Analysis Date: 2015-02-01 02:07:00
MD5: 9b54944da00b9762e21b741c85798a9f
SHA1: 974fbfeefce02b9c2d58ebebe2a97bf33c1792ec

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 0b4fd155cb0204f2ccd6c2a3fd6bd570 sha1: ef8b962cd5a4be67f3fc05023dd92cda60e271e5 size: 114688
Section .rdata: md5: 4cd71f38da382894e076b9a55a6637b7 sha1: 627d7780e3ecbe413bf43e647ca2900e2544f0ee size: 20480
Section .data: md5: cd97ca9f9a2a56c6717f4aabd5ed048b sha1: 809be1366ef0d3e13f26ea598e03943ec5a044db size: 20480
Timestamp: 2015-01-22 00:54:51
Packer: Microsoft Visual C++ v6.0
PEhash: c1f88087dd604a6b207fa39f6e93a8c6619b0651
IMPhash: d46101465d2fed6eaf9ca1f12bde68c4
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.GenericKD.2102898
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Trojan.GenericKD.2102898
AV Authentium: W32/Downloader.EPRM-9372
AV Avira (antivir): TR/Rogue.159744.57
AV BullGuard: Trojan.GenericKD.2102898
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.GenericKD.2102898
AV Eset (nod32): probably unknown NewHeur_PE virus
AV Fortinet: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.GenericKD.2102898
AV Grisoft (avg): Win32/DH{IEEiJVdnTg}
AV Ikarus: Trojan.SuspectCRC
AV K7: no_virus
AV Kaspersky: no_virus
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\2345explorer_k59918823.exe
Creates File: C:\desktool2345_k59918823_desk.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS: download.2345.com (Type: A) 60.191.223.4
DNS: download.2345.com (Type: A) 60.191.223.15
DNS: download.2345.com (Type: A) 61.147.127.202
DNS: download.2345.com (Type: A) 61.147.127.203
DNS: download.2345.com (Type: A) 61.160.245.8
DNS: download.2345.com (Type: A) 61.160.245.11
DNS: download.2345.com (Type: A) 61.160.245.14
DNS: download.2345.com (Type: A) 122.228.248.3
DNS: download.2345.com (Type: A) 218.75.155.244
DNS: download.2345.com (Type: A) 60.191.187.15
DNS: download.2345.com (Type: A) 60.191.223.2
DNS: jifendownload.2345.cn (Type: A)
HTTP GET: http://jifendownload.2345.cn/jifen_2345/desktool2345_k59918823_desk.exe
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP GET: http://jifendownload.2345.cn/jifen_2345/2345explorer_k59918823.exe
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP: 192.168.1.1:1031 ➝ 60.191.223.4:80
Flows TCP: 192.168.1.1:1032 ➝ 60.191.223.4:80

Raw Pcap

Strings