Analysis Date: 2013-11-05 08:38:38
MD5: 3c02e510f64f70729f91db79f1116bf2
SHA1: 1cdfe84b12ec08a830704a1bd0e5b4cc18286281

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 31a0135ce13fc87d8241e89632d9c1f6 sha1: 6d714e2134f24c75a3b28b6ac28072f7d61caca2 size: 20480
Section .rsrc: md5: f5fd99a0272d5079f8aed8fbd0cbf4ec sha1: 8fad35b5cc441c4b81bb78194239e98b3c164e90 size: 4608
Timestamp: 2011-07-04 11:16:13
Packer: PECompact 2.5x -> Jeremy Collake
PEhash: 9a4d96b5a74d3cd011b46cff54604a8dfcc2a2b2
AV avg: Clicker.ARSG.dropper
AV avira: TR/Crypt.XPACK.Gen
AV clamav: Win.Trojan.Refroso-2596

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Control Panel\International\nTimes ➝ 66
Creates File: C:\setup.ad
Creates File: C:\setup1.ad
Creates File: C:\WINDOWS\system32\gugprd.dll
Creates File: C:\WINDOWS\system32\setup.ad
Deletes File: C:\setup.ad
Deletes File: C:\setup1.ad
Creates Process: C:\Program Files\Internet Explorer\iexplore.exe http://u.9lwan.com/cj/direct/628635.html
Creates Process: C:\Program Files\Internet Explorer\iexplore.exe http://u.9lwan.com/cj/direct/628546.html
Creates Process: C:\Program Files\Internet Explorer\iexplore.exe http://u.9lwan.com/cj/direct/628546.html
Creates Process: C:\Program Files\Internet Explorer\iexplore.exe http://u.9lwan.com/cj/direct/628546.html
Creates Process: C:\Program Files\Internet Explorer\iexplore.exe http://u.9lwan.com/cj/direct/628635.html
Creates Process: C:\Program Files\Internet Explorer\iexplore.exe http://u.9lwan.com/cj/direct/628635.html
Creates Mutex: DBWinMutex

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe http://u.9lwan.com/cj/direct/628635.html

Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Creates File: PIPE\lsarpc
Creates Mutex: _SHuassist.mtx
Creates Mutex: Shell.CMruPidlList

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe http://u.9lwan.com/cj/direct/628546.html

Creates Mutex: Iexplore.XPExceptionFilter

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe http://u.9lwan.com/cj/direct/628546.html

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore\Type ➝ 4
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links\Order ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore\Type ➝ 3
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore\Type ➝ 4
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: Shell.CMruPidlList
Winsock DNS: u.9lwan.com

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe http://u.9lwan.com/cj/direct/628635.html

Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: _SHuassist.mtx
Creates Mutex: Shell.CMruPidlList

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe http://u.9lwan.com/cj/direct/628546.html

Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: _SHuassist.mtx
Creates Mutex: Shell.CMruPidlList

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe http://u.9lwan.com/cj/direct/628635.html

Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: _SHuassist.mtx
Creates Mutex: Shell.CMruPidlList

Network Details:

DNS: u.9lwan.com
Type: A
60.28.214.9
HTTP GET: http://u.9lwan.com/cj/direct/628546.html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 60.28.214.9:80

Raw Pcap

Strings
h7/29/2011 9:23:00 PM
GetProcAddress
index: 9%X
kernel32.dll
LoaderSvt
LoadLibraryA
PEC2Dbg9Ms
!This program cannot be run in DOS mode.
VirtualAlloc
VirtualFree