Analysis Date: 2014-10-06 08:17:38
MD5: d4f2465ae7f75d6588f7d558e90e9b95
SHA1: 37a9e2e1c9ed53368fd5671ccae427c2e54a4419

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 5703380073829692d58f7eb540d137b7 sha1: e7ddfead3358aa2a1119f29c41d11921e70d375a size: 5120
Section .rdata md5: 7df3680b978d4ebd318a51119a596f0d sha1: 7d0df28fb8514782668c91cf0318926e63a5fb56 size: 6144
Section .data  md5: 0adc5de9a2dafa7ea8d7c18bc7590cbe sha1: fa981345f0d724c362e1b971e933d9dc9f79f2a7 size: 2560
Section .rsrc  md5: c24b87ae0f022669fdd612d41949f308 sha1: b59670684189fad359626e75da53095b9d77ca0a size: 8192
Timestamp: 2014-05-08 05:57:35
Packer: Microsoft Visual C++ 5.0
PEhash: fff98b13c5775fd5b9db9a49be78e3e55cd5b4ad
IMPhash: 677e4cf676403d2b76c5adbd88df5afd

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\aiapdf.exe
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\aiapdf.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\aiapdf.exe"

Network Details:


Raw Pcap

Strings
@

&About
C:\1cf794660f31442a8b98f1bdd618280d255ad8acb401cc9f8b1fb6dccd8bfb5a
C:\2M0PEj44.exe
C:\3b0abb7ab0fde03e9d7ded45f8ca6528d414fc2546e9c243d70c38566c87be51
C:\3b6ME9Jx.exe
C:\435bd92863a09ef0fe85e5edbc047e99f3f4d29aa28f768ddd56ae20bf10ec7a
C:\469d0ed55cb4921df82a3f9b31c920aad1bd1392746bb1a0c651dc45ac856b48
C:\5eO9yylx.exe
C:\5kQ0Wz3X.exe
C:\61bc20a95c9762301293180b9a9e3b1584f1562b66e436c11dce1cfd97c17b98
C:\661b9734c7ee5722758efb0b7c74b08ec6167a75ff5bdec20aca42c7c3ead995
C:\681059cd683c98761907d9ad89f84aab1b6bf546d92c3abab6edd9a018ca29c3
C:\6ymLuSAw.exe
C:\75ebb0d33ae020adc5c026d3430179b5ce81ff5a7f8fb3633aeff1fdc852b5b7
C:\76f2da7068a1921022924b89d4300a840a096616a17b9a601a1ca3c4f9017c57
C:\8724249a80424f633637a9e45a9cc6d328047b4d8c11a695d7df5380b25be0b3
C:\99ce2abef7cdc4cb0124d211554f72c6e469a4cfc567c47361deb4eb94b1405a
C:\a5d95b89f69c6784e65bfe271e2c3519a7321b5f248b50661a8f7df89bff3849
C:\aef0ef8158eb8de6f59e84485c169c93d61d2a57bc72432170d84aa35cbfc263
C:\BJaRb2lN.exe
C:\BjdxBXtT.exe
C:\BLbPC3_N.exe
C:\c607f9815e0a260b05e9bbf678381d57024fdd8219b5f907e91c7e90fd57a80f
C:\CkFkaGEx.exe
C:\d444bb1ec9568401d611d64c82539b39a7aa089bce5bc075c88bc63c50d55a2c
C:\d530924b6bd33e0569d7ed6080ba16255cd8f629d4d50abf5f7087d6da699739
C:\defa7a135f26b7a35b7924a17892d39c5f6180032bcbae2899112b3cf0e8fd22
C:\EbZq4YpX.exe
C:\eXlYH3zX.exe
C:\fxLxBqCo.exe
C:\GWMYyMLz.exe
C:\hbzr9Qtg.exe
C:\hMOkaX2v.exe
C:\i8z4iawH.exe
C:\J1vH3aG2.exe
C:\jr99IzdS.exe
C:\Kkp0cHmB.exe
C:\kq_15fZN.exe
C:\mO0bt8Cz.exe
C:\nNeQCTI9.exe
C:\oIPKhlgb.exe
C:\p6cXhW_K.exe
C:\r30e3mrU.exe
C:\Snr_PrHJ.exe
C:\SzvnjJTv.exe
C:\wFhQfD5R.exe
C:\wfwuoiiy.exe
C:\Wqxlr8YX.exe
C:\wuWY_XnN.exe
C:\yXhTrDwp.exe
E:\User\Desktop\Fax\FAX825214.scr
&Help
IDD_DLG1
IDD_DLG2
License Info
Microsoft Sans Serif
292-R46
54\daRC
_adjust_fdiv
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDE
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
CloseHandle
CoCreateInstance
CoInitializeEx
_controlfp
CreateFileW
@.data
DecodePointer
DeleteCriticalSection
E5>5h4~
EncodePointer
EnterCriticalSection
_except_handler3
ExitProcess
FlushFileBuffers
FreeEnvironmentStringsW
GetACP
GetCommandLineW
GetConsoleCP
GetConsoleMode
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentStringsW
GetFileType
GetLastError
GetModuleFileNameW
GetModuleHandleExW
GetModuleHandleW
GetOEMCP
GetProcAddress
GetProcessHeap
GetStartupInfoW
GetStdHandle
GetStringTypeW
GetSystemTimeAsFileTime
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
InitializeCriticalSectionAndSpinCount
_initterm
IsDebuggerPresent
IsProcessorFeaturePresent
IsValidCodePage
KERNEL32.dll
*L2GK2]
LCMapStringW
LeaveCriticalSection
LoadLibraryExW
LoadMenuW
MSVCRT.dll
MultiByteToWideChar
ole32.dll
OutputDebugStringW
__p__commode
__p__fmode
QueryPerformanceCounter
`.rdata
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
      <requestedPrivileges>
r_ -|r_ 
RtlUnwind
    </security>
    <security>
__set_app_type
SetFilePointerEx
SetLastError
SetStdHandle
SetUnhandledExceptionFilter
__setusermatherr
SIuppq
StcstriyWo
TerminateProcess
!This program cannot be run in DOS mode.
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
UH@wsp
UnhandledExceptionFilter
USER32.dll
_wcmdln
__wgetmainargs
WideCharToMultiByte
WriteConsoleW
WriteFile
_XcptFilter