Analysis Date: 2015-07-02 10:24:47
MD5: 3b526a6f420037a323e9dbd04ade1d9f
SHA1: 660db67d120e18eb7a25f4e67f4901771024b3b8

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 36711609dadf65fb264d0080fd11fde7 sha1: d56bc446f7097cab4ba68056162ce344e9d7830c size: 606208
Section .rdata: md5: d9db998ca88e8e90d32b63cf491c2c17 sha1: ac4253aa93a4f973797e8122cee85bb3372e18bd size: 876544
Section .data: md5: 3b726ae3448ae6f7efb1e8d209dc4e0e sha1: e4490db6bcaa74c2edb1a21e004385ef8ec4f82d size: 77824
Section .rsrc: md5: 99ba34aa89a5acba66a5831113e8bedf sha1: 82b90ff469028e7c2b030024c7580b32c6d56617 size: 32768
Timestamp: 2015-05-25 04:27:33
Version:
  LegalCopyright: 作者版权所有 请尊重并使用正版
  FileVersion: 1.0.0.0
  Comments: 免费刷枪
  ProductName: 易语言程序
  ProductVersion: 1.0.0.0
  FileDescription: 免费刷枪
Packer: Microsoft Visual C++ v6.0
PEhash: a23403f96e07da1346eb9337a618eb5cdff904db
IMPhash: a33b2e49bea912457e4eb7a18e092c19
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Graftor.58247
AV Dr. Web: no_virus
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Graftor.58247
AV BullGuard: Gen:Variant.Graftor.58247
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: no_virus
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Graftor.58247
AV Ikarus: no_virus
AV Frisk (f-prot): W32/Agent.EW.gen!Eldorado
AV Authentium: W32/Agent.EW.gen!Eldorado
AV MalwareBytes: no_virus
AV MicroWorld (escan): Gen:Variant.Graftor.58247
AV Microsoft Security Essentials: no_virus
AV K7: no_virus
AV BitDefender: Gen:Variant.Graftor.58247
AV Fortinet: no_virus
AV Symantec: no_virus
AV Grisoft (avg): no_virus
AV Eset (nod32): no_virus
AV Alwil (avast): Evo-gen [Susp]
AV Ad-Aware: Gen:Variant.Graftor.58247
AV Twister: Trojan.33C0C390558BEC@13.mg
AV Avira (antivir): no_virus
AV Mcafee: no_virus
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\WINDOWS\system32\jf2015.ini
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012015070220150703\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\logo[1].gif
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\2345[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Deletes File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013061320130614\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013052720130603\index.dat
Creates Mutex: _!SHMSFTHISTORY!_
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!mshist012015070220150703!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: www.2345.com

Network Details:

DNS: www.2345.com, Type: A ➝ 42.62.30.180
HTTP GET: http://www.2345.com/?k93327568
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.2345.com/logo.gif
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 42.62.30.180:80
Flows TCP: 192.168.1.1:1033 ➝ 42.62.30.180:80
