Analysis Date: 2013-08-19 09:06:16
MD5: 2dc70bcf3eee72c1c4ce994ed6044424
SHA1: 913f6e7bb0ac9a73102ed876432cee0c5dc124c9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: a46f20c0e3e77b46557274672e1bffd9 sha1: 54621ca63037db772b17e5302e9e3b9c23a68c1d size: 40960
Section .data: md5: 620f0b67a91f7f74151bc5be745b7110 sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d size: 4096
Section .rsrc: md5: 84dd2237b31ce90af42b86783be88e44 sha1: e82fb37b88c89044d48ed0c4705cef673c2653ab size: 348160
Timestamp: 2010-01-25 08:37:37
Version: InternalName: Advert
FileVersion: 2.00
CompanyName: none
ProductName: Starter
ProductVersion: 2.00
OriginalFilename: Advert.exe
Packer: Microsoft Visual Basic v5.0
PEhash: dc814a6b31c920ef42493c9d1654359a7dc804ef
AV: clamav: Trojan.VB-42849

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\K_O_G2\KMIN\ByUser ➝
Administrator\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden ➝
NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\K_O_G2\KMFIX\Tstadmn ➝
\\x00
Creates File: C:\WINDOWS\system32\oobe\Dis.dll
Creates File: C:\WINDOWS\system32\oobe\speed.dll
Creates File: C:\WINDOWS\system32\oobe\Drvn.dll
Creates File: C:\WINDOWS\system32\core.dll
Creates File: C:\WINDOWS\system32\oobe\rule\files\smss.exe
Creates File: C:\WINDOWS\system32\oobe\rule\desktop.ini
Creates Process: cmd /c %Windir%\system32\oobe\rule\files\smss.exe&exit
Creates Process: explorer.exe C:
Creates Mutex: kog2.jpg

Process
↳ cmd /c %Windir%\system32\oobe\rule\files\smss.exe&exit

Creates Process: C:\WINDOWS\system32\oobe\rule\files\smss.exe

Process
↳ explorer.exe C:

Process
↳ C:\WINDOWS\system32\oobe\rule\files\smss.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\K_O_G2\KMFItemp\key ➝
NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\K_O_G2\KMCounter\Value ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\K_O_G2\KMDest\I ➝
<None>
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\K_O_G2\KMIN\restart ➝
NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KM_Path4 ➝
%SystemRoot%\system32\oobe\rule\files\smss.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun ➝
3486769
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\K_O_G2\KMFIX\Tstadmn ➝
NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\K_O_G2\KMSEC\Value ➝
2D3A42554B1158393D574655
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\whatismyipaddress[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\doniablog.wordpress[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\WINDOWS\system32\restore\ranback.dll
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\oobe\rule\files\Base.inf
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\oobe\page
Creates File: C:\WINDOWS\system32\oobe\p1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\kogpage.blogspot[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\kog6.blogspot[1].htm
Creates File: C:\WINDOWS\system32\oobe\nl.lnk
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFA309.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ip2location[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\ip-adress[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\cmyip[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\sender1.blogspot[1].htm
Deletes File: C:\WINDOWS\system32\oobe\page
Deletes File: C:\WINDOWS\system32\oobe\p1
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\whatismyipaddress[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\doniablog.wordpress[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\kogpage.blogspot[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\kog6.blogspot[1].htm
Deletes File: C:\WINDOWS\system32\oobe\nl.lnk
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ip2location[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\ip-adress[1].htm
Deletes File: C:\WINDOWS\system32\oobe\rule\files\Base.inf
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\cmyip[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\sender1.blogspot[1].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: csrss.exe
Winsock DNS: www.yahoo.com
Winsock DNS: www.kog6.blogspot.com
Winsock DNS: www.kogpage.blogspot.com
Winsock DNS: www.cmyip.com
Winsock DNS: sender1.blogspot.com
Winsock DNS: doniablog.wordpress.com
Winsock DNS: www.ip-adress.com
Winsock DNS: www.ip2location.com
Winsock DNS: whatismyipaddress.com

Network Details:

