Analysis Date: 2014-11-16 02:07:45
MD5: 764e434d81b59ed3a68352f5c27ce4a2
SHA1: 8b639b6ef7dcec67ba0a8c3da4c6ea2717d60ccd

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 64523b46cbb1829b84cdf6fabae43382 sha1: 76a71292fe4be2b2879a6ba606b880895c9df6b8 size: 225280
Section .rdata md5: 3a56604e769531722c5ae45ef5a3649e sha1: 7b775acd0346188c18a9cf059fba512804206878 size: 8192
Section .data md5: 2ab7feb7709e3039a920d76d40910c00 sha1: 8d629a3059363eecf911172b5c84fda1484b63f4 size: 69632
Timestamp: 2014-01-01 06:31:54
Packer: Microsoft Visual C++ v6.0
PEhash: 3d52a071bf26995d9b5058d992a89530a0291418
IMPhash: 8beab31aaac19dc05c72af63d7242704
AV 360 Safe: Gen:Variant.Graftor.156551
AV Ad-Aware: Gen:Variant.Graftor.156551
AV Alwil (avast): no_virus
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): TR/Rogue.10418541
AV BullGuard: Gen:Variant.Graftor.156551
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Win32.Trojan.Hrup.a.3
AV ClamAV: no_virus
AV Dr. Web: DLOADER.Trojan
AV Emsisoft: Gen:Variant.Graftor.156551
AV Eset (nod32): no_virus
AV Fortinet: W32/PWS_y.XO!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Graftor.156551
AV Grisoft (avg): Win32/DH{JwNngRA2gRE}
AV Ikarus: Win32.SuspectCrc
AV K7: no_virus
AV Kaspersky: HackTool.Win32.FlyStudio.gen
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Graftor.156551
AV Norman: Gen:Variant.Graftor.156551
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\vm331_sti.exe
Creates Process: cmd.exe /c del "C:\malware.exe"
Creates Service: Remote Procedure Call (RPG) - C:\WINDOWS\vm331_sti.exe -k
Starts Service: RpcSRPG
(Note: the display name differs from the built-in "Remote Procedure Call (RPC)" service by a single letter, and the service name RpcSRPG resembles the legitimate RpcSs; both names are useful indicators when checking a host's service list.)

Process
↳ cmd.exe /c del "C:\malware.exe"

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1864

Process
↳ Pid 1128

Process
↳ C:\WINDOWS\vm331_sti.exe

Creates File: pipe\net\NtControlPipe10
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\yf.reg
Creates Process: regedit /s C:\WINDOWS\yf.reg

Process
↳ regedit /s C:\WINDOWS\yf.reg

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B3560C4803459EE3D32AB888D64BFE0E80CEA4A1\Blob ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\267D63BD925859D98A807B8FF12FA455C5353BA8\Blob ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18066AD1279234118B0BF852322C381F78A21F3B\Blob ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B171301E1AE82B30BA7547922FB656CE3432AF66\Blob ➝
NULL
(Note: these four writes from the imported yf.reg go to the machine-wide trusted root certificate store; the key names are certificate thumbprints and should be checked for on affected hosts.)

Network Details:

DNS: d96cc5ec7d567cbf.cdn.fhldns.com
Type: A
222.216.190.61
DNS: d96cc5ec7d567cbf.cdn.fhldns.com
Type: A
61.155.149.77
DNS: www.a.shifen.com
Type: A
180.76.3.151
DNS: d96cc5ec7d567cbf.cdn.fhldns.com
Type: A
61.155.149.77
DNS: d96cc5ec7d567cbf.cdn.fhldns.com
Type: A
222.216.190.61
DNS: d96cc5ec7d567cbf.cdn.fhldns.com
Type: A
222.216.190.60
DNS: d96cc5ec7d567cbf.cdn.fhldns.com
Type: A
61.155.149.76
DNS: www.ewfpay.com
Type: A
DNS: www.baidu.com
Type: A
Flows TCP: 192.168.1.1:1031 ➝ 222.216.190.61:8000
Flows TCP: 192.168.1.1:1032 ➝ 222.216.190.61:8000
Flows TCP: 192.168.1.1:1033 ➝ 222.216.190.61:8000
Flows TCP: 192.168.1.1:1034 ➝ 222.216.190.61:8000
Flows TCP: 192.168.1.1:1035 ➝ 222.216.190.61:8000
Flows TCP: 192.168.1.1:1036 ➝ 61.155.149.77:8000
Flows TCP: 192.168.1.1:1037 ➝ 222.216.190.60:8000
Flows TCP: 192.168.1.1:1038 ➝ 222.216.190.60:8000
Flows TCP: 192.168.1.1:1039 ➝ 222.216.190.60:8000
(Note: every recorded flow goes to TCP port 8000 on an address returned for the d96cc5ec7d567cbf.cdn.fhldns.com lookups; the www.ewfpay.com and www.baidu.com queries received no answer in this capture.)


Strings (raw extraction, reproduced as-is; several entries are hex-encoded ASCII — 766D3333315F7374692E657865 decodes to vm331_sti.exe, 7777772E6577667061792E636F6D to www.ewfpay.com, 5C465A5A514D44352E6578652E746D70 to \FZZQMD5.exe.tmp, and the long entry beginning 53595354454D5C to SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp\PortNumber)
().
 
%
%
,,,
/
.
>?
\
.00-+ -E-0-0..
.-
e
 
 00
...........?-  
0
0 
0u
Cjjj
Djjj
         (((((                  H
jjjj
(null)
!<<>>!
!!!!!!!!!!
0000%d
0123456789abcdef
0123456789ABCDEF
01d0a8e3
<0|!<9
\\192.168.0.129\TCP\1037
1#QNAN
1#SNAN
34(0x22), 
\$4UVW
53595354454D5C43757272656E74436F6E74726F6C5365745C436F6E74726F6C5C5465726D696E616C205365727665725C5764735C72647077645C5464735C7463705C506F72744E756D626572
5C465A5A514D44352E6578652E746D70
646166B4F3
766D3333315F7374692E657865
7777772E6577667061792E636F6D
^}%950
9|$$t6
<9vK<-tG<_tC<.t?<:t;</t7
a=Abstract:buffer;
a=ASMRuleBook:string;
a=Author:buffer;
abnormal program termination
Accept: */*
Accept: application/sdp
Accept-Ranges: 
a=control:streamid=
a=Copyright:buffer;
AdjustTokenPrivileges
advapi32.dll
ADVAPI32.dll
ADVAPI32.DLL
a=Flags:integer;
a=length:npt=
a=MaxBitRate:integer;
a=MaxPacketSize:integer;
a=mimetype:string;
anonymous
anonymous@123.com
a=OpaqueData:buffer;
a=Preroll:integer;
asf 2.0 header
a=StartTime:integer;
a=StreamCount:integer;
a=StreamName:string;
a=Title:buffer;
audio conceal none
audio media
audio spread
August
Author: %s
avicap32.dll
B3CCD0F2B8FCD0C2
B4B4BDA8D5CABAC5
B4B4BDA8D5CABAC5B3C9B9A621
B4B4BDA8D5CABAC5CAA7B0DC21
B6FEB4CEB7A2CBCD
B7A2CBCDCDEAB1CF
B7A2CBCDCEC4BCFE
B9DBB2ECD7C0C3E6
Bandwidth
Bandwidth: %u
BDF8B3CCC1D0B1ED
bitrate mutual exclusion
blackmoon
BlackMoonPing
BlackMoon RunTime Error:
btHHt.
C9CFB4ABCEC4BCFE
Cache-Control: no-cache
capGetDriverDescriptionA
CEC4BCFEB4C5C5CC
CEC4BCFECFC2D4D8
CEC4BCFEE4AFC0C0
Challenge1: %s
ChangeServiceConfig2A
ChangeServiceConfigA
ClientChallenge: 9e26d33f2984236010ef6253fb1887f7
ClientID: Linux_2.4_6.0.9.1235_play32_RN01_EN_586
CloseHandle
CloseServiceHandle
cmd.exe /c del "
codec comment1 header
codec index >= number of codecs. %i %i
codec list
command media
CompanyID: KnKV4M4I/B2FjJ1TToLycw==
CompareStringA
CompareStringW
Connection: 
Connection: close
content description
Content-disposition: 
Content-Disposition: 
Content-length
Content-length: 
Content-Length: 
Content-range: 
Content-Range: 
Content-type: 
Content-Type: 
ControlService
COOKIE
Cookie: %s
CopyFileA
Copyright: %s
CPhDWD
C(PhptD
C$Ph|tD
C<PQWR
CreateFileA
CreateFileMappingA
