Analysis Date: 2014-12-14 12:53:49
MD5: 7e35e1423e4a8bc0242e06d912c2e4af
SHA1: 3bec17aeae4ec63d5eac755dcbb97a1491cc778d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: a27efdec742a15b499a96cbbab4952bf   sha1: a0abf958b2ab7db54151226fd440fd43a5ab1385   size: 14336
Section .rdata  md5: c08508492157a1207cedc9042b4b317c   sha1: d8a02f2dca0265e74dc0781cb37adf742fdc4b84   size: 512
Section .data   md5: 8229e8776f5103cb43eb9de4a81856de   sha1: 95c2b726de20747c788f6d2d1473bf781b51dedf   size: 198144
Section .rsrc   md5: f720d8740956f72237059088c934ac39   sha1: ed92471c791ac876713d4e3739dfcf39529a2edb   size: 5120
Timestamp: 2009-10-23 22:25:04
Version info:
  LegalCopyright: Copyright © 2010 Setup Technologies l
  InternalName: set_up D
  FileVersion: 4.1.0.0
  CompanyName: Jordan Russell
  LegalTrademarks:
  Comments:
  ProductName: y Internet Security u
  ProductVersion: 4.1.0.0
  FileDescription: Setup Self-Extractor
  OriginalFilename: set_up D
PEhash: ee8755182a2ff5d69758a092a9b3c231823dec4b
IMPhash: 212adf75ecfc3f7822966a6ae78c2d7c
Note: the static details contradict each other. The compile timestamp (2009) predates the copyright year in the version resource (2010); CompanyName names the author of Inno Setup, while the manifest embedded in the binary (see the Strings section) identifies the NSIS 2.46 stub and the error strings come from the Delphi run-time library; and a 14 KB .text section next to a 194 KB .data section is consistent with a small loader carrying a packed payload, which is what the Cryptor and Kryptik names in the AV list below denote. None of the version fields should be used to identify the real author or packer.
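How the Section and Timestamp lines above are produced, as an added example (not part of the report and not any sandbox's own code): a minimal parser over the PE section table and COFF header that hashes each section's file-aligned raw bytes, which is why the sizes above are all multiples of 0x200. The build_synthetic_pe helper, its section contents and the Unix timestamp fed to it are constructed for offline use and are not the sample; the zero-size .bss section shows why a section line can legitimately carry the hash of empty input, and the truncated flag covers the case of a header that claims bytes the file does not hold.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Only the fields the report's "Section" and "Timestamp" lines need are parsed.
COFF_HDR = "<HHIIIHH"      # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
SECT_HDR = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, relocs/linenums, Characteristics


def parse_pe(data: bytes):
    """Return (timestamp_utc, sections) for an in-memory PE file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    _machine, nsect, tds, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, data, coff)
    table = coff + struct.calcsize(COFF_HDR) + opt_size
    sections = []
    for i in range(nsect):
        fields = struct.unpack_from(SECT_HDR, data, table + i * struct.calcsize(SECT_HDR))
        name, _vsize, _va, raw_size, raw_ptr = fields[:5]
        raw = data[raw_ptr:raw_ptr + raw_size]  # hashes cover the file-aligned raw bytes, not VirtualSize
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "size": raw_size,
            "truncated": len(raw) != raw_size,   # header claims bytes the file does not contain
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
        })
    return datetime.fromtimestamp(tds, tz=timezone.utc), sections


def report_lines(data: bytes):
    """Render the parse in the report's own 'Section ... / Timestamp ...' layout."""
    ts, sections = parse_pe(data)
    lines = [f"Section {s['name']} md5: {s['md5']} sha1: {s['sha1']} size: {s['size']}" for s in sections]
    lines.append("Timestamp " + ts.strftime("%Y-%m-%d %H:%M:%S"))
    return lines


def build_synthetic_pe(sections, timestamp: int, file_align: int = 0x200) -> bytes:
    """Constructed test input: a minimal, non-runnable PE32 with the given
    (name, body) sections. It exists only so the parser can run offline."""
    opt_size = 0xE0                                     # PE32 optional header size; zeroed except the magic
    e_lfanew = 0x40
    hdr_len = e_lfanew + 4 + struct.calcsize(COFF_HDR) + opt_size + struct.calcsize(SECT_HDR) * len(sections)
    raw_ptr = -(-hdr_len // file_align) * file_align    # first section starts on a file-alignment boundary
    first_raw = raw_ptr
    headers, bodies, va = b"", b"", 0x1000
    for name, body in sections:
        raw_size = -(-len(body) // file_align) * file_align
        headers += struct.pack(SECT_HDR, name.ljust(8, b"\0"), len(body), va, raw_size, raw_ptr,
                               0, 0, 0, 0, 0x60000020)
        bodies += body.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += -(-max(len(body), 1) // 0x1000) * 0x1000
    image = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
             + b"PE\0\0" + struct.pack(COFF_HDR, 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x0102)
             + struct.pack("<H", 0x10B).ljust(opt_size, b"\0")
             + headers)
    return image.ljust(first_raw, b"\0") + bodies


if __name__ == "__main__":
    # 1256336704 is the report's timestamp (2009-10-23 22:25:04 UTC) as a Unix time
    sample = build_synthetic_pe([(b".text", b"\x55\x8b\xec" * 100), (b".bss", b"")], 1256336704)
    print("\n".join(report_lines(sample)))
```

The timestamp is read straight from the COFF header and is attacker-controlled; comparing it with the copyright year in the version resource, as done in the note above, is the cheap consistency check.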
AV detections:
360 Safe: Gen:Heur.FKP.1
Ad-Aware: Gen:Heur.FKP.1
Alwil (avast): MalOb-IJ [Cryp]
Arcabit (arcavir): Gen:Heur.FKP.1
Authentium: W32/FakeAlert.KN.gen!Eldorado
Avira (antivir): TR/Diple.kajn
BullGuard: Gen:Heur.FKP.1
CA (E-Trust Ino): Win32/Renos.D!generic
CAT (quickheal): Trojan.Renos.LN
ClamAV: no_virus
Dr. Web: Trojan.Siggen2.25917
Emsisoft: Gen:Heur.FKP.1
Eset (nod32): Win32/Kryptik.AEUK
Fortinet: W32/Diple.IZ!tr
Frisk (f-prot): W32/FakeAlert.KN.gen!Eldorado
F-Secure: Gen:Heur.FKP.1
Grisoft (avg): Win32/Cryptor
Ikarus: Trojan.Win32.Diple
K7: Unwanted-Program ( 004a8e8a1 )
Kaspersky: Trojan.Win32.Diple.kjn
MalwareBytes: Trojan.Downloader
Mcafee: Downloader-CEW.ai
Microsoft Security Essentials: TrojanDownloader:Win32/Renos.NS
MicroWorld (escan): Gen:Heur.FKP.1
Rising: Trojan.Win32.Generic.1285079C
Sophos: Mal/FakeAV-IZ
Symantec: Trojan.FakeAV!gen52
Trend Micro: TROJ_FAKEAV.SM95
VirusBlokAda (vba32): Trojan.Diple

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs ➝ NULL
Creates File: C:\WINDOWS\system32\sshnas21.dll
Creates Process: rundll32.exe C:\WINDOWS\system32\sshnas21.dll,GetHandle
Creates Service: SSHNAS - %SystemRoot%\system32\svchost.exe -k netsvcs
Note: the dropped DLL is installed as service SSHNAS in the netsvcs svchost group (the netsvcs value above is that group's member list, so the DLL is later loaded inside a trusted svchost.exe instance) and is also started immediately through its GetHandle export with rundll32.exe. The service name, the DLL path and the rundll32 command line are the usable host indicators from this run.

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Note: these are the print spooler's own keys, recorded because the tracer captures every process in the VM; nothing in the trace ties them to the sample.

Process
↳ Pid 1876

Process
↳ Pid 1128

Process
↳ rundll32.exe C:\WINDOWS\system32\sshnas21.dll,GetHandle

Creates Mutex: Global\{02ACCAA4-D375-440f-9261-58B7221B7317}
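The C:\malware.exe behaviours recorded above (write to the netsvcs group value, DLL drop into system32, rundll32 launch of a named export from that DLL, service registration under svchost -k netsvcs) expressed as correlation rules over a process trace. This is an added example, not the sandbox's code and not something the report describes; the event shape ({"pid", "op", "target"}), the PIDs and both traces are constructed for it, mirroring the report's Creates File / Creates Process / Creates Service / Registry lines.

```python
import re

# Substring of the normalised registry path that identifies the netsvcs group member list.
NETSVCS_VALUE = r"\currentversion\svchost\netsvcs"
# rundll32 command lines have the form: rundll32[.exe] <dll>,<export> [args]
RUNDLL32 = re.compile(r"^rundll32(?:\.exe)?\s+(?P<dll>.+?),(?P<export>\S+)\s*$", re.I)
# The report renders service creation as "<name> - <image path>".
SERVICE = re.compile(r"^(?P<name>\S+)\s+-\s+(?P<image>.+)$")


def norm_path(p: str) -> str:
    """Lower-case and expand %SystemRoot% so paths from different event sources compare equal."""
    return p.strip().lower().replace("%systemroot%", r"c:\windows")


def analyze(trace):
    """Return human-readable findings for a list of {"pid", "op", "target"} events.

    Rules (each is one behaviour from the sandbox run):
      1. a process drops a DLL and is then seen running it via rundll32 <dll>,<export>
      2. a service whose image path is svchost.exe -k netsvcs is registered; the finding
         records whether the same process first wrote the netsvcs group value
    """
    dropped_dlls = {}        # normalised path -> pid that wrote it
    netsvcs_writers = set()  # pids that wrote the netsvcs group value
    findings = []
    for ev in trace:
        pid, op, target = ev["pid"], ev["op"], ev["target"]
        if op == "file_create" and norm_path(target).endswith(".dll"):
            dropped_dlls[norm_path(target)] = pid
        elif op == "reg_write" and norm_path(target).endswith(NETSVCS_VALUE):
            netsvcs_writers.add(pid)
        elif op == "proc_create":
            m = RUNDLL32.match(target.strip())
            if m and norm_path(m["dll"]) in dropped_dlls:
                findings.append(
                    f"pid {pid}: rundll32 runs dropped DLL {m['dll']} via export {m['export']} "
                    f"(written by pid {dropped_dlls[norm_path(m['dll'])]})")
        elif op == "svc_create":
            m = SERVICE.match(target.strip())
            if m and "svchost.exe -k netsvcs" in m["image"].lower():
                how = ("after writing the netsvcs group value" if pid in netsvcs_writers
                       else "with no recorded write to the netsvcs group value")
                findings.append(f"pid {pid}: service {m['name']} hosted in svchost -k netsvcs, {how}")
    return findings


# Constructed trace: the C:\malware.exe events from the report plus one spooler read as noise.
SAMPLE_TRACE = [
    {"pid": 1, "op": "reg_write",   "target": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs"},
    {"pid": 1, "op": "file_create", "target": r"C:\WINDOWS\system32\sshnas21.dll"},
    {"pid": 1, "op": "proc_create", "target": r"rundll32.exe C:\WINDOWS\system32\sshnas21.dll,GetHandle"},
    {"pid": 1, "op": "svc_create",  "target": r"SSHNAS - %SystemRoot%\system32\svchost.exe -k netsvcs"},
    {"pid": 2, "op": "reg_read",    "target": r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled"},
]

# Constructed benign trace: rundll32 on a DLL the process did not drop, and no service.
BENIGN_TRACE = [
    {"pid": 3, "op": "proc_create", "target": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for line in analyze(SAMPLE_TRACE):
        print(line)
```

The first rule keys on the drop-then-execute sequence rather than on rundll32 alone, which is why the benign Control Panel invocation produces nothing; the second rule reports every new netsvcs-hosted service and only annotates the group-value write, because a legitimate installer can do the same thing and the analyst, not the rule, decides.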

Network Details:

DNS: livedoor.com (type A) ➝ 125.6.149.67
DNS: yieldmanager.com (type A) ➝ 208.67.66.24
Note: both names belong to legitimate sites (a Japanese web portal and an advertising network), and no traffic beyond these two resolutions was recorded in this run, so they read as a connectivity check rather than command-and-control; treat the IPs as context, not as indicators.

Strings
E.
X
..'
.
V
..^A.<.\
.oT....a
...
y.F
..
.
..
f@
0 a..l
3
}

040904E4
 2010  Setup Technologies l
4.1.0.0
BBABORT
Cannot open file "%s". %s
Comments
CompanyName
Copyright 
DVCLAL
Error reading %s%s%s: %s
Failed to get data for '%s'
FileDescription
FileVersion
InternalName
Invalid argument to date encode
Invalid argument to time encode
Invalid data type for '%s' List capacity out of bounds (%d)
Invalid property element: %s
Invalid property path
Invalid property type: %s
Invalid property value
Invalid stream format$''%s'' is not a valid component name
Jordan Russell
LegalCopyright
LegalTrademarks
List count out of bounds (%d)
List index out of bounds (%d)+Out of memory while expanding memory stream
MS Sans Serif
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters!'%s' is not a valid integer value('%s' is not a valid floating point value
OriginalFilename
Out of memory
ProductName
ProductVersion
Property is read-only
Property %s does not exist
Resource %s not found
rjftF
 set_up D
 Setup Self-Extractor 
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Stream read error
Stream write error
StringFileInfo
TEXTFILEDLG
Translation
uzwM
VarFileInfo
VS_VERSION_INFO
y Internet Security u
-,+*)(
0$3+u\
(086HAXWh]xjxwx
0?F	K're
?0k`xc3
#$&0o6c<gB{H
0PFZtE
0QeEF;
0v2hwewI
0v|@chdtmg
1gqB'HI]K
1 K-?C;
1RUKIKkl
1-/-xme
1;YKoh
2TK]\%
2YyKCT
33333333?333333
333333333333333333
3333333333333338
3333339
333338
33333833
333838
-+3C7i
3cagTwX
3 i8Yu
3+%jUG
3@*K#}k
_3qZOjOz15LGM
3=Z/sH
5oW9asI2nR8
6jGbMzYrcrhrsr
 6RJEOKo
|6(`'x)>
6/Zrkz
,7%5|k
7"?/7K
7HrFkx
,,7LElKlVlml
<(7OWA
(%80H8X=hIxVx\xbxixrxxx~x
%8,5O#g
86e@&D
(#8)H3YEB
8 H+X5h;yGB
8 H%X+m
)8JDKlw
?8JPFU
8&o,c5gD{J
8w5NIown
8wRE@1s
8XPRkw
~99Kxx
@9D~Mo|
=<;:9K
9*q'4]
9zCrHrSrgrrr{r
ADdw+e
_aM5R5xFh@16
AmfRHx
.APRpx
atqd2kR
aUKc4g
-@Aw1Z
_B5V'k@
<B8@p4
.B$aT(i
BA=Y}b
B$)KN+
BLQoeYqw
#bN4V2
bopkxitk
_BskKsa
bV1GyO
B@&{w^
B%,w/G
BxGxOxYx_xexjxoxtx
c)$25~
C42.DL
C5+ZDPT
c8gK{V
CRh?=`w
csrU6Tak
CV~*pJ
,D9tAd\
+D\(AL
@.data
^DdDiDuD
D=k_op
d@MkD(
dPqu3{iw
DR"< 6
DrawMenuBar
DtTOyLu@24
:'D-u?
D@|:u%
dW5elbS
Dy%";c
E1Ka/r
e2RyqNM
e9(D0`x
/eC+9!Ympiv
\eHlEx
E>K&P.
ELTCb5
^:?eQDwu
ergu2kk
es3MWD
	E[;sb
^e{Sc}
ExitProcess
f93_}=
fd`re2
fI'b~n
FIzxUKE
fJbrD]S
f,JfUk3
F,LLRlXm^Swjwpwvw|w
f&p77d
FrCYDG
<f"#Rh
?Fvz*Pk
fw9RQz
g58wIa
G987654
getl|iE
GetMenu
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetWindowTextLengthA
G L0W@\Pa`npxx
>?G;Me
G*SCxZ
_h24c3xdz@20
H3E5ft
h5j2w?[
hF`vPwD4u0u,u(u$u u
h$nK=6s
hphR.u[Te
H,PL[l`lflklpl|l
hU5yZH
hvU&4K
)h:z^L=[
I7!{cQ
IC4\[8)
iCuvU_x
iDhgkf
IJ8|pxptppplrhdv`v\vXvTvPvLvH
I*LV)c
imU?!||
imZ#)D"
(I.r3w~
iS1kp2
IsDlgButtonChecked
IsMenu
Iu"sJt
IwOwUwZwi
/$j6E^
j86oL1z7
J9R|z<
`[Ja!h:
Jj6Hcv
(jl[?X
/&j@oD
/J>Qg\
jrcFjgGU
J}SB]V
^Js@@=D
jT+dD8P
$JuM3J
jV\ak&
;^K4{K
K9u?[C
%KCyk 
kernel32.dll
KERNmL
kg,1N*d
#KHyTok&
K}$lSQ
kNDWk%
k!P9ip
kPYw[?;U
KQZ^&_
KrQrWrgr}r
KRxN{0
KSUdh;
K%/	Uk
kvr}K"
KX%D(<
/;K:,xM
#%/*+lAh
Lc<['>
lFlOlclul
l]h{3l
lhp.3^w<
LoadLibraryA
@LptTCD
lqcJnUDJg
lr~`DR;
l|X|L|@
lXPknpw2xt9L
M4T$`@\
 M7<ze
_m9OtFLnx@12
mDuD|@
*ME+}^
MfB$*_9
|MHGXT,%g
m[-N.gjg
MSVCRT.8
M?T;`'
=M_Wc]k
my%gCJc
N4_D}w
N7pshlwapi
'N8Dx@/
	nablY
N;ajf#m/
NL8Gcs
Nqe3#^eE)p+
NsTwZw`wfwlwrwxw~w
N&V@;~
&".(o,
o0uC{3
O4N4M4L4K4J
O#e^y.
OIV_}7
o,(l8EHOX[hjxpxvx
Pa.sn_
P~e{g8kBk4zKbW
$pfu+:
PO!yn$g
Pr[rerrr|r
P?U;Ze]
PwUw`wtwyw
_qbXNRSE
QJWm63
|qkG,5
_QnyL30PJGfk@4
;Q"[o#
QqjVp5
qsESgu
_=Q<Skt
QszCGA
^.rBy[~
`.rdata
ReWK4oE
r]F/o@R
RLKEF"
rlWOY3z
RtTpTlThDd`d\dXdTdPdLgH}@u<u8u4u0u,J
_rua8chKaN@12
rvBJC[
rWeFkcG
R?X;^'e#
S4^S&Z
S7fDlT
s8kvknkMkH
S9+; Em
_sdw{w
SDYD_]
 set_up D
+SExBD
sFkf.?
sion="1.
SjBJfK-
s	ker$
,	`#Sl\
+^S)p|
sTruQu
Sw'/}X
!\$+T`
t1AVitS
t4+Lp+/ml
T^?{	A
-t",_@B
#T%@Ea
This program must be run under Win32
Tr`rjrp
'?tUed
Twk5IP
tYE~,{
)u}4(gU
ub9]yl
ud#nyj
[@>U&e9m
uefmiv
<UgT@n
Uh1[V%
UKnBHvL
uMjScY,
UmklfF
UO(B/5
u~ps1s~
uq.Ksn
USER32.DLL
uSU+CW
uTFK^W
uTji}_
uvFSR9oG
UydY_kMPM@20
U'YM}g
Uy?:${u
;uztX?hHxRxlx{x
v|[[4sls
V7d${Q
V,cLmlrlwl
v*`FZ4
VirtualAllocEx
V"st@}
Vs\wbwhwnwtwzvI
w+@32q/Q]O
w3KSjk1
w6kMprVlJG5y@20
:wFwM9
-\wfwpww9
wI&BP1s
WkdgwC
`wrwww
W`Vpar
.WYBvE
W#;z<M
X{2TJCA
XcpHFPlm
xgk1KU
^xH!_+
xItjK^
xKB9wYhk24K
XkS5Du7
X Kx,\
X;[@&M
?xml ver
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/>
  <description>Nullsoft Install System v2.46</description>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" />
    </dependentAssembly>
  </dependency>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
  <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
    <application>
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
    </application>
  </compatibility>
</assembly>
Note: the embedded manifest is the stock NSIS 2.46 one and requests requestedExecutionLevel requireAdministrator, so on Vista and later the sample only runs after a UAC prompt and then holds the rights it needs to write into system32 and register a service.
Xpv53WJ
xVhH4IY
x(x8xHx`{|
x(x@xPz`p
Xz3}Ko
XZXLfFM
_y[e]B
y`h(4k
yI7fCG
yi=M/}
yiQ8+*5
YLkijB
Yl^lonz
y?+P\IZ
Y+sUR],
yy6eB.
yyXeKJu
ZH	!JmK
:zNr]rirqrwr}r
Z(R-j3
ZUeNe|
zXAoNS#