Analysis Date: 2014-01-19 23:21:34
MD5: 291976ba47cec4b3c0e31cbc50ab1923
SHA1: 38273b08bd046fc29bd777c9dc4a177ae162b5f8

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: bca381148d6e3c35e60a62e77084e32a sha1: 970deb5dbb3c9e7170010916e85d91d8d4c6b3e5 size: 17920
Section .rdata md5: 1e6e7831915f766007adcb653b1d94bc sha1: df1fa90ed8f68aa15b5c2cd7fe66b8007f110640 size: 8704
Section .data md5: 3e13dc4805b4df429812b216bfbf1748 sha1: 24a47ed4b62a8d6ee659c06c234ad2e928e430e9 size: 162304
Section .rsrc md5: 787a0f79060fa637e27a4d9d0e721abf sha1: 6caf0a05bbe8cb50cee09aa75681be112ef3fe1f size: 49664
Section .reloc md5: 0122ec98fd65a090a7710b6085ec3843 sha1: 664fe2bb3df86c80839ad4f49a10042ff8c4e60e size: 2560
Timestamp: 2012-05-21 14:53:55
Pdb path: D:\work\Plug3.0\Shell1\Release\Shell1.pdb
Packer: Microsoft Visual C++ ?.?
PEhash: 521a475f5670861026c397c1f4daf46873a2cd7d
AV avg: Generic28.CLUU.dropper
AV mcafee: RDN/Generic BackDoor!wo
AV msse: Backdoor:Win32/Plugx.A

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\Software\CLASSES\FAST\CLSID ➝
NULL
Creates File: C:\Documents and Settings\All Users\SxS\bug.log
Creates File: C:\Documents and Settings\All Users\SxS\NvSmart.exe
Creates File: C:\Documents and Settings\All Users\SxS\NvSmartMax.dll
Creates File: C:\Documents and Settings\All Users\SxS\xxx.xxx
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Mutex: DoInstPrepare
Creates Mutex: DBWinMutex

Process
↳ "C:\Documents and Settings\All Users\SxS\NvSmart.exe" 100 1160

Creates File: C:\Documents and Settings\All Users\SxS\bug.log
Deletes File: C:\malware.exe
Creates Service: SxS - C:\Documents and Settings\All Users\SxS\NvSmart.exe 200 0

Process
↳ C:\Documents and Settings\All Users\SxS\NvSmart.exe

Creates Process: C:\WINDOWS\system32\svchost.exe 201 0

Process
↳ C:\WINDOWS\system32\svchost.exe 201 0

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\Documents and Settings\All Users\SxS\bug.log
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Process: C:\WINDOWS\system32\msiexec.exe 209 200
Creates Mutex: DBWinMutex
Winsock DNS: dedydns.ns01.us

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates Process

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝
NULL
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Creates File: PIPE\lsarpc

Process
↳ C:\WINDOWS\System32\alg.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\services.exe

Creates File: pipe\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\Debug\UserMode\userenv.log

Process
↳ C:\WINDOWS\system32\msiexec.exe 209 200

Process
↳ C:\WINDOWS\system32\wbem\wmiprvse.exe

Creates File: PIPE\lsarpc
Creates Process: "C:\Documents and Settings\All Users\SxS\NvSmart.exe" 100 1160

Network Details:

DNS: dedydns.ns01.us
Type: A
103.27.124.5
HTTP POST: http://dedydns.ns01.us:53/update?id=002f8120
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; SV1)
Flows UDP: 192.168.1.1:53 ➝ 192.168.1.1:53
Flows TCP: 192.168.1.1:1032 ➝ 103.27.124.5:53
Flows TCP: 192.168.1.1:1033 ➝ 103.27.124.5:53
Flows TCP: 192.168.1.1:1034 ➝ 103.27.124.5:53
Flows UDP: 192.168.1.1:1035 ➝ 103.27.124.5:53

Raw Pcap
0x00000000 (00000)   fd25213b 95a57bac 5c22eeae e1548904   .%!;..{.\"...T..
0x00000010 (00016)   b2379e52 0e0d9b1a 577d26ae 346ba1fd   .7.R....W}&.4k..
0x00000020 (00032)   f236c52e 30b517                       .6..0..