DNS: ds-eu-fp3.wa1.b.yahoo.com
Type: A
87.248.112.181
DNS: ds-eu-fp3.wa1.b.yahoo.com
Type: A
87.248.122.122
DNS: blogspot.l.googleusercontent.com
Type: A
173.194.78.132
DNS: lb.wordpress.com
Type: A
76.74.254.120
DNS: lb.wordpress.com
Type: A
66.155.11.238
DNS: lb.wordpress.com
Type: A
72.233.69.6
DNS: lb.wordpress.com
Type: A
76.74.254.123
DNS: lb.wordpress.com
Type: A
72.233.2.58
DNS: lb.wordpress.com
Type: A
66.155.9.238
DNS: blogspot.l.googleusercontent.com
Type: A
173.194.78.132
DNS: blogspot.l.googleusercontent.com
Type: A
173.194.78.132
DNS: ip2location.com
Type: A
174.129.0.77
DNS: www.ip-adress.com
Type: A
64.34.169.244
DNS: whatismyipaddress.com
Type: A
67.203.139.148
DNS: whatismyipaddress.com
Type: A
66.80.82.69
DNS: cmyip.com
Type: A
198.100.149.221
DNS: www.yahoo.com
Type: A
DNS: sender1.blogspot.com
Type: A
DNS: doniablog.wordpress.com
Type: A
DNS: www.kogpage.blogspot.com
Type: A
DNS: www.kog6.blogspot.com
Type: A
DNS: www.ip2location.com
Type: A
DNS: www.cmyip.com
Type: A
HTTP GET: http://sender1.blogspot.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://doniablog.wordpress.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.kogpage.blogspot.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.kog6.blogspot.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.ip2location.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.ip-adress.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://whatismyipaddress.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.cmyip.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1031 ➝ 87.248.112.181:80
Flows TCP: 192.168.1.1:1033 ➝ 173.194.78.132:80
Flows TCP: 192.168.1.1:1034 ➝ 76.74.254.120:80
Flows TCP: 192.168.1.1:1035 ➝ 173.194.78.132:80
Flows TCP: 192.168.1.1:1036 ➝ 173.194.78.132:80
Flows TCP: 192.168.1.1:1037 ➝ 174.129.0.77:80
Flows TCP: 192.168.1.1:1038 ➝ 64.34.169.244:80
Flows TCP: 192.168.1.1:1039 ➝ 67.203.139.148:80
Flows TCP: 192.168.1.1:1040 ➝ 198.100.149.221:80

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000020 (00032)   6570742d 456e636f 64696e67 3a20677a   ept-Encoding: gz
0x00000030 (00048)   69702c20 6465666c 6174650d 0a557365   ip, deflate..Use
0x00000040 (00064)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000050 (00080)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000060 (00096)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000070 (00112)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x00000080 (00128)   202e4e45 5420434c 5220322e 302e3530    .NET CLR 2.0.50
0x00000090 (00144)   37323729 0d0a486f 73743a20 73656e64   727)..Host: send
0x000000a0 (00160)   6572312e 626c6f67 73706f74 2e636f6d   er1.blogspot.com
0x000000b0 (00176)   0d0a436f 6e6e6563 74696f6e 3a204b65   ..Connection: Ke
0x000000c0 (00192)   65702d41 6c697665 0d0a0d0a            ep-Alive....

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000020 (00032)   6570742d 456e636f 64696e67 3a20677a   ept-Encoding: gz
0x00000030 (00048)   69702c20 6465666c 6174650d 0a557365   ip, deflate..Use
0x00000040 (00064)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000050 (00080)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000060 (00096)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000070 (00112)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x00000080 (00128)   202e4e45 5420434c 5220322e 302e3530    .NET CLR 2.0.50
0x00000090 (00144)   37323729 0d0a486f 73743a20 646f6e69   727)..Host: doni
0x000000a0 (00160)   61626c6f 672e776f 72647072 6573732e   ablog.wordpress.
0x000000b0 (00176)   636f6d0d 0a436f6e 6e656374 696f6e3a   com..Connection:
0x000000c0 (00192)   204b6565 702d416c 6976650d 0a0d0a      Keep-Alive....

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000020 (00032)   6570742d 456e636f 64696e67 3a20677a   ept-Encoding: gz
0x00000030 (00048)   69702c20 6465666c 6174650d 0a557365   ip, deflate..Use
0x00000040 (00064)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000050 (00080)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000060 (00096)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000070 (00112)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x00000080 (00128)   202e4e45 5420434c 5220322e 302e3530    .NET CLR 2.0.50
0x00000090 (00144)   37323729 0d0a486f 73743a20 7777772e   727)..Host: www.
0x000000a0 (00160)   6b6f6770 6167652e 626c6f67 73706f74   kogpage.blogspot
0x000000b0 (00176)   2e636f6d 0d0a436f 6e6e6563 74696f6e   .com..Connection
0x000000c0 (00192)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....
0x000000d0 (00208)                                         

