Analysis Date: 2013-09-15 13:02:59
MD5: 9e2de85762594db78c2b600061598b75
SHA1: a79f1dc6ec7d4f4bc956d2a96af704df807a2d44

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: bcefd13d879b5aa1628d5731462b1935 sha1: 5e05fbf6b8bf012397b847cd5d10aee153dc895d size: 75264
Section .data md5: 0eb9af4768d13f3fe805922a21fcbf55 sha1: 9665ae9e81ee6c6c0d2193973be588eb90aa031c size: 2560
Section .idata md5: 7f9440e32acb299f3bda96288136b63a sha1: 1d51ab1fb34c6b541f544524a63c3d9d73f566f9 size: 4096
Section .rsrc md5: 268a04383dbc7e86a53e982e1da21c2c sha1: 5d008fc03fb658231e94722b64715e90f270a97c size: 12800
Timestamp: 2005-08-03 16:31:58
Packer: RAR SFX
PEhash: 865e2876baa75b3d067df745655e1ef3a3eed45c
AV (avg): Downloader.Generic9.BCOK
AV (msse): TrojanDownloader:Win32/Troxen!rts
AV (avira): DR/VB.ort.44

Runtime Details:


Process
↳ C:\malware.exe

Creates File: TXPlatform.exe
Creates File: Systam.exe
Creates Process: C:\abcdef\Systam.exe

Process
↳ cmd /c ipconfig/all > C:\abcdef\macmac.txt

Creates File: C:\abcdef\macmac.txt
Creates Process: ipconfig /all

Process
↳ C:\abcdef\Systam.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates Process: "C:\abcdef\TXPlatform.exe"
Creates Service: Network Security Agent - C:\abcdef\Systam.exe

Process
↳ "C:\abcdef\TXPlatform.exe"

Creates File: C:\abcdef\runcount.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFC2F7.tmp
Creates File: C:\abcdef\runtrue.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\abcdef\macmac.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\abcdef\qqver.txt
Creates Process: cmd /c ipconfig/all > C:\abcdef\macmac.txt
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ ipconfig /all

Winsock DNS: 192.168.254.254

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 796

Process
↳ Pid 840

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG

Process
↳ Pid 1120

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1848

Process
↳ Pid 984

Network Details:

DNS: yd.ecoma.glb0.lxdns.com
Type: A
218.92.221.57
DNS: yd.ecoma.glb0.lxdns.com
Type: A
218.92.221.55
DNS: yd.ecoma.glb0.lxdns.com
Type: A
218.92.221.58
DNS: yd.ecoma.glb0.lxdns.com
Type: A
218.92.221.56
DNS: www.ip138.cn
Type: A
218.133.22.66
DNS: www.ip138.com
Type: A
HTTP GET: http://www.ip138.com/ips.asp
User-Agent: MyAgent
HTTP GET: http://www.ip138.cn/
User-Agent: MyAgent
Flows TCP: 192.168.1.1:1031 ➝ 218.92.221.57:80
Flows TCP: 192.168.1.1:1032 ➝ 218.133.22.66:80

Raw Pcap
0x00000000 (00000)   47455420 2f697073 2e617370 20485454   GET /ips.asp HTT
0x00000010 (00016)   502f312e 310d0a55 7365722d 4167656e   P/1.1..User-Agen
0x00000020 (00032)   743a204d 79416765 6e740d0a 486f7374   t: MyAgent..Host
0x00000030 (00048)   3a207777 772e6970 3133382e 636f6d0d   : www.ip138.com.
0x00000040 (00064)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000050 (00080)   6e6f2d63 61636865 0d0a0d0a            no-cache....

