Analysis Date: 2014-09-06 19:49:07
MD5: 8fd8f6cdb8d3595af2657a010f954611
SHA1: 49e6a375e077c50c5be106d6b3e18c434940c5fa

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
SectionUPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
SectionUPX1 md5: 2cd9b81697eadbcb6244a89629f0e4a5 sha1: fb7b4c43a759163ac1e7be41fad5ae7a11eaa095 size: 44544
SectionUPX2 md5: 6ee1402edcc0ca9f30a6db475299a62e sha1: c6c8b065e8a85868c3ec701a5b359eaaebbd2acc size: 512
Timestamp: 2004-03-19 08:58:54
Packer: UPX -> www.upx.sourceforge.net
PEhash: 8d05c2cd1acabbc4a48d568ba8752fadbf8359a4
IMPhash: c7ecd1a0a4200634e300116dcad86d0d

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates FileC:\WINDOWS\system32\msgfixed.exe
Creates ProcessC:\WINDOWS\system32\msgfixed.exe
Creates Mutexjop

Process
↳ C:\WINDOWS\system32\msgfixed.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Msg Fixage ➝
msgfixed.exe\\x00\\x00
RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Msg Fixage ➝
msgfixed.exe\\x00\\x00
RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Msg Fixage ➝
msgfixed.exe\\x00\\x00
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates Mutexjop

Network Details:

DNSirc.abjects.net
Type: A
195.154.6.113
DNSirc.abjects.net
Type: A
37.59.41.117
DNSirc.abjects.net
Type: A
37.59.60.133
DNSirc.abjects.net
Type: A
62.210.211.122
DNSirc.abjects.net
Type: A
91.217.189.77
DNSirc.abjects.net
Type: A
94.23.42.81
DNSirc.abjects.net
Type: A
192.186.136.206
DNSirc.abjects.net
Type: A
192.241.89.206
DNSr0x.myvnc.com
Type: A
DNSirc.freshirc.com
Type: A
Flows TCP192.168.1.1:1031 ➝ 195.154.6.113:6667
Flows TCP192.168.1.1:1033 ➝ 195.154.6.113:6667
Flows TCP192.168.1.1:1034 ➝ 195.154.6.113:6667
Flows TCP192.168.1.1:1035 ➝ 195.154.6.113:6667
Flows TCP192.168.1.1:1036 ➝ 195.154.6.113:6667
Flows TCP192.168.1.1:1037 ➝ 195.154.6.113:6667
Flows TCP192.168.1.1:1038 ➝ 195.154.6.113:6667
Flows TCP192.168.1.1:1039 ➝ 195.154.6.113:6667
Flows TCP192.168.1.1:1040 ➝ 195.154.6.113:6667
Flows TCP192.168.1.1:1041 ➝ 195.154.6.113:6667
Flows TCP192.168.1.1:1042 ➝ 195.154.6.113:6667
Flows TCP192.168.1.1:1044 ➝ 195.154.6.113:6667
Flows TCP192.168.1.1:1045 ➝ 195.154.6.113:6667