0x00000000 (00000)   4eb820b5 804f29da 9a61bdb1 9533c7de   N. ..O)..a...3..
0x00000010 (00016)   4a024a1d 1d1256f5 351bdcb1 c351cd7c   J.J...V.5....Q.|
0x00000020 (00032)                                         

0x00000000 (00000)   504f5354 202f7570 64617465 3f69643d   POST /update?id=
0x00000010 (00016)   30303266 38313230 20485454 502f312e   002f8120 HTTP/1.
0x00000020 (00032)   300d0a41 63636570 743a202a 2f2a0d0a   0..Accept: */*..
0x00000030 (00048)   582d5365 7373696f 6e3a2030 0d0a582d   X-Session: 0..X-
0x00000040 (00064)   53746174 75733a20 300d0a58 2d53697a   Status: 0..X-Siz
0x00000050 (00080)   653a2036 31343536 0d0a582d 536e3a20   e: 61456..X-Sn: 
0x00000060 (00096)   310d0a55 7365722d 4167656e 743a204d   1..User-Agent: M
0x00000070 (00112)   6f7a696c 6c612f34 2e302028 636f6d70   ozilla/4.0 (comp
0x00000080 (00128)   61746962 6c653b20 4d534945 20362e30   atible; MSIE 6.0
0x00000090 (00144)   3b205769 6e646f77 73204e54 20352e31   ; Windows NT 5.1
0x000000a0 (00160)   3b202e4e 45542043 4c522032 2e302e35   ; .NET CLR 2.0.5
0x000000b0 (00176)   30373237 3b205356 31290d0a 486f7374   0727; SV1)..Host
0x000000c0 (00192)   3a206465 6479646e 732e6e73 30312e75   : dedydns.ns01.u
0x000000d0 (00208)   733a3533 0d0a436f 6e74656e 742d4c65   s:53..Content-Le
0x000000e0 (00224)   6e677468 3a20300d 0a436f6e 6e656374   ngth: 0..Connect
0x000000f0 (00240)   696f6e3a 204b6565 702d416c 6976650d   ion: Keep-Alive.
0x00000100 (00256)   0a507261 676d613a 206e6f2d 63616368   .Pragma: no-cach
0x00000110 (00272)   650d0a0d 0a                           e....


Strings
1.0 
(&A) ...
- abort() has been called
April
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
August
Copyright (C) 2012
- CRT not initialized
dddd, MMMM dd, yyyy
December
DOMAIN error
(&F)
February
- floating point support not loaded
Friday
                                 H
         (((((                  H
(&H)
         h((((                  H
HH:mm:ss
January
jjjj
July
June
KERNEL32.DLL
March
@Microsoft Visual C++ Runtime Library
MM/dd/yy
Monday
mscoree.dll
MS Shell Dlg
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
October
Program: 
<program name unknown>
- pure virtual function call
R6002
R6008
R6009
R6010
R6016
R6017
R6018
R6019
R6024
R6025
R6026
R6027
R6028
R6030
R6031
R6032
R6033
runtime error 
Runtime Error!
Saturday
September
Shell1
 Shell1
SHELL1
SING error
Sunday
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
Thursday
TLOSS error
Tuesday
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
Wednesday
WUSER32.DLL
(&X)
<,=;=~=
                          
