Analysis Date: 2015-01-26 23:58:22
MD5: 4b46a9492c7cca3db76ae9442689c3dd
SHA1: 7856d06d56e75b727e5a2a82e96fa2d5e0048e92

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 2b6c5e4eaa353e62510f221c1be5629d sha1: c9a85755bae6a4ec8cf2f43952d00a6213b362c0 size: 274432
Section .init md5: d1f6e2163def41190bc283253ec84c03 sha1: 16ea6f96e460dc0e6a040da8039c57c0f6850ffa size: 512
Section .data md5: 19f8380be60e4b040e2916f13de27ca5 sha1: 063a6d178001569c0a223397c8de977cf969e04f size: 105472
Section .rsrc md5: 363a83314edcf5671956bd3cf56deb32 sha1: cf4b70932682c13a19071e7eeb9bee7192665f82 size: 6656
Timestamp: 1970-01-01 05:39:35
PEhash: cca7d95b126df28aebdd31810e797b9877f624d0
IMPhash: 2c44b6a31ebe9506b1dc60cd7d29f3f4
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Variant.Kazy.8433
AV Alwil (avast): MalOb-EY [Cryp]
AV Arcabit (arcavir): Gen:Variant.Kazy.8433
AV Authentium: W32/FakeAlert.JW.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV BullGuard: Gen:Variant.Kazy.8433
AV CA (E-Trust Ino): Win32/FakeSpypro.B!generic
AV CAT (quickheal): FraudTool.Security
AV ClamAV: Trojan.Fakesec-309
AV Dr. Web: Trojan.Fakealert.19937
AV Emsisoft: Gen:Variant.Kazy.8433
AV Eset (nod32): Win32/Kryptik.JSH
AV Fortinet: W32/FakeAV.PACK!tr
AV Frisk (f-prot): W32/FakeAlert.JW.gen!Eldorado
AV F-Secure: Trojan-Downloader:W32/Agent.DQKV
AV Grisoft (avg): FakeAlert.XE
AV Ikarus: Trojan.Win32.Winwebsec
AV K7: Trojan ( 001f4c421 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.FakeAlert
AV Mcafee: Generic FakeAlert.amb
AV Microsoft Security Essentials: Rogue:Win32/Winwebsec
AV MicroWorld (escan): Gen:Variant.Kazy.8433
AV Rising: no_virus
AV Sophos: Mal/FakeAV-DO
AV Symantec: VirusDoctor!gen1
AV Trend Micro: TROJ_FAKEAV.SMID
AV VirusBlokAda (vba32): Trojan.FakeAV.0997

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\All Users\Application Data\nApFg01803\nApFg01803.exe
Creates File: C:\7856d06d56e75b727e5a2a82e96fa2d5e0048e92
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\a41D6.tmp
Deletes File: C:\7856d06d56e75b727e5a2a82e96fa2d5e0048e92
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\aCF22.tmp"
Creates Process: "C:\Documents and Settings\All Users\Application Data\nApFg01803\nApFg01803.exe" "C:\malware.exe"

Process
↳ "C:\Documents and Settings\All Users\Application Data\nApFg01803\nApFg01803.exe" "C:\malware.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nApFg01803 ➝
C:\Documents and Settings\All Users\Application Data\nApFg01803\nApFg01803.exe\\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\Application Data\nApFg01803\nApFg01803
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: Microsoft Compatible 1001
Winsock DNS: 91.193.194.40

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\aCF22.tmp"

Network Details:

HTTP GET: http://91.193.194.40/lurl.php?affid=01803
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB0.0; .NET CLR 1.1.4322)
HTTP GET: http://91.193.194.40/install.php?affid=01803
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB0.0; .NET CLR 1.1.4322)
Flows TCP: 192.168.1.1:1031 ➝ 91.193.194.40:80
Flows TCP: 192.168.1.1:1031 ➝ 91.193.194.40:80
Flows TCP: 192.168.1.1:1032 ➝ 91.193.194.40:80

