Analysis Date: 2014-09-09 10:16:16
MD5: 6d7ffe5bf55978274f6768f5aae3b5a6
SHA1: 90d1f9d6cf74e893029294440fb944e1513723bd

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (empty-input digests: this section has no raw data on disk)
Section UPX1 md5: 2cd9b81697eadbcb6244a89629f0e4a5 sha1: fb7b4c43a759163ac1e7be41fad5ae7a11eaa095 size: 44544
Section UPX2 md5: 6ee1402edcc0ca9f30a6db475299a62e sha1: c6c8b065e8a85868c3ec701a5b359eaaebbd2acc size: 512
Timestamp: 2004-03-19 08:58:54
Packer: UPX -> www.upx.sourceforge.net
PEhash: 8d05c2cd1acabbc4a48d568ba8752fadbf8359a4
IMPhash: c7ecd1a0a4200634e300116dcad86d0d

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\msgfixed.exe
Creates Process: C:\WINDOWS\system32\msgfixed.exe
Creates Mutex: jop

Process
↳ C:\WINDOWS\system32\msgfixed.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Msg Fixage ➝
msgfixed.exe\\x00\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Msg Fixage ➝
msgfixed.exe\\x00\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Msg Fixage ➝
msgfixed.exe\\x00\\x00
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Mutex: jop

Network Details:

DNS: irc.abjects.net
Type: A
94.23.42.81
DNS: irc.abjects.net
Type: A
192.186.136.206
DNS: irc.abjects.net
Type: A
192.241.89.206
DNS: irc.abjects.net
Type: A
195.154.6.113
DNS: irc.abjects.net
Type: A
37.59.41.117
DNS: irc.abjects.net
Type: A
37.59.60.133
DNS: irc.abjects.net
Type: A
62.210.211.122
DNS: irc.abjects.net
Type: A
91.217.189.77
DNS: r0x.myvnc.com
Type: A
DNS: irc.freshirc.com
Type: A
Flows TCP: 192.168.1.1:1031 ➝ 94.23.42.81:6667
Flows TCP: 192.168.1.1:1033 ➝ 94.23.42.81:6667
Flows TCP: 192.168.1.1:1034 ➝ 94.23.42.81:6667
Flows TCP: 192.168.1.1:1035 ➝ 94.23.42.81:6667
Flows TCP: 192.168.1.1:1036 ➝ 94.23.42.81:6667
Flows TCP: 192.168.1.1:1037 ➝ 94.23.42.81:6667
Flows TCP: 192.168.1.1:1038 ➝ 94.23.42.81:6667
Flows TCP: 192.168.1.1:1039 ➝ 94.23.42.81:6667
Flows TCP: 192.168.1.1:1040 ➝ 94.23.42.81:6667
Flows TCP: 192.168.1.1:1041 ➝ 94.23.42.81:6667
Flows TCP: 192.168.1.1:1042 ➝ 94.23.42.81:6667
Flows TCP: 192.168.1.1:1044 ➝ 94.23.42.81:6667
Flows TCP: 192.168.1.1:1045 ➝ 94.23.42.81:6667

