| Analysis Date | 2013-09-15 13:02:59 |
|---|---|
| MD5 | 9e2de85762594db78c2b600061598b75 |
| SHA1 | a79f1dc6ec7d4f4bc956d2a96af704df807a2d44 |
Static Details:
| File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
|---|---|---|
| Section | .text md5: bcefd13d879b5aa1628d5731462b1935 sha1: 5e05fbf6b8bf012397b847cd5d10aee153dc895d size: 75264 | |
| Section | .data md5: 0eb9af4768d13f3fe805922a21fcbf55 sha1: 9665ae9e81ee6c6c0d2193973be588eb90aa031c size: 2560 | |
| Section | .idata md5: 7f9440e32acb299f3bda96288136b63a sha1: 1d51ab1fb34c6b541f544524a63c3d9d73f566f9 size: 4096 | |
| Section | .rsrc md5: 268a04383dbc7e86a53e982e1da21c2c sha1: 5d008fc03fb658231e94722b64715e90f270a97c size: 12800 | |
| Timestamp | 2005-08-03 16:31:58 | |
| Packer | RAR SFX | |
| PEhash | 865e2876baa75b3d067df745655e1ef3a3eed45c | |
| AV | avg | Downloader.Generic9.BCOK |
| AV | msse | TrojanDownloader:Win32/Troxen!rts |
| AV | avira | DR/VB.ort.44 |
Runtime Details:
| Screenshot |  |
|---|
Process
↳ C:\malware.exe
| Creates File | TXPlatform.exe |
|---|---|
| Creates File | Systam.exe |
| Creates Process | C:\abcdef\Systam.exe |
Process
↳ cmd /c ipconfig/all > C:\abcdef\macmac.txt
| Creates File | C:\abcdef\macmac.txt |
|---|---|
| Creates Process | ipconfig /all |
Process
↳ C:\abcdef\Systam.exe
| Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 |
|---|---|
| Creates File | PIPE\wkssvc |
| Creates Process | "C:\abcdef\TXPlatform.exe" |
| Creates Service | Network Security Agent - C:\abcdef\Systam.exe |
Process
↳ "C:\abcdef\TXPlatform.exe"
| Creates File | C:\abcdef\runcount.txt |
|---|---|
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\~DFC2F7.tmp |
| Creates File | C:\abcdef\runtrue.txt |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat |
| Creates File | C:\Documents and Settings\Administrator\Cookies\index.dat |
| Creates File | C:\abcdef\macmac.txt |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat |
| Creates File | C:\abcdef\qqver.txt |
| Creates Process | cmd /c ipconfig/all > C:\abcdef\macmac.txt |
| Creates Mutex | c:!documents and settings!administrator!local settings!history!history.ie5! |
| Creates Mutex | WininetConnectionMutex |
| Creates Mutex | c:!documents and settings!administrator!cookies! |
| Creates Mutex | c:!documents and settings!administrator!local settings!temporary internet files!content.ie5! |
Process
↳ ipconfig /all
| Winsock DNS | 192.168.254.254 |
|---|
Process
↳ C:\WINDOWS\system32\svchost.exe
Process
↳ Pid 796
Process
↳ Pid 840
Process
↳ C:\WINDOWS\System32\svchost.exe
| Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL |
|---|---|
| Creates File | PIPE\lsarpc |
| Creates File | C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG |
Process
↳ Pid 1120
Process
↳ C:\WINDOWS\system32\spoolsv.exe
| Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL |
|---|---|
| Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7 |
| Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL |
| Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00 |
| Creates File | WMIDataDevice |
Process
↳ Pid 1848
Process
↳ Pid 984
Network Details:
| DNS | yd.ecoma.glb0.lxdns.com Type: A 218.92.221.57 |
|---|---|
| DNS | yd.ecoma.glb0.lxdns.com Type: A 218.92.221.55 |
| DNS | yd.ecoma.glb0.lxdns.com Type: A 218.92.221.58 |
| DNS | yd.ecoma.glb0.lxdns.com Type: A 218.92.221.56 |
| DNS | www.ip138.cn Type: A 218.133.22.66 |
| DNS | www.ip138.com Type: A |
| HTTP GET | http://www.ip138.com/ips.asp User-Agent: MyAgent |
| HTTP GET | http://www.ip138.cn/ User-Agent: MyAgent |
| Flows TCP | 192.168.1.1:1031 ➝ 218.92.221.57:80 |
| Flows TCP | 192.168.1.1:1032 ➝ 218.133.22.66:80 |
Raw Pcap
