Analysis Date: 2014-09-09 21:59:03
MD5: fa5bf8fe15cb091cac69642b1a2786ad
SHA1: 9fca21c3cba783b5c35cf6337970ef5b4f61e2df

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 3d412f18e36dd179a13ea347869e8b04 sha1: 082889e10f09b3e1c37c8952870a3c66d6a88aef size: 13824
Section.rdata md5: e3830a1c40cb9a04fa7b9950f0fe8cc4 sha1: 807ebf0d4b36a9a7a4795392316fe22cb155f1ec size: 2048
Section.data md5: 6468aee4a94c207c84ca7f830093818d sha1: aba23dbe9b0e994850e895ffd580436059ed61db size: 109056
Section.rsrc md5: 190917669a1573d915d295430cfd9441 sha1: 264841ca998b32f962929794bb95e7b3213ec83a size: 5120
Timestamp: 2009-03-08 15:52:25
Version info:
LegalCopyright: Copyright © 2010 d Setup Technologies
InternalName: Ft set_up j
FileVersion: 4.1.0.0
CompanyName: Jordan Russell
LegalTrademarks:
Comments:
ProductName: Internet Security X
ProductVersion: 4.1.0.0
FileDescription: 8N Setup Self-Extractor
OriginalFilename: Ft set_up j
PEhash: 4237a1b51b7325653ad47d083319cbed7af01588
IMPhash: 1cb59ff9cd4cb522aa1a7a4a1712aacb

Runtime Details:


Process
↳ C:\malware.exe

Creates Process: C:\malware.exe
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}

Process
↳ C:\malware.exe

Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\CY08W456F0\OteH ➝
xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\CY08W456F0 ➝
C:\malware.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}
Winsock DNS: topkio.com
Winsock DNS: ftuny.com

Network Details:

DNS: wsj.com
Type: A
205.203.132.65
DNS: wsj.com
Type: A
205.203.140.1
DNS: wsj.com
Type: A
205.203.140.65
DNS: wsj.com
Type: A
205.203.132.1
DNS: fastclick.com
Type: A
64.156.167.84
DNS: nifty.com
Type: A
210.131.4.217
DNS: ftuny.com
Type: A
208.73.210.211
DNS: ftuny.com
Type: A
208.73.211.250
DNS: ftuny.com
Type: A
208.73.211.244
DNS: ftuny.com
Type: A
208.73.211.167
DNS: topkio.com
Type: A
DNS: phreeway.com
Type: A
DNS: tirefondn.com
Type: A
HTTP POST: http://ftuny.com/borders.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP: 192.168.1.1:1031 ➝ 208.73.210.211:80

