Analysis Date: 2014-11-28 19:48:26
MD5: 2bbc2f7b6e9d4039028f458041077fce
SHA1: a4cf79e45de2c7585a207a90063ccf41a09daf00

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 931248cb8005fcbd3899e90aa05f881c sha1: 7887069899e2030ccf99ad864a328a78738c138d size: 138240
Section .rsrc md5: 2d53ec727f0fb462fbfb85aedf9cc433 sha1: 62c8e67471be8b44bbfb1f728a4e8f5c29b35790 size: 16384
Timestamp: 2008-07-29 22:55:23
Version:
LegalCopyright: Copyright (C) 2003-2008
InternalName: Freegate
FileVersion: 0, 0, 0, 0
CompanyName:
PrivateBuild:
LegalTrademarks:
Comments:
ProductName: Freegate Application
SpecialBuild:
ProductVersion: 0, 0, 0, 0
FileDescription: Freegate Application
OriginalFilename: freegate.EXE
Packer: PECompact 2.0x Heuristic Mode -> Jeremy Collake
PEhash: aa592428b1cfc5bdda017834033765dbdd53f0e2
IMPhash: 09d0478591d4f788cb3e5ea416c25237
AV 360 Safe: Trojan.GenericKD.1943371
AV Ad-Aware: Trojan.GenericKD.1943371
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Trojan.LVFS-9066
AV Avira (antivir): BDS/Rogue.155648
AV BullGuard: Trojan.GenericKD.1943371
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Backdoor.Clack.r2
AV ClamAV: no_virus
AV Dr. Web: Trojan.Proxy.3764
AV Emsisoft: Trojan.GenericKD.1943371
AV Eset (nod32): no_virus
AV Fortinet: W32/Clack.K!tr.bdr
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.GenericKD.1943371
AV Grisoft (avg): BackDoor.Generic_c.ACHJ
AV Ikarus: Backdoor.Win32.Clack
AV K7: Riskware ( 0040eff71 )
AV Kaspersky: Backdoor.Win32.Clack.k
AV MalwareBytes: Trojan.Agent
AV Mcafee: Generic.dx
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Trojan.GenericKD.1943371
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Trojan.Gen
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): Trojan.Proxy

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Dgdebdtf ➝ 5120
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PhysicalDrive0
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS: w65.ziyoulonglive.com (Type: A)
DNS: w61.ziyoulonglive.com (Type: A)
DNS: w62.ziyoulonglive.com (Type: A)
DNS: w63.ziyoulonglive.com (Type: A)
DNS: w64.ziyoulonglive.com (Type: A)
Flows TCP: 192.168.1.1:1034 ➝ 175.181.101.252:443
Flows TCP: 192.168.1.1:1035 ➝ 175.181.114.173:443
Flows TCP: 192.168.1.1:1036 ➝ 1.161.151.225:443
Flows TCP: 192.168.1.1:1037 ➝ 118.169.168.243:443
Flows TCP: 192.168.1.1:1038 ➝ 122.121.11.111:443
Flows TCP: 192.168.1.1:1039 ➝ 114.43.197.79:443
Flows TCP: 192.168.1.1:1040 ➝ 114.27.38.18:443
Flows TCP: 192.168.1.1:1041 ➝ 36.224.10.251:443

Raw Pcap

Strings