Analysis Date: 2014-09-10 20:48:28
MD5: 18a1e0cec7487d041008e8fb810a5d19
SHA1: 15fc15a818b7029661c155558c4dc1cdbc2dd7df

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE — md5: 74ec36577abe120231fff09388fe0a05 sha1: bdfe46fc28e9286040b7564e004e8c2f9868e1c2 size: 11776
Section DATA — md5: 4bbcc87e890b97aeebcf3fa383b84c3f sha1: 260c3fa3871dfde1741fb530c2e25c3df7cd85ba size: 61440
Section BSS — md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata — md5: 8da36ace83b05595e77fddf03fa43489 sha1: a88dabad521cd4c415d4a7e4a3101beb271f421f size: 1024
Section .edata — md5: 2a9d0698bf11fb1831518a2b36f6e8d4 sha1: 3ff687c3b6562bc37f2704debaa60df3f6c3cc18 size: 512
Section .reloc — md5: d0963cd7e08df78c8e893f9a85a4a1f1 sha1: 9c8befa0a363d167eaa7b855fdfa185eb07f542b size: 512
Section .rsrc — md5: 767b0600d1dc835bf5697767275b1900 sha1: 1faa5d8d76a340d58e644f0d0e74c343f7e47c90 size: 1024
Timestamp: 1992-06-19 22:22:17
PEhash: 2eec63bba9eeb557db4644226dce4896fbe0392e
IMPhash: 3ab9d66a09c911ad05edffd659c13b6b

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1806 ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: "C:\WINDOWS\system32\cmd.exe" /q /c "C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat" > nul 2> nul
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ "C:\WINDOWS\system32\cmd.exe" /q /c "C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat" > nul 2> nul

Creates File: nul
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat
Deletes File: C:\malware.exe

Network Details:

DNS: repubblica.it
Type: A
213.92.16.101
DNS: seesaa.net
Type: A
59.106.28.139
DNS: seesaa.net
Type: A
59.106.98.139
DNS: yelp.com
Type: A
198.51.132.60
DNS: yelp.com
Type: A
198.51.132.160
DNS: flipdog.in
Type: A
DNS: grindbuzzchat.in
Type: A


Strings
.....
.
.v...1]#a.r....
.

{|1~
. 3R
admparse.dll
$e`L
Ew C
h8q#
H"fC
{_J|
k"5{
k9g=
kernel32.dll
lhlb
NY	Z
N'Z 
oga{t
O^U7
pOPA
(~W 
]@Z@
(=_______=)
0)1b3g3m3s3y3
1e4815cb
'3~&&&
3&3.363>3F3N3V3^3f3n3v3~3
=!='=-=3=9=?=E=K=Q=W=]=c=i=
4l.KL;	
=%=,=4=;=P=w=~=
736545033
9o:v:1;8;
AbortPrinter
ActivateActCtx
  </application> 
  <application> 
</assembly>
   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Windows - Setup UAC" type="win32"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
CE]DHL
</compatibility> 
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> 
CopyFileExA
CreateHardLinkW
DeleteFiber
DeletePortW
<>@>D>H>L>P>T>X>d>h>l>
.edata
EnumJobsW
ExcludeUpdateRgn
FA Y)5
FindCloseChangeNotification
"Fucking leechers and ripers SUCK!
GetDlgItem
GetExitCodeThread
GetLocaleInfoA
GetOverlappedResult
GetPrinterDataW
GetProcAddress
GetScrollPos
GetWindowContextHelpId
GlobalAlloc
GlobalFree
=h2~)t
.idata
j2hL0@
>/>J>W>i>u>F?M?
kernel32.dll
LoadLibraryW
O@JYY]
PeekMessageW
P.reloc
P.rsrc
            <requestedExecutionLevel level="highestAvailable"/> 
         </requestedPrivileges>
         <requestedPrivileges>
      </security>
      <security>
SetKeyboardState
SetThreadPriority
SetWindowsHookA
shlwapi.dll
SHRegDeleteUSValueA
SHRegEnumUSKeyW
SHRegQueryInfoUSKeyW
SplDriverUnloadComplete
StrCpyNW
StrFormatByteSize64A
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> 
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> 
    <!--The ID below indicates application support for Windows 7 --> 
    <!--The ID below indicates application support for Windows Vista --> 
This program must be run under Win32
TlsAlloc
ToAsciiEx
   </trustInfo>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
)uc%&&&
user32.dll
VirtualAllocEx
winspool.drv
xmax.exe
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>