0x00000000 (00000) 47455420 2f697073 2e617370 20485454 GET /ips.asp HTT 0x00000010 (00016) 502f312e 310d0a55 7365722d 4167656e P/1.1..User-Agen 0x00000020 (00032) 743a204d 79416765 6e740d0a 486f7374 t: MyAgent..Host 0x00000030 (00048) 3a207777 772e6970 3133382e 636f6d0d : www.ip138.com. 0x00000040 (00064) 0a436163 68652d43 6f6e7472 6f6c3a20 .Cache-Control: 0x00000050 (00080) 6e6f2d63 61636865 0d0a0d0a no-cache.... 0x00000000 (00000) 47455420 2f204854 54502f31 2e310d0a GET / HTTP/1.1.. 0x00000010 (00016) 55736572 2d416765 6e743a20 4d794167 User-Agent: MyAg 0x00000020 (00032) 656e740d 0a486f73 743a2077 77772e69 ent..Host: www.i 0x00000030 (00048) 70313338 2e636e0d 0a436163 68652d43 p138.cn..Cache-C 0x00000040 (00064) 6f6e7472 6f6c3a20 6e6f2d63 61636865 ontrol: no-cache 0x00000050 (00080) 0d0a0d0a 74657874 2f68746d 6c0d0a44 ....text/html..D 0x00000060 (00096) 6174653a 2053756e 2c203135 20536570 ate: Sun, 15 Sep 0x00000070 (00112) 20323031 33203131 3a35323a 33352047 2013 11:52:35 G 0x00000080 (00128) 4d540d0a 0d0a3c68 746d6c3e 0a20203c MT....<html>. < 0x00000090 (00144) 68656164 3e0a2020 20203c74 69746c65 head>. <title 0x000000a0 (00160) 3e343034 204e6f74 20466f75 6e643c2f >404 Not Found</ 0x000000b0 (00176) 7469746c 653e0a20 203c2f68 6561643e title>. </head> 0x000000c0 (00192) 0a20203c 626f6479 3e0a2020 20203c68 . <body>. <h 0x000000d0 (00208) 313e4e6f 7420466f 756e643c 2f68313e 1>Not Found</h1> 0x000000e0 (00224) 0a202020 203c703e 596f7572 2062726f . <p>Your bro 0x000000f0 (00240) 77736572 2073656e 74206120 72657175 wser sent a requ 0x00000100 (00256) 65737420 74686174 20746869 73207365 est that this se 0x00000110 (00272) 72766572 20636f75 6c64206e 6f742075 rver could not u 0x00000120 (00288) 6e646572 7374616e 642e3c2f 703e0a20 nderstand.</p>. 0x00000130 (00304) 2020203c 703e4e6f 20737563 68206669 <p>No such fi 0x00000140 (00320) 6c65206f 72206469 72656374 6f72792e le or directory. 0x00000150 (00336) 3c2f703e 0a20203c 6872202f 3e0a2020 </p>. <hr />. 0x00000160 (00352) 3c616464 72657373 3e4d6963 726f736f <address>Microso 0x00000170 (00368) 66742d49 49532f37 2e303c2f 61646472 ft-IIS/7.0</addr 0x00000180 (00384) 6573733e 0a20203c 2f626f64 793e0a3c ess>. </body>.< 0x00000190 (00400) 2f68746d 6c3e0a /html>.
Strings
?*<>|"
/00/3`
(08@P`p
;1&@b=t
1PUsIW
1tOpt3
=1tORv
2+Q~7;
33!D 3
3J[('2
3vt.oP
42RH`~{=
4<2W9v
4>"m^(
4Y_cOW
4Y_cOW
5v[Uf+
6jbnRo
7+n7.A
7+n>.A
7x?=B)
7ZDX]Hy
\80z`j
^8j4+j
~[(]?9
9OMni}
9:z+Arh
AdjustTokenPrivileges
ADVAPI32.DLL
{^a|lWn;
"-aLXq
AQRPhD
ASKNEXTVOL
b(?%@b,? cR
@b gck(W
:b|i,#
Bl?VPPU
):bsRt
C,;C$s/
ceQ&^ gdk
CharToOemBuffA
CharUpperA
CloseHandle
CLSIDFromString
CoCreateInstance
COMCTL32.DLL
COMDLG32.DLL
CommDlgExtendedError
CompareStringA
CopyRect
c@p37
CreateDirectoryA
CreateDirectoryW
CreateFileA
CreateFileW
CreateStreamOnHGlobal
CreateWindowExA
|$|;|$d
D$0+D$<
~'D;2K
(d8oT2N
`.data
D$`;D$\}
D$,;D$0u
&;D$Dr
D$`;D$T
D$`;D$T|
DefWindowProcA
Delete
DeleteFileA
DeleteFileW
DeleteObject
DestroyIcon
DestroyWindow
{Df3NL
DialogBoxParamA
DispatchMessageA
&;D$Lw
DosDateTimeToFileTime
D$T;D$\|
;D$Tt\
E JL@=&
EnableWindow
EndDialog
&Evl|u
EW_!W
ExitProcess
ExpandEnvironmentStringsA
ExtSign
fbc:N:
F$`E s
F$`E stTUjK
FFF))EE FFFF))))))
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileA
FindFirstFileW
FindNextFileA
FindNextFileW
FindResourceA
FindWindowExA
FreeLibrary
F+ti vs
g33WwQ
}GcV!8
GDI32.DLL
GetClassNameA
GetClientRect
GetCommandLineA
GetCPInfo
GetCurrentDirectoryA
GetCurrentProcess
GetDateFormatA
GetDlgItem
GetDlgItemTextA
GetFileAttributesA
GetFileAttributesW
GetFileType
GetFullPathNameA
GetLastError
GetLocaleInfoA
GetMessageA
GetModuleFileNameA
GetModuleHandleA
GetNumberFormatA
GetOpenFileNameA
GetParent
GETPASSWORD1
GetProcAddress
GetProcessHeap
GetStdHandle
GetSysColor
GetSystemMetrics
GetTempPathA
GetTickCount
GetTimeFormatA
GetVersionExA
GetWindow
GetWindowLongA
GetWindowRect
GetWindowTextA
GlobalAlloc
gwS3 3
gwS37%w`
h5LO!
