Analysis Date: 2015-07-01 04:45:58
MD5: 10d2e99af62839c8034276ac1d19f76a
SHA1: a428e7844e5a55297ccea4cff35dcceb958129da

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 8ab9e53ca2b70959e2f41a61c7cee919 sha1: 852364548af4da328d47fe7a98aecd0a6019fbb8 size: 442368
Section .rdata: md5: ec0c4be6f7f0379139bb2c44c3b19789 sha1: ee417b4dc01d4a3bc42cfd3fe816eb457d868fe2 size: 1327104
Section .data: md5: 4712bf36384779b1fbf5442ee6f2048e sha1: f007874a84fe4b55fbcd8efbf4f554d3e9f1d28d size: 61440
Section .rsrc: md5: 044973b905ed2be888d50e5ceca46bc4 sha1: 22c7a66ffeae79afb6a340c7d548a1257faf82dd size: 24576
Timestamp: 2015-05-17 16:48:54
Version:
  LegalCopyright: 骷髅王
  FileVersion: 1.1.8.11
  CompanyName: By:永恒
  Comments: 永恒
  ProductName: 永恒
  ProductVersion: 1.1.8.11
  FileDescription: 永恒
Packer: Microsoft Visual C++ v6.0
PEhash: f5267f29d5ad56aa9ded617da533eda8a7f0e7de
IMPhash: df57b751754317f1b534cc4c3fa3fde8
AV CA (E-Trust Ino): no_virus
AV F-Secure: Trojan:W32/DelfInject.R
AV Dr. Web: BackDoor.BlackHole.27662
AV ClamAV: Win.Trojan.Agent-204211
AV Arcabit (arcavir): Gen:Variant.Graftor.656
AV BullGuard: Gen:Variant.Graftor.656
AV Padvish: no_virus
AV VirusBlokAda (vba32): HackTool.Sniffer.WpePro
AV CAT (quickheal): Win32.VirTool.DelfInject.gen!X.4.a
AV Trend Micro: no_virus
AV Kaspersky: no_virus
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Graftor.656
AV Ikarus: no_virus
AV Frisk (f-prot): W32/Agent.EW.gen!Eldorado
AV Authentium: W32/Agent.EW.gen!Eldorado
AV MalwareBytes: no_virus
AV MicroWorld (escan): Gen:Variant.Graftor.656
AV Microsoft Security Essentials: no_virus
AV K7: no_virus
AV BitDefender: Gen:Variant.Graftor.656
AV Fortinet: Riskware/Qhost
AV Symantec: no_virus
AV Grisoft (avg): no_virus
AV Eset (nod32): no_virus
AV Alwil (avast): no_virus
AV Ad-Aware: Gen:Variant.Graftor.656
AV Twister: Hacktool.33C0C390558BEC@.mg
AV Avira (antivir): no_virus
AV Mcafee: no_virus
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page ➝ http://www.2345.com/?k1276568788
Creates File: C:\多功能辅助器.DLL

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore\Type ➝ 4
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links\Order ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore\Type ➝ 3
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore\Type ➝ 4
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012015070120150702\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\logo[1].gif
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\2345[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Deletes File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013061320130614\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013052720130603\index.dat
Creates Mutex: _!SHMSFTHISTORY!_
Creates Mutex: Shell.CMruPidlList
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!mshist012015070120150702!
Winsock DNS: www.2345.com

Network Details:

DNS: www.2345.com
  Type: A
  42.62.30.180
HTTP GET: http://www.2345.com/?k1276568788
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.2345.com/logo.gif
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1033 ➝ 42.62.30.180:80
Flows TCP: 192.168.1.1:1034 ➝ 42.62.30.180:80

Raw Pcap

Strings