Analysis Date2013-11-21 20:47:24
MD53cf738df9e377c83440d8c8e22369542
SHA15d3b004d23865669b640f5ed645f811f99dad7e5

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
SectionUPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
SectionUPX1 md5: 7ccf3202c5571e1f9652bbe703a823ff sha1: ca822d5276a0b7368fcaec6fecfc28058338ae00 size: 177664
Section.rsrc md5: 5b4c3abbdcfae02002406760c7432712 sha1: 8ceea88dae426aec5b1a86aef27c99b9938923a5 size: 512
Timestamp2012-04-04 03:32:42 (PE header compile timestamp, about 19 months before the analysis date; plausible for this family's build tooling but trivially forgeable, so do not use it as evidence of age)
PackerUPX -> www.upx.sourceforge.net (consistent with the section table above: UPX0 has size 0 and carries the MD5/SHA-1 of empty input, while the payload sits in UPX1. The "Strings" section at the bottom of this report appears to be extracted from the packed image — only the UPX loader's imports such as LoadLibraryA/GetProcAddress/VirtualAlloc/VirtualProtect and fragments like "Mic*soft Visual Stz" survive — so unpack with `upx -d` before relying on strings or imports)
PEhashc8e405e2d686d79a0eae5d14f513ee30b06c1213
AVavgWorm/Generic2.BLRH
AVaviraBDS/Backdoor.Gen
AVmcafeeW32/Generic.worm!p2p
AVmsseWorm:Win32/Ainslot.A
(Vendor names disagree — three generic worm/backdoor verdicts and one family name. Treat them as hints only; the more specific clue in this report is the `bshades` value the sample writes under HKCU\Software\VB and VBA Program Settings\SrvID below, which together with the MSVBVM60.DLL dependency points to a VB6-built RAT — confirm by unpacking rather than by AV label.)

Runtime Details:


Process
↳ C:\malware.exe (sandbox staging path, not the sample's original filename; note that the sample later adds a firewall exception for this exact path, which is therefore a sandbox artefact and will not match the on-disk name in a real infection)

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\rundll32 ➝
C:\Documents and Settings\Administrator\Application Data\svchost.exe
(Persistence via the policy-based Run key, in addition to the HKLM and HKCU Run keys below. The value name "rundll32" and the file name "svchost.exe" both mimic legitimate Windows binaries, but the dropped file lives in the user's Application Data directory, not %SystemRoot%\System32 — an svchost.exe outside System32 is a strong indicator on its own.)
RegistryHKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{EAFFC9EA-F9BC-CCA6-BE8B-FDCA7EC3CCEE}\StubPath ➝
C:\Documents and Settings\Administrator\Application Data\svchost.exe
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{EAFFC9EA-F9BC-CCA6-BE8B-FDCA7EC3CCEE}\StubPath ➝
C:\Documents and Settings\Administrator\Application Data\svchost.exe
(Second persistence mechanism: Active Setup StubPath entries are executed at user logon and are rarely audited. The component GUID {EAFFC9EA-F9BC-CCA6-BE8B-FDCA7EC3CCEE} under both HKLM and HKCU is a usable registry indicator, and removing the Run keys alone will not clean this host.)
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32 ➝
C:\Documents and Settings\Administrator\Application Data\svchost.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\INSTALL\DATE\8OHPQF0HC5 ➝
November 21, 2013\\x00
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID\ID\8OHPQF0HC5 ➝
bshades\\x00
(These keys are where the VB6 runtime's SaveSetting stores program settings, matching the MSVBVM60.DLL references in the strings. The identifier 8OHPQF0HC5 is also used as the mutex name further down, so it is a fixed sample-specific marker rather than a random value; the install date is the analysis date. "\\x00" is the sandbox's rendering of the trailing NUL, not part of the stored value.)
RegistryHKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32 ➝
C:\Documents and Settings\Administrator\Application Data\svchost.exe
Creates FileC:\Documents and Settings\Administrator\Application Data\keylog (keystroke log written next to the dropped binary; strings such as "tmrLivLogg", "Screensho", "yGrabb" and "_FACEBOOK_START" in the packed-strings section suggest keylogging, screen capture and credential-grabbing components, but these are unconfirmed until the sample is unpacked)
Creates FileC:\Documents and Settings\Administrator\Application Data\svchost.exe (the persistence copy referenced by every Run/Active Setup key above)
Creates File\Device\Afd\AsyncSelectHlp
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates File\Device\Afd\AsyncConnectHlp
Creates Processcmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\svchost.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\svchost.exe:*:Enabled:Windows Messanger" /f
Creates Processcmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Creates Processcmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Creates Processcmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f
(The four REG ADD commands above target the Windows XP/2003 firewall policy under SharedAccess\Parameters\FirewallPolicy: DoNotAllowExceptions=0 re-enables the exceptions list, and both the dropped svchost.exe and the original executable are whitelisted for all ports ("*:Enabled") under the display name "Windows Messanger". The misspelling is a cheap detection string for process-creation and registry telemetry. Note that the per-process entries below record the resulting DoNotAllowExceptions value as NULL rather than 0; treat that as a sandbox logging limitation and verify the real value on an infected host.)
Creates Mutex8OHPQF0HC5 (single-instance mutex; same identifier as the VB program-settings key names above)

