Analysis Date: 2014-06-20 04:27:17
MD5: f6934e99353e0b6b9ef6a0099c2b75cb
SHA1: 54fa4c4dfea624c31e29a78db336180febd9d30e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386
Section .text md5: 3c969f44372ad1d176f8ad94dc797d1a sha1: 4315a109997cde349230099f3c6550e8ac6c0b3a size: 196608
Section .rdata md5: 8499ac67cf91b7e6b6ce34d8cb1097ae sha1: ee4653a62fa541412828347c441314d7d7f4392f size: 2048
Section .data md5: caa940ed8aa75048f45ffa3dc7f55dac sha1: 4a92f5e002717b061134707178c1b61e6c00e9da size: 17920
Section .tls md5: 18a94346bad4067180ab5e8aa30cb3d2 sha1: c59aa79c66803477ba070a65cfa6704001e458ed size: 512
Note: the presence of a .tls section means TLS callbacks may run before the entry point; check it for anti-debug or anti-sandbox code before debugging from the entry point.
Timestamp: 2005-11-02 06:43:50 (PE header compile timestamp; this field is attacker-controlled and predates the analysis by almost nine years, so do not rely on it to date the sample)
Version PrivateBuild: 1481
PEhash: 68af1ded81abf2f2637fd54aa0a79d8dcda03ea8
IMPhash: 88de8f22bad6132a380a21835cdaa638

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Note: the `Windows\Load` value is a user-logon persistence location (whatever it names is launched at logon), so this is how the dropped copy survives a reboot. The file name csrss.exe mimics the legitimate Client/Server Runtime Subsystem binary, which lives in %SystemRoot%\System32 and never in a user's Temp directory; the path, not the name, is the indicator to hunt on.
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Note: conhost.exe and dwm.exe are, like csrss.exe, names of legitimate Windows binaries (Console Window Host, Desktop Window Manager) that normally reside in System32; copies under Application Data are suspicious by location alone. The `start<path>%<dir>` arguments appear to be a private command-line convention the sample uses to launch its own copies — confirm by examining the argument parsing. `\Device\Afd\Endpoint` is the Winsock socket device, i.e. socket creation; the `PIPE\lsarpc` open is probably incidental to a system API call rather than direct LSA interaction, but verify.
Creates Mutex: {4D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {EEEB680D-AE62-4375-B93E-E9AE5FF585C1}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Note: WininetConnectionMutex and the three `c:!…!` mutexes (a cache-container path with `\` replaced by `!`) appear to be created by WinINet itself whenever it is used, so they are not sample-specific. The four GUID-style mutexes are candidate host-based indicators, but check them against a clean baseline first, since some GUID mutexes are also created by OS components.
Winsock DNS: pdasoftstorage.com
Winsock DNS: folusho.com
Winsock DNS: 127.0.0.1
Winsock DNS: happyaladdin.com
Note: a name lookup for the literal address 127.0.0.1 is unusual; it may be a connectivity or analysis-environment check, but nothing here confirms that.

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates ProcessC:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates ProcessC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Network Details:

DNS: folusho.com
Type: A
67.222.55.143
DNS: zonetf.com
Type: A
208.73.211.174
DNS: zonetf.com
Type: A
208.73.211.163
DNS: zonetf.com
Type: A
208.73.211.242
DNS: zonetf.com
Type: A
208.73.211.193
DNS: zonetf.com
Type: A
208.73.211.175
DNS: zonetf.com
Type: A
208.73.211.175
DNS: zonetf.com
Type: A
208.73.211.174
DNS: zonetf.com
Type: A
208.73.211.163
DNS: zonetf.com
Type: A
208.73.211.242
DNS: zonetf.com
Type: A
208.73.211.193
DNS: happyaladdin.com
Type: A
(no answer recorded)
DNS: pdasoftstorage.com
Type: A
(no answer recorded)
Note: zonetf.com resolved to five distinct addresses in 208.73.211.0/24 (.163, .174, .175, .193, .242) across repeated queries, so block on the domain rather than a single address. happyaladdin.com and pdasoftstorage.com returned no A record during this run; they may be fallback domains that were unregistered or unresolvable at analysis time, and no traffic to them appears below.
