Analysis Date: 2014-07-02 20:09:07
MD5: 4b497ce9e97da358409a470a661d1b7f
SHA1: 600888b9024514f5f5817e5412e7b95e8003fba8

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section @.Du@ md5: 6cabbde12566ac48fddf0247761b9f42 sha1: 3493626447ac8630da3abefb03ae87b2e7698be8 size: 512
Section @.Du@ md5: 48fc50d967adb2e4e4c1457f06467bdf sha1: b24339356ffb31d311e8cca6f073fe1ed7d6bf3f size: 24557
Section @.Du@ md5: b608d61997f2d0522f00296bcbf47973 sha1: a40ac2ad0c22ddf6df6774b6cdaa88effd6b5465 size: 6656
Section @.Du@ md5: 282aed9e966419fd7d8dd00bf7b7fbe1 sha1: ce4f29cb49a40db6e36cebb59fc322a758894927 size: 512
Timestamp: 2016-01-04 19:36:07
Packer: UPX v0.80 - v0.84
PEhash: 8893f14e93a526d597e7ae47f0fa87e111687ddb
IMPhash: 469b1bae2575baede5bf1f06a01b4767
AV 360 Safe: Gen:Trojan.Heur.GM.10008305A1
AV Ad-Aware: Gen:Trojan.Heur.GM.10008305A1
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Packed.Klone.bu
AV Authentium: no_virus
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader10.6042
AV Emsisoft: Gen:Trojan.Heur.GM.10008305A1
AV Eset (nod32): Win32/Alyak.E
AV Fortinet: W32/FraudPackTM.A!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Trojan.Heur.GM.10008305A1
AV Grisoft (avg): Win32/DH{MYENA2eBEgBdOSAlNlAK}
AV Ikarus: Packed.Win32.Klone
AV K7: Trojan ( 00067a4b1 )
AV Kaspersky: Packed.Win32.Klone.bu
AV MalwareBytes: no_virus
AV Mcafee: Generic BackDoor.aee
AV Microsoft Security Essentials: TrojanDownloader:Win32/Kanav.C
AV MicroWorld (escan): Gen:Trojan.Heur.GM.10008305A1
AV Norman: win32:win32/SB/Obfuscated_FA
AV Rising: Trojan.Win32.Vmtoolsd.a
AV Sophos: Mal/EncPk-ACW
AV Symantec: no_virus
AV Trend Micro: TROJ_SPNR.16HJ12
AV VirusBlokAda (vba32): TScope.Malware-Cryptor.SB

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{DFB10E96-86B3-4F73-442C-E68279D786EF}\stubpath ➝ %SystemRoot%\system32\vmtoolsd.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Creates File: C:\WINDOWS\system32\vmtoolsd.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: reg delete "HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{DFB10E96-86B3-4F73-442C-E68279D786EF}" /f
Creates Process: C:\WINDOWS\system32\cmd.exe /c del C:\600888~1.EXE > nul
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: googleads
Winsock URL: http://www.issuejeju.com/poll/update.txt
Winsock URL: http://blog.yahoo.com/naverblog/articles/601941/commentRss

Process
↳ C:\WINDOWS\system32\cmd.exe /c del C:\600888~1.EXE > nul

Creates File: nul
Deletes File: C:\malware.exe

Process
↳ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{DFB10E96-86B3-4F73-442C-E68279D786EF}" /f

Network Details:

DNS: www.issuejeju.com, Type: A, 121.78.127.76
DNS: any-rc.a01.yahoodns.net, Type: A, 98.139.102.145
DNS: any-rc.a01.yahoodns.net, Type: A, 74.6.50.150
DNS: blog.yahoo.com, Type: A
HTTP GET: http://www.issuejeju.com/poll/update.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
HTTP GET: http://blog.yahoo.com/naverblog/articles/601941/commentRss
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Flows TCP: 192.168.1.1:1031 ➝ 121.78.127.76:80
Flows TCP: 192.168.1.1:1032 ➝ 98.139.102.145:80

Raw Pcap

Strings