| Analysis Date | 2014-09-05 04:58:59 |
|---|---|
| MD5 | e9c63465608700df31b88d0f88ba6bbc |
| SHA1 | 7fb11c2e7ab64c65c689c545900581c61b82eedf |
Static Details:
| File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
|---|---|
| Section | .text md5: 20124dbbec7fcf4073772f92f41d5ea3 sha1: 1c20e111e2ff17fc00c4a3baa0d9e7d5508dd335 size: 168960 |
| Section | .rsrc md5: 52d24e8180add54b444a2585cfa8a26c sha1: 04e4e190705c6826b94ec8163360ec3653396860 size: 17408 |
| Timestamp | 2008-07-29 22:55:23 |
| Version | LegalCopyright: Copyright (C) 2003-2008; InternalName: Freegate; FileVersion: 0, 0, 0, 0; CompanyName: (empty); PrivateBuild: (empty); LegalTrademarks: (empty); Comments: (empty); ProductName: Freegate Application; SpecialBuild: (empty); ProductVersion: 0, 0, 0, 0; FileDescription: Freegate Application; OriginalFilename: freegate.EXE |
| Packer | PECompact 2.0x Heuristic Mode -> Jeremy Collake |
| PEhash | c9e05db3e7cbf7ab41ac0aab31baa29136a7a5d7 |
| IMPhash | 09d0478591d4f788cb3e5ea416c25237 |
Runtime Details:
Process
↳ C:\malware.exe

| Registry | HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL |
|---|---|
| Registry | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Dgdebdtf ➝ 5120 |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat |
| Creates File | C:\Documents and Settings\Administrator\Cookies\index.dat |
| Creates File | PhysicalDrive0 |
| Creates File | PIPE\lsarpc |
| Creates File | \Device\Afd\Endpoint |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat |
| Creates Mutex | c:!documents and settings!administrator!local settings!history!history.ie5! |
| Creates Mutex | WininetConnectionMutex |
| Creates Mutex | c:!documents and settings!administrator!cookies! |
| Creates Mutex | c:!documents and settings!administrator!local settings!temporary internet files!content.ie5! |
Network Details:
| DNS | w62.ziyoulonglive.com Type: A |
|---|---|
| DNS | w63.ziyoulonglive.com Type: A |
| DNS | w64.ziyoulonglive.com Type: A |
| DNS | w65.ziyoulonglive.com Type: A |
| DNS | w61.ziyoulonglive.com Type: A |
| DNS | c46d1784c30f9fd769e668e77a40cd118f9ea9dc.bb76d8278c7d0834304c0ada5bf5ca3b8eb7df55.4.ziyouforever.com Type: MX |
| DNS | b5d47698ce9e3dae1cbd76dd6b1aecb4fe27c8c0.b6e77a5ef926160e21162b7f5e1b2b133564a516.4.ziyouforever.com Type: MX |
| DNS | 1f9f3a999a08f88dbc47cdf95addb4fb546c84c1.e271bf7d59dcad2a10d17330f442d8510984564d.4.ziyouforever.com Type: MX |
| DNS | e1cbb3c6c587e0d0ba385b623326ab2baa380d9e.bdfea7205fa33bb1792a6ce06d3efe44b7ca3829.4.ziyouforever.com Type: MX |
| DNS | a13f671aba616f55d5db0dd68b467501eaccd942.c21828a530406d05c14ab2cabdedc50607ca792d.4.ziyouforever.com Type: MX |
| DNS | eb2c9e4dc8b6c4dc2cd8a1d6ec4090aba0df2015.b0cf832cc943c105a64c57609524732675615547.4.ziyouforever.com Type: MX |
| DNS | fa96d577fb9ec614bc3eb2486ce1ab47b1656b2f.83e781e459a5d29b26ed6c8c5f54c557b4a9690e.4.ziyouforever.com Type: MX |
| DNS | 5180c990a032e522d24afb9337c187e61a7377c8.d84ba2d237d19b407dcd402d3ec13076d55ab712.4.ziyouforever.com Type: MX |
Strings