Analysis Date: 2014-09-06 01:06:44
MD5: 453dd9684702ca4f97cda6075357ea04
SHA1: 113a86769f476874bc88617634eff2068bbd7a13

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1 md5: 87fcbbe578930946d1df9f8a0107a237 sha1: 1abd707c8535f7e4147fee9f6dbe94e6ca98fc9c size: 44032
Section UPX2 md5: 6ee1402edcc0ca9f30a6db475299a62e sha1: c6c8b065e8a85868c3ec701a5b359eaaebbd2acc size: 512
Timestamp: 2004-03-19 08:58:54
Packer: UPX -> www.upx.sourceforge.net
PEhash: e4aa3c470b5ed6121bcb5f7c6d52d70fad258412
IMPhash: c7ecd1a0a4200634e300116dcad86d0d

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\msgfixed.exe
Creates Process: C:\WINDOWS\system32\msgfixed.exe
Creates Mutex: jop

Process
↳ C:\WINDOWS\system32\msgfixed.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Msg Fixage ➝
msgfixed.exe\\x00\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Msg Fixage ➝
msgfixed.exe\\x00\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Msg Fixage ➝
msgfixed.exe\\x00\\x00
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Mutex: jop

Network Details:

DNS: irc.abjects.net
Type: A
62.210.211.122
DNS: irc.abjects.net
Type: A
91.217.189.77
DNS: irc.abjects.net
Type: A
94.23.42.81
DNS: irc.abjects.net
Type: A
192.186.136.206
DNS: irc.abjects.net
Type: A
192.241.89.206
DNS: irc.abjects.net
Type: A
195.154.6.113
DNS: irc.abjects.net
Type: A
37.59.41.117
DNS: irc.abjects.net
Type: A
37.59.60.133
DNS: r0x.myvnc.com
Type: A (no resolved address recorded)
DNS: irc.freshirc.com
Type: A (no resolved address recorded)
Flows TCP: 192.168.1.1:1031 ➝ 62.210.211.122:6667
Flows TCP: 192.168.1.1:1033 ➝ 62.210.211.122:6667
Flows TCP: 192.168.1.1:1034 ➝ 62.210.211.122:6667
Flows TCP: 192.168.1.1:1035 ➝ 62.210.211.122:6667
Flows TCP: 192.168.1.1:1036 ➝ 62.210.211.122:6667
Flows TCP: 192.168.1.1:1037 ➝ 62.210.211.122:6667
Flows TCP: 192.168.1.1:1038 ➝ 62.210.211.122:6667
Flows TCP: 192.168.1.1:1039 ➝ 62.210.211.122:6667
Flows TCP: 192.168.1.1:1040 ➝ 62.210.211.122:6667
Flows TCP: 192.168.1.1:1041 ➝ 62.210.211.122:6667
Flows TCP: 192.168.1.1:1042 ➝ 62.210.211.122:6667
Flows TCP: 192.168.1.1:1044 ➝ 62.210.211.122:6667
Flows TCP: 192.168.1.1:1045 ➝ 62.210.211.122:6667

