Analysis Date: 2014-12-19 06:03:54
MD5: a99df24cd5871a6c8558e12a9af63d5a
SHA1: 7859c20ab8c4b3b80874fa6ead79dc959a5f7aca

Static Details:

File type: UTF-8 Unicode (with BOM) HTML document text, with very long lines
AV 360 Safe: no_virus
AV Ad-Aware: no_virus
AV Alwil (avast): Includer-BCE [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): no_virus
AV BullGuard: no_virus
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): JS/Redirector.NB
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: no_virus
AV Eset (nod32): no_virus
AV Fortinet: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: no_virus
AV Grisoft (avg): JS/Exploit
AV Ikarus: no_virus
AV K7: no_virus
AV Kaspersky: Trojan.Script.Generic
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: Trojan:JS/Redirector.NT
AV MicroWorld (escan): no_virus
AV Rising: no_virus
AV Sophos: Troj/JSRedir-NZ
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus
AV Zillya!: no_virus

Runtime Details:

Process
↳ C:\malware.html

Creates Process: C:\malware.html

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore\Type ➝ 4
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links\Order ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore\Type ➝ 3
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore\Type ➝ 4
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012014121920141220\index.dat
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013061320130614\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013052720130603\index.dat
Creates Mutex: _!SHMSFTHISTORY!_
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: MSIMGSIZECacheMutex
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!mshist012014121920141220!
Creates Mutex: Shell.CMruPidlList
Winsock DNS: obh2408.com
Winsock DNS: life-point.eu

Process
↳ C:\malware.html

Network Details:

DNS: obh2408.com (Type: A) ➝ 216.185.34.6
DNS: life-point.eu (Type: A) ➝ 81.169.145.163
HTTP GET: http://obh2408.com/swfobject.js
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://obh2408.com/EMAIL-LOGO.jpg
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 216.185.34.6:80
Flows TCP: 192.168.1.1:1033 ➝ 216.185.34.6:80
Flows TCP: 192.168.1.1:1034 ➝ 81.169.145.163:80

Raw Pcap

Strings