Analysis Date: 2013-12-27 21:08:01
MD5: bbeacdb2d17ffea8af891bf8deb8b8dc
SHA1: 042c3b90c2d7d72eb3b0da8c4128b0e4dfa568a7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 8557397115ee97dd748646c4e72a0251 sha1: e7e46385041c3499e090d346bf072de3be25d361 size: 2560
Section .rdata md5: 3ba799e5f1abc3984cf9e2b4b856dc05 sha1: 5a520faafe757c49e4c617d29ca806504ff16a79 size: 2048
Section .data md5: 202a0f14ba4a024e6a35d5895669b769 sha1: b8e1afb4a2434014e0daabb226ccfe0fcfa4debf size: 512
Section .rsrc md5: 67447673d39f5cbb0b14d2b56b256b06 sha1: 6039a2bdf486c1c7a050f125c19435acb396f032 size: 28054
Timestamp: 2055-05-25 18:10:40 (later than the 2013-12-27 analysis date, so the PE header compile timestamp cannot be relied on)
Pdb path: g:\acro_root_at\acrobat\viewer\win\output\acrobat\AcroRd32Info.pdb
Version LegalCopyright: Copyright 1984-2006 Adobe Systems Incorporated and its licensors. All rights reserved.
FileVersion: 8.0.0.2006102200
CompanyName: Adobe Systems Incorporated
ProductName: Adobe Reader
ProductVersion: 8.0.0.2006102200
FileDescription: Adobe Reader 8.0
OriginalFilename: AcroRd32Info.exe
PEhash: 6d5bf5da0fc6110f0d36f9f38f086da3d36745bb
AV msse: Virus:Win32/Virut.K
AV avira: W32/Virut.X
AV mcafee: W32/Madangel.a
AV avg: Win32/Madang.C
AV clamav: Trojan.Downloader.Small-1607

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Serverx ➝
C:\WINDOWS\system32\Serverx.exe\\x00^\\xb9\\x10\\x00\\x06\\x00\\x1c\\x00\\x00\\x00\\x00\\x00\\xdd\\x07\\x0c\\x00\\x06\\x00\\x1c\\x00\\x01\\x00\\t\\x00\\x10\\x00\\x0f\\x00\\x01\\x00\\x00\\x000\\xfe\\x12\\x00\\x00\\x00\\x00\\x00|\\x00\\x00\\x00\\xd0\\xcf\\x90|h\\xfe\\x12\\x00x\\xfe\\x12\\x00\\xd1Wlev]neo]ne\\x1f_ne\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00!^ne|\\x00\\x00\\x00\\x03\\x01\\x00\\x00\\x00\\xe0\\xfd\\x7f\\x03\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x05\\x00\\x00x\\xfe\\x12\\x000\\xae\\x80|t\\xb8me!\\x00\\x00\\x00x\\xff\\x12\\x00\\x88\\xfe\\x12\\x000\\xae\\x80|D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00\\x00\\x00|\\x00\\x00\\x00x\\x06\\x00\\x00\\xc2\\xaa@\\x00
Creates File isignup.exe
Creates File msmsgs.exe
Creates File iedw.exe
Creates File monitor.exe
Creates File setup.exe
Creates File DW20.EXE
Creates File AdobeUpdateManager.exe
Creates File icwconn1.exe
Creates File msnsusii.exe
Creates File C:\WINDOWS\system32\Serverx.exe
Creates File AcroRd32.exe
Creates File DWTRIG20.EXE
Creates File msinfo32.exe
Creates File icwrmind.exe
Creates File reader_sl.exe
Creates File moviemk.exe
Creates File acroaum.exe
Creates File msimn.exe
Creates File Msncli.exe
Creates File wab.exe
Creates File wabmig.exe
Creates File wb32.exe
Creates File Digcore.exe
Creates File Serverx.exe
Creates File inetwiz.exe
Creates File conf.exe
Creates File icwconn2.exe
Creates File instmsiw.exe
Creates File AcroRd32Info.exe
Creates File cb32.exe
Creates File setup50.exe
Creates File sapisvr.exe
Creates File Setup.exe
Creates File oemig50.exe
Creates File icwtutor.exe
Creates File IEXPLORE.EXE
Creates Process C:\WINDOWS\system32\setupx.exe
Creates Process C:\malware.exe
Creates Mutex Angry Angel v3.0

Process
↳ C:\malware.exe

Creates Mutex Angry Angel v3.0

Process
↳ C:\WINDOWS\Explorer.EXE

Process
↳ C:\WINDOWS\system32\setupx.exe

Network Details:


