Analysis Date: 2015-09-10 15:20:18
MD5: c67cb93abe1756f093e33b4406fbab32
SHA1: 49a7b6c9f8deba3085f364082b912fbf98f25a60

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 9e9a05750601cf68fe6bca21ead4f415 sha1: a5819973cdef62395ab4834cd6df29450b127072 size: 188928
Section .rdata: md5: 6840e6f20fc63e18ad1326a580df691a sha1: 6661ca95db0769ab90a8b2d46fccb8c303144af0 size: 2048
Section .data: md5: 089f04628566b205c233a52f3255ac6f sha1: ccb484baad3c711f75e6a7673c12291de58de7d7 size: 123392
Section .rsrc: md5: edacd7f5700365a50b693da3acafab47 sha1: f62171c8b1843fef1bab75c1d2a485b866096982 size: 5120
Timestamp: 1970-01-05 22:49:42
PEhash: c8c8db23c909eff83d72713b361e6741d64cee05
IMPhash: b3fb08000bf2c73a4d021514861a66a8
AV Ad-Aware: Gen:Heur.Cridex.2
AV Grisoft (avg): FakeAlert.AAS
AV CAT (quickheal): FraudTool.Security
AV Ikarus: Trojan.Win32.Pakes
AV Avira (antivir): TR/FakeAV.btxt.7
AV K7: Trojan ( 001e60c61 )
AV ClamAV: no_virus
AV Kaspersky: Hoax.Win32.FlashApp.a
AV Arcabit (arcavir): Gen:Heur.Cridex.2
AV MalwareBytes: Trojan.Agent
AV Dr. Web: Trojan.Fakealert.20556
AV Mcafee: Generic FakeAlert.amb
AV BitDefender: Gen:Heur.Cridex.2
AV Microsoft Security Essentials: Rogue:Win32/Winwebsec
AV Emsisoft: Gen:Heur.Cridex.2
AV MicroWorld (escan): Gen:Heur.Cridex.2
AV Alwil (avast): MalOb-FY [Cryp]
AV Padvish: no_virus
AV Eset (nod32): Win32/Kryptik.MBU
AV Rising: Trojan.FakeAV!49B1
AV BullGuard: Gen:Heur.Cridex.2
AV Fortinet: W32/FakeAlert.AMB!tr
AV Symantec: Trojan.FakeAV!gen39
AV Authentium: W32/FakeAlert.LY.gen!Eldorado
AV Trend Micro: TROJ_FAKEAV.SMID
AV Frisk (f-prot): W32/FakeAlert.LY.gen!Eldorado
AV Twister: Trojan.558BEC81C4@12FFFF.mg
AV CA (E-Trust Ino): Win32/Diple.A!generic
AV VirusBlokAda (vba32): SScope.Malware-Cryptor.Maxplus.0997
AV F-Secure: Gen:Heur.Cridex.2
AV Zillya!: Trojan.Kryptik.Win32.278547

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\49a7b6c9f8deba3085f364082b912fbf98f25a60
Creates File: C:\Documents and Settings\All Users\Application Data\iLaClEfJiDi13400\iLaClEfJiDi13400.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\a2E10.tmp
Deletes File: C:\49a7b6c9f8deba3085f364082b912fbf98f25a60
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\aD859.tmp"
Creates Process: "C:\Documents and Settings\All Users\Application Data\iLaClEfJiDi13400\iLaClEfJiDi13400.exe" "C:\malware.exe"
Creates Mutex: Don't stop me! I need some money!

Process
↳ "C:\Documents and Settings\All Users\Application Data\iLaClEfJiDi13400\iLaClEfJiDi13400.exe" "C:\malware.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iLaClEfJiDi13400 ➝ C:\Documents and Settings\All Users\Application Data\iLaClEfJiDi13400\iLaClEfJiDi13400.exe\\x00
Creates File: C:\Documents and Settings\All Users\Application Data\iLaClEfJiDi13400\iLaClEfJiDi13400
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: Don't stop me! I give work and money for you!
Winsock DNS: 69.50.195.77

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\aD859.tmp"

Network Details:

HTTP GET: http://194.28.113.214/lurl.php?affid=13400
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB0.0; .NET CLR 1.1.4322)
HTTP POST: http://69.50.195.77/i.php?affid=13400&v=2
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB0.0; .NET CLR 1.1.4322)
Flows TCP: 192.168.1.1:1031 ➝ 194.28.113.214:80
Flows TCP: 192.168.1.1:1031 ➝ 194.28.113.214:80
Flows TCP: 192.168.1.1:1032 ➝ 69.50.195.77:80
