Analysis Date: 2014-01-03 14:43:46
MD5: 904608391ab8aa33a2625b687c2a0a74
SHA1: 2252edb2d6872f3a2b41f428c2446cf1eea562db

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE md5: 0fdb251af5eded9900b462067c4c0bf0 sha1: 7964a23a115c8f19e31b2ce702a74a102c0caed5 size: 214016
Section DATA md5: 3a3b4244f961f3d2c584b06e2328e69b sha1: 557571915560c9107ad4308b9a1b216ece377674 size: 10240
Section BSS md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata md5: 8e79e2ab114f48c961b5429920445b9f sha1: 9b2baa2d091951d1bb1cb92699e47fd087a4051c size: 4096
Section .tls md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .rdata md5: d4ab8e9732c580317d948f4937bc9621 sha1: f8c0d51b493c2bc8285b634dd65e590ca0f48835 size: 512
Section .reloc md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .rsrc md5: 76b4517fc3cf7f9d1a8aba3e9a9f95ce sha1: 0da8ce09f5423d0cd34849964ac9ed224d876fc2 size: 14336
Section .aspack md5: 565992b24ffe261ae200670b4d8058be sha1: 1d589b1efbe1f5d1e745f1e09cf1d5993d80d655 size: 61952
Section .data md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
(Sections with size 0 carry the empty-input MD5/SHA1, i.e. no raw bytes on disk.)
Timestamp: 1992-06-19 22:22:17 (this is the fixed link-time value written by older Delphi linkers rather than a real build date; the DVCLAL/PACKAGEINFO/T*FORM strings below are consistent with a Delphi build)
Packer: ASPack v2.11 (consistent with the .aspack section above; the import and string lists below are taken from the packed image and are likely incomplete until the sample is unpacked)
PEhash: f90904c1571ea50541f5a24b9824bcff6da24311
AV avira: TR/Downloader.Gen
AV mcafee: Generic.dc
AV avg: Generic.FFO

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SystemIdle ➝
C:\malware.exe\\x00
(Run-key entry: re-launches the sample at each logon; the "SystemIdle" value name is the persistence indicator to hunt for, since the executable path here is the sandbox's placement.)
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\ ➝
\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
(The index.dat files and these mutexes are typically side effects of any process using the WinINet API — InternetReadFile appears in the import strings — rather than sample-specific artifacts.)

Network Details:

DNS: any-rc.a01.yahoodns.net
Type: A
68.180.206.184
DNS: www.yahoo.co.kr
Type: A

Raw Pcap

Strings
DRAGCOPY
DVCLAL
MAINICON
PACKAGEINFO
TAUAUTOUPGRADERPASSWORDFORM!TAUAUTOUPGRADERUPGRADEMESSAGEFORM
TAUAUTOUPGRADERWIZARDFORM	TMAINFORM
 (08@P`p
[`0_?cF
0DDD<*
+0E:+B
0[g].(
0(giiM
0M\OB&
0on>0o
;0+P444
0^V*E{
0v?,UaN[?n\
)0ynKC9
-15;^O
1b*NIj
1;erwR
1go*A_)
%1	JW-
1kNEGJ
<1*pA4-a444
"_1seg+
1WFf>@
1W.UtDF
}1')]zC
1zq=l|/
2Ec]F@
"`2Mg0
2t1,f{
3#5!&"
$35nUp
^35T}T
3:'a@j
&~3f`9#n
3|fkJV/
^=3*[g
3nmF]{
3pY1rV
3Z)p^{
!41U^U)k
.*(~444)
4441444
4441444gR_a
4441Tim
4442444
4443444
%! 4444
|444$444
444`444 
444^444
444^444 
444~444/
444<444
444=444
444>444
444|444*
444_444(
444_444#
444-444
444;444
444?444
444.444
444)444
444[444#
444[444%
444]444#
444{444-
444{444)
444@444
444*444
444&444
444%444
444+444
444!4440444@444P444d444u444
444`4443444
4444444
444%444,444244464449444;444<444<444;444;444:44474444444/444)444$444
444_444?444'444
444)4444444:444?444@444@444>444:4444444,444"444
444'444.44444448444;444<444<444;444;444944464442444,444&444
444#4444444>444B444A444;4442444%444
444)444>444[444r444
444#444=444_444z444
444%444.4445444:444=444?444?444>444=444:44454440444)444!444
444-444?444P444a444p444~444
444&444;444Y444
444[444C^C6
444(444F444pMWY
444,444G444h444
444(444J444xNZ\
444)444K444}R`b
444~444l444V444@444/444
444}444P444/444
444}444r444f444U444E4449444/444$444
444{444Y444:444#444
4445444
4445N\_~\nr
4446444h444
4446JX[}[nr
4447444
4447KWZyVfi
4447\w}
4448444
4448444i444
4448Qgj
4448Tdg
4449444
444a444
444A444
444a444<444$444
444b444!
