Analysis Date: 2014-01-03 17:59:04
MD5: b78f42a0702eef7171882ae140386681
SHA1: 6d2f0d4959c809d2388ba440f2014d848bd1c881

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 4b2110683dc2e8383cc7d1e3ac758857 sha1: 9bf9213874c84f959633d12928292ded5033971a size: 16384
Section .rdata md5: befaf25c5848aa388d01f5b3db290635 sha1: 4c9b475bee62fb73ba51c04ac5d88be58f236a14 size: 8192
Section .data md5: 79471f1eae49c6e65c977d2c194e456f sha1: 77fc2529935ed1b198232102a7a3cc4d2cd08994 size: 4096
Section .rsrc md5: 2b201de1d1eedb0cd3ebff325607419d sha1: e8b577f3471bdd14a66aa4c1bf2e743144b33300 size: 4096
Timestamp: 2003-02-04 06:49:16
Version
LegalCopyright: Copyright (C) 2002
InternalName: winxt
FileVersion: 1, 0, 0, 1
CompanyName:
PrivateBuild:
LegalTrademarks:
Comments:
ProductName: winxt Application
SpecialBuild:
ProductVersion: 1, 0, 0, 1
FileDescription: winxt MFC Application
OriginalFilename: winxt.EXE
Packer: Microsoft Visual C++ v6.0
PEhash: 3f3a8d4f42df92567aa6331e33920d4d733d5400
AV avira: TR/Homepage.A.3
AV avg: Generic.TDQ
AV msse: Trojan:Win32/Homepage.E
AV mcafee: StartPage-AO

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WINTASK ➝
C:\WINDOWS\winxt.exe\\x00
Registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File C:\WINDOWS\6d2f0d4959c809d2388ba440f2014d848bd1c881.INI
Creates File C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File \Device\Afd\AsyncConnectHlp
Creates File C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File \Device\Afd\AsyncSelectHlp
Creates File PIPE\lsarpc
Creates File \Device\Afd\Endpoint
Creates Mutex c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex WininetConnectionMutex
Creates Mutex c:!documents and settings!administrator!cookies!
Creates Mutex c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS 38.117.129.33

Network Details:

DNS any-rc.a01.yahoodns.net
Type: A
68.180.206.184
DNS www.yahoo.co.kr
Type: A
HTTP GET http://38.117.129.33/oki/login.asp?login=in
User-Agent: MyTest agent
HTTP GET http://38.117.129.33/downloadfiles/display.ini
User-Agent: MyTest agent
HTTP GET http://38.117.129.33/downloadfiles/version.ini
User-Agent: MyTest agent
Flows TCP 192.168.1.1:1031 ➝ 68.180.206.184:80
Flows TCP 192.168.1.1:1032 ➝ 38.117.129.33:80
Flows TCP 192.168.1.1:1033 ➝ 68.180.206.184:80
Flows TCP 192.168.1.1:1034 ➝ 38.117.129.33:80
Flows TCP 192.168.1.1:1035 ➝ 68.180.206.184:80
Flows TCP 192.168.1.1:1036 ➝ 38.117.129.33:80

Raw Pcap
0x00000000 (00000)   47455420 2f6f6b69 2f6c6f67 696e2e61   GET /oki/login.a
0x00000010 (00016)   73703f6c 6f67696e 3d696e20 48545450   sp?login=in HTTP
0x00000020 (00032)   2f312e31 0d0a4163 63657074 3a202a2f   /1.1..Accept: */
0x00000030 (00048)   2a0d0a55 7365722d 4167656e 743a204d   *..User-Agent: M
0x00000040 (00064)   79546573 74206167 656e740d 0a486f73   yTest agent..Hos
0x00000050 (00080)   743a2033 382e3131 372e3132 392e3333   t: 38.117.129.33
0x00000060 (00096)   0d0a4361 6368652d 436f6e74 726f6c3a   ..Cache-Control:
0x00000070 (00112)   206e6f2d 63616368 650d0a0d 0a          no-cache....

