Analysis Date: 2013-12-14 01:12:25
MD5: 413d4230ee1bf46b102c356cd07ff627
SHA1: 4b56d7fc5aac103660bc406a02a4659097bac799

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1: md5: 8c5a25ea321e5a1bfa86d4cb7258e444 sha1: fea830edc74ea47fca79d3f74dc0a57ab997c7f0 size: 177664
Section .rsrc: md5: 5b4c3abbdcfae02002406760c7432712 sha1: 8ceea88dae426aec5b1a86aef27c99b9938923a5 size: 512
Timestamp: 2012-04-04 03:32:42
Packer: UPX -> www.upx.sourceforge.net
PEhash: c8e405e2d686d79a0eae5d14f513ee30b06c1213
AV (avg): Worm/Generic2.BLRH
AV (avira): BDS/Backdoor.Gen
AV (mcafee): W32/Generic.worm!p2p
AV (msse): Worm:Win32/Ainslot.A

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\INSTALL\DATE\HCI0ZV6WMI ➝
December 14, 2013\\x00
Registry: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID\ID\HCI0ZV6WMI ➝
OwnipNew6\\x00
Creates File: C:\Documents and Settings\Administrator\Application Data\OwnipNew6.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\BlackShades
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\AsyncSelectHlp
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\OwnipNew6.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\OwnipNew6.exe:*:Enabled:Windows Messanger" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Creates Mutex: HCI0ZV6WMI

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions ➝
NULL

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions ➝
NULL

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\\malware.exe ➝
C:\\malware.exe:*:Enabled:Windows Messanger\\x00

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\OwnipNew6.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\OwnipNew6.exe:*:Enabled:Windows Messanger" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\OwnipNew6.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\OwnipNew6.exe:*:Enabled:Windows Messanger" /f

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\OwnipNew6.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\OwnipNew6.exe:*:Enabled:Windows Messanger" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Application Data\OwnipNew6.exe ➝
C:\Documents and Settings\Administrator\Application Data\OwnipNew6.exe:*:Enabled:Windows Messanger\\x00

Network Details:

Flows TCP: 192.168.1.1:1032 ➝ 82.173.166.22:4020
Flows TCP: 192.168.1.1:1032 ➝ 82.173.166.22:4020
Flows TCP: 192.168.1.1:1035 ➝ 82.173.166.22:4020
Flows TCP: 192.168.1.1:1036 ➝ 182.173.166.22:4020

