Analysis Date: 2014-06-25 00:05:48
MD5: b240942d845311389b07e76cacbde93f
SHA1: a3785b2dcc7edf2e8457d64c71d27d28ea57bcd4

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386
Section .text:  md5: aa7c8d05b93fb1fce61d60db8a302489  sha1: 9c711819cb203bc2e9617a282c06c94639b210ab  size: 183296
Section .rdata: md5: c8c01a833bfd31d0e2141ed71c1d67f8  sha1: ecef3172ee85a96b7c4f25970ace99a2a9c6b2b8  size: 2048
Section .data:  md5: e0914135629bfd3c24ee7cb11c167863  sha1: f64c8b1af36fe3242cc914c06f0c60193932c4bf  size: 16896
Section .tls:   md5: 192e052aad13de965d0625fdd1f936b2  sha1: 78fe1a060eaad95e827b02a5ebb6e68850209c47  size: 512
Timestamp: 2005-10-18 16:23:07
Version: PrivateBuild: 1517
PEhash: 4baa35ba5c3cfbfaf3154b8b8a33d2e4398f2094
IMPhash: 6de5e753b0ff8be1a49db4af2581499d

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates Mutex: {4D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {EEEB680D-AE62-4375-B93E-E9AE5FF585C1}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: ordersmallcd.com
Winsock DNS: 127.0.0.1
Winsock DNS: psfk.com
Winsock DNS: supportminidevices.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Network Details:

DNS: psfk.com  Type: A  ➝ 72.10.50.52
DNS: zonetf.com  Type: A  ➝ 208.73.211.237
DNS: zonetf.com  Type: A  ➝ 208.73.211.240
DNS: zonetf.com  Type: A  ➝ 208.73.211.250
DNS: zonetf.com  Type: A  ➝ 208.73.210.210
DNS: zonetf.com  Type: A  ➝ 208.73.211.179
DNS: supportminidevices.com  Type: A
DNS: ordersmallcd.com  Type: A
HTTP GET: http://psfk.com/img/icons/twitter.png?v48=13&tq=gKZEtzyqQSfsWY9%2FWtGTRYtc5VZ4GNWSGkLG14sFNow8fUGwjkEsNMgfgOiAHAZziPNweE2iIGrNjgd03FF6tRbHZSJtXHfMZoIz%2Fm9Hoz4pJFsT8XzDaxIcLq2JdrQjU1jVBmp9W4%2FW5KZVXj1Q70NlfdRaCzUB6BGfMMiM6codc3OBywzp5gUs80CptoUu0RZYHhQ87ncGaVyg1GVW8%2FE3L1x%2BHQ2xqvEKbscVChBZart6ItDerYFP0qHh41jUDiv7v1se2TAeFBnXRulKu0%2F8ebqZnfEdozC0sFpgAECcCgH%2F7QjivaaFxPDv8U%2FVAol96j8kH8tc6O35scluTS%2B0XO7rge%2BE0MAeAXLv0EqmUVfPMZT2FlTP1g4V7Fnyrk7fnqAMvjiC59lHFPWCrZBf2Ok10PkmO6%2FHWjCBfh84RNyq8GUZt4ws%2FemT0GcqFVyg1K4YsHfPDNu%2FcH2E0KI%2B7bl2jx2E39%2BwuoMXAc
User-Agent: mozilla/2.0
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNtX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNtX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJsX%2BSNzFKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows TCP: 192.168.1.1:1031 ➝ 72.10.50.52:80
Flows TCP: 192.168.1.1:1033 ➝ 208.73.211.237:80
Flows TCP: 192.168.1.1:1034 ➝ 208.73.211.237:80