Analysis Date: 2014-07-02 05:52:35
MD5: 2b3ab7e0ce101f02ded07d1526d3ea1d
SHA1: a88e73619a082d4eb216429a85772f765185f369

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section f5dWu84e: md5: 3d6e0eb531b76a7af7cdb5e51d54e70c sha1: 9794d212537d1fc0f838025fa1263193254648f9 size: 512
Section 1u2kwTCN: md5: c842a2faafa32adf4f49023b141bae9a sha1: 8620a6cabcce4a67b3bbe9f3ebc11d260b6b2eb2 size: 24557
Section 4zitu9TY: md5: 006ee35c459803a3ebfe206148cf94cc sha1: c51e5fa8d05fd543c10332627913ca158a0b253f size: 7168
Section A8EMhUl3: md5: dc9b228d6b740590ab494e42f5e01cbb sha1: 063b98198c2a307652cb3d818c233deb145dd5e1 size: 512
Timestamp: 2032-02-14 21:22:02
Packer: UPX v0.80 - v0.84
PEhash: 2527057962d0b617cd11f349be7518f936bb5e47
IMPhash: 469b1bae2575baede5bf1f06a01b4767
AV 360 Safe: Gen:Trojan.Heur.GM.1000830421
AV Ad-Aware: Gen:Trojan.Heur.GM.1000830421
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV Arcabit (arcavir): Packed.Klone.bu
AV Authentium: no_virus
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Gen:Trojan.Heur.GM.1000830421
AV Eset (nod32): Win32/Alyak.E
AV Fortinet: W32/FraudPackTM.A!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Trojan.Heur.GM.1000830421
AV Grisoft (avg): Win32/DH{MYENA2eBEgBdOSAlNlAK}
AV Ikarus: Packed.Win32.Klone
AV K7: Trojan ( 00067a4b1 )
AV Kaspersky: Packed.Win32.Klone.bu
AV MalwareBytes: Backdoor.Agent.PS
AV Mcafee: Generic BackDoor.aee
AV Microsoft Security Essentials: TrojanDownloader:Win32/Kanav.C
AV MicroWorld (escan): Gen:Trojan.Heur.GM.1000830421
AV Norman: win32:win32/SB/Obfuscated_FA
AV Rising: Trojan.Win32.Vmtoolsd.a
AV Sophos: Mal/EncPk-ACW
AV Symantec: Trojan.Gen
AV Trend Micro: Mal_Xed-3
AV VirusBlokAda (vba32): TScope.Malware-Cryptor.SB

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{DD5630AB-0A1D-401D-7E07-DA389929CD98}\stubpath ➝ %SystemRoot%\system32\vmtoolsd.exe
Creates File: C:\WINDOWS\system32\vmtoolsd.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\WINDOWS\system32\cmd.exe /c del C:\A88E73~1.EXE > nul
Creates Process: reg delete "HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{DD5630AB-0A1D-401D-7E07-DA389929CD98}" /f
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: googleads
Winsock URL: http://www.issuejeju.com/poll/update.txt
Winsock URL: http://blog.yahoo.com/naverblog/articles/601941/commentRss

Process
↳ C:\WINDOWS\system32\cmd.exe /c del C:\A88E73~1.EXE > nul

Creates File: nul
Deletes File: C:\malware.exe

Process
↳ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{DD5630AB-0A1D-401D-7E07-DA389929CD98}" /f

Network Details:

DNS: www.issuejeju.com
Type: A
121.78.127.76
DNS: any-rc.a01.yahoodns.net
Type: A
74.6.50.150
DNS: any-rc.a01.yahoodns.net
Type: A
98.139.102.145
DNS: blog.yahoo.com
Type: A
HTTP GET: http://www.issuejeju.com/poll/update.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
HTTP GET: http://blog.yahoo.com/naverblog/articles/601941/commentRss
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Flows TCP: 192.168.1.1:1031 ➝ 121.78.127.76:80
Flows TCP: 192.168.1.1:1032 ➝ 74.6.50.150:80

Raw Pcap


Strings