Analysis | #totalhash

Analysis Date	2015-08-30 10:36:12
MD5	c706818999d4ee58e1a92e861bae4593
SHA1	7a5f1744cb9dc27b25f41f35dfcc7dd9cda8ef94

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: c02003b9f50c63f6a112afcee0c8057e sha1: 7a491315e9fb929b216e9d249e0b05bee0c28465 size: 16384
Section	.data md5: 2395a14b242238675b3a7322d039eb97 sha1: 9221e044437a07c96ff3c8a686e1f031edf554aa size: 4096
Section	.rsrc md5: baabdff38152118699c72fc17e454372 sha1: 519883dd302e18b465fe071e2fb2957501e1d7ad size: 8192
Section	!55u md5: ffccfd36c9221262daf9c80078381cc6 sha1: 7609473bf88e44f5d63c27ecdb506b5d8da32e38 size: 20480
Section	.tc md5: e347d822422ba661f7c3e4bf8a8b7f6f sha1: 6bf1063e8583ccbf180c94472bdff061fe1558a8 size: 28672
Section	W55uj md5: ac24c787a37de1970c6a76cc925d23ae sha1: f9be0490c0e36e40543b7f0a43fc0faf38f3b8fd size: 20480
Timestamp	2001-07-19 19:29:57
Pdb path	pdb
Version	LegalCopyright: Copyright (C) Microsoft Corp. 1981-2000 InternalName: MSNUNIN FileVersion: 6.10.0016.1624 CompanyName: Microsoft Corporation Built by: msnbld ProductName: Microsoft(R) MSN (R) Communications System ProductVersion: 6.10.0016.1624 FileDescription: MSN Uninstall Progman OriginalFilename: MSNUNIN.EXE LegalCopyright: Copyright (C) Microsoft Corp. 1981-2000 InternalName: MSNUNIN FileVersion: 6.10.0016.1624 CompanyName: Microsoft Corporation Built by: msnbld ProductName: Microsoft(R) MSN (R) Communications System ProductVersion: 6.10.0016.1624 FileDescription: MSN Uninstall Progman OriginalFilename: MSNUNIN.EXE
PEhash	1234840ca0de89bfdc80714a9d3a95e2890a2ea7
IMPhash	2a1c59f2822a4b9e0435e5c824306502
AV	Rising	Win32.Roue.a
AV	Mcafee	W32/Kudj
AV	Avira (antivir)	W32/Jadtre.B
AV	Twister	Virus.558BEC81EC@120000#.mg
AV	Ad-Aware	Win32.VJadtre.3
AV	Alwil (avast)	Malware-gen:Viking-CF:Win32:Malware-gen:Win32:Viking-CF
AV	Eset (nod32)	Win32/Wapomi.BA virus
AV	Grisoft (avg)	Win32/Wapomi.I
AV	Symantec	W32.Wapomi.C!inf
AV	Fortinet	W32/Nimnul.F
AV	BitDefender	Win32.VJadtre.3
AV	K7	Virus ( 0040f7441 )
AV	Microsoft Security Essentials	Virus:Win32/Mikcer.B
AV	MicroWorld (escan)	Win32.VJadtre.3
AV	MalwareBytes	no_virus
AV	Authentium	W32/PatchLoad.E
AV	Frisk (f-prot)	W32/PatchLoad.E
AV	Ikarus	Trojan-Downloader.Win32.Small
AV	Emsisoft	Win32.VJadtre.3
AV	Zillya!	Virus.Nimnul.Win32.5
AV	Kaspersky	Virus.Win32.Nimnul.f
AV	Trend Micro	PE_WAPOMI.BM
AV	CAT (quickheal)	W32.Nimnul.F1
AV	VirusBlokAda (vba32)	Virus.Nimnul.19209
AV	Padvish	no_virus
AV	BullGuard	Win32.VJadtre.3
AV	Arcabit (arcavir)	Win32.VJadtre.3
AV	ClamAV	Win.Trojan.Downloader-64296
AV	Dr. Web	BackDoor.Darkshell.246
AV	F-Secure	Win32.VJadtre.3
AV	CA (E-Trust Ino)	Win32/Nimnul.A