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions ➝
NULL

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Creates ProcessREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\svchost.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\svchost.exe:*:Enabled:Windows Messanger" /f

Creates ProcessREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\svchost.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\svchost.exe:*:Enabled:Windows Messanger" /f

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\svchost.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\svchost.exe:*:Enabled:Windows Messanger" /f

RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Application Data\svchost.exe ➝
C:\Documents and Settings\Administrator\Application Data\svchost.exe:*:Enabled:Windows Messanger\\x00

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\\malware.exe ➝
C:\\malware.exe:*:Enabled:Windows Messanger\\x00

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Creates ProcessREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions ➝
NULL

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Creates ProcessREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Network Details:

DNSmy-pc.myftp.biz
Type: A
94.64.241.97
Flows TCP192.168.1.1:1033 ➝ 94.64.241.97:1611
Flows TCP192.168.1.1:1035 ➝ 94.64.241.97:1611
(my-pc.myftp.biz is a dynamic-DNS hostname, so the resolved address — valid as of the 2013-11-21 analysis — is a weak and likely stale indicator; the hostname and the non-standard destination port 1611 are the durable ones. Two connection attempts from ephemeral ports 1033 and 1035 are logged with no payload, so this report does not show whether a session was established or what protocol the controller speaks; consult the pcap for that.)


Strings
PERS
SETTINGS
00G0rE
02^6 N
08DeJ6/
&]*0DFs:
0fWmZv
? 0-k/
0MQ[dd&
0|@&ph
0r(If8
0T5(%-V	
1234\r
 1aEIo5j
1^D;clz
1DlFunA3
1lf)pP&,.
\1ZE&Dq@z6
2{0<4(
2!<<2!
22A368949C0&
'22I\dq
}2;!C|[U
2>e%Xdq
_2P$0N
2>SvC A
,2-t4H!T
32EDE121D9E2F062D2BD
35;hsI
3]Nmf^F
%&'()*456789:CDEFGHIJSTUVWXYZcd`
,4'!AJN
4[cv4=bGa
>4e=bA
4>FAa;
4H4sg%
4%J|&\
4 .\jF
4/+Q T
4)t	x'kx
{501E:9~
5;4QSRy&
55*237X2
55i<3eX
5Async?f
<5d|lhNG
5qpBOk?x
6	8a!Sv
]6aKz3d(
6C4F5B5C5*14
6#D~7sKW`
~6ENC^fADClifSteam
.6g+kH
6,HK[f.L
6[H/Y"
6jc}2]	9r0(u
	6O_:3-7
6V2Ziz<p]
%6;y;,
7033413A647A4B673931
774NEm
}77PR[B
78jdj33
+7"F3E
7fL'/dO
`.=7Kajt8
7niffOS4\V
7. pct3/
!84u;X
8&##bL
8F91AEE<A
<8HX5n2
8Oq@\AR
96Pk(pI
9)@BxKi
9/lN(0
&9%'$$se\2
a4.U}N
A7O"ilDw.oND
AddMsg
AddRef
AdjuFPjN
>{AFA$
agQuery
AIBS^A
ais{pQ
alUpda
(%AT?I\@Xf2K
AUb9]^9t]:g
Audio.
#]=		(b
B.345B.
b86mswi
B8lTBn\
B$9$xU
<*B <(ao
:*'/bk
Bp%ua-!
bss_ser'
b+tO6h
bu:2d'
by.ToPl
c;,43KB8
<C[7*Bs
;]C9HYH.
Ca]!K`#
CallBa
!CEFajh
C<F6E4ZF7C
CFCQ]>-l
/Chat'
cImage'%cap
<Ciuqa
Cog	b;
Compzb7
+C	=Oo
]`Cpcd
 &Cr2T
cSubClHi
`Cu>@Po
,CWBnxV*
<CWo!WlLp
C )-$z(
d@&' (<
^`D08?f
D5F6_T
DAi#Ied
<dBN2D0E
DDfLRN4
dDG=Bt
\ddTd	
df"FC^YO
+d@Fvg
><#DhDY
dhpBlX*
D(I[6#
dJN2|@:X
dlOU$F(U<
/.D'm!
d$N`l{
d_O@`4
\d(#t\.
/\dT4J%D.0%
|DZPp_|
E^CQpD
ect?TorrentS
E\FwPN
eH91:B
E#ONFt0
EVENT_SINK_Ge.,
'EV?L_]
ExitProcess
f.,00 &Ns0
F0Y)y.
_FACEBOOK_START
"{ff^T($
f_h'n;
 Files (x86)\
$,FLLe
#)$<Fo0
frmMain
Fy.#fbv
.\g)$&
* '^ G
G$7T3N2$$
#(g##;A
gABdG:
gCmp_c
/GdV'b
GetProcAddress
gHija.
gnv#"vL
Gook?RS`curity
_\gwbAuz
gWdglvt
GWSOCK
h#6w	-T
h99yN`
Hd&Bzx\
	,heInvokeM
[heQT%
HErQrL<.
h' #FX
 hGed /X 
hKA{>f.=f
H!OeB8HH
H&PY9J
hQr lJ
hsk_^lU
h(Tn%8
#%hu D
~hunk5G{
H(VZZf
\.i.'[
icalDr
ICK_DELAF
ICk)S%
iFTD4$
iFTr2l%
ifyuw9
IJ!lgp]
iMgi#.
InfoTO
Io6IR1/
IOcm%_
,iP2,nH
iPn"j0/
I@Q*[P
I-=qTM	p
IyAmISGvh
j1gH1j
jC{S2ZG
<jGD}?^-
jHO)Vv;
^j j'P
&"j]KBw
 `)Jp`
Js<t8/
Jvj_Vd
J-xd<H
K]>1h-
K2rT4w
k3;#(DN.
K.678r
kc_13B
]Kd<l0
KERNEL32.DLL
"#kfC#\
@@Kjka)
km^)\<2=[
kO r%9<
_k/ qu
\Ku/?+)
k&UIwI"&=
KuV0v\.i.k1w
|*}<kV
l;<<2!
