Analysis Date: 2014-03-01 19:57:28
MD5: f1865dda3ff9e085e7da7d4e19d72011
SHA1: 0cb17159a72cf6b37a0715501f8f0cc28fc3127b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: bcefd13d879b5aa1628d5731462b1935  sha1: 5e05fbf6b8bf012397b847cd5d10aee153dc895d  size: 75264
Section .data   md5: 0eb9af4768d13f3fe805922a21fcbf55  sha1: 9665ae9e81ee6c6c0d2193973be588eb90aa031c  size: 2560
Section .idata  md5: 7f9440e32acb299f3bda96288136b63a  sha1: 1d51ab1fb34c6b541f544524a63c3d9d73f566f9  size: 4096
Section .rsrc   md5: 268a04383dbc7e86a53e982e1da21c2c  sha1: 5d008fc03fb658231e94722b64715e90f270a97c  size: 12800
Timestamp: 2005-08-03 16:31:58 (PE header link time; for a RAR SFX this describes the extractor stub, not the embedded payload, and the field is trivially forged — do not use it to date the campaign)
Packer: RAR SFX (self-extracting WinRAR archive; the behaviour recorded below comes from the files it drops, TXPlatform.exe and Systam.exe, neither of which is hashed in this report — extract and hash them separately)
PEhash: 865e2876baa75b3d067df745655e1ef3a3eed45c
IMPhash: a6d1f237a38b6e7d3a48b606fa0d7939 (computed over the SFX stub's import table, so it will likely match benign WinRAR SFX archives built with the same stub — weak as a pivot on its own)
AV (avg): Downloader.Generic9.BFFX
AV (avira): TR/Dldr.Troxen.2150
AV (mcafee): RDN/Downloader.a!nz
AV (msse): TrojanDownloader:Win32/Troxen!rts
AV (msse): Trojan:Win32/Provis!rts

Runtime Details:


Process
↳ C:\malware.exe  (the submitted SFX; "malware.exe" is presumably the sandbox's generic name, the original filename is not recorded here)

Creates File: TXPlatform.exe
Creates File: Systam.exe  (a look-alike of "System.exe"; both dropped files are later executed from C:\WINDOWS\system32, so that is presumably the SFX extraction path)
Creates Process: C:\WINDOWS\system32\Systam.exe

Process
↳ cmd /c ipconfig/all > C:\WINDOWS\system32\macmac.txt  (spawned by TXPlatform.exe, see below; ipconfig /all output includes adapter MAC addresses and DNS/domain settings, i.e. host fingerprinting staged to disk — C:\WINDOWS\system32\macmac.txt is a host IOC)

Creates File: C:\WINDOWS\system32\macmac.txt
Creates Process: ipconfig /all

Process
↳ C:\WINDOWS\system32\Systam.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1  (this ZoneMap value is the "include sites that bypass the proxy in the Local intranet zone" setting; it is commonly written as a side effect of WinINet/IE zone initialisation, so treat it as low-signal unless an API trace shows the sample setting it explicitly)
Creates File: PIPE\wkssvc  (opens the Workstation-service named pipe; consistent with a local RPC query for host/domain information — confirm with an API trace before reading more into it)
Creates Process: "C:\WINDOWS\system32\TXPlatform.exe"
Creates Service: Network Security Agent - C:\WINDOWS\system32\Systam.exe  (persistence as a service with a defender-sounding display name; the service name and the Systam.exe path are the primary host IOCs. No Run-key entry is recorded here, so a Run-key sweep alone would miss this persistence)

Process
↳ "C:\WINDOWS\system32\TXPlatform.exe"  (the network-facing component: the index.dat files, WininetConnectionMutex and the IE5 cache mutexes below are WinINet side effects and line up with the HTTP GETs under Network Details. The name appears to be borrowed from a legitimate Tencent QQ component, so match on path and hash rather than on the filename alone)

Creates File: C:\WINDOWS\system32\runtrue.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\WINDOWS\system32\runcount.txt
Creates File: C:\WINDOWS\system32\qqver.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DF13BA.tmp
Creates Process: cmd /c ipconfig/all > C:\WINDOWS\system32\macmac.txt
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
(runtrue.txt, runcount.txt and qqver.txt in system32 are sample-specific host IOCs; their contents are not captured here — the names suggest run-state bookkeeping and a version check, which is unverified)