0x00000000 (00000)   47455420 2f646f77 6e6c6f61 6466696c   GET /downloadfil
0x00000010 (00016)   65732f64 6973706c 61792e69 6e692048   es/display.ini H
0x00000020 (00032)   5454502f 312e310d 0a416363 6570743a   TTP/1.1..Accept:
0x00000030 (00048)   202a2f2a 0d0a5573 65722d41 67656e74    */*..User-Agent
0x00000040 (00064)   3a204d79 54657374 20616765 6e740d0a   : MyTest agent..
0x00000050 (00080)   486f7374 3a203338 2e313137 2e313239   Host: 38.117.129
0x00000060 (00096)   2e33330d 0a436163 68652d43 6f6e7472   .33..Cache-Contr
0x00000070 (00112)   6f6c3a20 6e6f2d63 61636865 0d0a0d0a   ol: no-cache....
0x00000080 (00128)   4d540d0a 0d0a3c68 746d6c3e 0a20203c   MT....<html>.  <
0x00000090 (00144)   68656164 3e0a2020 20203c74 69746c65   head>.    <title
0x000000a0 (00160)   3e343034 204e6f74 20466f75 6e643c2f   >404 Not Found</
0x000000b0 (00176)   7469746c 653e0a20 203c2f68 6561643e   title>.  </head>
0x000000c0 (00192)   0a20203c 626f6479 3e0a2020 20203c68   .  <body>.    <h
0x000000d0 (00208)   313e4e6f 7420466f 756e643c 2f68313e   1>Not Found</h1>
0x000000e0 (00224)   0a202020 203c703e 596f7572 2062726f   .    <p>Your bro
0x000000f0 (00240)   77736572 2073656e 74206120 72657175   wser sent a requ
0x00000100 (00256)   65737420 74686174 20746869 73207365   est that this se
0x00000110 (00272)   72766572 20636f75 6c64206e 6f742075   rver could not u
0x00000120 (00288)   6e646572 7374616e 642e3c2f 703e0a20   nderstand.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   47455420 2f646f77 6e6c6f61 6466696c   GET /downloadfil
0x00000010 (00016)   65732f76 65727369 6f6e2e69 6e692048   es/version.ini H
0x00000020 (00032)   5454502f 312e310d 0a416363 6570743a   TTP/1.1..Accept:
0x00000030 (00048)   202a2f2a 0d0a5573 65722d41 67656e74    */*..User-Agent
0x00000040 (00064)   3a204d79 54657374 20616765 6e740d0a   : MyTest agent..
0x00000050 (00080)   486f7374 3a203338 2e313137 2e313239   Host: 38.117.129
0x00000060 (00096)   2e33330d 0a436163 68652d43 6f6e7472   .33..Cache-Contr
0x00000070 (00112)   6f6c3a20 6e6f2d63 61636865 0d0a0d0a   ol: no-cache....
0x00000080 (00128)   4d540d0a 0d0a3c68 746d6c3e 0a20203c   MT....<html>.  <
0x00000090 (00144)   68656164 3e0a2020 20203c74 69746c65   head>.    <title
0x000000a0 (00160)   3e343034 204e6f74 20466f75 6e643c2f   >404 Not Found</
0x000000b0 (00176)   7469746c 653e0a20 203c2f68 6561643e   title>.  </head>
0x000000c0 (00192)   0a20203c 626f6479 3e0a2020 20203c68   .  <body>.    <h
0x000000d0 (00208)   313e4e6f 7420466f 756e643c 2f68313e   1>Not Found</h1>
0x000000e0 (00224)   0a202020 203c703e 596f7572 2062726f   .    <p>Your bro
0x000000f0 (00240)   77736572 2073656e 74206120 72657175   wser sent a requ
0x00000100 (00256)   65737420 74686174 20746869 73207365   est that this se
0x00000110 (00272)   72766572 20636f75 6c64206e 6f742075   rver could not u
0x00000120 (00288)   6e646572 7374616e 642e3c2f 703e0a20   nderstand.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.


Strings
040904b0
1, 0, 0, 1
Arial
Comments
CompanyName
Copyright (C) 2002
FileDescription
FileVersion
InternalName
LegalCopyright
LegalTrademarks
OriginalFilename
PrivateBuild
ProductName
ProductVersion
SpecialBuild
StringFileInfo
System Robot
Translation
VarFileInfo
VS_VERSION_INFO
winxt
winxt Application
winxt.EXE
winxt MFC Application
??1type_info@@UAE@XZ
Accept: */*
_acmdln
_adjust_fdiv
||Adult||
ADVAPI32.dll
.?AVtype_info@@
_controlfp
CURRENT_VER
__CxxFrameHandler
@.data
DeleteFileA
__dllonexit
D$ PSj
DrawIcon
EnableWindow
_except_handler3
FindWindowA
GetClientRect
GetDesktopWindow
__getmainargs
GetModuleHandleA
GetStartupInfoA
GetSystemMetrics
GetTickCount
GetTopWindow
GetWindow
GetWindowsDirectoryA
GetWindowTextA
http://38.117.129.33/downloadfiles/display.ini
http://38.117.129.33/downloadfiles/systemadv.exe
http://38.117.129.33/downloadfiles/version.ini
http://38.117.129.33/oki/
_initterm
Internet
IsIconic
jPh@p@
KERNEL32.dll
KillTimer
L$|_^]
L$$jdQ
LoadIconA
lstrcpyA
lstrlenA
\maildata.ini
\mailsend.ini
MFC42.DLL
MSVCRT.dll
MyTest agent
ole32.dll
_onexit
.PAVCInternetException@@
__p__commode
__p__fmode
PROGINFO
`.rdata
RegOpenKeyExA
RegSetValueExA
SendMessageA
__set_app_type
SetFileAttributesA
_setmbcp
SetTimer
__setusermatherr
SHELL32.dll
ShellExecuteA
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SSh$q@
\system32
\systemadv.ini
\system\systemadv.exe
!This program cannot be run in DOS mode.
USER32.dll
\winbooter.exe
\winbooter.ini
WINTASK
\winxt.exe
\winxt.ini
www.yahoo.co.kr
_XcptFilter