Analysis Date: 2014-06-22 08:27:19
MD5: 82641adc23e8dbbb87235f3649f07597
SHA1: 38e2c801203dbe0310377ecb574b48dc2dd50d4a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text — md5: 5de09bc097eda3f991e39754c5721eaf, sha1: 6e4934e70bae76ff2f56d63801178a42e02cba1d, size: 73728
Section .rsrc — md5: 11433084e5d739da9853cc7f9fd953f2, sha1: 363637fad481db53ddeb163657e8781eb7603eda, size: 151552
Section .reloc — md5: 014d9937f09262bfef6d4df1fc5793d4, sha1: 47dd095723b2657f73de1890c9424cb8f7973ce2, size: 512
Timestamp (PE compile time, attacker-controlled and not to be trusted on its own): 2013-11-15 14:00:06
Version info (note: CompanyName/LegalCopyright/ProductName are random-looking strings rather than a real vendor, and the assembly version below does not match the FileVersion/ProductVersion fields):
LegalCopyright: rJxC3eNL6Vd
Assembly Version: 4.2.4.5
InternalName: DOFUS.exe
FileVersion: 4.1.5.0
CompanyName: rJxC3eNL6Vd
LegalTrademarks: vPBI%fVS(4d
Comments: vPBI%fVS(4d
ProductName: vPBI%fVS(4d
ProductVersion: 4.1.5.0
FileDescription: rJxC3eNL6Vd
OriginalFilename: DOFUS.exe (the name of a popular online game; the sample appears to impersonate it)
Packer / compiler: Microsoft Visual C# v7.0 / Basic .NET
PEhash: 546829f1f494a0a117053566171e211832be7182
IMPhash: f34d5f2d4577ed6d9ceec516c1f5a744

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry write: HKEY_CURRENT_USER\Environment\SEE_MASK_NOZONECHECKS ➝ 1\\x00 (setting this environment variable suppresses the Attachment Manager "open file – security warning" zone check for files the process launches; "\\x00" is the trailing NUL of the REG_SZ value)
Registry write: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry write: HKEY_CURRENT_USER\Software\2daab0d2354fccf9d82b541513a26f9c\US ➝ !\\x00 (the 32-hex-character name 2daab0d2354fccf9d82b541513a26f9c is reused below as the Run-key value name and the Startup-folder filename, so it is a useful host-based indicator for this sample)
Creates file: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new
Creates file: PIPE\wkssvc
Creates file: C:\Documents and Settings\Administrator\Local Settings\Temp\svchast.exe (dropped payload; the name is a look-alike of the legitimate svchost.exe, written to the user's Temp directory rather than System32)
Creates file: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new
Creates process: "C:\Documents and Settings\Administrator\Local Settings\Temp\svchast.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\svchast.exe"

Registry write (persistence, per-user Run key): HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\2daab0d2354fccf9d82b541513a26f9c ➝ "C:\Documents and Settings\Administrator\Local Settings\Temp\svchast.exe" ..\\x00
Registry write (persistence, machine-wide Run key; succeeds here because the sandbox runs as Administrator): HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\2daab0d2354fccf9d82b541513a26f9c ➝ "C:\Documents and Settings\Administrator\Local Settings\Temp\svchast.exe" ..\\x00
Creates file (persistence, Startup folder): C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\2daab0d2354fccf9d82b541513a26f9c.exe
Creates process (adds the dropped binary to the Windows Firewall allowed-programs list): netsh firewall add allowedprogram "C:\Documents and Settings\Administrator\Local Settings\Temp\svchast.exe" "svchast.exe" ENABLE
Creates process: dw20.exe -x -s 280 (dw20.exe is the .NET error-reporting tool; its launch, together with the .dmp file created and deleted below, suggests svchast.exe hit an unhandled exception in this run — confirm before treating later behaviour as complete)

Process
↳ netsh firewall add allowedprogram "C:\Documents and Settings\Administrator\Local Settings\Temp\svchast.exe" "svchast.exe" ENABLE

Registry read: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\FWCFG\EnableFileTracing ➝ NULL
Registry write (firewall exception for the dropped binary): HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Local Settings\Temp\svchast.exe ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\svchast.exe:*:Enabled:svchast.exe\\x00
Creates file: PIPE\lsarpc

Process
↳ dw20.exe -x -s 280

Registry read: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Creates file: C:\Documents and Settings\Administrator\Local Settings\Temp\dw.log
Creates file: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates file: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates file: PIPE\lsarpc
Creates file: C:\Documents and Settings\Administrator\Local Settings\Temp\1487D.dmp (crash dump written by the error-reporting tool)
Creates file: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes file: C:\Documents and Settings\Administrator\Local Settings\Temp\1487D.dmp
Creates mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates mutex: WininetConnectionMutex
Creates mutex: c:!documents and settings!administrator!cookies!
Creates mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
(The WinINet/index.dat activity above is attributable to dw20.exe's own error-reporting path, not necessarily to the sample.)

