Analysis Date: 2013-09-17 04:30:35
MD5: 1fa144014ce281e2fdbb351094cb6361
SHA1: 8bc3af84d24423f55e3be450e365086319f8e12d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: bcefd13d879b5aa1628d5731462b1935 sha1: 5e05fbf6b8bf012397b847cd5d10aee153dc895d size: 75264
Section .data md5: 0eb9af4768d13f3fe805922a21fcbf55 sha1: 9665ae9e81ee6c6c0d2193973be588eb90aa031c size: 2560
Section .idata md5: 7f9440e32acb299f3bda96288136b63a sha1: 1d51ab1fb34c6b541f544524a63c3d9d73f566f9 size: 4096
Section .rsrc md5: 39614af278e0bc2e9c04f423abaf5e8b sha1: 34aeeb974d5cf9f2cd2bbea8a4392831cc019409 size: 15360
Timestamp: 2005-06-26 09:05:32
Packer: RAR SFX
PEhash: c5fd06a3fbc6fe41f3cbcc286bb95acd1b5e78e0
AV avg: Dropper.Generic2.EJJ
AV msse: Trojan:Win32/Provis!rts
AV avira: w <<< TR/Spy.Gen

Runtime Details:

Process
↳ C:\malware.exe

Creates File: winIogon.exe
Creates Process: c:\windows\winIogon.exe

Process
↳ "C:\WINDOWS\system32\winIogon.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: \Device\Netbios
Creates File: C:\WINDOWS\system32\iexpIore.exe
Deletes File: c:\windows\winIogon.exe
Deletes File: C:\WINDOWS\system32\syswindows.ini
Creates Process: "C:\WINDOWS\system32\iexpIore.exe"
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Service: Windows Update System - C:\WINDOWS\system32\winIogon.exe
Winsock DNS: www.for-pc.com

Process
↳ c:\windows\winIogon.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: C:\WINDOWS\system32\winIogon.exe
Creates File: C:\WINDOWS\system32\syswindows.ini
Creates Process: "C:\WINDOWS\system32\winIogon.exe"

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 840

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1092

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝ NULL
Creates File: WMIDataDevice

Process
↳ Pid 1852

Process
↳ Pid 976

Process
↳ "C:\WINDOWS\system32\iexpIore.exe"

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFF681.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Netbios
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ip138[1].htm
Creates Mutex: WininetConnectionMutex

Network Details:

DNS: www.for-pc.com
Type: A
203.189.109.241
DNS: yd.ecoma.glb0.lxdns.com
Type: A
218.92.221.55
DNS: yd.ecoma.glb0.lxdns.com
Type: A
218.92.221.58
DNS: yd.ecoma.glb0.lxdns.com
Type: A
218.92.221.56
DNS: yd.ecoma.glb0.lxdns.com
Type: A
218.92.221.57
DNS: www.ip138.cn
Type: A
218.133.22.66
DNS: www.ip138.com
Type: A
HTTP GET: http://www.for-pc.com/Count.aspx?mac=00-00-00-00-00-00
User-Agent: MyAgent
HTTP GET: http://www.ip138.com/ips.asp
User-Agent: MyAgent
HTTP GET: http://www.ip138.cn/
User-Agent: MyAgent
HTTP GET: http://www.for-pc.com/Version.txt
User-Agent: MyAgent
HTTP GET: http://www.for-pc.com/GetDate.aspx?ip=127.0.0.1&mac=00-00-00-00-00-00&ver=1.3.0
User-Agent: MyAgent
Flows TCP: 192.168.1.1:1031 ➝ 203.189.109.241:80
Flows TCP: 192.168.1.1:1032 ➝ 218.92.221.55:80
Flows TCP: 192.168.1.1:1033 ➝ 218.133.22.66:80
Flows TCP: 192.168.1.1:1034 ➝ 203.189.109.241:80
Flows TCP: 192.168.1.1:1035 ➝ 203.189.109.241:80

