Analysis Date: 2014-04-18 15:04:35
MD5: ff5a768abed2acb5a074e755c1b4d6f3
SHA1: 8ee16f3cde652169e1bb74973063754c5443b834

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (these are the digests of empty input, consistent with the zero section size)
Section UPX1 md5: 85221dca605d996b42e770dc4f620c8e sha1: 6063351c49651ff324870511ca9bcaa4bb7eaa4a size: 7168
Section .rsrc md5: f0ddba77fed0ff5830df80d29b84a007 sha1: ca156d9b1ad0336ba0434f666ed029bf2fe31b63 size: 2048
Timestamp: 2002-07-30 16:38:26
Packer: UPX -> www.upx.sourceforge.net
PEhash: 45a3716ecc5269ea85630a02457f88b6c36d5f42
IMPhash: ae0600e3b28e4d49a6ad023168d4a8f5
AV clamav: Trojan.Yabinder.20B
AV mcafee: MultiDropper-IU
AV msse: TrojanDropper:Win32/Yabinder.2_0
AV avg: TrojanDropper.Yabinder
AV avira: TR/Yabinder.20.B

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\cftmon.exe
Creates File: C:\k.exe
Creates Process: C:\k.exe
Creates Process: C:\cftmon.exe

Process
↳ C:\cftmon.exe

Creates File: C:\WINDOWS\system32\kernel.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFD51C.tmp
Creates Process: C:\WINDOWS\system32\kernel.exe

Process
↳ C:\k.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝
Explorer.exe, C:\Documents and Settings\Administrator\Local Settings\Temp\cftmon.exe\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Logger ➝
C:\Documents and Settings\Administrator\Local Settings\Temp\cftmon.exe\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Logger ➝
C:\Documents and Settings\Administrator\Local Settings\Temp\cftmon.exe\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Logger ➝
C:\Documents and Settings\Administrator\Local Settings\Temp\cftmon.exe\\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\cftmon.exe
Creates Mutex: ViottoLogger

Process
↳ C:\WINDOWS\system32\kernel.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ ➝
C:\WINDOWS\system32\kernel.exe
Registry: HKEY_CURRENT_USER\Identities\Identity Ordinal ➝
2
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\AssociatedID ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Server ID ➝
4
Creates File: PIPE\ROUTER
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFE437.tmp
Creates File: \Device\Afd\AsyncSelectHlp
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Starts Service: RASMAN

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 860

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝
NULL
Creates File: PIPE\wkssvc
Creates File: WANARP
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates Mutex: Global\RAS_MO_01
Creates Mutex: RAS_MO_02

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1848

Process
↳ Pid 1164

Network Details:

DNS: smtp.glbdns2.microsoft.com
Type: A
65.55.172.254
DNS: smtp.live.com
Type: A
Flows TCP: 192.168.1.1:1031 ➝ 65.55.172.254:25

Raw Pcap
0x00000000 (00000)   45484c4f 20434f4d 50555445 52585858   EHLO COMPUTERXXX
0x00000010 (00016)   5858580d 0a                           XXX..


Strings (static extraction; the sample is identified as UPX-packed above, so most of the entries below appear to be packed-data noise rather than meaningful plaintext)
..
L
^..
L
===,,,
>>>***
   !!!!!!  !   
   ###$$$!!!
:::(((###
!!!---
!!!,-!
!!!'((,-->>>
!!!"!!   
!!!"""%%%&&&&&&$$$   
!""!!!"""!!!      
...'''%%%
"!"###%%%&&&'''''''''&&&###   
"""]]]
"""###%%&&'''('(((((('''&&&%%%###   
)**			
$$$&'&)))***++++**)))'''###
&&&%%%
&%%$##
###!!!
+++			
						