0"0=0C0P0f0
0,030;0
010W0]0
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
0/191d1|1
<0<6<><
0 {<6q
`|0B+JcH
~0.I)*
0l`f3=
'0<,mS
:0P7D+w
1&1E1O1
1#1k1s1
17m5_k;
1d1j1p1
1D:L:T:\:d:l:t:|:
1f7e1O
1GZzOF
1I9@,zd
1*j\gv
1nyrZ_
2/2M2a2g2d3
2.2Q2W2k2p2
27}n.r
2O3^3r3
,2S!R)
|2%\w3$
3(3,3034383<3@3D3H3L3P3T3X3\3`3d3h3l3p3t3x3|3
3&3,393C3I3S3u3
3 4&4,4B4Z4
3C1O L
3:c]x;TI2E
:":':3:::D:V:m:{:
3E4J4T4
3U4o4x4
4 4$4(4,4044484<4@4D4H4L4P4T4X4\4`4d4h4l4p4t4x4|4
4"4-4h4
46Na)=
4bPz+"P
>"?4?F?X?j?|?
4H5DwQ
4l_|ay
4w%xQ9
515M5V5\5e5j5y5
5#5)5/555<5C5J5Q5X5_5f5n5v5~5
5'5_5g5
5(5L5X5\5`5d5h5
?5'?89
5b;J9,+{
5f/h8\ 
5I^Jdr5+:
[5&L6'$
5m8Qd+3
63[4]5mm]5\]m]mm5\mm5555555\\\5\\\5m\55\\5ed:
6*6/646:6>6D6I6O6T6c6y6
6T6Z6g6m6v6}6
>-711)
727>7Q7n7
748>8d8k8
7/7:7?7Q7[7`7|7
7#7/7f7o7{7
7A8G8h8
[7lKQN
`7	t~N
8<8T8[8c8h8l8p8
8)9/999
8.9H9k9x9
=,?8?>?C?I?
8D9H9h9
8_E}}Z
:8:T:X:x:
8Y9l9~9
]9/[3t9
9_&3u!
9J9P9T9X9\9
9=m+VG
Aac2]y'5#
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
a@B?ICs
aC`+[P6
aEo_aS1
aj"|t#
ajT1	w
aN^-Gu>
,ao.2\
$ar.{af
aR_zf(
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
August
Av7	2n
<$b_`_
B3"*ZW(
b6iHZ 
B"AC?K
`b)C|+
BeginPaint
bF]<x	^
\BkFnA
B/LXV#
br$Nn;)
Bt+CHG
B;\-^w
b\zi\C
%-,(=c
ceg	gD
)cIo`9
:ciojB
C%Iz.Fq{
cl>U>,
CMux5S
CorExitProcess
cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
cQ7;gZ
CreateWindowExW
cv]T,J
~ \/d'<
($\'d1
D1H1L1P1
D1]pyy
(d9/Q]yA.
DA~p~|
DA#S8s
@.data
DA;t`r6\td
dC<{uL
dddd, MMMM dd, yyyy
December
DecodePointer
DefWindowProcW
DeleteCriticalSection
DestroyWindow
D>GU`W
d	Hx;&
DialogBoxParamW
DispatchMessageW
 |?d*Jw
*dk$CEf
DMzfd}
<DqNHj
D#Richp
d$-V{q
D:\work\Plug3.0\Shell1\Release\Shell1.pdb
_D>y;>U
e!#?1X
e2|Z69
E{?\6V_
E!,9w	g
E%brx'
<e?K9H
E{K}OnGc
EncodePointer
EndDialog
EndPaint
EnterCriticalSection
(%eOCL~
{Ep:?|4
eUA9qt
ExitProcess
E=\Y~7`mceZ
EY!z<V
{e`\^Z
E&Z,vm
{F-|_;
f5(*bq
F63^+(
Fc=8t=
Fd)dXRL
February
FkSie 
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
FreeEnvironmentStringsW
Friday
f}W@X&
	!f[Xi
fZl0}3Z(aF
_g3y{'U
g5%]SM
"g8wr>
GetACP
GetActiveWindow
GetCommandLineW
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentStringsW
GetFileType
GetLastActivePopup
GetLastError
GetMessageW
GetModuleFileNameW
GetModuleHandleW
GetOEMCP
GetProcAddress
GetProcessWindowStation
GetStartupInfoW
GetStdHandle
GetStringTypeW
GetSystemTimeAsFileTime
GetTickCount
GetUserObjectInformationW
-gFy_G[
Gg]K'`
'gi^i&O
{g?.kKyl
Hd>@7k
HdHgFt2
HeapAlloc
HeapCreate
HeapFree
HeapReAlloc
HeapSetInformation
HeapSize
HFm;e3
HG}5~n/q
HH:mm:ss
 HM8OGl
=hMqG79
htAHt#
{H[ub)
huOK?_0;}(
H\]!V%Z
I3')+*+)))*))()*+++,6J!54 CBA
i"4+CEp
i}7UgG
IB 2W7
i@B	gQ
iGxnGu
@IiPU	
i)knOIFs{
InitializeCriticalSectionAndSpinCount
InterlockedDecrement
InterlockedIncrement
IRe@_F
