Analysis Date: 2015-01-16 06:24:02
MD5: 7d4dae24baf7a70a92112fbdbabe1031
SHA1: 1aedceaad8d6211a4821bef981e8ed844308fd91

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 5169f71757bf78df3f0e888bd01897e7 sha1: 8d69779d1f74dd881f5dd098595a7a9fa1453936 size: 106496
Section .rdata md5: 0c460ad4794449afe0aa9fe925c07ce2 sha1: ab7d6cdd84f77af079d87397658ac4e15169d00c size: 20480
Section .data md5: b8538501c041bd4e57e0a6cfa5db39ed sha1: 4277b39bfaac8c6adf0abb1a2b236c06934d215f size: 12288
Section .rsrc md5: b345b043185ea954ee10c617a6b41200 sha1: b7f6340e51118089f9568519c0f31a4a498d638d size: 4096
Timestamp: 2014-11-21 11:59:52
Version:
LegalCopyright: Copyright (C) 2014
InternalName: Server
FileVersion: 1, 0, 0, 1
ProductName: Server 应用程序
ProductVersion: 1, 0, 0, 1
FileDescription: Server 应用程序
OriginalFilename: Server.exe
Packer: Microsoft Visual C++ ?.?
PEhash: 70601e09904998fa4d2fc44b5710178b675d6bb9
IMPhash: b4027399928538a78465a7050a6a89d7
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Variant.Graftor.165312
AV Alwil (avast): Dropper-gen [Drp]
AV Arcabit (arcavir): Gen:Variant.Graftor.165312
AV Authentium: no_virus
AV Avira (antivir): no_virus
AV BullGuard: Gen:Variant.Graftor.165312
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Gen:Variant.Graftor.165312
AV Eset (nod32): Win32/ServStart.HX
AV Fortinet: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Graftor.165312
AV Grisoft (avg): Win32/DH{gRKBEwNnJ4EQNlCBEQogJCI}
AV Ikarus: no_virus
AV K7: Unwanted-Program ( 004a8e8a1 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: Trojan:Win32/ServStart.gen!A
AV MicroWorld (escan): Gen:Variant.Graftor.165312
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): BScope.Trojan.Win32.Inject.2

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\trfghdfsgfdhgfcgd\Description ➝ utyrfdzvbbxzxd
Creates File: C:\WINDOWS\system32\AliveService.exe
Creates Process: C:\WINDOWS\system32\cmd.exe /c del C:\1AEDCE~1.EXE > nul
Creates Service: werferyhjngf - C:\WINDOWS\system32\AliveService.exe

Process
↳ C:\WINDOWS\system32\cmd.exe /c del C:\1AEDCE~1.EXE > nul

Creates File: nul
Deletes File: C:\malware.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1868

Process
↳ Pid 1152

Process
↳ C:\WINDOWS\system32\AliveService.exe

Creates File: pipe\net\NtControlPipe10
Creates File: \Device\Afd\Endpoint
Creates Mutex: trfghdfsgfdhgfcgd

Network Details:

DNS: www.yxp80.com Type: A ➝ 61.155.149.84
DNS: www.yxp80.com Type: A ➝ 61.155.149.85
DNS: www.yxp80.com Type: A ➝ 222.216.190.69
DNS: www.yxp80.com Type: A ➝ 222.216.190.68
Flows TCP: 192.168.1.1:1031 ➝ 61.155.149.84:8000
Flows TCP: 192.168.1.1:1032 ➝ 61.155.149.84:8000
Flows TCP: 192.168.1.1:1033 ➝ 61.155.149.84:8000
Flows TCP: 192.168.1.1:1034 ➝ 222.216.190.69:8000
Flows TCP: 192.168.1.1:1035 ➝ 222.216.190.69:8000
Flows TCP: 192.168.1.1:1036 ➝ 222.216.190.69:8000

Strings