Analysis Date: 2015-01-28 17:47:49
MD5: faa609b4db8be29676d9ff54ea3c8de7
SHA1: 404bae641d30dc9af0c356fcfdbfacb68e074572

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1: md5: fc5e3b5cdaeb9a2c631193f879168b03 sha1: 9f15d8bfb484e5b5879d85e342d079fc8e195faa size: 217088
Section UPX2: md5: 7dbddb691690bc4ff494d5b5ddbc1aa4 sha1: 9cf920030f5bed3fb1eb513fba1440d57ca799af size: 1024
Timestamp: 2014-10-20 02:01:52
Packer: UPX -> www.upx.sourceforge.net
PEhash: 50fbf3e919e037a8c5e812701d2a590af6221805
IMPhash: 12949835d0cda9d5836fa2fbd6c55e3c
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Variant.Symmi.42740
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Gen:Variant.Symmi.42740
AV Authentium: W32/Trojan.JKTN-3803
AV Avira (antivir): TR/Agent.219136.109
AV BullGuard: Gen:Variant.Symmi.42740
AV CA (E-Trust Ino): Win32/Oflwr.A!crypt
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Gen:Variant.Symmi.42740
AV Eset (nod32): Win32/Agent.WQL
AV Fortinet: W32/Agent.WCF!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Symmi.42740
AV Grisoft (avg): Agent5.DGU
AV Ikarus: Trojan.Win32.Agent
AV K7: Trojan ( 0049c9161 )
AV Kaspersky: Trojan.Win32.Hosts2.gen
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Symmi.42740
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page ➝ http://www.2345.com/?kkkkkkkk2345\\x00
Registry: HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue ➝ NULL
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\Program Files\Common Files\asdqw_3104-48740.JPG
Creates File: C:\WINDOWS\system32\unrar.dll
Creates File: C:\Program Files\Common Files\shanhu_7654_356.jpg
Winsock URL: http://cdn.pcbeta.attachment.inimc.com/data/attachment/forum/201409/12/173937imav9yvcycn3akua.jpg
Winsock URL: http://d3.freep.cn/3tb_1410151734454411539918.jpg
Winsock URL: http://d3.freep.cn/3tb_140923192942q71f538987.jpg

Network Details:

DNS: webmirror.pcbeta.com
Type: A
113.107.42.25
DNS: img.freep.cn
Type: A
221.234.36.242
DNS: cdn.pcbeta.attachment.inimc.com
Type: A
DNS: d3.freep.cn
Type: A
HTTP GET: http://cdn.pcbeta.attachment.inimc.com/data/attachment/forum/201409/12/173937imav9yvcycn3akua.jpg
User-Agent:
HTTP GET: http://d3.freep.cn/3tb_140923192942q71f538987.jpg
User-Agent:
HTTP GET: http://d3.freep.cn/3tb_1410151734454411539918.jpg
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 113.107.42.25:80
Flows TCP: 192.168.1.1:1032 ➝ 221.234.36.242:80
Flows TCP: 192.168.1.1:1033 ➝ 221.234.36.242:80

Raw Pcap
Note: each captured request carries only a Host header and "Cache-Control: no-cache" and no User-Agent header, which matches the empty User-Agent fields above. In the second and third dumps the request ends at the "0d0a0d0a" at offset 0x58; the bytes from offset 0x5c onward ("ttachment.inimc.com..Cache-Control: no-cache....") are identical to offsets 0x5c–0x8b of the first dump and appear to be stale capture-buffer content rather than part of those requests.
0x00000000 (00000)   47455420 2f646174 612f6174 74616368   GET /data/attach
0x00000010 (00016)   6d656e74 2f666f72 756d2f32 30313430   ment/forum/20140
0x00000020 (00032)   392f3132 2f313733 39333769 6d617639   9/12/173937imav9
0x00000030 (00048)   79766379 636e3361 6b75612e 6a706720   yvcycn3akua.jpg 
0x00000040 (00064)   48545450 2f312e31 0d0a486f 73743a20   HTTP/1.1..Host: 
0x00000050 (00080)   63646e2e 70636265 74612e61 74746163   cdn.pcbeta.attac
0x00000060 (00096)   686d656e 742e696e 696d632e 636f6d0d   hment.inimc.com.
