Analysis Date: 2014-01-23 01:31:57
MD5: 7e579276d2bdf541bfc5c0d8579486a4
SHA1: 71c3e2ca941f3671cf575102c6658c9ff698652b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1 md5: f2c87102c4ad50cd87d7f3fe974dabde sha1: c707a88f3d04e35d2ce12c0b9065524df58d43b2 size: 177664
Section .rsrc md5: 5b4c3abbdcfae02002406760c7432712 sha1: 8ceea88dae426aec5b1a86aef27c99b9938923a5 size: 512
Timestamp: 2012-04-04 03:32:42
Packer: UPX -> www.upx.sourceforge.net
PEhash: c8e405e2d686d79a0eae5d14f513ee30b06c1213
AV (avg): Worm/Generic2.BLRH
AV (avira): TR/Spy.Gen
AV (mcafee): W32/Generic.worm!p2p
AV (msse): Worm:Win32/Ainslot.A

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\Windows Defender ➝
C:\Documents and Settings\Administrator\Application Data\UK3YTJJK9T.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E7BDBDB9-EBF6-B3FC-92EA-8FBEAA2D9FEF}\StubPath ➝
C:\Documents and Settings\Administrator\Application Data\UK3YTJJK9T.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender ➝
C:\Documents and Settings\Administrator\Application Data\UK3YTJJK9T.exe
Registry: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\INSTALL\DATE\IPT7AW2NX8 ➝
January 23, 2014\\x00
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{E7BDBDB9-EBF6-B3FC-92EA-8FBEAA2D9FEF}\StubPath ➝
C:\Documents and Settings\Administrator\Application Data\UK3YTJJK9T.exe
Registry: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID\ID\IPT7AW2NX8 ➝
13's Bot\\x00
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender ➝
C:\Documents and Settings\Administrator\Application Data\UK3YTJJK9T.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\13
Creates File: \Device\Afd\AsyncSelectHlp
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\UK3YTJJK9T.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\UK3YTJJK9T.exe:*:Enabled:Windows Messanger" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f
Creates Mutex: IPT7AW2NX8

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions ➝
NULL

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions ➝
NULL

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\\malware.exe ➝
C:\\malware.exe:*:Enabled:Windows Messanger\\x00

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\UK3YTJJK9T.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\UK3YTJJK9T.exe:*:Enabled:Windows Messanger" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Application Data\UK3YTJJK9T.exe ➝
C:\Documents and Settings\Administrator\Application Data\UK3YTJJK9T.exe:*:Enabled:Windows Messanger\\x00

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\UK3YTJJK9T.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\UK3YTJJK9T.exe:*:Enabled:Windows Messanger" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Application Data\UK3YTJJK9T.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Application Data\UK3YTJJK9T.exe:*:Enabled:Windows Messanger" /f

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Network Details:

DNS: 123.no-ip.info
Type: A
127.0.0.1
DNS: 1123.no-ip.info
Type: A
76.18.250.212
Flows TCP: 192.168.1.1:1036 ➝ 76.18.250.212:3128