HTTP GET: http://folusho.com/wp-content/uploads/2010/09/web-20-what-is-300x251.jpg?v44=63&tq=gKZEtzy4%2FFWpLB%2BVaizxYziCG%2B6QhkqY%2BssB5cCROG%2FhHlKOYpfyHOWTPzoZHqvG%2FLthrPQzDa02pXqLNK4rOihghOm13SMraagtYO5Gkm9S5AmyAwGE0XJTE37K5FKvYAMOKCDy6Vgb%2FHHt7BSmDUYS%2FVvCUrv6Bm5qHS4gNMn7CVUjElj3BCVHcQLESrF0dzwqYng2l2aZMRV8kFBh3IJZhSV35uUGzQ43FpCdJ5%2FdjkTfjJ1KtP7wXAYFSbjWNkZ3W%2Fm%2BD9guQ2U2JYGcq%2Bz0GFZVlb6NxYcUTSU%2FZrE2bujoeb894%2B6N1HiP6VhUoUI1DJVKUr0cL1Fdp5gXd3Wjtu6bYyhR6%2FlCvNwF7k3IqyE9zb5RiQSe3jqhJaAuuC8ifFtaY%2FVi%2BOnxEoPTPyzmZO5JT0JSOEU%2FbaVwxjWTQw2fkJrFsEDjbWv7%2FoBlgu1Ar0uuQ5DBoB6wbmTPBvJ%2BH
User-Agent: mozilla/2.0
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNtX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNtX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJsX%2BSNzVKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows TCP: 192.168.1.1:1031 ➝ 67.222.55.143:80
Flows TCP: 192.168.1.1:1033 ➝ 208.73.211.174:80
Flows TCP: 192.168.1.1:1034 ➝ 208.73.211.175:80
Note: the GET targets a path under /wp-content/uploads/, a WordPress upload directory, which suggests folusho.com is a compromised WordPress site rather than attacker-registered infrastructure (unconfirmed). The `tq=` values are URL-encoded base64-like data (`%2F`, `%2B`, `%3D` are `/`, `+`, `=`); the two POST blobs share an identical prefix up to `…OhLgjh8` and differ only afterwards, consistent with a fixed encoded header (e.g. a bot or campaign ID) followed by a variable part — confirm by decoding. Both POSTs carry the payload in the query string with an empty body (see the raw capture's `Content-Length: 0`). The GET uses the lowercase `mozilla/2.0` User-Agent over HTTP/1.0 while the POSTs use an MSIE 6.0 User-Agent over HTTP/1.1; two different UA strings from one process, and the unusual `mozilla/2.0` string itself, are usable detection signatures.

Raw Pcap
Note: in the second capture (the first POST), the bytes following the header terminator duplicate the tail of the GET request above (`SbjWNkZ3W…mozilla/2.0`); since the request declares `Content-Length: 0`, these are most likely stale buffer contents from the capture tool rather than bytes on the wire. The third capture ends with an HTML fragment (`<address>Microsoft-IIS/7.0</address></body></html>`), presumably the tail of the server's response, which indicates zonetf.com answered from an IIS 7.0 host; the status line is not visible here.