444b444A444+444
444c444
444C444
444C444!
444c4442444
444c4447444
444d444
444d444#
444d444<444"444
444d444@444+444
444dgtv
444e444"
444e444#
444E444
444e444-444
444ETim
444f444
444F444
444F444$444
444f4449444
444g444 
444g444!
444g444"
444g444(
444g444I4447444)444
444g444J4444444"444
444h444)
444H444
444h444>444%444
444h444I4442444
444h444M444ZeB3
444i444!
444i444(
444I444
444j444&
444J444"
444k444!
444k4441444
444k444=444
444k444-444
444K444(444
444k444E444(444
444l444,
444L444
444L444"
444L444$
444l444A444&444
444M444
444m444>444"444
444n444#
444N444$
444n444<444 
444n444C444'444
444o444&
444O444
444o4445444
444o444T444:444'444
444o444V444@444/444!444
444p444'
444P444
444P444"
444p444P4441444
444=Pei
444q444$
444q444*
444Q444
444r444(
444R444
444R444#
444r4440
444r444Q4446444!444
444t444(
444T444#
444t4441
444t4444
444U444 
444U444-444
444U444*444
444v444/
444V444
444![w~
444W444!
444W444)444
444X444/444
444x444^444G4442444 444
444(\y
444y444(
444y444)
444Y444(
444y444<444
444y444n444d444U444E4449444-444 444
444z444/
444z444)
444z444*
444Z444
444Z444 
444Z444"
444z444j444W444B4443444%444
"*4GA@
]?4h#F
%4JUGl
4x[&E4
4(/zT-@
|5]!4N
@5B=Bgdq
+5Lg'i
%5M)tbv
5sNr3z
5\ ,SUu_
6BxzQ8
=6Iv^V
6#NA,)}
:6_ &R
79fej7
	7bIbT
}7D:eU
7)eofm
7JO>]{
7mv:)`
7N:Bz#
/	~8{8
8,>f"]
8N!C'"
_8o(_2
~8r~W&
8\:Sud
8T?`~g\
=8wca44
96d3:K	
9`c	ff
9 <gT{
9LQ5]x~
9:OO"x?
~9'=SC
9.)T444
/9xZ7g
a@1{^<-
a$3,'U
a456\{
A5ND9!
aB.1uUD
aC:;t)
Ad2JOJ
[a;D-|cx
advapi32.dll
a?+EnN=
ai.jDA
aLPkQUe
AmZvyZH
aNs;YB
$aPV'HAzbw
aruI|ma
=A'ryy
.aspack
ATi]K)
aU]$BMI
auxTX)l
AXdacM
aZ0hF'
A''}Zl~8
B&3F{?
