Analysis Date: 2014-09-06 17:59:18
MD5: 9ea0ca597e50eb3d94f53a8b9cdaaa54
SHA1: a16ef50d9d6c948f14ac738ab8a59a0634043e27

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 — md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1 — md5: 69606dc29fb53a2b8ccca6bf8e6882a7 sha1: cf114eb9da0efaca293e0b90fdb1d93e32077d11 size: 42496
Section UPX2 — md5: 0f63bc69994f3ff76dea05e93e0f70b2 sha1: d5f36dfb94f18ce1ba4d834cbe14d90b37734d97 size: 512
Timestamp: 2004-03-19 08:58:54
Packer: UPX -> www.upx.sourceforge.net
PEhash: 6b28631e418d918f9fc8a345562c17fef5a284c6
IMPhash: c7ecd1a0a4200634e300116dcad86d0d

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\msgfixed.exe
Creates Process: C:\WINDOWS\system32\msgfixed.exe
Creates Mutex: jop

Process
↳ C:\WINDOWS\system32\msgfixed.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Msg Fixage ➝
msgfixed.exe\\x00\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Msg Fixage ➝
msgfixed.exe\\x00\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Msg Fixage ➝
msgfixed.exe\\x00\\x00
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Mutex: jop

Network Details:

DNS: irc.abjects.net
Type: A
192.241.89.206
DNS: irc.abjects.net
Type: A
195.154.6.113
DNS: irc.abjects.net
Type: A
37.59.41.117
DNS: irc.abjects.net
Type: A
37.59.60.133
DNS: irc.abjects.net
Type: A
62.210.211.122
DNS: irc.abjects.net
Type: A
91.217.189.77
DNS: irc.abjects.net
Type: A
94.23.42.81
DNS: irc.abjects.net
Type: A
192.186.136.206
DNS: r0x.myvnc.com
Type: A
DNS: irc.freshirc.com
Type: A
Flows TCP: 192.168.1.1:1031 ➝ 192.241.89.206:6667
Flows TCP: 192.168.1.1:1033 ➝ 192.241.89.206:6667
Flows TCP: 192.168.1.1:1034 ➝ 192.241.89.206:6667
Flows TCP: 192.168.1.1:1035 ➝ 192.241.89.206:6667
Flows TCP: 192.168.1.1:1036 ➝ 192.241.89.206:6667
Flows TCP: 192.168.1.1:1037 ➝ 192.241.89.206:6667
Flows TCP: 192.168.1.1:1038 ➝ 192.241.89.206:6667
Flows TCP: 192.168.1.1:1039 ➝ 192.241.89.206:6667
Flows TCP: 192.168.1.1:1040 ➝ 192.241.89.206:6667
Flows TCP: 192.168.1.1:1041 ➝ 192.241.89.206:6667
Flows TCP: 192.168.1.1:1042 ➝ 192.241.89.206:6667
Flows TCP: 192.168.1.1:1045 ➝ 192.241.89.206:6667
Flows TCP: 192.168.1.1:1046 ➝ 192.241.89.206:6667

