Analysis Date: 2013-10-08 16:43:40
MD5: 5cc51334f9ebfef5a7c4e086e9be6f03
SHA1: 8e6e608beb69239b3d2e6014278e73cd0afeb9ab

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: e18df6b009e7bc37618b46b944268728 sha1: e618b4c791f0fa0aac2a988d95c7c911c149cf66 size: 28672
Section .rdata md5: 50bcf7a90d659b511bdc6d826d46cad3 sha1: d04aa7fbc4769ead1da8ee717b52006c76b7d734 size: 8192
Section .data  md5: 348971ce6b68de54e4c26b7c695f89f3 sha1: cfb5e0372f779c4aff41321c66276481d9d3dbde size: 176128
Section .rsrc  md5: 7dc4661aadd493fc99b2ffa0890bd2ac sha1: deeb789d9ad3c53bd875b48dc660f9a0c143efc3 size: 49152
Timestamp: 2013-01-10 08:03:04
Packer: Microsoft Visual C++ ?.?
PEhash: b54c8af9fd3310cf370e2f7bba4dfba14d18b374
AV (avg): Inject.BXMK
AV (avira): TR/Crypt.XPACK.Gen7
AV (msse): Backdoor:Win32/Plugx.A

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\Software\CLASSES\FAST\CLSID ➝ NULL
Creates File: C:\Documents and Settings\All Users\Gf\boot.ldr
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\Gf\NvSmartMax.dll
Creates File: C:\Documents and Settings\All Users\Gf\NvSmart.exe
Creates Mutex: DBWinMutex
Creates Mutex: StartInstall

Process
↳ "C:\Documents and Settings\All Users\Gf\NvSmart.exe" 100 1108

Creates Service: GfHttp - C:\Documents and Settings\All Users\Gf\NvSmart.exe 200 0

Process
↳ C:\Documents and Settings\All Users\Gf\NvSmart.exe

Creates Process: C:\WINDOWS\system32\svchost.exe 201 0

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe 201 0

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: pipe\winlogonrpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\WINDOWS\system32\msiexec.exe 209 220
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: DBWinMutex
Winsock DNS: 127.0.0.1

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates Process:

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\malware.exe ➝ C:\malware.exe:*:Disabled:8e6e608beb69239b3d2e6014278e73cd0afeb9ab\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates Process: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\firewall.cpl,ShowNotificationDialog /configure "C:\malware.exe"

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝ NULL
Creates File: WMIDataDevice

Process
↳ C:\WINDOWS\System32\alg.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\services.exe

Creates File: pipe\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
Creates File: C:\WINDOWS\Debug\UserMode\userenv.log

Process
↳ C:\WINDOWS\system32\msiexec.exe 209 220

Process
↳ C:\WINDOWS\system32\wbem\wmiprvse.exe

Creates File: PIPE\lsarpc
Creates Process: "C:\Documents and Settings\All Users\Gf\NvSmart.exe" 100 1108

Process
↳ C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\firewall.cpl,ShowNotificationDialog /configure "C:\malware.exe"
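
The runtime details above show a launcher EXE (NvSmart.exe), a DLL sharing its name prefix (NvSmartMax.dll) and a loader blob (boot.ldr) dropped into one directory, a service (GfHttp) pointing at the launcher, and a Windows firewall exception written for the original binary: the DLL side-loading pattern behind the Backdoor:Win32/Plugx.A label. The following Python script is an added triage example and is not part of the sandbox report or of any tool the report was produced with. It parses lines in this report's `Key: value` layout (a constructed subset of the lines above is embedded; the trailing NUL marker on the firewall value is omitted), groups dropped files by directory to spot the triad, ties the created service back to that directory, and decodes the `AuthorizedApplications\List` value using the `path:scope:state:name` layout. The regexes, the triad heuristic and the `triage` function are assumptions of this example, not something the sandbox documents.

```python
"""Triage helper for sandbox 'Runtime Details' output in the format used above.

Added example; it is not part of the original report and the heuristics are
the example author's own. It parses 'Key: value' runtime lines, groups dropped
files by directory to spot a DLL side-loading triad (launcher EXE + same-prefix
DLL + non-PE payload in one directory), ties the created service back to that
launcher, and decodes the Windows XP firewall AuthorizedApplications value.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: a subset of the runtime lines from the report above,
# with the key/value separator normalised to ': ' and the trailing NUL marker
# on the firewall value omitted.
SAMPLE_REPORT = r"""
Creates File: C:\Documents and Settings\All Users\Gf\boot.ldr
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\Gf\NvSmartMax.dll
Creates File: C:\Documents and Settings\All Users\Gf\NvSmart.exe
Creates Mutex: DBWinMutex
Creates Mutex: StartInstall
Creates Service: GfHttp - C:\Documents and Settings\All Users\Gf\NvSmart.exe 200 0
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\malware.exe ➝ C:\malware.exe:*:Disabled:8e6e608beb69239b3d2e6014278e73cd0afeb9ab
"""

LINE_RE = re.compile(r"^(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")
SERVICE_RE = re.compile(r"^(?P<name>\S+) - (?P<image>.+?\.exe)(?P<args>.*)$", re.I)
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


def parse_report(text):
    """Map each 'Key: value' line to a list of values, preserving order."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events[m.group("key")].append(m.group("value"))
    return events


def find_sideload_triads(created_files):
    """Group drive-letter paths by directory (pipes and \\Device objects are skipped).
    A directory that receives an EXE, a DLL and at least one other file is reported,
    with a flag for the DLL name sharing the EXE's stem (NvSmart.exe / NvSmartMax.dll)."""
    by_dir = defaultdict(list)
    for f in created_files:
        if DRIVE_RE.match(f):
            p = PureWindowsPath(f)
            by_dir[str(p.parent)].append(p.name)
    triads = []
    for directory, names in by_dir.items():
        exes = [n for n in names if n.lower().endswith(".exe")]
        dlls = [n for n in names if n.lower().endswith(".dll")]
        payload = [n for n in names if not n.lower().endswith((".exe", ".dll"))]
        if exes and dlls and payload:
            same_prefix = any(
                PureWindowsPath(d).stem.lower().startswith(PureWindowsPath(e).stem.lower())
                for d in dlls for e in exes
            )
            triads.append({"dir": directory, "exe": exes, "dll": dlls,
                           "payload": payload, "same_prefix": same_prefix})
    return triads


def parse_services(service_lines):
    """Split 'Name - image.exe args' as the sandbox writes it."""
    services = []
    for s in service_lines:
        m = SERVICE_RE.match(s)
        if m:
            services.append({"name": m.group("name"), "image": m.group("image"),
                             "args": m.group("args").strip()})
    return services


def parse_firewall_exceptions(registry_lines):
    """Decode AuthorizedApplications\\List values, laid out as 'path:scope:state:name'.
    The path itself contains a drive colon, so split from the right."""
    exceptions = []
    for r in registry_lines:
        key, sep, value = r.partition(" ➝ ")
        if not sep or "authorizedapplications\\list\\" not in key.lower():
            continue
        value = re.sub(r"(\\+x00)+$", "", value)  # drop an escaped trailing NUL marker
        parts = value.rsplit(":", 3)
        if len(parts) == 4:
            exceptions.append(dict(zip(("path", "scope", "state", "name"), parts)))
    return exceptions


def triage(text):
    """Run all checks and return structured results plus one-line findings."""
    ev = parse_report(text)
    triads = find_sideload_triads(ev.get("Creates File", []))
    services = parse_services(ev.get("Creates Service", []))
    firewall = parse_firewall_exceptions(ev.get("Registry", []))
    findings = []
    for t in triads:
        findings.append(f"side-loading triad in {t['dir']}: {t['exe']} + {t['dll']} + {t['payload']}")
    for s in services:
        # A service whose image lives in a triad directory is the persistence hook.
        if any(s["image"].lower().startswith(t["dir"].lower() + "\\") for t in triads):
            findings.append(f"service {s['name']} persists the side-loaded launcher {s['image']}")
    for fw in firewall:
        findings.append(f"firewall exception for {fw['path']} (scope {fw['scope']}, {fw['state']})")
    return {"triads": triads, "services": services, "firewall": firewall,
            "mutexes": ev.get("Creates Mutex", []), "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE_REPORT)["findings"]:
        print(line)
```

Run as-is it prints the three findings for the embedded sample; to use it on a full report, normalise the `Key value` lines to `Key: value` first. Note that the triad check keys on a directory receiving all three file kinds, so the pipe and `\Device\Afd\Endpoint` entries the sandbox also logs as "Creates File" never pollute the grouping.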

Network Details:

Flows UDP: 192.168.1.1:53 ➝ 192.168.1.1:53
Flows UDP: 192.168.1.1:53 ➝ 192.168.1.1:53

Strings:
(&A) ...
 (C) 2012
(&F)
                                 H
         (((((                  H
(&H)
         h((((                  H
jjjj
Shell5
SHELL5
Shell5 1.0 
(&X)
|*>\\/@
                          
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
|!<08qr
"09'i)
0A@@Ju
0,b4=&
0I//B4
0SSSSS
0WWWWW
1o2zrPn
2111](S
26m<`/=1D{
2`]@F-
2kO-cQ
2{LX4d
2MF\_R
2ms)-r
2PP-nXk
2pt?OC
2;Q3]L
2RTFna
3F1jk3#
3*F1Mm
=?3}No(
4|& 2XT
4b2rp>
4~f9.u
$!$,4g^e
4!	NOGC`}Dm*M
<4,QJ`
4$=^u}
53>h!h
",-5d}
5=f`@	
5~`v!S
5ydXQ*
_5!Y_v
63[4]5mm]5\]m]mm5\mm5555555\\\5\\\5m\55\\5ed:
6AE}G`
6*'dD_
6nEK'h5
6@yZv}
71OCoV
=7c3U;
7cja[uP?
>7h)glIk~i
7r&#6V
7rPZyI
7'vqKR
83Pjk|
{8smjW/
)8X:Fr
9]3d-}
9DF{sa
9!gG2v
9_I[Ed
9lo8ap
9[,t%8
(A*2c~
a2&k_K
^A	4X"
A-aQ: [_
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
ac5b/{%
al#?O"
An application has made an attempt to load the C runtime library incorrectly.
aNlHh+
Ao@EC0#
aP@79V
ARL	4F
A	!Tt.
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
August
auV<Ix
ax0AV[
ayv8jb
B@0PbF\
|b3<AW
B*9aw{
BBFFf;
BeginPaint
bkyYUT
|b`LYz
b_P,0:c
>*bV8>d
by1ekDoO
C2@?kp	(
c{2 Tb
C3wtP>N
?&c|Hq/!
C\I 1G
Cj9!V'
c,k\MG&
CorExitProcess
cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
^Cq`yX
CreateWindowExW
- CRT not initialized
D$$_^[
&D0Dq2dk
D$8(QC
@.data
dddd, MMMM dd, yyyy
December
DecodePointer
DefWindowProcW
DeleteCriticalSection
DestroyWindow
DialogBoxParamW
DispatchMessageW
_d~}J'
d(+(KQ
DOMAIN error
\dQf	Ex]A
ds!Z5V
d $vaR
DWLYez
#E6yVoc
eA0dO#
;e}!a2
<eK^tK
elZ>z 
EncodePointer
EndDialog
EndPaint
EnterCriticalSection
et4uf&S
ExitProcess
F^(1Vq
@@f98u
Fb)SGZ
February
F>fN>.
!fFOVk
fgu(L9
- floating point not loaded
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
`%,[FoAv
(~=FPv
:%FR (/
FreeEnvironmentStringsA
FreeEnvironmentStringsW
Friday
F<Wu8/
	F=Yh,
g2111,
G5) 9y`
g/BsOP
{Ge2Ap+]0
GetACP
GetActiveWindow
GetCommandLineA
GetCommandLineW
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileType
GetLastActivePopup
GetLastError
GetLocaleInfoA
GetMessageW
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetOEMCP
GetProcAddress
GetProcessHeap
GetProcessWindowStation
GetStartupInfoA
GetStartupInfoW
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemTime
GetSystemTimeAsFileTime
GetTickCount
GetUserObjectInformationA
GetVersionExA
GFzXTPC
G=*l|?
Gm+~'Y
/G&OhZ
}GqVKnakbG
gROfyD
g^_sII?P
`g$SU7p
<{G'ta
GV!u[^
H0S/ACd
H	.3.cn
:/H9R<*
h$A9TRo0
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
	hGTAJ
HH:mm:ss
HrCg@b	g 
,HX;HK
H?x	=	I
I3')+*+)))*))()*+++,6J!54 CBA
I4|b=E
I+_93	
i@b9g;7U
I>f)-9
ihi#9V
<ikPx 
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
InterlockedDecrement
InterlockedIncrement
Ip	;r^
I."s,9
IsDebuggerPresent
'#iXKp
+][iz	97
JanFebMarAprMayJunJulAugSepOctNovDec
January
JcD9?Iu
}jdF/9
jdh(QC
JEEEEEEEEEEFC
JEEEEEEEEEEFD
JEFEEEEEEEEEB
JfNAo!
>J'hGS
JHHGGGGGGGGHI
JJIIIIJIIIIJJ
j(j ^V
j@!P)^
j]:R	!
JudjEH
$JVSPM
jYPQTVTSkllZTTXRTUiHceWda/
JZg_@i
&K4FIs=
k6{pqR6
	KA/^c/%
kb\~U5
 KC[=N
kernel32.dll
KERNEL32.dll
KERNEL32.DLL
k=={#L
K>]q9C
=:kwvvU
}./.l!%
LCMapStringA
LCMapStringW
LeaveCriticalSection
"lnV'g
l+NynmB5
LoadAcceleratorsW
LoadCursorW
LoadIconW
LoadLibraryA
LoadStringW
&l!RN5
Lsyq,g
LYml%8
M9k(a6
MessageBoxA
Microsoft Visual C++ Runtime Library
&;mkux]
MM/dd/yy
Monday
mscoree.dll
mte3m{@
MultiByteToWideChar
M$V&Kv
+mxfgM
Mzcn)V
n0B	.2
N8.pwK$5^A
NdEFeL
\NJ#&C
NM8]i6
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
NrnLRv
nsbn6rio!
Nw~ytMMMMMMUbbrrrrrxxxxxxxxrriUMMMMMMMMMUuzt
O3p?}#
)O6530./21+*-,4#4PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
O(@>=77A779?<8;$O' 
O)7uLq
|OB:>-WH
October
O%JEEEEEEEEEFFB
 OL=Ej
O=ne%#
;>O&Qm
Otf(3mL
o+xD(	
?O'xi7
oYM;=(
o#ypq-H
OYX	Km
P1111	
p7ii9[=
p9|Y_$
|P,"a_
pc6(u9
&PcF3-
pe;+a~
PF<*;B,
PgYI/0U
Pj-$5w
Please contact the application's support team for more information.
]?pM&}q
PostQuitMessage
PPPPPPPP
PPPPPPPPPPPPPPPPPKMNNNNNNNNNNOLO
Program: 
<program name unknown>
- pure virtual function call
pwwwwwwww
pwwwwwwwwwwwwwwwp
pxDDDDDDDDD@
pxDDDDDDDDDDDDDDpx
pxDDDDDDDDDH
pxDDDDDDpx
P_XFS8
pxwwwwwwpxDDD
pxwwwwwwwwwwwwwxpx
q6%Wqe
QJV24`%
}>qooggggggg1`_fhsnHK
"q pj,h
QQSVWh
qtSCe_YR
QueryPerformanceCounter
R0*9;?
r~>4]0
R=aeh>
r.a-gA
rD2~0XAr
`.rdata
r}DT<y
RegisterClassExW
RH3$uL
)rO2hG$x
rtJS6/KA
RtlUnwind
runtime error 
Runtime Error!
r"VD48
s6&a^D
Saturday
sdATJM'c{
September
SetHandleCount
SetLastError
SetUnhandledExceptionFilter
ShowWindow
SING error
Sk95G	
s`\mv6
$SOi|L
sQO3So@<K
%S]RknT
Sunday
SunMonTueWedThuFriSat
Sv9T(U
t^9(uZ
TB[k%_S
.%Tcul
tD9(u@
TerminateProcess
This application has requested the Runtime to terminate it in an unusual way.
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
Thursday
TLOSS error
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
tm i7l
TMuK%_
TranslateAcceleratorW
TranslateMessage
TSML9b
Tuesday
;t$,v-
t+WWVPV
:tY-,o
t%zCP?H0
u2>TM{w
U6/u._
ub>I?V
ud,x+i
u/	F^#i
uG.awYI
uHzcSW
uL9=lPC
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
u#nfm$
UnhandledExceptionFilter
u;OkFA
UpdateWindow
U:PPB}P:xts"=U
UQPXY]Y[
URPQQhlS@
USER32.dll
USER32.DLL
UU`hy:
u/`xjo
-v4~Z\h
v6jwV)T
VirtualAlloc
VirtualFree
vNc*@<|
v	N+D$
VN@YJ<Nr
@VRLmkT
-VT[BI
@vu(e+
.w1fy0
{w)1MFC
w5w7CW
 w">7o
Wednesday
WideCharToMultiByte
<`{wJg
WkV21TSav^8{
wMMp~B
w\&mu@
wO{'Kc
wpo?5<0
:"~W'R
WriteFile
wwwwwwwpx
wwwwwwwwwwwwwwwpx
.wyq?\
wyT}wP
x1I(t~B
)X.!:B
x{@Cru
x<|#en&
xg?Jzm
X".?!hX2
Xj]{]I.
>,Xl,B
:xO>OS
x-#qQ,t=
X~R%S?|
xTAEk'_ZG
y6AZG?
Y[6q`1
yLfu@7
%+yn.U[
|Y(Nvo
yoZTfr	'r
<YP_8H
YqK`jI
>=Yt/j
Y%vMy2?3B
{|yvrrwsqpon
ywaJ:Hr
)!~*yX
YYu-9D$
YYuTVWh
zezb`'
Z.n"^W
Z!o\b(qUQ
zQ8vrL
Z\*-tF
<;zv>'
@Zy=<|wj7
}zy|yx~