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000020 (00032)   6570742d 456e636f 64696e67 3a20677a   ept-Encoding: gz
0x00000030 (00048)   69702c20 6465666c 6174650d 0a557365   ip, deflate..Use
0x00000040 (00064)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000050 (00080)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000060 (00096)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000070 (00112)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x00000080 (00128)   202e4e45 5420434c 5220322e 302e3530    .NET CLR 2.0.50
0x00000090 (00144)   37323729 0d0a486f 73743a20 7777772e   727)..Host: www.
0x000000a0 (00160)   6b6f6736 2e626c6f 6773706f 742e636f   kog6.blogspot.co
0x000000b0 (00176)   6d0d0a43 6f6e6e65 6374696f 6e3a204b   m..Connection: K
0x000000c0 (00192)   6565702d 416c6976 650d0a0d 0a0a0d0a   eep-Alive.......
0x000000d0 (00208)                                         

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000020 (00032)   6570742d 456e636f 64696e67 3a20677a   ept-Encoding: gz
0x00000030 (00048)   69702c20 6465666c 6174650d 0a557365   ip, deflate..Use
0x00000040 (00064)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000050 (00080)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000060 (00096)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000070 (00112)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x00000080 (00128)   202e4e45 5420434c 5220322e 302e3530    .NET CLR 2.0.50
0x00000090 (00144)   37323729 0d0a486f 73743a20 7777772e   727)..Host: www.
0x000000a0 (00160)   6970326c 6f636174 696f6e2e 636f6d0d   ip2location.com.
0x000000b0 (00176)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x000000c0 (00192)   702d416c 6976650d 0a0d0a0d 0a0a0d0a   p-Alive.........
0x000000d0 (00208)                                         

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000020 (00032)   6570742d 456e636f 64696e67 3a20677a   ept-Encoding: gz
0x00000030 (00048)   69702c20 6465666c 6174650d 0a557365   ip, deflate..Use
0x00000040 (00064)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000050 (00080)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000060 (00096)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000070 (00112)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x00000080 (00128)   202e4e45 5420434c 5220322e 302e3530    .NET CLR 2.0.50
0x00000090 (00144)   37323729 0d0a486f 73743a20 7777772e   727)..Host: www.
0x000000a0 (00160)   69702d61 64726573 732e636f 6d0d0a43   ip-adress.com..C
0x000000b0 (00176)   6f6e6e65 6374696f 6e3a204b 6565702d   onnection: Keep-
0x000000c0 (00192)   416c6976 650d0a0d 0a0d0a0d 0a0a0d0a   Alive...........
0x000000d0 (00208)                                         

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000020 (00032)   6570742d 456e636f 64696e67 3a20677a   ept-Encoding: gz
0x00000030 (00048)   69702c20 6465666c 6174650d 0a557365   ip, deflate..Use
0x00000040 (00064)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000050 (00080)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000060 (00096)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000070 (00112)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x00000080 (00128)   202e4e45 5420434c 5220322e 302e3530    .NET CLR 2.0.50
0x00000090 (00144)   37323729 0d0a486f 73743a20 77686174   727)..Host: what
0x000000a0 (00160)   69736d79 69706164 64726573 732e636f   ismyipaddress.co
0x000000b0 (00176)   6d0d0a43 6f6e6e65 6374696f 6e3a204b   m..Connection: K
0x000000c0 (00192)   6565702d 416c6976 650d0a0d 0a0a0d0a   eep-Alive.......
0x000000d0 (00208)                                         

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000020 (00032)   6570742d 456e636f 64696e67 3a20677a   ept-Encoding: gz
0x00000030 (00048)   69702c20 6465666c 6174650d 0a557365   ip, deflate..Use
0x00000040 (00064)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000050 (00080)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000060 (00096)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000070 (00112)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x00000080 (00128)   202e4e45 5420434c 5220322e 302e3530    .NET CLR 2.0.50
0x00000090 (00144)   37323729 0d0a486f 73743a20 7777772e   727)..Host: www.
0x000000a0 (00160)   636d7969 702e636f 6d0d0a43 6f6e6e65   cmyip.com..Conne
0x000000b0 (00176)   6374696f 6e3a204b 6565702d 416c6976   ction: Keep-Aliv
0x000000c0 (00192)   650d0a0d 0a6c6976 650d0a0d 0a0a0d0a   e....live.......
0x000000d0 (00208)                                         


Strings