Analysis Date: 2015-05-13 01:50:34
MD5: 25a6879eb91dc2a787c0138445b5a476
SHA1: a0ca89f75935115e019d7038bdebacac88022cb9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text — md5: 43494ef86f2baaae529d3f8fe24d63dc sha1: b0fc8cd35614e548a8f52f100a9533ec8a4c0617 size: 88064
Section .rdata — md5: 60c984a5bb12450b1d81a70493655aff sha1: 03fcf1c1812d513865de8412ad6ff67bb401b023 size: 4096
Section .data — md5: cf15b44bdfe1d0d90bfe02799809ac1d sha1: bb789d94744c77528f2f001157a5b7de6e765f90 size: 20992
Section .sxdata — md5: c57826e3d1e133955b20d3fe909e5a8d sha1: 46aba16ada47325e0162a3a9e6d8b07beb407dae size: 512
Section .Polyene — md5: 2de45d8ff8483f03ec378fad6211759f sha1: c2260ef6e2abd884048303afe856b3486d766245 size: 1536
Timestamp: 2005-08-18 13:54:22
PEhash: dee8d4fea3f0cbbfcadec7dcdce22fca979e3426
IMPhash: d843c229508e6f0d504bcfd08dd4d572

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\kklucruo.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\WINDOWS\system32\kklucruo.exe 0 "C:\malware.exe"
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: [Xthar2s Bot]

Process
↳ C:\WINDOWS\system32\kklucruo.exe 0 "C:\malware.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Winddows XP Patch ➝ kklucruo.exe
Registry: HKEY_CURRENT_USER\Software\Microsoft\OLE\Winddows XP Patch ➝ kklucruo.exe
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Winddows XP Patch ➝ kklucruo.exe
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Creates Mutex: [Xthar2s Bot]

Network Details:

DNS: data.shizero.com
Type: A
141.8.225.80
Flows TCP: 192.168.1.1:1031 ➝ 141.8.225.80:4497
Flows TCP: 192.168.1.1:1032 ➝ 141.8.225.80:4497
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.80:4497
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.80:4497
Flows TCP: 192.168.1.1:1035 ➝ 141.8.225.80:4497
Flows TCP: 192.168.1.1:1036 ➝ 141.8.225.80:4497
Flows TCP: 192.168.1.1:1037 ➝ 141.8.225.80:4497
Flows TCP: 192.168.1.1:1038 ➝ 141.8.225.80:4497
Flows TCP: 192.168.1.1:1039 ➝ 141.8.225.80:4497
Flows TCP: 192.168.1.1:1040 ➝ 141.8.225.80:4497
Flows TCP: 192.168.1.1:1041 ➝ 141.8.225.80:4497
Flows TCP: 192.168.1.1:1042 ➝ 141.8.225.80:4497

Raw Pcap (the ASCII column decodes to IRC-style NICK/USER registration lines)
0x00000000 (00000)   4e49434b 20743072 6e7c3735 3537330d   NICK t0rn|75573.
0x00000010 (00016)   0a555345 52206e78 6c757473 20302030   .USER nxluts 0 0
0x00000020 (00032)   203a7430 726e7c37 35353733 0d0a        :t0rn|75573..

0x00000000 (00000)   4e49434b 20743072 6e7c3530 3534390d   NICK t0rn|50549.
0x00000010 (00016)   0a555345 52206164 697a646e 68203020   .USER adizdnh 0 
0x00000020 (00032)   30203a74 30726e7c 35303534 390d0a     0 :t0rn|50549..

0x00000000 (00000)   4e49434b 20743072 6e7c3032 3432360d   NICK t0rn|02426.
0x00000010 (00016)   0a555345 5220656a 66656d69 20302030   .USER ejfemi 0 0
0x00000020 (00032)   203a7430 726e7c30 32343236 0d0a0a      :t0rn|02426...

0x00000000 (00000)   4e49434b 20743072 6e7c3637 3036370d   NICK t0rn|67067.
0x00000010 (00016)   0a555345 5220726f 63697776 20302030   .USER rociwv 0 0
0x00000020 (00032)   203a7430 726e7c36 37303637 0d0a0a      :t0rn|67067...

0x00000000 (00000)   4e49434b 20743072 6e7c3438 3838310d   NICK t0rn|48881.
0x00000010 (00016)   0a555345 52206577 74786674 20302030   .USER ewtxft 0 0
0x00000020 (00032)   203a7430 726e7c34 38383831 0d0a0a      :t0rn|48881...

0x00000000 (00000)   4e49434b 20743072 6e7c3934 3838350d   NICK t0rn|94885.
0x00000010 (00016)   0a555345 52207971 71687874 20302030   .USER yqqhxt 0 0
0x00000020 (00032)   203a7430 726e7c39 34383835 0d0a0a      :t0rn|94885...

0x00000000 (00000)   4e49434b 20743072 6e7c3338 3934340d   NICK t0rn|38944.
0x00000010 (00016)   0a555345 52207962 66686520 30203020   .USER ybfhe 0 0 
0x00000020 (00032)   3a743072 6e7c3338 3934340d 0a0a0a     :t0rn|38944....

0x00000000 (00000)   4e49434b 20743072 6e7c3938 3031310d   NICK t0rn|98011.
0x00000010 (00016)   0a555345 52207377 62727720 30203020   .USER swbrw 0 0 
0x00000020 (00032)   3a743072 6e7c3938 3031310d 0a0a0a     :t0rn|98011....

