Analysis Date | 2015-08-30 10:36:12 |
---|---|
MD5 | c706818999d4ee58e1a92e861bae4593 |
SHA1 | 7a5f1744cb9dc27b25f41f35dfcc7dd9cda8ef94 |
Static Details:
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
---|---|---|
Section | .text md5: c02003b9f50c63f6a112afcee0c8057e sha1: 7a491315e9fb929b216e9d249e0b05bee0c28465 size: 16384 | |
Section | .data md5: 2395a14b242238675b3a7322d039eb97 sha1: 9221e044437a07c96ff3c8a686e1f031edf554aa size: 4096 | |
Section | .rsrc md5: baabdff38152118699c72fc17e454372 sha1: 519883dd302e18b465fe071e2fb2957501e1d7ad size: 8192 | |
Section | !55u md5: ffccfd36c9221262daf9c80078381cc6 sha1: 7609473bf88e44f5d63c27ecdb506b5d8da32e38 size: 20480 | |
Section | .tc md5: e347d822422ba661f7c3e4bf8a8b7f6f sha1: 6bf1063e8583ccbf180c94472bdff061fe1558a8 size: 28672 | |
Section | W55uj md5: ac24c787a37de1970c6a76cc925d23ae sha1: f9be0490c0e36e40543b7f0a43fc0faf38f3b8fd size: 20480 | |
Timestamp | 2001-07-19 19:29:57 | |
Pdb path | pdb | |
Version | LegalCopyright: Copyright (C) Microsoft Corp. 1981-2000 InternalName: MSNUNIN FileVersion: 6.10.0016.1624 CompanyName: Microsoft Corporation Built by: msnbld ProductName: Microsoft(R) MSN (R) Communications System ProductVersion: 6.10.0016.1624 FileDescription: MSN Uninstall Progman OriginalFilename: MSNUNIN.EXE | |
PEhash | 1234840ca0de89bfdc80714a9d3a95e2890a2ea7 | |
IMPhash | 2a1c59f2822a4b9e0435e5c824306502 | |
AV | Rising | Win32.Roue.a |
AV | Mcafee | W32/Kudj |
AV | Avira (antivir) | W32/Jadtre.B |
AV | Twister | Virus.558BEC81EC@120000#.mg |
AV | Ad-Aware | Win32.VJadtre.3 |
AV | Alwil (avast) | Malware-gen:Viking-CF:Win32:Malware-gen:Win32:Viking-CF |
AV | Eset (nod32) | Win32/Wapomi.BA virus |
AV | Grisoft (avg) | Win32/Wapomi.I |
AV | Symantec | W32.Wapomi.C!inf |
AV | Fortinet | W32/Nimnul.F |
AV | BitDefender | Win32.VJadtre.3 |
AV | K7 | Virus ( 0040f7441 ) |
AV | Microsoft Security Essentials | Virus:Win32/Mikcer.B |
AV | MicroWorld (escan) | Win32.VJadtre.3 |
AV | MalwareBytes | no_virus |
AV | Authentium | W32/PatchLoad.E |
AV | Frisk (f-prot) | W32/PatchLoad.E |
AV | Ikarus | Trojan-Downloader.Win32.Small |
AV | Emsisoft | Win32.VJadtre.3 |
AV | Zillya! | Virus.Nimnul.Win32.5 |
AV | Kaspersky | Virus.Win32.Nimnul.f |
AV | Trend Micro | PE_WAPOMI.BM |
AV | CAT (quickheal) | W32.Nimnul.F1 |
AV | VirusBlokAda (vba32) | Virus.Nimnul.19209 |
AV | Padvish | no_virus |
AV | BullGuard | Win32.VJadtre.3 |
AV | Arcabit (arcavir) | Win32.VJadtre.3 |
AV | ClamAV | Win.Trojan.Downloader-64296 |
AV | Dr. Web | BackDoor.Darkshell.246 |
AV | F-Secure | Win32.VJadtre.3 |
AV | CA (E-Trust Ino) | Win32/Nimnul.A |
Runtime Details:
Process
↳ C:\malware.exe
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\cbikpg.exe |
---|---|
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\vnqCGv.exe |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe |
Creates Process | C:\Documents and Settings\Administrator\Local Settings\Temp\vnqCGv.exe |
Creates Process | C:\Documents and Settings\Administrator\Local Settings\Temp\cbikpg.exe |
Creates Process | C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe |
Process
↳ C:\WINDOWS\system32\cmd.exe
Creates File | C:\WINDOWS\system32\dllcache\lsasvc.dll |
---|---|
Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat |
Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe |
Process
↳ C:\Program Files\Internet Explorer\iexplore.exe http://nbtj.114anhui.com/msn/163.htm?2
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState\Settings ➝ NULL |
---|---|
Registry | HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL |
Registry | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore\Type ➝ 3 |
Registry | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore\Type ➝ 4 |
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 |
Registry | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore\Type ➝ 4 |
Registry | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1 |
Creates File | C:\Documents and Settings\NetworkService\Favorites\desktop.ini |
Creates File | C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat |
Creates File | C:\Documents and Settings\NetworkService\Cookies\index.dat |
Creates File | \Device\Afd\AsyncConnectHlp |
Creates File | C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat |
Creates File | C:\Documents and Settings\NetworkService\Favorites\Desktop.ini |
Creates File | PIPE\lsarpc |
Creates File | \Device\Afd\Endpoint |
Creates Mutex | Shell.CMruPidlList |
Winsock DNS | nbtj.114anhui.com |
Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\vnqCGv.exe
Registry | HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL |
---|---|
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 |
Creates File | C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe |
Creates File | C:\Program Files\MSN\MSNCoreFiles\Install\msnsusii.exe |
Creates File | C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Digcore.exe |
Creates File | C:\Program Files\Adobe\Acrobat 7.0\Reader\Updater\acroaum.exe |
