Analysis Date: 2013-11-07 13:18:51
MD5: 8b9e66679d1361066044562cb82ccfd2
SHA1: 1bc8c46c53b48fa3eafc0bd58ee714101f996f41

Static Details:

PEhash: aa1730887a656d715d5393a9c1d89783163546c6
AV (clamav): Trojan.Crypt-176
AV (avira): TR/Crypt.XPACK.Gen
AV (avg): Pakes.AR

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\frmwrk.exe
Creates Process: C:\WINDOWS\system32\frmwrk.exe

Process
↳ C:\WINDOWS\system32\frmwrk.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\WINDOWS\system32\uniq.tll
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\WINDOWS\system32\antivirusxp.exe
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: onlinenotify.net
Winsock DNS: antivirus-xp-pro2009.com

Process
↳ C:\WINDOWS\system32\antivirusxp.exe

Network Details:

DNS: antivirus-xp-pro2009.com
Type: A
82.98.86.174
DNS: onlinenotify.net
Type: A
HTTP GET: http://antivirus-xp-pro2009.com/cgi-bin/download.pl?code=0000825
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 82.98.86.174:80

Raw Pcap
0x00000000 (00000)   47455420 2f636769 2d62696e 2f646f77   GET /cgi-bin/dow
0x00000010 (00016)   6e6c6f61 642e706c 3f636f64 653d3030   nload.pl?code=00
0x00000020 (00032)   30303832 35204854 54502f31 2e310d0a   00825 HTTP/1.1..
0x00000030 (00048)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000040 (00064)   6570742d 456e636f 64696e67 3a20677a   ept-Encoding: gz
0x00000050 (00080)   69702c20 6465666c 6174650d 0a557365   ip, deflate..Use
0x00000060 (00096)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000070 (00112)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000080 (00128)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000090 (00144)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x000000a0 (00160)   202e4e45 5420434c 5220322e 302e3530    .NET CLR 2.0.50
0x000000b0 (00176)   37323729 0d0a486f 73743a20 616e7469   727)..Host: anti
0x000000c0 (00192)   76697275 732d7870 2d70726f 32303039   virus-xp-pro2009
0x000000d0 (00208)   2e636f6d 0d0a436f 6e6e6563 74696f6e   .com..Connection
0x000000e0 (00224)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....

Strings
00000825
!6 n7o
a4JkdVw=#
!aGYhoAl
bqSAuB
c V5i)
!%D#<5
@.data
+D ,+d
~d*/eN
dgz-iN,
e;%`A&
E	dq1|17*
eme27Kl
$Jn`lm
`'kDHa
L-CwC4
LQ;-L*
l*Q+;w
$[-%lYb.Us
mkFJ#(%t
+olXF/
,oZ1B> lDb
PpvLT>
Qbl93z5?^
QzO'sR
`.rdata
Sd1V7a
!This program cannot be run in DOS mode.
TS!(&M>w
VT#^j$
<>&x$&^
Y!<gZz
y|YGky
z[B\IhDy8