Analysis Date: 2014-11-20 20:20:24
MD5: d8b882157d32c32f87031f4a2cd6b5ce
SHA1: 5afd7878db6255b70f0e3dc9625cc2f10cf67938

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: f1605875a8fb31103d0c63c83a3aa9d2 sha1: e5579b330f35d86f14168cf8ca5341a485b9ab8f size: 15360
Section .rdata md5: 10d6d2d2f28abfe460e187b917525c70 sha1: b049ad53859ae5743a436f6054d0e547ba17faf1 size: 1024
Section .data md5: f96ea6bf39b1002826fa946514f320ee sha1: 16a69d0cf45ddd82877a8799926048d92ea812cb size: 112128
Section .rsrc md5: 470af309cfee90669e377adf73d95a31 sha1: 75a75b92f76a5e890c2576612a61e0eef660a1e2 size: 5120
Timestamp: 2009-04-27 14:52:34
Version:
LegalCopyright: Copyright © 2010 Setup Technologies
InternalName: set_up js
FileVersion: 4.1.0.0
CompanyName: Jordan Russell
LegalTrademarks:
Comments:
ProductName: Internet Security b
ProductVersion: 4.1.0.0
FileDescription: O Setup Self-Extractor
OriginalFilename: set_up js
PEhash: 8b3d84e7641c5bf6e2d67f04d294d7db5c5fbe45
IMPhash: 6c2bef51a0b0bc172bdfc218dc11217f
AV 360 Safe: Gen:Heur.FKP.1
AV Ad-Aware: Gen:Heur.FKP.1
AV Alwil (avast): MalOb-IJ [Cryp]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/FakeAlert.KN.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen2
AV BullGuard: Gen:Heur.FKP.1
AV CA (E-Trust Ino): Win32/Renos.D!generic
AV CAT (quickheal): Trojan.Renos.LN
AV ClamAV: Trojan.Jorik-45
AV Dr. Web: Trojan.Siggen2.26013
AV Emsisoft: Gen:Heur.FKP.1
AV Eset (nod32): Win32/TrojanDownloader.FakeAlert.BGV
AV Fortinet: W32/Krypt.QKV!tr
AV Frisk (f-prot): W32/FakeAlert.KN.gen!Eldorado
AV F-Secure: Gen:Heur.FKP.1
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Trojan-Downloader.SuspectCRC
AV K7: Trojan-Downloader ( 001359961 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Downloader
AV Mcafee: Downloader-CEW.ai
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.LX
AV MicroWorld (escan): Gen:Heur.FKP.1
AV Norman: Gen:Heur.FKP.1
AV Rising: Trojan.Win32.Generic.1285170F
AV Sophos: Mal/FakeAV-IZ
AV Symantec: no_virus
AV Trend Micro: TROJ_RENOS.SMRK
AV VirusBlokAda (vba32): BScope.Trojan.Zbot.11521

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\W5E7SH31DG ➝ C:\malware.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Registry: HKEY_CURRENT_USER\Software\W5E7SH31DG\OteH ➝ xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}
Winsock DNS: berndkoop.com
Winsock DNS: hopvariety.com

Network Details:

DNS: wsj.com (Type: A) ➝ 205.203.132.65
DNS: wsj.com (Type: A) ➝ 205.203.140.1
DNS: wsj.com (Type: A) ➝ 205.203.140.65
DNS: wsj.com (Type: A) ➝ 205.203.132.1
DNS: fastclick.com (Type: A) ➝ 64.156.167.84
DNS: nifty.com (Type: A) ➝ 210.131.4.217
DNS: hopvariety.com (Type: A)
DNS: berndkoop.com (Type: A)
DNS: myreposite.com (Type: A)
DNS: mykdirect.com (Type: A)

Strings: