Analysis Date: 2013-09-15 19:08:09
MD5: eb5c89d64e20795299e26366eb14f134
SHA1: 5ea9e3fbfd0c787c2d0932f16cda86a798cbeef7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: ec0ffbe62e29bafee8228c9e0b66738c sha1: e2f5a8384e815720173911eb37d462c167794540 size: 81920
Section .rsrc md5: df617f4bc0e9eb1172e1788e941a6741 sha1: b3c18eae7a896c1cd55cb1a74d27bfe7d388d8a8 size: 16384
Timestamp: 2011-05-31 14:30:24 (PE header compile time; attacker-controlled, treat as unverified)
Packer: Microsoft Visual Basic v5.0 (signature match only; the Strings section below also contains loader-style strings such as `PEC2DbgMsg: %X: %s`, `LoaderStart` and `The ordinal %d could not be located in the DLL %s.`, which resemble a PECompact loader, so the VB signature may describe an embedded payload rather than the outer file — unconfirmed)
PEhash: 0ca1eb38f7b870934c9cb8406268dbe12414711f
AV avg: Generic22.CDHU
AV avira: TR/Dropper.Gen
AV msse: Trojan:Win32/Msposer.A

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers\{FCO94F32-9210-4A7D-AAE8-BB0320CB1D10}\ ➝
{6DCB487C-0DFA-48C2-ABDC-296BBD892262}
Registry: HKEY_CLASSES_ROOT\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\ ➝
ShellExt\\x00
Registry: HKEY_CLASSES_ROOT\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\ ➝
pIContextMenu.ShellExt\\x00
Registry: HKEY_CLASSES_ROOT\pIContextMenu.ShellExt\ ➝
pIContextMenu.ShellExt\\x00
Registry: HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{FCO94F32-9210-4A7D-AAE8-BB0320CB1D10}\ ➝
{6DCB487C-0DFA-48C2-ABDC-296BBD892262}
Registry: HKEY_CURRENT_USER\Control Panel\International\nTimes ➝
66
(Note: the ContextMenuHandlers entries under `*` and `Directory\Background` register CLSID {6DCB487C-0DFA-48C2-ABDC-296BBD892262} — ProgID `pIContextMenu.ShellExt` — as a context-menu shell extension for every file type and for folder/desktop backgrounds, so the COM server is loaded into explorer.exe whenever a context menu is opened; shell-extension registration of this kind is commonly used for persistence. No InprocServer32 value is captured in this log, so the backing DLL is not confirmed here — the dropped `C:\WINDOWS\system32\hugprd.dll` listed below is the likely candidate. The handler subkey name `{FCO94F32-…}` contains the letter O where a hex digit would be expected; it is reproduced exactly as logged — verify against the live key before using it as an indicator.)
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFBA8.tmp
Creates File: C:\WINDOWS\system32\hugprd.dll
Creates File: C:\setup.ad
Creates File: C:\setup1.ad
Creates File: C:\WINDOWS\system32\setup.ad
Creates File: C:\_ze2j.bat
Deletes File: C:\setup.ad
Deletes File: C:\setup1.ad
Creates Process: C:\Program Files\Internet Explorer\iexplore.exe http://u.9lwan.com/cj/direct/628546.html
Creates Process: C:\Program Files\Internet Explorer\iexplore.exe http://u.9lwan.com/cj/direct/628546.html
Creates Process: C:\_ze2j.bat
Creates Process: C:\Program Files\Internet Explorer\iexplore.exe http://u.9lwan.com/cj/direct/628635.html
Creates Process: C:\Program Files\Internet Explorer\iexplore.exe http://u.9lwan.com/cj/direct/628635.html
(Note: the sample writes a DLL into system32 and a batch file to the drive root, then executes the batch file; the contents of `_ze2j.bat` and of the `.ad` files are not captured in this log, so their role — e.g. cleanup or self-deletion — is unconfirmed. All outbound HTTP traffic is generated by child iexplore.exe processes that the sample launches with URLs on the command line, not by malware.exe itself, so network detections keyed on the sample's own process will not see it.)

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe http://u.9lwan.com/cj/direct/628546.html

Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝
1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: _SHuassist.mtx
Creates Mutex: Shell.CMruPidlList
(Note: these registry, file and mutex entries appear consistent with ordinary Internet Explorer start-up rather than sample-specific behaviour; this instance shows no socket or DNS activity in the log.)

Process
↳ C:\_ze2j.bat

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe http://u.9lwan.com/cj/direct/628635.html

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B45FF030-4447-11D2-85DE-00C04FA35C89}\iexplore\Type ➝
1
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore\Type ➝
4
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝
1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links\Order ➝
NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore\Type ➝
3
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝
NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore\Type ➝
4
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: Shell.CMruPidlList
Winsock DNS: u.9lwan.com
(Note: this is the only iexplore.exe instance in the log that opened network endpoints (`\Device\Afd\*`) and resolved `u.9lwan.com`, which matches the Network Details section capturing only the `628635.html` request. The `Ext\Stats\{…}\iexplore\Type` entries are IE's own add-on statistics keys; they are not evidence that the sample installed a browser extension.)