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4d794167   User-Agent: MyAg
0x00000020 (00032)   656e740d 0a486f73 743a2077 77772e69   ent..Host: www.i
0x00000030 (00048)   70313338 2e636e0d 0a436163 68652d43   p138.cn..Cache-C
0x00000040 (00064)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x00000050 (00080)   0d0a0d0a 74657874 2f68746d 6c0d0a44   ....text/html..D
0x00000060 (00096)   6174653a 2053756e 2c203135 20536570   ate: Sun, 15 Sep
0x00000070 (00112)   20323031 33203131 3a35323a 33352047    2013 11:52:35 G
0x00000080 (00128)   4d540d0a 0d0a3c68 746d6c3e 0a20203c   MT....<html>.  <
0x00000090 (00144)   68656164 3e0a2020 20203c74 69746c65   head>.    <title
0x000000a0 (00160)   3e343034 204e6f74 20466f75 6e643c2f   >404 Not Found</
0x000000b0 (00176)   7469746c 653e0a20 203c2f68 6561643e   title>.  </head>
0x000000c0 (00192)   0a20203c 626f6479 3e0a2020 20203c68   .  <body>.    <h
0x000000d0 (00208)   313e4e6f 7420466f 756e643c 2f68313e   1>Not Found</h1>
0x000000e0 (00224)   0a202020 203c703e 596f7572 2062726f   .    <p>Your bro
0x000000f0 (00240)   77736572 2073656e 74206120 72657175   wser sent a requ
0x00000100 (00256)   65737420 74686174 20746869 73207365   est that this se
0x00000110 (00272)   72766572 20636f75 6c64206e 6f742075   rver could not u
0x00000120 (00288)   6e646572 7374616e 642e3c2f 703e0a20   nderstand.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.


