Analysis Date: 2015-01-06 13:02:13
MD5: fa52ac5ecfecdab33fbb06cbd7d92942
SHA1: 0831d0fdddbf6a4dd61d9fcc6b64243b1055d7a2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 0bc2ffd32265a08d72b795b18265828d sha1: dd2a446014a37556f39173b802c63a4e46e09366 size: 23552
Section .rdata: md5: f179218a059068529bdb4637ef5fa28e sha1: 6035d27db526131eb0f29aee60cfcdbb5072ed7d size: 4608
Section .data: md5: 975304d6dd6c4a4f076b15511e2bbbc0 sha1: 1f65340672c91ffd0f2583ff104beaece43c7855 size: 1024
Section .ndata: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .rsrc: md5: 40bdbf8508f1c6788f72dc2d97953e22 sha1: 3c03c979c72238ba35bdeb5b12283dab38c0ceaa size: 173568
Timestamp: 2009-12-05 22:50:46
Packer: Nullsoft PiMP Stub -> SFX
PEhash: 06b031c82d74f97da18898011720885557fbc394
IMPhash: 099c0646ea7282d232219f8807883be0
AV 360 Safe: no_virus
AV Ad-Aware: no_virus
AV Alwil (avast): no_virus
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): no_virus
AV BullGuard: no_virus
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: no_virus
AV Eset (nod32): NSIS/TrojanDownloader.Chindo.E
AV Fortinet: W32/Chindo.B!tr.dldr
AV Frisk (f-prot): no_virus
AV F-Secure: no_virus
AV Grisoft (avg): no_virus
AV Ikarus: no_virus
AV K7: no_virus
AV Kaspersky: Downloader.NSIS.Feasu.o:HEUR:Downloader.NSIS.Feasu.heur
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Trojan.Gen.2
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File setup_001.exe
Creates File BaiduPlayerNetSetup_472.exe
Creates File C:\Documents and Settings\Administrator\Local Settings\Temp\nse3.tmp\Inetc.dll
Creates File ins1256858.exe
Creates File PIPE\wkssvc
Creates File C:\Documents and Settings\Administrator\Local Settings\Temp\nse3.tmp\1.ico
Creates File C:\Documents and Settings\Administrator\Local Settings\Temp\nse3.tmp\nsProcess.dll
Creates File 9377mycs_Y_mgaz2_01.exe
Creates File G0828_s_70987.exe
Creates File C:\Documents and Settings\Administrator\Local Settings\Temp\nsj2.tmp
Creates File setup_3386.exe
Creates File C:\Documents and Settings\Administrator\Local Settings\Temp\nse3.tmp\3.ico
Creates File \Device\Afd\AsyncConnectHlp
Creates File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File C:\Documents and Settings\Administrator\Start Menu\Programs\YinsuStart\uninst.lnk
Creates File IQIYIsetup_l_spl004@kb010.exe
Creates File C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File 2345Explorer_329242_silence.exe
Creates File PIPE\lsarpc
Creates File \Device\Afd\Endpoint
Creates File C:\Documents and Settings\Administrator\Local Settings\Temp\nse3.tmp\NSISdl.dll
Creates File PIPE\srvsvc
Creates File WanDouJia_runk4_kb.exe
Creates File C:\Documents and Settings\Administrator\Local Settings\Temp\nse3.tmp\System.dll
Creates File Browser_V3.0.1167.3_r_4279_(Build14091614).exe
Creates File SoHuVA_4.3.0.1-c204900003-ng-nti-s-x.exe
Creates File C:\Program Files\YinsuStart\Uninstall.exe
Creates File F0916_s_30911.exe
Creates File BaiduBrowserOnlineSetupSilent-494-ftn_30000046.exe
Creates File C:\Documents and Settings\Administrator\Desktop\Intrenet Explorer.lnk
Creates File QQBrowser_Setup_Hk_78653.exe
Creates File C:\Documents and Settings\Administrator\Local Settings\Temp\nse3.tmp\i.rar
Deletes File setup_001.exe
Deletes File BaiduPlayerNetSetup_472.exe
Deletes File C:\Documents and Settings\Administrator\Local Settings\Temp\nse3.tmp\Inetc.dll
Deletes File IQIYIsetup_l_spl004@kb010.exe
Deletes File ins1256858.exe
Deletes File 2345Explorer_329242_silence.exe
Deletes File C:\Documents and Settings\Administrator\Local Settings\Temp\nse3.tmp\1.ico
Deletes File 9377mycs_Y_mgaz2_01.exe
Deletes File C:\Documents and Settings\Administrator\Local Settings\Temp\nse3.tmp\NSISdl.dll
Deletes File G0828_s_70987.exe
Deletes File setup_3386.exe
Deletes File WanDouJia_runk4_kb.exe
Deletes File C:\Documents and Settings\Administrator\Local Settings\Temp\nse3.tmp\3.ico
Deletes File C:\Documents and Settings\Administrator\Local Settings\Temp\nse3.tmp\System.dll
Deletes File C:\Documents and Settings\Administrator\Local Settings\Temp\nse3.tmp
Deletes File Browser_V3.0.1167.3_r_4279_(Build14091614).exe
Deletes File SoHuVA_4.3.0.1-c204900003-ng-nti-s-x.exe
Deletes File F0916_s_30911.exe
Deletes File BaiduBrowserOnlineSetupSilent-494-ftn_30000046.exe
Deletes File QQBrowser_Setup_Hk_78653.exe
Deletes File C:\Documents and Settings\Administrator\Local Settings\Temp\nse3.tmp\i.rar
Deletes File C:\Documents and Settings\Administrator\Local Settings\Temp\nsz1.tmp
Creates Mutex c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex YinsuStart
Creates Mutex WininetConnectionMutex
Creates Mutex c:!documents and settings!administrator!cookies!
Creates Mutex c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS xiazai.9377.com
Winsock DNS down.yinyue.fm
Winsock DNS pconline.org.cn
Winsock DNS shadu.baidu.com