0x00000000 (00000)   47455420 2f77702d 636f6e74 656e742f   GET /wp-content/
0x00000010 (00016)   75706c6f 6164732f 32303130 2f30392f   uploads/2010/09/
0x00000020 (00032)   7765622d 32302d77 6861742d 69732d33   web-20-what-is-3
0x00000030 (00048)   30307832 35312e6a 70673f76 34343d36   00x251.jpg?v44=6
0x00000040 (00064)   33267471 3d674b5a 45747a79 34253246   3&tq=gKZEtzy4%2F
0x00000050 (00080)   4657704c 42253242 5661697a 78597a69   FWpLB%2BVaizxYzi
0x00000060 (00096)   43472532 42365168 6b715925 32427373   CG%2B6QhkqY%2Bss
0x00000070 (00112)   42356343 524f4725 32466848 6c4b4f59   B5cCROG%2FhHlKOY
0x00000080 (00128)   70667948 4f575450 7a6f5a48 71764725   pfyHOWTPzoZHqvG%
0x00000090 (00144)   32464c74 68725051 7a446130 32705871   2FLthrPQzDa02pXq
0x000000a0 (00160)   4c4e4b34 724f6968 67684f6d 3133534d   LNK4rOihghOm13SM
0x000000b0 (00176)   72616167 74594f35 476b6d39 5335416d   raagtYO5Gkm9S5Am
0x000000c0 (00192)   79417747 4530584a 54453337 4b35464b   yAwGE0XJTE37K5FK
0x000000d0 (00208)   7659414d 4f4b4344 79365667 62253246   vYAMOKCDy6Vgb%2F
0x000000e0 (00224)   48487437 42536d44 55595325 32465676   HHt7BSmDUYS%2FVv
0x000000f0 (00240)   43557276 36426d35 71485334 674e4d6e   CUrv6Bm5qHS4gNMn
0x00000100 (00256)   37435655 6a456c6a 33424356 4863514c   7CVUjElj3BCVHcQL
0x00000110 (00272)   45537246 30647a77 71596e67 326c3261   ESrF0dzwqYng2l2a
0x00000120 (00288)   5a4d5256 386b4642 6833494a 5a685356   ZMRV8kFBh3IJZhSV
0x00000130 (00304)   33357555 477a5134 33467043 644a3525   35uUGzQ43FpCdJ5%
0x00000140 (00320)   3246646a 6b54666a 4a314b74 50377758   2FdjkTfjJ1KtP7wX
0x00000150 (00336)   41594653 626a574e 6b5a3357 2532466d   AYFSbjWNkZ3W%2Fm
0x00000160 (00352)   25324244 39677551 3255324a 59476371   %2BD9guQ2U2JYGcq
0x00000170 (00368)   2532427a 3047465a 566c6236 4e785963   %2Bz0GFZVlb6NxYc
0x00000180 (00384)   55545355 2532465a 72453262 756a6f65   UTSU%2FZrE2bujoe
0x00000190 (00400)   62383934 25324236 4e314869 50365668   b894%2B6N1HiP6Vh
0x000001a0 (00416)   556f5549 31444a56 4b557230 634c3146   UoUI1DJVKUr0cL1F
0x000001b0 (00432)   64703567 58643357 6a747536 62597968   dp5gXd3Wjtu6bYyh
0x000001c0 (00448)   52362532 466c4376 4e774637 6b334971   R6%2FlCvNwF7k3Iq
0x000001d0 (00464)   7945397a 62355269 51536533 6a71684a   yE9zb5RiQSe3jqhJ
0x000001e0 (00480)   61417575 43386966 46746159 25324656   aAuuC8ifFtaY%2FV
0x000001f0 (00496)   69253242 4f6e7845 6f505450 797a6d5a   i%2BOnxEoPTPyzmZ
0x00000200 (00512)   4f354a54 304a534f 45552532 46626156   O5JT0JSOEU%2FbaV
0x00000210 (00528)   77786a57 54517732 666b4a72 46734544   wxjWTQw2fkJrFsED
0x00000220 (00544)   6a625776 37253246 6f426c67 75314172   jbWv7%2FoBlgu1Ar
0x00000230 (00560)   30757551 3544426f 42367762 6d545042   0uuQ5DBoB6wbmTPB
0x00000240 (00576)   764a2532 42482048 5454502f 312e300d   vJ%2BH HTTP/1.0.
