Analysis Date: 2014-09-15 10:44:33
MD5: a1f4568278f4ff7d14cdbaa2f5c94d66
SHA1: 5759dbdcb6c6bfba690aca1767be4334c9ad6377

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 6ec6dd5c749a597ed2bc9ed55e594f9f sha1: ed9bd0938d1349e04287e0dd37510525f4c8389c size: 1024
Section .rdata md5: a2feaf3ba629027ed0b7b0663a4836e0 sha1: 3b0ef5c293336d1f6446110672af463e64f55392 size: 512
Section .data  md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .rsrc  md5: 75ac89e12c6ff94d61865e19eff6b521 sha1: c1c5ce2b61615e69711a5ab3fd288a995cf1426c size: 37888
Timestamp: 2007-03-27 17:12:03
Version:
  LegalCopyright: Copyright (C) 2000
  InternalName: MPIRing
  FileVersion: 1, 0, 0, 1
  CompanyName:
  LegalTrademarks:
  ProductName: MPIRing Application
  ProductVersion: 1, 0, 0, 1
  FileDescription: MPIRing MFC Application
  OriginalFilename: MPIRing.EXE
PEhash: bf471dc64704c73f2e726b42040b59207263ad33
IMPhash: 8aa48b00dd80d2085cbbd81726a688be

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\vodatbyshafe ➝ C:\Documents and Settings\Administrator\vodatbyshafe.exe
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\vodatbyshafe.exe
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: vodatbyshafe

Network Details:

DNS: eircom.net  Type: A  ➝ 86.43.38.8
DNS: www.optonline.net  Type: A  ➝ 66.54.17.31
DNS: oakland.edu  Type: A  ➝ 141.210.5.100
DNS: v6v4.portal-standard.aol.akadns.net  Type: A  ➝ 205.188.19.16
DNS: v6v4.portal-standard.aol.akadns.net  Type: A  ➝ 64.12.21.3
DNS: v6v4.portal-standard.aol.akadns.net  Type: A  ➝ 64.12.107.131
DNS: v6v4.portal-standard.aol.akadns.net  Type: A  ➝ 205.188.18.208
DNS: backpacker.com  Type: A  ➝ 50.19.110.79
DNS: suscom.net  Type: A  ➝ 66.179.151.52
DNS: univision.com  Type: A  ➝ 64.14.58.197
DNS: cwnet.com  Type: A  ➝ 38.102.40.244
DNS: www.aol.com  Type: A
DNS: www.optonline.com  Type: A
Flows TCP: 192.168.1.1:1037 ➝ 64.14.58.197:25
Flows TCP: 192.168.1.1:1039 ➝ 66.54.17.31:25
Flows TCP: 192.168.1.1:1038 ➝ 141.210.5.100:25
Flows TCP: 192.168.1.1:1040 ➝ 205.188.19.16:25
Flows TCP: 192.168.1.1:1043 ➝ 86.43.38.8:25
Flows TCP: 192.168.1.1:1041 ➝ 50.19.110.79:25
Flows TCP: 192.168.1.1:1042 ➝ 66.179.151.52:25
Flows TCP: 192.168.1.1:1044 ➝ 38.102.40.244:25

Strings
040904B0
1, 0, 0, 1
About4Quit the application; prompts to save documents
&About MPIRing...
About MPIRing
Account:
Account & Password
&Arrange Icons
Cancel
&Cascade
Close
&Close
Close the active document
CompanyName
&Copy	Ctrl+C
Copyright (C) 2000
Create a new document
Cu&t	Ctrl+X
?Display program information, version number and copyright
&Edit
Enter
Exit
E&xit
&File
FileDescription
FileVersion
Find
&Help
InternalName
LegalCopyright
LegalTrademarks
Make Ring
MPD Ring
MPIRin
MPIRin Document
MPIRing
MPIRing1
MPIRing Application
MPIRing.Document
MPIRing.EXE
MPIRing MFC Application
MPIRing Version 1.0
MS Sans Serif
&New	Ctrl+N
&New Window
Open
Open an existing document
&Open...	Ctrl+O
OriginalFilename
Password:
&Paste	Ctrl+V
Please enter an account to run the mpd's under.  All spawned processes will launch in this context:
ProductName
ProductVersion
Quit
Ready
Refresh
Save0Save the active document with a new name
Save As
Save &As...
&Save	Ctrl+S
Save the active document
SCRL
StringFileInfo
TEXTINCLUDE
&Tile
Translation
&Undo	Ctrl+Z
VarFileInfo
VS_VERSION_INFO
&Window
@.data
#define _AFX_NO_OLE_RESOURCES
#define _AFX_NO_PROPERTY_RESOURCES
#define _AFX_NO_SPLITTER_RESOURCES
#define _AFX_NO_TRACKER_RESOURCES
#endif
#endif //_WIN32
gdi32.dll
GetModuleHandleA
GetObjectW
GetProcAddress
#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU)
#ifdef _WIN32
#include "afxres.h"
#include "afxres.rc"         // Standard components
#include "res\MPIRing.rc2"  // non-Microsoft Visual C++ edited resources
kernel32.dll
LANGUAGE 9, 1
LoadImageA
MessageBoxW
#pragma code_page(1252)
`.rdata
resource.h
!This program cannot be run in DOS mode.
user32.dll