0x00000070 (00112)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000080 (00128)   6e6f2d63 61636865 0d0a0d0a            no-cache....

0x00000000 (00000)   47455420 2f337462 5f313430 39323331   GET /3tb_1409231
0x00000010 (00016)   39323934 32713731 66353338 3938372e   92942q71f538987.
0x00000020 (00032)   6a706720 48545450 2f312e31 0d0a486f   jpg HTTP/1.1..Ho
0x00000030 (00048)   73743a20 64332e66 72656570 2e636e0d   st: d3.freep.cn.
0x00000040 (00064)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000050 (00080)   6e6f2d63 61636865 0d0a0d0a 74746163   no-cache....ttac
0x00000060 (00096)   686d656e 742e696e 696d632e 636f6d0d   hment.inimc.com.
0x00000070 (00112)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000080 (00128)   6e6f2d63 61636865 0d0a0d0a            no-cache....

0x00000000 (00000)   47455420 2f337462 5f313431 30313531   GET /3tb_1410151
0x00000010 (00016)   37333434 35343431 31353339 3931382e   734454411539918.
0x00000020 (00032)   6a706720 48545450 2f312e31 0d0a486f   jpg HTTP/1.1..Ho
0x00000030 (00048)   73743a20 64332e66 72656570 2e636e0d   st: d3.freep.cn.
0x00000040 (00064)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000050 (00080)   6e6f2d63 61636865 0d0a0d0a 74746163   no-cache....ttac
0x00000060 (00096)   686d656e 742e696e 696d632e 636f6d0d   hment.inimc.com.
0x00000070 (00112)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000080 (00128)   6e6f2d63 61636865 0d0a0d0a            no-cache....


Strings
.
!
.
...
.V!0
P
@
.
.
.
C
v(<
.
1
U8C
.
.

>	>">.
 !"#$%&'()*+,-./
0 0&0,025
0+0_%v
010:0G0S0g0m0
<*06<B
 (08@P`p
0Am^7@3
 ,&0@B
0/b/{.B
0#l(Ro
"0oa2o
0oIUxzG
 0@P`jo
0s32fta
 @0Tpk
 0>`*u
]0u|fr
.-0$v)}1
0w@s E%
0xpWmF
;1;?;{;
1 1$1(1
1%1B1U1^1
@1`1d>
193T5f
1c8g8k8o8s8w8{8
<*>1>j>q
1Q!6uvf
1#QNAN
1Q%	R@
:">(1ss
}_>1W-
2*<>|"
`;219.235
21s`fs
227562
(252;2O2
"(2(5H
*?.?2?6?:
) 2Cpk
2DNI @
31o0a2`
32@3L3X:dP
32\taskmgr.exe
3$3(3H
35138b9a-+6
(>->3>8>Y>w>
3\:PI=1
3x $HZ
40%C @
4463<tT[
4-48740.I
456789abcdef
465p5X7
4,84<4\4`
4"'AFfm&
4b}B.S
4$,C4Q4a4p4
$,4<D 
4\<`<d<h
4~f9.u
\4h5M p
'4{OX{v
/4s\Blu)
4X)H`<
517xky.
538f494a2afdb0c
5(54~H5h
<5@5DC
"57-1546-4
<58=4f
58<Vb=
5A'O)t
5d9fbd-8
5PVHUP
5v7mX,
	5YfF-
`60[awbwf4
647X7`
654<56]/d3.
6!6(6/6N6U6\6c6
6,686<
6"7-7Q
6AXRZe
6ho&Bh
6h;=x}W!
6k>o>s
6#/Rni
<6Z2ea7be1
7$:(:,
73937Zav9yvcycn3aku
75f06e
77>7E7L
7/7Sr"818;9X9
7)8j<A=X=u=
7DWORD4
+7Fl|<
7=f;*Y.