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File	C:\Documents and Settings\Administrator\Local Settings\Temp\cbikpg.exe
Creates File	C:\Documents and Settings\Administrator\Local Settings\Temp\vnqCGv.exe
Creates File	C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe
Creates Process	C:\Documents and Settings\Administrator\Local Settings\Temp\vnqCGv.exe
Creates Process	C:\Documents and Settings\Administrator\Local Settings\Temp\cbikpg.exe
Creates Process	C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates File	C:\WINDOWS\system32\dllcache\lsasvc.dll
Deletes File	C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat
Deletes File	C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe http://nbtj.114anhui.com/msn/163.htm?2

Registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState\Settings ➝ NULL
Registry	HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore\Type ➝ 3
Registry	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore\Type ➝ 4
Registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore\Type ➝ 4
Registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Creates File	C:\Documents and Settings\NetworkService\Favorites\desktop.ini
Creates File	C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File	C:\Documents and Settings\NetworkService\Cookies\index.dat
Creates File	\Device\Afd\AsyncConnectHlp
Creates File	C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat
Creates File	C:\Documents and Settings\NetworkService\Favorites\Desktop.ini
Creates File	PIPE\lsarpc
Creates File	\Device\Afd\Endpoint
Creates Mutex	Shell.CMruPidlList
Winsock DNS	nbtj.114anhui.com

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\vnqCGv.exe

Registry	HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File	C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
Creates File	C:\Program Files\MSN\MSNCoreFiles\Install\msnsusii.exe
Creates File	C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Digcore.exe
Creates File	C:\Program Files\Adobe\Acrobat 7.0\Reader\Updater\acroaum.exe
Creates File	C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\setup.exe
Creates File	C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
Creates File	C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\instmsiw.exe
Creates File	PIPE\lsarpc
Creates File	C:\temp\files\vnqCGv.exe
Creates File	\Device\Afd\Endpoint
Creates File	C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe
Creates File	C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
Creates File	C:\temp\files\malware.exe
Winsock DNS	ddos.dnsnb8.net
Winsock URL	http://ddos.dnsnb8.net:799/cj//k1.rar

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Creates File	PIPE\SfcApi
Creates File	C:\WINDOWS\system32\qmgr.dll
Creates File	C:\WINDOWS\system32\mspmsnsv.dll
Creates File	C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat
Starts Service	WmdmPmSN

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\cbikpg.exe

Registry	HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File	C:\temp\files\AcroRd32.exe
Creates File	C:\temp\files\AcroRd32Info.exe
Creates File	C:\temp\files\Expor.exe
Creates File	C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Digcore.exe
Creates File	C:\temp\files\setup.exe
Creates File	C:\temp\files\instmsiw.exe
Creates File	C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\setup.exe
Creates File	C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\instmsiw.exe
Creates File	C:\temp\files\reader_sl.exe
Creates File	PIPE\lsarpc
Creates File	C:\temp\files\Digcore.exe
Creates File	\Device\Afd\Endpoint
Creates File	C:\temp\files\malware.exe
Creates File	C:\temp\files\msnsusii.exe
Creates File	C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
Creates File	C:\temp\files\AdobeUpdateManager.exe
Creates File	C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
Creates File	C:\Program Files\MSN\MSNCoreFiles\Install\msnsusii.exe
Creates File	C:\Program Files\Adobe\Acrobat 7.0\Reader\Updater\acroaum.exe
Creates File	C:\temp\files\cbikpg.exe
Creates File	C:\temp\files\monitor.exe
Creates File	C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
Creates File	C:\temp\files\vnqCGv.exe
Creates File	C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe
Creates File	C:\temp\files\Msncli.exe
Creates File	C:\temp\files\acroaum.exe
Winsock DNS	ddos.dnsnb8.net
Winsock URL	http://ddos.dnsnb8.net:799/cj//k1.rar

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates File	PIPE\lsarpc
Creates File	\Device\Afd\Endpoint

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry	HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN\Start ➝ 2
Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File	NtHid
Creates File	PIPE\lsarpc
Creates File	C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File	\Device\Afd\Endpoint
Creates File	C:\WINDOWS\TEMP\NtHid.sys
Creates File	C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File	\Device\Afd\AsyncConnectHlp
Deletes File	C:\WINDOWS\TEMP\NtHid.sys
Creates Process	C:\Program Files\Internet Explorer\iexplore.exe http://nbtj.114anhui.com/msn/163.htm?2
Creates Service	NtHid - C:\WINDOWS\TEMP\NtHid.sys
Winsock DNS	141.8.226.14
Winsock DNS	www.490a-B8B5-9B8C1E870B0C.com
Winsock DNS	www.baidu.com
Winsock DNS	pc1.114central.com
Winsock URL	http://141.8.226.14/ko/03.exe
Winsock URL	http://141.8.226.14/ko/02.exe
Winsock URL	http://141.8.226.14/ko/01.exe