Strings
PERS
SETTINGS
%&'()*
00G0rE
023VBW
>02]	9r0(p
062D2BD
0%capG
&]*0DX$t
0`H>8C
"'0*Rz
0sL*#X
0SuwhO
0T r%9<
0/w(%{
',",0ZO<
15dF8F91AEE<A
1XGv/if"
20C<|0d
22A368949C0&
27OnQui
2!CH8HHK
+2;J+8
2.jD`#
32BH&hQ
32EDE121D9E2Fk
$345H1
\3ap#e
 3gp$d
}[>3/H
3#hh+#a-a(
.3l/A,7
3or+oM)
3oy.i~
3X!wD`
,4'1$H
456789:CDEFGHIJSTUVWXYZcdefg/
46[7Dw."F
\4a`Qw
4[cv4=bGa
4 .\e'jWjF
4>FA9|x7
4H4sg%
4##TTD
(4wOVl
4XMAuk
4Zp~qH+L
501E:9~
\567rp\r89
5Async?PWs
5D;uO+
5[#.j=`8
#:=5oWaiqS
,5t)eb
6ENC^f<
.6g+kH
6iH(b"
6n1?e:-VS
6T3>>F0'
6V2Ziz<p]
6WWH^)\<
7.0(0<
7033413A647k
733jhd>
7;471A
7b8x3 L
$7$dL5
.=7Kajt
7Lk82t
7o<V@`Ec7y
7PRfTkK
7S^ONv
7Z$_\WF
8|+4!>0$
<840,6q
&84az2
8@d*ar!	G2 '
8d!R8Km
8g,9-,
8	,g?h41{
{8hGFJ
(8Hht{
8_O6F6
-8|Qx2#%
9dy)}G
9g%J|i.
9l8;8L
9@NDVGI
_9R?I/p
A4B6739316C4F5B5C5*14
a4.U}N
$Aac!TI
aAliy8ek
AD'1vb 1
ADClifSteamGooko
AddRef
AdjuFPj
adyStv_q
ais{pQ
Aj'NTe
;AK,2R
alUpda
A)ox^=
AprUo'
Audio.
au&hF/
awuois=
!;Ax`.
azJiph4Hw
B2 9`f\&
B.345B.
B""7^Lz
b86mswinO
b!BUnh
b(KNsf
~Blink
b\`mMW;
+$]bQp
bss_ser'
BtKill
b+tO6h
b"XLCWB
by.ToY
c0dt&Le?
=c_6/	
;]C9HYH.
CallBaK
C	B~S-K
<Ciuqa
c]J?oH
Cog	b;
Compzb7_
+C	=Oo
',CPffK~P
CpPOO&
C:\Prog
cpy2 #
{CROL<
CrypcImage'
=CS2ZG 
cSubClHi
~CuCeG!
`Cu>@Po
@cvssPATH_WINLOGON
^C`Y`N
CZ@^O7
!d	'^ 
D0X wD
--d`1L
D5F6_S}
D6@X?O
!dDEF5
ddliWGr
df"FC^YO
^dIOu,!N
_DIP,p}
dJ	K	p
dJN2|@:X
d|lh	'
dl'vq2
/d@N:/
doIP"8
:`dp`3
DragQueB	d
\d(#t\.
dT4XNy
dWr[{C
([E0#(
E4:|	"=
<e4ym5
E4ZF7C8
E9Rl*|
~ebBrow
ect?Tor
EFB$9$xU
E\FwPN
ehk$Bj
':eIJZ
E	<ip$
E/L7wW
)Empty
EngheiZ
eOre|Fn
Ep 1?1\
EVENT_SINK_Ge
'EV?L_]
ExitProcess
E/$yEz
f4rHgAq
FACEBOOK_START
FB77EL
F> FDD
ffJB:,v
ffjfXB
.f_h'n;
 Files (x86)\Mic
:<F(:,k
$,FLLe
#)$<Fo0
F?o`?n
-f)pP&	
frmMain
fS~ijn
fuT#&D
Fz'$V#
<g0D+k
G1GWSOCK
#(g##;A
Gas@hkn
gcmdJjm=tf
gcV.on
GetProcAddress
	gG%_L2 
ghDCGUjk
GhS9 x
g`IV)g
gk(X[pm5O
G!oZ$O
GPT*|a
@GuH~i=
_\gwbAuz
G_wI^r
h0Le$`
\^,h1.
h5%LZR
h7BnV7E`r
[heQT%
h' #FX
*hg	aa
HH'--\9
HkaQCP
h}Ki{)
HOc3fg
H#pdp8
HSDuQT
HTO?lr
@HvLD0
hx`e$L
.hXfX8
\.i.<\
,I,4!'
iB6oU&
icalDr
ICK_DELAFm
ICk)S%
IE0\`S
ieframe.dl
/iJd@Nf
iMBd"C
InfoTO
InvokeV
ioZ%=40
/(IP,6
I@Q*[P
