Analysis Date: 2013-12-08 17:33:22
MD5: 1243d25186278a13e3c53281f695657d
SHA1: 9b32d654e5efa832a0d35b6d73a73441c38ee224

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1: md5: b68d713dc7ba205561ed6724b597b23e sha1: c3fa4c8bb56007cd35150afcc0691439a651249a size: 163840
Section .rsrc: md5: b2f04338d093d8c06a081eb321e43ee9 sha1: 460ee01630d9e4f75753e479e9c0c4c9bbd8d90a size: 5632
Timestamp: 1992-06-19 22:22:17
Packer: UPX -> www.upx.sourceforge.net
PEhash: 194e4ba1a6009c442b77049488e3caa5f689e57a
AV (avg): Luhe.Fiha.A
AV (avira): TR/Crypt.CFI.Gen
AV (mcafee): PWS-Banker!cge

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates Process: c:\windows\system32\Javaxc.exe
Winsock DNS: www.box.net
Winsock URL: https://www.box.net/shared/static/gk2hj76884.scr

Process
↳ c:\windows\system32\Javaxc.exe

Network Details:

DNS: www.box.net
Type: A
74.112.185.83
DNS: www.box.net
Type: A
74.112.184.83
Flows TCP: 192.168.1.1:1032 ➝ 74.112.185.83:443
Flows TCP: 192.168.1.1:1033 ➝ 74.112.185.83:443

Raw Pcap
0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.