Process
↳ ipconfig /all

Winsock DNS: 192.168.254.254  (RFC 1918 address — almost certainly the sandbox's own resolver as reported by ipconfig, not an indicator)

Process
↳ Pid 808  (the bare-PID entries here and below are processes the monitor saw but did not name; nothing in this report attributes them to the sample)

Process
↳ Pid 856

Process
↳ Pid 1024

Process
↳ Pid 1124

Process
↳ Pid 1200

Process
↳ C:\WINDOWS\system32\spoolsv.exe  (print spooler; the registry accesses below look like routine spooler initialisation and are presumably unrelated to the sample)

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1852

Process
↳ Pid 1184

Network Details:

DNS: yd.ecoma.glb0.lxdns.com  Type: A ➝ 209.170.78.77
DNS: yd.ecoma.glb0.lxdns.com  Type: A ➝ 209.170.78.73
DNS: yd.ecoma.glb0.lxdns.com  Type: A ➝ 209.170.78.72
DNS: www.ip138.cn  Type: A ➝ 218.133.22.66
DNS: www.ip138.com  Type: A ➝ (no address recorded; the www.ip138.com flow below goes to 209.170.78.77, so it presumably resolved through the lxdns.com CDN/GSLB name above — do not treat those 209.170.78.x addresses as attacker infrastructure)
HTTP GET: http://www.ip138.com/ips.asp  User-Agent: MyAgent
HTTP GET: http://www.ip138.cn/  User-Agent: MyAgent
Flows: TCP 192.168.1.1:1031 ➝ 209.170.78.77:80
Flows: TCP 192.168.1.1:1032 ➝ 218.133.22.66:80
(ip138.com/.cn are public "what is my IP" services, so both requests look like external-IP discovery rather than C2. The non-browser User-Agent "MyAgent" together with "Cache-Control: no-cache" and no Accept header is the strongest network signature here. No second-stage download is observed in this capture, so the "Downloader" AV names are not confirmed by this run)

Raw Pcap  (two TCP payload excerpts; the second shows the www.ip138.cn request followed by the server's reply, an HTTP 404 from a "Microsoft-IIS/7.0" host — so at least that lookup failed during this run, and any follow-on stage that depends on it may simply not have been reached. The reply to the ips.asp request is not shown.)
0x00000000 (00000)   47455420 2f697073 2e617370 20485454   GET /ips.asp HTT
0x00000010 (00016)   502f312e 310d0a55 7365722d 4167656e   P/1.1..User-Agen
0x00000020 (00032)   743a204d 79416765 6e740d0a 486f7374   t: MyAgent..Host
0x00000030 (00048)   3a207777 772e6970 3133382e 636f6d0d   : www.ip138.com.
0x00000040 (00064)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000050 (00080)   6e6f2d63 61636865 0d0a0d0a            no-cache....

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4d794167   User-Agent: MyAg
0x00000020 (00032)   656e740d 0a486f73 743a2077 77772e69   ent..Host: www.i
0x00000030 (00048)   70313338 2e636e0d 0a436163 68652d43   p138.cn..Cache-C
0x00000040 (00064)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x00000050 (00080)   0d0a0d0a 74657874 2f68746d 6c0d0a44   ....text/html..D
0x00000060 (00096)   6174653a 20536174 2c203031 204d6172   ate: Sat, 01 Mar
0x00000070 (00112)   20323031 34203139 3a33313a 30362047    2014 19:31:06 G
0x00000080 (00128)   4d540d0a 0d0a3c68 746d6c3e 0a20203c   MT....<html>.  <
0x00000090 (00144)   68656164 3e0a2020 20203c74 69746c65   head>.    <title
0x000000a0 (00160)   3e343034 204e6f74 20466f75 6e643c2f   >404 Not Found</
0x000000b0 (00176)   7469746c 653e0a20 203c2f68 6561643e   title>.  </head>
0x000000c0 (00192)   0a20203c 626f6479 3e0a2020 20203c68   .  <body>.    <h
0x000000d0 (00208)   313e4e6f 7420466f 756e643c 2f68313e   1>Not Found</h1>
0x000000e0 (00224)   0a202020 203c703e 596f7572 2062726f   .    <p>Your bro
0x000000f0 (00240)   77736572 2073656e 74206120 72657175   wser sent a requ
0x00000100 (00256)   65737420 74686174 20746869 73207365   est that this se
0x00000110 (00272)   72766572 20636f75 6c64206e 6f742075   rver could not u
0x00000120 (00288)   6e646572 7374616e 642e3c2f 703e0a20   nderstand.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.


