Analysis Date: 2015-03-09 20:04:20
MD5: 01a89d73ac0c7d6bfbe2a25251971fdc
SHA1: 9b74b1f43169ea25b75392cada09637f5907be43

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 5169f71757bf78df3f0e888bd01897e7 sha1: 8d69779d1f74dd881f5dd098595a7a9fa1453936 size: 106496
Section .rdata md5: 0c460ad4794449afe0aa9fe925c07ce2 sha1: ab7d6cdd84f77af079d87397658ac4e15169d00c size: 20480
Section .data  md5: 34a1d176c7fb6f3dafcc975361884265 sha1: d1ebf0a8abfcb27de627668ff2e7e0083f9c1394 size: 12288
Section .rsrc  md5: b345b043185ea954ee10c617a6b41200 sha1: b7f6340e51118089f9568519c0f31a4a498d638d size: 4096
Timestamp: 2014-12-22 11:47:07
Version:
  LegalCopyright: Copyright (C) 2014
  InternalName: Server
  FileVersion: 1, 0, 0, 1
  ProductName: Server 应用程序
  ProductVersion: 1, 0, 0, 1
  FileDescription: Server 应用程序
  OriginalFilename: Server.exe
Packer: Microsoft Visual C++ ?.?
PEhash: 70601e09904998fa4d2fc44b5710178b675d6bb9
IMPhash: b4027399928538a78465a7050a6a89d7
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Variant.Graftor.165312
AV Alwil (avast): Dropper-gen [Drp]
AV Arcabit (arcavir): Gen:Variant.Graftor.165312
AV Authentium: W32/Backdoor.UICL-0236
AV Avira (antivir): TR/Agent.147456.364
AV BullGuard: Gen:Variant.Graftor.165312
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Generic.r4
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Gen:Variant.Graftor.165312
AV Eset (nod32): Win32/ServStart.HX
AV Fortinet: W32/Generic.HX!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Graftor.165312
AV Grisoft (avg): Win32/DH{gRKBEwNnJ4EQNlCBEQogJCI}
AV Ikarus: Trojan.Win32.ServStart
AV K7: Trojan ( 0049ffa41 )
AV Kaspersky: Trojan.Win32.Generic
AV Kaspersky 2015: Trojan.Win32.Generic
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: Trojan:Win32/ServStart.gen!A
AV MicroWorld (escan): Gen:Variant.Graftor.165312
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): BScope.Trojan.Win32.Inject.2

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rthrdgfh\Description ➝ ouyfgfMy Test Server 1.0
Creates File: C:\WINDOWS\system32\AliveService.exe
Creates Process: C:\WINDOWS\system32\cmd.exe /c del C:\9B74B1~1.EXE > nul
Creates Service: uyerdfdgServer 1.0 - C:\WINDOWS\system32\AliveService.exe

Process
↳ C:\WINDOWS\system32\cmd.exe /c del C:\9B74B1~1.EXE > nul

Creates File: nul
Deletes File: C:\malware.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1112

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1860

Process
↳ Pid 1144

Process
↳ C:\WINDOWS\system32\AliveService.exe

Creates File: pipe\net\NtControlPipe10
Creates File: \Device\Afd\Endpoint
Creates Mutex: rthrdgfh

Network Details:

DNS: www.yxp80.com Type: A ➝ 117.34.28.98
DNS: www.yxp80.com Type: A ➝ 117.34.28.101
DNS: www.yxp80.com Type: A ➝ 117.34.28.98
DNS: www.yxp80.com Type: A ➝ 117.34.28.101
Flows TCP: 192.168.1.1:1031 ➝ 117.34.28.98:8000
Flows TCP: 192.168.1.1:1032 ➝ 117.34.28.98:8000
Flows TCP: 192.168.1.1:1033 ➝ 117.34.28.98:8000
Flows TCP: 192.168.1.1:1034 ➝ 117.34.28.98:8000
Flows TCP: 192.168.1.1:1035 ➝ 117.34.28.98:8000

Raw Pcap
0x00000000 (00000)   426c6163 6bb8                         Black.

Strings