Raw Pcap
0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d373134   NICK [KuanG]-714
0x00000010 (00016)   30383536 39380d0a 55534552 205b4b75   085698..USER [Ku
0x00000020 (00032)   616e475d 2d393439 38313930 36392030   anG]-949819069 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 37313430    0 :[KuanG]-7140
0x00000040 (00064)   38353639 380d0a                       85698..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d343831   NICK [KuanG]-481
0x00000010 (00016)   34303835 34340d0a 55534552 205b4b75   408544..USER [Ku
0x00000020 (00032)   616e475d 2d333430 35393336 31322030   anG]-340593612 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 34383134    0 :[KuanG]-4814
0x00000040 (00064)   30383534 340d0a                       08544..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d303831   NICK [KuanG]-081
0x00000010 (00016)   31383231 37360d0a 55534552 205b4b75   182176..USER [Ku
0x00000020 (00032)   616e475d 2d323335 38313435 39382030   anG]-235814598 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 30383131    0 :[KuanG]-0811
0x00000040 (00064)   38323137 360d0a                       82176..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d333932   NICK [KuanG]-392
0x00000010 (00016)   31353637 32390d0a 55534552 205b4b75   156729..USER [Ku
0x00000020 (00032)   616e475d 2d353537 36383831 34302030   anG]-557688140 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 33393231    0 :[KuanG]-3921
0x00000040 (00064)   35363732 390d0a                       56729..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d393133   NICK [KuanG]-913
0x00000010 (00016)   39333033 37310d0a 55534552 205b4b75   930371..USER [Ku
0x00000020 (00032)   616e475d 2d313536 34363237 39322030   anG]-156462792 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 39313339    0 :[KuanG]-9139
0x00000040 (00064)   33303337 310d0a                       30371..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d353938   NICK [KuanG]-598
0x00000010 (00016)   32353132 35370d0a 55534552 205b4b75   251257..USER [Ku
0x00000020 (00032)   616e475d 2d343537 33333631 33372030   anG]-457336137 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 35393832    0 :[KuanG]-5982
0x00000040 (00064)   35313235 370d0a                       51257..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d393937   NICK [KuanG]-997
0x00000010 (00016)   39323538 30390d0a 55534552 205b4b75   925809..USER [Ku
0x00000020 (00032)   616e475d 2d313632 36353739 39312030   anG]-162657991 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 39393739    0 :[KuanG]-9979
0x00000040 (00064)   32353830 390d0a                       25809..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d383735   NICK [KuanG]-875
0x00000010 (00016)   31333837 35350d0a 55534552 205b4b75   138755..USER [Ku
0x00000020 (00032)   616e475d 2d303139 38363930 34362030   anG]-019869046 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 38373531    0 :[KuanG]-8751
0x00000040 (00064)   33383735 350d0a                       38755..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d343131   NICK [KuanG]-411
0x00000010 (00016)   35333336 39390d0a 55534552 205b4b75   533699..USER [Ku
0x00000020 (00032)   616e475d 2d363833 32363537 31302030   anG]-683265710 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 34313135    0 :[KuanG]-4115
0x00000040 (00064)   33333639 390d0a                       33699..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d323236   NICK [KuanG]-226
0x00000010 (00016)   37323031 30340d0a 55534552 205b4b75   720104..USER [Ku
0x00000020 (00032)   616e475d 2d323236 37323031 30342030   anG]-226720104 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 32323637    0 :[KuanG]-2267
0x00000040 (00064)   32303130 340d0a                       20104..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d353733   NICK [KuanG]-573
0x00000010 (00016)   38353336 33350d0a 55534552 205b4b75   853635..USER [Ku
0x00000020 (00032)   616e475d 2d383236 35303437 35362030   anG]-826504756 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 35373338    0 :[KuanG]-5738
0x00000040 (00064)   35333633 350d0a                       53635..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d313237   NICK [KuanG]-127
0x00000010 (00016)   32353833 38380d0a 55534552 205b4b75   258388..USER [Ku
0x00000020 (00032)   616e475d 2d333731 39393036 39302030   anG]-371990690 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 31323732    0 :[KuanG]-1272
0x00000040 (00064)   35383338 380d0a                       58388..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d393931   NICK [KuanG]-991
0x00000010 (00016)   37363432 34340d0a 55534552 205b4b75   764244..USER [Ku
0x00000020 (00032)   616e475d 2d313335 34393633 34362030   anG]-135496346 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 39393137    0 :[KuanG]-9917
0x00000040 (00064)   36343234 340d0a                       64244..


Strings
A
l
.?
A
l
.?

*0)quf*2
!2NU_"
2\u_Zmv
]|[4c 
.53oL&
:6c.-;
6Vt~k6
7qi5%(
9l$\w_
9tX#pO}
ADVAPI32.dll
AG87MV
aOhAVQ
^?A>XK
]cp/K_x^
.)D$H)
dM1X	l
D$t+D$\
D$t#D$h
e6$xs(
E9ml~v
elzkeZ
eqp0xt
ExitProcess
@eZ^D3d
FFShnW
FindWindowA
{F+:s/)
FvV?ZrS
~{#~G5_
GetProcAddress
hj^]*c
hl`XR86
!h*tzh
I4`1o"
I|7Irp
IFQ-lU
InternetOpenA
jfF}:1e
 JL=<vF
jnDXIs
k.0l}ZuTE%*-x6@
kAqOA5mDZ,(v
K~Biw~
KERNEL32.DLL
K"GDU)t
k[<u <
:kzQ7.
!lI0vI
,LI'3iI,
'L}jIGuj
*'lk=f
LLd3m*hw
LoadLibraryA
LQL5c)d
MPR.dll
nE8x}.
NH("oT&^U
noL~Od
NYg-Mb
oD{7Aoe
OnO!1G
(PoiNSE
P	>>%Q
psU?oH3X
P?Y<O-
Pyy|k,#|
\QoFi5
qUA=?)
q]y+)h
RegCloseKey
r J.~Ks
SHELL32.dll
ShellExecuteA
s`)L$4
!This program cannot be run in DOS mode.
t$t#t$l
T#YJz1
ug69xT
USER32.dll
VirtualAlloc
VirtualFree
VirtualProtect
#V?Soi
V`sU9>
WININET.dll
WNetAddConnection2A
'wPrZxO
WS2_32.dll
WSWB0f
w.TB!{
 =x.?$
XL)^Fe
XPTPSW
\#Xqqi4.K
X+ s4}
Z:DEvWd
Z,kMXF
zz0$CC