Analysis Date2013-08-07 02:39:28
MD5f333693b77843abeefed9f2715af61d1
SHA1844cc6f5f8f52d2048d4834e31c6f2ce4e0febff

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Sectionu0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Sectionu1 md5: 6ae6c15e256a5546f9e9b51c8245a0cd sha1: 7bec29b741af3abea2b1f446259330db5803a679 size: 795136
Timestamp2011-05-28 22:30:59
PackerNsPack V1.4 -> LiuXingPing
PEhash846c349693e5cc3dd2b899e37b62384a365bdbbc
AVclamavWorm.Mytob.IS

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

RegistryHKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\9173dnf[1].htm
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\3284_appcompat.txt
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013080720130808\index.dat
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File\Device\Afd\AsyncConnectHlp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Deletes FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013061320130614\index.dat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013052720130603\index.dat
Creates ProcessC:\WINDOWS\system32\dwwin.exe -x -s 348
Creates ProcessC:\WINDOWS\system32\drwtsn32 -p 1104 -e 280 -g
Creates Mutex_!SHMSFTHISTORY!_
Creates Mutexc:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutexc:!documents and settings!administrator!local settings!history!history.ie5!mshist012013080720130808!
Creates MutexWininetConnectionMutex
Creates Mutexc:!documents and settings!administrator!cookies!
Creates Mutexc:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNSwww.9173dnf.com

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 348

Process
↳ C:\WINDOWS\system32\drwtsn32 -p 1104 -e 280 -g

Network Details:

DNSwww.9173dnf.com
Type: A
69.43.161.169
HTTP GEThttp://www.9173dnf.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP192.168.1.1:1032 ➝ 69.43.161.169:80

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000020 (00032)   6570742d 4c616e67 75616765 3a20656e   ept-Language: en
0x00000030 (00048)   2d75730d 0a416363 6570742d 456e636f   -us..Accept-Enco
0x00000040 (00064)   64696e67 3a20677a 69702c20 6465666c   ding: gzip, defl
0x00000050 (00080)   6174650d 0a557365 722d4167 656e743a   ate..User-Agent:
0x00000060 (00096)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x00000070 (00112)   6d706174 69626c65 3b204d53 49452036   mpatible; MSIE 6
0x00000080 (00128)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x00000090 (00144)   2e313b20 5356313b 202e4e45 5420434c   .1; SV1; .NET CL
0x000000a0 (00160)   5220322e 302e3530 37323729 0d0a486f   R 2.0.50727)..Ho
0x000000b0 (00176)   73743a20 7777772e 39313733 646e662e   st: www.9173dnf.
0x000000c0 (00192)   636f6d0d 0a436f6e 6e656374 696f6e3a   com..Connection:
0x000000d0 (00208)   204b6565 702d416c 6976650d 0a0d0a      Keep-Alive....


Strings