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝ NULL
Registry HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Creates File C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File PIPE\lsarpc
Creates File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex _SHuassist.mtx
Creates Mutex Shell.CMruPidlList

Network Details:

HTTP GET http://int.dpool.sina.com.cn/iplookup/iplookup.php
  User-Agent: NSISDL/1.2 (Mozilla)
HTTP GET http://pconline.org.cn/1.ico
  User-Agent: NSIS_Inetc (Mozilla)
HTTP GET http://down.yinyue.fm/open/setup_3386.exe
  User-Agent: NSIS_Inetc (Mozilla)
HTTP GET http://xiazai.9377.com/20140928/9377mycs_Y_mgaz2_01.exe
  User-Agent: NSIS_Inetc (Mozilla)
HTTP GET http://shadu.baidu.com/index/fulldownload/30911
  User-Agent: NSIS_Inetc (Mozilla)
HTTP GET http://w.x.baidu.com/go/full/1/70987
  User-Agent: NSIS_Inetc (Mozilla)
HTTP GET http://dl.p2sp.baidu.com/BaiduPlayerContent/BaiduPlayerNetSetup_472.exe
  User-Agent: NSIS_Inetc (Mozilla)
HTTP GET http://dldir1.qq.com/invc/tt/QQBrowser_Setup_Hk_78653.exe
  User-Agent: NSIS_Inetc (Mozilla)
HTTP GET http://g.quwen320.com/d/ins1256858.exe
  User-Agent: NSIS_Inetc (Mozilla)
HTTP GET http://down2.uc.cn/pcbrowser/down.php?pid=4279
  User-Agent: NSIS_Inetc (Mozilla)
HTTP GET http://soft.lvbaoranshiye.com/SoHuVA_4.3.0.1-c204900003-ng-nti-s-x.rar
  User-Agent: NSIS_Inetc (Mozilla)
HTTP GET http://w.x.baidu.com/go/mini/8/30000046
  User-Agent: NSIS_Inetc (Mozilla)
HTTP GET http://dl.static.iqiyi.com/hz/IQIYIsetup_l_spl004@kb010.exe
  User-Agent: NSIS_Inetc (Mozilla)
HTTP GET http://download.2345.cn/silence/2345Explorer_329242_silence.exe
  User-Agent: NSIS_Inetc (Mozilla)
HTTP GET http://dl.wandoujia.com/files/inst/WanDouJia_runk4_kb.exe
  User-Agent: NSIS_Inetc (Mozilla)
HTTP GET http://s.lllsoo.com/click/66947
  User-Agent: NSIS_Inetc (Mozilla)