Raw Pcap

Strings
PERS
SETTINGS
>:&<"~
\*	&<.
&.$0$<
0333xphZRJ<
035`7P
 )0+9z
)!0-c@
~0~%D&=
&]*0Db
-0@gAB
0JCa!0JF
0|@&ph
0r(If8
0TP@@:
0{Y2xDNf
15dF8F91A
1c2->~
1`DA-P
1DlFun)h
1EtDt}K
1?e:-VS
1i*S]hPf\X&
1LOiph4H
1v2$&U
1-@y!`
=-= >2
2!<<2!
'22I\dV
27OnQui
]2UiZn
]2X!LS
32EDE121D9E2F062D2BD
368949C0&
3l/AAC
3q~%_d_
3ra`%!$W.
3y\.i.
}4`>@,
4444\r
%&'()*456789:
47G x \r
4%9Mau
4G KTN
4H4sg%
4ulng#
501EA33{:9~
?5274@\
5;4Q`J*
5566\r
5Async?PWs
?5bG`2
5HBITMAP
5:o`?%
/65%Gu.
6ENC^fAD
6[lhe0
6rwt&9
6t\V+M
6V2Ziz<p]
7033413A647A4B6739316C4F5
774NE55*
7777\r
78jdjA
--[7b`
7J:RzE
.=7Kajt8
.,|7VL4c1]
7X*JAO{
8>0$y*
83(9}R@
8(4nOhg
8@d$>	
>.8DkM
8@d[%L.	G
8l>Z'6
8Pdxt>
8thPG2
8UJu;HwQ(k
8Wlp")
'92_pC@
9999\r
+\%],-9b
9\BBN2d
)9(pDn+
&9%'$$se\2
a4.U}N
Acce+_q
ACEBOOK_START
AddMsgd@Nf
AddRef
AdjuFPjN
adyStvie|
afWmZv
Agt&x(&Rp
a%Hpj0
ais{pQ
A^-	|J{
a+#:]{k3
a"l8(qZ
A\L$o?t5
alUpda
"_Am!^8
Aom	}?F
A)ox^=
a`Q6*5
+a:ScanLzU[7
Audio.
awuois=
#]=		(b
<*B <(
B5C5*14
b70&hu
b86mswin ?
B8lTBn\
bCECR@
bcpq4ksxj9
Bd"Cig
BiQ9bG=C
BJ$l#)
:*'/bk
&bRLw7z``
brmm6 
bss_ser'
.B!@${T,
BtKill
bV$wN$N$
B_%y7"
by.ToPlPTP
C3dhgh'4
&c3Q[PIY
C5(IP0plN
;]C9HYH.
CallBaK
%capGp
CDEFGHIJSTUVWXYZcdefg
-CF1Gwk
C<F6E4ZF7C8
cG {Ik
/Chat'?
&`CLA%
ClifSteamGook
Cog	b;
+C	=Oo
C:\Prog
CrypcImage'
cSubClHi
,`Cu>@Po
[cv4=bGa
"D2*M3k
#D~7nn
DAd<m$
dd4418y>
ddTd2!
ddTMs!
d@F08H
df"FC^YO
+d@Fvg
-DG=B \
D(I\ov
d|lhNGZd
,<DLX`
/.D'm!
dmfg(DN.
 D:o 3
 D;OkT
&Dq@GZ
Dr*"9z5
DragQueryA(
\d(#t\.
/\dT4J
d@ttA#/
<DVG2 'C|@H
dWvffn@<,
d@XN\]
E4:|	"=
ect?Torre
EFB$9$x
E\FwPN
E/L7o[K
`=EL`T
elXaX6A
eOc3f=
"EODl@#
EVENT_SINK_Ge
EV?L_]
Exd@f/
ExitProcess
f4rHgA
f84>jd
^>FeFM
F> FDDd
	fh2x!j
f_h'n;
 Files (x86)\Mic*sof
fip4^!
(|f^`l
$,FLLe
#)$<Fo0
f(?|&^P
frame.dl
FrBf>x
frmMain
fS~ijnG8]D
f Sr7X
:Ft]:/
f>wH;&
fz@]y>
/g0D+k
G3#hKX
Ge&_. 
GetProcAddress
ghDCGW
GSdWK>U
gTIOcm%:
GVHN1/
gwbAuz
g!W!C,0
gWdglvt
G(.WGcS
_Gw{.p
(GWSOCK
!gz47j
h7jPEx
h9/U@0
+h#B1d
HD@<84
Hd&Bzx\
heInvokeV
hfUYln_2v1X4L;
h' #FX
H`-G{a
` hGed /X 
/(H@KA
HO^T)M
hr (> 
~hun>x
@HvLD0
#i8ddp
icalDr
]i*cdak
ICK_DELAF
ICk)S%
i.dhpA
\.i.f^
ifhpdc
i", fV
ifyuw96
iIM/Ev
iMgi#.
InfoTO
}j08)A
j61 D 
j72HTG
JaSBlj(
.jaWdv $_
$j$`<M
