Analysis Date: 2015-10-10 12:39:02
MD5: 49cd72de7972423ed3653353559e2ef4
SHA1: 20c6414036630033547ac77992519e51ead97321

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .nfJBg86 md5: 9c6aba0e19bf77b4f5e23e3c54631733 sha1: 650795b7a6f22199da4e041cc60ea6886323bf91 size: 512
Section .nfJBg86 md5: 0e2f052d5f2fd7f58250337efc0867d6 sha1: 77d8928aae53eff2ff6e2793ae4903b905edd4be size: 2413470
Timestamp: 2015-09-23 07:10:04
Version:
  InternalName: QJSlient.exe
  FileVersion: 1.0.0.1
  CompanyName: 宁波育人科技
  ProductName: QJSlient
  ProductVersion: 1.0.0.1
  FileDescription: QJSlient安装程序
  OriginalFilename: QJSlient.exe
Packer: EXECryptor v1.4.0.1
PEhash: 290c81b17f1984e69b99f73893c283f12f64ac87
IMPhash: 469b1bae2575baede5bf1f06a01b4767
AV VirusBlokAda (vba32): no_virus
AV MalwareBytes: Trojan.Agent
AV Avira (antivir): TR/Rogue.2414494
AV Emsisoft: Trojan.GenericKD.2759940
AV BitDefender: Trojan.GenericKD.2759940
AV Symantec: Backdoor.Trojan
AV Grisoft (avg): no_virus
AV Zillya!: Trojan.DipleGenS.Win32.1
AV Ad-Aware: Trojan.GenericKD.2759940
AV Padvish: no_virus
AV Rising: no_virus
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Microsoft Security Essentials: no_virus
AV F-Secure: Trojan.GenericKD.2759940
AV CA (E-Trust Ino): no_virus
AV Frisk (f-prot): no_virus
AV Dr. Web: no_virus
AV Authentium: no_virus
AV Trend Micro: no_virus
AV ClamAV: no_virus
AV MicroWorld (escan): Trojan.GenericKD.2759940
AV K7: no_virus
AV Arcabit (arcavir): Trojan.GenericKD.2759940
AV Ikarus: no_virus
AV Fortinet: Riskware/Tool
AV Kaspersky: no_virus
AV Eset (nod32): no_virus
AV BullGuard: Trojan.GenericKD.2759940
AV Twister: no_virus
AV CAT (quickheal): no_virus
AV Mcafee: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Application Data\athlete.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\athlete1.exe
Deletes File: C:\Documents and Settings\Administrator\Application Data\athlete1.exe
Creates Process: "C:\Documents and Settings\Administrator\Application Data\athlete.exe"
Creates Mutex: slashApp
Winsock URL: http://int.dpool.sina.com.cn/iplookup/iplookup.php?format=json
Winsock URL: http://count.henanyipeng.com/index.php?gp=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

Process
↳ "C:\Documents and Settings\Administrator\Application Data\athlete.exe"

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\传奇霸业\DisplayName ➝ 传奇霸业
Creates File: C:\Documents and Settings\Administrator\Application Data\cqby\cqby\lander.ini
Creates File: C:\Documents and Settings\Administrator\Desktop\传奇霸业.lnk
Creates File: PIPE\srvsvc
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\传奇霸业.lnk
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsh3.tmp\System.dll
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\网页游戏\传奇霸业\卸载传奇霸业.lnk
Creates File: C:\Documents and Settings\Administrator\Application Data\cqby\cqby\uninst.exe
Creates File: PIPE\wkssvc
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\网页游戏\传奇霸业\传奇霸业.lnk
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsh3.tmp\FindProcDLL.dll
Creates File: C:\Documents and Settings\Administrator\Application Data\cqby\cqby\cqby.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsm2.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsh3.tmp\System.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsh3.tmp\FindProcDLL.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsh3.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsr1.tmp
Creates Process: "C:\Documents and Settings\Administrator\Application Data\cqby\cqby\cqby.exe" /ShowDeskTop
Creates Process: "C:\Documents and Settings\Administrator\Application Data\cqby\cqby\cqby.exe" /setupsucc
Creates Process: C:\Documents and Settings\Administrator\Application Data\cqby\cqby\iconTips.exe
Creates Process: "C:\Documents and Settings\Administrator\Application Data\cqby\cqby\cqby.exe" /autorun /setuprun

Process
↳ "C:\Documents and Settings\Administrator\Application Data\cqby\cqby\cqby.exe" /autorun /setuprun

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Application Data\cqby\cqby\Lander.ini
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: gameapp.37.com

Process
↳ "C:\Documents and Settings\Administrator\Application Data\cqby\cqby\cqby.exe" /ShowDeskTop

Creates File: C:\Documents and Settings\Administrator\Application Data\cqby\cqby\Lander.ini

Process
↳ "C:\Documents and Settings\Administrator\Application Data\cqby\cqby\cqby.exe" /setupsucc

Creates File: C:\Documents and Settings\Administrator\Application Data\cqby\cqby\Lander.ini
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PhysicalDrive0
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat

Process
↳ C:\Documents and Settings\Administrator\Application Data\cqby\cqby\iconTips.exe

Network Details:

DNS: int.dpool.sina.com.cn
  Type: A
  180.149.136.219
DNS: count.henanyipeng.com
  Type: A
  222.186.129.195
DNS: a.clickdata.37wan.com
  Type: A
  122.226.199.215
DNS: a.clickdata.37wan.com
  Type: A
  113.107.101.168
DNS: newgameapp.37.com
  Type: A
  14.18.237.129
DNS: newgameapp.37.com
  Type: A
  121.201.25.129
DNS: gameapp.37.com
  Type: A
HTTP GET: http://int.dpool.sina.com.cn/iplookup/iplookup.php?format=json
  User-Agent: 20c6414036630033547ac77992519e51ead97321
HTTP GET: http://count.henanyipeng.com/index.php?gp=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
  User-Agent: Http
HTTP GET: http://a.clickdata.37wan.com/controller/istat.controller.php?item=8133tay6p9&platform=37wan&game_id=275&ext_1=2&ext_2=feitian_wd&ext_3=904576&ext_4=831BA43E80FD4E85A0FC8178FC815003&ext_5=69aa97a078124a9f4d00be45d724e48b&ext_6=2&browser_type=3102
  User-Agent: HTTPDownloader
HTTP GET: http://gameapp.37.com/controller/client.php?game_id=275&tpl_type=game1&refer=feitian_wd&uid=904576&version=3102&installtime=20151010&runcount=1&curtime=20151010115242&showlogintype=3&regtimes=1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1031 ➝ 180.149.136.219:80
Flows TCP: 192.168.1.1:1032 ➝ 222.186.129.195:80
Flows TCP: 192.168.1.1:1035 ➝ 122.226.199.215:80
Flows TCP: 192.168.1.1:1036 ➝ 14.18.237.129:80