Strings
BBABORT
BBALL
BBCANCEL
BBCLOSE
BBHELP
BBIGNORE
BBNO
BBOK
BBRETRY
BBYES
DLGTEMPLATE
DVCLAL
MAINICON
PACKAGEINFO
PREVIEWGLYPH
TANEXO
08@HP!
0;BR$-
0(Db@]
/0 gUP8
0r=<9w9i
0"	w%9
0Z*;S|
$1:@@&
11----
1234567890ABC
1&&Ax^E
1: doL
1hyL Eb
1I,oet,
1loz8	o
1MQS'9Qfo
1\!O; 
1PixTsPfl
 2001,
22|('h
2C("Ds8
+2i6&a
2 Mik2(ch
2w;;thsz
* (()@-3$-	*-
)32A6Z
35Foto.0108 - 
36oftwareWa5
3f>ntf
3{g7@\
3Viewe
3?vJ"Q
4$$((,
40,(''''$ 
488<<!
]#4a$yWP3<
#@4%c$
4""C['B
>4kA*>D@
@4<S=f
4Tx8TI
4z[Als
5216549.jml_	
5!BSk?%
5=EM-75
<$5FWh
<5''oy
5;WA^k%
658hVR
6eF+2'
6gSilver07
6H7lExxt`k
6po[3i]
6^sX0r
-7*,(-
.7&@^,
@73thWMP!
7DQ^kx
"(7Emptys
7G@\rw
7;P8u+|
7p Xp 
	7Qf! 
~'*;~8
@81Na"
82KLf~
8,fk<d
8m`ydM4
8NNNN40,(NNNN$ 
<(8O{K
8$OQ5L
!9 8dX
9>a%?w
9t;Cpu'
9;wlt4
9xD]b`
abcdefghijklmnopq(
ABIPC	B{
AC_SsI
advapi32.dll
ak	Q':19
Ak?Sl4fGI
'AL4(4
(AL("%s",4),"
aN&_bsfv
ANSI_CHARSET
A,OXR/?(
a(phwx
A~PXVC6NXb
Aqx5<"
ARE\Borland\Delphi\RTL
aR,`SLep
aSh|3t<
at 0>@
AVSBLPv
`aWy8B
*a{[XI
B1a>,ZwEAc
B2!*MV
b]$4Ob
b=}7+z_o>Rc
BAlCAt9
BCcI`G[
`bdTo`
bEH4zNKrnpUNDqPMqpCbnkT7PaRIvbU6p
B+eZy8%
(bin'O
BKb`(h
BkP1Cp
BmU1v`
&	+b,N
#BnIfPp
Boolean
\%&BRM4
BUTTON
bv><z>Y'l
[Bw];~
&bWjEd
B_xR5b
ByWl'Word
(c$ ''''
C(0>w'
c2W9N'
(:C_2}z
C3l;FM4
C|7'#D
cales27
c:\Arqujos 
{	CbP7
(cBT)B
c[%;ca
!Cc{BM<
CCx3p"
cD#+"d
CH3%DLLF
ChrTyp|
cioj/F
@CIOtq
ciP_UY
clMaroon+
#c;L!N+s
-Cl(y=
C_MACW
comcte
comctl32.dll
cPtr%.8X
C_;RD) 
CrPkI}7
Currenc
;C<xDf
cX^mbAx
~c=	YQ
d1'i=W
D/BtnFU
DHDXq9
+dHHHC
~dhx`P-
&Disabl
d/$IWe
dk/W['@
d)lq<9
<DLT\d
Doub0X
DpOuE3GkSF
dsYcb3i
Dvfrkk
_d?Virtc
 d, Wn2ms
DxCqgres
EASTROPE
eBfgKw
EDivByZero
eftJhify
EhCbHl
E http:
 E>jlA
e:K8t2S
Enum.lay
EOutOfMemory
Er80<r
ETNNNn
!@et!v
	Exception
ExitProcess
"EXPLORE.
eZ6~p	
F!a!"4C
fax o u
f}%!$$C2$5	
Fc$o1ga0
|FDiag
f);"Dr
FFAVi 
@!fgCm
F(i#mJfh
?foBh'
FocusDefaultPHotLigh
f+PTmY(M
FPUMaskVa
Fp`URD
Ft?Htb
fWU`K`4 
FX~D=s
G8D4#4
'g8|XF
g9 'z?
GB2312
g$bap_/	+#
gdi32.dll
G(eNerH
GetProcAddress
gGroup
@>GHP9 6
(gJumpID
_GpfSLq
GREEK#
:gr[hu.v
GTarget
Gt;(TQ
	gX7PX
G [	XM
G%$y(?
H@&0s&
/h2~"t
H@3H@H
_H<9p$z
HD@''''<840
h)db1@ZM
;h^`d.DA`3
+HD%N\
:	Hegul6
h`!E%l!ED
HFCXHD
.hh\@"
hhRP[`pu
HIFTJIS
HIh;Jp
",H;It
hNameA'o
h*rf/x
'HSplitV0
HTrV{GG}
Huf*F	k
+HxAr(
$I3X]4
iacJ#WmpG
i>A>DA
iClose!
icobmp
;IcqIs
Id'cZ)
IDlgR3
IF@PTd{
iiGLL"
iJx(C{t
ImageList_Add
IMjN]\
[+In:D-
Integer
Inverf
IO\=S!,Z
ipboxX
ipyO4NnSX{
>ISPLAY
ive>NoAcc
ivod_nOr
J0p |i(
J##1<d
J?.DD@
jgF?`{
jgT-%m
jINFNAN
.jJBVp
" JK13.,|
JlssagU
?Jo1lScjr
JO Bay
jQ,C:4li
J[SP+/
JsxFDu
'J^thd
jUuU,Y
