Analysis Date: 2014-04-08 18:37:22
MD5: a6f8f5f95a2c6ff9fc0ab7ac7e3641e3
SHA1: 4524dc05aea6d750c606da56287835e9522aab51

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text — md5: 2d20dbe5f500aba5668bef9792dc9bff sha1: 107b93ae8860e669738fd7f5ed23634ba10c15d3 size: 16384
Section .rdata — md5: 0990f6019bc8b3cbcb691cbcf9666c04 sha1: 20347285f8dcbe0a5f766d51ff2a89601c60a273 size: 4096
Section .data — md5: 77d52643d9ff9b42e394e15211382a66 sha1: 3b04d348d1a631384907c7aacb9a72e7375d7a4c size: 4096
Section .rsrc — md5: 016c777f6ce73f2b3266622567963fdf sha1: 6b419b7d61c361bbbaeeaee2a9ea2837d112b7b9 size: 4096
Timestamp (PE header compile time): 2011-03-18 01:47:07
Packer: Microsoft Visual C++ v6.0
PEhash: 6c5d6c0fc78a36428d6b54fa098bf03050f78614
IMPhash: e6823135baad6bfbd0a6bcae65f6530a
AV (avg): Downloader.Generic11.EVQ
AV (clamav): Win.Trojan.Downloader-3228
AV (avira): TR/Dldr.Small.aiina
AV (mcafee): Downloader-CMX

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\Software\ASD\STM ➝ 1396999404
(the written value has the form of a Unix-epoch timestamp close to the analysis date; the key path matches the "Software\ASD" string below)

Network Details:

DNS: yahoo.com.cn
Type: A
68.180.206.184
DNS: yahoo.com.cn
Type: A
98.139.102.145
DNS: 8475.770304123.cn
Type: A (no answer recorded)
HTTP POST: http://60.217.234.138/pl1.txt
User-Agent: (empty — the captured request below carries no User-Agent header at all)
Flows: TCP 192.168.1.1:1031 ➝ 60.217.234.138:80

Raw Pcap
0x00000000 (00000)   504f5354 202f706c 312e7478 74204854   POST /pl1.txt HT
0x00000010 (00016)   54502f31 2e310d0a 41636365 70743a20   TP/1.1..Accept: 
0x00000020 (00032)   2a2f2a0d 0a486f73 743a2036 302e3231   */*..Host: 60.21
0x00000030 (00048)   372e3233 342e3133 380d0a43 6f6e7465   7.234.138..Conte
0x00000040 (00064)   6e742d4c 656e6774 683a2030 0d0a436f   nt-Length: 0..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a204b65 65702d41   nnection: Keep-A
0x00000060 (00096)   6c697665 0d0a4361 6368652d 436f6e74   live..Cache-Cont
0x00000070 (00112)   726f6c3a 206e6f2d 63616368 650d0a0d   rol: no-cache...
0x00000080 (00128)   0a                                    .


Strings

 (C) 2005
@jjj
jjjjj
msupdate
 msupdate
msupdate 1.0 
 msupdate(&A)...
TODO: 
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z
1=><'>>9:9=8;:'jg
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
234.138/pl
8?:'jfd
9h-l=,
_access
_acmdln
_adjust_fdiv
ADVAPI32.dll
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
bn_&><
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
CloseHandle
_controlfp
?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
CreateEventA
CreateFileMappingA
CreateProcessA
__CxxFrameHandler
d$8Rh8c@
@.data
DDDDDD
DDDDDDDDD@
DDDDDDDDDDDDDD
DDDDDDDDDGpw
DeleteFileA
DeleteUrlCacheEntry
D$HRPj
__dllonexit
D$ UVWj
eoIJs(
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
_except_handler3
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
GDI32.dll
GetDiskFreeSpaceExA
GetLastError
__getmainargs
GetModuleHandleA
GetStartupInfoA
GetTempFileNameA
GetTempPathA
GetTextCharsetInfo
GetVolumeInformationA
GF;W^}
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
!G@*u4
HrCg@b	g 
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z
HTTP/1.0
HTTP/1.1
http://60.
HttpOpenRequestA
HttpQueryInfoA
HttpSendRequestA
InitializeSecurityDescriptor
_initterm
InternetCloseHandle
InternetConnectA
InternetCrackUrlA
InternetOpenA
InternetReadFile
InternetSetFilePointer
IQPh4a@
Iu#h a@
jPh<d@
kdjfir
KERNEL32.dll
kh`m|'jfd
L$<PQR
L$thHa@
L$XQSSP
[main]
memmove
MFC42.DLL
msndown
MSVCP60.dll
MSVCRT.dll
NefkheU<>8HM==1$8O?0$=>m<$HLJ8$M<LH;;:==90K
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
_onexit
OpenMutexA
__p__commode
__p__fmode
phaff'jfd'jg
QVhLa@
`.rdata
RegCloseKey
RegCreateKeyA
RegSetValueExA
__set_app_type
_setmbcp
SetSecurityDescriptorDacl
__setusermatherr
Software\ASD
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
sprintf
%s%s%s%s
strchr
strstr
!This program cannot be run in DOS mode.
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
/?&uid=
UnlockFile
VRQUPS
WaitForSingleObject
WININET.dll
WS2_32.dll
wwwwww
wwwwwwwwwwwwww
_XcptFilter
?_Xlen@std@@YAXXZ
?_Xran@std@@YAXXZ