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe http://u.9lwan.com/cj/direct/628546.html

Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝
1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: _SHuassist.mtx
Creates Mutex: Shell.CMruPidlList

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe http://u.9lwan.com/cj/direct/628635.html

Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝
1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: _SHuassist.mtx
Creates Mutex: Shell.CMruPidlList

Network Details:

DNS: u.9lwan.com
Type: A
60.28.214.9 (resolution observed at analysis time, 2013-09-15; re-resolve before relying on the IP as an indicator)
HTTP GET: http://u.9lwan.com/cj/direct/628635.html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows: TCP 192.168.1.1:1032 ➝ 60.28.214.9:80
(Note: only the `628635.html` request appears in the capture although the sample also launched iexplore.exe against `628546.html`; the User-Agent is consistent with the sandbox's stock IE 6 / Windows XP browser rather than a sample-specific value, so it is not useful as an indicator.)

Raw Pcap
0x00000000 (00000)   47455420 2f636a2f 64697265 63742f36   GET /cj/direct/6
0x00000010 (00016)   32383633 352e6874 6d6c2048 5454502f   28635.html HTTP/
0x00000020 (00032)   312e310d 0a416363 6570743a 202a2f2a   1.1..Accept: */*
0x00000030 (00048)   0d0a4163 63657074 2d4c616e 67756167   ..Accept-Languag
0x00000040 (00064)   653a2065 6e2d7573 0d0a4163 63657074   e: en-us..Accept
0x00000050 (00080)   2d456e63 6f64696e 673a2067 7a69702c   -Encoding: gzip,
0x00000060 (00096)   20646566 6c617465 0d0a5573 65722d41    deflate..User-A
0x00000070 (00112)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000080 (00128)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000090 (00144)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x000000a0 (00160)   204e5420 352e313b 20535631 3b202e4e    NT 5.1; SV1; .N
0x000000b0 (00176)   45542043 4c522032 2e302e35 30373237   ET CLR 2.0.50727
0x000000c0 (00192)   290d0a48 6f73743a 20752e39 6c77616e   )..Host: u.9lwan
0x000000d0 (00208)   2e636f6d 0d0a436f 6e6e6563 74696f6e   .com..Connection
0x000000e0 (00224)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....
0x000000f0 (00240)                                         


