Analysis Date: 2014-07-16 16:38:30
MD5: 3856a86acee29da5772d50ef5d0d03bd
SHA1: 0e4d065a8d47845d699133b012daef187eb3563c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386
Section .text   md5: ffa711567ef6474866c8c5bdcb6049a1  sha1: 550368d5b116cf4aea0c2ed346fee7d6570a8187  size: 178688
Section .rdata  md5: a69e696e956da1345316101aa11cbfad  sha1: 610ff167008b59738452c072ae20d945c1214413  size: 4096
Section .data   md5: 3c8c3c66e3b0c3c0dd8c4e3e404bb194  sha1: d5524b0e414f8f3dc32a8e5f90f6560faa4e6370  size: 23040
Section .tls    md5: df35998b47a3e5fe73b16dba05d5f973  sha1: 1d1d0ef9689e0a948babd790063bb3b8d510d376  size: 512
Timestamp: 2005-10-18 06:21:37 (COFF TimeDateStamp; written by the linker and trivially forged, so treat it as a hint rather than a build date)
Version: PrivateBuild: 1580
PEhash: ba8323fbc22b89c62250383de92b889c41544bc4
IMPhash: 1d1d6d3f42039b4346c4bee456e03ca2
AV  360 Safe                        Trojan.Generic.5502685
AV  Ad-Aware                        Trojan.Generic.5502685
AV  Alwil (avast)                   Cybota [Trj]
AV  Arcabit (arcavir)               no_virus
AV  Authentium                      W32/Goolbot.E.gen!Eldorado
AV  Avira (antivir)                 TR/Crypt.XPACK.Gen
AV  CA (E-Trust Ino)                Win32/Diple.A!generic
AV  CAT (quickheal)                 Backdoor.Cycbot.B
AV  ClamAV                          Win.Trojan.Cycbot-4567
AV  Dr. Web                         BackDoor.Gbot.29
AV  Emsisoft                        Trojan.Generic.5502685
AV  Eset (nod32)                    Win32/Kryptik.LCE
AV  Fortinet                        W32/FraudLoad.MK!tr
AV  Frisk (f-prot)                  W32/Goolbot.E.gen!Eldorado (generic, not disinfectable)
AV  F-Secure                        Trojan.Generic.5502685
AV  Grisoft (avg)                   Cryptic.CFW
AV  Ikarus                          Trojan.Win32.FakeAV
AV  K7                              Backdoor ( 003210941 )
AV  Kaspersky                       Trojan.Win32.Generic
AV  MalwareBytes                    Spyware.Passwords.XGen
AV  Mcafee                          BackDoor-EXI.gen.i
AV  Microsoft Security Essentials   Backdoor:Win32/Cycbot.G
AV  MicroWorld (escan)              Trojan.Generic.5502685
AV  Norman                          winpe/Cycbot.BP
AV  Rising                          no_virus
AV  Sophos                          Mal/FakeAV-IS
AV  Symantec                        Backdoor.Cycbot!gen3
AV  Trend Micro                     BKDR_CYCBOT.SMX
AV  VirusBlokAda (vba32)            no_virus
AV summary: 29 engines queried, 26 detect. The named-family verdicts converge on Cycbot (reported as Gbot or Goolbot by some engines); the rest are generic crypter/packer signatures (Kryptik, Crypt.XPACK, Cryptic) or FakeAV/FraudLoad payload names, consistent with a packed dropper.
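The per-section hashes and the timestamp above are computed from the raw section bytes in the file, not from the mapped image. The script below is an added example (not part of the original report or of the sample) that shows how such a line is derived: it parses the PE section table with the standard library only and hashes each section's on-disk bytes. Because it has to run offline, it builds a constructed minimal PE32 in memory whose section contents and link time are assumptions chosen for the demonstration; only the layout logic carries over to a real binary. Unlike a sandbox, it also records how many bytes were actually hashed, which exposes truncated uploads.

```python
"""Recompute per-section MD5/SHA1/size and the link timestamp from a PE image.

Added example, not from the report: build_sample_pe() fabricates a tiny PE32
so the parser can be exercised without a real (malicious) file.
"""
import hashlib
import struct
from datetime import datetime, timezone

# Constructed section contents (assumptions for the demo, chosen because their
# MD5/SHA1 are widely published and easy to check by hand).
TEXT_BYTES = b"The quick brown fox jumps over the lazy dog"
DATA_BYTES = b"abc"
LINK_TIME = 1129616497  # assumption: seconds since epoch for 2005-10-18 06:21:37 UTC


def build_sample_pe() -> bytes:
    """Assemble a minimal PE32: DOS header, NT headers, 3 section headers, raw data."""
    sections = [  # (name, SizeOfRawData, PointerToRawData)
        (b".text", len(TEXT_BYTES), 0x200),
        (b".data", len(DATA_BYTES), 0x400),
        (b".bss", 0, 0),  # uninitialised data: nothing on disk to hash
    ]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), LINK_TIME, 0, 0, 224, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * 222  # PE32 magic; rest unused here
    hdrs = bytearray(dos + b"PE\0\0" + coff + optional)
    for name, size, ptr in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name, size, 0, size, ptr, 0, 0, 0, 0, 0)
    image = bytearray(0x400 + len(DATA_BYTES))
    image[: len(hdrs)] = hdrs
    image[0x200 : 0x200 + len(TEXT_BYTES)] = TEXT_BYTES
    image[0x400 : 0x400 + len(DATA_BYTES)] = DATA_BYTES
    return bytes(image)


def _nt_header_offset(pe: bytes) -> int:
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew : e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew


def section_hashes(pe: bytes) -> list:
    """Return one dict per section with name, declared size, bytes hashed, md5, sha1.

    Hashes cover the raw on-disk bytes [PointerToRawData, +SizeOfRawData); a file
    cut short yields fewer bytes than declared, which 'hashed' makes visible.
    """
    nt = _nt_header_offset(pe)
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, nt + 4)
    pos = nt + 4 + 20 + opt_size  # first IMAGE_SECTION_HEADER
    out = []
    for _ in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr, *_ = struct.unpack_from("<8sIIIIIIHHI", pe, pos)
        pos += 40
        raw = pe[raw_ptr : raw_ptr + raw_size]
        out.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "size": raw_size,
            "hashed": len(raw),
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
        })
    return out


def link_timestamp(pe: bytes) -> str:
    """Format the COFF TimeDateStamp (UTC) the way the report prints it."""
    nt = _nt_header_offset(pe)
    (ts,) = struct.unpack_from("<I", pe, nt + 8)  # Machine(2) + NumberOfSections(2) precede it
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    sample = build_sample_pe()
    for s in section_hashes(sample):
        print(f"Section {s['name']:<6} md5: {s['md5']} sha1: {s['sha1']} size: {s['size']}")
    print("Timestamp:", link_timestamp(sample))
```

Point the same two functions at `open(path, "rb").read()` for a real sample; if `hashed` is smaller than `size` for any section, the file you were given is not the file the report hashed.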

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {7791C364-DE4E-4000-9E92-9CCAFDDD90DC}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: dlsystemtwo.com
Winsock DNS: 127.0.0.1
Winsock DNS: myfreewirelessnet.com
Winsock DNS: freepatentsonline.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
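Three things in the runtime log above matter more than the rest. The copies named csrss.exe, dwm.exe and conhost.exe live under the user profile, whereas the genuine csrss.exe only runs from %SystemRoot%\system32, and dwm.exe (Vista and later) and conhost.exe (Windows 7 and later) do not exist at all on the Windows XP guest this report was produced on, so all three are look-alike names. The Run value "conhost" is the persistence mechanism, and ProxyEnable being switched to 1 means browser traffic is now routed through whatever proxy the sample configured (the report does not show the ProxyServer value, so that is all that can be said here). The index.dat files, the "c:!documents and settings!...!" mutexes and WininetConnectionMutex are ordinary WinINet cache artefacts of the HTTP request, and PIPE\lsarpc and \Device\Afd\Endpoint are LSA lookup and socket creation respectively; none of those are indicators on their own. The script below is an added example, not part of the report: it encodes those three checks as rules and runs them over an event list transcribed from the Runtime Details above (the tuple format is an assumption of this example, not the sandbox's export format).

```python
"""Behavioural triage over sandbox events.

Added example, not from the report. EVENTS is transcribed from the Runtime
Details section; the rules flag system-binary names outside %SystemRoot%,
Run/RunOnce persistence, and a proxy being switched on.
"""
import ntpath

# Constructed from the report above: (kind, key_or_path, value)
EVENTS = [
    ("registry", r"HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable", "1"),
    ("registry", r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost",
     r"C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe"),
    ("file", r"C:\Documents and Settings\Administrator\Application Data\75DE.FFC", None),
    ("file", r"C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe", None),
    ("process", r"C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe", None),
    ("process", r"C:\Documents and Settings\Administrator\Application Data\dwm.exe", None),
    ("mutex", "{A5B35993-9674-43cd-8AC7-5BC5013E617B}", None),
    ("dns", "dlsystemtwo.com", None),
]

# Image names Windows only ever runs from %SystemRoot%; droppers borrow them so
# the process list looks normal at a glance.
SYSTEM_BINARIES = {"csrss.exe", "dwm.exe", "conhost.exe", "lsass.exe", "smss.exe",
                   "winlogon.exe", "services.exe", "svchost.exe", "explorer.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows")
AUTORUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
PROXY_ENABLE = "\\internet settings\\proxyenable"


def is_masquerade(path: str) -> bool:
    """True for a Windows system binary name that lives outside %SystemRoot%."""
    p = ntpath.normpath(path).lower()  # ntpath handles Windows paths on any host
    if ntpath.basename(p) not in SYSTEM_BINARIES:
        return False
    d = ntpath.dirname(p)
    return not any(d == s or d.startswith(s + "\\") for s in SYSTEM_DIRS)


def triage(events) -> list:
    """Return (rule, detail) findings, in event order."""
    findings = []
    for kind, target, value in events:
        if kind in ("file", "process") and is_masquerade(target):
            findings.append(("masquerade", target))
        elif kind == "registry":
            key = target.lower()
            if any(k in key for k in AUTORUN_KEYS):
                findings.append(("persistence", f"{target} -> {value}"))
                if value and is_masquerade(value):  # autorun target is itself a look-alike
                    findings.append(("masquerade", value))
            if key.endswith(PROXY_ENABLE) and value == "1":
                findings.append(("proxy_enabled", target))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(EVENTS):
        print(f"{rule:<14} {detail}")
```

On a live host the same rules apply to `Get-Process | Select Path` and the Run keys under both HKLM and HKCU; the name list is deliberately short, so extend it with whatever your baseline says never runs from a profile directory.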

Network Details:

DNS: freepatentsonline.com  Type: A  ➝ 144.202.252.20
DNS: myfreewirelessnet.com  Type: A  (no address recorded)
DNS: dlsystemtwo.com  Type: A  (no address recorded)
HTTP GET: http://freepatentsonline.com/images/pdf.jpg?v31=7&tq=gJ4WK%2FSUh5zAhRMw9YLJkMSTUivqg4acw5NEfqHUarVJ%2BQhhaGE%3D
  User-Agent: mozilla/2.0
Flows: TCP 192.168.1.1:1031 ➝ 144.202.252.20:80

Raw Pcap
0x00000000 (00000)   47455420 2f696d61 6765732f 7064662e   GET /images/pdf.
0x00000010 (00016)   6a70673f 7633313d 37267471 3d674a34   jpg?v31=7&tq=gJ4
0x00000020 (00032)   574b2532 46535568 357a4168 524d7739   WK%2FSUh5zAhRMw9
0x00000030 (00048)   594c4a6b 4d535455 69767167 34616377   YLJkMSTUivqg4acw
0x00000040 (00064)   354e4566 71485561 72564a25 32425168   5NEfqHUarVJ%2BQh
0x00000050 (00080)   68614745 25334420 48545450 2f312e30   haGE%3D HTTP/1.0
0x00000060 (00096)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000070 (00112)   6f73650d 0a486f73 743a2066 72656570   ose..Host: freep
0x00000080 (00128)   6174656e 74736f6e 6c696e65 2e636f6d   atentsonline.com
0x00000090 (00144)   0d0a4163 63657074 3a202a2f 2a0d0a55   ..Accept: */*..U
0x000000a0 (00160)   7365722d 4167656e 743a206d 6f7a696c   ser-Agent: mozil
0x000000b0 (00176)   6c612f32 2e300d0a 0d0a                la/2.0....
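The only connection that completed is the GET above: an HTTP/1.0 request with Connection: close, a bare lower-case "mozilla/2.0" User-Agent that no browser sends, a path that looks like a static image, and a tq parameter that is URL-encoded base64 of an opaque 38-byte blob. Those traits are what a network signature should key on, not the hostname, since the two other domains never resolved. The script below is an added example, not part of the report or of the sample: it rebuilds the request from the Raw Pcap hex dump copied from above, parses it, and applies those three checks; the rule thresholds and the "Mozilla/[45].0 (" browser pattern are assumptions of this example.

```python
"""Rebuild the beacon from the report's hex dump and triage it.

Added example, not from the report. HEXDUMP is the Raw Pcap block above,
copied verbatim; everything else is parsing and rule logic.
"""
import base64
import re
from urllib.parse import parse_qs, urlsplit

HEXDUMP = """\
0x00000000 (00000)   47455420 2f696d61 6765732f 7064662e   GET /images/pdf.
0x00000010 (00016)   6a70673f 7633313d 37267471 3d674a34   jpg?v31=7&tq=gJ4
0x00000020 (00032)   574b2532 46535568 357a4168 524d7739   WK%2FSUh5zAhRMw9
0x00000030 (00048)   594c4a6b 4d535455 69767167 34616377   YLJkMSTUivqg4acw
0x00000040 (00064)   354e4566 71485561 72564a25 32425168   5NEfqHUarVJ%2BQh
0x00000050 (00080)   68614745 25334420 48545450 2f312e30   haGE%3D HTTP/1.0
0x00000060 (00096)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000070 (00112)   6f73650d 0a486f73 743a2066 72656570   ose..Host: freep
0x00000080 (00128)   6174656e 74736f6e 6c696e65 2e636f6d   atentsonline.com
0x00000090 (00144)   0d0a4163 63657074 3a202a2f 2a0d0a55   ..Accept: */*..U
0x000000a0 (00160)   7365722d 4167656e 743a206d 6f7a696c   ser-Agent: mozil
0x000000b0 (00176)   6c612f32 2e300d0a 0d0a                la/2.0....
"""

# offset, (decimal offset), then up to four 8-hex-digit words; the ASCII column
# is ignored. A line whose ASCII column starts with a hex-looking word would
# need offset bookkeeping instead of this regex.
_LINE = re.compile(r"^0x[0-9a-fA-F]+\s+\(\d+\)\s+((?:[0-9a-fA-F]{2,8}(?:\s+|$)){1,4})")


def hexdump_to_bytes(dump: str) -> bytes:
    out = bytearray()
    for line in dump.splitlines():
        m = _LINE.match(line.strip())
        if m:
            out += bytes.fromhex("".join(m.group(1).split()))
    return bytes(out)


def parse_request(raw: bytes) -> dict:
    """Split an HTTP request into method/target/version, lower-cased headers, query."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, val = h.partition(":")
        headers[name.strip().lower()] = val.strip()
    url = urlsplit(target)
    return {"method": method, "target": target, "version": version, "path": url.path,
            "query": parse_qs(url.query), "headers": headers, "body": body}


def try_base64(value: str):
    """Decode standard base64 (the form left after URL-decoding) or return None."""
    if len(value) < 8 or len(value) % 4:
        return None
    try:
        return base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None


def triage_request(req: dict) -> list:
    findings = []
    ua = req["headers"].get("user-agent", "")
    # Assumption: real browsers announce "Mozilla/5.0 (<platform>...)"; a bare
    # lower-case token is a hand-rolled WinINet client.
    if not re.match(r"^Mozilla/[45]\.0 \(", ua):
        findings.append(("suspicious_user_agent", ua))
    for name, values in req["query"].items():
        for v in values:
            blob = try_base64(v)
            if blob is not None and any(b < 0x20 or b > 0x7E for b in blob):
                findings.append(("opaque_binary_parameter", f"{name}: {len(blob)} bytes"))
    if req["version"] == "HTTP/1.0" and req["headers"].get("connection", "").lower() == "close":
        findings.append(("http10_one_shot", req["target"]))
    return findings


if __name__ == "__main__":
    req = parse_request(hexdump_to_bytes(HEXDUMP))
    for rule, detail in triage_request(req):
        print(f"{rule:<24} {detail}")
```

The decoded tq bytes are left alone on purpose: the page gives no key or format for them, and a 38-byte high-entropy blob is a fingerprint for the signature, not something to guess at.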


Strings
R....*@.tMR.
Y.#
=....
G......|..g.,i
.. 
..
..
....9.
0
j<.U..D....y5.G
.A
...s....<
.`D
...
.
..G.S.2
.Wi.`..%
...
g[8..+.
..
'..b...
...P..
H.>...5=).'.
......C../..<.9
...
!Q
f.......E....
040904b0
1580
D$'3
Fd$R
gfes
PrivateBuild
StringFileInfo
TIMES NEW ROMAN
Translation
VarFileInfo
VS_VERSION_INFO
<:)/>;
3+%~Z/}
_~{4jY
56Mt~h
}8=._@
88i<l}
8=ik!z\L)
8lBCVA
8u(Vw8r
,;(|-9
9[bD<u
ADVAPI32.dll
aJ0^V9
|\bIHa
BindMoniker
CloseHandle
CM_Get_DevNode_Status
CMP_WaitNoPendingInstallEvents
CoCreateInstance
CoInitialize
CompareStringA
CoTaskMemAlloc
CoTaskMemFree
CoUninitialize
CreateBindCtx
CreateDialogParamA
CreateDIBitmap
CreateDirectoryA
CreateEventA
CreateFiberEx
CreateFileA
CreateItemMoniker
CreateMutexA
CreateProcessA
CreateSemaphoreA
CreateThread
CryptCreateHash
CryptDestroyHash
CryptDestroyKey
CryptEncrypt
CryptGetHashParam
CryptHashData
CryptImportKey
CryptReleaseContext
cs8[;;
CS\gTV4+
@.data
DefineDosDeviceA
DeleteCriticalSection
DeleteFileA
DestroyWindow
DeviceIoControl
'DEx `
dF9D<EF8
DispatchMessageA
&?e54FY
eC0Ss?
-e-D`+
EnterCriticalSection
EnumResourceNamesW
FlushFileBuffers
FlushInstructionCache
\FmCEW
fn.#q]\
FreeLibrary
GDI32.dll
GetACP
GetAdaptersInfo
GetBestInterface
GetComputerNameA
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetDesktopWindow
GetDevicePowerState
GetDiskFreeSpaceA
GetFileAttributesA
GetLastError
GetLocaleInfoA
GetLocalTime
GetModuleFileNameA
GetModuleHandleA
GetPrivateProfileStringA
GetQueueStatus
GetRunningObjectTable
GetSystemDirectoryA
GetSystemInfo
GetSystemTime
GetTempPathA
GetThreadPriority
GetTickCount
GetUserNameA
GetVersion
GetVersionExA
GetWindowsDirectoryA
GlobalMemoryStatus
[GQ^>ERg
h5TyIF
=h?,m:Tg
\}[)i/
:i2b(sg
II(^YR
ijOxwA
InitializeCriticalSection
InterlockedDecrement
InterlockedExchange
InterlockedIncrement
InternetCloseHandle
InternetOpenA
InternetOpenUrlA
InternetReadFile
iphlpapi.dll
IsBadReadPtr
IsBadWritePtr
J54t{,Z
jH(7=g
JRichu
-.KAoB
KERNEL32.dll
kF$M<<j
L77UI%
LeaveCriticalSection
_(l=HH
_llseek
LoadLibraryA
LoadLibraryExA
LocalAlloc
LocalFree
lstrlenA
lX^w+3
|m(nNQ
MsgWaitForMultipleObjects
/n4M4{
N+`<4u^
nw2Xwe
N <#xB
nzhU'sd
o7<?.Zq
ole32.dll
o=lm92
.oMn7o9#
OutputDebugStringA
oXIq8&
p6W!;[{{7G,u
.PboVD`~?
P(c	oQ
PeekMessageA
PostThreadMessageA
q fN507
QueryDosDeviceA
QueryPerformanceCounter
`.rdata
ReadFile
RealGetWindowClassA
RegCloseKey
RegCreateKeyExA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
RegisterWindowMessageA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
ReleaseDC
ReleaseMutex
ResetEvent
SendARP
SetEvent
SetLastError
SetThreadPriority
SETUPAPI.dll
SetupDiGetDeviceRegistryPropertyW
SHELL32.dll
SHGetSpecialFolderPathA
SHGetSpecialFolderPathW
ShowWindow
S@l)`Aa
StgCreateDocfile
StgIsStorageFile
StgOpenStorage
StringFromGUID2
!This program cannot be run in DOS mode.
timeGetTime
timeSetEvent
ulr@#x_
USER32.dll
VirtualAlloc
VirtualFree
VirtualQuery
v'nFB}
WaitForMultipleObjects
WaitForSingleObject
w>h/O?
WININET.dll
WINMM.dll
~:W~,K
~w}L=b
WriteFile
wsprintfA
wvsprintfA
wVT}IF
X5u.J.9%
_ !(XA
x~c CX
X)G:]Ktb6tOf
(*X)/|!I
xo5W}?r
YaI_7 I!
YJ8IuD
yXX~,5