Raw Pcap
0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d383438   NICK [KuanG]-848
0x00000010 (00016)   39363332 35300d0a 55534552 205b4b75   963250..USER [Ku
0x00000020 (00032)   616e475d 2d313635 37383436 32312030   anG]-165784621 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 38343839    0 :[KuanG]-8489
0x00000040 (00064)   36333235 300d0a                       63250..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d353038   NICK [KuanG]-508
0x00000010 (00016)   33363333 38350d0a 55534552 205b4b75   363385..USER [Ku
0x00000020 (00032)   616e475d 2d343636 34353832 37352030   anG]-466458275 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 35303833    0 :[KuanG]-5083
0x00000040 (00064)   36333338 350d0a                       63385..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d313237   NICK [KuanG]-127
0x00000010 (00016)   30343737 33380d0a 55534552 205b4b75   047738..USER [Ku
0x00000020 (00032)   616e475d 2d333632 37373931 35392030   anG]-362779159 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 31323730    0 :[KuanG]-1270
0x00000040 (00064)   34373733 380d0a                       47738..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d343238   NICK [KuanG]-428
0x00000010 (00016)   38313133 38300d0a 55534552 205b4b75   811380..USER [Ku
0x00000020 (00032)   616e475d 2d343238 38313133 38302030   anG]-428811380 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 34323838    0 :[KuanG]-4288
0x00000040 (00064)   31313338 300d0a                       11380..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d333033   NICK [KuanG]-303
0x00000010 (00016)   31333432 36360d0a 55534552 205b4b75   134266..USER [Ku
0x00000020 (00032)   616e475d 2d323732 33323733 32362030   anG]-272327326 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 33303331    0 :[KuanG]-3031
0x00000040 (00064)   33343236 360d0a                       34266..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d373333   NICK [KuanG]-733
0x00000010 (00016)   39313838 30390d0a 55534552 205b4b75   918809..USER [Ku
0x00000020 (00032)   616e475d 2d363933 30303139 37392030   anG]-693001979 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 37333339    0 :[KuanG]-7339
0x00000040 (00064)   31383830 390d0a                       18809..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d303334   NICK [KuanG]-034
0x00000010 (00016)   38383334 35310d0a 55534552 205b4b75   883451..USER [Ku
0x00000020 (00032)   616e475d 2d323738 33323437 35352030   anG]-278324755 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 30333438    0 :[KuanG]-0348
0x00000040 (00064)   38333435 310d0a                       83451..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d383738   NICK [KuanG]-878
0x00000010 (00016)   33393831 30370d0a 55534552 205b4b75   398107..USER [Ku
0x00000020 (00032)   616e475d 2d383738 33393831 30372030   anG]-878398107 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 38373833    0 :[KuanG]-8783
0x00000040 (00064)   39383130 370d0a                       98107..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d323330   NICK [KuanG]-230
0x00000010 (00016)   39383838 36300d0a 55534552 205b4b75   988860..USER [Ku
0x00000020 (00032)   616e475d 2d313039 31373337 35392030   anG]-109173759 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 32333039    0 :[KuanG]-2309
0x00000040 (00064)   38383836 300d0a                       88860..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d373030   NICK [KuanG]-700
0x00000010 (00016)   38343733 30320d0a 55534552 205b4b75   847302..USER [Ku
0x00000020 (00032)   616e475d 2d393433 35373836 39332030   anG]-943578693 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 37303038    0 :[KuanG]-7008
0x00000040 (00064)   34373330 320d0a                       47302..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d343832   NICK [KuanG]-482
0x00000010 (00016)   31303737 30360d0a 55534552 205b4b75   107706..USER [Ku
0x00000020 (00032)   616e475d 2d333431 33383236 39352030   anG]-341382695 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 34383231    0 :[KuanG]-4821
0x00000040 (00064)   30373730 360d0a                       07706..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d383832   NICK [KuanG]-882
0x00000010 (00016)   39373133 35380d0a 55534552 205b4b75   971358..USER [Ku
0x00000020 (00032)   616e475d 2d383832 39373133 35382030   anG]-882971358 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 38383239    0 :[KuanG]-8829
0x00000040 (00064)   37313335 380d0a                       71358..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d333833   NICK [KuanG]-383
0x00000010 (00016)   36343539 30320d0a 55534552 205b4b75   645902..USER [Ku
0x00000020 (00032)   616e475d 2d353437 33383731 32342030   anG]-547387124 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 33383336    0 :[KuanG]-3836
0x00000040 (00064)   34353930 320d0a                       45902..


Strings
..
W
.zc1
..
W
.zc1

1jjl_8
!1Uqio
(3|$~[r
@4gbc|C2
4Z^{gB{
5MnIH|#
9KW6.'m
9l$\w_
ADVAPI32.dll
aFiC	=
ap#dQ;
?.Bgp\JR
\<#>BM
bo#az)1
<BY	-%
cFY	5G
C+Qa'6
.)D$H)
D$t+D$\
D$t#D$h
Ee;j<2
&eFKKb
+ekq=-
ExitProcess
FFShnW
FindWindowA
FK'T1D
 G8i!:
GetProcAddress
Gr(t,g
h)akOE
IJ4KAy
InternetOpenA
J,[ I.D
Jyp8 V
	<k1nt
KERNEL32.DLL
L7R`c}
lA^Q;]]G
|`l}@d
~lk+9b7
LoadLibraryA
LpGrr7
/lu.XA{
M,f|)<
M#FcF|
mlIiSO
MPR.dll
%(N**5q
nCK(b$
-Pc^&-w
)"$*p<Z
qL<A<""
QU)K3u7cE
_R(2c- 
RegCloseKey
{RhF7W
S1n^Pa
s3nFlzC
SHELL32.dll
ShellExecuteA
s`)L$4
SZE:1i_
!This program cannot be run in DOS mode.
^.TIE93
{TnAf`
t$t#t$l
,	&[`U
USER32.dll
Uw\f9AYO
?{V8=q
VirtualAlloc
VirtualFree
VirtualProtect
vksH#$
%VmR|x
v,SG9It
WININET.dll
Wi	*;_w
wiX0&P
WNetAddConnection2A
WQg<AY
wroe"e/
WS2_32.dll
X_gw5;
XPTPSW
Y4Xce/
Yl>9Zq
/;|yq*
yWw3(2
Z&a\k-
z,B]R$
Zn4'h]