Analysis Date: 2015-05-29 01:53:06
MD5: 349d4723c7a325321d64927123166e2d
SHA1: 7cd3ad6f7040a3d9ae1482230ae3ebb484ea1ef3

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1: md5: 06face0152257364f5863c4273ba48e3 sha1: 6c1add6fe041731a8f146a9f932db26cc19143d1 size: 108032
Section .rsrc: md5: 5fa20aa4577b06e5b0753dbb90e13212 sha1: 195ae8657fada546746c168672ae3e4244b56cf3 size: 1024
Timestamp: 2014-12-18 07:56:57
Packer: UPX -> www.upx.sourceforge.net
PEhash: 9879ec61c0834468137521f48bb9107f2315e8ef
IMPhash: 503f02da89c6b927a686865f0547a297

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ruyczu cigaktee\ReleiceName ➝
Cydess cafcea\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cydess cafcea\ConnectGroup ➝
\\xc4\\xac\\xc8\\xcf\\xb7\\xd6\\xd7\\xe9\\x00
Creates File: C:\WINDOWS\Aogcwso.exe
Creates Service: Mtuulv cngyacyv - C:\WINDOWS\Aogcwso.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1856

Process
↳ Pid 1140

Process
↳ C:\WINDOWS\Aogcwso.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: pipe\net\NtControlPipe10
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\LocalService\Cookies\index.dat
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat
Creates Mutex: WininetConnectionMutex
Winsock DNS: user.qzone.qq.com

Network Details:

DNS: yemo123.f3322.net
Type: A
115.208.53.63
DNS: a1574.b.akamai.net
Type: A
96.17.10.98
DNS: a1574.b.akamai.net
Type: A
96.17.10.82
DNS: user.qzone.qq.com
Type: A
HTTP GET: http://user.qzone.qq.com/123456789
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1031 ➝ 115.208.53.63:2014
Flows TCP: 192.168.1.1:1033 ➝ 96.17.10.98:80

Raw Pcap
0x00000000 (00000)   3701                                  7.

0x00000000 (00000)   47455420 2f313233 34353637 38392048   GET /123456789 H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a5573 65722d41 67656e74    */*..User-Agent
0x00000030 (00048)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000040 (00064)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000050 (00080)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000060 (00096)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000070 (00112)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x00000080 (00128)   6f73743a 20757365 722e717a 6f6e652e   ost: user.qzone.
0x00000090 (00144)   71712e63 6f6d0d0a 436f6e6e 65637469   qq.com..Connecti
0x000000a0 (00160)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x000000b0 (00176)   0d0af7f4 d37531b6 34367461 2006d403   .....u1.46ta ...
0x000000c0 (00192)   f1477f08 bb4e1de8 cf784353 03532323   .G...N...xCS.S##
0x000000d0 (00208)   863f47cb 41feaa88 06b9d90b 2cefcde0   .?G.A.......,...
0x000000e0 (00224)   ca10c4e0 07247d18 8c81aed0 634861c8   .....$}.....cHa.
0x000000f0 (00240)   61303230 34d53530 d535b250 3032b632   a0204.50.5.P02.2
0x00000100 (00256)   b2206ce7 913527ce 6fbf76fd 25510e04   . l..5'.o.v.%Q..
0x00000110 (00272)   0383336f 0c4e6d34 dc7e0d2e b2         ..3o.Nm4.~...