Raw Pcap

Strings
0409
040904E4
102306at
8.0.0.2006102200
AcroRd32Info.exe
Adobe Reader
Adobe Reader 8.0
Adobe Systems Incorporated
API_ADOBE_PUBLIC_KEY
build
BuildInfo
CompanyName
Copyright 1984-2006 Adobe Systems Incorporated and its licensors. All rights reserved.
English
EnglishName
FileDescription
FileVersion
LanguageId
LanguageInfo
LegalCopyright
OriginalFilename
ProductName
ProductVersion
Read
Signature
StringFileInfo
T405_ADOBE_PUBLIC_KEY
Translation
VarFileInfo
VS_VERSION_INFO
031204000000Z
040716000000Z
060919000000Z
061023072956Z0
081203235959Z0W1
091105235959Z0
0http://crl.verisign.com/ThawteTimestampingCA.crl0
131203235959Z0S1
140715235959Z0
2Terms of use at https://www.verisign.com/rpa (c)041.0,
3http://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0
5Digital ID Class 3 - Microsoft Software Validation v21
'6WjB3K~
?7!Op1
8ma_F W
8'.WjB3
.9(sRY
_acmdln
Acrobat Engineering1$0"
AcroRd32.dll
_adjust_fdiv
Adobe Systems, Incorporated0
Adobe Systems, Incorporated1>0<
ADVAPI32.DLL
_amsg_exit
Angry Angel v3.0
      <assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50608.0" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADx
BIB.dll
California1
*cB3{@F
"cd#^Z
_cexit
Class3CA2048-1-430
.Class 3 Public Primary Certification Authority
.Class 3 Public Primary Certification Authority0
CloseHandle
closesocket
_configthreadlocale
connect
_controlfp_s
cR8O)t+
CreateKernelThread
CreateMutexA
CreateRemoteThread
CreateThread
_crt_debugger_hook
==d6|h
@.data
_decode_pointer
DeleteFileA
  </dependency>
  <dependency>
    </dependentAssembly>
    <dependentAssembly>
DllHasRun
__dllonexit
Durbanville1
_encode_pointer
_except_handler4_common
=.exet
FindClose
FindFirstFileA
FindNextFileA
FindWindowA
FreeLibrary
g:\acro_root_at\acrobat\viewer\win\output\acrobat\AcroRd32Info.pdb
GetCommandLineA
GetComputerNameA
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDriveTypeA
gethostbyname
GetLastError
__getmainargs
GetProcAddress
GetStartupInfoA
GetSystemDirectoryA
GetSystemTime
GetSystemTimeAsFileTime
GetTickCount
GetWindow
GetWindowThreadProcessId
HeapSetInformation
>H:RC3
 http://crl.verisign.com/pca3.crl0
"http://crl.verisign.com/tss-ca.crl0
/http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0D
http://ocsp.verisign.com0
http://ocsp.verisign.com0?
https://www.verisign.com/rpa0
https://www.verisign.com/rpa01
http://vguarder.91i.net/user.htm
http://vguarder.bravehost.com/user.htm
.idata
@;Ih9z
_initterm
_initterm_e
InterlockedCompareExchange
InterlockedExchange
_invoke_watson
IsDebuggerPresent
_ismbblead
~JO0P9(
kernel32.dll
KERNEL32.dll
_lclose
_lcreat
_llseek
LoadLibraryA
_lopen
_lread
_lwrite
MessageBoxA
MPR.DLL
MSVCR80.dll
-nj?v)
>N:RC2
_onexit
OpenMutexA
OpenProcess
PA<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
__p__commode
/PDFShell
__p__fmode
pR3BFs
QueryPerformanceCounter
`.rdata
RegisterServiceProcess
RegNotifyChangeKeyValue
RegOpenKeyA
RegQueryValueExA
RegSetValueExA
.reloc
RSDS'R
*s&0B?b
San Jose1$0"
sazOlN:
=.scrt
SendMessageA
Serverx
\Serverx.exe
__set_app_type
SetCurrentDirectoryA
SetFileAttributesA
SetFileTime
SetUnhandledExceptionFilter
\setupx.exe
__setusermatherr
SHELL32.DLL
ShellExecuteA
ShowCursor
socket
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
strstr
sx1}n\
TerminateProcess
TerminateThread
Thawte1
Thawte Certification1
Thawte Timestamping CA0
!This program cannot be run in DOS mode.
This program must be run under Win32
TSA2048-1-530
TSA2048-1-540
%-TW?~
U;AG(C
UnhandledExceptionFilter
_unlock
\updatex.exe
USER32.DLL
V4Xf=`
%VeriSign Class 3 Code Signing 2004 CA
%VeriSign Class 3 Code Signing 2004 CA0
VeriSign, Inc.1
VeriSign, Inc.1/0-
VeriSign, Inc.1+0)
VeriSign, Inc.1705
"VeriSign Time Stamping Services CA
"VeriSign Time Stamping Services CA0
&VeriSign Time Stamping Services Signer0
VeriSign Trust Network1;09
VirtualAllocEx
VWh !@
WaitForSingleObject
{{wEsc
Western Cape1
WideCharToMultiByte
=windtz
WinExec
WinMain
    =winn
WNetCloseEnum
WNetEnumResourceA
WNetOpenEnumA
WriteProcessMemory
WSACleanup
WSAStartup
WSOCK32.DLL
wsprintfA
_XcptFilter
XU5wfKX
:>,Y|)~