0x00000250 (00592)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000260 (00608)   73650d0a 486f7374 3a20666f 6c757368   se..Host: folush
0x00000270 (00624)   6f2e636f 6d0d0a41 63636570 743a202a   o.com..Accept: *
0x00000280 (00640)   2f2a0d0a 55736572 2d416765 6e743a20   /*..User-Agent: 
0x00000290 (00656)   6d6f7a69 6c6c612f 322e300d 0a0d0a     mozilla/2.0....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   4e745825 32425039 68253242 49307344   NtX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683838 42537225 32466525   OhLgjh88BSr%2Fe%
0x000000c0 (00192)   32425635 5a755267 25334425 33442048   2BV5ZuRg%3D%3D H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a207a   TTP/1.1..Host: z
0x000000e0 (00224)   6f6e6574 662e636f 6d0d0a55 7365722d   onetf.com..User-
0x000000f0 (00240)   4167656e 743a204d 6f7a696c 6c612f34   Agent: Mozilla/4
0x00000100 (00256)   2e302028 636f6d70 61746962 6c653b20   .0 (compatible; 
0x00000110 (00272)   4d534945 20362e30 3b205769 6e646f77   MSIE 6.0; Window
0x00000120 (00288)   73204e54 20352e31 290d0a43 6f6e7465   s NT 5.1)..Conte
0x00000130 (00304)   6e742d4c 656e6774 683a2030 0d0a436f   nt-Length: 0..Co
0x00000140 (00320)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000150 (00336)   0a0d0a53 626a574e 6b5a3357 2532466d   ...SbjWNkZ3W%2Fm
0x00000160 (00352)   25324244 39677551 3255324a 59476371   %2BD9guQ2U2JYGcq
0x00000170 (00368)   2532427a 3047465a 566c6236 4e785963   %2Bz0GFZVlb6NxYc
0x00000180 (00384)   55545355 2532465a 72453262 756a6f65   UTSU%2FZrE2bujoe
0x00000190 (00400)   62383934 25324236 4e314869 50365668   b894%2B6N1HiP6Vh
0x000001a0 (00416)   556f5549 31444a56 4b557230 634c3146   UoUI1DJVKUr0cL1F
0x000001b0 (00432)   64703567 58643357 6a747536 62597968   dp5gXd3Wjtu6bYyh
0x000001c0 (00448)   52362532 466c4376 4e774637 6b334971   R6%2FlCvNwF7k3Iq
0x000001d0 (00464)   7945397a 62355269 51536533 6a71684a   yE9zb5RiQSe3jqhJ
0x000001e0 (00480)   61417575 43386966 46746159 25324656   aAuuC8ifFtaY%2FV
0x000001f0 (00496)   69253242 4f6e7845 6f505450 797a6d5a   i%2BOnxEoPTPyzmZ
0x00000200 (00512)   4f354a54 304a534f 45552532 46626156   O5JT0JSOEU%2FbaV
0x00000210 (00528)   77786a57 54517732 666b4a72 46734544   wxjWTQw2fkJrFsED
0x00000220 (00544)   6a625776 37253246 6f426c67 75314172   jbWv7%2FoBlgu1Ar
0x00000230 (00560)   30757551 3544426f 42367762 6d545042   0uuQ5DBoB6wbmTPB
0x00000240 (00576)   764a2532 42482048 5454502f 312e300d   vJ%2BH HTTP/1.0.
0x00000250 (00592)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000260 (00608)   73650d0a 486f7374 3a20666f 6c757368   se..Host: folush
0x00000270 (00624)   6f2e636f 6d0d0a41 63636570 743a202a   o.com..Accept: *
0x00000280 (00640)   2f2a0d0a 55736572 2d416765 6e743a20   /*..User-Agent: 
0x00000290 (00656)   6d6f7a69 6c6c612f 322e300d 0a0d0a     mozilla/2.0....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   4e745825 32425039 68253242 49307344   NtX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683873 47253242 636f4a73   OhLgjh8sG%2BcoJs
0x000000c0 (00192)   58253242 534e7a56 4b763937 35586c6d   X%2BSNzVKv975Xlm
0x000000d0 (00208)   35472048 5454502f 312e310d 0a486f73   5G HTTP/1.1..Hos
0x000000e0 (00224)   743a207a 6f6e6574 662e636f 6d0d0a55   t: zonetf.com..U
0x000000f0 (00240)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000100 (00256)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000110 (00272)   6c653b20 4d534945 20362e30 3b205769   le; MSIE 6.0; Wi
0x00000120 (00288)   6e646f77 73204e54 20352e31 290d0a43   ndows NT 5.1)..C
0x00000130 (00304)   6f6e7465 6e742d4c 656e6774 683a2030   ontent-Length: 0
0x00000140 (00320)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000150 (00336)   6f73650d 0a0d0a3c 6872202f 3e0a2020   ose....<hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.