IsDebuggerPresent
IsProcessorFeaturePresent
IsValidCodePage
J3pQ+s
January
JBkjKm
JEEEEEEEEEEFC
JEEEEEEEEEEFD
JEFEEEEEEEEEB
j(ePRV
JHHGGGGGGGGHI
j hPy@
JJIIIIJIIIIJJ
j@j ^V
]:jKj}
j}M8qbkg
@`jN#(
JP:: |4
%\(Jrp
JV{{3]
J}V_Z4
_~Jw^F
jXh0y@
jYPQTVTSkllZTTXRTUiHceWda/
+K5CUV<
}kaV3wN
KERNEL32.dll
'KgaJYC
]KhA8]
K.Iv((
KjLe&.
*,k+lHzE
Kr@]RJq[d
.~/kyLH
|kZY$c
~l0[b{@(
)L4S?,
LBHN3c
LCMapStringW
LeaveCriticalSection
)l`@gn~
Lml815
LoadAcceleratorsW
LoadCursorW
LoadIconW
LoadLibraryW
LoadStringW
LoK;[i
?L?S?`?f?
Lu;RQ{
LxiY,h
|<]}m>
m:2t<y
~[@~ME
MessageBoxA
MessageBoxW
%M\:i/@
/ML>eX
MM/dd/yy
;mM"v	
Monday
MS(Ji;
MultiByteToWideChar
&NA^4I
naR|.U)
ndi"Bb
NH`6JHD
nHlw:d
November
np4/X#'k
#nsk$e
NUZZ*_
Nw~ytMMMMMMUbbrrrrrxxxxxxxxrriUMMMMMMMMMUuzt
)O6530./21+*-,4#4PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
O;`[|7
O(@>=77A779?<8;$O' 
o=8o.$J
October
Oi'4b5]F
O%JEEEEEEEEEFFB
ol*L8~;
oS!>gS
O/SnZ8
!`	ox{
P3-]oo
P5;^~!
P72skG
p84z{S
PA<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
~P	@/Fw
p-i+!a
]*PkvgI
^PnGEh#$1
|Pny*Y
PostQuitMessage
PPPPPPPPPPPPPPPPPKMNNNNNNNNNNOLO
^PtN)k
pwwwwwwww
pwwwwwwwwwwwwwwwp
pxDDDDDDDDD@
pxDDDDDDDDDDDDDDpx
pxDDDDDDDDDH
pxDDDDDDpx
Px[@L |
pxwwwwwwpxDDD
pxwwwwwwwwwwwwwxpx
<P=Y=_=
^pZ*.#
q	cj^Yu(
qC;mQ5v
qFI%+[oP
q!gT{'N
QiQ0Fw
q{jG.Nq
<Qnxi%
}>qooggggggg1`_fhsnHK
<qo*Pe
$qpbxg
QQSVWh
qs8XRs
QSp<j*H
QueryPerformanceCounter
Qv3	&wz
QVWj@h
Qw[z5>
][~qz_
`R0RBd
"R{1UEV#.
`.rdata
RegisterClassExW
@.reloc
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
      <requestedPrivileges>
'rM+0DZX
+r%%nG
r\:*]<&p
:R:_:t:
RtlUnwind
>#$R	UZ
rXy -7
<_/s"?
S|(=3gv
S*.8)S
s976qU
*:SA,C
Saturday
sD>@1G
    </security>
    <security>
September
SetHandleCount
SetLastError
SetUnhandledExceptionFilter
ShowWindow
SIB5px
s{k(Aipc'h_.z`
&%s<KM
{sNfQt
'sOK\P
^SSSSS
STDF#K
Sunday
TerminateProcess
T)\F!S
-tG[!C
!This program cannot be run in DOS mode.
Thursday
t	j\Yf
TK6E K7
tk]>ZD
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
t! mvJ
TranslateAcceleratorW
TranslateMessage
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
t"SS9] u
Tuesday
;t$,v-
T}y}%3O
Uc&U(ro"d
u.#dB0
ug7D2 
<U }Kb|
UnhandledExceptionFilter
uN"@Vg
u;>\+)O>
UpdateWindow
u<q8o\
Uq'e\P
UQPXY]Y[
URPQQh
USER32.dll
U+S~)o
uTbS[b
Uw(&Br
V{1g*~
V@8M-k4
v*fw]9^
VirtualAlloc
VirtualProtect
VJI3nb
vQQSij>*(
vswNeM
v+:Y:A
v+y^qf
V`z[j	
W7X`vm
Wednesday
=wE;n ]L<J
WiCSc\0
WideCharToMultiByte
wizJ$sy
w|JQe|
WkV21TSav^8{
w;%lS.
W}Qbi}
WQd(Bjb
WriteFile
W@wjM5
wwwwwwwpx
wwwwwwwwwwwwwwwpx
W*z:LAygs
x0NI[lp
 -#x)(1j
`X34uP
x_7JpB)"
X()B&CwG
#xIO<X<5
$X(Q+R
xRwmpz
x##uKvtM
XVDUi?
X<\*w"
Y3.jLR_
y("c1_'
YDTk.8
Y}]<nE
YnX|^.
ySD[	v>
~}yss>
YTt):yN	
{|yvrrwsqpon
ZBagop
Zg2hsg	
<~zIw?
|\Z":o
zOUQ'r
zRpij:]>
zwz(q: 
}zy|yx~
zz4#@G