Strings
(]^_["
0 0$0(0,0004080<0@0D0d0h0l0p0t0
0!0&0-02090>0E0J0T0X0d0
0 0$0,090D0I0d0h0p0}0
000204
: :$:(:,:0:4:
> >$>(>,>0>4>8><>@>D>H>L>P>T>X>\>`>d>h>l>p>t>x>|>
; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;l;p;t;x;|;
? ?$?(?,?0?4?8?<?@?D?H?L?P?T?X?\?`?d?h?l?p?t?x?|?
;$<(<0<=<H<M<h<l<t<
:$;(;0;=;H;M;l;p;x;
1"1(1.141:1@1F1L1R1X1^1d1j1p1v1|1
1	1(1,141A1L1Q1p1t1|1
1(1P1l1
1.23282D2I2N2Z2_2d2p2
141<1D1L1d1l1t1|1
2 2%2D2H2P2]2h2m2P3T3\3i3t3y3
3;3;3;0
3`4t4x4
3D3H3d3h3l3
4H4L4T4a4l4q4h8l8
5,50585E5P5U5p5t5|5
5%5*51565@5H5P5X5`5h5p5x5
5 6$6,696D6I6h6l6t6
6 6(60686@6H6P6X6`6h6p6x6
7!7,717P7T7\7i7t7y7
7 7$7(7,7074787<7@7D7H7L7P7T7X7\7`7d7h7l7p7t7x7|7
8$8(808=8H8M8l8p8x8
8"8)8.858:8A8F8M8R8Y8^8h8p8t8|8
8Aplicaton er
=8=<=D=Q=\=a=
9$9)9L9P9X9e9p9u9
> >$>,>9>D>I>
_adj_fdiv_m16i
_adj_fdiv_m32
_adj_fdiv_m32i
_adj_fdiv_m64
_adj_fdiv_r
_adj_fdivr_m16i
_adj_fdivr_m32
_adj_fdivr_m32i
_adj_fdivr_m64
_adj_fpatan
_adj_fprem
_adj_fprem1
_adj_fptan
advapi32
advapi32.dll
,al 3Fil
_allmul
Application error
=(=-=<=A=P=U=d=i=t=
:Bsf9Bs{7BsX"Fs
CallWindowProcA
cchMax
_CIatan
_CIcos
_CIexp
_CIlog
_CIsin
_CIsqrt
_CItan
CloseHandle
CLSIDFromProgID
CreateBitmapIndirect
CreateCompatibleDC
CreateICA
`.data
DeleteDC
DeleteObject
DeleteUrlCacheEntryA
< <$<@<D<H<L<P<T<t<x<|<
DllCanUnloadNow
DllFunctionCall
DllGetClassObject
DllRegisterServer
DllUnregisterServer
d:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
DragQueryFileA
duIContextMenu Shell Extension..
Es$FGsj|Gs
es; ICpIContextMenu
=ES|ze
EsZ]FsE`Fs
EVENT_SINK2_AddRef
EVENT_SINK2_Release
EVENT_SINK_AddRef
EVENT_SINK_QueryInterface
EVENT_SINK_Release
ExitProcess
FIContextMenu
File=""
File corrupt.
FileTimeToSystemTime
FindResourceA
FIShellExtInit
FreeLibrary
FsC;Bs
General
GetFileInformationByHandle
GetModuleHandleA
GetObjectA
GetProcAddress
GetShortPathNameA
GetSystemDirectoryA
GetTextMetricsA
GetTimeZoneInformation
GetWindowsDirectoryA
hKeyProgID
\HsetGs
^Hs&nGssnGs?|Gs
:<:@:H:U:`:e:
H:\Vista\
H:\WINDOWS\system32\MSVBVM60.DLL\3
IContextMenu
IContextMenu_GetCommandString
IContextMenu_InvokeCommand
IContextMenu_QueryContextMenu
IContextMenu Shell Extension..
IContextMenu_TLB
ICtxMenu.tlbWW
idCmdFirst
idCmdLast
index: %
indexMenu
index: %X checksum: %X
InsertMenuA
irtualFe
IShellExtInit
IShellExtInit_Initialize
kernel32
kernel32.dll
kernl32.d
LoadBitmapA
LoaderStart
LoadLibraryA
LoadResource
lpdobj
lstrcpyA
lstrlenA
MessageBoxA
MethCallEngine
ModifyMenuA
Module1
Module3
MSHTMLDE
MSHTMLDE.DLL
msvbvm
MSVBVM60.DLL
m_szFile
odule3;
OJV9)i
ole32.dll
OpenFile
OpenProcess
OutputDebugStringA
(P#cE0U
$PEC2DbgMs
PEC2DbgMsg: %X: %s
pIContextMenu
pIContextMenuWWW
pidlFolder
ProcCallEngine
pszName
pwReserved
r\0A\,
RegCloseKey
RegCreateKeyA
RegCreateKeyExA
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
RegisterOcxOrDll
RegOpenKeyA
RegOpenKeyExA
RegQueryValueExA
RegRestoreKeyA
RegSaveKeyA
RegSetValueExA
ReleaseStgMedium
@.reloc
RtlMoveMemory
SDLG.5xd
SelectObject
SetFileTime
SetMenuItemBitmaps
\setup1\ICtxMenu.tlb
setupp
sGskbHs
shell32.dll
Shell_Declares
ShellExecuteA
ShellExt
_ShellExt
_ShellExtWWWd
Shell_Functions
stdole2.tlbWWW
StretchBlt
strFileName
StringFromGUID2
SystemTimeToFileTime
The ordinal %d could not be located in the DLL %s.
The procedure %s could not be located in the DLL %s.
!This program cannot be run in DOS mode.
Timer1
uFlags
URLDownloadToFileA
urlmon
user32
USQWVR
~"#V *
#vb6chs.dll
VBA6.DLL
__vbaAryDestruct
__vbaAryMove
__vbaBoolVarNull
__vbaChkstk
__vbaCopyBytes
__vbaDateR8
__vbaDateVar
__vbaEnd
__vbaErrorOverflow
__vbaExceptHandler
__vbaFileClose
__vbaFileOpen
__vbaFPException
__vbaFpI2
__vbaFPInt
__vbaFreeObj
__vbaFreeObjList
__vbaFreeStr
__vbaFreeStrList
__vbaFreeVar
__vbaFreeVarList
__vbaGetOwner4
__vbaHresultCheckObj
__vbaI2I4
__vbaI2Var
__vbaInStr
__vbaLenBstr
__vbaNameFile
__vbaNew2
__vbaObjSet
__vbaOnError
__vbaPrintFile
__vbaPut3
__vbaPutOwner3
__vbaRedim
__vbaSetSystemError
__vbaStrCat
__vbaStrCmp
__vbaStrCopy
__vbaStrMove
__vbaStrToAnsi
__vbaStrToUnicode
__vbaStrVarCopy
__vbaStrVarMove
__vbaVar2Vec
__vbaVarAdd
__vbaVarCat
__vbaVarCmpEq
__vbaVarCmpNe
__vbaVarDup
__vbaVarMove
__vbaVarOr
VirtualAlloc
VirtualFree
VirtualProtect
wininet
wsprintfA
YYu|9E
Z^_Y[]