Strings  (these appear to come from the WinRAR SFX stub: dialog/resource names, its assembly manifest, its import table, and SFX script keywords such as Presetup, Silent, Overwrite, SavePath and TempMode. The notable sample-specific entries are the dropped-file names Systam.exe and TXPlatform.exe; strings of the payload executables themselves are not in this dump.)
/
 
%
"
\
NYRCN
..._ 
\"
01A0__
\\
\
.
:
.
x

(&A)
about:blank
ASKNEXTVOL
</b> 
 <b>
(&B)...
<br><br> <lI>
b<style>body{font-family:"Arial,
(&C)
(&D)
DVCLAL(
(&E):
";font-size:12;}</style><ul><li>
GETPASSWORD1
hmsctls_progress32
jjjj
(&L)
</lI>
</li><br><br>)<li>
LICENSEDLG	RENAMEDLG
</lI></ul>
(&N)
(&R)
REPLACEFILEDLG
Rs$@
 %s 
"%s"
 %s CRC 
%s CRC 
Shell.Explorer
STARTDLG
(&W)...
 Windows 
WinRAR 
(&Y)
?*<>|"
0&2dH>
 (08@P`p
0R[@u7u
+!0X'3H
0+.*"y9
 18mp^
33!D	3
41iE/I
4<=3gAMN
4k/4eM
4Y_cOW
4Y_cOW	
>59</k
5!E5G8
_@6YS,
72qS\{
^7o"q*
8bL_@Z
AdjustTokenPrivileges
ADVAPI32.DLL
AIEGCD
aof(J:|
AQRPhD
ASKNEXTVOL
Azbgt0F
B,24I)
b2@IVi
B9]Z3q
@b	gck(W
b<;sg[?
*BVrn{X
C,;C$s/
ceQ&^	gdk
CharToOemBuffA
CharUpperA
CloseHandle
CLSIDFromString
CMT	QU
C^NAV&
CoCreateInstance
COMCTL32.DLL
COMDLG32.DLL
CommDlgExtendedError
CompareStringA
CopyRect
CreateDirectoryA
CreateDirectoryW
CreateFileA
CreateFileW
CreateStreamOnHGlobal
CreateWindowExA
|$|;|$d
D$0+D$<
`.data
D$`;D$\}
D$,;D$0u	
&;D$Dr
D$`;D$T
D$`;D$T|
DefWindowProcA
Delete
DeleteFileA
DeleteFileW
DeleteObject
DestroyIcon
DestroyWindow
DialogBoxParamA
DispatchMessageA
&;D$Lw
DosDateTimeToFileTime
D$T;D$\|
dto>W2
;D$Tt\
Ef:SSgzm;$	
EnableWindow
EndDialog
ExitProcess
ExpandEnvironmentStringsA
ExtSign
fbc:N:
FDbE	u
F	;_/f
FFF))EE	FFFF))))))
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileA
FindFirstFileW
FindNextFileA
FindNextFileW
FindResourceA
FindWindowExA
-	fK"m
FR9I|<v
FreeLibrary
g33WwQ
GDI32.DLL
GetClassNameA
GetClientRect
GetCommandLineA
GetCPInfo
GetCurrentDirectoryA
GetCurrentProcess
GetDateFormatA
GetDlgItem
GetDlgItemTextA
GetFileAttributesA
GetFileAttributesW
GetFileType
GetFullPathNameA
GetLastError
GetLocaleInfoA
GetMessageA
GetModuleFileNameA
GetModuleHandleA
GetNumberFormatA
GetOpenFileNameA
GetParent
GETPASSWORD1
GetProcAddress
GetProcessHeap
GetStdHandle
GetSysColor
GetSystemMetrics
GetTempPathA
GetTickCount
GetTimeFormatA
GetVersionExA
GetWindow
GetWindowLongA
GetWindowRect
GetWindowTextA
GlobalAlloc
gwS3	3
gwS37%w`	
hBPh_OH
<head><meta http-equiv="content-type" content="text/html; charset=
HeapAlloc
HeapFree
HeapReAlloc
hf4?N4;'wx
*=H!LB
</html>
<html>
'H/	vm
I84?a2
IB1#24'
.idata
