Analysis Date: 2015-05-29 13:32:27
MD5: a0ab4fcc8a475c75ecfb7040f5c69076
SHA1: 3dfb9c24ec22a8b526e4905f17d4d933ed5fbce8

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 0a6f861a3e54e209c31541e4616bb58a sha1: afb471c67ce0082cc07004d4dab77ef446ec3b9a size: 28672
Section .rdata md5: e26ef5fb8e3647a34ee6ef0634e3d8f0 sha1: abe1f7c35c60b6eb37ab4102032cfdf9088fe4d2 size: 8192
Section .data  md5: b3f3a0cd890f60f59035be68d7ccdeb3 sha1: bd21b33c13beb635078ade8d670f7010adc579b6 size: 8192
Section .rsrc  md5: 5d2c89dfb85ff9299d7691b40bf702ae sha1: d286e0c64d72d4ee2062677e89e19f0c47f35da1 size: 16384
Timestamp: 2014-07-06 18:22:51
Pdb path: @
Version:
  LegalCopyright: (c) 2000-2014 Martin Prikryl
  InternalName: winscp
  FileVersion: 5.5.3.4214
  CompanyName: Martin Prikryl
  ReleaseType: stable
  WWW: http://winscp.net/
  ProductName: WinSCP
  ProductVersion: 5.5.3.0
  FileDescription: WinSCP: SFTP, FTP and SCP client
  OriginalFilename: winscp.exe
Packer: Microsoft Visual C++ v6.0
PEhash: b9b132903273ea607d1ae50d04759b983cbbc5bb
IMPhash: aaabdb0b1d057b2e282f353b3720fdf4

Note: the version resource is copied from WinSCP 5.5.3 (copyright Martin Prikryl), but the file is an MSVC 6.0 build, and the Strings section below carries the debug path \King\Release\coco.pdb and the window class name Hack95Class, neither of which belongs to WinSCP. The WinSCP metadata is therefore spoofed and says nothing about the file's origin; the Pdb path field above was simply not parsed by the tool.

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.Net CLR\Description ➝ Microsoft .NET COM+ Integration with SOAP
Creates File: C:\WINDOWS\imvvsm.exe
Creates Process: C:\WINDOWS\system32\cmd.exe /c del C:\3DFB9C~1.EXE > nul
Creates Mutex: C:\malware.exe
Creates Service: Microsoft .Net Framework COM+ Support - C:\WINDOWS\imvvsm.exe

Process
↳ C:\WINDOWS\system32\cmd.exe /c del C:\3DFB9C~1.EXE > nul

Creates File: nul
Deletes File: C:\malware.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\Prefetch\3DFB9C24EC22A8B526E4905F17D4D-33256ACE.pf
Creates File: C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
Creates File: C:\WINDOWS\Prefetch\NET1.EXE-029B9DB4.pf
Creates File: C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf
Creates File: C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates File: C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Creates File: C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf
Creates File: C:\WINDOWS\Prefetch\IMVVSM.EXE-33549431.pf
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File: C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf

Process
↳ Pid 1108

Process
↳ Pid 1204

Process
↳ Pid 1328

Process
↳ Pid 1856

Process
↳ Pid 908

Process
↳ C:\WINDOWS\imvvsm.exe

Creates File: pipe\net\NtControlPipe10
Creates File: \Device\Afd\Endpoint
Creates Mutex: C:\WINDOWS\imvvsm.exe
Creates Mutex: .Net CLR
Creates Mutex: DBWinMutex
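The two runtime behaviours worth turning into detections are the self-deletion through `cmd.exe /c del <file> > nul` and the persistence as a service whose binary sits loose in C:\WINDOWS under a Microsoft-sounding display name. The following is an added example, not code from the sandbox or from the sample: it runs both checks over a constructed list of process-creation and service-install events modelled on the entries above, plus two constructed benign events as controls. The event schema (`type`, `image`, `parent_image`, `command_line`, `display_name`, `image_path`) is an assumption, not any product's export format.

```python
"""Behavioural checks for the runtime indicators in this report (added example)."""
import ntpath
import re

# Self-deletion idiom from the report: "cmd.exe /c del <path> > nul".
# The child shell performs the delete after the dropper has exited.
SELF_DELETE_RE = re.compile(
    r'cmd\.exe"?\s+/c\s+del\s+(?:/[a-z]\s+)*"?(?P<target>[^"\s>]+)"?\s*>\s*nul',
    re.IGNORECASE,
)

# Display names that claim to be a Microsoft platform component.
MS_NAME_RE = re.compile(r"microsoft|\.net|com\+|windows", re.IGNORECASE)


def short_name_stem(path: str) -> str:
    """Upper-cased stem of a path before any 8.3 tilde: C:\\3DFB9C~1.EXE -> 3DFB9C."""
    stem = ntpath.splitext(ntpath.basename(path))[0].upper()
    return stem.split("~", 1)[0]


def service_binary(image_path: str) -> str:
    """Strip quotes and service arguments (e.g. '-k netsvcs') from an ImagePath.
    Unquoted paths containing spaces are not handled; real ImagePath values quote them."""
    s = image_path.strip()
    if s.startswith('"'):
        return s[1:].split('"', 1)[0]
    return s.split(" ", 1)[0]


def detect_self_delete(events):
    """Flag cmd.exe children that delete a file and discard the output.

    The sandbox may expose the dropper under an 8.3 short name, so the deleted
    path is reported with its short-name stem and a same-directory flag rather
    than compared byte-for-byte with the parent image.
    """
    alerts = []
    for ev in events:
        if ev.get("type") != "process_create":
            continue
        m = SELF_DELETE_RE.search(ev.get("command_line", ""))
        if not m:
            continue
        target = m.group("target")
        parent = ev.get("parent_image", "")
        alerts.append({
            "rule": "self_delete_via_cmd",
            "parent": parent,
            "target": target,
            "target_short_stem": short_name_stem(target),
            "same_directory_as_parent":
                ntpath.dirname(target).upper() == ntpath.dirname(parent).upper(),
        })
    return alerts


def detect_service_masquerade(events):
    """Flag a new service whose binary lives directly in the Windows directory
    while its display name claims to be a Microsoft component.

    Platform services run from system32 (or Microsoft.NET); a random
    six-letter .exe in C:\\WINDOWS registered as
    'Microsoft .Net Framework COM+ Support' is the pattern from this report.
    """
    alerts = []
    for ev in events:
        if ev.get("type") != "service_install":
            continue
        binary = service_binary(ev.get("image_path", ""))
        parent_dir = ntpath.dirname(binary).upper().rstrip("\\")
        in_windows_root = re.fullmatch(r"[A-Z]:\\WINDOWS", parent_dir) is not None
        display = ev.get("display_name", "")
        if in_windows_root and MS_NAME_RE.search(display):
            alerts.append({
                "rule": "service_masquerade",
                "service": ev.get("service_name", ""),
                "display_name": display,
                "binary": binary,
            })
    return alerts


def triage(events):
    """Run every rule and return the alerts in rule order."""
    return detect_self_delete(events) + detect_service_masquerade(events)


# Constructed events: the first two mirror the report, the last two are benign controls.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\WINDOWS\system32\cmd.exe",
     "parent_image": r"C:\malware.exe",
     "command_line": r"C:\WINDOWS\system32\cmd.exe /c del C:\3DFB9C~1.EXE > nul"},
    {"type": "service_install", "service_name": ".Net CLR",
     "display_name": "Microsoft .Net Framework COM+ Support",
     "image_path": r"C:\WINDOWS\imvvsm.exe"},
    {"type": "process_create", "image": r"C:\WINDOWS\system32\cmd.exe",
     "parent_image": r"C:\WINDOWS\explorer.exe",
     "command_line": r"cmd.exe /c dir C:\Users > C:\tmp\listing.txt"},
    {"type": "service_install", "service_name": "wuauserv",
     "display_name": "Windows Update",
     "image_path": r"C:\WINDOWS\system32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The service rule deliberately keys on location plus naming rather than on the specific name `imvvsm.exe`, because the string table below shows the binary name is generated from a `%c%c%c%c%c%c.exe` template and will differ per infection; the service key `.Net CLR` and display name are the stable part of this sample's persistence.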

Network Details:

DNS: linfeng.sytes.net
Type: A
Flows TCP: 192.168.1.1:1031 ➝ 142.4.38.44:8080
Flows TCP: 192.168.1.1:1031 ➝ 142.4.38.44:8080
Flows TCP: 192.168.1.1:1039 ➝ 142.4.38.44:8080
Flows TCP: 192.168.1.1:1047 ➝ 142.4.38.44:8080
Flows TCP: 192.168.1.1:1056 ➝ 142.4.38.44:8080
Flows TCP: 192.168.1.1:1064 ➝ 142.4.38.44:8080
Flows TCP: 192.168.1.1:1072 ➝ 142.4.38.44:8080
Flows TCP: 192.168.1.1:1080 ➝ 142.4.38.44:8080
Flows TCP: 192.168.1.1:1089 ➝ 142.4.38.44:8080
Flows TCP: 192.168.1.1:1098 ➝ 142.4.38.44:8080
Flows TCP: 192.168.1.1:1106 ➝ 142.4.38.44:8080
Flows TCP: 192.168.1.1:1115 ➝ 142.4.38.44:8080
Flows TCP: 192.168.1.1:1125 ➝ 142.4.38.44:8080

Raw Pcap
The following one-byte entry is repeated 12 times in the report, once per distinct flow listed above; each stream carried only the byte 0xb0:

0x00000000 (00000)   b0                                    .

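The network section shows the shape of a reconnecting beacon: a dynamic-DNS name resolved once, then a dozen short TCP connections to the same host and port from steadily climbing ephemeral ports, each carrying a single byte. The script below is an added example, not part of the report: it parses the DNS and `Flows TCP` lines exactly as they appear on this page (label fused to the value or separated by a colon), summarises them per destination, applies assumed beacon thresholds (at least five connections, non-decreasing source ports, payload of 16 bytes or less), and emits a Suricata rule for the destination. The flow lines and the 0xb0 payload are copied from the report; everything else is constructed here.

```python
"""Beacon summary for the Network Details of this report (added example)."""
import re
import statistics
from collections import defaultdict

FLOW_RE = re.compile(
    r"Flows\s+TCP:?\s*(?P<src>[\d.]+):(?P<sport>\d+)\s*(?:➝|->)\s*(?P<dst>[\d.]+):(?P<dport>\d+)"
)
DNS_RE = re.compile(r"^DNS:?\s*(?P<name>[A-Za-z0-9.-]+)\s*$", re.MULTILINE)

# Copied from the report above; the first flow is listed twice there.
REPORT = """\
DNSlinfeng.sytes.net
Type: A
Flows TCP192.168.1.1:1031 ➝ 142.4.38.44:8080
Flows TCP192.168.1.1:1031 ➝ 142.4.38.44:8080
Flows TCP192.168.1.1:1039 ➝ 142.4.38.44:8080
Flows TCP192.168.1.1:1047 ➝ 142.4.38.44:8080
Flows TCP192.168.1.1:1056 ➝ 142.4.38.44:8080
Flows TCP192.168.1.1:1064 ➝ 142.4.38.44:8080
Flows TCP192.168.1.1:1072 ➝ 142.4.38.44:8080
Flows TCP192.168.1.1:1080 ➝ 142.4.38.44:8080
Flows TCP192.168.1.1:1089 ➝ 142.4.38.44:8080
Flows TCP192.168.1.1:1098 ➝ 142.4.38.44:8080
Flows TCP192.168.1.1:1106 ➝ 142.4.38.44:8080
Flows TCP192.168.1.1:1115 ➝ 142.4.38.44:8080
Flows TCP192.168.1.1:1125 ➝ 142.4.38.44:8080
"""

# Payload seen in every stream of the Raw Pcap section: the single byte 0xb0.
PAYLOAD_PER_STREAM = bytes.fromhex("b0")


def parse_dns(text):
    """Names the sample resolved, in report order."""
    return [m["name"] for m in DNS_RE.finditer(text)]


def parse_flows(text):
    """(src, sport, dst, dport) tuples in report order, duplicates kept."""
    return [(m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            for m in (FLOW_RE.search(line) for line in text.splitlines()) if m]


def summarize(flows, payload=PAYLOAD_PER_STREAM, min_conns=5, max_payload=16):
    """Per-destination connection statistics with a beacon verdict.

    Thresholds are assumptions for this example. Source ports are kept in
    arrival order so a client that reconnects (new ephemeral port each time)
    shows as non-decreasing; the step size is taken over distinct ports.
    """
    by_dst = defaultdict(list)
    for _src, sport, dst, dport in flows:
        by_dst[(dst, dport)].append(sport)
    out = []
    for (dst, dport), sports in by_dst.items():
        distinct = sorted(set(sports))
        steps = [b - a for a, b in zip(distinct, distinct[1:])]
        non_decreasing = all(b >= a for a, b in zip(sports, sports[1:]))
        out.append({
            "dst": f"{dst}:{dport}",
            "connections": len(sports),
            "distinct_source_ports": len(distinct),
            "median_port_step": statistics.median(steps) if steps else 0,
            "payload_bytes": len(payload),
            "beacon_like": (len(distinct) >= min_conns and non_decreasing
                            and len(payload) <= max_payload),
        })
    return out


def to_suricata(entry, sid):
    """Minimal Suricata rule for one summarised destination."""
    dst, dport = entry["dst"].split(":")
    return (f'alert tcp $HOME_NET any -> {dst} {dport} '
            f'(msg:"Beacon to {dst}:{dport} (sandbox report)"; '
            f'flow:to_server,established; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    print("resolved:", parse_dns(REPORT))
    for i, entry in enumerate(summarize(parse_flows(REPORT))):
        print(entry)
        print(to_suricata(entry, 1000001 + i))
```

Because linfeng.sytes.net is a dynamic-DNS name (sytes.net is operated by No-IP), the address 142.4.38.44 can change from one resolution to the next; a rule keyed on the IP alone should be paired with a DNS-based indicator on the hostname, which is the more durable IOC in this report.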

Strings
Open
WriteFile
GetTempPathA
urlmon.dll
URLDownloadToFileA
iexplore.exe
open
KERNEL32.dll
SYSTEM\CurrentControlSet\Services\
SYSTEM\CurrentControlSet\Services\
39rd5ebd5B3Qytfm0B3d5tdD
WriteFile
GetTempPathA
urlmon.dll
URLDownloadToFileA
SYSTEM\CurrentControlSet\Services\
iexplore.exe
open
KERNEL32.dll
SYSTEM\CurrentControlSet\Services\
SizeofResource
SYSTEM\CurrentControlSet\Services\
ImagePath
KERNEL32.dll
GetLastError
GetCurrentThreadId
CreateMutexA
KERNEL32.dll
GetLastError
ExitProcess
GetCurrentThreadId
CreateMutexA
SYSTEM\CurrentControlSet\Services\
SYSTEM\CurrentControlSet\Services\
Description
NT2000XP2003Vista200872008R2820128.1WinSPMHzFind CPU Error.1\Pogam Fis\Inn Epo\ipo.
E
..
E.
P
968E
P
E
..KERNEL32.dll
LpkGetTextExtentExPoint
LpkTabbedTextOut
LpkDllInitialize
LpkDrawTextEx
LpkEditControl
LpkExtTextOut
LpkGetCharacterPlacement
LpkInitialize
LpkPSMTextOut
LpkUseGDIWidthCache
ftsWordBreak
lpk.dll
lpk.dll

040904E4
080404b0
1, 0, 0, 1
5.5.3.0
5.5.3.4214
(c) 2000-2014 Martin Prikryl
(C) 2014
china
china QQ
Comments
CompanyName
FileDescription
FileVersion
http://winscp.net/
InternalName
jjjjj
jjjjjj
LegalCopyright
LegalTrademarks
Martin Prikryl
OriginalFilename
PrivateBuild
ProductName
ProductVersion
ReleaseType
SpecialBuild
stable
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
winscp
WinSCP
winscp.exe
WinSCP: SFTP, FTP and SCP client
0.0.0.0
"0,0V0l0
%04d%02d%02d
0/5=5K5_5x5
123456
12345678
1314520
??1type_info@@UAE@XZ
2%2/2T2g2w2
=2=7=D=M=Z=w=~=
??2@YAPAXI@Z
3T3^3h3r3
??3@YAXPAX@Z
5201314
5)5K5m5
?.?5?V?i?
6@6J6Q6^6e6~6
6)707=7D7y7
686R6Y6
:&:.:6:>:F:O:
7+7E7L7P7T7X7\7`7d7h7
7*858P8W8\8`8d8
9.9I9Q9Y9b9k9
9J9P9T9X9\9
abc123
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Accept-Encoding: gzip, deflate
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: zh-cn
Accept: text/html, */*
_acmdln
_adjust_fdiv
admin$\
administrator
ADVAPI32.dll
asdfgh
at \\%s %d:%d %s
.?AVtype_info@@
bbbbbb
BeginUpdateResourceA
bRich+
BRich[
Cache-Control: no-cache
caonima
%c%c%c%c%c%c.exe
%c%c%c%c%ccn.exe
/c del 
C:\Documents and Settings\Administrator\
C:\g1fd.exe
ChangeServiceConfig2A
CloseHandle
CloseServiceHandle
closesocket
COMSPEC
Connection: Close
Connection: Keep-Alive
Content-Type: text/html
_controlfp
CopyFileA
CreateEventA
CreateFileA
CreateMutexA
CreateProcessA
CreateServiceA
CreateThread
CreateWindowExA
__CxxFrameHandler
_CxxThrowException
@.data
%d.%d.%d.%d
DefWindowProcA
DeleteService
D:\g1fd.exe
DisableThreadLibraryCalls
DispatchMessageA
__dllonexit
D$ RPj
D$tj R
%d*%u%s
D$xj(P
E:\g1fd.exe
EhcRHRcdEAsdFxcJCxMLE0M=
EndUpdateResourceA
EnumResourceNamesA
_except_handler3
ExitProcess
ExitThread
F:\g1fd.exe
FindClose
FindFirstFileA
FindNextFileA
FindResourceA
FreeLibrary
ftsWordBreak
GetAdaptersInfo
GetCurrentProcess
GetCurrentThread
GetDesktopWindow
GetEnvironmentVariableA
GetExitCodeProcess
GetFileAttributesA
GetFileSize
gethostbyname
gethostname
GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm   (this request line is repeated back to back many times within one extracted string)
GetIfTable
GetLastError
GetLocalTime
GetLogicalDrives
__getmainargs
GetMessageA
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
GetShortPathNameA
GET %s HTTP/1.1
GetStartupInfoA
GetSystemDefaultUILanguage
GetSystemDirectoryA
GetSystemInfo
GetTempFileNameA
GetTempPathA
GetTickCount
GetVersionExA
GetWindowsDirectoryA
GlobalAlloc
GlobalFree
GlobalMemoryStatusEx
Hack95Class
HARDWARE\DESCRIPTION\System\CentralProcessor\0
Host: %s
Host: %s:%d
HrCg@b	g(
HtGHHu4j
_initterm
iphlpapi.dll
KERNEL32.dll
\King\Release\coco.pdb
L$DPhl
L$`j3QR
LoadCursorA
LoadIconA
LoadLibraryA
LoadResource
localtime
LockResource
LockServiceDatabase
lpk.attack
LpkDllInitialize
LpkDrawTextEx
LpkEditControl
LpkExtTextOut
LpkGetCharacterPlacement
LpkGetTextExtentExPoint
LpkInitialize
LpkPSMTextOut
LpkTabbedTextOut
LpkUseGDIWidthCache
lstrcatA
lstrcmpA
lstrcmpiA
lstrcpyA
lstrcpynA
lstrlenA
malloc
memcpy
memory
memset
Microsoft .NET COM+ Integration with SOAP
Microsoft .Net Framework COM+ Support
mm%u.dll
mpr.dll
MSVCRT.dll
.Net CLR
 > nul
_onexit
OpenMutexA
OpenSCManagerA
OpenServiceA
OutputDebugStringA
P0Z0a0n0u0
password
PathAppendA
PathFindExtensionA
PathFindFileNameA
__p__commode
__p__fmode
qwerty
`.rdata
ReadFile
realloc
Referer: http://%s:80/http://%s
RegCloseKey
RegisterClassExA
RegisterServiceCtrlHandlerA
RegOpenKeyA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
ReleaseMutex
@.reloc
ResumeThread
\\%s\admin$\g1fd.exe
\\%s\C$\NewArean.exe
\\%s\D$\g1fd.exe
\\%s\E$\g1fd.exe
__set_app_type
SetEvent
SetFileAttributesA
SetFilePointer
SetPriorityClass
SetServiceStatus
setsockopt
SetThreadPriority
__setusermatherr
\\%s\F$\g1fd.exe
SHChangeNotify
SHDeleteKeyA
SHELL32.dll
ShellExecuteA
ShellExecuteExA
SHLWAPI.dll
ShowWindow
\\%s\ipc$
SizeofResource
sprintf
%s %s%s
%s %s %s%d
StartServiceA
StartServiceCtrlDispatcherA
strcat
strchr
strcmp
strcpy
strcspn
strlen
strncmp
strncpy
strstr
TerminateProcess
TerminateThread
!This program cannot be run in DOS mode.
T$ @j|P
T$|j(RP
tOHt>Ht#
TranslateMessage
txHtnHtaHtTHtG
<=<u<|<
%u Gbps
%u Mbps
UnlockServiceDatabase
UpdateResourceA
UpdateWindow
USER32.dll
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)
User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)
User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0
WaitForMultipleObjects
WaitForSingleObject
WinExec
WNetAddConnection2A
woaini
WriteFile
WS2_32.dll
WSAIoctl
WSASocketA
WSAStartup
wsprintfA
WWWhG2@
_XcptFilter
xpuser
Y~2VVVh