Strings
Note: the only import libraries visible below are KERNEL32.dll, USER32.dll and SETUPAPI.dll; no WS2_32, WSOCK32 or WININET names appear, yet the runtime trace shows Winsock DNS and WinINet HTTP activity. Together with LoadLibraryA/GetProcAddress and VirtualAlloc/VirtualProtect being imported, and the large proportion of high-entropy strings, this suggests the networking code is resolved at runtime from an unpacked or decrypted stage — treat the static import table as incomplete. Also worth noting: IsDebuggerPresent (anti-debug check), CreateFiber and ResumeThread (commonly associated with injection or hollowing, unverified here), and SETUPAPI device-enumeration calls (SetupDiGetDeviceRegistryPropertyW, CM_Get_DevNode_Status), which may serve as a virtual-machine or sandbox check.
.
sWU
C.U..;
W..+.ka.
3...}
...(
@....M..l...u^.v...0g..|z...
q..P...;@('
... `.....
 
?.
....
........
>.w
.....
2a.f
..
.
.
v.P .3..;L 
BV......9K7
j
.SH..o.
~....*.
/...Z
.-.k..0^..y4.
vq
.R..+U~r.-
..L..[.....M.c...l
.
.
040904b0
1481
PrivateBuild
StringFileInfo
TIMES NEW ROMAN
Translation
VarFileInfo
VS_VERSION_INFO
>>0W	{>j7
2/*Y&?VL
4tyIo	<	
$53J&{1
5HpW/f
5n<w: 
akJkYc
BeginPaint
;#bq\ZW%s
CallWindowProcA
CharNextA
CM_Get_DevNode_Status
CMP_WaitNoPendingInstallEvents
CreateFiber
CreateWindowExA
@.data
DefWindowProcA
DestroyWindow
dHmj%,
EndPaint
EnumResourceNamesA
EqualRect
ExitProcess
eZBuyO
f4|<6?
Fm}>4U
GetACP
GetClassInfoExA
GetClientRect
GetCommandLineA
GetFocus
GetKeyState
GetLocaleInfoA
GetParent
GetProcAddress
GetSystemInfo
GetWindowLongA
HeapAlloc
HeapCreate
HeapDestroy
HeapReAlloc
HeapSize
/HO*Xp
h:pF/;
im5)Lv 
InterlockedCompareExchange
IntersectRect
InvalidateRect
IsChild
IsDebuggerPresent
IsProcessorFeaturePresent
IsWindow
Jhz|[p
jK}LH_
Jn~H] 
KERNEL32.dll
KhLz86
K(	vHN
kWN.aO
LoadCursorA
LoadLibraryA
lXNU_i
 MS)pf{
:N?iN?k
N>x@	.
OffsetRect
ORP7nq9
@PT:4b
PtInRect
qK__bh
`.rdata
RealGetWindowClassA
RegisterClassExA
ReleaseDC
ResumeThread
Rich`x
RtlUnwind
SetFocus
SetThreadPriority
SetUnhandledExceptionFilter
SETUPAPI.dll
SetupDiGetDeviceRegistryPropertyW
SetWindowLongA
SetWindowPos
SetWindowRgn
sEuw6v
ShowWindow
/SV5./D
TerminateProcess
!This program cannot be run in DOS mode.
T-ixzq
TTNNzl
U&ME$%'
UnhandledExceptionFilter
UnionRect
UnregisterClassA
UO,Y.T
USER32.dll
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
Vj5ZO.
vn~Ufs
Vo68x8
V|/x_e
W6]`8xJ
wJ?~L<
W()k4Y8
W=oI6a
WriteFile
wsprintfA
|./Xw3
})	y_~
)yyK/q