Analysis Date: 2014-09-11 21:50:04
MD5: a3826166a33748b3c6d6c3aeb6bc56e0
SHA1: 4a529faae411dacf5601d8f369174aa4ad79447f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 87e6f5297088bee5465900427f008173 sha1: 6db6d347c89e9f11e5b27cf5c53669e0bd0656d4 size: 6144
Section .data md5: f1ab2370a364765cc01820a3d76a41eb sha1: a4d996a9b0fb0dd7596ff39134925b46637b7774 size: 2048
Section .rdata md5: 01462bbaa54d603bfa3454feccb63fd6 sha1: 3644b510638233ef5a7a8412f53612d28c36dd85 size: 2560
Section .idata md5: c172974ed6f2dd740abed3a81271b941 sha1: bdd328d3ed06a1f8139fb1d4caf29c748da1580d size: 1536
Section .rsrc md5: adc39a152be102eb7a041e991a6d202c sha1: 76189e9a0c3b080a0c8dcac8bfa0acf0dcd1001a size: 5120
Timestamp: 2004-05-20 06:02:07
PEhash: ab3674385af7a5984f7df04190fe4c06034fcd66
IMPhash: 641a435995118d1e23b199af0b58ecfd

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe
Creates File: PIPE\wkssvc
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: findlawenforcement.com
Winsock DNS: perfectablets.com

Network Details:

DNS: findlawenforcement.com
Type: A
104.28.16.41
DNS: findlawenforcement.com
Type: A
104.28.17.41
DNS: perfectablets.com
Type: A
200.74.243.155
Flows TCP: 192.168.1.1:1031 ➝ 104.28.16.41:443
Flows TCP: 192.168.1.1:1032 ➝ 104.28.16.41:443
Flows TCP: 192.168.1.1:1033 ➝ 104.28.16.41:443
Flows TCP: 192.168.1.1:1034 ➝ 104.28.16.41:443
Flows TCP: 192.168.1.1:1035 ➝ 200.74.243.155:443
Flows TCP: 192.168.1.1:1036 ➝ 200.74.243.155:443

Raw Pcap
0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.


Strings

Cancel
C:\Documents and Settings\cp\Desktop\document\To All Employees 2014.exe
E&xit
&File
&Help
MS Shell Dlg
&New 
~~~~~~~~
*++++++(,-.//,0 1234256++++++78
22222222222222222222222222222222222222222222222222222222222222222222222222222222
-2NO ;;; PQRS
3eLp,lWoN
7oLd7iMrLrdEcA
7oLd.u]sZr,
9T`aaa
9TTTTT
A1d5e#[YGGGGGGfgQ_	
;      (<=>?@<->A@BA@C<     * DE
</assembly>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
BeginPaint
bGGGGGGHIW^c[Z
BiYmX.OlW
 b +/o
CheckMenuItem
CloseClipboard
CreateCaret
CreateDirectoryW
CreateMenu
DestroyCaret
Eh1^1g
EmptyClipboard
EnableMenuItem
/eQWTnOobP]oNA
ExitProcess
F]ePLTb]a]y
#F=FFFFF
FFFFFFF
FFFF=FFFFFF
FFFFFFFFFF=
FFFFFFFFFFF
FindWindowA
fl?8Z`et
FlashWindow
GetClientRect
GetClipboardData
GetClipboardOwner
GetCursorPos
GetKeyboardLayout
GetKeyboardState
GetMessageA
GetMessageTime
GetModuleHandleA
GetScrollInfo
GetSystemMenu
G;;;;;;HI
GlobalLock
GlobalUnlock
GPt;rZc,dOrPs^
HeapAlloc
HideCaret
HPa[C]eLtP
.idata
iGGGGGUjkXclcVmmnfodpqrUGUGGUfsQtu	
}iiiiiii~
InvalidateRect
IsBadReadPtr
IsWindow
IsZoomed
J1KL-5M@5M
kernel32.dll
LJ fw'
LoadIconA
MessageBoxIndirectA
MsgWaitForMultipleObjects
;o^t<uTt8e^sLgP
PostMessageA
.rdata
RegisterClassA
RegisterClipboardFormatA
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
      <requestedPrivileges>
;R:F?O=
?rLn^lLtPMPs^aRe
.rPa_eBiYdZw0x,
rPcZrO ]eN
ScreenToClient
    </security>
    <security>
SetCaretPos
SetClassLongA
SetClipboardData
SetKeyboardState
SetScrollInfo
SetWindowPos
SetWindowTextA
ShowCaret
S`n>hTnP
!This program cannot be run in DOS mode.
ToAsciiEx
ToUnicodeEx
TrackPopupMenu
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
ttttFFFFFFFFFFFF
	||||	u
U;;;;;;HVW0XYZ0[\]5AX^HO;;;;O;[Q_
user32.dll
VPjkrZ
W'fl:;E`YtU
WinHelpA
wUUUUUUUjxrUrjyyzrrzorUUUUUUUfs{F
XcTSPnOS_rTnRA
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>