0x00000000 (00000)   4e49434b 20743072 6e7c3639 3534330d   NICK t0rn|69543.
0x00000010 (00016)   0a555345 52206c68 71726c20 30203020   .USER lhqrl 0 0 
0x00000020 (00032)   3a743072 6e7c3639 3534330d 0a0a0a     :t0rn|69543....

0x00000000 (00000)   4e49434b 20743072 6e7c3133 3639390d   NICK t0rn|13699.
0x00000010 (00016)   0a555345 5220786f 6e686f63 61203020   .USER xonhoca 0 
0x00000020 (00032)   30203a74 30726e7c 31333639 390d0a     0 :t0rn|13699..

0x00000000 (00000)   4e49434b 20743072 6e7c3538 3331340d   NICK t0rn|58314.
0x00000010 (00016)   0a555345 52206e78 77706320 30203020   .USER nxwpc 0 0 
0x00000020 (00032)   3a743072 6e7c3538 3331340d 0a0d0a     :t0rn|58314....

0x00000000 (00000)   4e49434b 20743072 6e7c3133 3736320d   NICK t0rn|13762.
0x00000010 (00016)   0a555345 52206470 79657220 30203020   .USER dpyer 0 0 
0x00000020 (00032)   3a743072 6e7c3133 3736320d 0a0d0a     :t0rn|13762....


Strings
.b/
_
s=.......
?-	)	]
,09F(\
0NU7;<
<)%0Od
0Qe35\~5
~0X9-v?
1e2dw|
1w{,84
2> L7arCe 
?2s_}hQS
3)5#V=
39!oup
3?!_b~
3ep9=4|
4IX'cFw
&4w(^z
5=$M*3w1)
5=oT+v
5\ W;s
6'ie?'
$_6u;,
72,n/)y
7FPqGG
7TZBIe
- 7{<V
8	a+B8
[>8+_+G
~*&<#8I
*{8yo:
,9`1m#?
9co*5-
9:cq	|
=9H=5r
:`9_S<
9W\$c[
9xF/oC
a_4L=e>
[(a`[?c
a?$>~H
AL7T5"
AmT9!9=vd'
Av"^Kk
ax*+Vc
BF9a8	
+br/z[
C_clAgY+i7
CG=1=y 
ct.x\]<qn
^>d3H+\
$@D_IR
&DS?-d
dVaE#{
DyRway
e=|%;$
e6J}K|
_eF612@[M
;-egp&
ep:}_K
EQ<%l[
ExitProcess
;[F>`%
F%1i_-E3
]}f:-8
F,?eQS
_Fn1e^vc4
f+Q(%`%
F?S%.2
fuJsMxC
fzQQp14h
G'~()'
GCEIFy
GetProcAddress
gFC{]O+
gk/'aBMIbN
GlobalAlloc
GlobalFree
`gnbm9
G)`Q4QG
#)gS@53
Gs;. b
GW]ETn7
H:44SX
&Hj4bR
H^:PH%
hVZbcvR
!i=8pV
Ic~b>M
&I*Q;+sM
is_^ f
It=Q[2)
Iu%3p>UC9
i_UD:^
I|w9kC
j,J*ju
jK4ZTX
jPybH1
#k]0!~
.,K>B.
KERNEL32.dll
|:(KF~
KIg+Jo
k_W.26
KWP]f'
K!y__G
)k@yV/
l~4rv88
L6OF~1
l^,euik
Lf?%,%J 
{>l;%g
LM<_7[E
LoadLibraryA
loy5LP
]m3KBc
MessageBoxA
%mffqo
?];+(Mq
n_9S0F
,ne<&*
!NHKzL
nZjO|f
ob^+j;
>OJ0	./
P}^1]PQx
<PC;b3
"Pch1z
.Polyene
PolyEnE
PoX={K
PP?6G8e
pPA[r1
>PpaS*
&=PV]p
Q'$4u*
]$QbeN
qc+_C*)
qkNX=M
`Q;<`O,
>qO~&9
#)"qQ!
[/Q-s[S$
qX8vKjO
r0XnC5
R1[xa<
R6CI&ojK8
.rdata
reHkfZ
r}:~jY
RPo*)5
_}rtKv
Rzb]MjR
S^	{;9v
S]AOp=HO>qh
S{e,)`
.sxdata
%s|z8Ac
sZKEs8
`t0,H=
T9SO2#
!This program cannot be run in DOS mode.
Tsi4ry|snb	
T>; ;U
[-t<Wi>
,u,34T
u"9Y,,
;UHDBk
UH)d!&S$Z/u
:Unable to fix importtable.
Un+"`u>
USER32.dll
 ~uteL{
uu54wc
$U"'!x0O;~
$ UZ(M
UzzAhM
V<%(Hqu
VpaVQG
V@po!k
V?x(78
>v#zB'
W9 G1q
^WC{)F3
wdWc$"
W(|fh:
w;=r#%qn
wXqasK
	X5{YY|
$;-@X9
x#D<[+}
xe7.V*
'y1Cin
!y2ka,
Y?cZnw
@ye-(~(h
y\|L1L
y<X;?_
=%Z2JaZ
zB<c7/
zh2pbnL|f*Q-h
ZjH.xm3
?ZPKQS`/p