0!!000
&&'''')(),+,---...0/0000///+++&&&
00!000!1
0000/I
0000I/
0000I+
/0000Ik
0009:0
000ooo```ssspppnnnooo###
009:9:
!009:9:0
;00/I?
_00/I3
###***---011111000---)))"""
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!!0!!!`+`+19:
09:9:P
!!0!!!d!`p
!0i53x
(1);,#
'('&&'%%%$%%$$%101ddeeee&&&***---000222444111,,,!!!
"""&&&)))+,+...///111221222222211000///,,,***'''$$$   
""#&&&.--111444656777788878767444111...)))###
112777
123e9:0
%16J^r
***\\\212kkk   
222%%%
222{{{333jjj
""##&&(()),,--//2233668899;;>>@@AADDEEGGJJLLMMOORRSSVVXXYY[[^^``aaddeeggjjkknnppqqttuuwwzz||}}
2!mx9r
"""""3
31gvWY
322!"!666333100434
323|||a`aMMM___777===???AAABBBCCCCCCBBB@@@>>>:::5550/0)**#""
333...
333@??@??@?@BCBDDDEDD777***
3Ag[{k
433{{{{{{KJKKKKhhh989;;;>>>???AAABBBCCCCCCCCCCCCBBBAAA???===:::676323...)**%$$
"""$43C
454+++
4D41C""
4DPXdl
5511a1
%%%555
555[[[
5550//$$%
555551
555555:
555AAA
555yyyccc:::@@@EEDEEECCCCCCIHHJJJJJJJJJIIIFFFAAA999..-
^^^656
6c[&k`p&
,73-t.
  !777{{{}}}
++,777<<<
$$$&&'((()))))))))))))))((((((''(('(%%%777ppp|||{{{???,,,-,-......001111323444555666766666555333000,,,((("""
#$$<==878011,,+'''
[[[888^^^TTT
888yyyzzz;;;
8buH+D>
989?>>
!9:9:0!
===999
9:9:9:
999222
999HIH
:9:CCCBAB
9FFFIyyyyyyF
9Wai:eS
9:YZ00
a4DDC3i
	^^^AAA
AAA<<<"!!
AAAHHH
AADDA""
ADVAPI32.DLL
_apjty
@Attribu<s
B0D""!
)))bbbbbb
=<=BBBFFFHHHCCC>>>
bbbUTT
$b;d$"
$(b;h$$"
[?b(?n
C0000/
$$$cbckkj
+,C,]C-C,]C-C,]C-C,]C-C,]C]nn
ccedb0:!Bq
C,]Clq
%$$$$$D
""$D04DC
""""D0"%P
"""D0"%UU
"""D0"%UUPUU
DANGE(
""""DD2%UUQUUP
DD604C3
DDA	YP
DD"&b"DADD
DDDDD3a
___@@@DDDEFEHHGIIIJJJKLKLLLMMMNNNNNNOOOPPPPPPPPPOOOOOONOOMMMLLLKKKIIIFFFBBB???:::555//.('(!! 
^^^DDD---...OOOBBB777>>=999&&&
del "%s"
D$$$(h[
dKdkhd
dLcdjk)
dLcdjkhchc)v
dLcThe
Do?9GC
_dThcg
<d VhiH
@echo o
EEE$##
eeeAAAEEEGGGIIIJJJKKKLLLKJJHHHGFFCCC@?@:::444--.&&&
#$$eff
ExitProcess
ExitProcessFileTimeToDosDa
""""$F
F9:9:0
fff~~~
fffDDD
FFFFF=
FFFFFF=
FFFFFFFFF?
FFFFFFFFFF
FFFFFFFFFFF=
FFFyyvF
fffzzz===
FFyyyyFF
FFyyyyyyFF
"!"FGF
FIFvFIyvFF=
g000t|
GetCommandLineA
GetProcAddress
)((gffZ[ZQQQ999@@@CCBDCDCCC@@?;;;444*+*
ggg```
[[[GGGBCBGGG@@@434
@@@GGG@@@???DDDFFFHHHEEEJJJIII222
___???GGGJJJLLLMMMNNNPPOPPPONNMMMKKKIIIFFFBBB===767/0/'''
GGGYYYWWV
G_)|Me
 got*#
h$$$$$"$
h$$$$$$$$$
>ha%	v	
HC,]CL
_hevgdLg
_hevjdLg
hfdKcUhdh
?hfhchc
h$$$$$$$$$h$
hh$$$$$
%@@H#$h
   HHH}}}
hhhhdh"
hh($h(hh$$$([
hhhhh_
hhhhhhe
_hhhhhhh
hhhhhhhhhhhh
hhhhhN
HHHIII			
hh$$$(Z
\[[hiilll
hT1..)
ick{uh
#idjk)
if ex,
IHHAAB
+,+\\\III
III\			
iii999888????>?AAABBBBBB@@?ABABBBFFFFFFGGGGGGGHGHHHGGGGGGEEEBBB>>>999222)))
!!!iiiAAA
&&&***iii~~~~~~tttCCCEEEGGGIIIKJJLLLNNNNNNOPOPPPQPQQRQRRRQPQPPOPOPNNNMMMKKKJJJGGGCCD???;;;555000*)*"""