Strings
.#.. 
5
&3. 
...
_L
.
t.).;
....
W
..#.. 
5
&3. 
...
_L
.
t.).;
....
W
.
 !"#!>
'()*+,<
[\]^_&
<-./01
0a4+.8
@0d@@Vg
0FRreW
 0g++B7#
0HoaZlD
^:0n~"
0SKznVi
1000999i
11421--(.-/+*
12al%uM
12rHZntT
14Muty
`1_@A{B
(1*E,'0R
1GD9Xq
1idowEj
1SACMK
22r.FilN
2345Sy*
2@-AAEX_N@Z
2e-Od 
2rm\ngA
2taLMQ
2$xVHg
3_i jq
3sPkl8
3v69999
%]4\8$
48@P`p
$4bSp 
4 Copyright
@4DB.f
4Exxe(
4gab&CC
.!4|mP
4O8:<R
4P+SZij
"4QPPVhpd 
4wxyz/##
#4"X3PZ
4zc	alPARi
54RZ\=
5[7]H#
 :5>9uU
5eH'{<
#(5K(-p
5s tnog
6S78nl
!6X8~T
$6Xwxs
789ABCy
7a898I
7.dll[
7pi){F
7QlOZ8y
7>SP\lJ
7vWtwr
]7Y4Q-
83s(eh
88HQs8
8`+aSb
8i$BDlC
8NNNN7654\NNN321/p
8U$LaJ
995-2002 Jean-loup Gailly 
9dL@y.
9e,V5S
9m:p;<
9uAx(|
a0\Vfaul
a/4.0 (compZib
a/4.ddJ
A<8?=9>=;746
>?@Aa&B
^_`ab:i
AdjussR
ADVAPI32.dll
a|\FFRCrh
aflgh##
a.gH#z@
>_> AH
AjEUVD
alF2Aw9
^a_l`Faob
a(l)S*+1
A!ModT]
=>?@AO
aPAvdN	os
A<)|&R)9i.
a/St$0u
!a,tF 
ation'`
"aTry>
Atuavr
.?AV_">tPL_)@
A"W	_],
AZT$(0*
b0m%pI
b7Uxrryizc
B.8P[9
b@-C(\
bc1dIN
>'@	B;FHu
}="BfMH0L
\)BghHr
B.hp{9
+;bIW,
bje;8G
bJ)NK%
bj(o8A
bMB"Bl
BPV;,u
BSecXg
B[STll]
[buBcmdHIg
<#bwspr5
B|,y.R
+\c4kIy
c6789T*
cdalR<
cdefghy
[cdXderfPgR9
[\c]iy>
C:'(J`
CjdDE7F
ClxeHa
?cmcCS
) c&O'1
,CoJ,eIA,RoJ,
@ComF&ddnfgA
&ComFFFFpatiB
<Compr<
 CosHb
cOW4#C
$c%p&=%
c+p'''
\`cQkdd
\c_QR+
c~>rr;9
Cry'#'WR
CtOp5F
 D|$"$
D1b><p
|D_B;&
ddd48<
 (ddddcomp
DDGMe<W
dDskt\
deCha*%
{ deflate 1.
Delet{
D#$%&h
 dj]A<
d$-l./
<)d.nc
<=DP4Xr`<
D qYs7()0
d,s.r/
DXitWV+
dy@?$b
 dynamic
EADCC<
eaTabOB
^E`bdf
Ec-4ApQt
*ectOuA
|^eeMm
/eFilaM
EG_BINARY
eHanNldpYWymn;o
e"kcSE=C
\%e&ly
_<?e\M)(
emjpty|
enKgeyMNNNExA
<Eo;pBD
>EQ`(|>/ZwYd3T4E5M
#e$r%&'T*O
Et_0 B
}Event
evkH`teph
ExitProcess
EXPAND9
EyFEGxHA
[F12).
F@8NQV
f&9999
fb u.(,6k
Ff{12S34
FFFFtDisEFFFkFr#OT
fhift 
F'Low$
=F>?m@
Fo..rRi
)fSGI;
+&- G,
<G0VtMs&
g5H2SFr
gcb^\\
`{gcbjq
Ge,7Jm
GetProcAddress
gfDTyTS
GFFg.f
gg&{D|}
gGs\pb
GJN(Sj<
gOO6PpQ
G; pH<
@gP?p'@
GuGpp)[
''''h(
^H8PSQA
\ha2U0G
h(CZ&Z
~HdZ`h
hEij.P	
HG<U,d
hjl	n1pC
	h"lx>e
/h NPKu
HPK-)),*!#'@
HQl4os*
+($hRRPM!
<hvicHoC
HwxDbyu
HZH$B &
i'''')
i6qurstt
iByt(lB
icA.$<Xo
ICSendMessage
iDqlrsR
ieRj5kn
IGwE^um
ihfjk<O/"
	IhQ}5
ijKERNEL
il#!HE
iL,RoJ,RichSoJ,
indC16
InitializeCr
intoFp7
 inWMark Adle
I o!ct
`irtjskilomRy>+nEoxpq
IsWindow
[>IsYS-Po
itForC`
<IV32@MP4Dcvi^l
i$%XYZ
()*+,J
JCDEFG;
jckklm
, jd2R&
#jdowT
JE7	P=@a
JEFGHI
J,-.J)
JK[L,M
jlOpSy.
J$`;nD
jNH4"8
J@roun
Js8<A$r
JtModu
'*juq"
jus####tTok
<JUVnDWXK
\< Jxi
Kazs.32NE
Kdj,uR
KeepRA1x
KERNEL32.DLL
KLiMnN
@k mDi
kpwhT4F`
kWl_ Oh
KZ-<S]
,@l0)$
	l7|LX
<L,8#1
La(*=A
<((=>LdFF
lee"FK
lloDIJ
L.MdNO	
LoadLibraryA
lO&bjD