Is``h\nSM
@j` 1m
\\)j'4
JCA->$
J:,hu7
jL\Q?;
@jNF_;X
JPk(a0
%&JZ\SB3
K]>1h-
-|K:a<
KERNEL32.DLL
@@Kjka)
KP$PHD>R8
-k$(.S
|*}<kV
Kvk1w\.i.
k,\W+B
:kXpK<
L2  \_
l(4<2r
Lla+(B
l-n/on
LoadLibraryA
lobalAl
L`P*O'
Lr$$&s!
Lu"lgc3
Lus:1]K_
,l[];x
L)^Y"aA
M3 S!h
m	5N{a
MddjBvd`
M/&k0Z
^__^Mkok$
	mMl%6
modFuc(
( M^ol>uklM
MS SaX
MSVBVM60.DLL
mVBA6T
!m@vD#B
M&Xu%:]
MZ?Nzt
N' ~0~%
N0OtBo
"N2]F|
,*n8<g
NB$7Y^)o
\`:\~Nc 
*#&'..Nf
niffOS4
<N.Lx&
&NOkf	Q
NTDLL>
N&u^8U
o6IR1/
*O8^.N
-obh.&
oCHAT_ADD
o?Ged /X 
o	&<Nh
Oo'/NG
os#+Om
OsYl((
oXCCdC
 @P`@`` 
(?|&^P
P0  P3/
p1HSMv`@
p5HBITMAP
|PBGML
pDD@WI
P/\dT4"
P-_d/W
pfU<sl
picThumb
@P? j5,
p#L9.{
pmneh_
->P.Po
PRINT_
p`t uv
'[QJ{z
q%K&yA!
QL'yN W
q$nUHVS
qpk4~w;
qTxqP'D
+queezer
&]^QZ4
"\$r/ 
r!23r!
r4B`(0
r%9Mau<
r*"9z5
rAUb9]^9t]
+Rd:\SysWOW64\:
rh|Dr 
rJE}m@
rJvj_Vd
Rrh_xP9
Rr@M<7
rrmaF^uI
?RS`curity
RsH8g40
RvS| M
rZAkCK
s5&6jwct
:ScanL
s_CD1Z
s:.cpV
Screensho
Sd `\X
s<e/SrcLef]
:#sG$b
sG xI3 W 
SHDVVwCtl[{
s/JoP7a)
SL?@B<
S?l?%J
SL	p&$
SMSVBVM60
Socket
SodZP+
*soft Visual Stz\B\
|Solx!
s.op-<-
SPL2 '
S'P='r 8
>spu"Gm8
("SS=%
s the p@
STRUCTIO
sWB-_%
SZoM7Pn`
t1l"&$
&t1/T6
 -t_;2
T7^5>p0
"t8!M&)
tdby$Ru
TdT4d-b
TEgw *
!This program cannot be run in DOS mode.
Tim[?ShG
<T,iP2
 TKDQH 
:;tkEe}
[T	kT2z
`[TLTQ
TM83$- 
tmrLivLogg+
^T)M_SY4
],t~ n
[Tovbv)$5
TP-705UL?6
`tPp=+7Z
tsLWv(<
TTXW$t
,TWx##0
t:XZ0*g
u72w22\r
`:U/_B
Ud19f!4E
uf>P-T3.
uHR2\?
Un0H&i
URLDVnl
!#U\[S?
!UYl1X4
uYSphL
V00"4g
v774NE55*237X2
vaS M\
v.Bf&|
vBIV9*O
vbvm60
V&d/O<p
vf`M1P
vG=	lgj!
VirtualAlloc
VirtualFree
VirtualProtect
vjtHPgC
@VTLX6
VUc!V_0
V/vld~
VVz|fJ
w?5274
W7@rrx
	#W8d%
,W'9!G
=[_@wa
w{ AEd
W(/$>C
_WebHide
(.WGcS
wH<w<. E
/Wk.Zb
-_WMqo
^)w*n]
W@OkBgi#.
wpxkI.{t;
`wXal!
x0||{A
x3.1w^8=
%X5MS\p
x6&M+wxJ
>xB3n_
}\xEm>
xe<x9u(
xhD#G"&
,XH` n8s
\XJ]fk
x/":`n
 ,'~XN
x@&@NC 
x O  2S
XOlEh8
xphZY/
XPTPSW
xQ?|PC
xRoYlB0g
=xt4CTt
+Xt(D:
xt.&l&N(q
\+XT<LT
xUT&!'
)/X@XNG
~@Y$$|
y.@]2X
}%_%y77P|0"
@Y'a6t
yGrabbOg	V
Y@J\cD.
Yk/ qu	
yN6#HL
yotw{D&
YP+:S@@
;ypTagg
yT :][##
y&X	BO
YX"")fv/
YXF?xw
*=YX^s
Z>*1so+
Z|+:4	
Z'4;mF
%'	\zh
Zh0SQU
~zIOcm%_
{*ZP4rg[
zSBlj(
Z$}tw3
ZV5|@*