Strings
?*<>|"
/00/3`
 (08@P`p
;1&@b=t
1PUsIW
1tOpt3
=1tORv
2+Q~7;
33!D	3
3J[('2
3vt.oP
42RH`~{=
4<2W9v
4>"m^(
4Y_cOW
4Y_cOW	
5v[Uf+
6jbnRo
7+n7.A
7+n>.A
7x?=B)
7ZDX]Hy
\80z`j
^8j4+j
~[(]?9
9OMni}
9:z+Arh
AdjustTokenPrivileges
ADVAPI32.DLL
{^a|lWn;
"-aLXq
AQRPhD
ASKNEXTVOL
b(?%@b,?	cR
@b	gck(W
:b|i,#
Bl?VPPU
):bsRt
C,;C$s/
ceQ&^	gdk
CharToOemBuffA
CharUpperA
CloseHandle
CLSIDFromString
CoCreateInstance
COMCTL32.DLL
COMDLG32.DLL
CommDlgExtendedError
CompareStringA
CopyRect
 c@p37
CreateDirectoryA
CreateDirectoryW
CreateFileA
CreateFileW
CreateStreamOnHGlobal
CreateWindowExA
|$|;|$d
D$0+D$<
~'D;2K
(d8oT2N
`.data
D$`;D$\}
D$,;D$0u	
&;D$Dr
D$`;D$T
D$`;D$T|
DefWindowProcA
Delete
DeleteFileA
DeleteFileW
DeleteObject
DestroyIcon
DestroyWindow
{Df3NL
DialogBoxParamA
DispatchMessageA
&;D$Lw
DosDateTimeToFileTime
D$T;D$\|
;D$Tt\
E JL@=&
EnableWindow
EndDialog
&Evl|u
	EW_!W
ExitProcess
ExpandEnvironmentStringsA
ExtSign
fbc:N:
F$`E	s
F$`E	stTUjK
FFF))EE	FFFF))))))
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileA
FindFirstFileW
FindNextFileA
FindNextFileW
FindResourceA
FindWindowExA
FreeLibrary
F+ti vs
g33WwQ
}GcV!8
GDI32.DLL
GetClassNameA
GetClientRect
GetCommandLineA
GetCPInfo
GetCurrentDirectoryA
GetCurrentProcess
GetDateFormatA
GetDlgItem
GetDlgItemTextA
GetFileAttributesA
GetFileAttributesW
GetFileType
GetFullPathNameA
GetLastError
GetLocaleInfoA
GetMessageA
GetModuleFileNameA
GetModuleHandleA
GetNumberFormatA
GetOpenFileNameA
GetParent
GETPASSWORD1
GetProcAddress
GetProcessHeap
GetStdHandle
GetSysColor
GetSystemMetrics
GetTempPathA
GetTickCount
GetTimeFormatA
GetVersionExA
GetWindow
GetWindowLongA
GetWindowRect
GetWindowTextA
GlobalAlloc
gwS3	3
gwS37%w`	
h5LO! 
H7HZ}m
<head><meta http-equiv="content-type" content="text/html; charset=
HeapAlloc
HeapFree
HeapReAlloc
</html>
<html>
i9?=57@
.idata
InitCommonControlsEx
Install
I%O:IQ
IsDBCSLeadByte
IsWindow
IsWindowVisible
j12BIQ)i
J4bz&`MYr
jnS2ue
|jyn39IN
KERNEL32.DLL
K;P2j}S
KPMQR2
);l$8u
_LFrkx
License
LICENSEDLG
Lj(,WL
L$\)L$T
LO6]{X
LoadBitmapA
LoadCursorA
LoadIconA
LoadLibraryA
LoadStringA
LocalFileTimeToFileTime
lOlZIN7,
LookupPrivilegeValueA
lstrcmpiA
lstrlenA
!(-M0<{oX
MapWindowPoints
MessageBoxA
*messages***
MMpuew
MoveFileA
MoveFileExA
MultiByteToWideChar
M;Z4s+;Z,s
N4Y_cOW
&nbsp;
nk5-zs
N_^[Y]
OemToCharA
OemToCharBuffA
`O/f&Tnx
oH*45i
OLE32.DLL
OleInitialize
OleUninitialize
OpEb3(
OpenProcessToken
Overwrite
PA<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Roshal.WinRAR.WinRAR" type="win32" /> <description>WinRAR archiver.</description> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /> </dependentAssembly> </dependency> </assembly>
.pd+tS
PeekMessageA
penc-N
pjREXc
PostMessageA
PPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
Presetup
ProgramFilesDir
pwpD6?
q6N0c^
[qJ,5<
__rar_
RarHtmlClassName
RarSFX
?`[?rD
ReadFile
RegCloseKey
RegCreateKeyExA
RegisterClassExA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
RENAMEDLG
REPLACEFILEDLG
rE$T?1[L
riched20.dll
riched32.dll
RichEdit
rI;$]Y%
Rk8mAg
@.rsrc
rtmp%d
SavePath
%s.%d.tmp
S\<:e#
SendDlgItemMessageA
SendMessageA
SeRestorePrivilege
SeSecurityPrivilege
SetCurrentDirectoryA
SetDlgItemTextA
SetEndOfFile
SetEnvironmentVariableA
SetFileAttributesA
SetFileAttributesW
SetFilePointer
SetFileSecurityA
SetFileSecurityW
SetFileTime
SetFocus
SetLastError
SetMenu
SetWindowLongA
SetWindowPos
SetWindowTextA
sfxname
!SG(}b
SHAutoComplete
SHBrowseForFolderA
SHChangeNotify
SHELL32.DLL
ShellExecuteExA
SHFileOperationA
SHGetFileInfoA
SHGetMalloc
SHGetPathFromIDListA
SHGetSpecialFolderLocation
shlwapi.dll
Shortcut
ShowWindow
sIh$FA
Silent
Software\Microsoft\Windows\CurrentVersion
Software\WinRAR SFX
%s%s%d
%s %s %s
STARTDLG
</style>
<style>
<style>body{font-family:"Arial";font-size:12;}</style>
Systam.exe
SystemTimeToFileTime
T$0+L$8
T$,=b;y%'
TempMode
tfkL$@)
This program must be run under Win32
t Kt<Kt[
TranslateMessage
TslI-l|
T$(;T$,
TXPlatform.exe
TXR}hp	
TX/)+s
TYVH*'
t!+zXS
uorx)"
UpdateWindow
USER32.DLL
utf-8"></head>
`UZN9#O
V!7ahJ
<@Va}"*
VdSS S
%`vGS'
Vv%Y&~
#'v:wa
WaitForInputIdle
WaitForSingleObject
WideCharToMultiByte
WriteFile
wsprintfA
wvsprintfA
Wwgu"'P
WwR"'P
WwS7'u
wZ;+VA
x S]IAs
ybmJy;
y%jh4_
YNANRC
{<:y&q?	
y"TUFF
_^[YY]
$YZ_^[
YZ]_^[
Z13u&])F
Z\6*@)8
&@Z;;b
#.Z	e]!+
;Z$sa;Z
!Z--)u