Analysis Date: 2014-12-15 18:11:54
MD5: 0c0e627d0e99e6d3efa7be0fab88bea2
SHA1: 1f3447b83410e5192ed15e7354ad9fd8761e27e1

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .code  md5: d2a70550489de356a2cd6bfc40711204  sha1: 02ec1f60b2e76741dd9848ac432057ff9d58d750  size: 3072
Section .text  md5: 09e3e4dcfa8868171ce6d4b368e9779b  sha1: 9ff26dd1d886aa39cd3ee07a88c0d2379c9ed91f  size: 96768
Section .rsrc  md5: a6822b393fc8780213ba6fb114393023  sha1: f99a0d0b8241bbd283e9fd4b13182142cd8476e0  size: 4790
Timestamp (PE header compile time): 2008-09-24 13:45:25
PEhash: fab897a2cf7e90efe936c4882a03daee4f802114
IMPhash: 5ce554e776a4869c65a52caa7722537d
AV 360 Safe: Packer.Malware.NSAnti.1
AV Ad-Aware: Packer.Malware.NSAnti.1
AV Alwil (avast): Gamona [Trj]
AV Arcabit (arcavir): Packer.Malware.NSAnti.1
AV Authentium: W32/Packed.Krap.A!Eldorado
AV Avira (antivir): TR/Onlinegames.aldv
AV BullGuard: Packer.Malware.NSAnti.1
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Win32.Packed.Krap.b.3
AV ClamAV: Trojan.Magania-8029
AV Dr. Web: Trojan.PWS.Wsgame.4983
AV Emsisoft: Packer.Malware.NSAnti.1
AV Eset (nod32): Win32/PSW.OnLineGames.NMY
AV Fortinet: W32/OnlineGames!tr
AV Frisk (f-prot): W32/Packed.Krap.A!Eldorado
AV F-Secure: Packer.Malware.NSAnti.1
AV Grisoft (avg): PSW.OnlineGames_r.X
AV Ikarus: Packed.Win32.Krap
AV K7: Trojan ( 00004eab1 )
AV Kaspersky: Packed.Win32.Krap.b
AV MalwareBytes: no_virus
AV Mcafee: Generic.dx!0C0E627D0E99
AV Microsoft Security Essentials: Worm:Win32/Taterf.B
AV MicroWorld (escan): Packer.Malware.NSAnti.1
AV Rising: Trojan.PSW.Win32.GameOL.yil
AV Sophos: Mal/EncPk-IG
AV Symantec: W32.Gammima
AV Trend Micro: Mal_Nsanti-9
AV VirusBlokAda (vba32): no_virus

26 of the 29 engines flag the file. The names split between the packer (NSAnti, Krap, EncPk) and the payload family (OnlineGames/Gammima/Magania/Taterf, a game-credential password stealer; PSW and PWS in the vendor names mean password stealer).

Runtime Details:

Process
↳ C:\malware.exe

Registry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\KAVsys\Type ➝ 1
Registry HKEY_CURRENT_USER\SoftWare\Microsoft\Windows\CurrentVersion\Run\tasoft ➝ C:\WINDOWS\system32\kxvo.exe
Creates File C:\WINDOWS\system32\kxvo0.dll
Creates File C:\WINDOWS\system32\drivers\klif.sys
Creates File C:\WINDOWS\system32\kxvo.exe
Deletes File C:\WINDOWS\system32\drivers\klif.sys

Service Type 1 is SERVICE_KERNEL_DRIVER, so the KAVsys service registers the dropped klif.sys as a kernel driver; klif.sys is also the file name of Kaspersky's legitimate filter driver, and the dropped copy is deleted again within the trace, so a disk scan taken afterwards will not find it. The Run value tasoft gives kxvo.exe per-user autostart persistence.

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File PIPE\lsarpc
Creates File \Device\Afd\Endpoint
Creates File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex WininetConnectionMutex
Creates Mutex c:!documents and settings!administrator!cookies!
Creates Mutex c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS csj0o.com
Winsock URL http://csj0o.com/xjj/ff1.rar

The index.dat writes, the lsarpc and Afd handles and the four mutexes are ordinary Internet Explorer/WinINet cache artifacts and should not be used as indicators. What matters from this process is the DNS query for csj0o.com and the fetch of ff1.rar, which is performed from inside iexplore.exe rather than by malware.exe itself.

Process
↳ C:\WINDOWS\Explorer.EXE

Creates Process C:\Program Files\Internet Explorer\iexplore.exe

Network Details:

DNS csj0o.com
Type: A
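The host and network indicators in the Runtime and Network Details above, turned into matching logic as an added example (this is not part of the sandbox report and not any vendor's code). The pipe-separated log format and the records in SAMPLE_LOG are constructed for illustration; the indicator values are the ones the report lists. The matcher folds case (the sample writes the Run key path as "SoftWare") and reports a dropped file that is created and then deleted in the same trace, since the report shows klif.sys being removed again.

```python
"""
Added example, not part of the sandbox report and not vendor code: turn the
report's Runtime and Network Details into host/network indicators and match
them against log records. The log format (KIND|field|field) and the records in
SAMPLE_LOG are constructed for illustration; the indicator values are the ones
the report lists.
"""
from typing import List, Tuple
from urllib.parse import urlparse

# Indicators copied from the report. Stored lower-case: Windows paths and
# registry keys are case-insensitive, and the sample writes the Run key path as
# "SoftWare", so an exact-case comparison would miss the persistence entry.
DROPPED_FILES = {
    r"c:\windows\system32\kxvo.exe",
    r"c:\windows\system32\kxvo0.dll",
    r"c:\windows\system32\drivers\klif.sys",
}
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
RUN_VALUE = ("tasoft", r"c:\windows\system32\kxvo.exe")
SERVICE_KEY = r"hkey_local_machine\system\currentcontrolset\services\kavsys"
SERVICE_KERNEL_DRIVER = "1"  # Win32 service Type value for a kernel driver
DOMAINS = {"csj0o.com"}
URLS = {"http://csj0o.com/xjj/ff1.rar"}


def norm_path(p: str) -> str:
    """Case-fold, unify slashes and drop the long-path prefix so paths and keys compare."""
    p = p.strip().replace("/", "\\").lower()
    return p[4:] if p.startswith("\\\\?\\") else p


def domain_hit(host: str) -> bool:
    """True for the indicator domain itself or any subdomain of it."""
    host = host.strip().lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAINS)


def parse(line: str) -> Tuple[str, List[str]]:
    """Split one constructed 'KIND|field|field' record."""
    kind, *fields = line.rstrip("\n").split("|")
    return kind.strip().upper(), fields


def match(lines: List[str]) -> List[str]:
    """Return one finding per matched indicator, in log order. A dropped file
    that is created and later deleted in the same trace gets an extra finding:
    the report shows klif.sys being removed again, so a disk scan taken after
    the fact would miss it and only the creation event proves it was there."""
    findings: List[str] = []
    created = set()
    for line in lines:
        kind, f = parse(line)
        if kind == "FILE_CREATE" and f:
            p = norm_path(f[0])
            created.add(p)
            if p in DROPPED_FILES:
                findings.append(f"dropped file: {f[0]}")
        elif kind == "FILE_DELETE" and f:
            p = norm_path(f[0])
            if p in DROPPED_FILES and p in created:
                findings.append(f"dropped file removed after use: {f[0]}")
        elif kind == "REG_SET" and len(f) >= 3:
            key, name, data = norm_path(f[0]), f[1].strip().lower(), f[2].strip()
            if key == RUN_KEY and (name, norm_path(data)) == RUN_VALUE:
                findings.append(f"Run-key persistence: {f[1]} -> {f[2]}")
            elif key == SERVICE_KEY and name == "type" and data == SERVICE_KERNEL_DRIVER:
                findings.append("kernel-driver service registered: KAVsys (Type=1)")
        elif kind == "DNS" and f and domain_hit(f[0]):
            findings.append(f"DNS lookup of indicator domain: {f[0]}")
        elif kind == "HTTP" and f:
            url = f[0].strip().lower()
            host = urlparse(url).hostname or ""
            if url in URLS or domain_hit(host):
                findings.append(f"request to indicator URL: {f[0]}")
    return findings


# Constructed records mirroring the report's trace, plus two benign lines
# (an IE cache file and an unrelated DNS query) that must not match.
SAMPLE_LOG = [
    r"REG_SET|HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\KAVsys|Type|1",
    r"REG_SET|HKEY_CURRENT_USER\SoftWare\Microsoft\Windows\CurrentVersion\Run|tasoft|C:\WINDOWS\system32\kxvo.exe",
    r"FILE_CREATE|C:\WINDOWS\system32\kxvo0.dll",
    r"FILE_CREATE|C:\WINDOWS\system32\drivers\klif.sys",
    r"FILE_CREATE|C:\WINDOWS\system32\kxvo.exe",
    r"FILE_DELETE|C:\WINDOWS\system32\drivers\klif.sys",
    r"FILE_CREATE|C:\Documents and Settings\Administrator\Cookies\index.dat",
    r"DNS|csj0o.com",
    r"DNS|www.example.org",
    r"HTTP|http://csj0o.com/xjj/ff1.rar",
]

if __name__ == "__main__":
    for finding in match(SAMPLE_LOG):
        print(finding)
```

Running the block prints eight findings for the constructed trace and nothing for the benign cookie file or the unrelated DNS query. The delete-after-create rule only fires when the creation was seen earlier in the same input, so a delete event on its own does not produce a finding.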

Strings (the sample is packed, so most of the entries below are high-entropy noise from the packed section; the readable ones are the DOS stub message, KERNEL32.DLL and a handful of API names such as LoadLibraryA)
;.
O.b.
b
eI
02FY_Q
04.i} 
&0'<M]?
}0Yx=N
14=7"<
1fgonAy
1}nFY}
2Sa'y3hZ
2U'>xIbf
2v1PDE0
(~2zmBlG
3$Hw:"#pD
!|3"K1
3Prr"S`
{`$4-h
#4 Os:
)4}RI;Z$
5{Bz	`
5DgO.Iu
5q:"7d
5Q8w#(
5_UC\@
@6P8mp
'6|PIW&k
|_70ra[
`7,[9H
7^/{h$Gt?
7-Q:G	
7\%rckM1
8ev}gL
8gcOGz
)8lF3PC
!8+uGw
<&8z%]
%#9{9-
9\/CRm
+9PA%=
}a0/0SB	
 a4c#xt|
A	? eC
akr&	K
A;OwFW
?:aVA;2
a(Yt\(6
	A<z5<	
b5W#u*^
|B7KNW
Bio,0W
'BUY\wqA
bWH>6wy}
.BXRZSS
-b}z4=
c;1NB$
#c\>cA
CdFA-y
CiK")oCB9
CreateEventW
#cR~Q\
!dD\%y
dIsi%A
Do?Qn$'
DuplicateHandle
dW0kQRX
E4c' D
e504~F=:
EnumResourceNamesA
EnumSystemLocalesA
EnumTimeFormatsA
eP2KR{
es-Ysg)W
Eu#][~
ExitVDM
fgji95
FindCloseChangeNotification
FindFirstFileW
FindFirstVolumeW
FlushInstructionCache
FreeEnvironmentStringsA
Fz?t"B
=G0^N3
g2=~ms
GetCommandLineA
GetCurrentDirectoryA
GetCurrentDirectoryW
GetCurrentProcess
GetFileAttributesW
GetPrivateProfileStructA
GHL9v@
gjJ41>~jI
g<jX, 
GlobalFix
GM!?.o
g~ng[XQ
G'R?>&
gR"<iu
gR(:!s
H}&6WB
HbMXvZl
HejdW+-
hiCjW.
hiDoooP
[>{;hj
]%|hs.
i2CNe'
I9PUlh
In8=#kD
>IV4ui
iwK~^}
.`izi"yZ
+iZ`wT
j2S"Sd
jO)x4@
j:WS8"'
^kA1,u
-K(bO'7U
KERNEL32.DLL
Ku\A1W9,X
LoadLibraryA
	loiz]
l*X&1r
/	m3Ha
//M%a_
/Meukz
M#)H7flCy
*[Mi`MK
+MOiF2`qM<
mRWoj}
Ni^+D7
nnQ l)M
ocRk^g
o.EvQB
??okq2
ooedmm
o#{Qv4
owl[|rl
P-$a&yO
pBj6s9
Pr<'d&\
p"-T/k
PU0i}}>Z
QeZg5(L(t
Qoqv6,,Y
qwfZ'S
q,	xUNKK
r2}c@rX
Re@XaC
rG&|'g
R#;kN;
RL:&lA
rpd=`}
rpK^6d
/s@ @[
]	sD_(
S=h"L~>
S_.*I0
S*kV%G	n
.sQB2D
)S[[/t
t}7\!cS
)Ta`V|
!This program cannot be run in DOS mode.
T|:j.@
TN60YU?
%TqFS;
TZ=	Aiy
U55JGtcZ^
U/9LLFT
UAN!~KdsW~
UCH{Fx~j
)udpZI
uEy&0G
ug'tmd
uK+%G4
uT!a=	
uu4	zE
'u'xeUB
[UyTaJMK8
$Uy~u`
v4|O#*
V(ou@D_
v+qD}&
vS$g/N
)<$_VW^
V|w5E\l
^(|%vwY
W4.Z	Gk
wF]H6WT
wmEObN
_.^WV_
WV2Fb*
)_x2 r
x_5*uV"zx@
xhY{$e
xIO17K
%~~(XS?
xv nbr
xzGo]R
y54LBb\
YGa>8k(GbJ
=!ygX|
|yUR3yM
_Z)&``\$
Z#DtBg;
\:zhMk
~!/z[pWb
z!@Rn+e,(t
Z%SfVF
zV>0.CD
zX|*(R.
/zxslF
!!ZzM<