Raw Pcap (captured TCP payloads: repeated IRC client registration, NICK/USER, with a varying "[KuanG]-<number>" nick)
0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d363036   NICK [KuanG]-606
0x00000010 (00016)   34333131 33390d0a 55534552 205b4b75   431139..USER [Ku
0x00000020 (00032)   616e475d 2d373039 31333633 32302030   anG]-709136320 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 36303634    0 :[KuanG]-6064
0x00000040 (00064)   33313133 390d0a                       31139..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d323530   NICK [KuanG]-250
0x00000010 (00016)   37333738 38330d0a 55534552 205b4b75   737883..USER [Ku
0x00000020 (00032)   616e475d 2d343934 34373931 30342030   anG]-494479104 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 32353037    0 :[KuanG]-2507
0x00000040 (00064)   33373838 330d0a                       37883..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d373531   NICK [KuanG]-751
0x00000010 (00016)   36393134 33350d0a 55534552 205b4b75   691435..USER [Ku
0x00000020 (00032)   616e475d 2d393934 32323335 34382030   anG]-994223548 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 37353136    0 :[KuanG]-7516
0x00000040 (00064)   39313433 350d0a                       91435..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d313530   NICK [KuanG]-150
0x00000010 (00016)   34363530 38390d0a 55534552 205b4b75   465089..USER [Ku
0x00000020 (00032)   616e475d 2d313530 34363530 38392030   anG]-150465089 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 31353034    0 :[KuanG]-1504
0x00000040 (00064)   36353038 390d0a                       65089..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d373133   NICK [KuanG]-713
0x00000010 (00016)   30353435 34320d0a 55534552 205b4b75   054542..USER [Ku
0x00000020 (00032)   616e475d 2d373133 30353435 34322030   anG]-713054542 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 37313330    0 :[KuanG]-7130
0x00000040 (00064)   35343534 320d0a                       54542..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d313132   NICK [KuanG]-112
0x00000010 (00016)   38333831 39360d0a 55534552 205b4b75   838196..USER [Ku
0x00000020 (00032)   616e475d 2d313132 38333831 39362030   anG]-112838196 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 31313238    0 :[KuanG]-1128
0x00000040 (00064)   33383139 360d0a                       38196..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d383237   NICK [KuanG]-827
0x00000010 (00016)   31353930 36310d0a 55534552 205b4b75   159061..USER [Ku
0x00000020 (00032)   616e475d 2d383237 31353930 36312030   anG]-827159061 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 38323731    0 :[KuanG]-8271
0x00000040 (00064)   35393036 310d0a                       59061..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d313734   NICK [KuanG]-174
0x00000010 (00016)   33393235 30320d0a 55534552 205b4b75   392502..USER [Ku
0x00000020 (00032)   616e475d 2d333238 38323336 31332030   anG]-328823613 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 31373433    0 :[KuanG]-1743
0x00000040 (00064)   39323530 320d0a                       92502..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d353735   NICK [KuanG]-575
0x00000010 (00016)   31373639 35360d0a 55534552 205b4b75   176956..USER [Ku
0x00000020 (00032)   616e475d 2d373237 36303832 36372030   anG]-727608267 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 35373531    0 :[KuanG]-5751
0x00000040 (00064)   37363935 360d0a                       76956..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d323136   NICK [KuanG]-216
0x00000010 (00016)   36313334 34380d0a 55534552 205b4b75   613448..USER [Ku
0x00000020 (00032)   616e475d 2d353630 31363535 35392030   anG]-560165559 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 32313636    0 :[KuanG]-2166
0x00000040 (00064)   31333434 380d0a                       13448..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d393031   NICK [KuanG]-901
0x00000010 (00016)   37353432 31340d0a 55534552 205b4b75   754214..USER [Ku
0x00000020 (00032)   616e475d 2d393031 37353432 31342030   anG]-901754214 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 39303137    0 :[KuanG]-9017
0x00000040 (00064)   35343231 340d0a                       54214..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d333232   NICK [KuanG]-322
0x00000010 (00016)   36323836 36360d0a 55534552 205b4b75   628666..USER [Ku
0x00000020 (00032)   616e475d 2d353737 31353030 38372030   anG]-577150087 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 33323236    0 :[KuanG]-3226
0x00000040 (00064)   32383636 360d0a                       28666..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d313736   NICK [KuanG]-176
0x00000010 (00016)   31313436 33300d0a 55534552 205b4b75   114630..USER [Ku
0x00000020 (00032)   616e475d 2d323739 38333038 31312030   anG]-279830811 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 31373631    0 :[KuanG]-1761
0x00000040 (00064)   31343633 300d0a                       14630..


Strings (extracted from the UPX-packed binary; mostly packed-data noise plus the import and DLL names that remain readable)
..
W
.zc1
..
W
.zc1

1jjl_8
!1Uqio
(3|$~[r
@4gbc|C2
4Z^{gB{
5MnIH|#
9KW6.'m
9l$\w_
ADVAPI32.dll
aFiC	=
ap#dQ;
?.Bgp\JR
\<#>BM
bo#az)1
<BY	-%
cFY	5G
C+Qa'6
.)D$H)
D$t+D$\
D$t#D$h
Ee;j<2
&eFKKb
+ekq=-
ExitProcess
FFShnW
FindWindowA
FK'T1D
 G8i!:
GetProcAddress
Gr(t,g
h)akOE
IJ4KAy
InternetOpenA
J,[ I.D
Jyp8 V
	<k1nt
KERNEL32.DLL
L7R`c}
lA^Q;]]G
|`l}@d
~lk+9b7
LoadLibraryA
LpGrr7
/lu.XA{
M,f|)<
M#FcF|
mlIiSO
MPR.dll
%(N**5q
nCK(b$
-Pc^&-w
)"$*p<Z
qL<A<""
QU)K3u7cE
_R(2c- 
RegCloseKey
{RhF7W
S1n^Pa
s3nFlzC
SHELL32.dll
ShellExecuteA
s`)L$4
SZE:1i_
!This program cannot be run in DOS mode.
^.TIE93
{TnAf`
t$t#t$l
,	&[`U
USER32.dll
Uw\f9AYO
?{V8=q
VirtualAlloc
VirtualFree
VirtualProtect
vksH#$
%VmR|x
v,SG9It
WININET.dll
Wi	*;_w
wiX0&P
WNetAddConnection2A
WQg<AY
wroe"e/
WS2_32.dll
X_gw5;
XPTPSW
Y4Xce/
Yl>9Zq
/;|yq*
yWw3(2
Z&a\k-
z,B]R$
Zn4'h]