CreateProcessA
CreateServiceA
CreateThread
CreateToolhelp32Snapshot
CreateWaitableTimerA
CSeq: 1
Cseq: %u
CSeq: %u
D$ _^]
D$,_^][
D0DEB8C4B1B8D7A2
D0DEB8C4B6CBBFDA
D0DEB8C4B6CBBFDAB3C9B9A621
D0DEB8C4B6CBBFDACAA7B0DC21
D$0PUVh
D$0vT2
D4B6B3CCB6CBBFDA
D4D9B4CEB7A2CBCD
D$4RPU
D5CABAC5C8A8CFDE
D6D5D6B9BDF8B3CC
D6F7BBFAC9CFCFDF
D$8h$jD
D$8htvD
D$8t!j
@.data
dddd, MMMM dd, yyyy
D$DRPUV
D$DRPUVQ
D$"EAB
December
Del %0
DeleteCriticalSection
DeleteFileA
DeleteService
DESCRIBE
D$ h$jD
D$(h$jD
D$$h$jD
D$HRhlwD
DispatchMessageA
DLL ERROR
DOMAIN error
D$ PhlyD
D$$PQVS
D,@,QE
D$ QSRPU
D$(RPU
D$(RPVU
|$DRWVU
%d, %s
D$$SWVURP
D$,VPS
D$,WPQR
D$,WPS
D$(WPS
D$$WPV
D$XQRP
@echo off
E:\dev\e\static_link\static_libs\source\downlib\mystrlib.cpp
EnterCriticalSection
EnumServicesStatusA
error correction
.exe|.rar|.zip|.gif|.jpg|.mp3|.rm
ExitProcess
ExitThread
extended content description
extended content encryption
FD_ISSET 
February
@ffffff
filename=
file properties
FindClose
FindFirstFileA
FindNextFileA
- floating point not loaded
FlushFileBuffers
FormatMessageA
FreeEnvironmentStringsA
FreeEnvironmentStringsW
FreeLibrary
Friday
Ft_^][
<fu&8M
GAIsProcessorFeaturePresent
GDI32.dll
GDI32.DLL
GetACP
GetActiveWindow
GetCommandLineA
GetCPInfo
GetCurrentDirectoryA
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentStrings
GetEnvironmentStringsW
GetEnvironmentVariableA
GetFileSize
GetFileType
gethostbyname
GetInputState
GetLastActivePopup
GetLastError
GetLocalTime
GetLogicalDriveStringsA
GetMessageA
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetPrivateProfileStringA
GetProcAddress
GetProcessHeap
GET %s HTTP/1.1
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemDirectoryA
GetSystemInfo
GetSystemTime
GetSystemWow64DirectoryA
GetTickCount
GetTimeZoneInformation
GetUserNameA
GetVersion
GetVersionExA
GetWindowsDirectoryA
__GLOBAL_HEAP_SELECTED
GlobalMemoryStatusEx
GUID: 00000000-0000-0000-0000-000000000000
GUUUVj
`h````
hash input: %x %x %x %x
hash output: %x %x %x %x
hash parameter:
header
header extension
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HHtpHHtl
H:mm:ss
Host: %s
HSVHWtgHHtF
http://
HTTP/1.0
HTTP/1.1
_hypot
IcmpCloseHandle
IcmpCreateFile
icmp.dll
IcmpSendEcho
IDQWWPR
If-Match: %s
Illegal character '%c' in input.
InitializeCriticalSection
InterlockedDecrement
InterlockedIncrement
IsBadCodePtr
IsBadReadPtr
IsBadWritePtr
JanFebMarAprMayJunJulAugSepOctNovDec
January
kernel32
KERNEL32
kernel32.dll
KERNEL32.dll
KERNEL32.DLL
KillTimer
L$0_^]
L$0PQhPjD
L$0RPVQ
L$49l$4}
L$8h`vD
L$8PQSU
L$8RPVQ
L$<9\$<}
Language: en-US