Raw Pcap
0x00000000 (00000)   504f5354 202f626f 72646572 732e7068   POST /borders.ph
0x00000010 (00016)   70204854 54502f31 2e310d0a 41636365   p HTTP/1.1..Acce
0x00000020 (00032)   70743a20 2a2f2a0d 0a436f6e 74656e74   pt: */*..Content
0x00000030 (00048)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000040 (00064)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x00000050 (00080)   6c656e63 6f646564 0d0a5573 65722d41   lencoded..User-A
0x00000060 (00096)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000070 (00112)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000080 (00128)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000090 (00144)   204e5420 352e3029 0d0a486f 73743a20    NT 5.0)..Host: 
0x000000a0 (00160)   6674756e 792e636f 6d0d0a43 6f6e7465   ftuny.com..Conte
0x000000b0 (00176)   6e742d4c 656e6774 683a2033 34310d0a   nt-Length: 341..
0x000000c0 (00192)   436f6e6e 65637469 6f6e3a20 4b656570   Connection: Keep
0x000000d0 (00208)   2d416c69 76650d0a 43616368 652d436f   -Alive..Cache-Co
0x000000e0 (00224)   6e74726f 6c3a206e 6f2d6361 6368650d   ntrol: no-cache.
0x000000f0 (00240)   0a0d0a64 6174613d 2f436a45 665a4453   ...data=/CjEfZDS
0x00000100 (00256)   76787143 694b306c 74554d31 7579322f   vxqCiK0ltUM1uy2/
0x00000110 (00272)   79753455 3559704e 6d31762f 2f6a546e   yu4U5YpNm1v//jTn
0x00000120 (00288)   6756632b 774d732b 2b5a426a 375a5359   gVc+wMs++ZBj7ZSY
0x00000130 (00304)   54723369 426b472f 672b3756 43432f30   Tr3iBkG/g+7VCC/0
0x00000140 (00320)   70427a6e 4f487037 65526348 5069596f   pBznOHp7eRcHPiYo
0x00000150 (00336)   3939494d 55756a67 55573462 76544964   99IMUujgUW4bvTId
0x00000160 (00352)   4e2f6a50 58754750 6a61427a 786c6363   N/jPXuGPjaBzxlcc
0x00000170 (00368)   356d704e 30316136 742f5169 53585877   5mpN01a6t/QiSXXw
0x00000180 (00384)   707a3948 6d306b7a 39664266 61556e31   pz9Hm0kz9fBfaUn1
0x00000190 (00400)   30782f47 4c636f66 52694834 4c764673   0x/GLcofRiH4LvFs
0x000001a0 (00416)   41694759 46736169 6f4d5730 374b3045   AiGYFsaioMW07K0E
0x000001b0 (00432)   33726b6b 334d655a 55796744 654c4777   3rkk3MeZUygDeLGw
0x000001c0 (00448)   32733132 2b6f504d 4e726e4a 5a637a68   2s12+oPMNrnJZczh
0x000001d0 (00464)   7a5a3878 694e5775 3554674f 6871344f   zZ8xiNWu5TgOhq4O
0x000001e0 (00480)   71555330 424d5464 4b32625a 792f6878   qUS0BMTdK2bZy/hx
0x000001f0 (00496)   33546e6d 47795446 4c48684c 6352662b   3TnmGyTFLHhLcRf+
0x00000200 (00512)   76417a49 4f424e6d 76343343 444b3251   vAzIOBNmv43CDK2Q
0x00000210 (00528)   30354156 636d4138 324b6854 66557373   05AVcmA82KhTfUss
0x00000220 (00544)   2f476f6c 77786c6d 396b4c6e 726e6c49   /Golwxlm9kLnrnlI
0x00000230 (00560)   2b355536 6e333664 2f33346b 6f6c5631   +5U6n36d/34kolV1
0x00000240 (00576)   6136516e 2b773d3d                     a6Qn+w==


Strings
<.c..6m
......