Raw Pcap
0x00000000 (00000)   47455420 2f6c7572 6c2e7068 703f6166   GET /lurl.php?af
0x00000010 (00016)   6669643d 30313830 33204854 54502f31   fid=01803 HTTP/1
0x00000020 (00032)   2e310d0a 52656665 7265723a 20687474   .1..Referer: htt
0x00000030 (00048)   703a2f2f 39312e31 39332e31 39342e34   p://91.193.194.4
0x00000040 (00064)   300d0a41 63636570 743a202a 2f2f2a0d   0..Accept: *//*.
0x00000050 (00080)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000060 (00096)   696c6c61 2f342e30 2028636f 6d706174   illa/4.0 (compat
0x00000070 (00112)   69626c65 3b204d53 49452037 2e303b20   ible; MSIE 7.0; 
0x00000080 (00128)   57696e64 6f777320 4e542035 2e313b20   Windows NT 5.1; 
0x00000090 (00144)   47544230 2e303b20 2e4e4554 20434c52   GTB0.0; .NET CLR
0x000000a0 (00160)   20312e31 2e343332 32290d0a 486f7374    1.1.4322)..Host
0x000000b0 (00176)   3a203931 2e313933 2e313934 2e34300d   : 91.193.194.40.
0x000000c0 (00192)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x000000d0 (00208)   702d416c 6976650d 0a436163 68652d43   p-Alive..Cache-C
0x000000e0 (00224)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x000000f0 (00240)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e73 74616c6c 2e706870   GET /install.php
0x00000010 (00016)   3f616666 69643d30 31383033 20485454   ?affid=01803 HTT
0x00000020 (00032)   502f312e 310d0a52 65666572 65723a20   P/1.1..Referer: 
0x00000030 (00048)   68747470 3a2f2f39 312e3139 332e3139   http://91.193.19
0x00000040 (00064)   342e3430 0d0a4163 63657074 3a202a2f   4.40..Accept: */
0x00000050 (00080)   2f2a0d0a 55736572 2d416765 6e743a20   /*..User-Agent: 
0x00000060 (00096)   4d6f7a69 6c6c612f 342e3020 28636f6d   Mozilla/4.0 (com
0x00000070 (00112)   70617469 626c653b 204d5349 4520372e   patible; MSIE 7.
0x00000080 (00128)   303b2057 696e646f 7773204e 5420352e   0; Windows NT 5.
0x00000090 (00144)   313b2047 5442302e 303b202e 4e455420   1; GTB0.0; .NET 
0x000000a0 (00160)   434c5220 312e312e 34333232 290d0a48   CLR 1.1.4322)..H
0x000000b0 (00176)   6f73743a 2039312e 3139332e 3139342e   ost: 91.193.194.
0x000000c0 (00192)   34300d0a 436f6e6e 65637469 6f6e3a20   40..Connection: 
0x000000d0 (00208)   4b656570 2d416c69 76650d0a 43616368   Keep-Alive..Cach
0x000000e0 (00224)   652d436f 6e74726f 6c3a206e 6f2d6361   e-Control: no-ca
0x000000f0 (00240)   6368650d 0a0d0a                       che....


Strings
R
.
.
`
.
.
.
D
[
..
.W
K
.
.
F.
o
.0
g.
.

