Analysis Date: 2015-05-14 11:35:19
MD5: 88b5f635ac9031bcdeda1f751952f966
SHA1: 2dd9ca54c0ee0b96dfef90a1143c0611aab62ae0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 1de221daa1ea4d761fed45590a9acbe4  sha1: a4464c49c44692038532a621d944248ce1ee29f8  size: 7680
Section .rdata  md5: 83bb9c2ee689b5ff5bba523f998d51b6  sha1: 1e8cbf22ccf9b11eeca72cb3242bf07451f67d86  size: 2560
Section .data   md5: b3c46dfd952105c972e59c8b62d2bdcb  sha1: 784034540fb48bd92ce6cd86f75b419d1b563f57  size: 2560
Section .rsrc   md5: 07e200a84d20ca73afa78cc19ea3a9b7  sha1: 3a2898471b1d256e539197f1b2b6f932bfda850a  size: 1024
Timestamp: 2011-08-09 02:14:33
Version info:
  LegalCopyright: Copyright Adobe Systems Incorporated 2004
  FileVersion: 8, 0, 0, 0
  CompanyName: Adobe Systems Incorporated
  Comments:
  ProductName: Adobe Acrobat
  ProductVersion: 8, 0, 0, 0
  FileDescription: Adobe Acrobat SpeedLauncher
  OriginalFilename: AcroSpeedLaunch.exe
Packer: Microsoft Visual C++ v6.0
PEhash: abbf95b664af2641ef5b61720a2bfafd3172e2c9
IMPhash: 56408b0f42c280a7f09796e19612f1de

Runtime Details:

Process
↳ C:\malware.exe

Creates Mutex: Global\AdobeReaderX

Network Details:

DNS: flash.usnewssite.com
Type: A
69.195.129.70
Flows TCP 192.168.1.1:1031 ➝ 69.195.129.70:443
Flows TCP 192.168.1.1:1032 ➝ 69.195.129.70:443
Flows TCP 192.168.1.1:1033 ➝ 69.195.129.70:443
Flows TCP 192.168.1.1:1034 ➝ 69.195.129.70:443
Flows TCP 192.168.1.1:1035 ➝ 69.195.129.70:443
Flows TCP 192.168.1.1:1036 ➝ 69.195.129.70:443

Raw Pcap
0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.


Strings
/A/
040904e4
8, 0, 0, 0
AcroSpeedLaunch.exe
Adobe Acrobat
Adobe Acrobat SpeedLauncher
Adobe Systems Incorporated
Comments
CompanyName
Copyright Adobe Systems Incorporated 2004
FileDescription
FileVersion
LegalCopyright
OriginalFilename
ProductName
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
090205
%-24s %s
%-26s %5d
??2@YAPAXI@Z
??3@YAXPAX@Z
Accept:*/*
_acmdln
add "HKEY_CURRENT_USER\%s" /v "%s" /d "%s" /f
_adjust_fdiv
Adobe Reader Speed Launcher
ADVAPI32.dll
AllocConsole
 and the PID is %d
Cache-Control:max-age=0
Cache-Control:no-cache
CD-ROM		
CloseHandle
CloseServiceHandle
\cmd.exe
CmdPath=
Computer:
%ComSpec%
CONIN$
Content-Length: %d
_controlfp
ControlService
ControlService failed!
Create failed with %d!
CreateFileA
CreateMutexA
CreatePipe
CreateProcessA
CreateProcessAsUserA
CreateProcess failed!
CreateThread
CreateToolhelp32Snapshot
__CxxFrameHandler
@.data
delete "HKEY_CURRENT_USER\%s" /v "%s"  /f
EnumServicesStatusExA
_except_handler3
ExpandEnvironmentStringsA
Failed!
Failed with %d!
FileSize:	%d
Fixed		
GetComputerNameA
GetConsoleDisplayMode
GetCurrentProcess
GetDriveTypeA
GetExitCodeProcess
GetFileAttributesA
GetFileAttributes Error code: %d
GetFileSize
GetLastError
GetLogicalDrives
__getmainargs
GetModuleFileNameA
GetModuleHandleA
GetStartupInfoA
GetSystemDirectoryA
geturl
GetUserNameExA
GetVolumeInformationA
GetWindowsDirectoryA
Global\AdobeReaderX
<h1>Bad Request (Invalid Hostname)</h1>
HttpAddRequestHeadersA
HttpOpenRequestA
HttpSendRequestA
_initterm
/install
InternetCloseHandle
InternetConnectA
InternetOpenA
InternetQueryOptionA
InternetReadFile
InternetSetOptionA
Invalid		
KERNEL32.dll
list process failed!
list service failed!
lstrcatA
memset
Mozilla/5.0
MSVCRT.dll
OpenP failed with %d!
OpenProcess
OpenProcessToken
OpenSCManagerA
OpenSCManager failed!
OpenServiceA
OpenService failed!
OpenT failed with %d!
__p__commode
PeekNamedPipe
__p__fmode
pidrun
Pragma:no-cache
Process32First
Process32Next
Process cmd.exe exited!
Program started!
Proxy-Connection:Keep-Alive
Ramdisk		
`.rdata
ReadFile
reg.exe
Remote		
Removeable		
%*[^/]%*[/]%*[^/]%s
%s Connected!
Secur32.dll
Service does not exist!
Service doesn't start!
Service is running already!
Service started!
Service still running!
Service stopped!
Service stop pending!
__set_app_type
SetCurrentDirectoryA
SetStdHandle
__setusermatherr
SHELL32.dll
ShellExecuteA
Shell started fail!
Shell started successfully!
Shell started,wait to terminate it.....
Sleep Time:
Software\Microsoft\Windows\CurrentVersion\Run
So long!
sprintf
sscanf
Started already,
StartServiceA
StartService failed!
Start shell first.
strcat
_strcmpi
strcpy
strlen
strrchr
Syntax error!
Syntax error!	Usage:	getf/putf FileName <N>
Syntax error!	Usage:	GetUrl URL FileName
Syntax error!	Usage:	kill </p|/s> <pid|ServiceName>
Syntax error!	Usage:	list </p|/s|/d>
Syntax error!	Usage:	start </p|/s> <filename|ServiceName>
\tasks
TerminateProcess
!This program cannot be run in DOS mode.
Totally %d volumes found.
/uninstall
Unkown		
URLDownloadToFileA
urlmon.dll
Volume on this computer:
Volume	Type		Volume Name
WaitForSingleObject
whoami
WININET.dll
WriteConsoleInputA
WriteFile
_XcptFilter