Analysis Date: 2015-07-06 18:38:01
MD5: 0e2355f89dae63cac8b9ec9de4ee5ec1
SHA1: 936297bc57c6a457ee76a0987c57e714281421bf

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: d23a7295a90405025b94a0efa1a317c3 sha1: 188e4bc20bd61dfc46ba6a471d8377f5d5dec256 size: 610304
Section .rdata md5: 5c12ed09041a08b760dccc7066dcf324 sha1: 7fbc1acd042ef64b530394bbdd4b239b2d400b06 size: 417792
Section .data md5: 60639b7639ab1d76b5e8333df92cf174 sha1: 334ccb20da5fe73e623ad26e18bcaeeccdc588ec size: 77824
Section .rsrc md5: 823a685e24b2381b91fe35d6a69f61ed sha1: bc9d3e8429b055b875e42a3b64408b46a412b4fb size: 32768
Timestamp: 2015-05-23 12:06:50
Version
LegalCopyright: 作者版权所有 请尊重并使用正版 (Copyright held by the author; please respect it and use a genuine copy)
FileVersion: 1.0.0.0
Comments: 本程序使用易语言编写(http://www.eyuyan.com) (This program was written in Easy Language, EPL; http://www.eyuyan.com)
ProductName: 易语言程序 (Easy Language program)
ProductVersion: 1.0.0.0
FileDescription: 易语言程序 (Easy Language program)
Packer: Microsoft Visual C++ v6.0
PEhash: 833ff2d39db7b0fdaece48109f09de95a9c1f75d
IMPhash: a33b2e49bea912457e4eb7a18e092c19
AV Rising: no_virus
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Graftor.58247
AV Dr. Web: no_virus
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Graftor.58247
AV BullGuard: Gen:Variant.Graftor.58247
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: RiskTool.Win32.FlyStudio.xby
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Graftor.58247
AV Ikarus: no_virus
AV Frisk (f-prot): W32/Agent.EW.gen!Eldorado
AV Authentium: W32/Agent.EW.gen!Eldorado
AV MalwareBytes: Spyware.OnlineGames
AV MicroWorld (escan): Gen:Variant.Graftor.58247
AV Microsoft Security Essentials: no_virus
AV K7: Adware ( 004b87311 )
AV BitDefender: Gen:Variant.Graftor.58247
AV Fortinet: W32/Qqpass.A!tr
AV Symantec: no_virus
AV Grisoft (avg): no_virus
AV Eset (nod32): no_virus
AV Alwil (avast): Evo-gen [Susp]
AV Ad-Aware: Gen:Variant.Graftor.58247
AV Twister: Trojan.33C0C390558BEC@2F.mg
AV Avira (antivir): TR/Graftor.1142784.15
AV Mcafee: no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\WINDOWS\system32\jf2015.ini
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\logo[1].gif
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\2345[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012015070620150707\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Deletes File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013061320130614\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013052720130603\index.dat
Creates Mutex: _!SHMSFTHISTORY!_
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!mshist012015070620150707!
Winsock DNS: www.2345.com

Network Details:

DNS: www.2345.com
Type: A
42.62.30.180
HTTP GET: http://www.2345.com/?k93327568
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.2345.com/logo.gif
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 42.62.30.180:80
Flows TCP: 192.168.1.1:1033 ➝ 42.62.30.180:80

Raw Pcap
0x00000000 (00000)   47455420 2f3f6b39 33333237 35363820   GET /?k93327568 
0x00000010 (00016)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000020 (00032)   3a202a2f 2a0d0a41 63636570 742d4c61   : */*..Accept-La
0x00000030 (00048)   6e677561 67653a20 656e2d75 730d0a41   nguage: en-us..A
0x00000040 (00064)   63636570 742d456e 636f6469 6e673a20   ccept-Encoding: 
0x00000050 (00080)   677a6970 2c206465 666c6174 650d0a55   gzip, deflate..U
0x00000060 (00096)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000070 (00112)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000080 (00128)   6c653b20 4d534945 20362e30 3b205769   le; MSIE 6.0; Wi
0x00000090 (00144)   6e646f77 73204e54 20352e31 3b205356   ndows NT 5.1; SV
0x000000a0 (00160)   313b202e 4e455420 434c5220 322e302e   1; .NET CLR 2.0.
0x000000b0 (00176)   35303732 37290d0a 486f7374 3a207777   50727)..Host: ww
0x000000c0 (00192)   772e3233 34352e63 6f6d0d0a 436f6e6e   w.2345.com..Conn
0x000000d0 (00208)   65637469 6f6e3a20 4b656570 2d416c69   ection: Keep-Ali
0x000000e0 (00224)   76650d0a 0d0a                         ve....

0x00000000 (00000)   47455420 2f6c6f67 6f2e6769 66204854   GET /logo.gif HT
0x00000010 (00016)   54502f31 2e310d0a 41636365 70743a20   TP/1.1..Accept: 
0x00000020 (00032)   2a2f2a0d 0a526566 65726572 3a206874   */*..Referer: ht
0x00000030 (00048)   74703a2f 2f777777 2e323334 352e636f   tp://www.2345.co
0x00000040 (00064)   6d2f3f6b 39333332 37353638 0d0a4163   m/?k93327568..Ac
0x00000050 (00080)   63657074 2d4c616e 67756167 653a2065   cept-Language: e
0x00000060 (00096)   6e2d7573 0d0a4163 63657074 2d456e63   n-us..Accept-Enc
0x00000070 (00112)   6f64696e 673a2067 7a69702c 20646566   oding: gzip, def
0x00000080 (00128)   6c617465 0d0a5573 65722d41 67656e74   late..User-Agent
0x00000090 (00144)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x000000a0 (00160)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x000000b0 (00176)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x000000c0 (00192)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x000000d0 (00208)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x000000e0 (00224)   6f73743a 20777777 2e323334 352e636f   ost: www.2345.co
0x000000f0 (00240)   6d0d0a43 6f6e6e65 6374696f 6e3a204b   m..Connection: K
0x00000100 (00256)   6565702d 416c6976 650d0a0d 0a         eep-Alive....


Strings