Last-Modified: 
LCMapStringA
LCMapStringW
L$DQRPUV
L$DQUR
L$DWQV
LeaveCriticalSection
L$ hpoD
LoadLibraryA
LocalFree
Location
Location: 
LookupPrivilegeValueA
L$|PQh
L$$PQh
L$$PQj
L$$QQP
L$<RPQ
lstrcpyn
\$LUVW
MapViewOfFile
marker
MbP?RTSP/1.0
M/d/yy
MessageBoxA
Microsoft Visual C++ Runtime Library
mlti_data_size: %i
MLTI tag not detected, copying data
Module32First
Monday
MoveFileA
Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
MPR.DLL
</Msg0000>
<Msg0000>
<Msg%s>%ld</Msg%s>
MsgWaitForMultipleObjects
__MSVCRT_HEAP_SELECT
MultiByteToWideChar
mutex bitrate
mutex unknown
no error correction
- not enough space for arguments
- not enough space for environment
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
not verified: ! (i < 56)
not verified: (len << 3) > a true
not verified:  while ( d < len )
November
NSPlayer/9.0.0.2980; {%s}; Host: %s
(null)
October
OldPNMPlayer
OpenProcess
OpenProcessToken
OpenSCManagerA
OpenServiceA
OPTIONS
padding
PASS ******
PASS %s
PathFileExistsA
PeekMessageA
ping -n 2 127.0.0.1>nul
PlayerStarttime: [28/03/2003:22:50:23 00:00]
PPPPPPPP
ppxxxx
PQh4|D
PQh<{D
PQhp|D
Pragma: no-cache
Process32First
Process32Next
Program: 
program internal error number is %d. 
<program name unknown>
Proxy-Connection: Keep-Alive
PSh8XD
PShhXD
- pure virtual function call
PVhTYD
PVh|zD
PWh8XD
PWhLXD
}\PWVQ
QQSUVWj
QQSVW3
QQSVWd
QQSVWj
QRh\|D
QRhT{D
QShdtD
QShTYD
QueryPerformanceCounter
QueryPerformanceFrequency
QueryServiceConfig2A
QueryServiceConfigA
QueryServiceStatus
QVhhXD
QVh$XD
QWhhXD
RaiseException
Range: bytes=%s-
Range: npt=%s-
`.rdata
ReadFile
RealChallenge1
RealChallenge2: %s, sd=%s
real: Content-length for description too big (> %uMB)!
real: got message from server:
real: got no Content-length!
real: got no ETag!
Recv Packet (%s)...
Recv Sub Packet(%s)..
Referer: %s
RegCloseKey
RegCreateKeyA
RegCreateKeyExA
regedit /s 
regedit /s "
RegEnumValueA
RegionData: 0
RegisterServiceCtrlHandlerA
RegOpenKeyA
RegQueryValueExA
RegSetValueExA
Remote Procedure Call (RPG) 
ren FZZQMD5.exe.tmp "
Require: com.real.retain-entity-for-setup
reserved_1
reserved marker
reserved script command
REST 0
REST 100
restart
Restart
rmff_fix_header: assuming data.num_packets=%i
rmff_fix_header: assuming data.size=%i
rmff_fix_header: assuming prop.num_packets=%i
rmff_fix_header: correcting prop.num_streams from %i to %i
rmff_fix_header: correcting prop.size from %i to %i
rmff_fix_header: fatal: no header given.
rmff_fix_header: no DATA chunk, creating one
rmff_fix_header: no fileheader, creating one
rmff_fix_header: setting num_headers from %i to %i