L2 ' (
&l6P|`
l8){)`I|
laj"-9Ka
!l(aL.
Lau&hF
LD'0/w(
L&d/O<=
"LDpOO^<
^lfff^
lflE.@]
LHD@<8M
L$KDQH
Lla+(B
L:lng#
lLr p#
l.mptj
l-n/on
l&N(q6
LoadLibraryA
lobalAl
loseHandJ
loUn@cvssPATH_WINLOGON
L~'(P~=
Lus:1]K_
lw"[tBm
/`L*#X
L)^Y"aA
l/$yEz
M1/T64
m7_Gw`
m7&I;rT
M83$- 
$MCiaf
m>>F0XO6>
*>mh` 
Mi|7uJ
Mic*soft Visual Stz\
_^Mkok$P
mlTa#w
mm9UCn
mml5Gk
	mMl%6`
mnK{Vf
modFucrons
MS SaX
\msvbvm60
MSVBVM60
MSVBVM60.DLL
m@/SW7HKh
M_SY)`pi
M ?t?T
M&Xu%:]
MY=NG 
MZ?N:	
N~0~%D&
@n0Nu&
"N2]F|
N2 #`h 
n4:TPs
N99yFD
N<dp>hu .
*#&'..Nf
Ng(TopX
nivnG|G
nL2 o(
N&LCcR 
npa:M5
nsh](7
NTDLLJT}
$nUHVS
Nvbjd[Ab
N``w8!
NxZdN_
o0  Pl
"o2&A9
O`~6G$
*O8^.N
OafoPx0z
-obh.&
oCHAT	O
Od;4oa
Of')9%
^O,Ml(
>OPx6xQ
os#+Om
ovbv)#mHj
oWaiqS
owIIn:
 @P`@`
*(?|&^P
-<{P2ao
p5HBITMAP
P|	8 a
<P8D"Q
P.99yN	
pA([N(
*P@ddY
p*<#GN
(_P^h^
picThumb
piRSipIn
PIW\q\
p..j"nW
@PKm.,
PRINT_
p> *s|4!
pxQ?|PC
pz7\X5U
QA*OUu
)=Qeyy
!Q[PI5
%q`sLY
"@queezer
>\QValu
(q,>,xQ
q'yN R
"\$r/ 
;R$9gi.
R"a;#)<
raTagd`'
Rd:\SysWOW64\	
r)}G*Q4
rh$X}=	
r%Lor 
rP.vqA
rQ0d*oT_
Ru\v5[
,(r%'y
rYZl,&
S0	u~pM
s2r@!$
S73&97:SW
:ScanL
s_CD1Z
sciid@n
_?SCManPr
s:.cpV
Screensho
s;!`Di
Sd@N.P
~SER_FB77b
SF6I zg=
SG8	c|`;
S@hlEng
s/JoP7a)
s'MNE!
so@a#t
Socket
 ?@SPO!
SrJ,pxr]
s the p@
STRUCTIO
stV&y<
s@#U@32
sWB-_%
SZoM7Pn`
T#0(8;/
T0'H|R
t1L2 #\d
:t3YTP
T4gzF>0,g
t)5H%a"
T_ADDMSG
TaenmP!M
T&dl\l
TEgw *
tg@JN2|
!This program cannot be run in DOS mode.
Tim[?S
:;tkEe}
tmrLivLogg+
],t~ n
(tnP_P
TO8!S2
`tPp=+7Z
TPUV[n`L?6
_tpWR@
tQ`/@`
($tSdyN
?tU+yF
twB7z 
tw<Rr@M<7
t:XZ0*g
U."^#-
.&u^8uF
UM	Q\cH
$ $upVr#'
UrlCache
URLDVnl
 usiid
UYl1X4L;
]V0jx</
V!4@f1
V&7o<c
v.Bf&|
vBIV9*O
vf`M1P
vf'$sT
vieframe.dl
VirtualAlloc
VirtualFree
VirtualProtect
v$qTh_=[
vs(>*1
vS/k	\
VtHTL5P
VUc!V_0
VVwCtl~ebBrow
VV_\X~
v #@XN\
$VY4U84b
(v+Y!JT
W']7CN_
WbJ`[b
_WebHide
~w<e/SrcLef]
 WK>`E
-_WMqo
^)w*n]
WN2 #X`$W
wN$N$7
woXCCdC3
>wP;&U
`W%T)4
w:\	X'
X;b8x3 L,
}\xEm>
xh	W$7L
X'j'b3
xlh^NJ
xphZRJ
XPTPSW
 `\XTY
xu5sx4
\\X.W{
@Y'a6t
yGrabbOg	V
 y*(j"a 
yp/g0D+L
YX"")fv
YXF?xw
#z+A-P
@Z?kZ%
ZR5A30
Z"SS=#
Z$}tw3