Analysis Date: 2014-02-10 22:28:09
MD5: 5e24e048ae7047eebde2ae54a05549f2
SHA1: 62714a8831b765a5e5a5477b06dc51f3ba0beeac

Static Details:

File type: PE32 executable for MS Windows (console) Intel 80386 32-bit
Section .text: md5: 39204c3136e19e64423bc92c6f65d49e sha1: 0d1f5c97f958c3a935775156d3d0396e4a7bcfcc size: 49152
Section .rdata: md5: f6d36c364dcad153273074e2e2141462 sha1: fe29f70bd9f7de42a8610963acd0b03b412efc8a size: 4096
Section .data: md5: 1c861a79a23310a5f37fc66fff01cad2 sha1: c5052f8f5a266ba965f88d15392803e205e2fcbd size: 4096
Section .rsrc: md5: 23ed285ab1fd58715c0ed2fd31614fad sha1: a2f208ac96e5e358d0fb26f1f3edaa0403f403ce size: 4096
Timestamp: 2011-11-24 00:41:46
Packer: Microsoft Visual C++ v6.0
PEhash: e48242021a5ad0d8202b42e578ce631502cd770f
AV (clamav): Win.Trojan.Firewallbypass-63

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\ztmp\tmp2487.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\ztmp\tmp5418.bat
Creates Process: C:\WINDOWS\system32\cmd.exe /c if exist "C:\Documents and Settings\Administrator\Local Settings\Temp\ztmp\tmp2487.exe" del "C:\Documents and Settings\Administrator\Local Settings\Temp\ztmp\tmp2487.exe"
Creates Process: C:\WINDOWS\system32\cmd.exe /c C:\Documents and Settings\Administrator\Local Settings\Temp\ztmp\tmp5418.bat
Creates Process: C:\WINDOWS\system32\cmd.exe /c attrib +h C:\Documents and Settings\Administrator\Local Settings\Temp\ztmp
Creates Process: C:\WINDOWS\system32\cmd.exe /c if not exist "C:\Documents and Settings\Administrator\Local Settings\Temp\ztmp" mkdir "C:\Documents and Settings\Administrator\Local Settings\Temp\ztmp"
Creates Process: C:\WINDOWS\system32\cmd.exe /c if not exist "C:\Documents and Settings\Administrator\Local Settings\Temp\afolder" mkdir "C:\Documents and Settings\Administrator\Local Settings\Temp\afolder"
Creates Process: C:\WINDOWS\system32\cmd.exe /c if exist "C:\Documents and Settings\Administrator\Local Settings\Temp\ztmp\tmp5418.bat" del "C:\Documents and Settings\Administrator\Local Settings\Temp\ztmp\tmp5418.bat"

Process
↳ C:\WINDOWS\system32\cmd.exe /c C:\Documents and Settings\Administrator\Local Settings\Temp\ztmp\tmp5418.bat

Process
↳ C:\WINDOWS\system32\cmd.exe /c if exist "C:\Documents and Settings\Administrator\Local Settings\Temp\ztmp\tmp5418.bat" del "C:\Documents and Settings\Administrator\Local Settings\Temp\ztmp\tmp5418.bat"

Process
↳ C:\WINDOWS\system32\cmd.exe /c if not exist "C:\Documents and Settings\Administrator\Local Settings\Temp\afolder" mkdir "C:\Documents and Settings\Administrator\Local Settings\Temp\afolder"

Process
↳ C:\WINDOWS\system32\cmd.exe /c attrib +h C:\Documents and Settings\Administrator\Local Settings\Temp\ztmp

Creates Process: attrib +h C:\Documents and Settings\Administrator\Local Settings\Temp\ztmp

Process
↳ C:\WINDOWS\system32\cmd.exe /c if not exist "C:\Documents and Settings\Administrator\Local Settings\Temp\ztmp" mkdir "C:\Documents and Settings\Administrator\Local Settings\Temp\ztmp"

Process
↳ C:\WINDOWS\system32\cmd.exe /c if exist "C:\Documents and Settings\Administrator\Local Settings\Temp\ztmp\tmp2487.exe" del "C:\Documents and Settings\Administrator\Local Settings\Temp\ztmp\tmp2487.exe"

Process
↳ attrib +h C:\Documents and Settings\Administrator\Local Settings\Temp\ztmp

Network Details:


Strings