+IfN!!`
-IhK2X
InitCommonControlsEx
Install
IpXN!I
]IQC(;P
IsDBCSLeadByte
IsWindow
IsWindowVisible
-J|5Ka
J9x& 4
JlHTh_)
KERNEL32.DLL
.*?^Kw$7
KX;tfFF|
);l$8u
lE,\Ot
License
LICENSEDLG
L$\)L$T
LoadBitmapA
LoadCursorA
LoadIconA
LoadLibraryA
LoadStringA
LocalFileTimeToFileTime
LookupPrivilegeValueA
LQ56g!
lstrcmpiA
lstrlenA
MapWindowPoints
MessageBoxA
*messages***
+"mIbJ
MoveFileA
MoveFileExA
Mp(	0!
MultiByteToWideChar
\M>V|g
m`vY/M
M>WqOGg
M;Z4s+;Z,s
N4Y_cOW
&nbsp;
N_^[Y]
OemToCharA
OemToCharBuffA
`O/f&Tnx
OjpWS"
oLB~wv
OLE32.DLL
OleInitialize
OleUninitialize
;o$m%0
OOYMl`~
OpenProcessToken
.=oPvLn
Overwrite
'ox :a(u
}P>3k?O
p5PDHc(
PA<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Roshal.WinRAR.WinRAR" type="win32" /> <description>WinRAR archiver.</description> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /> </dependentAssembly> </dependency> </assembly>
PC@=0q
Pd`WLv
PeekMessageA
penc-N
PExLa/
-'p>""o
PostMessageA
	"|P]p
PPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
Presetup
ProgramFilesDir
PsXhhs
Q4ZuF_L
Qaf#zm
q*B8\$
QHK=Dp
QoR)s&
__rar_
RarHtmlClassName
RarSFX
ReadFile
RegCloseKey
RegCreateKeyExA
RegisterClassExA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
RENAMEDLG
REPLACEFILEDLG
riched20.dll
riched32.dll
RichEdit
#Rn	,W
@.rsrc
rtmp%d
:r)tyW
ru:P?t
S1JPMP
SavePath
%s.%d.tmp
SendDlgItemMessageA
SendMessageA
SeRestorePrivilege
SeSecurityPrivilege
SetCurrentDirectoryA
SetDlgItemTextA
SetEndOfFile
SetEnvironmentVariableA
SetFileAttributesA
SetFileAttributesW
SetFilePointer
SetFileSecurityA
SetFileSecurityW
SetFileTime
SetFocus
SetLastError
SetMenu
SetWindowLongA
SetWindowPos
SetWindowTextA
sfxname
SHAutoComplete
SHBrowseForFolderA
SHChangeNotify
SHELL32.DLL
ShellExecuteExA
SHFileOperationA
SHGetFileInfoA
SHGetMalloc
SHGetPathFromIDListA
SHGetSpecialFolderLocation
shlwapi.dll
Shortcut
ShowWindow
sIh$FA
Silent
Software\Microsoft\Windows\CurrentVersion
Software\WinRAR SFX
%s%s%d
%s %s %s
STARTDLG
</style>
<style>
<style>body{font-family:"Arial";font-size:12;}</style>
sWMNL6
Systam.exe
SystemTimeToFileTime
T$0+L$8
TempMode
tfkL$@)
This program must be run under Win32
tKb(Wc
t Kt<Kt[
TranslateMessage
TRTV*+
T$(;T$,
tUpKUU
TXPlatform.exe
u)?	?{
Ub/?zc
uLu{+Z
U_\n*b
UpdateWindow
USER32.DLL
utf-8"></head>
u-V3Iao
v{};KA!
vL}H>T
V#^+mU
vorA'L
Vzx\Ozf!c
WaitForInputIdle
WaitForSingleObject
WideCharToMultiByte
	%Wl%s
WriteFile
wsprintfA
wvsprintfA
Wwgu"'P
WwR"'P
WwS7'u
x5b;58
X"C0D6
XD`3Pv
X-[fP^;
x}w,tX
YNANRC
{<:y&q?	
_^[YY]
:yYO@j[|
$YZ_^[
YZ]_^[
zi	G=Q
#Z&nl8
znrkYC
;Z$sa;Z
_ZTs@l,