7Gj"NY
7hl-sms=
7K8\8j8
7.mpGpM
7$s/z \
&%7UqU
7V;,0,27
7Xt+DPI7^c`>JC
\.'8<,
,&80$a
8273I3
<840,(4
8"8(8.848:ZF
-8au'ruf
8B0 4`
<8C8J8Q8X8_8f8
8@GAtbjOF
8iIkg}
(8l@03
8(^L3p
8MZPH<
#8UP*$JB
8xZKTm\
`8Z8d8
900FB7
942q71fU`(
959@9y9
96>NH9NvZ>
98:T:\:d:u:
\=9!~a
&9"!*C2
9D3.,@@
*-9$D]qQ
@9h595b64144ccf1
	9h<R-
9`:i:r:~:
="=9=J=
9J:n:t:z:
9O-PKc
$9_Pt?
9w3B(l
_9~X~B
9y`8;q
a,\(24
A#3D=H)X
a'A{@}]
AAp]ZX
a* )Augus
)Ab7HK
/:;<=>?@ABCDE
A.bpke
accbYpi
a&(|De
ADVAPI
ADVAPI32.dll
aFi(]~
AFX_x_ST
ai7DFl
ais#"T
-a,IVX
alo$/yW
and Object
aq@8VfB
aQl@9,!cA
Array<char>
`>{aSQ
ATL.DLL
/A,TrK
AVM_%4
#B59pe
 @B8tXLH
::bad_a
}BbS	<
**BCCxh1
%`@bCryptKeyCacheI
b.fdf4
b<F<H4
BfJcG!
?B?F?J?N?R?V?Z?^?b?
BF!p2|6
^bHEF@
b/ibbq
BiFaJ8
BitBlt
bJblfL
BjP AR
B(j=S7
:B>n9<
b{<Q%Jr
$bqRN(
B#R2aM
!bt'$"
Buff#Uppw
BWideC
,"C87;
CAuto=1
ceLu?v/
%ch$R[
%;/CJG$
clB127.0
ClosePrinter
 (/clr<
\CLSID
CmdTar*t
cn/bbsz!c
COMCTL32.dll
CONOUT$L
CPPZbugHook
}cripth.
c?THREAD@
curityP
cWH)?pO
D0J0P0V0\
[:d0x|
d1.0">
'd&3.Z
D7m7y7
"D9Dz[
>>+D-A)
DBCp1j
DBu.hX3
dc71cb684l
 Dd$`/
`dDJ"S[
DefaultI0nB,,j
d%er:g
dfBl/`*\
DFh>Ch)
d(i*BEb{J&
di}sjxun9
&D~j2H
"d>L>l>p>
D)Me7+
D"nUYe
DragFinish
D\Ut5E
<D>V7:
dX\`d7`
d 	xKO
dXP^D@<y
<DxpS8p
+dxu2Z
e$1CUR
E4SCQD
Eb-&ie
eB;u{L
))EE	F
_e?Fl$
`eh %V
Elehmd
	~em$qqri18
EnumDisplay/L
:EP_	ECq3b
EPtSx^
_;er 8^D
ER)i!\{
.$e&>rjP{HC
E\SOFTWAR
ES_ROOT
ET?OU<
EVAMt/
ewU"w!Gj
e>X86"6
ExitProcess
eXP#14
\ExplO
Eyy7R5^=
f00004CTL0
f1r3|3v3
f7j7w7
ffL2g^;
FG-PGS8
?'fg?t
FH^0-:R0
f?j?n?r?v?z?~?
FKl\3`
Fm6Ir5_vl..1
]F}mp*L@
FO{FD@
/Format
[#fP $
FR^Li8mb
F$WRkE
f*x.85
&,fZ:8L
F?+__Zj
>/>?;g
g 2%,G&
g7H %s
G@ACL@TM
gbR@<@u
GDI32.dll
~GetM i
GetProcAddress
GF,Hh.P
gH i$j
gHPDHL
__GLOBAL_HEAP_SEL
Go@i=hz-
GRyx,dd
G?U[pP
Gv<v)3
$	gxJv)
%GxTFMY@g
G'y@h?6t44
GZ",^+
[}]h;/
| H	`-
h.0b2f
h4aRxy-
h6l Dlg
HaoZip
/h%H:%M
HIf)[_
HKEY_LOC
HNLBnew_9
:(HOOK
<*:H\r
hS2"so
!(H(T}
H~tB+<9
hu1Q_7
hUwxLH
^h)ZU9,
i32HuH
I@72'L=
i&8$U 
iB(~ j
I~;Bo_
icFM#G
ID!	: \?