^ Lock
].loPrss
<lOrbb
^LORER
}LpqHA
l$q4K?C
?#LQA.
L)S\|g
]l S)I,#
L*st;Z=
LTL`Nc
lwLxoica
M3qSW.
MA,PoJ,
'mbr9v
MLHTTP
[ML]jYF;F
Monm#q
MOOkbiO	
mStra 
MSVCP60.dll
MSVCRT.dll
MSVFW32.dll
MULTI_S
)n*+4r
Na4H]|
,nC(W#
ndClos
nETJFf=
NFN@AB9\0
NGPhPrWe
n_:Js-
nlimcnkoCpoI
nliojk.
\NLpoca
nockS(Z
NOPQ[ 8C
NOPQRSti
NOPQRSy
{n_PoiV
npw(SQ
nr,HEKLA
]NRworkV8n
nsdlayW
nt2!##SiA
[n ux8o
+nv7Ou
=Nw&)L8
NxH0;\
.o/0;2
ob+Ezn1ce
<objc0SZ
ocs&dd
'(ocsJ
Od7B;6
 ODba6r
<+OfPQ
!OGBN>
oGCMFq5
`og.P-
o@gS0XVGP
O+(IDV
ole32.dll
OLEAUT32.dll
OleRun
on6VirtuFree
=O;O$0
+oo2222kupP2222riviy
OP,Pr%9
OPQR"B
orp #kn
ose<G8yCi
)O|T+54
O;;<<Z
ozKLMN 
@+P1BS
\p 4HrR
pacPNscC,
pAh|s|
pA,NoJ,
PC`("0u
(p	(D7vZ
PDEAFh
p DYaoB
pe3eAX`(%
pe!n22
~p@F$O
&"PHVA
pi7ADVAPI
pnUrl>e`
PonL_N
pPGvvP*
PRi.M@
pROTCM
PRUMHOHJIKIE@GG@
Pt 9g6
PTI''''ON\Sd
p@,voJ,
P}YSTEM
_Q6`uab4o
$q)aKu(G
q-eM	'
"qIz'd
qK[y'F
QRSHi,(
QRSTrr
<qrstu
[@^Q>t7QK
r-AgP: Moz
rcd`Ve
rddtio
:rDhd\
RegCloseKey
RegQuyVal
R- fdW
rFFFFdDatTk@B
RFGHIJ{
!rF"i#$
,RFjEA`
rHidFi
R@iACy
RjSUi"Gx
RKBnJy
RlepZ-
r` LpU
.RN023C*
Rn+hvSD
}RnPdF`div%i
?;rodu
/<rQRoM5YHE3
rrH"$S}
rrr!a!
rrrrg'
rsFi$OX
&=RSozTr
 rtSr9y
%rtThrL
ruDtuly
R/~vh\JhL
S08M263
/S09ng<O:
s3HanB
S4GlR[X
sD,WoJ,<p@,XoJ,<pN,VoJ,<pA,RoJ,SoK,
&S/$Et
sh6HARDb
SidToStrX
[\]S+k
Snapsho
SOFTWARE\M
,soft\Windows NT\Curr
SoJ,SoJ,SoJ,
So#wc(q 
spirstF5
'_Spl^kS
SPu\LQ
S@Q$2X
srtucv
SrTUcV
..std+
s |tRb
S-T%URy
stuvwxy
st^VKW
)@\suh
SV/`I<
 sVlW+
S?W_C$
SW(,(nV`H
s@-XXao
Systm>
T*,-.+
}+t;0SIE 6*
T899yS|<
t;a,7a?&
taskkR /f
tBLocW
$t%&ch'Wy>
|tEvnth
T*ghijd\
tGu.vt
!This program cannot be run in DOS mode.
Ti%%IS3
T*indFS
t`jdSj
tJQCRrST
tk'jhc+
T*OABCDE
tplhd`
TPQ=kM
|TpUaVW!
TpxAD}
+tqx#$
~tr"hBFvc-
T$%'*U
T|UyVW
t]VTEC]
tvwqtxmjhd
;T	V'X
T*'$%&' WC
+T*yztPoDZ
>ua>d?a]9]
u[G+n&_
<.\uHY
u	j$<K
uMZu@ 
UrmtvxC
USER32.dll
<UtLocal4
UVLYog[:
U#VmWXprr2YZ[\y
uYe'oddgQu>
.UZlQ/
V8WX4Y
VdF<fn.*2
v^Dp|JR%t|
Vg^Sa*
vicA`hE
VirtualAlloc
VirtualFree
VirtualProtect
vJGW(9J
VlXX.I
VnputD 
V-!o$\
vo>'7G
vOZw3[
VQi?d|P
V(qm$_k
vV+|&1|g
VW|uHfhoP
w4]\Rf
waveInOpen
W'EGSi
wGFFFsh=c
w	GyRFH
WINMM.dll
$w+(IP
WLCharToM
wmZ<=!
wNus7Alttr
WS2_32.dll
WVG0AYh
wVWX9NB
w.~xDQR
]WyN!";#
x=%d, y
X=~hmJ9
x[kk/"a
'xmov`
xMR	=[.
X>PA/6
&xPa"ms
XPTPSW
?_Xran@std@@YAXXZ
XrsrP`
|xtplhy
X.X]6rSoK
Xy&01c
x;YA%C@
xzsup|qv
'y()*+
y5?$88
^yC7Tim_
~Y^D 4
yDEFGH
yd`\XT$
yFfil2
YH*L~>
yicVkog
yijklm
y$kedEx
ylDriL
yliy$E
ypA6al
;yrchrso
y#R(nSKT4O
yTUVWX
YUWVWR
yV@eaflgA
[y>wexyS&zp
Y.*WXYw
Y)yl9M!
yZ'tory
z4y;c	#
>z8U(h
Z9H tU
ZAJ@bP~0	L
'zcMnq
ZdQ&h-
zetLasA
ZhocsP@
znGT	T
Zpqrst
Z[QG#@6|
ZT^tp:
zvx}yy{