Creates File | C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\setup.exe |
Creates File | C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe |
Creates File | C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\instmsiw.exe |
Creates File | PIPE\lsarpc |
Creates File | C:\temp\files\vnqCGv.exe |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe |
Creates File | C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe |
Creates File | C:\temp\files\malware.exe |
Winsock DNS | ddos.dnsnb8.net |
Winsock URL | http://ddos.dnsnb8.net:799/cj//k1.rar |
Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe
Creates File | PIPE\SfcApi |
---|---|
Creates File | C:\WINDOWS\system32\qmgr.dll |
Creates File | C:\WINDOWS\system32\mspmsnsv.dll |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat |
Starts Service | WmdmPmSN |
Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\cbikpg.exe
Registry | HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL |
---|---|
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 |
Creates File | C:\temp\files\AcroRd32.exe |
Creates File | C:\temp\files\AcroRd32Info.exe |
Creates File | C:\temp\files\Expor.exe |
Creates File | C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Digcore.exe |
Creates File | C:\temp\files\setup.exe |
Creates File | C:\temp\files\instmsiw.exe |
Creates File | C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\setup.exe |
Creates File | C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\instmsiw.exe |
Creates File | C:\temp\files\reader_sl.exe |
Creates File | PIPE\lsarpc |
Creates File | C:\temp\files\Digcore.exe |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\temp\files\malware.exe |
Creates File | C:\temp\files\msnsusii.exe |
Creates File | C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe |
Creates File | C:\temp\files\AdobeUpdateManager.exe |
Creates File | C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe |
Creates File | C:\Program Files\MSN\MSNCoreFiles\Install\msnsusii.exe |
Creates File | C:\Program Files\Adobe\Acrobat 7.0\Reader\Updater\acroaum.exe |
Creates File | C:\temp\files\cbikpg.exe |
Creates File | C:\temp\files\monitor.exe |
Creates File | C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe |
Creates File | C:\temp\files\vnqCGv.exe |
Creates File | C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe |
Creates File | C:\temp\files\Msncli.exe |
Creates File | C:\temp\files\acroaum.exe |
Winsock DNS | ddos.dnsnb8.net |
Winsock URL | http://ddos.dnsnb8.net:799/cj//k1.rar |
Process
↳ C:\WINDOWS\system32\svchost.exe
Creates File | PIPE\lsarpc |
---|---|
Creates File | \Device\Afd\Endpoint |
Process
↳ Pid 804
Process
↳ Pid 852
Process
↳ C:\WINDOWS\System32\svchost.exe
Registry | HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL |
---|---|
Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN\Start ➝ 2 |
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL |
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 |
Creates File | NtHid |
Creates File | PIPE\lsarpc |
Creates File | C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\WINDOWS\TEMP\NtHid.sys |
Creates File | C:\WINDOWS\system32\WBEM\Logs\wbemess.log |
Creates File | \Device\Afd\AsyncConnectHlp |
Deletes File | C:\WINDOWS\TEMP\NtHid.sys |
Creates Process | C:\Program Files\Internet Explorer\iexplore.exe http://nbtj.114anhui.com/msn/163.htm?2 |
Creates Service | NtHid - C:\WINDOWS\TEMP\NtHid.sys |
Winsock DNS | 141.8.226.14 |
Winsock DNS | www.490a-B8B5-9B8C1E870B0C.com |
Winsock DNS | www.baidu.com |
Winsock DNS | pc1.114central.com |
Winsock URL | http://141.8.226.14/ko/03.exe |
Winsock URL | http://141.8.226.14/ko/02.exe |
Winsock URL | http://141.8.226.14/ko/01.exe |
Process
↳ Pid 1208
Process
↳ C:\WINDOWS\system32\spoolsv.exe
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL |
---|---|
Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7 |
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL |
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00 |
Creates File | WMIDataDevice |
Process
↳ Pid 1856
Process
↳ Pid 1168
Network Details:
DNS | nbtj.114anhui.com Type: A 193.166.255.171 |
---|---|
DNS | www.a.shifen.com Type: A 103.235.46.39 |
DNS | pc1.114central.com Type: A 141.8.226.14 |
DNS | ddos.dnsnb8.net Type: A |
DNS | www.baidu.com Type: A |
DNS | www.490a-B8B5-9B8C1E870B0C.com Type: A |
HTTP GET | http://141.8.226.14/ko/01.exe User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP GET | http://nbtj.114anhui.com/msn/163.htm?2 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP GET | http://141.8.226.14/ko/02.exe User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP GET | http://141.8.226.14/ko/03.exe User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
Flows TCP | 192.168.1.1:1036 ➝ 141.8.226.14:80 |
Flows TCP | 192.168.1.1:1038 ➝ 193.166.255.171:80 |
Flows TCP | 192.168.1.1:1039 ➝ 141.8.226.14:80 |
Flows TCP | 192.168.1.1:1040 ➝ 141.8.226.14:80 |
Raw Pcap
Strings