JQ:[pva
JS<t8/H)
JUpK'|
Jw/UB8
jx(V%M
J:'Z9%
K]>1h-
`(]!Kb
KERNEL32.DLL
}Kf'd|[U
k+i."#k
@@Kjka)
kkW\8fI
kNi0h D
@:kR/E
\Ku/?+)
|*}<kV
kx3 L,
Kyr2;J
l;<<2!
 L<550C
L5DDHLX
[l/5GkD
&l6P|`
LD'0/w(
lE.4TM83
LGVB0C
:lkj;V
l=n"j0
l-n/on
LoadLibraryA
lobalAl
loseHand 
Lp-&&/
Lus:1]K_
l&XTCI
Lyv(BU
(L>Zero
m6w	-T}P
,'M.9z
maxL8&
 MBWhn
!!m"\D*
MDgBvty\
^mh2ZG
m)h.=f
^__^Mkok$P
mm9UCn
	mMl%6`
mnK{Vf
modFuc
mr{0/_.
m?RS`curity
MSP@dd
MS SaX
\msvbvm6
MSVBVM60
MSVBVM60.DLL
|m{UN	
:\.)mV6
mVBA6T
M&Xu%:]
@n0Nu&pp
N' 2*:
"N2]F|
n4!KKO
N99yFD
N9Wbo@i
na+,{qi
nCeOTok
niffOS4
n+PS*/T
NSREjZ
NTDLL>
N&u^8uFWM
N:'`XSrJ
$N{ZdT
*O8^.N
OafoPx0z
-obh.&
O,BUnh
oCHAT_ADDMSG<R%<
#od^>_
O@:<F(4
ofO8V\
$O(jX$
O(M2G#2
$$$##ONn
Oo'fB'
<ooJ)ZEkwVD[
{#OPHD
os#+Om
=O\TL>`
ovbv)#v"
oW.TB-0W
^&OX	`
 @P`@``
P/~4`h
]pA(la
?(pbCX
pb>Mkb
P-_d/^
picThumb
^;'PN&
PnXhY9]
)pP&,.
pp0Mj*In
PRINT_
&PYp!G
pz7\X5U
pzb7_F
QabIjc
":=~qH
q$%:%m
$`$~QM
q$nUHVS
\@Q*[P
queezer
Q<vJr0
!#R_`"
`r4B`h
R?4'%j
raTagd`'
rAUb9]^9t]:
r!C2@@@
RC EwF
rI/lN(0
rIsR$9g%
rJvj_V
RK-ew11
R#ONFX
;Rq1?Da
rR5xE=C@
'rr/p!
 R;Wyw
,(r%'y
RyppT0~T
S73&93u
]s 8^Zh
scii'hd
SCMand
s:.cpV
Screensho
sEPP*/F
SER_FB
`?S&g{
SHDVVwCtlm
\sh\ner
.s/JoPMX
s'MDD@
Socket
>spu"G
/SrcLef]
="SsOS
STRUCTIO
stV&y<
:\SysWOW64\
!t=;[?
T4gzF>
TaenmP(
tB?Empty
,TbrhtP+
@>TBy)
t[d/O<p
TEgw *
tgd@n_f
!This program cannot be run in DOS mode.
tHMt(-
tjfbbl
:;tkEe}
tmrLivLogg+
],t~ n
t@''#O
`tPp=+7Z
*t\\rm
':'tThK
T'uVtH
t Visual Stz\\98X
t<#X6[k
uC#;j"R
Ud4mFL
U$F(U<s
#U|iWk
UrlCache
>URLDVnl
 usiid
VarP/*S
__vba4[
v.Bf&|
vBIV9*O
vbjd^k+H
vF`l<8
vf`M1P
VirtualAlloc
VirtualFree
VirtualProtect
voG2Ap
v$qTh_N
Vr ]&Y
vssPATH_WINLOGON
VUc!V_0
VV_\X~
+?vWJ.
w&0"48
W-#2 '
W5'4G?
w /8Jr
W9j`#>
wapMo~#
wCzk_G
W~ebBrow
_WebHide
wflX[}
wIo6IR1/
":Wk_U
^)w*n]
Wo!{$p#sD
,w Px"'
w suZM
(w*t.,
WWQwpi4rO
wYDXt\
\ ^>'X
@:~X0J
X2:Y ,
X7}k%F
x&a_ew
XCCdC3
}\xEm>
-xF6I zg
XGW5,bk
/X#'ht
X'j'b3
XJB:^j:
<x$J{f
XL2 'ltd
xlh^NJ5
XPTPSW
`\XT,0
xt.&l&N(qw
XT,P6`8
xu5sx4
XW"w!#
.`XXd`
_Y>0;_
!Y3ZV5|
Y4U84Q
+"yAmIi
Y?*]GP
yGrabbOg	V
Y@J\cD.l
YP+:S@X
yrrrt@
y($tSd #
-+Y-V/
yW@- G!0
YX"")fv.
YXF?xw
Z2EQ #
z2**Nx
Z|+:4	
ZCP+LP
Z.@g)h
<@Z?kZ
z) Q5d
zTim[?Sh
Z$}tw3
.Z_/x|x