IJKLMNO
ileNameW
I[.lhH
iNSqP W
InternetOpenA
`I+!S	 
I`:s1'
 @ise,rp
ISPLAY&m|rl_D
|iv2tR
I\v]<Y
]i:Y`Gvb
j(0lJU
}j4Ni?
japoO7not
J )d[4" 
JD<4,T
`jd@w0
;;j`h8N
JK8arg
^J@][N
J@nMrW
Jol)!r
J:Pu\Di
jr\Adv
juHX!R
jW!A'WClose
 JyO$|
$^K(CR
kcWMG="
kd	wVJ
KERNEL32.DLL
;k=o=s=w
`'kp7qO
k@PUY^
+_KryZ
k Source D
kWwktZ%
l1v`KAt
L6d6h6
la/4.0 (G
LASS F7
L,aVP8
_lcl':N$
LD<4,!`
L*.DLL
/LfarV
l])g~8
L=H 4B.
(`;l&I
;#<l<-<=<J
! ljX8
l/mV p
.lnkwu@Syp
LoadLibraryA
Lo$upYC
LpKLt&
l%p$q1
\.LPTX.
l^RF8&
l%;R*k
LT#8JW
-lt_[y
L\vJb\0
Lv"W@O
L=WbZr
,<L<X<x<
l.yi85
|l^Z|[
M0s041<1
!,,! m2%
m*|;2*
m2c4511da95:8642fc
M2>xTQ\X
M4s+^,Z
!m'4\v
m 6j5h
M:	7e%mpK
{mbA91kdFQ
MEfd{g
?-mEpg8l
MhcwFKh
MiscSt
;mJ-%$J
[\%M \K
mm{tFazpiW0gS
=MODULE_?
moMA(+i
}&``MQ%3
M'Qh=F
mra^r 
{*m>r[sK6l
m	uBN#
MULATE_TLS: 
:mV0Z/7
Myo;P|
,>N>.*
|nC,\~
NcQ!S])d
NDh&%X
NgpsBk
NH-6>Y
Nh[>Ip
N}>m+L
No such.
NotSupp
n ]QU;)
#nrO-uID
%} NT 
ntf :Fx
nUZ\PT
n _vec
n%w*J#;
^nx|zu
/O09/12n
~O4n4v4
<O 6Lbx
oa+mnc
OF@@~@~
OFree3pv5Re
O&HP*p{!
O\HZ,$%TO
oi(8PX
OiQIYI\Qiyi
OldhProc423' 
ole32.dll
OLEAUT32.dll
oledlg.dll
OLEPRO
OleRun
omPoizo'R0
Oo!+Bt
oOlMKD
op9p`t
o/posi+xf
opyright 19
 OQ2]V&
oub4v#
OW_of@
OX<7PU
/p3_k}8nj
(P43yd
P6 wG8
PathMatchSpecA
PBL"PT
pC`v#V
	, PF[!
Pf>?77=
p"H;3s
Pibly.ie'b
PKhcdw
#PL-(;=
#PL)xI
P	#NX}
>PPADD
pP.nns
PreviewPages4
{+p*ta
|PtEVU
ptfV?7
\ptx|\.
~pu1Pm
Pu(2,$5rH
^pup_b
pVAd@~/
pVN:]V	
_[q@*	
Q0H0AMGK
Qc4 f	f
,Qdt&3Q
Q#,GEQ
&Qh(sv
q`iaK,
/*QjDU+
Ql])ToQp
Q=M7j[
	Q)n/B
qoAJW:
q.(tl~
  qui*
.%Qwe@
Q --wj-la
q/>zw.