H7HZ}m
<head><meta http-equiv="content-type" content="text/html; charset=
HeapAlloc
HeapFree
HeapReAlloc
</html>
<html>
i9?=57@
.idata
InitCommonControlsEx
Install
I%O:IQ
IsDBCSLeadByte
IsWindow
IsWindowVisible
j12BIQ)i
J4bz&`MYr
jnS2ue
|jyn39IN
KERNEL32.DLL
K;P2j}S
KPMQR2
);l$8u
_LFrkx
License
LICENSEDLG
Lj(,WL
L$\)L$T
LO6]{X
LoadBitmapA
LoadCursorA
LoadIconA
LoadLibraryA
LoadStringA
LocalFileTimeToFileTime
lOlZIN7,
LookupPrivilegeValueA
lstrcmpiA
lstrlenA
!(-M0<{oX
MapWindowPoints
MessageBoxA
*messages***
MMpuew
MoveFileA
MoveFileExA
MultiByteToWideChar
M;Z4s+;Z,s
N4Y_cOW
nk5-zs
N_^[Y]
OemToCharA
OemToCharBuffA
`O/f&Tnx
oH*45i
OLE32.DLL
OleInitialize
OleUninitialize
OpEb3(
OpenProcessToken
Overwrite
PA<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Roshal.WinRAR.WinRAR" type="win32" /> <description>WinRAR archiver.</description> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /> </dependentAssembly> </dependency> </assembly>
.pd+tS
PeekMessageA
penc-N
pjREXc
PostMessageA
PPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
Presetup
ProgramFilesDir
pwpD6?
q6N0c^
[qJ,5<
__rar_
RarHtmlClassName
RarSFX
?`[?rD
ReadFile
RegCloseKey
RegCreateKeyExA
RegisterClassExA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
RENAMEDLG
REPLACEFILEDLG
rE$T?1[L
riched20.dll
riched32.dll
RichEdit
rI;$]Y%
Rk8mAg
@.rsrc
rtmp%d
SavePath
%s.%d.tmp
S\<:e#
SendDlgItemMessageA
SendMessageA
SeRestorePrivilege
SeSecurityPrivilege
SetCurrentDirectoryA
SetDlgItemTextA
SetEndOfFile
SetEnvironmentVariableA
SetFileAttributesA
SetFileAttributesW
SetFilePointer
SetFileSecurityA
SetFileSecurityW
SetFileTime
SetFocus
SetLastError
SetMenu
SetWindowLongA
SetWindowPos
SetWindowTextA
sfxname
!SG(}b
SHAutoComplete
SHBrowseForFolderA
SHChangeNotify
SHELL32.DLL
ShellExecuteExA
SHFileOperationA
SHGetFileInfoA
SHGetMalloc
SHGetPathFromIDListA
SHGetSpecialFolderLocation
shlwapi.dll
Shortcut
ShowWindow
sIh$FA
Silent
Software\Microsoft\Windows\CurrentVersion
Software\WinRAR SFX
%s%s%d
%s %s %s
STARTDLG
</style>
<style>
<style>body{font-family:"Arial";font-size:12;}</style>
Systam.exe
SystemTimeToFileTime
T$0+L$8
T$,=b;y%'
TempMode
tfkL$@)
This program must be run under Win32
t Kt<Kt[
TranslateMessage
TslI-l|
T$(;T$,
TXPlatform.exe
TXR}hp
TX/)+s
TYVH*'
t!+zXS
uorx)"
UpdateWindow
USER32.DLL
utf-8"></head>
`UZN9#O
V!7ahJ
<@Va}"*
VdSS S
%`vGS'
Vv%Y&~
#'v:wa
WaitForInputIdle
WaitForSingleObject
WideCharToMultiByte
WriteFile
wsprintfA
wvsprintfA
Wwgu"'P
WwR"'P
WwS7'u
wZ;+VA
x S]IAs
ybmJy;
y%jh4_
YNANRC
{<:y&q?
y"TUFF
_^[YY]
$YZ_^[
YZ]_^[
Z13u&])F
Z\6*@)8
&@Z;;b
#.Z e]!+
;Z$sa;Z
!Z--)u