       #1

    Need help with .exe file to see what it's downloading and where


Hey guys, I was wondering if anyone can help me out with a problem. My son downloaded and ran an .exe file he shouldn't have. It's one of those .exe files that goes and starts downloading files off the internet. I have no idea what files it actually downloaded and installed. I tried running it in Sandboxie but I had no luck figuring it out. I really don't know jack about this stuff. Can someone with experience with this stuff run this file in a controlled, safe environment like a sandbox program and tell what it's actually downloading and where to? I know this is asking a lot but I am very worried that it downloaded and installed some malicious software. If anyone can help me out it would be most appreciated.


  2. Posts : 1,049
    Windows 7 Pro 32
       #2

    Sandboxie is a great program to track these downloads. To make it as easy as possible:

    - Delete the sandbox contents
    - Open the .exe file in the empty sandbox
    - monitor changes in the Sandboxie Control via View menu - "Files and Folders", or from Windows Explorer in folder c:\sandbox

With an empty sandbox, if you only launch this .exe file and no other program, you should be able to find the downloads.


  3. Posts : 26
    windows 7 64bit professional
    Thread Starter
       #3

Thanks tookeri, I found out about this website which allows you to upload a file and it runs and analyzes it for malicious activity. I have no idea if what I am looking at is good or bad. https://anubis.iseclab.org/?action=r...2e&format=html


  4. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #4

    Hmm. Well I tried installing it but no luck. On my machine it attempted to download files but something blocked the download. I checked and the domain it communicated with is blocked by my hosts file.

    Downloaded the file and ran it. It was immediately blocked by my AV so I chose to unblock it.

[attached image: gta-5-setup-wizard.jpg]

    You can see it tries to download some files.

    Also blocked by the following security software and I chose to allow installation.

[attached image: sa-alert.jpg]

[attached image: voodooshield-alert.jpg]

    It then established a connection:

[attached image: netstat.jpg]

    The ip address resolves to:

[attached image: virustotal.jpg]

    That domain was already blocked in my hosts file so no files were downloaded.

[attached image: hosts-emeditor.jpg]

    Sorry but that's as far as I'm willing to test. I also ran monitors for file and registry changes but nothing was created. I guess because the download was blocked.

    Also see: https://malwr.com/analysis/OWIzZGNkN...A3NTI4YjUxNWE/

    Does it show up in your installed program list?
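A scripted version of the two checks described in posts #2 and #4: snapshot the sandbox folder before and after the run and diff it to find what was dropped, and parse a hosts file to see which names it sinkholes. This is an added example written for this page, not code from the thread; the sandbox path and the hosts content are assumptions (pass your own C:\sandbox path to snapshot_tree(), and feed your real hosts file text to blocked_hosts()).

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot_tree(root):
    """Map every file under root (posix-style relative path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def diff_snapshots(before, after):
    """Return (created, modified, deleted) relative paths, each sorted."""
    created = sorted(p for p in after if p not in before)
    deleted = sorted(p for p in before if p not in after)
    modified = sorted(p for p in after if p in before and after[p] != before[p])
    return created, modified, deleted


def blocked_hosts(hosts_text):
    """Names a hosts file sinkholes to a null/loopback address (localhost excluded)."""
    blocked = set()
    for line in hosts_text.splitlines():
        parts = line.split("#", 1)[0].split()          # strip comments, tokenize
        if len(parts) > 1 and parts[0] in ("0.0.0.0", "127.0.0.1", "::1"):
            blocked.update(n.lower() for n in parts[1:] if n.lower() != "localhost")
    return blocked


# Constructed sample hosts content (assumption, not from the thread).
SAMPLE_HOSTS = """127.0.0.1 localhost
0.0.0.0 bad.example.com evil.example.net   # sinkholed
192.0.2.10 real.example.org
"""


def demo():
    """Simulate a sandbox run in a temp dir: snapshot, 'run', snapshot, diff."""
    with tempfile.TemporaryDirectory() as d:
        box = Path(d)
        (box / "a.txt").write_text("one")
        (box / "sub").mkdir()
        (box / "sub" / "b.txt").write_text("two")
        before = snapshot_tree(box)
        # Stand-in for what the .exe does while running inside the sandbox.
        (box / "a.txt").write_text("changed")
        (box / "c.exe").write_bytes(b"MZ")
        (box / "sub" / "b.txt").unlink()
        return diff_snapshots(before, snapshot_tree(box))
```

Take the first snapshot with the sandbox emptied as post #2 says, launch only the .exe, then take the second; anything in the created list is what it dropped.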


  5. Posts : 175
    Windows 7 Home Premium 64bit
       #5

    Hi Callender.
    I read the same post in bleepingcomputers.com from the same guy. Thanks for the heads up.
    Need help with .exe file to see what it's downloading and where - Am I infected? What do I do?
    same guy and name.
    Pointing to download some loaded stuff.


  6. Posts : 26
    windows 7 64bit professional
    Thread Starter
       #6

Thanks Callender for the detailed response and thanks for putting so much effort into helping me out. Looking at the VirusTotal screenshot of the IP address that you attached, it appears that the IP is associated with other malicious software as well. That is really unfortunate to see. May I ask what security software you use?


  7. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #7

Well, lots. Comodo AV & Firewall, Bitdefender Traffic Light (browser add-on), Voodoo Shield Pro, SecureAge Application Whitelisting, Xvirus Web Guard (just testing at the moment), MJ RegWatcher, Threatfire, Spy-The-Spy, MS EMET, Peerblock, Hitman Pro Alert, a heavily modified hosts file, plus lots of on-demand scanners and a few other tools. Also I alternate between Norton ConnectSafe DNS and Comodo Secure DNS.
    Last edited by Callender; 16 Apr 2015 at 08:52. Reason: add info


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.