B3i4H*
@b3qB*
.b9AQpa
='BAgQD
BDrh_Ib
(beBv(v
be\=;g
B~f3#kc
Bf\.~b
BGcU.BPh
'/BJdx4}
+ BKr+
blE& H)@)D
*BO21l
[B'WgF
BWq/P7
,bY	te
bZWf $
[&;#,c
c29#MS
c	9;"-
c9yO]*
":CAx^t
CBI+"H
(cC#'Ff?#
=cfs@j
"CF%"zQ/z
c+Gqlc
`cK=L+a
clr[1'
C-NW6y
CoInternetCreateZoneManager
comctl32.dll
>+=c{P
C'QD6pg
CreateStreamOnHGlobal
%c:#S?cNb
CTX[Tlp
%cV7w[
CVQn%S
C} W*E?v`!:
d5amB!p
D.#5g.
Dcy-bzN
%DDF5d9
=DE[)r
d^gJ\_
dN)m<Caj
-&#E444
ECRj7*
:ed+B1
e!GT4F
/E^Hxma
"%E|l(A
Eo1vS~
EPyyliX
]_EQfM
Esvo;u
eThL*U
Ev@XM@
ExitProcess
ey~e~tk
EyUZTY
EZfI<Y
$F3q}&
f5eiF5
*;F 7|iU
f8<Hkf
FBKI^I
/ff/uCZ
FgQDf8
{F:gYi
[FhWw 
f$HXO:C
fi	z:X
[/F'M9
f%NJG&
FOsv~t
f%q	OZ!q
FxE4(,
FXVFJS
`/'! g
G0V7~F
}#g92k:%
GA7GxP(
gdi32.dll
gEn^x1
GetErrorInfo
GetKeyboardType
GetModuleHandleA
GetProcAddress
GJ%YZZJ
G#l?%S
*Gu[ih
 GU~ii
gv9hk=
"gxY ;
<g&&z8
h$}^=\#
h'*(56
H	;66c
,^Ha0j
heepn[
$&h?IB
<<HKPw
HlL'puk
H]Roeg
h~Scg:
h.Sm58
H]t_iy
hTp"PB
Hw=q'Ve
*Hx ),
)>i'{/
I29p"Fd
I4#[`!
i!4IzB
i4XZ^c
i7u7h@
;I83-j
|i|8c"e
i|A38?
IA:x444 444
^ibUUK
.idata
-i=Do*[y
I._FGi
if$ry5
I~=%gg
Ihck#m
]ilx[__i
ImageList_SetIconSize
InternetReadFile
#=IOh:
#@I)=qwp
;it&)R
#i""XxCru'
IyEK/^
Iyz411sw
J9bQQ7n
jAOcPDy{
jcMR-;)l
J+dNteB{
JI2b<B
>}jiGN
@JJ{444/444
JlNPO`
[J^MuH
j`pq3D
,	Jpv-
j	`;P;x;
j~]t!"
jt)HO`L
%@JxsR
k5pmP2_&e
Kce:&#(
kernel32.dll
}k'f\uD8
(|K	hn
KiDC^$F
ki.+<`Ve
KKIi.Om
K)[Y4G
l"?_@$
%#"L444
l4UDu-1U
$l 6."
L<8h<A	
LbNy%C
{LEPD:
~Li}gn8]
lIwTYG
`~l$nN
LOADER ERROR
LoadLibraryA
L.P+P^
LSr*%`
=lToGd%
l(u/e\~7
LV;8ir^
M	4~D|
m6\l!O%]c$|
MC+IB%
MessageBoxA
M^*FCP
MFwdT'
M\La7O
M~o25 
)%mO]r
-=mSzNbg
MvhQGl
mV)T&5e
MZBBfb
 MZgou
mz[nlk
&:/n_3
"^N-6B
NEts(M
N%>hr!