R`0nBZ
r$\0t	
#R6028
r6!ALK
r8<@DHr
r,9YIQ
R(B&xA
rdi2b.c: L
rE;C*n
RegFlushKey
?Reh>{
reof<8
r	F=Q'
RichEdi
"^(r k
R=	 l)
:#\rlP
,RLPIn
r: m.v1"
R*OoEq
r$P(?9
RPiOfQ
~RQO	]
rri   @*
RrTr  
R=s.`?
rs\etc\ho(s)B7
rwiqab
rXtR99
Ry%,=06
S2F?~&p
S3Y3d3p3
^S704 V
s8(`O4hH	
sctorgk
S_g	SP
shadu0070
SHELL32.dll
SHLWAPI.dll
si!9, %8
slgm q
sO;>|C;
	}s)t&
s}=t`C
-Svc0`Eie
*Sy*o&
s_ZDWQ}3K9
]?!!T_	~>|
-t,0tRC
T2X2h2
T#3b ;R
`t4=Ft
t5[	~`
T5`5l~@6
t8lBar%'
"t^9(uZ
t`['^A
Tab)@*>	O
$Ta#Bud$d
tActP1
.T:a*s>z
tb83oxM
t(bVjl
tCQu.4
.te_oB
')~t$F*E
!This program cannot be run in DOS mode.
Th spa
Th$s'We
t+\"Jj
TK0s(VS
_`_TNg
>=tO7a
>$T@p<
t	PAGX*
TPLD0( 
t*SWp7
ttp://
tUb$W{
TV`\WU
tw\E|"*
?T?X?h?
+u1s,J
ub.ab	f
U+B)W:
uHABSh
U.hU5R
ungpl|n
[=Upde%avmK
$	 UPVQ
UQPXY]
uRFGHt
USER32
USER32.dll
uT8HSE
Utd1KI
uvwxyz
/?U_$W
`Uw=N9
%_u[x4
V0B+C'
v1z1~1
V2LcN<
v44zGa 4
!Value
	v.a&)Z
^v-b4g
 ;$vbZ
`%v%C 
VC20XC00
V|EHVH
vf	_bi+
([V||h
%V{<(I
V^iabS"
'vICA6Z
VirtualAlloc
VirtualFree
VirtualProtect
 VisUC++ R
VJ.QkF/F/
V{oaSSQ
^V~OfU
v`~p,go
,&[vrH
v[^$SUVB<h0
-{$ vt
}.VT<Q
>VUSWY
@W02r221*23
W^2fxh
W 4$8i
w50o0y0
W		  8Q
was about o
WB`%;U
WFVvHe/
w	G5z$
wGP):@
?"WH6mX
<WHg+$$
W^iia$/x
WININET.dll
WINSPOOL.DRV
wLVSPH
	WnLeCJ$
WO`PQ8
 $W &p(
~&WPw	
wQ^6pW^
WRQ7>_
wsgwdnI13
WT8`}<j
~wtJ;8o
W:VJ:%
X`?{|}~
'XA!P;
/Xbdqw_3
X_b!j=
XCbFt+
XD+UPM
XD[X$h
=X@F^L
xiGtt4e
xijklm&pq
xj"	5X
xJPGI#
`XKtU?
xmlns="
x ^N._
x.NQ(L
xoa*iP
XPTPSW
xr@o[a
xt@H6&
X tnj=
|xtplhy
(_]Y`=
y09?EI
y840,(
y$B1ac
yC{8d,
y,Cdtv
yd`\XT
yeS`,M
YhgvN%
y.HLPD
Y:HTTP+
ylAu%y
/YM0p#]g]W#H
 YM[Z]6
 yotW. I
:y&q?	
y(Q50e
;yr1	7c
Yrix#.
YSTEMS
yv,BRP
yx\LH@
;\YY_wk*yX 
Y,ZN0Mt
z9f9l9r9z9
Z)>_(;B
zc:9H8
,Z%cdf5
&zIth<
.ziUPQ
zmJc `
{Zp~d2t