Analysis Date: 2014-04-22 04:52:03
MD5: 56a36da10bba1fbd5ad1283626f92a56
SHA1: 07bb51b977a3c4e86201d84ccdf33619ceb28db7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section: UPX1 md5: 7e110d970b205025a00aec14bdb4ecd8 sha1: 670ea9a2a598ca82a2bb8f6583c68991326df9f0 size: 17920
Section: .rsrc md5: bd1e97d6c296861747c036490bec28bb sha1: 545d4a5f52dba3c4361f1c4dec6de693052da06f size: 2560
Timestamp: 2008-12-13 06:11:54
Version: InternalName: adclient
FileVersion: 2.00.0045
CompanyName: Microsoft Corporation
ProductName: Microsoft Internet Explorer
ProductVersion: 2.00.0045
OriginalFilename: adclient.exe
Packer: UPX -> www.upx.sourceforge.net
PEhash: bcab8d2c24bf58eb5762b7c470e2672e167635f6
IMPhash: 4d74e511b184f2947da8ec10979fc51a
AV avira: TR/Crypt.CFI.Gen
AV mcafee: AdClicker.p
AV avg: Win32/DH{JVdO}
AV clamav: Trojan.VB-5831

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFF59B.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: \Device\Netbios
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: www.jpgls.com
Winsock URL: http://top.etads.cn/netmen/GetAD.ashx?cpa=1&u=00-00-00-00-00-00
Winsock URL: http://www.jpgls.com/netmen/downer.bin

Network Details:

DNS: cf-protected-www.jpgls.com.cdn.cloudflare.net
Type: A
108.162.196.71
DNS: cf-protected-www.jpgls.com.cdn.cloudflare.net
Type: A
108.162.197.71
DNS: www.jpgls.com
Type: A
DNS: top.etads.cn
Type: A
HTTP GET: http://www.jpgls.com/netmen/downer.bin
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 108.162.196.71:80

Raw Pcap
0x00000000 (00000)   47455420 2f6e6574 6d656e2f 646f776e   GET /netmen/down
0x00000010 (00016)   65722e62 696e2048 5454502f 312e310d   er.bin HTTP/1.1.
0x00000020 (00032)   0a416363 6570743a 202a2f2a 0d0a4163   .Accept: */*..Ac
0x00000030 (00048)   63657074 2d456e63 6f64696e 673a2067   cept-Encoding: g
0x00000040 (00064)   7a69702c 20646566 6c617465 0d0a5573   zip, deflate..Us
0x00000050 (00080)   65722d41 67656e74 3a204d6f 7a696c6c   er-Agent: Mozill
0x00000060 (00096)   612f342e 30202863 6f6d7061 7469626c   a/4.0 (compatibl
0x00000070 (00112)   653b204d 53494520 362e303b 2057696e   e; MSIE 6.0; Win
0x00000080 (00128)   646f7773 204e5420 352e313b 20535631   dows NT 5.1; SV1
0x00000090 (00144)   3b202e4e 45542043 4c522032 2e302e35   ; .NET CLR 2.0.5
0x000000a0 (00160)   30373237 290d0a48 6f73743a 20777777   0727)..Host: www
0x000000b0 (00176)   2e6a7067 6c732e63 6f6d0d0a 436f6e6e   .jpgls.com..Conn
0x000000c0 (00192)   65637469 6f6e3a20 4b656570 2d416c69   ection: Keep-Ali
0x000000d0 (00208)   76650d0a 0d0a                         ve....


Strings
1
1

080404B0
2.00.0045
adclient
adclient.exe
CompanyName
FileVersion
InternalName
Microsoft Corporation
Microsoft Internet Explorer
OriginalFilename
ProductName
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
0&;GY1 pD
0Q<!s	
?2'E;q
2F+Ph4Z)IN
2Q[xd,/'o
3j;4#6
4M\H8(
6?*1`7d
6Cc6/2
 ]}6.OLB
=72[)Go+pmDH]
>7g5]l
7#~_webb
.8$0iN
8RRh%S
?9HN&9dF
?aAbDL
a/frmIE_CPCmod
	a%{UrlKa
b^`q?<l
BxToRig
~ceExi
CM L	+,
Cookie
 'd'$%
D2Function>
#D9Sp'soJ
dXxZVT
E#tg pH!MOk
EVENTm_T
ExitProcess
FF-@<B
fgb=<;p
+FgKn'S(`4
f	o#82
FpFS<+
frameUSHDoc
gb?=!)et
GetProcAddress
!&G#<r
@hKx*gwX 
h r$Cr
ick_If
ie_cpc
iNev3g
IP@ W C@
?jCn."
K 7^r '
kCloylC
KERNEL32.DLL
{KkRf5|
koK%'h
lAllC8<
&leasO
	l@G4WFQ
LoadLibraryA
m'" e3
MethCallEngin
 m'	F&
Mi Cach
Microsoft I
mP<T7T%Qu
MSVBVM60.DLL
!;N3c-z
;{N8K1
[#{nVS
objLink
OMb0S2C'
[ONexNO|
,Opens|6
]pAe:06
`#P<L-Y0D^
'$$pM2r$
"p|m[k
ppHN`+/p
r23p4rU 'Sl5
ReySta
Rich)zi
r#N$lt,F
@@rr!C
@=.rsrc
s'b(IL
_SINK_
<<sm=I
,+:[SV%]s
s&	WKPl:
system32\loca9j
tc?uwnN
'.textg!
!This program cannot be run in DOS mode.
txtLF#
uaA.w3u
URLDow
{Ux'u-
\:;\<v]
#vb6chs.dllJ*.
VB'C:\Pr
VirtualProtect
v/p'x[c
VwCtl.WebB
w- Fi-s\
WINDOWS\
/wm	glGc
wwww;0
wwwwwpp
wwwwww;
wwwwwwws
wwwwwwwww?
wwwwwwwwww
wwwwwwwwwwwL
wwwwwwwwwwwpp
wwwwwwwwwwwpt
x0AxPr!
xJwco8<
XPTPSW
  /y@bT
Y&HHD4
%Y.PPm)
z@7M3z-
Zk4-(#