Raw Pcap
0x00000000 (00000)   47455420 2f436f75 6e742e61 7370783f   GET /Count.aspx?
0x00000010 (00016)   6d61633d 30302d30 302d3030 2d30302d   mac=00-00-00-00-
0x00000020 (00032)   30302d30 30204854 54502f31 2e310d0a   00-00 HTTP/1.1..
0x00000030 (00048)   55736572 2d416765 6e743a20 4d794167   User-Agent: MyAg
0x00000040 (00064)   656e740d 0a486f73 743a2077 77772e66   ent..Host: www.f
0x00000050 (00080)   6f722d70 632e636f 6d0d0a43 6f6e7465   or-pc.com..Conte
0x00000060 (00096)   6e742d4c 656e6774 683a2032 310d0a43   nt-Length: 21..C
0x00000070 (00112)   61636865 2d436f6e 74726f6c 3a206e6f   ache-Control: no
0x00000080 (00128)   2d636163 68650d0a 0d0a6d61 633d3030   -cache....mac=00
0x00000090 (00144)   2d30302d 30302d30 302d3030 2d3030     -00-00-00-00-00

0x00000000 (00000)   47455420 2f697073 2e617370 20485454   GET /ips.asp HTT
0x00000010 (00016)   502f312e 310d0a55 7365722d 4167656e   P/1.1..User-Agen
0x00000020 (00032)   743a204d 79416765 6e740d0a 486f7374   t: MyAgent..Host
0x00000030 (00048)   3a207777 772e6970 3133382e 636f6d0d   : www.ip138.com.
0x00000040 (00064)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000050 (00080)   6e6f2d63 61636865 0d0a0d0a 6f6e7465   no-cache....onte
0x00000060 (00096)   6e742d4c 656e6774 683a2032 310d0a43   nt-Length: 21..C
0x00000070 (00112)   61636865 2d436f6e 74726f6c 3a206e6f   ache-Control: no
0x00000080 (00128)   2d636163 68650d0a 0d0a6d61 633d3030   -cache....mac=00
0x00000090 (00144)   2d30302d 30302d30 302d3030 2d3030     -00-00-00-00-00

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4d794167   User-Agent: MyAg
0x00000020 (00032)   656e740d 0a486f73 743a2077 77772e69   ent..Host: www.i
0x00000030 (00048)   70313338 2e636e0d 0a436163 68652d43   p138.cn..Cache-C
0x00000040 (00064)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x00000050 (00080)   0d0a0d0a 61636865 0d0a0d0a 6f6e7465   ....ache....onte
0x00000060 (00096)   6e742d4c 656e6774 683a2032 310d0a43   nt-Length: 21..C
0x00000070 (00112)   61636865 2d436f6e 74726f6c 3a206e6f   ache-Control: no
0x00000080 (00128)   2d636163 68650d0a 0d0a6d61 633d3030   -cache....mac=00
0x00000090 (00144)   2d30302d 30302d30 302d3030 2d3030     -00-00-00-00-00

0x00000000 (00000)   47455420 2f566572 73696f6e 2e747874   GET /Version.txt
0x00000010 (00016)   20485454 502f312e 310d0a55 7365722d    HTTP/1.1..User-
0x00000020 (00032)   4167656e 743a204d 79416765 6e740d0a   Agent: MyAgent..
0x00000030 (00048)   486f7374 3a207777 772e666f 722d7063   Host: www.for-pc
0x00000040 (00064)   2e636f6d 0d0a4361 6368652d 436f6e74   .com..Cache-Cont
0x00000050 (00080)   726f6c3a 206e6f2d 63616368 650d0a0d   rol: no-cache...
0x00000060 (00096)   0a742d4c 656e6774 683a2032 310d0a43   .t-Length: 21..C
0x00000070 (00112)   61636865 2d436f6e 74726f6c 3a206e6f   ache-Control: no
0x00000080 (00128)   2d636163 68650d0a 0d0a6d61 633d3030   -cache....mac=00
0x00000090 (00144)   2d30302d 30302d30 302d3030 2d3030     -00-00-00-00-00

0x00000000 (00000)   47455420 2f476574 44617465 2e617370   GET /GetDate.asp
0x00000010 (00016)   783f6970 3d313237 2e302e30 2e31266d   x?ip=127.0.0.1&m
0x00000020 (00032)   61633d30 302d3030 2d30302d 30302d30   ac=00-00-00-00-0
0x00000030 (00048)   302d3030 26766572 3d312e33 2e302048   0-00&ver=1.3.0 H
0x00000040 (00064)   5454502f 312e310d 0a557365 722d4167   TTP/1.1..User-Ag
0x00000050 (00080)   656e743a 204d7941 67656e74 0d0a486f   ent: MyAgent..Ho
0x00000060 (00096)   73743a20 7777772e 666f722d 70632e63   st: www.for-pc.c
0x00000070 (00112)   6f6d0d0a 436f6e74 656e742d 4c656e67   om..Content-Leng
0x00000080 (00128)   74683a20 34340d0a 43616368 652d436f   th: 44..Cache-Co
0x00000090 (00144)   6e74726f 6c3a206e 6f2d6361 6368650d   ntrol: no-cache.
0x000000a0 (00160)   0a0d0a69 703d3132 372e302e 302e3126   ...ip=127.0.0.1&
0x000000b0 (00176)   6d61633d 30302d30 302d3030 2d30302d   mac=00-00-00-00-
0x000000c0 (00192)   30302d30 30267665 723d312e 332e30     00-00&ver=1.3.0