#`bG
ga"a
~/}+	"
0BrB8?<Bl
0\@|d>
0Jm~E<
0^_o&i
0x3,;5765
0:.Yry#
>13"kC25
1;7a]@
[1,/!c
	=1o}n
1Rhlp%
1Z33wG9
-`/;@2
>2Pd{~[
~*2q~7osd
2VxxUmg
2zSWuZ
3Atw**
3pX,'d
{~3v]%
|3Z*%%
4+D1(.
4hLibr.
4hLoad.
4hualP.
4hyEnt.
4km-<e
50.sy#
5,<E>aa
6aX$*da
6vo< lb
6w>?/M
<\75 `
'*7'b(
"7/esO
['/7lg
8*0|w>
8L/]L&
8O)$?5C
8,OkSSjP
8w.	%J
8?[x}<v
9sPUr}+
9U3/8y
ad2|UB
ADVAPI32.dll
&Ai!`]
a _kH^V
an(c26
aPH{5'
A RzG:
</assembly>
  <assemblyIdentity
      <assemblyIdentity
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
AY7sxI
\bA@(c;
BN3PBp
Br'ic4
cFYUQMp
@c/v('
['/{d&
??*D=@
damy2G
@.data
DdeDisconnect
  </dependency>
  <dependency>
    </dependentAssembly>
    <dependentAssembly>
	dHM2d
dInL?Z
~E	,^9@
e AYa.
ec"Y~!
eowvLE
E+#)xw
F4r(hu
%F/*6b[
<Fbdh9E
(=}Fs4
Fv~?i/
=G>7-af
GetModuleHandleW
>GetP.
GetStartupInfoA
GetTickCount
|hc<tc
hData.
HhTEpH
hjSY~_
hlAll.
hmage.
h_.nzD
Hr2a;3
HRmLTI
hryTo.
h{t[I(
hwY84<
iBa'XD
``I|dg
iH^.PZ
I~I];9@
`.init
iNj	RB
IpKNoe
ir/`P`X
:"IsNa
	J3kXs"a
j6/V~j
*J8h~{
J BrSY
j.*e[|
:JR0c+
jX{/uX%o
jy;+5L
K8L*6)1pB
_,>kb$p QW'a
KdeDWa{
KERNEL32.dll
kgO>TS*1
kIKkl{	
>;KOM{
'KqE>.
KR`<ap
	,Ku~Y
k[,yB3Hxz
l4(=?^
L}.5*&
L7y"1$Fa
        language="*"
-L<bBR
          level="asInvoker"
LN-ec$"
lSrHz1=
|ly5vkU6
Lz9J("
_lz*;$H
~/M'?9
[M(auO
~MoZ!B
mx^	!c
&my*:C
n[15z/PyS
-n	792
    name="DelphiApplication"
        name="Microsoft.Windows.Common-Controls"
NHq` 'a}
(n(hqSS
Nwn-v|
)[Nx}=[
>n~Y?q
ODBC32.dll
o=fRNJ\
_Oiz-L
OrZ(rx
[O|tS89
O,TuVT
^OT|V`
OutputDebugStringA
ow|/WQ
~o~~_Y
p4hntdl.
P^65k;(
PCzrZu
pJRin_
\.	Plxz
PnQ1L*
Pp>[hY
        processorArchitecture="*"/>
    processorArchitecture="*"/>
~PTmpr
,PU0Y;H
        publicKeyToken="6595b64144ccf1df"
P(U*;q
PX^1PX
PX^1VX
PX^5RX
PX^5WX
PX^9SX
PX^aSX
PX^AUX
PX^AXX
PX^EPX
PX^eTX
PX^EVX
PX^IRX
PX^iUX
PX^IWX
PX^iXX
PX^mPX
PX^MSX
PX^mVX
PX^	PX
PX^qRX
PX^QTX
PX^qWX
PX^!QX
PX^]RX
PX^%SX
PX^=TX
PX^)TX
PX^uSX
PX^UUX
PX^-UX
PX^}UX
PX^UXX
PX^	VX
PX^!WX
PX^]WX
PX^-XX
PX^}XX
PX^YPX
PX^yTX
PX^YVX
Pyw`@tf
><[_q/]>
Q[)2a$B
=Q aDU
;~QG]M~w
q}\~QMr}:0{
]QrSjR
QueryPerformanceFrequency
qZPa0Z
R	6~7iB
R/6IOe
R8<08pb
RaiseException
RegOpenKeyExA
RegQueryValueExA
        <requestedExecutionLevel
      </requestedPrivileges>
      <requestedPrivileges>
_rijTj3
>rocA.
,RtyZB
RZ%s[B
|_*{S&
S)7H$$
    </security>
    <security>
SFG%g6jq
;S.K @
sl-.*u
S;+n1>
S/nQ/#
snUUU]a
S]p<[6
SQLFreeHandle
[Sx<QB
TA=v5u
	@tB\!ui
>T<(-d
td%fr*R
+tdvw,
.</tE6?.\
&T,gnr
!This program cannot be run in DOS mode.
tHw	$H
~?@T\K
Tnw	s_5
TQ~h]=
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
;TTPrE
twW}EK
tXJ];Z'
        type="win32"
    type="win32"
@)U=5c
Ua}'Xs
U>{DPh
U(hNJC
~	uhYL
          uiAccess="false"/>
/UKnwP
;_u|m8
U(--P_
USER32.dll
u;T7[y
UXWzR"
UyPU? @
V8/Iy}/$l
,Va3qI,w
    version="1.0.0.0"
        version="6.0.0.0"
[vHQ q
<,vJ&2
vkp_lG
Vlw4R|\S2s
~/_vS 
vX'14;
W;|{?_
w16JSx
<w5>$d
(Wd/:a?[
w%H0fL4
WHS<	SS
W_n~P/a
/wO/s#
\Wp?+o
w/pTPs
~{w,Yf
wYFI}[
;_X<9X
XAKoFm
!xAw2sx
/Xl-7y
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
X+v]/p'
xxV4Z.
^xYk7V:
~/|Y*3
y7YPv8(
Yj+o,'
y:<>kb
ymU|ZE
~}y_[U
YvKO	d
{Y;w3u
~/yZcQ
~/-\/z
/Z4t7j
+Z5wnU9
zG|w%>
$Zl1112a$
ZmmNMsv
ZoyQQ\P^
zpoj `
zwY,,DB