NMiXJk
N\$-.ok
"nSLn0
+NTVFY
NuknZ-
O2sun"	
O6*mV9)
o:7Sl+
O8+{}Q;
OC[/O]Tx
`Ol~+6
ole32.dll
oleaut32.dll
O{l-lVr]77
>!	Ona
OR tFj
OryfuXF
o)Ut@-
;|oy_d3
;P20gs
P6/+2GeL
P6.qJ7
pA.Irp
P:DzON
pE^'{d-
+$Pl8Z>5X
p+MY&XP
>P+:nJp
p:QQS:
P?Q(,z
pR|KoqA
P:(]sA
pSNCa`
pvU?3%
_pzBk`
Q1DL"&1L%
.q2;J7
q#4@ w
Q}7E/o 
	Qb+~G
Qc%[zSY
Q,[ Hz
/QK;a!7
Qx9eSv
Q?XYyz
qY2=nI
QZZqhvw
R13dL.
r444"444
R" 8NXjp
r8]s`8
>\rax*^
rBg {_
[/RBW>
.rdata
RegQueryValueExA
RegSetValueExA
.reloc
R+eMGr
.!r`G/
R KAAs
rqQYuL/a$
R;VH2y
!ry=~A
/?:S	;
$	<-S^
!S2"g7H
/S7j+d>
>sASIpx
se\g:)RJ
shell32.dll
ShellExecuteExA
/sHG*	
SHGetMalloc
	s-jBW
s;oxJ*:
	{sQhM
SR9\fUm
s]SA;MD
St5'9$\
?SW8_w{
 SYq'kv
sYUcohp
*%%t<~2
T3#Q^=-
$#"t444(
$"!T444 
ta{<F)
tc|oN1
TdD*FP
tE$uVtH
T(gli<
The ordinal %u could not be located in the dynamic link library %s
The procedure entry point %s could not be located in the dynamic link library %s
This program must be run under Win32
Tj#OjP
,tn<?\5{
t<NG!{yI
Tp0Z"'
Tp_m=7y*
t rQh/,
T#]VS}
twavnU'i!
TWuKiP
TywhYN
/\{}<U.
?@=u444'
U6!\_2
^Ub($bT
.u@dP[hw
Uf&\6p
uf&8X&1
U%G(SA
Uhli444#
ULshakZ2uC
UnrealizeObject
}u;-%p
Upe%6k
u^>Q}}
urlmon.dll
user32.dll
u~t@^@/
uT'S(Zw
/(UvH0gJ
v3e_*x
'%#v444'
($"v444+
V-5fGY
VariantChangeTypeEx
VbI<"W
v/BR}H
Vb	vMq
VCV3_(
VDV"$ff
v[$&eG
vH]6EPr
VirtualAlloc
VirtualFree
vkqe%eBZ
VL)s\\
Vm]$vVM
|VOhsy
V:#{R>
v\]s0ew
vS;2fL?
V:t?k<
VU4#<wD=T
%VUp%U
vX'5N>
%vz'$r7Pn
W3n33i
w|6\R95
W75mP*
WindowFromPoint
wininet.dll
Wk?1T@q
W$K3vx`]c4
*WkNE3
WSACleanup
ws:\e)ON
wsock32.dll
wsprintfA
W_Ut^+s
WW$}@3
&W X-9d
"w	xQF
WZC[I&
:X,$;1,U
])@X_2
X=_"3I
]x}}444$
;X53WF
X5#?gA0
xBpvG?
XcYvYt
XD`%`u
XFsBV4
XFUYw1
=xH3,>
X]j:2=
XJBL	@
XKM2N3
x+KRp-b@
xmLv8)
X-O-N-M-La
XWbNXlV
.`xWLc
\xw*sE
X==X%T
='<]^Y]
Y7vXY@P7
Y?/A<0+p444
/ye,&e
Y$=EnA
ye~ S_
yf_@^<d
Y(\h%Z
YJ: Lk
	yk>Hmk
yMQp'y
YotJ444
_Y+p%n
ypZ"fn
[yRL2i
Y_t33m
Yu*2cF9
~*y-UA
?YV;}X
YXCe|_
Z)0&RE
Z4^>;L
Z>5"aO
:z9hDo
Z	a)	0%
zA|CBK=
ZB(tTH
z<C$^9
Zd9F6_
zDw)?E
zFAl },
!zfqyT
|zfZjYH
zG;T]dT&
Zq[%8h3
-{ZRnk
Z]s\}U
Z+T+U+V+W+X+Y*
>zW Pk
Z>yHZ7