Strings
?*<>|"
 (08@P`p
=;?/1%>
2&?Pk@
2s%,"!y
33!D	3
+-3#4"
3Af0Vt
3i~V0l}
4Y_cOW
4Y_cOW	
%6[TW=
6z$F$NH
&,#7g29
7W>Rv3
%9)IFJ
9VzS|W
]a3QB^
AdjustTokenPrivileges
ADVAPI32.DLL
apu;W	H
AQRPhD
ASKNEXTVOL
@b	gck(W
^bs]5A
C,;C$s/
ceQ&^	gdk
CharToOemBuffA
CharUpperA
CloseHandle
CLSIDFromString
CMT	U]
CoCreateInstance
COMCTL32.DLL
COMDLG32.DLL
CommDlgExtendedError
CompareStringA
CopyRect
CreateDirectoryA
CreateDirectoryW
CreateFileA
CreateFileW
CreateStreamOnHGlobal
CreateWindowExA
CvCl-P
|$|;|$d
D$0+D$<
(d23RU
d5#jDhG\
`.data
D$`;D$\}
D$,;D$0u	
&;D$Dr
D$`;D$T
D$`;D$T|
DefWindowProcA
Delete
DeleteFileA
DeleteFileW
DeleteObject
DestroyIcon
DestroyWindow
DialogBoxParamA
DispatchMessageA
&;D$Lw
DosDateTimeToFileTime
	dQjH$
&dSF)H
D$T;D$\|
;D$Tt\
E;AJ&V
E/FO"+
em3H+=X
EnableWindow
EndDialog
#@EQIc
eR=Gf[
ERpy}Z
ExitProcess
ExpandEnvironmentStringsA
ExtSign
fbc:N:
FFF))EE	FFFF))))))
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileA
FindFirstFileW
FindNextFileA
FindNextFileW
FindResourceA
FindWindowExA
FreeLibrary
g33WwQ
GDI32.DLL
GetClassNameA
GetClientRect
GetCommandLineA
GetCPInfo
GetCurrentDirectoryA
GetCurrentProcess
GetDateFormatA
GetDlgItem
GetDlgItemTextA
GetFileAttributesA
GetFileAttributesW
GetFileType
GetFullPathNameA
GetLastError
GetLocaleInfoA
GetMessageA
GetModuleFileNameA
GetModuleHandleA
GetNumberFormatA
GetOpenFileNameA
GetParent
GETPASSWORD1
GetProcAddress
GetProcessHeap
GetStdHandle
GetSysColor
GetSystemMetrics
GetTempPathA
GetTickCount
GetTimeFormatA
GetVersionExA
GetWindow
GetWindowLongA
GetWindowRect
GetWindowTextA
GlobalAlloc
_g?(>O
gwS3	3
gwS37%w`	
GX6t^ 
<head><meta http-equiv="content-type" content="text/html; charset=
HeapAlloc
HeapFree
HeapReAlloc
	hK"@%q*
hK"@%q*
+`H;rm6
H^,RtW
+}ht0"
</html>
<html>
HWwJf!
.idata
,!]I=I
IkHxx|
!-IlKr\
InitCommonControlsEx
Install
.IpKr[
&	.IR:#
IsDBCSLeadByte
IsWindow
IsWindowVisible
)jH-q-
jiG]2n	
JpTR]\n
K8s3Fr
KERNEL32.DLL
);l$8u
License
LICENSEDLG
lK,;%9
L$\)L$T
LoadBitmapA
LoadCursorA
LoadIconA
LoadLibraryA
LoadStringA
LocalFileTimeToFileTime
LookupPrivilegeValueA
lstrcmpiA
lstrlenA
`}+(m^
ma0	LP
MapWindowPoints
ME1{f8
MessageBoxA
*messages***
mg|#as
m^_MWWi
MoveFileA
MoveFileExA
MultiByteToWideChar
M;Z4s+;Z,s
N4Y_cOW
N+7K6i1
 n8o v
&nbsp;
N_^[Y]
OemToCharA
OemToCharBuffA
`O/f&Tnx
OLE32.DLL
OleInitialize
OleUninitialize
;o\N4#B
OpenProcessToken
Overwrite
PA<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Roshal.WinRAR.WinRAR" type="win32" /> <description>WinRAR archiver.</description> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /> </dependentAssembly> </dependency> </assembly>
`pC]v"
PeekMessageA
penc-N
`P"FRV
'pMy;5C
PostMessageA
PPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
Presetup
ProgramFilesDir
q&4^$}
Q4I?i?
 R=+@	
r2:9-4d
;R}2}BW
__rar_
RarHtmlClassName
RarSFX
ReadFile
RegCloseKey
RegCreateKeyExA
RegisterClassExA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
RENAMEDLG
REPLACEFILEDLG
riched20.dll
riched32.dll
RichEdit
RiP%0"
&RrOzt
@.rsrc
rtmp%d
_\r\U~
s0i.1yV
SavePath
%s.%d.tmp
SendDlgItemMessageA
SendMessageA
SeRestorePrivilege
SeSecurityPrivilege
SetCurrentDirectoryA
SetDlgItemTextA
SetEndOfFile
SetEnvironmentVariableA
SetFileAttributesA
SetFileAttributesW
SetFilePointer
SetFileSecurityA
SetFileSecurityW
SetFileTime
SetFocus
SetLastError
SetMenu
SetWindowLongA
SetWindowPos
SetWindowTextA
sfxname
SHAutoComplete
SHBrowseForFolderA
SHChangeNotify
SHELL32.DLL
ShellExecuteExA
SHFileOperationA
SHGetFileInfoA
SHGetMalloc
SHGetPathFromIDListA
SHGetSpecialFolderLocation
shlwapi.dll
Shortcut
ShowWindow
sIh$FA
Silent
_sjoa.wp
Software\Microsoft\Windows\CurrentVersion
Software\WinRAR SFX
%s%s%d
%s %s %s
STARTDLG
</style>
<style>
<style>body{font-family:"Arial";font-size:12;}</style>
SystemTimeToFileTime
$\S,zi)
T$0+L$8
TempMode
tfkL$@)
tfV?bck(
This program must be run under Win32
t Kt<Kt[
TranslateMessage
T$(;T$,
UL&{z9
UpdateWindow
USC&T3{
USER32.DLL
utf-8"></head>
U**yEi
vbHB\]
v@VL[[
WaitForInputIdle
WaitForSingleObject
W">cnU
#WhcS+
WideCharToMultiByte
winIogon.exe
wQC	q 
WriteFile
wsprintfA
wvsprintfA
Wwgu"'P
w,wITr
WwR"'P
WwS7'u
X5t?t}N
x+BJ2R
.	xG%WD
YNANRC
{<:y&q?	
_^[YY]
$YZ_^[
YZ]_^[
Z2#DyR
_zN0h^
Z)!%o^3
;Z$sa;Z
zv)iK&@