rmff_fix_header: setting prop.data_offset from %i to %i
rmff_fix_header: warning: no CONT chunk.
rmff_fix_header: warning: no MDPR chunks
rmff_fix_header: warning: no PROP chunk.
RpcSRPG
RPhh{D
RPhH|D
RPWWWj
RQPj3V
RQWPUV
RSh$XD
RtlMoveMemory
RtlUnwind
rtsp://
RTSP/1.0 200 OK
RTSP/1.0 451 Parameter Not Understood
rtsp://%s:%i
rtsp://%s:%i/%s
runtime error 
Runtime Error!
RVh4oD
RVh8XD
RWh$XD
:"%s".
Saturday
script command
 [%s:%d]
 [%s:%d] 
[%s:%d]
sdpplin: no m= found.
SeDebugPrivilege
SELECT
 sendto 
September
Server
Server:
Server: 
Session:
Session: %s
Set-cookie: 
Set-Cookie: 
SetEndOfFile
SetEnvironmentVariableA
SetFileAttributesA
SetFilePointer
SetHandleCount
SetLastError
 SetlD
SET_PARAMETER
SetServiceStatusu
SetStdHandle
SetTimer
SetUnhandledExceptionFilter
SetWaitableTimer
SHELL32.DLL
shlwapi.dll
SHLWAPI.dll
simple index
SING error
SIZE %s
sO;>|C;~
SOCKET
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%*s %s
%s %s %s
SS@SSPVSS
%s/streamid=0
%s/streamid=1
start 
StartServiceA
StartServiceCtrlDispatcherA
stream bitrate properties
Stream description size: %i
stream header
Streams: %i
stream=%u;rule=%u,
%*s %u
Subscribe: 
Sunday
SunMonTueWedThuFriSat
SupportsMaximumASMBandwidth: 1
<SUVW3
SUVWh4
SUVWh8
SUVWjH
SUVWjp
\sx.xp
SystemRoot
\SystemRoot
^t_^][
T$0hMMS R
t@_^]3
T$4h(wD
T$4PQR
t8j\h0
T$8QRP
T$8QRV
T$8RPQ
T$8VRS
t'9|$pt
Taskkill /f /im 
tC9{dt
T$DSRWQh
TerminateProcess
TerminateThread
<]t_G<-uA
TheCodeMadeByZPCCZQ
!This program cannot be run in DOS mode.
T$HQRP
t+Ht$Ht
Thursday
Title: %s
t:It-P
TLOSS error
TlsAlloc
TlsGetValue
TlsSetValue
T$LURV
T$Phd[D
T$@PQRUV
T$ PSQRU
T$ QRP
T$,QRP
T$ QRSU
T$(QRSU
T$(QRU
TranslateMessage
Transport: x-pn-tng/tcp;mode=play,rtp/avp/tcp;unicast;mode=play
T$$RPWUV
t#SSUP
+ttHHtd
t.;t$$t(
Tuesday
t$(<"uI
tvOt:Ot
t$$VSS
T$,WQR
T$,WRS
T$$WRV
t/WWUPj
TYPE A
TYPE I
uAUUUUj
>:u#FV
u,h|cD
u&h$jD
u#h$jD
u,hXmD
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
>:uNFV
UnhandledExceptionFilter
unknown
UnmapViewOfFile
update.bat
uRFGHt
U\Rh({D
user32
user32.dll
USER32.dll
USER32.DLL
User-Agent: RealMedia Player Version 6.0.9.1235 (linux-2.0-libc6-i386-gcc2.95)
User-Agent: %s
USER %s
u|VhD[D
\$(UVW
UVWh0hD
VC20XC00U
video media
VirtualAlloc
VirtualFree
VWhTmD
VWuBht
|$$~@W
WaitForSingleObject
Wednesday
WideCharToMultiByte
WINMM.DLL
WPh`rD
WriteFile
WritePrivateProfileStringA
ws2_32.dll
WS2_32.dll
 WSACancelBlockingCall 
 WSAStartup
 WSAStartup 
wsprintfA
\$(WUS
WwktZ=
www.baidu.com
:www.itx86.com QQ:664330793)
\yf.reg
\yf.reg"
_^][YY
 yyyy = mmm 
<zv[<Ar
<ZvS<0r