Network Details:

(No network traffic is listed for this run. Given the apparent crash of the dropped binary noted above, absence of traffic here should not be read as the sample having no network capability.)
Raw Pcap

Strings
. 
2
R.
000004b0
4.1.5.
4.2.4.5
Assembly Version
Comments
CompanyName
DOFUS.exe
FileDescription
FileVersion
InternalName
"Ldt
LegalCopyright
LegalTrademarks
OriginalFilename
ProductName
ProductVersion
rJxC3eNL6Vd
StringFileInfo
Translation
VarFileInfo
vPBI%fVS(4d
VS_VERSION_INFO
}}}&|||
\\\_###
000wkkk
|/0123456
(0<^"A[
0\H;4k)
\0lo]e
?0_	'z
%<130v
18cA4U
<1=928
]1KgHx
[[[1yyy
-./2123456789:;<=>
244DWW
=2rL W
2==}znn
"""3]]]
333}%%%i$$$]'''W(((M
33x'Ob
(((@...4
4.1.5.
444yvvvJkkk
4.717#z&,??>,"cp
;;;4bbb^
4i+t^G
(4M) qRp
4'W)b,}
4ZgOrZ
#4ZXMc
5bC_1\
5fY[LU
5hxfk !"
5w\6:{	
5$$$W666n***n
5wPF$G
62h)QN
6662{{{
6mlX6K
6'+)W,w
_7EByeR
7nVTVfV
7'#)V,U
83Y/F%
8C6 FCe=
8&`|ZCQ
[[^9```
<9<33s.
9aBq?m
9kpE~9
#a:<"<!
a~8);Vn
!A9OxU
aaa2]]]
aaak...;
ABCFEFGHIJ
add_ResourceResolve
}*aH20`
(AkeCk09
{ak"hW
@A"m6 *(+IJGLMNOPPRSVUVW
AppDomain
Assembly
AssemblyCompanyAttribute
AssemblyCopyrightAttribute
AssemblyDescriptionAttribute
AssemblyFileVersionAttribute
AssemblyProductAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
atttiS
aV-tJh,4
b1ruYG
+b~5%C
B8Z$Vu
.%$	bb
++++BBB
BBB"eee
BBBseee
Bbd}I2
B(!DJ)W
be KN[
bV=1wI
C333B$$$
@_c9kN
cccqGGG
c$cL&SHO
.cctor
&ch;h;!D=
CJIVVV
Ck[n:;
CompilationRelaxationsAttribute
CompressionMode
Concat
ContainsKey
_CorExeMain
C^qO&M
cuuu5KKK	SSS
cXXX`||
<<<d{{{
 D5.~.fa,
DeflateStream
Dictionary`2
Dispose
D,jACAq0
D$&Ng3r
DOFUS.exe
(DS	+E
D*uduu
@DvEdg
e|9z;P5
$eagZvq*
E}ah)sE`
ebbb!mmm
EEEYWWW
}'>)e,i
Encoding
Environment
EO+LQP
Evidence
EWl-AH
ExxxfwwwBttt
	(f^|*!
f3999D
}&\f7N
=>FBRtAa
[-F&d\
Fd&@	E-
_fE8<:";
fff^KKKKCCCGBBBLMMM]
FFF"UUU
fff&VVV
#fg1;w.IPi+
|f=K2/c
Fk!uwr
f[PJ];11
FVOjsP
#G0o|#ft
g3|O1ur
GC7o'O+ 
GetBytes
get_CurrentDomain
GetData
get_Default
get_EntryPoint
get_Evidence
GetExecutingAssembly
GetLength
GetManifestResourceNames
get_Name
GetObject
GetParameters
get_TickCount
GetTypeFromHandle
)GGG\/
GGGO\\\
ggg?QJ
gGpG@I
ggT9cf3
gMta~>
	Gq\gnn
`gScM&
hdddhlllhbb"
HDy]:AX
hfff0;;
HHHIggg
}hhhIsss9
HHH#kkk
===HiKA])
H~nS$#
` HP$a-%'
hqqq*uuu
HUDG[FBN
h|x||\
,I1,af{6
i]3n<l