III{{{{{{zzz;;;888;;;===>>>???@@@AAAAAABBBBBBCCBCCCDDDEDDEEEFFFFFFGGGGGGGHGHHHGGGGGGGGGEEECCCAAA>>=:::555///(((   
Iyt$$$$$)
J2$$$$([_;
JJJ<<<@@@BBBDCCEEEFFFGGGGGGHHHIIIJJJJJJKKKKKKLLLLLLLLLLLLLLLLLLKKKJJJHHHFFFDDD@@@===888222,,,%%%
~~~~~~JJJDDDGGGIIIJJJKKKMMMMMMOOOOOOOOONMMLLLKJJIIIFFFEEEAAA>>=999444///)))"""
JJJLLLMMMNNN
JJJTSS
kC,]C-C,]C-C,]C-C,]C+C,]C2C,]C,C,]C-C,]C-
kdLcVcTh
kernel32.dll
KERNEL32.DLL
KKJSSSVUVYYYYYYXWWZYY777
""#<<<kkk
kkkk||||
KKK*---q
KKKRHf(~
kkkRRR
KP4=fF
kValue
&\l]3)
=l&F$$&F
^__lkl
LLL)))
llliiiooo
LLLOOO***
LoadLibraryA
MessageBoxA
ML9:LLX
	*))mmm<<<
>>>MMM
MMMFFFKKKMMLNOONNNKKKGGGBBB;::111$$$
mmmppq
MNWWWWWWWWWWWWWWW
msvcrt.dll
n55555
nC,]CC,]CC,]CC,]C.C,]C.C,]C-C,]C-C,]C-C,]C-C,]C-C,]C-C,]C-C,]C-C,]C-C,]C-C,]C-C,]C-C,]C-C,]C-C,]C-C,]C-C,]CfcaUW[QLLahRWQKaLZK
NNNKKK---
nnnqqqEEE
NNNWWW
NNO]]]]]]
ntVersionmk
NWWWWWW
NWWWWWWWWWWWW
O1[NNwxNJBBE99E
O'+60o
.ObjsJ
okZ[qll
ooo)))
OOO,***
ooojjj
oookkk
___ooorrr
ooosss! !$$$((),,,000333555777999:::;;;;;;;;;;:;:::888766444111---)))%&&!!!
$OQ1tto<<\<A<1<1=}R}\\R
oS*W*W
:oWb \]
'.o}wT
O+!xb&,
phchcN
poo___
PPOuuu***
pppAAA"""***--,---..--.-----,.,,,JJJttt
---ppprrrFFFCCCKKKMNMOOOPPPPPPOOOMMMJJJDDD<<<222$$$
PQQ-..212333434655777888999999888555000***"""
pt0ls-d
;;;QPOMMMBBB+++
   QQQ
   %%%QQQ|}|}}}~~~~~~IIIBBADDDFFFGGGHIHJIIJJJJJJJJJIIIGGGFFFDDDAAA>>?:;;766211---'''!!!
QQQ\\\IIILLLMMMNNNFFF777
qqqsss333
rCf,9v
RegCloseKey
ROOCURRNONEW
rrn4GG
rrq,,,	
!!!('(,,,RRR~~~~~~~~~DDDEEEGGGJJJKKKMMMNNNOOOOOOQQPQQRPPPPPPOOONNNLLLKKKHHHFFFCCC???;:;555000***###
rrrIII===EEDFGFHHHIIIKKKKKKMMMMMMNNNNNNMMMMNNLLLJJJIIIFFFBBB=<=666.--$$$
*rWLhV_
SHELL32.DLL
ShellExecuteA
SN15:{1
sssxxw
SSS|||yyy'''"""###%%%''&(((***+,+,-,.../////////...,,,)))$$$
*SVv]a
S(@Xhx4M
SXtware\Micro
=Sys%mBT
\t\f\u\c
!This program cannot be run in DOS mode.
TNWWWWW
TNWWWWWW
TNWWWWWWWW
TNWWWWWWWWWWW
TTS|{{   
tttGGG
TTTJJJ
TTTqqq555
ttttWWWWWWWWWWWW))))g
TTTxxxeee
TTTxxxTSS
u000000!0
U55555
USER32.dll
UUUTTTrrrOOO+++555777777555XWXddd888;;;>>>?>?@??@@@>>>999000###
UUUUYcDC
\v\d\u\c
vNWWWWWW
vrWWWW
"""VUU
^^^vvv!!!
VVV222
W0000I
W000/Iw
w00/Iw{
\Windows\Cur
W"wH.vW
WWU55555WWZ
$$$,,,www}}}
!! wwwTTT
WWWU5557W|
WWWWWWQ
WWWWWWW
WWWWWWW|
WWWWWWWP
WWWWWWWW
WWWWWWWWWWW
WWWWWWWWWWWW
WWWWWWWWWWWWttttWWWWWWWWWWWW))))
WWWWWWWWWWWWWW
wwwwwwyyy|||TTT(((,,,//.000111222222222222212222111___
xNWWWWWWW
XWXWWWWWWW
XXW//.222777777888888999888IIIkkkLLL777<=====???@@@@@@A@@AAA@@@>>><<<999333+++"""
Y0,i`|rc
			yyxzyz
}}}yyy@@@455555667777888:99:::<;;<<<===<<<===<<<:::777444///***###
Yyyyy$$$$yv=
zzzAAA
ZZZ???GGGJIIJKJMMMNNNOONPPPQQQPOPONNNNNLMLIJIHHHCCD>>>777000'''
ZZZ|||{{{kkj1113335557778889999:9::::::;;:;;;999YXXjjj:::===>>>>>>???@@@AAAAAABAABBBBBBBBBBBB@@@???<<<::9555000)))"""
ZZZvuu99: