Analysis Date: 2014-04-20 09:36:39
MD5: 4b319c99ba6954280b741830378af775
SHA1: 62ed8fca321a83a3a9c15e7bdbc3ffb3726a90a0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 2c4bb8b47014fe10fbae81b647765b05 sha1: b378ef284a7c046ccb55e46ecdddc5dfd59238c6 size: 5632
Section .rdata md5: ebe999101d1e5a1ab2c332f860d9c199 sha1: 37f7d0894dfd74d5fec54df6a019acaf936c13f4 size: 1024
Section .data  md5: dc00dd20968de0aa2519f2fcd477b95e sha1: 1dfbf0a9d682b5da59140721025be4ff32398f0d size: 1024
Section .rsrc  md5: 1c7896859b5566ee4e2237a91914be19 sha1: 170e4dbc2699ca0aaf7480b1b9d4a3862a7554e5 size: 10752
Timestamp: 2011-08-03 14:49:31
PEhash: 76e28bf0069368042bd630b914b62129cf7795f7
IMPhash: ca493c3ccf68b676fe34cfa87494e1a8
AV (avg): Generic_s.DBS
AV (mcafee): Downloader-FSH!4B319C99BA69

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\dafon.exe
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\dafon.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\dafon.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: premiercrufinewine.co.uk

Network Details:

DNS: premiercrufinewine.co.uk (Type: A) ➝ 188.65.114.122
Flows TCP: 192.168.1.1:1031 ➝ 188.65.114.122:80

Strings (legible strings only; unprintable byte sequences omitted):

About
C:\DOCUME~1\MSHAHR~1.SOU\LOCALS~1\Temp\Temporary Directory 1 for CH_Case_3654421.zip\CH_Case_21032014.scr
LOAD
Microsoft Sans Serif
MS Sans Serif
SAVE
seconddial
ter version.
Text
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA
CharLowerA
CloseHandle
COMCTL32.dll
CreateDirectoryA
.data
DestroyCursor
DestroyMenu
DialogBoxParamA
diminutiveness
DispatchMessageA
EndDialog
GDI32.dll
GetDlgItem
GetMessageA
GetModuleHandleA
GetStartupInfoA
GetTextExtentPoint32A
GetTickCount
KERNEL32.dll
MessageBoxA
PostMessageA
.rdata
ScrollWindow
SendMessageA
SetScrollInfo
SetWindowTextA
ShowCursor
!This program cannot be run in DOS mode.
TranslateMessage
USER32.dll