Raw Pcap
0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d373238   NICK [KuanG]-728
0x00000010 (00016)   37333938 30310d0a 55534552 205b4b75   739801..USER [Ku
0x00000020 (00032)   616e475d 2d303535 34373032 37322030   anG]-055470272 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 37323837    0 :[KuanG]-7287
0x00000040 (00064)   33393830 310d0a                       39801..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d343935   NICK [KuanG]-495
0x00000010 (00016)   30363138 35360d0a 55534552 205b4b75   061856..USER [Ku
0x00000020 (00032)   616e475d 2d333536 32353436 32342030   anG]-356254624 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 34393530    0 :[KuanG]-4950
0x00000040 (00064)   36313835 360d0a                       61856..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d323431   NICK [KuanG]-241
0x00000010 (00016)   35373735 30300d0a 55534552 205b4b75   577500..USER [Ku
0x00000020 (00032)   616e475d 2d323431 35373735 30302030   anG]-241577500 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 32343135    0 :[KuanG]-2415
0x00000040 (00064)   37373530 300d0a                       77500..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d363630   NICK [KuanG]-660
0x00000010 (00016)   32343131 35330d0a 55534552 205b4b75   241153..USER [Ku
0x00000020 (00032)   616e475d 2d343039 34313632 34332030   anG]-409416243 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 36363032    0 :[KuanG]-6602
0x00000040 (00064)   34313135 330d0a                       41153..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d313631   NICK [KuanG]-161
0x00000010 (00016)   30303537 30350d0a 55534552 205b4b75   005705..USER [Ku
0x00000020 (00032)   616e475d 2d333136 37353730 31372030   anG]-316757017 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 31363130    0 :[KuanG]-1610
0x00000040 (00064)   30353730 350d0a                       05705..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d353631   NICK [KuanG]-561
0x00000010 (00016)   38373033 35380d0a 55534552 205b4b75   870358..USER [Ku
0x00000020 (00032)   616e475d 2d353631 38373033 35382030   anG]-561870358 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 35363138    0 :[KuanG]-5618
0x00000040 (00064)   37303335 380d0a                       70358..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d393033   NICK [KuanG]-903
0x00000010 (00016)   36363938 31320d0a 55534552 205b4b75   669812..USER [Ku
0x00000020 (00032)   616e475d 2d313738 31313031 32342030   anG]-178110124 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 39303336    0 :[KuanG]-9036
0x00000040 (00064)   36393831 320d0a                       69812..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d373737   NICK [KuanG]-777
0x00000010 (00016)   38373537 37360d0a 55534552 205b4b75   875776..USER [Ku
0x00000020 (00032)   616e475d 2d373737 38373537 37362030   anG]-777875776 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 37373738    0 :[KuanG]-7778
0x00000040 (00064)   37353737 360d0a                       75776..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d313738   NICK [KuanG]-178
0x00000010 (00016)   38343933 30380d0a 55534552 205b4b75   849308..USER [Ku
0x00000020 (00032)   616e475d 2d313738 38343933 30382030   anG]-178849308 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 31373838    0 :[KuanG]-1788
0x00000040 (00064)   34393330 380d0a                       49308..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d373036   NICK [KuanG]-706
0x00000010 (00016)   34383934 31310d0a 55534552 205b4b75   489411..USER [Ku
0x00000020 (00032)   616e475d 2d363635 36373433 30312030   anG]-665674301 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 37303634    0 :[KuanG]-7064
0x00000040 (00064)   38393431 310d0a                       89411..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d313137   NICK [KuanG]-117
0x00000010 (00016)   32363330 36350d0a 55534552 205b4b75   263065..USER [Ku
0x00000020 (00032)   616e475d 2d333532 39393532 37372030   anG]-352995277 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 31313732    0 :[KuanG]-1172
0x00000040 (00064)   36333036 350d0a                       63065..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d343136   NICK [KuanG]-416
0x00000010 (00016)   39333736 31380d0a 55534552 205b4b75   937618..USER [Ku
0x00000020 (00032)   616e475d 2d373731 36363938 32392030   anG]-771669829 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 34313639    0 :[KuanG]-4169
0x00000040 (00064)   33373631 380d0a                       37618..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d333134   NICK [KuanG]-314
0x00000010 (00016)   32353835 38340d0a 55534552 205b4b75   258584..USER [Ku
0x00000020 (00032)   616e475d 2d323732 34343334 35322030   anG]-272443452 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 33313432    0 :[KuanG]-3142
0x00000040 (00064)   35383538 340d0a                       58584..


Strings
..
.
..
.

.01	+":
}05>'/
||@!5i
* 6A3K
!6B+D`I
<6p,+A
7w}0U^?u
8Td>|G
8\y_tX
9l$\w_
!a36x@
ADVAPI32.dll
Aj%/?t
ATtHS\
[b5/#z
bo#az)1
c7K+h"
CD!X`o:
];cGYy
D5_I<Dw7
.)D$H)
dk/hJ8}
dkyM("
D$t+D$\
D$t#D$h
.d`zabRm
'e{9&=
ExitProcess
EYfKu1.*
FFShnW
)f}g:K
FindWindowA
f;swjl
GetProcAddress
H|J5q5
"HN5d@|
}I,5^>
I&AeEv
iaMDev
InternetOpenA
KERNEL32.DLL
ks7Zbc
|Lh/h;/
LoadLibraryA
l{W@Y2
m;AKis
MPR.dll
nA1}*%
.%of4FF
o@{tOi
P-:>cW 
]+py C
q+:9rp
R24!:?
RegCloseKey
+r}j-'-K
s@:3'{
SHELL32.dll
ShellExecuteA
 s}{hfQJ
s`)L$4
#sV_:=
!swj9V
T:F.MM
!This program cannot be run in DOS mode.
t$t#t$l
USER32.dll
`v]C]PT9
VirtualAlloc
VirtualFree
VirtualProtect
vn7j!`
Vz0]|L
WININET.dll
WNetAddConnection2A
WS2_32.dll
:XAHQ$
X);	C$
}XEFk|
XPTPSW
yCDa`Gv
y"E(RA
-Y!G}Q:
z6stSn
z_-|F=U
|Zn#C T