040904E4
 2010 d Setup Technologies 
4.1.0.0
8N Setup Self-Extractor 
BBABORT
Cannot open file "%s". %s
cHgt
Comments
CompanyName
Copyright 
DVCLAL
Error reading %s%s%s: %s
Failed to get data for '%s'
FileDescription
FileVersion
Ft set_up j
InternalName
 Internet Security X
Invalid argument to date encode
Invalid argument to time encode
Invalid data type for '%s' List capacity out of bounds (%d)
Invalid property element: %s
Invalid property path
Invalid property type: %s
Invalid property value
Invalid stream format$''%s'' is not a valid component name
Jordan Russell
LegalCopyright
LegalTrademarks
List count out of bounds (%d)
List index out of bounds (%d)+Out of memory while expanding memory stream
MS Sans Serif
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters!'%s' is not a valid integer value('%s' is not a valid floating point value
OriginalFilename
Out of memory
ProductName
ProductVersion
Property is read-only
Property %s does not exist
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Stream read error
Stream write error
StringFileInfo
TEXTFILEDLG
Translation
VarFileInfo
VS_VERSION_INFO
(	0%$-
%02xy0?#
0{EYxvy
0}F:94
/13IgT
&18QcP
1A0g,.
1eAM|L
1Nkodd
1tQDkHN'
2tAqPv
2Z3	4`
33333333?333333
333333333333333333
3333333333333338
3333339
333338
33333833
333838
3/3F$l$
37G)JVW
3h?`h3
&3^O*M4/
3RxK3f7
3ur7}l
4@}|m;
4qeKQ^
4r1KsQwc
+!5)8/Yw
5@B{7"
5$ed_[t
/,|5F;(
5I@4Bf
\}6t~X
 7&9^qu
7bn8H 
7E1FlNsfA
7FUlOz
7NdXPj
! ?8L!
8_$	tAX
91p4t<B
9~dE<t
9@K{:(
9~@n_A)Z
9v6G;S
9X >`.rd
A(,291`a
#?a,|$N
a$|Nn#*
a+^PjH
AT)*ur
Au1ezPt
az6&"q
b4MwP@16
^(>b,a
BEILPLD
bJX%ej
bshlwapi
Bz8y!M?8
C7=,|8
cp2 @h
?Crifpc'S
CS#4j$
cUy* zM
{d2jd*RT
,d+_^3
@.data
DDBZ9<,
d)&^.f
DJlP@\
dz`6z>
DzN(nuq
E69E0s2
)EkNQ8_O4
`,)E*lfy
+,e=:q
ex0d6n
ExitProcess
f(^@)|
^<)F1|P@x
F*4Jy`
.F&pzu
Ft set_up j
?F@"+^u9
g1!eu<;}
&_g"3Z
G8OB(j
;G8`Qz_
G9G8,654
GetCapture
GetClassInfoA
GetClassLongA
G?etCom)and
GetMenu
h2kLAQgX2q
+H]:2$L
hiX2C~
hRX<9A4t$
hs`H~M
_hvV_3JE
i	-)]"
I6thU*y;*
=*I9&$
imHg|a_
itxs4n
iz0'eA
,".+j@
J?2Fk9
j5nxDp5
!jE`+S
j:lk>Z1|L<
(#j*O	
	js0#(
j%Wp}$Q
{Ka(\C\
KERKN^L
KERNEL32.dll
khGqCu
K(s&~;3
+:\ktGh
kYDpkFrJ
lH#YrA)
LoadLibraryA
l"#O.MiT
LPZQ7<
lstrcpyA
L)U19@
%M0^\F
_M1G9YFypRJd3bU@12
M3QmhS
MS<CP60
MUbpk13
(nfYmc
NpvsQr
(NY?3{K
oXwGUP9ujJ
ozCHRA~.;
:p8B^J
<;pDtn
P$Fa&t
Pi ')X
(\pk0 wv
pl!>@b
Po8uXOLEA
P'ocdsKc
>PpD~:}
PtNY(P
P"W.L?
qA1*q<R 
_qf6Kn1Ipj
Qk"0xS1G
/Qnt3r
QvAFTv
'q/Z%o&r_
@R1|HO
rBESa4CLD@20
`.rdata
r|n!Bj
rOD7faul[LCI
`{rS@2(d
RvhByi
rY,XNu
SD>h%L
SR;QPWja
s<WAg+
SZ- xv
t(:;\$
t-`b\s
tcJ}'j
"TD{	(
Th4$adI
ThILlJ
This program must be run under Win32
tjHfpeU
t)PBhx2T
T*Qo_RH
tU:1L$
"txOA7
tZvf\"
=u( 0F
UNIQSTR
USER32.dll
uz)p!L->Y
\/v8($
vc1PlFe@24
VD%|?k
VirtualAllocEx
vj5q(/;
vr+SUV
v-\swI
_vTMy60Z@4
vxh-dv
v,Y2tS
VZAEBz
WaitForSingleObject
whD!kqn
WideCharToMultiByte
WriteFile
wYO$(.j
wZtJt4t
X3F3nyTY
x4cpy,
x9Cx;m
Xc(0 ?d.
xc;p5_
XDucc8_
"x;~Dug
\X\eJq
XH	G4_
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
XV0x|\
*$xz\(
:y[3lH+?
~$~Y3M
y.B*v%
y`jGa1-
y$nu A
YoCf._\U
.*YoD~y
Y^P)&1|
yq1rW8QW
y@)S|4hW
z6RsE8
ZDVS{N*ME
z-H"7,
z@H|!D
ZO4 +,
(Z:R/f
&zY@A_
Zy	r{,os