I6nl{?
Iam5Mm#
i'CCV=
IDAT8W]
IDAT9BI
IDisposable
IeA;*8
III0nnn
III3ooo
III+mmm
InitializeArray
Invoke
"""IQQQ
#,i@%w@
iZd,!u$1
@)(J175
JCuRZ0PZ#1ha#O
jf")eV
"jjj;"""
JJJ1ooo
jjjbmmm
JJJ-ppp
@!_ J"k
JYjY1m
JzqviC
kG_16;
kJXcX~gUV
kkk3sss
KKK%ppp
KKKX222
KLL4f52
Km,#q4xj
KnHfJRHe{
ksP87O
@L1Uy	h
L'JtZvj
LLLOlllv|||
;ln\8Y
LOO?9777
lv2IX7
m1ZC+	B)
;M7 )=Qv
m~dd$8y
MemoryStream
MethodBase
MethodInfo
<m Iu!
&///>===MJJJ5
ML`6oF
MMMaYYY
mnnnB---
MNOpQRSTUVWX
<Module>
Monitor
M+PZXj
+:MSas
mscoree.dll
mscorlib
Mt=,<G
mUsx*;
+M--"	W
MWz[EY
;;;n'''
N_5xSQ
N6'}~~
|NF0tq
n@+*/L;a
.NNbe|
nNB]V$
   !NNN
NNN[1117***
NNNp===vddd
NNN'ZZZ
nomw$gc'z|d+ec.K_B2~{qs9
<nsEAH	
n'W)X,M
{\NXI+
[[[o||
Object
oB\`S-
%OC4q'V
o`| E=b
OeB(f_c
OOO999
OOP'\\\
oW|usmd$Yi~azbrw`:GsdwlhxyO{~DDP
O,#Y2=
Oy.d2\
OZzJ[`
ParameterInfo
P+aZ*F
P[/:(E	
P\!fQ/v
,,,\PJ
;;;?PJ
pK`N`&
( P+"	p
PPPqbbb}
'(P$Q,0
PY&sRc
PYX]~"4LA]G
qaP?>&
QaQjgZ
q+LHi	
QM1Gn"
?%,qq{
[[\-qq
qqqW999
qqq>www
Qx=9tb
`'QYsD
Q?zP"w
,,,r&&&
,*R "?	
R+!~%?
r5oXDy
Random
rCi=	_
ReleaseAllResources
@.reloc
ResolveEventArgs
ResolveEventHandler
ResourceManager
rJxC3eNL6Vd
R,K0)1m
(ro;k#n
ROpHbMO
:!RQ#*`
RRR~III
`.rsrc
RuntimeCompatibilityAttribute
RuntimeFieldHandle
RuntimeHelpers
RuntimeTypeHandle
rydzzz
:'S1-Aj
 !"sa%&k)+*
SetData
set_Item
s=G+`q
@So1<8
SP+D"Q
SQYPY_	]VVS"
___]sss
=+++`SSS
sssm```
SSSSggg
Stream
String
#Strings
SuppressIldasmAttribute
sxV	{s
System
System.Collections.Generic
System.IO
System.IO.Compression
System.Reflection
System.Resources
System.Runtime.CompilerServices
System.Security.Policy
System.Text
System.Threading
>&SZyC
t^/:}| 
T1:<y`
T	-5Ks
T*7OLL|5
t:=>999
;>*tes
!This program cannot be run in DOS mode.
ToArray
_/tooo3
$$$TPPP
`tPU?"%
t}}}v(((Y
t:XYY1
U]3=>f
ul&g7I
/U|m"J
:uNa(>
uuu~kkk]jjj!,,,
v2.0.50727
`v,8fw
ValueType
Vd-96u
v,`G`PE
"vONf0
vPBI%fVS(4d
V!q},M
vvv]555
vvvJzzz
VVXu```
wA_pgC
WaXO=*
~$wkew	
w;KJSJ}
wlll|~~>b
:?wnc'
w@n(mp;k
wOk\e	
]W{p%eJ
WrapNonExceptionThrows
wWNb!T*
X*#5|s
x9K:ax
x_=d!L
/.X_l~i
]]^Xoo~
xX?c5J
^XXHVVV
XXX)iii
XXX#ttt
XXXVzzz
XXZ0bbb
!Y#{\f
'''YIII
'y}@Q|-
Yt\?9H
yUCAZ[[
&[YY	VVVx
]]]'yyy
YYY=||
]YYyxuu
YZ[\]^_`abcdef'hi(klmnopqrstuvwxyz{|}~
z0|zD`
z39I=22B
Z[|]^_babgdefghijolmnopqrsTtvwzyz{|}~|
^Z%bZR
zJk}D)
z\'NC{
Z#sE-&
zuZM4Y
ZZmBc 
ZZZ0www
ZZZ*eee