jX!,W&
K0DN ^O
k8rbTBw
KERNEL32.DLL
kernel32.dll_GetLongPatB
keysK<
KF.f;PMn=uO
kFreeSp
#k(lF8
.KMjt Exp
koHP@.
k;^`u0p
K"W8A1
k`.x-br.
~KxI[)
K&yEbOeg
kyFovd
l^,|<|
 !"#$%L
'L3'L3'
L+8'( 
>LaQN9bOsbl&5j&vqRoukBXt
LayouA
_LeftB.
LIENTpA^	
li$R),
L'L'M'=
Lnh~`U
LoadLibraryA
lpeh=hh
LqOCL1
l<T}N8[
!l]UG;%(!
 lusfWB
l=v.vT
(>L,|W
lyTznsp
m1g+x 
Magel` MSWHEEL
mdlgF&
M&FLPpIC/d_
]m~\IB(/
Middle
Mky;Ji{ B
M]p8CD
N|*(}&
n7LZEg
/,n"8,
n8S6t>
n,9/`o
nC4C4K!
ND_k15i
NE"BIG5
N.@g~W:K
n,_hp 
n\jF?v
NN|X,!
N|RGp7
N?RTP01
nuCut0o8%Y
NxZQd4
|NyFx/
@o4Hu6
o;8Aj5-wz$
o&Bgkz
OCnSp`
*+$oht
oleaut32.dll
OlGJ}d
_Olive
omboBoxEdit
?O~&o*<X
OPP`aeiiiied]
ORT_(h
oS@#CEM
%&OsK*
<$_ot5:
otAdd/_
(OTsbkP6ztS
!OuCg\
ov5/#@*|$
[OZa*D
-:P;^;
*%'>"P
^p1Dc/
P6L%,/
P`=9%E6
%~PA6>
')pAex
p+?)],B
PDt1!FW
PE{h)L
pFixup
phaBlhT
 P'ip-
	pJcip
]^	:Pl
pL6U}x
{p_#lb
+PL)DS'
PLp999HD@R
_ppWX2
P^@Qvp
Primary
.PR/Pm
pTh3@H
PTMbB&X|_4q
PurpleGTeal
_Q7HqS7CwBofTjkOczuBcCk
q&A5Pp
<Qa[\U!
[Q&B"Q
Q<`N^h
Q& :"Q
QROHVc(
q<WVnN
qyFf8a3
+~Rangep
RcM!d?
rD(k:x
rd}ttn])
Rebuil
RegCloseKey
ReLmkNI$'GoC
_-Rf;` 
rface+
rfv0idOV 
>R;;'HXD
RhzMxk
rn4:E:
%_ROLL
rr+pxh
rrrrhd
|rrrrx
rrrTPLS
&rSh8|
rstuvwxyz+/
RUSSIAN
r|xtp''''lhd`''''\XTP''''LHD@''''<840'''',($ ''''
Ry"e1#f
_ryZ{Ign@e
S07 Sma
\S5_{, 
_S7d8DZ@
sAdapp
SafecalnS
SaveDC
_.SCK_LINES/
+SD!6.
sHJBqD
ShxVCK8
Sl?Tg?
'S@O`rH
sos#?Wo
SPaadeiiiied]
s!T@7?
S$ @t9
STUVWXYZ
Sub/MulDivId
SYMBOLc
},;=T[
T2vZRsqWPOI1cONfbRcHl86yW
@T3Cum
t6[u&hT"
t7r{'G
TAdxncP
TAlignment
$ t%AR
@T@B8]C
	TBiDi++
TBuQC@!bn
This program must be run under Win32
tHXT6bZBVCcXg
Tj@ul5
t`mckz
|$TMulRj
tnPBrc.#
TObject
TOwnND0wSta
tPitch<0	fpx
tprrrrl
T*ShellAPI&
TThread7
TURKISHk
+t_$xtZX
U6q8"m
?Ueu)f
;^}u[g
uG	Fuchsia
u}$$@H
uh0l=(
Uhi1m{
u"IP]H
uKVVQ*
?UnknowDeci
URLDownloadToFileA
URLMON.DLL
user32.dll
USERjDLL
:uxthemewL
VariantCopy
VbciphS
vclt6Y
\@v;{Du
VerQueryValueA
version.dll
V#FO0>
]vG0;,
!<VgK02
v	i."8
ViA1B$'
VirtualAlloc
VirtualFree
VirtualProtect
V`MO/"0
?vQA8(
@vt2avo
`vTrack	;
V<^'W(
V&ZAh0
vz^$cKp
>W#48tn
W!}aI6
wAM/PM
wAnZr?
}W?BG@
w!?~COu
wDEFAUL
.w)/gg
WhSpoo
Windows
._WINHELP
%!Wi~Z
WSEWEp
w;sXT6
{;w$tBa
	w;tCIXqg
wVarian
?wW6Rg
wzbar=d
<{.(x\
x8TD+B	
x96W/}/
X$'$G5
XGHIJKLMNO
-XHB%k 
$:Xiig
XLu7;Wx
xmNmfny
XorCmp4FromSt*
\&|x_p
XPTPSW
|x''''tplh''''d`\X''''TPLH
''''|xtp''''lhd`''''\XTP''''LHD@''''<840'''',($ 
xU!G$k
xV|Y@ ]
xWRUuI6
xznC#fA
XZXZ>@x
y0()(2)
Yellow
@\yjBV
Y]>jnK
YQ(y[X
yx/Lea
 $(YZ&
Y zj -
,`YzPK
Y>ZYYN
=(+(Z=
Z?;ADtiw
ZC/BALT
ZCi*ut
|Z<D'F
Zt^vnzC{
zW"qEo
Zxg~r~
.ZZZ*-