Analysis Date: 2014-06-24 11:12:53
MD5: a3d471f94689db2ae38b2a6a0e13d7ba
SHA1: 155cec2f44b432de5d0ee7b4284c71b2b7d8e4d1

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386
Section .text md5: bd3dc78d90e3ece15adefc3f6f1131a8 sha1: ea590b7be65d6dfb95fa8698befd88a18922e692 size: 153088
Section .rdata md5: 1b6d88b22891d51e4a0f51108c0953e0 sha1: 70f7d6e59803b1b10c9bed1a3f577c30f12ff239 size: 1536
Section .data md5: 69797a94e16cedd77da993e417750dbf sha1: 7baf211eeccc23f3cff4e7f9d4e00a808cb05894 size: 38400
Section .imul md5: a0aa577f56d780247551ae89b7e4658e sha1: fef47b6ab36b797c0e406afc98a6b218a7d699e2 size: 512
Timestamp: 2005-10-28 15:57:31
Version PrivateBuild: 1396
PEhash: fd6702b5740d65b2eeca0c394fc389256b82ab7c
IMPhash: ff30fd0cceae65d339d2532a7e95cda3

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Mutex: {4D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {EEEB680D-AE62-4375-B93E-E9AE5FF585C1}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: pdasoftstorage.com
Winsock DNS: 127.0.0.1
Winsock DNS: healthylifenow.com
Winsock DNS: supportminidevices.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Network Details:

DNS: healthylifenow.com (Type: A) ➝ 208.109.208.147
DNS: zonetf.com (Type: A) ➝ 208.73.211.242
DNS: zonetf.com (Type: A) ➝ 208.73.211.163
DNS: zonetf.com (Type: A) ➝ 208.73.211.174
DNS: zonetf.com (Type: A) ➝ 208.73.211.175
DNS: zonetf.com (Type: A) ➝ 208.73.211.193
DNS: supportminidevices.com (Type: A)
DNS: pdasoftstorage.com (Type: A)
HTTP GET: http://healthylifenow.com/templates/7349/images/header_logo.jpg?v79=92&tq=gJ4WK%2FSUh%2FTNhRMw9YLJ%2BMSTUivqg4b0w5JEfqHXarVJ%2BQhhAAQ%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNtX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2F82%2BcoJuX%2BSNxL5ygm1C4lKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows TCP: 192.168.1.1:1031 ➝ 208.109.208.147:80
Flows TCP: 192.168.1.1:1032 ➝ 208.73.211.242:80