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File	WMIDataDevice

Process
↳ Pid 1856

Process
↳ Pid 1168

Network Details:

DNS	nbtj.114anhui.com Type: A 193.166.255.171
DNS	www.a.shifen.com Type: A 103.235.46.39
DNS	pc1.114central.com Type: A 141.8.226.14
DNS	ddos.dnsnb8.net Type: A
DNS	www.baidu.com Type: A
DNS	www.490a-B8B5-9B8C1E870B0C.com Type: A
HTTP GET	http://141.8.226.14/ko/01.exe User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET	http://nbtj.114anhui.com/msn/163.htm?2 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET	http://141.8.226.14/ko/02.exe User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET	http://141.8.226.14/ko/03.exe User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP	192.168.1.1:1036 ➝ 141.8.226.14:80
Flows TCP	192.168.1.1:1038 ➝ 193.166.255.171:80
Flows TCP	192.168.1.1:1039 ➝ 141.8.226.14:80
Flows TCP	192.168.1.1:1040 ➝ 141.8.226.14:80

Raw Pcap

0x00000000 (00000)   47455420 2f6b6f2f 30312e65 78652048   GET /ko/01.exe H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a5573 65722d41 67656e74    */*..User-Agent
0x00000030 (00048)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000040 (00064)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000050 (00080)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000060 (00096)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000070 (00112)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x00000080 (00128)   6f73743a 20313431 2e382e32 32362e31   ost: 141.8.226.1
0x00000090 (00144)   340d0a43 6f6e6e65 6374696f 6e3a204b   4..Connection: K
0x000000a0 (00160)   6565702d 416c6976 650d0a0d 0a         eep-Alive....

0x00000000 (00000)   47455420 2f6d736e 2f313633 2e68746d   GET /msn/163.htm
0x00000010 (00016)   3f322048 5454502f 312e300d 0a416363   ?2 HTTP/1.0..Acc
0x00000020 (00032)   6570743a 202a2f2a 0d0a5573 65722d41   ept: */*..User-A
0x00000030 (00048)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000040 (00064)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000050 (00080)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000060 (00096)   204e5420 352e313b 20535631 3b202e4e    NT 5.1; SV1; .N
0x00000070 (00112)   45542043 4c522032 2e302e35 30373237   ET CLR 2.0.50727
0x00000080 (00128)   290d0a48 6f73743a 206e6274 6a2e3131   )..Host: nbtj.11
0x00000090 (00144)   34616e68 75692e63 6f6d0d0a 436f6e6e   4anhui.com..Conn
0x000000a0 (00160)   65637469 6f6e3a20 4b656570 2d416c69   ection: Keep-Ali
0x000000b0 (00176)   76650d0a 0d0a                         ve....

0x00000000 (00000)   47455420 2f6b6f2f 30322e65 78652048   GET /ko/02.exe H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a5573 65722d41 67656e74    */*..User-Agent
0x00000030 (00048)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000040 (00064)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000050 (00080)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000060 (00096)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000070 (00112)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x00000080 (00128)   6f73743a 20313431 2e382e32 32362e31   ost: 141.8.226.1
0x00000090 (00144)   340d0a43 6f6e6e65 6374696f 6e3a204b   4..Connection: K
0x000000a0 (00160)   6565702d 416c6976 650d0a0d 0a416c69   eep-Alive....Ali
0x000000b0 (00176)   76650d0a 0d0a                         ve....

0x00000000 (00000)   47455420 2f6b6f2f 30332e65 78652048   GET /ko/03.exe H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a5573 65722d41 67656e74    */*..User-Agent
0x00000030 (00048)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000040 (00064)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000050 (00080)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000060 (00096)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000070 (00112)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x00000080 (00128)   6f73743a 20313431 2e382e32 32362e31   ost: 141.8.226.1
0x00000090 (00144)   340d0a43 6f6e6e65 6374696f 6e3a204b   4..Connection: K
0x000000a0 (00160)   6565702d 416c6976 650d0a0d 0a416c69   eep-Alive....Ali
0x000000b0 (00176)   76650d0a 0d0a                         ve....

Strings