Analysis Date: 2015-10-07 19:43:26
MD5: 2ddaa2174515294a448c0d11b50b8f00
SHA1: 236f5a32f001a631256cb866caf760aa65f36a23

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: c5df2bcf4cb444a9ce3abf40dc2ae79f sha1: a4907e8bccd6f67bdb0155972f3c768d595a0894 size: 79360
Section .data  md5: fe3e541d125dbe299f892385c2f9e9c8 sha1: 737956671b1b166bdb9ff564292942bd8910981c size: 2560
Section .idata md5: 37eade5359d82bcd800d9cf089c501ff sha1: cd9308a61c7773c4099742b2acaeca6f5958f417 size: 4096
Section .rsrc  md5: d84d3e490e7d040654c1f2eac336090a sha1: d5cafd952c224e5c5b4b0f7712c27f8465fe6b6f size: 15360
Section .tc    md5: d4692ff737f5b3c0d0b69fb4db29ea79 sha1: fe8e745e3d479e01113bf913e0ef44a69611e839 size: 26624
Timestamp: 2007-05-22 04:59:14
PEhash: 320b1bbb35837c612f7bbfd373d2323216fe60e8
IMPhash: bc5ce990cf54f8d435a68eb97512f73e
AV Rising: Win32.Agent.hn
AV CA (E-Trust Ino): Win32/Viking.D
AV F-Secure: Win32.Viking.AR
AV Dr. Web: Win32.HLLW.Autoruner.8224
AV ClamAV: Worm.Fujack-55
AV Arcabit (arcavir): Win32.Viking.AR
AV BullGuard: Win32.Viking.AR
AV Padvish: no_virus
AV VirusBlokAda (vba32): Virus.Win32.Koklek
AV CAT (quickheal): W32.Agent.DP
AV Trend Micro: PE_JEEFO.D
AV Kaspersky: Virus.Win32.Agent.dp
AV Zillya!: Virus.Agent.Win32.34
AV Emsisoft: Win32.Viking.AR
AV Ikarus: Trojan-Downloader.Win32.Jadtre
AV Frisk (f-prot): W32/Viking.A.gen!Eldorado
AV Authentium: W32/Viking.A.gen!Eldorado
AV MalwareBytes: no_virus
AV MicroWorld (escan): Win32.Viking.AR
AV Microsoft Security Essentials: Virus:Win32/Viking.NK
AV K7: Virus ( 00108a531 )
AV BitDefender: Win32.Viking.AR
AV Fortinet: W32/Fujacks.BF!tr
AV Symantec: W32.Loorp.A!inf
AV Grisoft (avg): Win32/Fujacks.S
AV Eset (nod32): Win32/Agent.DP virus
AV Alwil (avast): Viking-CF:Win32:Viking-CF
AV Ad-Aware: Win32.Viking.AR
AV Twister: Suspicious.000000#0C8B/1.mg
AV Avira (antivir): W32/Fujacks.DR
AV Mcafee: W32/Fujacks.ay

Runtime Details:

Process
↳ C:\malware.exe

Creates File: __tmp_rar_sfx_access_check_85171
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe
Deletes File: __tmp_rar_sfx_access_check_85171
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe http://nbtj.114anhui.com/msn/163.htm

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState\Settings ➝ NULL
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore\Type ➝ 3
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore\Type ➝ 4
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore\Type ➝ 4
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Creates File: C:\Documents and Settings\NetworkService\Favorites\desktop.ini
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\NetworkService\Cookies\index.dat
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\NetworkService\Favorites\Desktop.ini
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Mutex: WininetConnectionMutex
Creates Mutex: Shell.CMruPidlList
Winsock DNS: nbtj.114anhui.com

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat"

Creates File: C:\WINDOWS\system32\dllcache\lsasvc.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Creates File: PIPE\SfcApi
Creates File: PIPE\wkssvc
Creates File: C:\WINDOWS\system32\qmgr.dll
Creates File: C:\WINDOWS\system32\mspmsnsv.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat"
Starts Service: WmdmPmSN

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 812

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN\Start ➝ 2
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: NtHid
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\TEMP\NtHid.sys
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File: \Device\Afd\AsyncConnectHlp
Deletes File: C:\WINDOWS\TEMP\NtHid.sys
Creates Process: C:\Program Files\Internet Explorer\iexplore.exe http://nbtj.114anhui.com/msn/163.htm
Creates Service: NtHid - C:\WINDOWS\TEMP\NtHid.sys
Winsock DNS: 141.8.226.14
Winsock DNS: www.490a-B8B5-9B8C1E870B0C.com
Winsock DNS: www.baidu.com
Winsock DNS: pc1.114central.com
Winsock URL: http://141.8.226.14/nbok01/RXCQTT.exe
Winsock URL: http://141.8.226.14/nbok01/tlTT.exe
Winsock URL: http://141.8.226.14/nbok01/dnfTT.exe

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1856

Process
↳ Pid 1140

Network Details:

DNS: nbtj.114anhui.com (Type: A) ➝ 193.166.255.171
DNS: www.a.shifen.com (Type: A) ➝ 103.235.46.39
DNS: pc1.114central.com (Type: A) ➝ 141.8.226.14
DNS: www.baidu.com (Type: A)
DNS: www.490a-B8B5-9B8C1E870B0C.com (Type: A)
HTTP GET: http://141.8.226.14/nbok01/dnfTT.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://nbtj.114anhui.com/msn/163.htm
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://141.8.226.14/nbok01/tlTT.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://141.8.226.14/nbok01/RXCQTT.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://141.8.226.14/nbok01/RXCQTT.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1033 ➝ 141.8.226.14:80
Flows TCP: 192.168.1.1:1035 ➝ 193.166.255.171:80
Flows TCP: 192.168.1.1:1036 ➝ 141.8.226.14:80
Flows TCP: 192.168.1.1:1037 ➝ 141.8.226.14:80
Flows TCP: 192.168.1.1:1038 ➝ 141.8.226.14:80
